test workflow

NASA-PDS · Jul 11, 2023 · e40e275 · e40e275
1 parent 8cb6fb0
commit e40e275
Show file tree

Hide file tree

Showing 5 changed files with 174 additions and 18 deletions.
diff --git a/.github/workflows/terraform-workflow.yaml b/.github/workflows/terraform-workflow.yaml
@@ -0,0 +1,90 @@
+name: 'Terraform-Workflow'
+
+on:
+  push:
+    branches:
+      - '**'
+  pull_request:
+    types: [opened, edited, reopened, ready_for_review, review_requested]
+  workflow_dispatch:
+
+permissions:
+  id-token: write  # required to use OIDC authentication
+  contents: read # required to checkout the code from the repo
+
+jobs:
+  deploy:
+    name: 'Terraform'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        working-directory: ./terraform
+    environment: NGAP DEV
+    env:
+      TF_LOG: INFO
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        aws-region: "${{ secrets.AWS_REGION }}"
+        role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
+        role-session-name: PDS_GitHub_OIDC_TERRAFORM
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v2
+
+    - name: Terraform Fmt, Init & Validate
+      id: fmt_init_validate
+      env:
+        AWS_BUCKET_NAME: ${{ secrets.AWS_BUCKET_NAME}}
+        AWS_BUCKET_KEY_NAME: ${{ secrets.AWS_BUCKET_KEY_NAME}}
+      run: |
+        terraform fmt
+        terraform init -backend-config="bucket=${AWS_BUCKET_NAME}" -backend-config="key=${AWS_BUCKET_KEY_NAME}"
+        terraform validate -no-color
+
+    - name: Terraform Plan
+      id: plan
+      if: github.event_name == 'pull_request'
+      env:
+        TF_VAR_aws_fg_vpc: "${{ secrets.AWS_FG_VPC }}"
+        TF_VAR_aws_fg_security_groups: "${{ secrets.AWS_FG_SECURITY_GROUPS }}"
+        TF_VAR_aws_fg_subnets: "${{ secrets.AWS_FG_SUBSETS }}"
+        TF_VAR_aws_fg_cpu_units: 256
+        TF_VAR_aws_fg_ram_units: 512
+        TF_VAR_aws_fg_image: "${{ secrets.AWS_FG_IMAGE }}"
+        TF_VAR_aws_lb_listener_arn: "${{ secrets.AWS_LB_LISTENER_ARN }}"
+        TF_VAR_es_hosts: "${{ secrets.ES_HOSTS }}"
+        TF_VAR_es_user_name: "${{ secrets.ES_USER_NAME }}"
+        TF_VAR_http_header_forward_value: "search-en-delta/1"
+        TF_VAR_node_name_abbr: "en"
+        TF_VAR_venue: "delta"
+      run: terraform plan -no-color
+      continue-on-error:  true
+
+    - name: Terraform Plan Status
+      id : plan_status
+      if: steps.plan.outcome == 'failure' && github.event_name == 'pull_request'
+      run: exit 1
+
+    - name: Terraform Apply
+      if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+      env:
+        TF_VAR_aws_fg_vpc: "${{ secrets.AWS_FG_VPC }}"
+        TF_VAR_aws_fg_security_groups: "${{ secrets.AWS_FG_SECURITY_GROUPS }}"
+        TF_VAR_aws_fg_subnets: "${{ secrets.AWS_FG_SUBSETS }}"
+        TF_VAR_aws_fg_cpu_units: 256
+        TF_VAR_aws_fg_ram_units: 512
+        TF_VAR_aws_fg_image: "${{ secrets.AWS_FG_IMAGE }}"
+        TF_VAR_aws_lb_listener_arn: "${{ secrets.AWS_LB_LISTENER_ARN }}"
+        TF_VAR_es_hosts: "${{ secrets.ES_HOSTS }}"
+        TF_VAR_es_user_name: "${{ secrets.ES_USER_NAME }}"
+        TF_VAR_http_header_forward_value: "search-en-delta/1"
+        TF_VAR_node_name_abbr: "en"
+        TF_VAR_venue: "delta"
+      run: terraform apply -auto-approve
diff --git a/.gitignore b/.gitignore
@@ -86,3 +86,23 @@ model/target
 
