Transition Dev environment Infrastructure to ECS (#222)

Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
CDCgov · Jan 7, 2025 · 10e1475 · 10e1475
1 parent 370365d
commit 10e1475
Show file tree

Hide file tree

Showing 36 changed files with 1,906 additions and 0 deletions.
diff --git a/.github/workflows/ecs_terraform.yaml b/.github/workflows/ecs_terraform.yaml
@@ -0,0 +1,88 @@
+name: Terraform Plan & Terraform Apply
+run-name: Terraform plan & apply ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+  merge_group:
+    types:
+      - checks_requested
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      workspace:
+        description: "The workspace to terraform against"
+        required: true
+        type: string
+        default: "dev"
+
+concurrency:
+  group: ${{ github.event.inputs.workspace }}-terraform
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  workspace: dev
+
+jobs:
+  terraform:
+    name: Run Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        # this may need to be updated if you change the directory you are working with
+        # ./terraform/implementation/dev || ./terraform/implementation/prod for example
+        # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts
+        working-directory: ./terraform/implementation/ecs
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/[email protected]
+        with:
+          terraform_version: "1.9.8"
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Terraform
+        env:
+          BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+          DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+          REGION: ${{ vars.region }}
+          WORKSPACE: ${{ env.workspace }}
+          UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }}
+          ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}}
+          TLS_CERT: ${{ secrets.TLS_CERT}}
+          TLS_KEY: ${{ secrets.TLS_KEY}}
+        shell: bash
+        run: |
+          rm -rf .terraform .terraform.lock.hcl
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          terraform apply -auto-approve -target=aws_acm_certificate.cloudflare_cert \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert=${TLS_CERT}"
+          terraform plan \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert=${TLS_CERT}"          
+          terraform apply -replace="module.ecs.dockerless_remote_image.dibbs"
diff --git a/.github/workflows/terraform_plan.yaml b/.github/workflows/terraform_plan.yaml
@@ -0,0 +1,76 @@
+name: Ad-hoc Terraform Plan
+run-name: Terraform plan ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      workspace:
+        description: "The workspace to terraform against"
+        required: true
+        type: string
+        default: "dev"
+
+concurrency:
+  group: ${{ github.event.inputs.workspace }}-terraform
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  workspace: dev
+
+jobs:
+  terraform:
+    name: Run Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        # this may need to be updated if you change the directory you are working with
+        # ./terraform/implementation/dev || ./terraform/implementation/prod for example
+        # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts
+        working-directory: ./terraform/implementation/ecs
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/[email protected]
+        with:
+          terraform_version: "1.9.8"
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Terraform
+        env:
+          # ACTION: ${{ env.terraform_action }}
+          BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+          DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+          REGION: ${{ vars.region }}
+          WORKSPACE: ${{ env.workspace }}
+          UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }}
+          ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}}
+          TLS_CERT: ${{ secrets.TLS_CERT}}
+          TLS_KEY: ${{ secrets.TLS_KEY}}
+        shell: bash
+        run: |
+          rm -rf .terraform .terraform.lock.hcl
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          terraform plan \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert=${TLS_CERT}"
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
@@ -0,0 +1,55 @@
+name: Terraform Linting
+on:
+  pull_request:
+    branches:
+      - "**"
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tflint:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        dirs:
+          [
+            terraform/modules/oidc,
+            terraform/modules/tfstate,
+            terraform/implementation/setup,
+            terraform/implementation/ecs,
+          ]
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout source code
+
+      - uses: actions/cache@v4
+        name: Cache plugin dir
+        with:
+          path: ~/.tflint.d/plugins
+          key: ${{ matrix.dirs }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v0.52.0
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+        # If rate limiting becomes an issue, setup a GitHub token and enable it as an environment variable
+        # env:
+        # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+        # GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run TFLint
+        working-directory: ${{ github.workspace }}/${{matrix.dirs}}
+        run: tflint -f compact
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,33 @@
+name: Trivy Security Scan
+
+on:
+  pull_request:
+    branches:
+      - "**"
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    name: trivy
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: "fs"
+          scan-ref: "terraform/modules/"
+          scanners: "vuln,secret,config"
+          ignore-unfixed: false
+          exit-code: "1"
+          format: "table"
+          severity: "CRITICAL,HIGH"
diff --git a/.gitignore b/.gitignore
@@ -84,3 +84,10 @@ build/
 
 .env
 .local.env 
+
+tmp_remote_image_*
+
+# Local .terraform directories
+**/.terraform/*
+.terraform/modules/ecs
+terraform/implementation/ecs/.terraform/*
diff --git a/terraform/implementation/ecs/README.md b/terraform/implementation/ecs/README.md
@@ -0,0 +1,45 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.9.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | =5.56.1 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | 5.56.1 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_ecs"></a> [ecs](#module\_ecs) | CDCgov/dibbs-ecr-viewer/aws | 0.3.0 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.16.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_acm_certificate.this](https://registry.terraform.io/providers/hashicorp/aws/5.56.1/docs/data-sources/acm_certificate) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | The availability zones to use | `list(string)` | <pre>[<br>  "us-east-1a",<br>  "us-east-1b",<br>  "us-east-1c"<br>]</pre> | no |
+| <a name="input_internal"></a> [internal](#input\_internal) | Flag to determine if the several AWS resources are public (intended for external access, public internet) or private (only intended to be accessed within your AWS VPC or avaiable with other means, a transit gateway for example). | `bool` | `true` | no |
+| <a name="input_owner"></a> [owner](#input\_owner) | The owner of the infrastructure | `string` | `"skylight"` | no |
+| <a name="input_phdi_version"></a> [phdi\_version](#input\_phdi\_version) | PHDI container image version | `string` | `"v1.7.6"` | no |
+| <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | The private subnets | `list(string)` | <pre>[<br>  "176.24.1.0/24",<br>  "176.24.3.0/24"<br>]</pre> | no |
+| <a name="input_project"></a> [project](#input\_project) | The project name | `string` | `"dibbs"` | no |
+| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | The public subnets | `list(string)` | <pre>[<br>  "176.24.2.0/24",<br>  "176.24.4.0/24"<br>]</pre> | no |
+| <a name="input_region"></a> [region](#input\_region) | AWS region | `string` | `"us-east-1"` | no |
+| <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | The CIDR block for the VPC | `string` | `"176.24.0.0/16"` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/terraform/implementation/ecs/_local.tf b/terraform/implementation/ecs/_local.tf
@@ -0,0 +1,8 @@
+locals {
+  vpc_name = "${var.project}-${var.owner}-${terraform.workspace}"
+  tags = {
+    project   = var.project
+    owner     = var.owner
+    workspace = terraform.workspace
+  }
+}