feat: first infra for EKS #66
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: air.stacks-infrastructure-eks | |
| on: | |
| push: | |
| paths: | |
| - 'build/github/**' | |
| - 'build/taskctl/**' | |
| - 'src/**' | |
| - 'deploy/aws/**' | |
| - 'deploy/k8s/aws/**' | |
| - '.github/workflows/ci.yml' | |
| pull_request: | |
| branches: | |
| - master | |
| - main | |
| env: | |
| # The following SECRETS must be defined per environment (which must match environment key) in your GH Repository: | |
| # AWS_ACCESS_KEY_ID | |
| # AWS_ACCOUNT_ID | |
| # AWS_DEFAULT_REGION | |
| # AWS_SECRET_ACCESS_KEY | |
| # AWS_TF_STATE_BUCKET | |
| # AWS_TF_STATE_DYNAMOTABLE | |
| # AWS_TF_STATE_ENCRYPTION | |
| # AWS_TF_STATE_KEY | |
| # AWS_TF_STATE_REGION | |
| CLOUD_PROVIDER: "aws" | |
| TaskctlVersion: '1.5.1' | |
| COMPANY: "ensono" | |
| PROJECT: "stacks" | |
| COMPONENT: "eks" | |
| REGION: "eu-west-2" | |
| NON_PROD_AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
| TF_INFRA_FILE_LOCATION: deploy/aws/infra | |
| TF_PRE_INFRA_FILE_LOCATION: deploy/aws/pre-infra | |
| VPC_CIDR: "10.0.0.0/16" | |
| NON_PROD_VPC_NAT_GATEWAY_PER_AZ: false | |
| PROD_VPC_NAT_GATEWAY_PER_AZ: true | |
| # DNS | |
| DNS_CREATE_HOSTEDZONE: true | |
| DNS_CREATE_HOSTEDZONE_PARENT_LINK: true | |
| NON_PROD_DOMAIN_NAME: "nonprod.aws.stacks.ensono.com" | |
| PROD_DOMAIN_NAME: "prod.aws.stacks.ensono.com" | |
| DNS_PARENT_NAME: "aws.stacks.ensono.com" | |
| CLUSTER_VERSION: "1.30" | |
| NON_PROD_CLUSTER_SINGLE_AZ: true | |
| PROD_CLUSTER_SINGLE_AZ: false | |
| EKS_MINIMUM_NODES: "1" | |
| EKS_DESIRED_NODES: "1" | |
| EKS_MAXIMUM_NODES: "3" | |
| EKS_NODE_SIZE: "t3.small" | |
| CLUSTER_ENDPOINT_PRIVATE_ACCESS: false | |
| CLUSTER_ENDPOINT_PUBLIC_ACCESS: true | |
| CONTAINER_REGISTRY_PULL_PUSH_USER: true | |
| NON_PROD_FIREWALL_ENABLED: false | |
| PROD_FIREWALL_ENABLED: true | |
| FIREWALL_ALLOWED_DOMAIN_TARGETS: "[]" | |
| NON_PROD_FIREWALL_CREATE_TLS_ALERT_RULE: false | |
| PROD_FIREWALL_CREATE_TLS_ALERT_RULE: true | |
| # Ingress Nginx Helm | |
| INGRESS_NGINX_ENABLED: true | |
| INGRESS_NGINX_NAMESPACE: "ingress-nginx" | |
| INGRESS_NGINX_SERVICE_ACCOUNT_NAME: "ingress-nginx" | |
| INGRESS_NGINX_REPLICA_COUNT: 3 | |
| # Cert Manager Helm | |
| CERT_MANAGER_ENABLED: true | |
| CERT_MANAGER_NAMESPACE: "cert-manager" | |
| CERT_MANAGER_SERVICE_ACCOUNT_NAME: "cert-manager" | |
| jobs: | |
| Lint: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./build/github/templates/install-taskctl | |
| - run: taskctl image-pull | |
| - run: taskctl -d yaml-lint | |
| - run: taskctl -d terraform-lint | |
| env: | |
| TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }} | |
| - run: taskctl -d terraform-lint | |
| env: | |