 # macOS specific stuff
 .DS_Store
+
+# Local .terraform state files, directories and crash logs
+**/.terraform/*
+*.tfstate
+*.tfstate.*
+*.tfvars
+*.tfvars.json
+crash.log
+crash.*.log
+
+# Ignore Terraform CLI configuration files
+.terraformrc
+terraform.rc
+
+# Ignore Terraform override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
diff --git a/service/pre-commit-config.yaml b/service/pre-commit-config.yaml
@@ -0,0 +1,21 @@
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.4.0
+    hooks:
+    - id: trailing-whitespace
+    - id: end-of-file-fixer
+    - id: check-merge-conflict
+    - id: debug-statements
+    - id: check-yaml
+    - id: check-json #checks json files for parseable syntax.
+    - id: pretty-format-json #sets a standard for formatting json files.
+
+-   repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.81.0
+    hooks:
+    - id: terraform_fmt #Rewrites all Terraform configuration files to a canonical format.
+    - id: terraform_validate #Validates all Terraform configuration files.
+    - id: terraform_tflint #Validates all Terraform configuration files with TFLint.
+    # - id: terrascan #Detect compliance and security violations of Terraform templates.
+    # - id: terraform_tfsec
+    # - id: terraform_docs
diff --git a/service/terraform/.terraform.lock.hcl b/service/terraform/.terraform.lock.hcl
diff --git a/service/terraform/ecs.tf b/service/terraform/ecs.tf
@@ -3,8 +3,8 @@ resource "aws_ecs_cluster" "ecs_cluster" {
   name = "pds-${var.node_name_abbr}-${var.venue}-reg-cluster"
 
   tags = {
-    Alfa = var.node_name_abbr
-    Bravo = var.venue
+    Alfa    = var.node_name_abbr
+    Bravo   = var.venue
     Charlie = "registry"
   }
 }
@@ -19,8 +19,8 @@ resource "aws_cloudwatch_log_group" "pds-registry-log-group" {
   name = "/ecs/pds-${var.node_name_abbr}-${var.venue}-reg-api-svc-task"
 
   tags = {
-    Alfa = var.node_name_abbr
-    Bravo = var.venue
+    Alfa    = var.node_name_abbr
+    Bravo   = var.venue
     Charlie = "registry"
   }
 }
@@ -42,13 +42,13 @@ resource "aws_ecs_service" "pds-registry-reg-service" {
 
   network_configuration {
     assign_public_ip = false
-    security_groups = var.aws_fg_security_groups
-    subnets = var.aws_fg_subnets
+    security_groups  = var.aws_fg_security_groups
+    subnets          = var.aws_fg_subnets
   }
 
   tags = {
-    Alfa = var.node_name_abbr
-    Bravo = var.venue
+    Alfa    = var.node_name_abbr
+    Bravo   = var.venue
     Charlie = "registry"
   }
 }
@@ -99,23 +99,23 @@ EOF
   task_role_arn      = data.aws_iam_role.pds-task-execution-role.arn
 
   # These are the minimum values for Fargate containers.
-  cpu                      = 256
-  memory                   = 512
+  cpu                      = var.aws_fg_cpu_units
+  memory                   = var.aws_fg_ram_units
   requires_compatibilities = ["FARGATE"]
 
   # This is required for Fargate containers
   network_mode = "awsvpc"
 
   tags = {
-    Alfa = var.node_name_abbr
-    Bravo = var.venue
+    Alfa    = var.node_name_abbr
+    Bravo   = var.venue
     Charlie = "registry"
   }
 }
 
 # role under which ECS will execute tasks.
 data "aws_iam_role" "pds-task-execution-role" {
-  name    = "am-ecs-task-execution"
+  name = "am-ecs-task-execution"
 }
 
 resource "aws_lb_target_group" "pds-registry-target-group" {
@@ -126,9 +126,9 @@ resource "aws_lb_target_group" "pds-registry-target-group" {
   vpc_id      = var.aws_fg_vpc
 
   health_check {
-    enabled = true
-    path    = "/swagger-ui/index.html"
-    matcher = "200,301,302"
+    enabled  = true
+    path     = "/swagger-ui/index.html"
+    matcher  = "200,301,302"
     interval = 60
   }
 }
@@ -138,13 +138,13 @@ resource "aws_lb_listener_rule" "pds-registry-forward-rule" {
 
   action {
     type             = "forward"
-    target_group_arn =  aws_lb_target_group.pds-registry-target-group.arn
+    target_group_arn = aws_lb_target_group.pds-registry-target-group.arn
   }
 
   condition {
     http_header {
       http_header_name = var.http_header_forward_name
-      values           = [var.http_header_forward_value,]
+      values           = [var.http_header_forward_value, ]
     }
   }
 }