Merge pull request #136 from resource-watch/dev

Update Staging from Dev

Author: tanderegg

.github/workflows/terraform_build.yaml

@@ -1,46 +1,136 @@
 name: Run tests and apply terraform changes for current branch
 
+concurrency:
+  group: deploy-terraform
+  cancel-in-progress: false
+
 on:
   push:
     branches: [dev, staging]
 
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: read
+  actions: read
+
 jobs:
-  build_dev:
+  build_eks_cluster:
     runs-on: ubuntu-latest
 
     env:
-        ENV: ${{ github.ref_name }}
-        AWS_ACCESS_KEY_ID: >-
-          ${{ github.ref_name == 'production' && secrets.aws_key_production || 
-              github.ref_name == 'staging' && secrets.aws_key_staging ||
-              secrets.aws_key_dev }}
-        AWS_SECRET_ACCESS_KEY: >-
-          ${{ github.ref_name == 'production' && secrets.aws_secret_production ||
-              github.ref_name == 'staging' && secrets.aws_secret_staging ||
-              secrets.aws_secret_dev }}
-        AWS_REGION: >-
-          ${{ github.ref_name == 'production' && secrets.aws_region_production ||
-              github.ref_name == 'staging' && secrets.aws_region_staging ||
-              secrets.aws_region_dev }}
-        TF_VAR_cloudflare_api_key: ${{ secrets.cloudflare_api_key }}
-        TF_VAR_cloudflare_email: ${{ secrets.cloudflare_email }}
-        TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }}
+      ENV: ${{ github.ref_name }}
+      AWS_ACCESS_KEY_ID: >-
+        ${{ github.ref_name == 'production' && secrets.aws_key_production || 
+            github.ref_name == 'staging' && secrets.aws_key_staging ||
+            secrets.aws_key_dev }}
+      AWS_SECRET_ACCESS_KEY: >-
+        ${{ github.ref_name == 'production' && secrets.aws_secret_production ||
+            github.ref_name == 'staging' && secrets.aws_secret_staging ||
+            secrets.aws_secret_dev }}
+      AWS_REGION: >-
+        ${{ github.ref_name == 'production' && secrets.aws_region_production ||
+            github.ref_name == 'staging' && secrets.aws_region_staging ||
+            secrets.aws_region_dev }}
+      TF_VAR_cloudflare_api_key: ${{ secrets.cloudflare_api_key }}
+      TF_VAR_cloudflare_email: ${{ secrets.cloudflare_email }}
+      TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }}
 
     steps:
-    - uses: actions/checkout@v1
+    - uses: actions/checkout@v4
+
+    - name: Setup terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.3.6
 
     - name: TF Init
-      run: ./scripts/infra -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars
+      run: terraform -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars
+
+    #- name: TF Plan
+    #  run: |
+    #    terraform -chdir=terraform plan -var-file=vars/terraform-$ENV.tfvars \
+    #      -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \
+    #      -var "cloudflare_email=${TF_VAR_cloudflare_email}" \
+    #      -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" \
+    #      -out tf.plan
+
+    - name: Get PR Number
+      uses: jwalton/gh-find-current-pr@master
+      id: findpr
+      with:
+        state: closed
+
+    - name: Download TF EKS Cluster Plan
+      uses: dawidd6/action-download-artifact@v3
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        workflow: terraform_plan.yaml
+        pr: ${{ steps.findpr.outputs.pr }}
+        name: tf_eks-${{ steps.findpr.outputs.pr }}.plan
+        path: terraform/
+        check_artifacts: true
 
