Add initial Terraform and deploy workflow
gregtyler committed Oct 2, 2023
1 parent 173d7bd commit c8494ab
Showing 8 changed files with 266 additions and 10 deletions.
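--- a/.github/workflows/env-deploy.yml
+++ b/.github/workflows/env-deploy.yml
@@ -0,0 +1,68 @@
+name: "[Job] Deploy to Environment"
+
+on:
+workflow_call:
+inputs:
+workspace_name:
+description: "The terraform workspace to target for environment actions"
+required: true
+type: string
+version_tag:
+description: "The docker image tag to deploy in the environment"
+required: true
+type: string
+secrets:
+aws_access_key_id:
+description: "AWS Access Key ID"
+required: true
+aws_secret_access_key:
+description: "AWS Secret Access Key"
+required: true
+
+jobs:
+terraform_environment_workflow:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: "0"
+- uses: unfor19/install-aws-cli-action@v1
+- uses: hashicorp/setup-terraform@v2
+with:
+terraform_version: 1.4.6
+terraform_wrapper: false
+- name: Configure AWS Credentials For Terraform
+uses: aws-actions/configure-aws-credentials@v2
+with:
+aws-access-key-id: ${{ secrets.aws_access_key_id }}
+aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
+aws-region: eu-west-1
+role-duration-seconds: 3600
+role-session-name: OPGLpaStoreGithubAction
+
+- name: Lint Terraform
+run: terraform fmt -check -recursive
+working-directory: ./terraform/environment
+continue-on-error: true
+
+- name: Terraform Init
+run: terraform init -input=false
+working-directory: ./terraform/environment
+
+- name: Terraform Plan
+env:
+TF_WORKSPACE: ${{ inputs.workspace_name }}
+TF_VAR_app_version: ${{ inputs.version_tag }}
+run: |
+terraform workspace show
+echo "plan_summary=$(terraform plan -no-color -lock-timeout=300s -input=false -parallelism=30 | grep -ioE 'Plan: [[:digit:]]+ to add, [[:digit:]]+ to change, [[:digit:]]+ to destroy|No changes. Your infrastructure matches the configuration.')" >> $GITHUB_OUTPUT
+terraform plan -lock-timeout=300s -input=false -parallelism=30
+working-directory: ./terraform/environment
+
+# - name: Terraform Apply
+# env:
+# TF_WORKSPACE: ${{ inputs.workspace_name }}
+# TF_VAR_app_version: ${{ inputs.version_tag }}
+# run: |
+# terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30
+# working-directory: ./terraform/environment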
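Review bot: The `plan_summary` value echoed to `$GITHUB_OUTPUT` in the Terraform Plan step can never be read, because the step has no `id:` and the job declares no `outputs:`; the step also runs `terraform plan` twice, and the first run's exit status is hidden by the pipe into grep, so a failing plan is only caught by the second run. Planning once with `-out` and summarising from `terraform show`, under `shell: bash` so pipefail applies, gives a single plan and a usable output. Separately, every action is pinned to a mutable tag (`actions/checkout@v4`, `unfor19/install-aws-cli-action@v1`, `hashicorp/setup-terraform@v2`, `aws-actions/configure-aws-credentials@v2`); pinning to a full commit SHA protects the AWS secrets this job holds from a moved tag, and the install-aws-cli step is redundant on ubuntu-latest where the CLI is preinstalled. `role-duration-seconds`/`role-session-name` appear to have no effect without a `role-to-assume`, so either add one or drop them.
```yaml
    outputs:
      plan_summary: ${{ steps.plan.outputs.plan_summary }}
    steps:
      # … unchanged: checkout, setup-terraform, credentials, lint, init …
      - name: Terraform Plan
        id: plan
        shell: bash
        env:
          TF_WORKSPACE: ${{ inputs.workspace_name }}
          TF_VAR_app_version: ${{ inputs.version_tag }}
        run: |
          terraform workspace show
          terraform plan -no-color -lock-timeout=300s -input=false -parallelism=30 -out=tfplan
          summary=$(terraform show -no-color tfplan | grep -ioE 'Plan: [[:digit:]]+ to add, [[:digit:]]+ to change, [[:digit:]]+ to destroy|No changes. Your infrastructure matches the configuration.' || true)
          echo "plan_summary=${summary}" >> "$GITHUB_OUTPUT"
        working-directory: ./terraform/environment
```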
20 changes: 10 additions & 10 deletions .github/workflows/workflow-pr.yml
Expand Up @@ -71,13 +71,13 @@ jobs:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

# deploy-pr-env:
# name: Deploy PR Environment
# needs: [build, generate-environment-workspace-name]
# uses: ./.github/workflows/deploy.yml
# with:
# workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
# version_tag: ${{ needs.generate-tags.outputs.docker_tag }}
# secrets:
# aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
deploy-pr-env:
name: Deploy PR Environment
needs: [build, generate-environment-workspace-name]
uses: ./.github/workflows/env-deploy.yml
with:
workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
version_tag: ${{ needs.generate-tags.outputs.docker_tag }}
secrets:
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
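Review bot: `version_tag: ${{ needs.generate-tags.outputs.docker_tag }}` on the newly enabled `deploy-pr-env` job reads the output of a job that is not in its `needs:` list (`[build, generate-environment-workspace-name]`); only direct dependencies are exposed through the `needs` context, so this either fails workflow validation or resolves to an empty tag at run time. The fix is one line: `needs: [build, generate-environment-workspace-name, generate-tags]`. Where `generate-tags` is defined is outside the hunk, so this assumes it exists as written in the old commented block; a transitive dependency through `build` would not expose its outputs either.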
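--- a/terraform/environment/.envrc
+++ b/terraform/environment/.envrc
@@ -0,0 +1,6 @@
+# Terraform
+export TF_WORKSPACE=gt-test
+export TF_VAR_default_role=operator
+export TF_VAR_management_role=operator
+
+export TF_CLI_ARGS_init="-backend-config=role_arn=arn:aws:iam::311462405659:role/operator"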
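Review bot: `export TF_WORKSPACE=gt-test` commits what looks like one developer's personal workspace name into a file that direnv runs for everyone who enters the directory, and `TF_CLI_ARGS_init` silently re-points every local `terraform init` at the `operator` role in account 311462405659. If the file is meant as a shared starting point, rename it to an example (e.g. `.envrc.example`) and gitignore the real one, or at least stop hard-coding the workspace: `export TF_WORKSPACE="${TF_WORKSPACE:?set the target workspace}"`. Choosing `operator` here over the `lpa-store-ci` default in variables.tf is presumably deliberate for interactive use; a one-line comment saying so would help the next reader.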
25 changes: 25 additions & 0 deletions terraform/environment/.terraform.lock.hcl


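--- a/terraform/environment/dynamodb.tf
+++ b/terraform/environment/dynamodb.tf
@@ -0,0 +1,30 @@
+resource "aws_dynamodb_table" "deeds_table" {
+name = "${local.environment_name}-deeds"
+billing_mode = "PAY_PER_REQUEST"
+deletion_protection_enabled = local.environment.is_production
+stream_enabled = false
+hash_key = "uid"
+
+server_side_encryption {
+enabled = true
+}
+
+attribute {
+name = "uid"
+type = "S"
+}
+
+point_in_time_recovery {
+enabled = true
+}
+
+lifecycle {
+ignore_changes = [replica]
+}
+}
+
+resource "aws_dynamodb_table_replica" "deeds_table" {
+global_table_arn = aws_dynamodb_table.deeds_table.arn
+point_in_time_recovery = true
+provider = aws.eu-west-2
+}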
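Review bot: `aws_dynamodb_table.deeds_table` sets no `provider`, so it goes through Terraform's default `aws` provider, and terraform.tf in this commit declares only aliased providers (`global`, `eu-west-1`, `eu-west-2`, `management`); the default provider is therefore unconfigured, with no `assume_role` into `local.environment.account_id`, taking region and credentials from the environment. In CI that means the primary table is created with the raw CI credentials rather than in the target environment account, unless those credentials happen to belong to it; add `provider = aws.eu-west-1` to the table, matching the replica's explicit `aws.eu-west-2`. Separately, a replica needs streams on the source table, but the table sets `stream_enabled = false`; it is expected to need `stream_enabled = true` and `stream_view_type = "NEW_AND_OLD_IMAGES"` for the replica create to be accepted. The absence of a default provider block is the same point for terraform.tf.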
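--- a/terraform/environment/terraform.tf
+++ b/terraform/environment/terraform.tf
@@ -0,0 +1,74 @@
+terraform {
+backend "s3" {
+bucket = "opg.terraform.state"
+key = "opg-data-lpa-deed/terraform.tfstate"
+encrypt = true
+region = "eu-west-1"
+role_arn = "arn:aws:iam::311462405659:role/lpa-store-ci"
+dynamodb_table = "remote_lock"
+}
+
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = ">= 5.8.0"
+}
+}
+required_version = ">= 1.4.0"
+}
+
+provider "aws" {
+alias = "global"
+region = "us-east-1"
+
+assume_role {
+role_arn = "arn:aws:iam::${local.environment.account_id}:role/${var.default_role}"
+session_name = "terraform-session"
+}
+
+default_tags {
+tags = local.default_tags
+}
+}
+
+provider "aws" {
+alias = "eu-west-1"
+region = "eu-west-1"
+
+assume_role {
+role_arn = "arn:aws:iam::${local.environment.account_id}:role/${var.default_role}"
+session_name = "terraform-session"
+}
+
+default_tags {
+tags = local.default_tags
+}
+}
+
+provider "aws" {
+alias = "eu-west-2"
+region = "eu-west-2"
+
+assume_role {
+role_arn = "arn:aws:iam::${local.environment.account_id}:role/${var.default_role}"
+session_name = "terraform-session"
+}
+
+default_tags {
+tags = local.default_tags
+}
+}
+
+provider "aws" {
+alias = "management"
+region = "eu-west-1"
+
+assume_role {
+role_arn = "arn:aws:iam::311462405659:role/${var.management_role}"
+session_name = "terraform-session"
+}
+
+default_tags {
+tags = local.default_tags
+}
+}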
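Review bot: All four provider blocks use the fixed `session_name = "terraform-session"`, so assumed-role activity in CloudTrail cannot be told apart by workspace or pipeline; `session_name = "terraform-${local.environment_name}"` would carry the workspace into the session ARN at no cost. The `aws` constraint `version = ">= 5.8.0"` is open-ended, so a `terraform init -upgrade` can jump to a future major release; `version = "~> 5.8"` keeps the lock file's pin meaningful. Nothing visible in this commit references `aws.global`, `aws.eu-west-1` or `aws.management`; a comment on the `global` block explaining why a us-east-1 provider exists would help, since that choice is not self-evident here.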
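--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
@@ -0,0 +1,14 @@
+{
+"environments": {
+"default": {
+"account_id": "493907465011",
+"account_name": "development",
+"is_production": false
+},
+"development": {
+"account_id": "493907465011",
+"account_name": "development",
+"is_production": false
+}
+}
+}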
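--- a/terraform/environment/variables.tf
+++ b/terraform/environment/variables.tf
@@ -0,0 +1,39 @@
+locals {
+environment_name = lower(replace(terraform.workspace, "_", "-"))
+environment = contains(keys(var.environments), local.environment_name) ? var.environments[local.environment_name] : var.environments["default"]
+
+default_tags = merge(local.mandatory_moj_tags, local.optional_tags)
+mandatory_moj_tags = {
+business-unit = "OPG"
+application = "opg-data-lpa-deed"
+environment-name = local.environment_name
+account = local.environment.account_name
+is-production = local.environment.is_production
+owner = "[email protected]"
+}
+
+optional_tags = {
+source-code = "https://github.com/ministryofjustice/opg-data-lpa-deed"
+infrastructure-support = "[email protected]"
+}
+}
+
+variable "environments" {
+type = map(
+object({
+account_id = string
+account_name = string
+is_production = bool
+})
+)
+}
+
+variable "default_role" {
+type = string
+default = "lpa-store-ci"
+}
+
+variable "management_role" {
+type = string
+default = "lpa-store-ci"
+}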
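Review bot: The fallback in `local.environment` — any workspace name missing from `var.environments` resolves to `var.environments["default"]`, which in this commit's tfvars is the development account — is presumably what makes per-PR workspaces work, but it is undocumented, and it also means a mistyped workspace lands in that account without any error; add `# workspaces not listed in var.environments (e.g. per-PR ones) fall back to the "default" entry` above the `environment =` line. None of the three variables has a `description`; for example `description = "Role assumed in the environment account; defaults to the CI role"` on `default_role` and a matching one on `management_role`. Whether the `locals` block belongs in variables.tf rather than a separate locals.tf is a style choice worth settling before more files follow.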
