Add initial Terraform, deploy and destroy workflows

When a PR is opened/reopened/updated, build the code and deploy to a popup env When a PR is closed, delete the popup env #minor
ministryofjustice · Oct 2, 2023 · 07fee9e · 07fee9e
1 parent 173d7bd
commit 07fee9e
Show file tree

Hide file tree

Showing 10 changed files with 382 additions and 11 deletions.
diff --git a/.github/workflows/env-deploy.yml b/.github/workflows/env-deploy.yml
@@ -0,0 +1,83 @@
+name: "[Job] Deploy to Environment"
+
+on:
+  workflow_call:
+    inputs:
+      workspace_name:
+        description: "The terraform workspace to target for environment actions"
+        required: true
+        type: string
+      version_tag:
+        description: "The docker image tag to deploy in the environment"
+        required: true
+        type: string
+    secrets:
+      aws_access_key_id:
+        description: "AWS Access Key ID"
+        required: true
+      aws_secret_access_key:
+        description: "AWS Secret Access Key"
+        required: true
+      github_access_token:
+        description: 'Github Token'
+        required: true
+
+jobs:
+  terraform_environment_workflow:
+    runs-on: ubuntu-latest
+    # environment:
+    #   name: ${{ inputs.workspace_name }} popup environment
+    #   url: ${{ steps.terraform_outputs.outputs.url }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+      - uses: unfor19/install-aws-cli-action@v1
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.4.6
+          terraform_wrapper: false
+      - name: Configure AWS Credentials For Terraform
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
+          aws-region: eu-west-1
+          role-duration-seconds: 3600
+          role-session-name: OPGLpaStoreGithubAction
+
+      - name: Lint Terraform
+        run: terraform fmt -check -recursive
+        working-directory: ./terraform/environment
+        continue-on-error: true
+
+      - name: Terraform Init
+        run: terraform init -input=false
+        working-directory: ./terraform/environment
+
+      - name: Terraform Plan
+        env:
+          TF_WORKSPACE: ${{ inputs.workspace_name }}
+          TF_VAR_app_version: ${{ inputs.version_tag }}
+        run: |
+          terraform workspace show
+          echo "plan_summary=$(terraform plan -no-color -lock-timeout=300s -input=false -parallelism=30 | grep -ioE 'Plan: [[:digit:]]+ to add, [[:digit:]]+ to change, [[:digit:]]+ to destroy|No changes. Your infrastructure matches the configuration.')" >> $GITHUB_OUTPUT
+          terraform plan -lock-timeout=300s -input=false -parallelism=30
+        working-directory: ./terraform/environment
+
+      - name: Terraform Apply
+        env:
+          TF_WORKSPACE: ${{ inputs.workspace_name }}
+          TF_VAR_app_version: ${{ inputs.version_tag }}
+        run: |
+          terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30
+        working-directory: ./terraform/environment
+
+      # - name: Terraform Outputs
+      #   id: terraform_outputs
+      #   env:
+      #     TF_WORKSPACE: ${{ inputs.workspace_name }}
+      #     TF_VAR_app_version: ${{ inputs.version_tag }}
+      #   run: |
+      #     echo "url=$(terraform output -raw app_fqdn)" >> $GITHUB_OUTPUT
+      #   working-directory: ./terraform/environment
diff --git a/.github/workflows/env-destroy.yml b/.github/workflows/env-destroy.yml
@@ -0,0 +1,54 @@
+name: "[Job] Destroy Environment"
+
+on:
+  workflow_call:
+    inputs:
+      workspace_name:
+        description: "The terraform workspace to target for environment actions"
+        required: true
+        type: string
+    secrets:
+      aws_access_key_id:
+        description: "AWS Access Key ID"
+        required: true
+      aws_secret_access_key:
+        description: "AWS Secret Access Key"
+        required: true
+
+jobs:
+  terraform_environment_workflow:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+      - uses: unfor19/install-aws-cli-action@v1
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.4.6
+          terraform_wrapper: false
+      - name: Configure AWS Credentials For Terraform
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
+          aws-region: eu-west-1
+          role-duration-seconds: 3600
+          role-session-name: OPGLpaStoreGithubAction
+
+      - name: Lint Terraform
+        run: terraform fmt -check -recursive
+        working-directory: ./terraform/aws
+        continue-on-error: true
+
+      - name: Terraform Init
+        run: terraform init -input=false
+        working-directory: ./terraform/aws
+
+      - name: Terraform Destroy
+        run: |
+          terraform workspace select ${{ inputs.workspace_name }}
+          terraform destroy -auto-approve
+          terraform workspace select default
+          terraform workspace delete ${{ inputs.workspace_name }}
+        working-directory: ./terraform/aws
diff --git a/.github/workflows/workflow-pr-close.yml b/.github/workflows/workflow-pr-close.yml
@@ -0,0 +1,41 @@
+name: PR Workflow
+
+on:
+  pull_request:
+    types:
+      - closed
+    branches:
+      - main
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  generate-environment-workspace-name:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate workspace name
+        id: name_workspace
+        run: |
+          workspace=${{ github.event.number }}${{ github.head_ref }}
+          workspace=${workspace//-}
+          workspace=${workspace//_}
+          workspace=${workspace//\/}
+          workspace=${workspace:0:11}
+          workspace=$(echo ${workspace} | tr '[:upper:]' '[:lower:]')
+          echo "name=${workspace}" >> $GITHUB_OUTPUT
+          echo ${workspace}
+    outputs:
+      environment_workspace_name: ${{ steps.name_workspace.outputs.name }}
+
+  destroy-pr-env:
+    name: Destroy PR Environment
+    needs: [generate-environment-workspace-name]
+    uses: ./.github/workflows/env-destroy.yml
+    with:
+      workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/workflow-pr.yml b/.github/workflows/workflow-pr.yml
@@ -1,4 +1,4 @@
-name: Test & Build
+name: PR Workflow
 
