Merge branch 'main' into wmg/check-on-reconnect
Showing 161 changed files with 4,012 additions and 1,808 deletions.
.github/workflows/check-infra-auth.yml → .github/workflows/check-ci-cd-auth.yml (2 changes: 1 addition & 1 deletion)
@@ -1,4 +1,4 @@ | ||
name: Check GitHub Actions AWS Authentication | ||
name: Check CI/CD AWS authentication | ||
|
||
on: | ||
workflow_dispatch: | ||
|
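Review bot: the rename is applied consistently to both the filename and the `name:` field, but nothing else in this hunk updates references to the old path; check that any README, runbook or link pointing at `.github/workflows/check-infra-auth.yml` or at the old display name "Check GitHub Actions AWS Authentication" is updated in the same change so the manual `workflow_dispatch` entry point stays discoverable.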
@@ -0,0 +1,72 @@ | ||
# This workflow checks the status of infrastructure deployments to see whether | ||
# infrastructure code configuration matches the actual state of the infrastructure. | ||
# It does this by checking that Terraform plans show an empty diff (no changes) | ||
# across all root modules and backend configurations. | ||
name: Check infra deploy status | ||
|
||
on: | ||
workflow_dispatch: | ||
schedule: | ||
# Run every day at 07:00 UTC (3am ET, 12am PT) after engineers are likely done with work | ||
- cron: "0 7 * * *" | ||
|
||
jobs: | ||
collect-configs: | ||
name: Collect configs | ||
runs-on: ubuntu-latest | ||
outputs: | ||
root_module_configs: ${{ steps.collect-infra-deploy-status-check-configs.outputs.root_module_configs }} | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- name: Collect root module configurations | ||
id: collect-infra-deploy-status-check-configs | ||
run: | | ||
root_module_configs="$(./bin/infra-deploy-status-check-configs)" | ||
echo "${root_module_configs}" | ||
echo "root_module_configs=${root_module_configs}" >> "$GITHUB_OUTPUT" | ||
check: | ||
name: ${{ matrix.root_module_subdir }} ${{ matrix.backend_config_name }} | ||
runs-on: ubuntu-latest | ||
needs: collect-configs | ||
|
||
# Skip this job if there are no root module configurations to check, | ||
# otherwise the GitHub actions will give the error: "Matrix must define at least one vector" | ||
if: ${{ needs.collect-configs.outputs.root_module_configs != '[]' }} | ||
|
||
strategy: | ||
fail-fast: false | ||
matrix: | ||
include: ${{ fromJson(needs.collect-configs.outputs.root_module_configs) }} | ||
|
||
permissions: | ||
contents: read | ||
id-token: write | ||
|
||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: hashicorp/setup-terraform@v2 | ||
with: | ||
terraform_version: 1.8.3 | ||
terraform_wrapper: false | ||
|
||
- name: Configure AWS credentials | ||
uses: ./.github/actions/configure-aws-credentials | ||
with: | ||
account_name: ${{ matrix.infra_layer == 'accounts' && matrix.account_name || null }} | ||
network_name: ${{ matrix.infra_layer == 'networks' && matrix.backend_config_name || null }} | ||
app_name: ${{ contains(fromJSON('["build-repository", "database", "service"]'), matrix.infra_layer) && matrix.app_name || null }} | ||
environment: ${{ contains(fromJSON('["build-repository", "database", "service"]'), matrix.infra_layer) && matrix.backend_config_name || null }} | ||
|
||
- name: Check Terraform plan | ||
run: | | ||
echo "::group::Initialize Terraform" | ||
echo terraform -chdir="infra/${{ matrix.root_module_subdir }}" init -input=false -reconfigure -backend-config="${{ matrix.backend_config_name }}.s3.tfbackend" | ||
terraform -chdir="infra/${{ matrix.root_module_subdir }}" init -input=false -reconfigure -backend-config="${{ matrix.backend_config_name }}.s3.tfbackend" | ||
echo "::endgroup::" | ||
echo "::group::Check Terraform plan" | ||
echo terraform -chdir="infra/${{ matrix.root_module_subdir }}" plan -input=false -detailed-exitcode ${{ matrix.extra_params }} | ||
terraform -chdir="infra/${{ matrix.root_module_subdir }}" plan -input=false -detailed-exitcode ${{ matrix.extra_params }} | ||
echo "::endgroup::" | ||
env: | ||
TF_IN_AUTOMATION: "true" |
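Review bot: in the "Check Terraform plan" step, `terraform plan -detailed-exitcode` exits 2 when the plan is non-empty and 1 when init or plan itself fails, but the step treats both as a plain failure, so a real drift report and a broken backend config or expired credentials look identical in the job result; capture the exit status and emit a distinct `::error::` line for each case. Two smaller points: `${{ matrix.root_module_subdir }}`, `${{ matrix.backend_config_name }}` and `${{ matrix.extra_params }}` are expanded straight into the shell script, which is the pattern GitHub's script-injection guidance recommends replacing with intermediate `env:` variables and quoted `"$VAR"` references (the matrix currently comes from a script in this repository, so the risk is low today, but the quoting is also fragile). And `echo "root_module_configs=${root_module_configs}" >> "$GITHUB_OUTPUT"` only sets the output correctly if `./bin/infra-deploy-status-check-configs` prints single-line JSON; if it ever emits multi-line output, the `name<<DELIMITER` form is required.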
@@ -0,0 +1,21 @@ | ||
name: CI App PR Environment Checks | ||
on: | ||
workflow_dispatch: | ||
inputs: | ||
pr_number: | ||
required: true | ||
type: string | ||
commit_hash: | ||
required: true | ||
type: string | ||
# !! Uncomment the following lines once you've set up the dev environment and are ready to enable PR environments | ||
# pull_request: | ||
jobs: | ||
update: | ||
name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise | ||
uses: ./.github/workflows/pr-environment-checks.yml | ||
with: | ||
app_name: "app" | ||
environment: "dev" | ||
pr_number: ${{ inputs.pr_number || github.event.number }} | ||
commit_hash: ${{ inputs.commit_hash || github.event.pull_request.head.sha }} |
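Review bot: once the commented `pull_request:` trigger is enabled, pull requests opened from forks run with a read-only `GITHUB_TOKEN` and without repository secrets or an OIDC token, so the AWS steps inside pr-environment-checks.yml will fail for those PRs; either gate the job with `if: github.event.pull_request.head.repo.full_name == github.repository` or document that fork PRs are unsupported. On the `workflow_dispatch` path, `commit_hash` is a free-form string; the reusable workflow should validate that it is a 40-character hex SHA (or resolve it with `git rev-parse --verify`) before it is used downstream.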
@@ -0,0 +1,18 @@ | ||
name: CI App PR Environment Destroy | ||
on: | ||
workflow_dispatch: | ||
inputs: | ||
pr_number: | ||
required: true | ||
type: string | ||
# !! Uncomment the following lines once you've set up the dev environment and are ready to enable PR environments | ||
# pull_request: | ||
# types: [closed] | ||
jobs: | ||
destroy: | ||
name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise | ||
uses: ./.github/workflows/pr-environment-destroy.yml | ||
with: | ||
app_name: "app" | ||
environment: "dev" | ||
pr_number: ${{ inputs.pr_number || github.event.number }} |
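Review bot: `pr_number` is declared `type: string` and forwarded to pr-environment-destroy.yml without validation, yet it selects which environment is torn down; declare the `workflow_dispatch` input as `type: number` (or validate it is an integer in the reusable workflow) so a malformed or empty value cannot resolve to an unintended resource name. When the commented `pull_request: types: [closed]` trigger is enabled, decide explicitly whether closed PRs from forks should trigger a destroy at all, since those runs have a read-only token and no OIDC credentials and will fail.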
@@ -14,9 +14,9 @@ jobs: | |
name: Lint markdown | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
# This is the GitHub Actions-friendly port of the linter used in the Makefile. | ||
- uses: gaurav-nelson/[email protected] | ||
with: | ||
use-quiet-mode: 'yes' # errors only. | ||
config-file: '.github/workflows/markdownlint-config.json' | ||
use-quiet-mode: "yes" # errors only. | ||
config-file: ".github/workflows/markdownlint-config.json" |
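Review bot: the checkout bump to v4 and the switch to double quotes are consistent with the rest of this commit; the third-party link-check action on the `uses:` line is still referenced by a version tag, which is mutable, so pin it to a full commit SHA with the version in a trailing comment, as GitHub's hardening guidance recommends for actions outside the organization.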
@@ -21,7 +21,7 @@ jobs: | |
name: Lint GitHub Actions workflows | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
- name: Download actionlint | ||
id: get_actionlint | ||
run: bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) | ||
|
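Review bot: `bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)` executes whatever is currently on the upstream `main` branch with no version or checksum, so the lint toolchain can change silently and any compromise of that script runs with this job's token; pin the script URL to a release tag rather than `main` and verify the downloaded binary's checksum, or run the actionlint container image by digest. Also pass `-fsSL` to curl so a failed download does not silently feed an HTML error page to bash.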
@@ -33,14 +33,14 @@ jobs: | |
name: Lint scripts | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
- name: Shellcheck | ||
run: make infra-lint-scripts | ||
check-terraform-format: | ||
name: Check Terraform format | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
- uses: hashicorp/setup-terraform@v2 | ||
with: | ||
terraform_version: 1.8.3 | ||
|
@@ -53,7 +53,7 @@ jobs: | |
name: Validate Terraform modules | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
- uses: hashicorp/setup-terraform@v2 | ||
with: | ||
terraform_version: 1.8.3 | ||
|
@@ -64,7 +64,7 @@ jobs: | |
name: Check compliance with checkov | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
- uses: actions/setup-python@v4 | ||
with: | ||
python-version: "3.10" | ||
|
@@ -88,7 +88,7 @@ jobs: | |
pull-requests: write | ||
|
||
steps: | ||
- uses: actions/checkout@v3 | ||
- uses: actions/checkout@v4 | ||
- name: Run tfsec check | ||
uses: aquasecurity/[email protected] | ||
with: | ||
|