gh workflow updates
alismx committed Jun 26, 2024
1 parent e664bf4 commit c3e51ec
Showing 6 changed files with 154 additions and 56 deletions.
65 changes: 32 additions & 33 deletions .github/workflows/ecr_deployment.yaml
@@ -1,36 +1,37 @@
name: Deploy to ECR
name: Deploy to ECS

on:
push:
branches:
#- main
- 1611-create-elastic-container-service

permissions:
id-token: write
contents: read
# packages: write
jobs:
deploy:
terraform:
name: Run Terraform
runs-on: ubuntu-latest

defaults:
run:
shell: bash
working-directory: ./terraform/implementation/ecs
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Check Out Changes
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3

- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: configure aws credentials
uses: aws-actions/configure-aws-credentials@v4
with:
region: us-east-1

# - name: Authenticate Docker Registry for ECR
# run: aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin 339712971032.dkr.ecr.us-east-1.amazonaws.com
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
role-session-name: githubECSDeploymentWorkflow
aws-region: us-east-1

- uses: hashicorp/[email protected]
with:
terraform_version: 1.3.3
- name: Init Terraform
working-directory: ./terraform/implementation/ecs
- name: Load variables
env:
ENVIRONMENT: dev
BUCKET: infra-tfstate-alis-default-aizwjxuh
Expand All @@ -40,16 +41,14 @@ jobs:
PROJECT: infra
shell: bash
run: |
touch $ENVIRONMENT.tfvars
echo "owner = \"$OWNER\""
echo "project = \"$PROJECT\""
echo "region = \"$REGION\""
./ecs.sh -e dev --ci
# - name: Apply Terraform
# working-directory: ./terraform/implementation/ecs
# env:
# ENVIRONMENT: value
# shell: bash
# run: |
# terraform apply -var-file="$ENVIRONMENT.tfvars"
echo "ENVIRONMENT=$ENVIRONMENT" >> .env
echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env
echo "DYNAMODB_TABLE=infra-tfstate-lock-alis-default-aizwjxuh" >> .env
echo "REGION=us-east-1" >> .env
echo "owner = \"$OWNER\"" >> $ENVIRONMENT.tfvars
echo "project = \"$PROJECT\"" >> $ENVIRONMENT.tfvars
echo "region = \"$REGION\"" >> $ENVIRONMENT.tfvars
- name: Terraform
run: |
./ecs.sh -e dev --ci
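Review bot: The `Load variables` step declares `BUCKET` as a step env var next to `ENVIRONMENT`, yet the new `run` block writes the literal bucket name with `echo "BUCKET=infra-tfstate-alis-default-aizwjxuh" >> .env`, so the env var and the file can drift; `echo "BUCKET=$BUCKET" >> .env` and `echo "REGION=$REGION" >> .env` would reuse the values the same step already relies on for the tfvars lines (`OWNER` and `REGION` appear to be defined in the collapsed part of this hunk). The job holds `id-token: write` and assumes `secrets.AWS_ROLE_ARN` over OIDC, but `actions/checkout@v4`, `hashicorp/setup-terraform@v3` and `aws-actions/configure-aws-credentials@v4` are referenced by mutable tags, and the old `terraform_version: 1.3.3` input was dropped, so a compromised or changed action release runs with that role and an unpinned Terraform; pinning each action to a full commit SHA and restoring `terraform_version` keeps the deploy reproducible. The `push` trigger now fires only on `1611-create-elastic-container-service` with `main` commented out, which reads as a temporary testing setup; a comment stating that, or restoring `main` before merge, would make the intent explicit.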
22 changes: 15 additions & 7 deletions terraform/implementation/ecs/ecs.sh
Expand Up @@ -116,12 +116,13 @@ terraform init \
-backend-config "region=$REGION" \
|| (echo "terraform init failed, exiting..." && exit 1)

if [ "$CI" = false ]; then
# Check if workspace exists
if terraform workspace list | grep -q "$ENVIRONMENT"; then
echo "Selecting $ENVIRONMENT terraform workspace"
terraform workspace select "$ENVIRONMENT"
else

# Check if workspace exists
if terraform workspace list | grep -q "$ENVIRONMENT"; then
echo "Selecting $ENVIRONMENT terraform workspace"
terraform workspace select "$ENVIRONMENT"
else
if [ "$CI" = false ]; then
read -p "Workspace '$ENVIRONMENT' does not exist. Do you want to create it? (y/n): " choice
if [[ $choice =~ ^[Yy]$ ]]; then
echo "Creating '$ENVIRONMENT' terraform workspace"
Expand All @@ -130,7 +131,14 @@ if [ "$CI" = false ]; then
echo "Workspace creation cancelled."
exit 1
fi
else
echo "Creating '$ENVIRONMENT' terraform workspace"
terraform workspace new "$ENVIRONMENT"
fi
fi

terraform apply -var-file="$ENVIRONMENT.tfvars"
# if [ "$CI" = false ]; then
terraform apply -var-file="$ENVIRONMENT.tfvars"
# else
# terraform apply -auto-approve -var-file="$ENVIRONMENT.tfvars"
# fi
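Review bot: In `--ci` mode the script now creates the workspace unattended but still reaches `terraform apply -var-file="$ENVIRONMENT.tfvars"` with the `CI`-gated `-auto-approve` branch left commented out, so on a runner without a TTY the run hits Terraform's interactive approval prompt, which cannot be answered, and the workflow does not deploy. If an unattended apply is the goal, the commented `if [ "$CI" = false ]` / `else` split is the right shape, but `-auto-approve` from CI should be paired with a reviewed plan (`terraform plan -out` on pull requests, apply of that saved plan only from the protected branch) rather than applying directly from a feature-branch push. Separately, `terraform workspace list | grep -q "$ENVIRONMENT"` is a substring match, so `dev` is "found" when only a `dev2` workspace exists; `grep -qw "$ENVIRONMENT"` or an anchored pattern makes the test exact. The `if [ "$CI" = false ]` block that is being restructured begins at the top of this hunk and the script continues past the hunk's end.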
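--- /dev/null
+++ b/terraform/implementation/setup/iam.tf
@@ -0,0 +1,103 @@
+data "aws_caller_identity" "current" {}
+
+# # create a role that can be assumed to pull and push docker images from
+data "aws_iam_policy_document" "github_assume_role" {
+statement {
+principals {
+type = "Federated"
+identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+}
+actions = [
+"sts:AssumeRoleWithWebIdentity"
+]
+condition {
+test = "StringEquals"
+variable = "token.actions.githubusercontent.com:aud"
+values = ["sts.amazonaws.com",]
+}
+condition {
+test = "StringLike"
+variable = "token.actions.githubusercontent.com:sub"
+values = [
+"repo:${var.github_repo}:*",
+]
+}
+}
+}
+
+data "aws_iam_policy_document" "github" {
+statement {
+actions = [
+"appmesh:DescribeMesh",
+"appmesh:ListTagsForResource",
+"appmesh:DescribeVirtualNode",
+"dynamodb:GetItem",
+"dynamodb:PutItem",
+"dynamodb:DeleteItem",
+"ec2:DescribeAddresses",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcAttribute",
+"ec2:DescribeSubnets",
+"ec2:DescribeRouteTables",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeNetworkAcls",
+"ec2:DescribeAddress",
+"ec2:DescribeSecurityGroupRules",
+"ec2:DescribeFlowLogs",
+"ecr:GetAuthorizationToken",
+"ecr:DescribeRepositories",
+"ecr:ListTagsForResource",
+"ecs:DescribeClusters",
+"ecs:DescribeTaskDefinition",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeTags",
+"iam:GetRole",
+"iam:GetPolicy",
+"iam:ListRolePolicies",
+"iam:GetPolicyVersion",
+"iam:ListAttachedRolePolicies",
+"logs:DescribeLogGroups",
+"logs:ListTagsLogGroup",
+"s3:listBucket",
+"s3:PutObject",
+"s3:PutObjectAcl",
+"s3:GetObject",
+"s3:GetObjectAcl",
+"s3:GetObjectAttributes",
+"servicediscovery:GetNamespace",
+"servicediscovery:ListTagsForResource",
+"servicediscovery:GetService",
+]
+resources = [
+"*"
+# aws_dynamodb_table.tfstate_lock.arn,
+# "${aws_dynamodb_table.tfstate_lock.arn}/*",
+# aws_s3_bucket.tfstate.arn,
+# "${aws_s3_bucket.tfstate.arn}/*",
+# "arn:aws:ec2:::",
+# "arn:aws:ecr:${var.region}:${data.aws_caller_identity.current.account_id}:repository/*",
+# "arn:aws:ecs:${var.region}:${data.aws_caller_identity.current.account_id}:cluster/*",
+# "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group::*",
+# "arn:aws:appmesh:${var.region}:${data.aws_caller_identity.current.account_id}:mesh/*"
+]
+}
+}
+
+resource "aws_iam_policy" "github" {
+name = "${var.project}-github-policy-${var.owner}-${terraform.workspace}"
+policy = data.aws_iam_policy_document.github.json
+}
+
+resource "aws_iam_role" "github" {
+name = "${var.project}-github-role-${var.owner}-${terraform.workspace}"
+assume_role_policy = data.aws_iam_policy_document.github_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "github" {
+role = aws_iam_role.github.name
+policy_arn = aws_iam_policy.github.arn
+}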
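Review bot: `data.aws_iam_policy_document.github` grants every listed action, including the write actions `s3:PutObject`, `s3:PutObjectAcl`, `dynamodb:PutItem` and `dynamodb:DeleteItem`, on `resources = ["*"]`, while the scoped ARNs for the state bucket and lock table sit commented out directly beneath; the write actions should be moved to their own statement restricted to `aws_s3_bucket.tfstate.arn`, `"${aws_s3_bucket.tfstate.arn}/*"` and `aws_dynamodb_table.tfstate_lock.arn` as the comments already spell out, leaving only the `Describe*`/`Get*` reads on `*` if the provider genuinely needs them account-wide. The trust policy's `sub` condition `repo:${var.github_repo}:*` lets a workflow run from any branch, pull request or environment of the repository assume a role that runs `terraform apply`; narrowing it to `repo:${var.github_repo}:ref:refs/heads/main`, or to a GitHub `environment:` claim, limits who can deploy. `ec2:DescribeAddress` in the action list looks like a typo of `ec2:DescribeAddresses`, which is already present earlier in the same list, and `s3:listBucket` is conventionally written `s3:ListBucket` (IAM matches action names case-insensitively, so this is style only). The header comment `# # create a role that can be assumed to pull and push docker images from` no longer describes the policy, which is Terraform state access plus read-only inspection; `# Role assumed by GitHub Actions via OIDC to run Terraform against the ECS stack` would match the code.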
2 changes: 1 addition & 1 deletion terraform/implementation/setup/main.tf
Expand Up @@ -77,4 +77,4 @@ resource "local_file" "ecs_env" {
REGION=${var.region}
EOT
filename = "../ecs/.env"
}
}
3 changes: 3 additions & 0 deletions terraform/implementation/setup/variables.tf
Expand Up @@ -9,3 +9,6 @@ variable "region" {
type = string
default = "us-east-1"
}
variable "github_repo" {
type = string
}
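Review bot: `variable "github_repo"` has no `description`, and because its value lands verbatim in the OIDC trust condition `repo:${var.github_repo}:*` in iam.tf a reader has to know the expected form; add `description = "GitHub repository (OWNER/NAME) whose workflows may assume the deploy role"`. A `validation` block checking the `owner/name` shape would catch a value such as a full URL, which would otherwise produce a trust condition no token can satisfy and a confusing AssumeRole failure in the workflow. Leaving the variable without a `default` is the right call here: a placeholder or wildcard default would widen the trust policy silently.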
15 changes: 0 additions & 15 deletions terraform/modules/ecr/_data.tf
@@ -1,18 +1,3 @@
data "aws_iam_policy_document" "ecr_policy" {

for_each = var.service_data
statement {
actions = [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage",
]

resources = ["arn:aws:ecs:${var.region}:${var.aws_caller_identity}:cluster/${var.ecs_cluster_name}/${each.key}"]
}
}

data "docker_registry_image" "ghcr_data" {
for_each = var.service_data
name = "ghcr.io/cdcgov/phdi/${each.key}:${var.phdi_version}"
