greenfield infra code (#4687)

.github/workflows/deploy.yaml

@@ -0,0 +1,113 @@
+name: 'Deployment'
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - <change-me-to-main>
+  pull_request:
+    branches: [<change-me-to-main>]
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency: ${{ github.head_ref || github.ref_name || github.run_id }}
+jobs:
+  terraform:
+    name: ${{matrix.runner}} - dev
+    runs-on: ['${{ matrix.runner }}']
+    strategy:
+      max-parallel: 1
+      matrix:
+        include:
+          - environment: dev
+            runner: ubuntu-latest
+    env:
+      AWS_DEFAULT_REGION: us-east-1
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.OIDC_IAM_ROLE_ARN }}
+          aws-region: us-east-1
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Build, tag, and push the web image to Amazon ECR
+        id: build-web-image
+        env:
+          ECR_REGISTRY: ${{ secrets.ECR_REGISTRY }}
+          ECR_REPOSITORY: ${{ secrets.WEB_ECR_REPOSITORY }}
+          OKTA_DOMAIN: ${{ secrets.OKTA_DOMAIN }}
+          TEALIUM_ENV: 'dev'
+          LD_CLIENT_ID: ${{ secrets.LD_CLIENT_ID }}
+          TEALIUM_TAG: ${{ secrets.TEALIUM_TAG }}
+          API_URL: ${{ secrets.API_URL }}
+
+        run: |
+          # Build a docker container and push it to ECR
+          export IMAGE_TAG=$(git rev-parse --short "$GITHUB_SHA")
+          docker build --quiet -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG --build-arg LD_CLIENT_ID=$LD_CLIENT_ID --build-arg TEALIUM_ENV=$TEALIUM_ENV --build-arg TEALIUM_TAG=TEALIUM_TAG --build-arg OKTA_DOMAIN=$OKTA_DOMAIN -f web/DockerfileECS .
+          echo "Pushing image to ECR..."
+          export WEB_IMAGE=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          docker push $WEB_IMAGE
+          echo "::set-output name=image::${WEB_IMAGE}"
+
+      - name: Build, tag, and push the api image to Amazon ECR
+        id: build-api-image
+        env:
+          ECR_REGISTRY: ${{ secrets.ECR_REGISTRY }}
+          ECR_REPOSITORY: ${{ secrets.API_ECR_REPOSITORY }}
+        run: |
+          # Build a docker container and push it to ECR
+          export IMAGE_TAG=$(git rev-parse --short "$GITHUB_SHA")
+          docker build --quiet -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -f api/DockerfileECS .
+          echo "Pushing image to ECR..."
+          export API_IMAGE=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
+          docker push $API_IMAGE
+          echo "::set-output name=image::${API_IMAGE}"
+
+      - uses: hashicorp/setup-terraform@v1
+        with:
+          terraform_wrapper: false
+      - name: Terraform Init
+        id: init
+        working-directory: terraform/greenfield/ecs
+        run: |
+          rm -rf .terraform
+          terraform init -backend-config=envs/dev/backend.tfvars -upgrade=true -no-color -input=false
+      - name: Terraform Plan
+        id: plan
+        working-directory: terraform/greenfield/ecs
+        run: |
+          terraform plan -input=false -var-file=envs/dev/inputs.tfvars -var "web_image=$WEB_IMAGE" -var "aws_account=$AWS_ACCOUNT"  -var "api_image=$API_IMAGE" -no-color
+        env:
+          AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+          WEB_IMAGE: ${{steps.build-web-image.outputs.image}}
+          API_IMAGE: ${{steps.build-api-image.outputs.image}}
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/gf-ecs'
+        id: apply
+        working-directory: terraform/greenfield/ecs
+        run: |
+          terraform apply -auto-approve -input=false -var-file=envs/dev/inputs.tfvars -var "aws_account=$AWS_ACCOUNT" -var "web_image=$WEB_IMAGE" -var "api_image=$API_IMAGE"
+        env:
+          AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+          WEB_IMAGE: ${{steps.build-web-image.outputs.image}}
+          API_IMAGE: ${{steps.build-api-image.outputs.image}}
+      - name: Terraform destroy
+        if: github.ref == 'refs/heads/destroy'
+        id: destroy
+        working-directory: terraform/greenfiel/ecs
+        run: |
+          terraform destroy -auto-approve -input=false -var-file=envs/dev/inputs.tfvars
+        env:
+          WEB_IMAGE: ${{steps.build-web-image.outputs.image}}
+          API_IMAGE: ${{steps.build-api-image.outputs.image}}