-    - name: TF Plan
-      run: |
-        ./scripts/infra -chdir=terraform plan -var-file=vars/terraform-$ENV.tfvars \
-          -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \
-          -var "cloudflare_email=${TF_VAR_cloudflare_email}" \
-          -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}"
     - name: TF Apply
       run: |
-        ./scripts/infra -chdir=terraform apply -auto-approve -var-file=vars/terraform-$ENV.tfvars \
-          -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \
-          -var "cloudflare_email=${TF_VAR_cloudflare_email}" \
-          -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}"
+        terraform -chdir=terraform apply tf_eks-${{ steps.findpr.outputs.pr }}.plan
+
+  build_k8s_infra:
+    runs-on: ubuntu-latest
+    needs: build_eks_cluster
+
+    env:
+      ENV: ${{ github.ref_name }}
+      AWS_ROLE: >-
+        ${{ github.base_ref == 'production' && 'TBD' || 
+            github.base_ref == 'staging' && 'TBD' ||
+            'arn:aws:iam::842534099497:role/wri-api-dev-githubactions-role' }}
+      AWS_REGION: >-
+        ${{ github.ref_name == 'production' && secrets.aws_region_production ||
+            github.ref_name == 'staging' && secrets.aws_region_staging ||
+            secrets.aws_region_dev }}
+      TF_VAR_cloudflare_api_key: ${{ secrets.cloudflare_api_key }}
+      TF_VAR_cloudflare_email: ${{ secrets.cloudflare_email }}
+      TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }}
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@main
+        with:
+          role-to-assume: ${{ env.AWS_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Setup terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.3.6
+
+      - name: Configure Kubeconfig
+        run: aws eks update-kubeconfig --region us-east-1 --name core-k8s-cluster-$ENV
+
+      - name: TF Init K8s Infra
+        run: terraform -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars
+
+      - name: Get PR Number
+        uses: jwalton/gh-find-current-pr@master
+        id: findpr
+        with:
+          state: closed
+
+      - name: Download TF k8s Infra Plan
+        uses: dawidd6/action-download-artifact@v3
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          workflow: terraform_plan.yaml
+          pr: ${{ steps.findpr.outputs.pr }}
+          name: tf_k8s_infra-${{ steps.findpr.outputs.pr }}.plan
+          path: terraform-k8s-infrastructure/
+          check_artifacts: true
+
+      - name: TF Apply
+        run: |
+          terraform -chdir=terraform-k8s-infrastructure apply \
+            tf_k8s_infra-${{ steps.findpr.outputs.pr }}.plan

.github/workflows/terraform_plan.yaml

@@ -1,11 +1,18 @@
-name: Plan terraform changes for base branch
+name: Terraform Plan
+
+concurrency:
+  group: deploy-terraform
+  cancel-in-progress: false
 
 on:
   pull_request:
     branches: [dev, staging]
 
+permissions:
+  id-token: write
+
 jobs:
-  plan:
+  plan_eks_cluster:
     runs-on: ubuntu-latest
 
     env:
@@ -27,14 +34,83 @@ jobs:
       TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }}
 
     steps:
-    - uses: actions/checkout@v1
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Setup terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.3.6
+
+    - name: TF Init EKS Cluster
+      run: terraform -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars
+
+    - name: TF Plan EKS Cluster
+      run: |
+        terraform -chdir=terraform plan -var-file=vars/terraform-$ENV.tfvars \
+          -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \
+          -var "cloudflare_email=${TF_VAR_cloudflare_email}" \
+          -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}" \
+          -out tf_eks-${{ github.event.pull_request.number }}.plan
+    
+    - name: Upload EKS Cluster Plan File
+      uses: actions/upload-artifact@v4
+      with:
+        name: tf_eks-${{ github.event.pull_request.number }}.plan
+        path: "terraform/tf_eks-${{ github.event.pull_request.number }}.plan"
+        if-no-files-found: 'error'
+        overwrite: true
+
+  plan_k8s_infra:
+    runs-on: ubuntu-latest
+    needs: plan_eks_cluster
+
+    env:
+      ENV: ${{ github.base_ref }}
+      AWS_ROLE: >-
+        ${{ github.base_ref == 'production' && 'TBD' || 
+            github.base_ref == 'staging' && 'arn:aws:iam::843801476059:role/wri-api-staging-githubactions-role' ||
+            'arn:aws:iam::842534099497:role/wri-api-dev-githubactions-role' }}
+      AWS_REGION: >-
+        ${{ github.base_ref == 'production' && secrets.aws_region_production ||
+            github.base_ref == 'staging' && secrets.aws_region_staging ||
+            secrets.aws_region_dev }}
+      TF_VAR_cloudflare_api_key: ${{ secrets.cloudflare_api_key }}
+      TF_VAR_cloudflare_email: ${{ secrets.cloudflare_email }}
+      TF_VAR_sparkpost_api_key: ${{ secrets.sparkpost_api_key }}
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@main
+      with:
+        role-to-assume: ${{ env.AWS_ROLE }}
+        aws-region: ${{ env.AWS_REGION }}
+
+    - name: Setup terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.3.6
+
+    - name: Configure Kubeconfig
+      run: aws eks update-kubeconfig --region us-east-1 --name core-k8s-cluster-$ENV
 
