cd-terraform added

enricogoerlitz · Jun 15, 2024 · 4c35bf3 · 4c35bf3
1 parent d15a415
commit 4c35bf3
Show file tree

Hide file tree

Showing 9 changed files with 232 additions and 7 deletions.
diff --git a/.github/workflows/cd-terraform.yml b/.github/workflows/cd-terraform.yml
@@ -0,0 +1,110 @@
+name: Terraform Deployment
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+      id-token: write # This is required for aws oidc connection
+      contents: read # This is required for actions/checkout
+      pull-requests: write # This is required for gh bot to comment PR
+
+env:
+  TF_LOG: INFO
+  AWS_REGION: ${{ secrets.AWS_REGION }}
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./terraform
+
+    steps:
+      - name: Git checkout
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials from AWS account
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-session-name: GitHub-OIDC-TERRAFORM
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.5.7
+
+      - name: Terraform fmt
+        id: fmt
+        run: terraform fmt -check
+        continue-on-error: true
+
+      - name: Terraform Init
+        id: init
+        env:
+          AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME }}
+          AWS_BUCKET_KEY_NAME: ${{ secrets.AWS_BUCKET_KEY_NAME }}
+        run: terraform init -backend-config="bucket=${AWS_BUCKET_NAME}" -backend-config="key=${AWS_BUCKET_KEY_NAME}" -backend-config="region=${AWS_REGION}"
+
+      - name: Terraform Validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Terraform Plan
+        id: plan
+        run: terraform plan -no-color
+        if: github.event_name == 'pull_request'
+        continue-on-error: true
+
+      - uses: actions/github-script@v6
+        if: github.event_name == 'pull_request'
+        env:
+          PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+            #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+            #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+            <details><summary>Validation Output</summary>
+
+            \`\`\`\n
+            ${{ steps.validate.outputs.stdout }}
+            \`\`\`
+
+            </details>
+
+            #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+
+            <details><summary>Show Plan</summary>
+
+            \`\`\`\n
+            ${process.env.PLAN}
+            \`\`\`
+
+            </details>
+
+            *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: output
+            })
+
+      - name: Terraform Plan Status
+        if: steps.plan.outcome == 'failure'
+        run: exit 1
+
+      - name: Terraform Apply
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply -auto-approve -input=false
diff --git a/README.md b/README.md
@@ -20,4 +20,42 @@ $ docker push enricogoerlitz/bp2-backend-amd64v2:latest
 
 https://www.youtube.com/watch?v=GowFk_5Rx_I&ab_channel=CloudScalr
 
-deploy terraform on S3 and manage this in S3
+deploy terraform on S3 and manage this in S3
+
+## Doku OpenIDConnect
+
+aws > IAM > Identity Provider > new Identity Provider
+    - url=https://token.actions.githubusercontent.com
+    - audience=sts.amazonaws.com
+
+enricogoerlitz/aws-bp-2-hosting-backend-on-ec2-asg-alb
+
+aws > s3 > create bucket
+    - name
+    - enable enrcyption
+
+aws > IAM > roles > create role > custom trusted policy
+policy:
+{
+    "Version": "2008-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::YOUR_ACCOUNT_NUMBER:oidc-provider/token.actions.githubusercontent.com"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringLike": {
+                    "token.actions.githubusercontent.com:sub": "repo:YOUR_GITHUB_USERNAME/YOUR_REPO_NAME:*"
+                }
+            }
+        }
+    ]
+}
+
+GitHub Secrets:
+- AWS_BUCKET_NAME=bp2-terraform-deployment-state
+- AWS_BUCKET_KEY_NAME=infra.tfstate
+- AWS_REGION=eu-central-1
+- AWS_ROLE=arn:aws:iam::533267024986:role/github-oicd-bp2-terraform-deployment-role
diff --git a/app/tests/test_app.py b/app/tests/test_app.py
@@ -15,29 +15,29 @@ def test_healthcheck(self):
         hostname = os.uname()[1]
 
         # WHEN
-        response = self.app.get('/')
+        response = self.app.get("/")
         data = response.get_json()
 
         # THEN
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(data['healthcheck'], 'ok')
-        self.assertEqual(data['hostname'], hostname)
+        self.assertEqual(data["healthcheck"], "ok")
+        self.assertEqual(data["hostname"], hostname)
 
     def test_host_ip(self):
         # GIVEN
         ip = os.uname()[1]
 
         # WHEN
-        response = self.app.get('/host')
+        response = self.app.get("/host")
         data = response.get_json()
 
         # THEN
         self.assertEqual(response.status_code, 200)
-        self.assertEqual(data['hostname'], ip)
+        self.assertEqual(data["hostname"], ip)
 
     # def test_fail(self):
     #     self.assertEqual(True, False)
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
     unittest.main()
diff --git a/terraform/ec2-userscript.sh → terraform/config/ec2-userscript.sh b/terraform/ec2-userscript.sh → terraform/config/ec2-userscript.sh
diff --git a/terraform/config/iam-role-trusted-entity.json b/terraform/config/iam-role-trusted-entity.json
@@ -0,0 +1,17 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Principal": {
+                "Federated": "arn:aws:iam::533267024986:oidc-provider/token.actions.githubusercontent.com"
+            },
+            "Action": "sts:AssumeRoleWithWebIdentity",
+            "Condition": {
+                "StringLike": {
+                    "token.actions.githubusercontent.com:sub": "repo:enricogoerlitz/aws-bp-2-hosting-backend-on-ec2-asg-alb:ref:refs/heads/main"
+                }
+            }
+        }
+    ]
+}
diff --git a/terraform/config/iam-s3-access-policy.json b/terraform/config/iam-s3-access-policy.json
@@ -0,0 +1,17 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:PutObject",
+                "s3:GetObject",
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::bp2-terraform-deployment-state/*",
+                "arn:aws:s3:::bp2-terraform-deployment-state"
+            ]
+        }
+    ]
+}
diff --git a/terraform/config/iam-tf-infrastructure-deployment-policy.json b/terraform/config/iam-tf-infrastructure-deployment-policy.json
@@ -0,0 +1,40 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:Describe*",
+                "ec2:RunInstances",
+                "ec2:CreateSecurityGroup",
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:CreateKeyPair",
+                "ec2:CreateLaunchTemplate",
+                "ec2:ModifyLaunchTemplate",
+                "ec2:TerminateInstances",
+                "autoscaling:CreateAutoScalingGroup",
+                "autoscaling:UpdateAutoScalingGroup",
+                "autoscaling:Describe*",
+                "elasticloadbalancing:CreateLoadBalancer",
+                "elasticloadbalancing:CreateTargetGroup",
+                "elasticloadbalancing:CreateListener",
+                "elasticloadbalancing:ModifyListener",
+                "elasticloadbalancing:DeleteListener",
+                "elasticloadbalancing:Describe*",
+                "route53:ChangeResourceRecordSets",
+                "route53:GetHostedZone",
+                "acm:DescribeCertificate",
+                "acm:GetCertificate",
+                "logs:CreateLogGroup",
+                "logs:CreateLogStream",
+                "logs:PutLogEvents"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": "acm:ListCertificates",
+            "Resource": "*"
+        }
+    ]
+}
diff --git a/terraform/main.desc.txt → terraform/config/main.desc.txt b/terraform/main.desc.txt → terraform/config/main.desc.txt
diff --git a/terraform/providers.tf b/terraform/providers.tf
@@ -0,0 +1,3 @@
+terraform {
+  backend "s3" {}
+}