Github action CD

.github/iac/main.tf

@@ -0,0 +1,121 @@
+terraform {
+  backend "s3" {
+    bucket = "demeter-tf"
+    key    = "github/demeter-fabric.tfstate"
+    region = "us-west-2"
+  }
+  required_providers {
+    kubernetes = {
+      source = "hashicorp/kubernetes"
+    }
+  }
+}
+
+provider "kubernetes" {
+  config_path    = "~/.kube/config"
+  config_context = "arn:aws:eks:us-west-2:295114534192:cluster/m2-prod-7xjh33"
+}
+
+provider "helm" {
+  kubernetes {
+    config_path    = "~/.kube/config"
+    config_context = "arn:aws:eks:us-west-2:295114534192:cluster/m2-prod-7xjh33"
+  }
+}
+
+variable "rpc_image" {}
+variable "kafka_admin_password" {}
+variable "kafka_rpc_password" {}
+variable "kafka_daemon_password" {}
+variable "secret" {}
+variable "auth0_client_id" {}
+variable "auth0_client_secret" {}
+variable "auth0_audience" {}
+variable "stripe_api_key" {}
+variable "email_ses_access_key_id" {}
+variable "email_ses_secret_access_key" {}
+
+locals {
+  namespace                   = "fabric-stg"
+  queue_instance_name         = "fabric-queue"
+  replicas                    = 1
+  external_domain             = "stg-fabric-queue.demeter.run"
+  broker_urls                 = "redpanda.${local.external_domain}:31092"
+  secret                      = var.secret
+  kafka_admin_username        = "admin"
+  kafka_admin_password        = var.kafka_admin_password
+  kafka_rpc_username          = "rpc"
+  kafka_rpc_password          = var.kafka_rpc_password
+  kafka_daemon_username       = "daemon"
+  kafka_daemon_password       = var.kafka_daemon_password
+  kafka_daemon_consumer       = "daemon"
+  kafka_topic                 = "stg"
+  auth0_client_id             = var.auth0_client_id
+  auth0_client_secret         = var.auth0_client_secret
+  auth0_audience              = var.auth0_audience
+  stripe_api_key              = var.stripe_api_key
+  email_invite_ttl_min        = 15
+  email_ses_region            = "us-west-2"
+  email_ses_access_key_id     = var.email_ses_access_key_id
+  email_ses_secret_access_key = var.email_ses_secret_access_key
+  email_ses_verified_email    = "[email protected]"
+}
+
+resource "kubernetes_namespace_v1" "fabric_namespace" {
+  metadata {
+    name = local.namespace
+  }
+}
+
+module "fabric_queue" {
+  source     = "../../../fabric/bootstrap/queue/"
+  depends_on = [kubernetes_namespace_v1.fabric_namespace]
+
+  namespace       = local.namespace
+  instance_name   = local.queue_instance_name
+  replicas        = local.replicas
+  external_domain = local.external_domain
+  admin_username  = local.kafka_admin_username
+  admin_password  = local.kafka_admin_password
+  rpc_username    = local.kafka_rpc_username
+  rpc_password    = local.kafka_rpc_password
+
+  daemon_users = [
+    {
+      name          = local.kafka_daemon_username
+      password      = local.kafka_daemon_password
+      consumer_name = local.kafka_daemon_consumer
+    },
+  ]
+}
+
+module "fabric_rpc" {
+  source = "../../../fabric/bootstrap/rpc"
+
+  namespace                   = local.namespace
+  image                       = var.rpc_image
+  broker_urls                 = local.broker_urls
+  consumer_name               = "rpc"
+  kafka_username              = local.kafka_admin_username
+  kafka_password              = local.kafka_admin_password
+  kafka_topic                 = local.kafka_topic
+  secret                      = local.secret
+  auth0_client_id             = local.auth0_client_id
+  auth0_client_secret         = local.auth0_client_secret
+  auth0_audience              = local.auth0_audience
+  stripe_api_key              = local.stripe_api_key
+  email_invite_ttl_min        = local.email_invite_ttl_min
+  email_ses_region            = local.email_ses_region
+  email_ses_access_key_id     = local.email_ses_access_key_id
+  email_ses_secret_access_key = local.email_ses_secret_access_key
+  email_ses_verified_email    = local.email_ses_verified_email
+}
+
+module "fabric_services" {
+  source     = "../../../fabric/bootstrap/services/"
+  depends_on = [module.fabric_queue, module.fabric_rpc]
+
+  namespace          = local.namespace
+  ingress_class_name = "nginx"
+  dns_zone           = "demeter.run"
+}

.github/workflows/build.yml

@@ -1,4 +1,4 @@
-name: build
+name: Build
 
 on:
   workflow_dispatch: {}

.github/workflows/deploy.yml

@@ -0,0 +1,54 @@
+name: Deploy
+
+on:
+  workflow_dispatch: {}
+  workflow_run:
+    workflows: [Build]
+    types: [completed]
+
+jobs:
+  rpc:
+    runs-on: ubuntu-latest
+    env:
+      TF_VAR_rpc_image: rpc_image=ghcr.io/demeter-run/fabric-rpc:${{ github.sha }}
+      TF_VAR_kafka_admin_password: ${{ secrets.KAFKA_ADMIN_PASSWORD }} 
+      TF_VAR_kafka_rpc_password: ${{ secrets.KAFKA_RPC_PASSWORD }}
+      TF_VAR_kafka_daemon_password: ${{ secrets.KAFKA_DAEMON_PASSWORD }}
+      TF_VAR_secret: ${{ secrets.SECRET }}
+      TF_VAR_auth0_client_id: ${{ secrets.AUTH0_CLIENT_ID }}
+      TF_VAR_auth0_client_secret: ${{ secrets.AUTH0_CLIENT_SECRET }} 
+      TF_VAR_auth0_audience:  ${{ secrets.AUTH0_AUDIENCE }}
+      TF_VAR_stripe_api_key:  ${{ secrets.STRIPE_API_KEY }}
+      TF_VAR_email_ses_access_key_id: ${{ secrets.EMAIL_SES_ACCESS_KEY_ID }}
+      TF_VAR_email_ses_secret_access_key: ${{ secrets.EMAIL_SES_SECRET_ACCESS_KEY }}
+    steps:
+      - uses: actions/checkout@v2
+
+      - uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/ClusterAdminRole
+          role-session-name: Github-Actions-Demeter
+          role-duration-seconds: 1200
+
+      - name: setup kubeconfig
+        run: aws eks update-kubeconfig --name ${{ secrets.AWS_CLUSTER_NAME }}
+
+      - name: setup terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: init terraform
+        working-directory: .github/iac
+        run: terraform init
+
+      - name: validate terraform
+        working-directory: .github/iac
+        run: terraform validate
+
+      - name: apply terraform
+        working-directory: .github/iac
+        env:
+          IMAGE_TAG: ${{ github.sha }}
+        run: terraform apply -auto-approve -input=false

.gitignore

@@ -7,3 +7,4 @@ rpc.toml
 test/.terraform*
 test/local.tfstate*
 crds-path/
+.github/iac/.terraform*