Transition Dev environment Infrastructure to ECS

.github/workflows/ecs_terraform.yaml

@@ -0,0 +1,93 @@
+name: Terraform Plan & Terraform Apply
+run-name: Terraform plan & apply ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+  pull_request:
+    branches:
+      - "**"
+  merge_group:
+    types:
+      - checks_requested
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      workspace:
+        description: "The workspace to terraform against"
+        required: true
+        type: string
+        default: "dev"
+
+concurrency:
+  group: ${{ github.event.inputs.workspace }}-terraform
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  workspace: dev
+
+jobs:
+  terraform:
+    name: Run Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        # this may need to be updated if you change the directory you are working with
+        # ./terraform/implementation/dev || ./terraform/implementation/prod for example
+        # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts
+        working-directory: ./terraform/implementation/ecs
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/[email protected]
+        with:
+          terraform_version: "1.9.8"
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Terraform
+        env:
+          BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+          DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+          OWNER: ${{ vars.OWNER }}
+          PROJECT: ${{ vars.PROJECT }}
+          REGION: ${{ vars.region }}
+          WORKSPACE: ${{ env.workspace }}
+          UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }}
+          ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}}
+          TLS_CERT: ${{ secrets.TLS_CERT}}
+          TLS_KEY: ${{ secrets.TLS_KEY}}
+        shell: bash
+        run: |
+          rm -rf .terraform .terraform.lock.hcl
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          terraform apply -auto-approve -target=aws_acm_certificate.cloudflare_cert \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert=${TLS_CERT}"
+          terraform plan -out=tfplan \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert=${TLS_CERT}"
+          terraform apply tfplan

.github/workflows/terraform_plan.yaml

@@ -0,0 +1,84 @@
+name: Ad-hoc Terraform Plan
+run-name: Terraform plan ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      workspace:
+        description: "The workspace to terraform against"
+        required: true
+        type: string
+        default: "dev"
+
+concurrency:
+  group: ${{ github.event.inputs.workspace }}-terraform
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  workspace: dev
+
+jobs:
+  terraform:
+    name: Run Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        # this may need to be updated if you change the directory you are working with
+        # ./terraform/implementation/dev || ./terraform/implementation/prod for example
+        # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts
+        working-directory: ./terraform/implementation/ecs
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/[email protected]
+        with:
+          terraform_version: "1.9.8"
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ secrets.AWS_REGION }}
+
+      - name: Terraform
+        env:
+          # ACTION: ${{ env.terraform_action }}
+          BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+          DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+          OWNER: ${{ vars.OWNER }}
+          PROJECT: ${{ vars.PROJECT }}
+          REGION: ${{ vars.region }}
+          WORKSPACE: ${{ env.workspace }}
+          UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }}
+          ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}}
+          TLS_CERT: ${{ secrets.TLS_CERT}}
+          TLS_KEY: ${{ secrets.TLS_KEY}}
+        shell: bash
+        run: |
+          rm -rf .terraform .terraform.lock.hcl
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          terraform apply -auto-approve -target=aws_acm_certificate.cloudflare_cert \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert=${TLS_CERT}"
+          terraform plan -out=tfplan \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert=${TLS_CERT}"

.github/workflows/tflint.yaml

@@ -0,0 +1,55 @@
+name: Terraform Linting
+on:
+  pull_request:
+    branches:
+      - "**"
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tflint:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        dirs:
+          [
+            terraform/modules/oidc,
+            terraform/modules/tfstate,
+            terraform/implementation/setup,
+            terraform/implementation/ecs,
+          ]
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout source code
+
+      - uses: actions/cache@v4
+        name: Cache plugin dir
+        with:
+          path: ~/.tflint.d/plugins
+          key: ${{ matrix.dirs }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v0.52.0
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+        # If rate limiting becomes an issue, setup a GitHub token and enable it as an environment variable
+        # env:
+        # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+        # GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run TFLint
+        working-directory: ${{ github.workspace }}/${{matrix.dirs}}
+        run: tflint -f compact

.github/workflows/trivy.yaml

@@ -0,0 +1,33 @@
+name: Trivy Security Scan
+
+on:
+  pull_request:
+    branches:
+      - "**"
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    name: trivy
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: "fs"
+          scan-ref: "terraform/modules/"
+          scanners: "vuln,secret,config"
+          ignore-unfixed: false
+          exit-code: "1"
+          format: "table"
+          severity: "CRITICAL,HIGH"

.gitignore

@@ -84,3 +84,10 @@ build/
 
 .env
 .local.env 
+
+tmp_remote_image_*
+
+# Local .terraform directories
+**/.terraform/*
+.terraform/modules/ecs
+terraform/implementation/ecs/.terraform/*

terraform/.terraform/environment

@@ -0,0 +1 @@
+dev

terraform/implementation/ecs/.terraform/environment

@@ -0,0 +1 @@
+dev

terraform/implementation/ecs/.terraform/modules/modules.json

@@ -0,0 +1 @@
+{"Modules":[{"Key":"","Source":"","Dir":"."},{"Key":"ecs","Source":"registry.terraform.io/CDCgov/dibbs-ecr-viewer/aws","Version":"0.3.0","Dir":".terraform/modules/ecs"},{"Key":"rds","Source":"registry.terraform.io/terraform-aws-modules/rds/aws","Version":"6.10.0","Dir":".terraform/modules/rds"},{"Key":"rds.db_instance","Source":"./modules/db_instance","Dir":".terraform/modules/rds/modules/db_instance"},{"Key":"rds.db_instance_role_association","Source":"./modules/db_instance_role_association","Dir":".terraform/modules/rds/modules/db_instance_role_association"},{"Key":"rds.db_option_group","Source":"./modules/db_option_group","Dir":".terraform/modules/rds/modules/db_option_group"},{"Key":"rds.db_parameter_group","Source":"./modules/db_parameter_group","Dir":".terraform/modules/rds/modules/db_parameter_group"},{"Key":"rds.db_subnet_group","Source":"./modules/db_subnet_group","Dir":".terraform/modules/rds/modules/db_subnet_group"},{"Key":"vpc","Source":"registry.terraform.io/terraform-aws-modules/vpc/aws","Version":"5.16.0","Dir":".terraform/modules/vpc"}]}