diff --git a/.github/workflows/environment-main-deploy.yaml b/.github/workflows/environment-main-deploy.yaml
new file mode 100644
index 00000000..cc2ed649
--- /dev/null
+++ b/.github/workflows/environment-main-deploy.yaml
@@ -0,0 +1,41 @@
+name: Environment Main - Apply
+
+on:
+ push:
+ branches:
+ - main
+
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+jobs:
+ envtest:
+ name: Environment Main - Apply
+ runs-on: ubuntu-latest
+ environment: main
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
+ - name: Configure AWS Access
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
+ with:
+ role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/GitHubAction-Wildsea@${{ vars.ENVIRONMENT }}
+ role-session-name: GitHubTest
+ aws-region: ${{ vars.AWS_REGION }}
+ - name: terraform plan
+ uses: dflook/terraform-apply@@c3f4d3e8d5a1a5b8d5e4e3e7f8f2b3a1c4e9d3f2
+ with:
+ path: terraform/environment/github
+ variables: |
+ aws_account="${{ vars.AWS_ACCOUNT }}"
+ aws_region="${{ vars.AWS_REGION }}"
+ state_bucket="${{ vars.STATE_BUCKET }}"
+ environment="${{ vars.ENVIRONMENT }}"
+ backend_config:
+ bucket=${{ vars.STATE_BUCKET }}
+ key=${{ vars.ENVIRONMENT }}/terraform.tfstate
+ region=${{ vars.AWS_REGION }}
diff --git a/.github/workflows/environment-main-plan.yaml b/.github/workflows/environment-main-plan.yaml
new file mode 100644
index 00000000..7bd9379c
--- /dev/null
+++ b/.github/workflows/environment-main-plan.yaml
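Review bot: The apply step's reference `dflook/terraform-apply@@c3f4d3e8d5a1a5b8d5e4e3e7f8f2b3a1c4e9d3f2` carries a doubled `@`, which is not a valid `uses:` reference and will fail when the workflow is resolved; it should read `uses: dflook/terraform-apply@c3f4d3e8d5a1a5b8d5e4e3e7f8f2b3a1c4e9d3f2`. In the same step `backend_config:` lacks the `|` that `variables:` has, so the `bucket=`/`key=`/`region=` lines fold into a single plain scalar and the action receives one space-joined entry instead of three; write `backend_config: |` here and in environment-main-plan.yaml, which has the same omission. The step is still named `terraform plan` although it applies, and `pull-requests: write` is not needed by a push-to-main workflow, so it can be dropped from `permissions` to keep the token minimal.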
@@ -0,0 +1,39 @@
+name: Environment Main - Plan
+
+on:
+ pull_request: {}
+
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+jobs:
+ envtest:
+ name: Environment Main - Plan
+ runs-on: ubuntu-latest
+ environment: main
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
+ - name: Configure AWS Access
+ uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
+ with:
+ role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/GitHubAction-Wildsea
+ role-session-name: GitHubTest
+ aws-region: ${{ vars.AWS_REGION }}
+ - name: terraform plan
+ uses: dflook/terraform-plan@d9df4f6c2484e709ba7ffaa16c98a6906f4760cd
+ with:
+ path: terraform/environment/github
+ variables: |
+ aws_account="${{ vars.AWS_ACCOUNT }}"
+ aws_region="${{ vars.AWS_REGION }}"
+ state_bucket="${{ vars.STATE_BUCKET }}"
+ environment="${{ vars.ENVIRONMENT }}"
+ backend_config:
+ bucket=${{ vars.STATE_BUCKET }}
+ key=${{ vars.ENVIRONMENT }}/terraform.tfstate
+ region=${{ vars.AWS_REGION }}
diff --git a/README.md b/README.md
index 293b4a36..f59beb65 100644
--- a/README.md
+++ b/README.md
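Review bot: The role names the workflows assume (`GitHubAction-Wildsea` here, `GitHubAction-Wildsea@${{ vars.ENVIRONMENT }}` in environment-main-deploy.yaml) do not match the names the README in this commit tells the operator to create (`GitHubAccess-Wildsea` and `GitHubAccess-Wildsea@main`), so a setup that follows the README ends in an AssumeRoleWithWebIdentity failure; pick one spelling and use it in both places. `GITHUB_TOKEN` is exported as a job-level `env`, which hands the token to every step including `actions/checkout` and the AWS credentials action, while only the `dflook/terraform-plan` step needs it to post PR comments; move the `env:` block onto that step. `role-session-name: GitHubTest` is also a fixed string, so CloudTrail cannot tell runs apart; something like `role-session-name: plan-${{ github.run_id }}` makes each session attributable.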
@@ -22,3 +22,18 @@ To set up a github repository:
 * Add "Codacy Static Code Analysis" to status checks that are required
 * Block force pushes
 * TODO: Require code scanning results
+* Install into the repo
+* Under settings, "Set up code scanning"
+ * Enable everything exeept Dependabot version updates
+ * Set up CodeQL to default
+ * Set the Protection rules to Any/Any
+* Create an AWS Account for deployment
+ * Set up OIDC as per
+ * Restrict it to the repo and branch main
+ * Add AdministratorAccess, for now, and call it GitHubAccess-Wildsea@main
+ * Add another role with ReadyOnlyAccess, don't restrict the branch, and call it GitHubAccess-Wildsea
+* Add an environment "main"
+ * Add an Environment Variable in the environment "AWS_ACCOUNT" with the ID of the AWS Account
+ * Add an Environment Variable in the environment "AWS_REGION" with the AWS Region you want to use
+ * Add an Environment Variable in the environment "STATE_BUCKET" with the name of the state bucket you created
+ * Add an Environment Variable in the environment "ENVIRONMENT" with the name of the environment
diff --git a/renovate.json b/renovate.json
index 5db72dd6..9a3152d9 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,7 @@
 {
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "extends": [
- "config:recommended"
+ "config:recommended",
+ ":dependencyDashboard"
 ]
 }
diff --git a/terraform/environment/github/.terraform.lock.hcl b/terraform/environment/github/.terraform.lock.hcl
new file mode 100644
index 00000000..0d365aee
--- /dev/null
+++ b/terraform/environment/github/.terraform.lock.hcl
@@ -0,0 +1,43 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.62.0"
+ hashes = [
+ "h1:8tevkFG+ea/sNZYiQ2GQ02hknPcWBukxkrpjRCodQC0=",
+ "zh:1f366cbcda72fb123015439a42ab19f96e10ce4edb404273f4e1b7e06da20b73",
+ "zh:25f098454a34b483279e0382b24b4f42e51c067222c6e797eda5d3ec33b9beb1",
+ "zh:4b59d48b527e3cefd73f196853bfc265b3e1e57b55c1c8a2d12ff6e3534b4f07",
+ "zh:7bb88c1ca95e2b3f0f1fe8636925133b9813fc5b137cc467ba6a233ddf4b360e",
+ "zh:8a93dece40e816c92647e762839d0370e9cad2aa21dc4ca95baee9385f116459",
+ "zh:8dfe82c55ab8f633c1e2a39c687e9ca8c892d1c2005bf5166ac396ce868ecd05",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:a754952d69b4860480d5207390e3ab42350c964dbca9a5ac0c6912dd24b4c11d",
+ "zh:b2a4dbf4abee0e9ec18c5d323b99defdcd3c681f8c4306fb6e02cff7de038f85",
+ "zh:b57d84be258b571c04271015f03858ab215768b82e47c11ecd86e789d577030a",
+ "zh:be811b03289407c8d59e6b199bf16e6071165565ffe502148172d0886cf849c4",
+ "zh:d4144c7366c840eff1ac15ba13d96063f798f0983d24053a832362033624fe6f",
+ "zh:d88612856d453c4e10c49c76e4ef522b7d068b4f7c3e2e0b03dd74540986eecd",
+ "zh:e8bd231a5d0786cc4aab8471bb6dabd5a5df1c598afda077a9f27987ada57b67",
+ "zh:ffb40a66b4d000a8ee4c54227eeb998f887ad867419c3af7d3981587788de074",
+ ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+ version = "3.2.2"
+ hashes = [
+ "h1:zT1ZbegaAYHwQa+QwIFugArWikRJI9dqohj8xb0GY88=",
+ "zh:3248aae6a2198f3ec8394218d05bd5e42be59f43a3a7c0b71c66ec0df08b69e7",
+ "zh:32b1aaa1c3013d33c245493f4a65465eab9436b454d250102729321a44c8ab9a",
+ "zh:38eff7e470acb48f66380a73a5c7cdd76cc9b9c9ba9a7249c7991488abe22fe3",
+ "zh:4c2f1faee67af104f5f9e711c4574ff4d298afaa8a420680b0cb55d7bbc65606",
+ "zh:544b33b757c0b954dbb87db83a5ad921edd61f02f1dc86c6186a5ea86465b546",
+ "zh:696cf785090e1e8cf1587499516b0494f47413b43cb99877ad97f5d0de3dc539",
+
"zh:6e301f34757b5d265ae44467d95306d61bef5e41930be1365f5a8dcf80f59452",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:913a929070c819e59e94bb37a2a253c228f83921136ff4a7aa1a178c7cce5422",
+ "zh:aa9015926cd152425dbf86d1abdbc74bfe0e1ba3d26b3db35051d7b9ca9f72ae",
+ "zh:bb04798b016e1e1d49bcc76d62c53b56c88c63d6f2dfe38821afef17c416a0e1",
+ "zh:c23084e1b23577de22603cff752e59128d83cfecc2e6819edadd8cf7a10af11e",
+ ]
+}
diff --git a/terraform/environment/github/main.tf b/terraform/environment/github/main.tf
index 15731b42..7d3f2f77 100644
--- a/terraform/environment/github/main.tf
+++ b/terraform/environment/github/main.tf
@@ -1 +1,35 @@
 resource "null_resource" "test" {}
+
+variable "aws_account" {
+ description = "ID of the AWS Account"
+ type = string
+ sensitive = true
+}
+
+variable "aws_region" {
+ description = "AWS Region name"
+ type = string
+ sensitive = true
+}
+
+variable "state_bucket" {
+ description = "Name of the S3 state bucket"
+ type = string
+}
+
+variable "environment" {
+ description = "Name of the Environment"
+ type = string
+}
+
+terraform {
+ backend "s3" {
+ // region, bucket and key come from -backend-config
+ }
+}
+
+provider "aws" {
+ assume_role {
+ role_arn = "arn:aws:iam::${var.aws_account}:role/GitHubAction-Wildsea"
+ }
+}
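Review bot: `provider "aws"` hard-codes `assume_role` into `GitHubAction-Wildsea`, but the apply workflow added in this commit already runs under `GitHubAction-Wildsea@${{ vars.ENVIRONMENT }}`, so on apply the provider would chain from the environment role into the unsuffixed one — which, per the README in this commit, is the branch-unrestricted read-only role — and `terraform apply` would fail on its first write, assuming the trust policy even permits that chaining; in the plan workflow it re-assumes the role it already holds, which only works if that role trusts itself. Since the runner's credentials already carry the intended role, either drop the `assume_role` block or derive the ARN from the environment, e.g. `role_arn = "arn:aws:iam::${var.aws_account}:role/GitHubAction-Wildsea@${var.environment}"`. Marking `aws_region` `sensitive = true` redacts a non-secret value from plan output and PR comments and only makes plans harder to review; `aws_account` is a judgment call, but the region should not be sensitive. `state_bucket` is declared yet not referenced in this file (the backend takes it via `-backend-config`), so unless another file in the module reads it the variable is dead.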