 on:
   pull_request:
@@ -71,13 +71,14 @@ jobs:
       aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
       aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
-  # deploy-pr-env:
-  #   name: Deploy PR Environment
-  #   needs: [build, generate-environment-workspace-name]
-  #   uses: ./.github/workflows/deploy.yml
-  #   with:
-  #     workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
-  #     version_tag: ${{ needs.generate-tags.outputs.docker_tag }}
-  #   secrets:
-  #     aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-  #     aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  deploy-pr-env:
+    name: Deploy PR Environment
+    needs: [build, generate-environment-workspace-name]
+    uses: ./.github/workflows/env-deploy.yml
+    with:
+      workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
+      version_tag: ${{ needs.generate-tags.outputs.docker_tag }}
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      github_access_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/terraform/environment/.envrc b/terraform/environment/.envrc
@@ -0,0 +1,6 @@
+# Terraform
+export TF_WORKSPACE=development
+export TF_VAR_default_role=operator
+export TF_VAR_management_role=operator
+
+export TF_CLI_ARGS_init="-backend-config=role_arn=arn:aws:iam::311462405659:role/operator"
diff --git a/terraform/environment/.terraform.lock.hcl b/terraform/environment/.terraform.lock.hcl
diff --git a/terraform/environment/dynamodb.tf b/terraform/environment/dynamodb.tf
@@ -0,0 +1,32 @@
+resource "aws_dynamodb_table" "deeds_table" {
+  name                        = "deeds-${local.environment_name}"
+  billing_mode                = "PAY_PER_REQUEST"
+  deletion_protection_enabled = local.environment.is_production
+  stream_enabled              = false
+  hash_key                    = "uid"
+
+  server_side_encryption {
+    enabled = true
+  }
+
+  attribute {
+    name = "uid"
+    type = "S"
+  }
+
+  point_in_time_recovery {
+    enabled = true
+  }
+
+  lifecycle {
+    ignore_changes = [replica]
+  }
+
+  provider = aws.eu_west_1
+}
+
+resource "aws_dynamodb_table_replica" "deeds_table" {
+  global_table_arn       = aws_dynamodb_table.deeds_table.arn
+  point_in_time_recovery = true
+  provider               = aws.eu_west_2
+}
diff --git a/terraform/environment/terraform.tf b/terraform/environment/terraform.tf
@@ -0,0 +1,74 @@
+terraform {
+  backend "s3" {
+    bucket         = "opg.terraform.state"
+    key            = "opg-data-lpa-deed/terraform.tfstate"
+    encrypt        = true
+    region         = "eu-west-1"
+    role_arn       = "arn:aws:iam::311462405659:role/lpa-store-ci"
+    dynamodb_table = "remote_lock"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.8.0"
+    }
+  }
+  required_version = ">= 1.4.0"
+}
+
+provider "aws" {
+  alias  = "global"
+  region = "us-east-1"
+
+  assume_role {
+    role_arn     = "arn:aws:iam::${local.environment.account_id}:role/${var.default_role}"
+    session_name = "terraform-session"
+  }
+
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
+provider "aws" {
+  alias  = "eu_west_1"
+  region = "eu-west-1"
+
+  assume_role {
+    role_arn     = "arn:aws:iam::${local.environment.account_id}:role/${var.default_role}"
+    session_name = "terraform-session"
+  }
+
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
+provider "aws" {
+  alias  = "eu_west_2"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn     = "arn:aws:iam::${local.environment.account_id}:role/${var.default_role}"
+    session_name = "terraform-session"
+  }
+
+  default_tags {
+    tags = local.default_tags
+  }
+}
+
+provider "aws" {
+  alias  = "management"
+  region = "eu-west-1"
+
+  assume_role {
+    role_arn     = "arn:aws:iam::311462405659:role/${var.management_role}"
+    session_name = "terraform-session"
+  }
+
+  default_tags {
+    tags = local.default_tags
+  }
+}
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
@@ -0,0 +1,14 @@
+{
+  "environments": {
+    "default": {
+      "account_id": "493907465011",
+      "account_name": "development",
+      "is_production": false
+    },
+    "development": {
+      "account_id": "493907465011",
+      "account_name": "development",
+      "is_production": false
+    }
+  }
+}