| TF_FILE_LOCATION: ${{ env.TF_PRE_INFRA_FILE_LOCATION }} | |
| InfraDev: | |
| if: github.ref != 'refs/heads/master' && github.ref != 'refs/heads/main' | |
| needs: Lint | |
| runs-on: ubuntu-24.04 | |
| environment: nonprod | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - uses: ./build/github/templates/install-taskctl | |
| - run: taskctl image-pull | |
| - run: taskctl -d infrastructure | |
| env: | |
| ENV_NAME: nonprod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # Terraform Backend Configuration | |
| TF_FILE_LOCATION: ${{ env.TF_PRE_INFRA_FILE_LOCATION }} | |
| TF_BACKEND_ARGS: region=${{ secrets.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ secrets.AWS_TF_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=${{ secrets.AWS_TF_STATE_ENCRYPTION }} | |
| # Terraform Resource Configuration | |
| TF_VAR_name_company: ${{ env.COMPANY }} | |
| TF_VAR_name_project: ${{ env.PROJECT }} | |
| TF_VAR_name_component: ${{ env.COMPONENT }} | |
| TF_VAR_name_environment: "nonprod" | |
| TF_VAR_region: ${{ env.REGION }} | |
| TF_VAR_dns_create_hostedzone: ${{ env.DNS_CREATE_HOSTEDZONE}} | |
| TF_VAR_dns_hostedzone_name: ${{ env.NON_PROD_DOMAIN_NAME }} | |
| TF_VAR_dns_create_hostedzone_parent_link: ${{ env.DNS_CREATE_HOSTEDZONE_PARENT_LINK }} | |
| TF_VAR_dns_parent_hostedzone_name: ${{ env.DNS_PARENT_NAME }} | |
| TF_VAR_k8s_role_file_map: "[\"../../k8s/users/nonprod-admin-users.json\", \"../../k8s/users/nonprod-developer-users.json\"]" | |
| TF_VAR_container_registry_pull_push_user: ${{ env.CONTAINER_REGISTRY_PULL_PUSH_USER }} | |
| - run: taskctl -d infrastructure | |
| env: | |
| ENV_NAME: nonprod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # Terraform Backend Configuration | |
| TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }} | |
| TF_BACKEND_ARGS: region=${{ secrets.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ secrets.AWS_TF_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=${{ secrets.AWS_TF_STATE_ENCRYPTION }} | |
| # Terraform Resource Configuration | |
| TF_VAR_name_company: ${{ env.COMPANY }} | |
| TF_VAR_name_project: ${{ env.PROJECT }} | |
| TF_VAR_name_component: ${{ env.COMPONENT }} | |
| TF_VAR_name_environment: "nonprod" | |
| TF_VAR_region: ${{ env.REGION }} | |
| TF_VAR_vpc_cidr: ${{ env.VPC_CIDR }} | |
| TF_VAR_vpc_nat_gateway_per_az: ${{ env.NON_PROD_VPC_NAT_GATEWAY_PER_AZ }} | |
| TF_VAR_firewall_enabled: ${{ env.NON_PROD_FIREWALL_ENABLED }} | |
| TF_VAR_firewall_allowed_domain_targets: ${{ env.FIREWALL_ALLOWED_DOMAIN_TARGETS }} | |
| TF_VAR_firewall_create_tls_alert_rule: ${{ env.NON_PROD_FIREWALL_CREATE_TLS_ALERT_RULE }} | |
| TF_VAR_cluster_version: ${{ env.CLUSTER_VERSION }} | |
| TF_VAR_cluster_single_az: ${{ env.NON_PROD_CLUSTER_SINGLE_AZ }} | |