.github/workflows/test.yaml

@@ -0,0 +1,74 @@
+name: 'Deployment'
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - <change-me-to-main>
+  pull_request:
+    branches: [<change-me-to-main>]
+defaults:
+  run:
+    shell: bash
+
+permissions:
+  id-token: write
+  contents: read
+
+concurrency: ${{ github.head_ref || github.ref_name || github.run_id }}
+jobs:
+  dependency_vulnerability_scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: '16.19.1'
+      # - name: save yarn package cache
+      #   continue-on-error: true
+      #   with:
+      #     id: cache-npm
+      #     uses: actions/cache@v3
+      #     # npm cache files are stored in `~/.npm` on Linux/macOS
+      #     path: ~/.cache/yarn
+      #     key: cms-eapd-yarn-packages-{{ checksum "yarn.lock" }}
+      #     restore-keys: |
+      #       ${{ runner.os }}-build-${{ cms-eapd-yarn-packages }}-
+      #       ${{ runner.os }}-build-
+      #       ${{ runner.os }}-
+      - name: install dependencies
+        continue-on-error: true
+        run: yarn install --frozen-lockfile --cache-folder ~/.cache/yarn
+      - name: setup nvm
+        continue-on-error: true
+        run: |
+          curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.37.2/install.sh | bash
+          export NVM_DIR="$HOME/.nvm"
+          [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
+          [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"
+          nvm install 16.19.1
+          nvm alias default 16.19.1
+          echo 'export NVM_DIR="$HOME/.nvm"' >> $GITHUB_ENV
+          echo '[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"' >> $GITHUB_ENV
+
+      - name: dependency vulnerability scan
+        continue-on-error: true
+        run: yarn run audit
+      - name: yaml test
+        working-directory: ./web
+        run: |
+          yarn install --frozen-lockfile
+          yarn add glob
+          yarn add js-yaml
+          node yaml-tests.js
+      - name: backend_lint
+        continue-on-error: true
+        working-directory: ./api
+        run: |
+          npm install -g eslint
+          yarn lint
+      - name: frontend_lint
+        continue-on-error: true
+        working-directory: ./web
+        run: |
+          npm install -g eslint
+          yarn lint

api/DockerfileECS

@@ -0,0 +1,33 @@
+FROM node:16.19.1-bullseye-slim as builder
+
+RUN mkdir /app
+WORKDIR /app
+
+COPY package.json .
+COPY ./api/package.json ./api/package.json
+COPY yarn.lock .
+COPY common ./common
+
+RUN chown -R node:node /app
+USER node:node
+
+RUN yarn install --frozen-lockfile --non-interactive
+RUN npm rebuild
+
+COPY api ./api
+
+# ---
+
+FROM node:16.19.1-bullseye-slim
+
+USER node
+WORKDIR /home/node
+
+COPY --from=builder --chown=node:node /app/package.json ./
+COPY --from=builder --chown=node:node /app/node_modules/ ./node_modules/
+COPY --from=builder --chown=node:node /app/common/ ./common/
+COPY --from=builder --chown=node:node /app/api/ ./api/
+
+WORKDIR /home/node/api
+
+CMD yarn run start

terraform/greenfield/.gitignore

@@ -0,0 +1,29 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*

terraform/greenfield/bootstrap/.gitignore

@@ -0,0 +1,29 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*

terraform/greenfield/bootstrap/README.md

@@ -0,0 +1,48 @@
+# Terraform for GitHub OIDC
+
+## Usage
+
+This Terraform module is located in a sub-directory, since some users may wish
+to consume this module even if they don't need to set up self-hosted runners.
+Note that to refer to a sub-directory as a Terraform module source, you need to
+[include a double slash before the sub-directory](https://developer.hashicorp.com/terraform/language/modules/sources#modules-in-package-sub-directories).
+
+```hcl
+  module "github-actions-aws" {
+    source = "modules//oidc/github" # double-slash denotes a sub-directory
+
+    subject_claim_filters                         = ["repo:{your GitHub org}/{your GitHub repo}:{GitHub ref}"]
+    # audience_list                               = [] # optional, defaults to ["sts.amazonaws.com"]
+    # thumbprint_list                             = [] # optional, defaults to ["6938fd4d98bab03faadb97b34396831e3780aea1"]
+    # github_actions_permissions_policy_json_path = "" # optional, defaults to "github_actions_permission_policy.json"
+    # add_read_only_access                        = bool # optional, defaults to false
+  }
+```
+
+## Permissions policy
+
+This module assumes that the permissions policy for the IAM role will be named
+`github_actions_permission_policy.json` and located in the same folder as the
+root module (the path and filename are configurable via the
+`github_actions_permissions_policy_json_path` variable). An example policy:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": ["securityhub:BatchImportFindings"],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Sid": "UpdateService",
+      "Effect": "Allow",
+      "Action": ["ecs:UpdateService"],
+      "Resource": [
+        "arn:aws:ecs:{your region}:{your account number}:service/{your self-hosted runner cluster name}/{your github runner service name}"
+      ]
+    }
+  ]
+}
+```

terraform/greenfield/bootstrap/environments/dev/backend.tfvars

@@ -0,0 +1,4 @@
+
+region = "us-east-1"
+bucket = "eapd-tf-<replace_me_with_aws_account>"
+key    = "bootstrap/dev/terraform.tfstate"