-    - name: TF Init
-      run: ./scripts/infra -chdir=terraform init -backend-config=vars/backend-$ENV.tfvars
+    - name: TF Init K8s Infra
+      run: terraform -chdir=terraform-k8s-infrastructure init -backend-config=vars/backend-$ENV.tfvars
 
-    - name: TF Plan
+    - name: TF Plan K8s Infra
       run: |
-        ./scripts/infra -chdir=terraform plan -var-file=vars/terraform-$ENV.tfvars \
+        terraform -chdir=terraform-k8s-infrastructure plan -var-file=vars/terraform-$ENV.tfvars \
           -var "cloudflare_api_key=${TF_VAR_cloudflare_api_key}" \
           -var "cloudflare_email=${TF_VAR_cloudflare_email}" \
-          -var "sparkpost_api_key=${TF_VAR_sparkpost_api_key}"
+          -out tf_k8s_infra-${{ github.event.pull_request.number }}.plan
+    
+    - name: Upload K8s Infrastructure Plan File
+      uses: actions/upload-artifact@v4
+      with:
+        name: tf_k8s_infra-${{ github.event.pull_request.number }}.plan
+        path: "terraform-k8s-infrastructure/tf_k8s_infra-${{ github.event.pull_request.number }}.plan"
+        if-no-files-found: 'error'
+        overwrite: true

.gitignore

@@ -25,6 +25,7 @@ crash.log
 # version control.
 #
 # example.tfvars
+*.auto.tfvars
 
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
@@ -52,3 +53,6 @@ terraform-k8s-infrastructure/vars/private.tfvars
 
 terraform.tfstate
 terraform.tfstate.backup
+
+# Snyk Security Extension - AI Rules (auto-generated)
+.github/instructions/snyk_rules.instructions.md

README.md

@@ -4,6 +4,9 @@
 
 For a description of the setup, see the infrastructure [section](https://resource-watch.github.io/doc-api/developer.html#infrastructure-configuration) of the developer documentation.
 
+# Github Actions
+Github Actions (GHA) has been setup to run `terraform plan` when a PR is opened to either the `dev`, `staging`, or `production` (TODO) branches, and `terraform apply` when the PR is merged. This makes use of an OIDC role as described here: https://docs.github.com/en/actions/how-tos/secure-your-work/security-harden-deployments/oidc-in-aws.  The role for each environment was created manually, and is specified using the `gha_role_arn` Terraform variable.
+
 ## Setting up the AWS resources
 
 To setup the cluster cloud resources, use the following command:

scripts/README.md

@@ -0,0 +1,4 @@
+# PVC Debugger
+
+export PVC_NAME=<my-pvc-name>
+envsubst < pvc-debugger.yaml | kubectl apply -n <namespace> -f -

scripts/pvc-debugger.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: volume-debugger
+spec:
+  volumes:
+    - name: volume-to-debug
+      persistentVolumeClaim:
+        claimName: ${PVC_NAME} # Replace with your PVC name
+  containers:
+    - name: debugger
+      image: busybox:stable
+      command: ['sleep', '3600'] # Keeps the pod running
+      volumeMounts:
+        - mountPath: "/data" # The path where the volume will be mounted
+          name: volume-to-debug
+  restartPolicy: Never