| TF_VAR_cluster_endpoint_private_access: ${{ env.CLUSTER_ENDPOINT_PRIVATE_ACCESS }} | |
| TF_VAR_cluster_endpoint_public_access: ${{ env.CLUSTER_ENDPOINT_PUBLIC_ACCESS }} | |
| TF_VAR_eks_minimum_nodes: ${{ env.EKS_MINIMUM_NODES }} | |
| TF_VAR_eks_desired_nodes: ${{ env.EKS_DESIRED_NODES }} | |
| TF_VAR_eks_maximum_nodes: ${{ env.EKS_MAXIMUM_NODES }} | |
| TF_VAR_eks_node_size: ${{ env.EKS_NODE_SIZE }} | |
| TF_VAR_cert_manager_enabled: "${{ env.CERT_MANAGER_ENABLED }}" | |
| TF_VAR_cert_manager_namespace: "${{ env.CERT_MANAGER_NAMESPACE }}" | |
| TF_VAR_cert_manager_service_account_name: "${{ env.CERT_MANAGER_SERVICE_ACCOUNT_NAME }}" | |
| - run: taskctl -d helm | |
| env: | |
| ENV_NAME: nonprod | |
| # AWS Environmental Config | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # InfraProd: | |
| # if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/main' | |
| # needs: Lint | |
| # runs-on: ubuntu-24.04 | |
| # environment: prod | |
| # steps: | |
| # - uses: actions/checkout@v4 | |
| # - uses: ./build/github/templates/install-taskctl | |
| # - run: taskctl -d infrastructure | |
| # env: | |
| # ENV_NAME: prod | |
| # # AWS Environmental Config | |
| # AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| # AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| # AWS_DEFAULT_REGION: ${{ env.REGION }} | |
| # # Terraform Backend Configuration | |
| # AWS_TF_STATE_BUCKET: ${{ secrets.AWS_TF_STATE_BUCKET }} | |
| # AWS_TF_STATE_DYNAMOTABLE: ${{ secrets.AWS_TF_STATE_DYNAMOTABLE }} | |
| # AWS_TF_STATE_ENCRYPTION: ${{ secrets.AWS_TF_STATE_ENCRYPTION }} | |
| # AWS_TF_STATE_KEY: ${{ secrets.AWS_TF_STATE_KEY }} | |
| # AWS_TF_STATE_REGION: ${{ secrets.AWS_TF_STATE_REGION }} | |
| # TF_FILE_LOCATION: ${{ env.TF_INFRA_FILE_LOCATION }} | |
| # TF_BACKEND_ARGS: region=${{ secrets.AWS_TF_STATE_REGION }},access_key=${{ secrets.AWS_ACCESS_KEY_ID }},secret_key=${{ secrets.AWS_SECRET_ACCESS_KEY }},bucket=${{ secrets.AWS_TF_STATE_BUCKET }},key=${{ secrets.AWS_TF_STATE_KEY }},dynamodb_table=${{ secrets.AWS_TF_STATE_DYNAMOTABLE }},encrypt=${{ secrets.AWS_TF_STATE_ENCRYPTION }} | |
| # # Terraform Resource Configuration | |
| # TF_VAR_name_environment: "prod" | |
| # TF_VAR_name_company: ${{ env.COMPANY }} | |
| # TF_VAR_name_project: ${{ env.PROJECT }} | |
| # TF_VAR_name_component: ${{ env.COMPONENT }} | |
| # TF_VAR_region: ${{ env.REGION }} | |
| # TF_VAR_dns_hostedzone_name: "${{ env.PROD_BASE_DOMAIN_NAME }}" | |
| # TF_VAR_enable_zone: true | |
| # TF_VAR_cert_manager_enabled: "${{ env.CERT_MANAGER_ENABLED }}" | |
| # TF_VAR_cert_manager_namespace: "${{ env.CERT_MANAGER_NAMESPACE }}" | |
| # TF_VAR_cert_manager_service_account_name: "${{ env.CERT_MANAGER_SERVICE_ACCOUNT_NAME }}" | |
| # TF_VAR_firewall_enabled: "true" |