Moving changes to production and dev code

cds-snc · Oct 18, 2024 · 0196564 · 0196564
1 parent a45683a
commit 0196564
Show file tree

Hide file tree

Showing 7 changed files with 214 additions and 1 deletion.
diff --git a/.github/workflows/merge_to_main_production.yml b/.github/workflows/merge_to_main_production.yml
@@ -693,6 +693,39 @@ jobs:
           cd env/${{env.ENVIRONMENT}}/newrelic
           terragrunt apply --terragrunt-non-interactive -auto-approve
 
+  terragrunt-apply-manifest_secrets:
+    if: |
+      always() &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    needs: [terragrunt-apply-rds, terragrunt-apply-elasticache, terragrunt-apply-eks, terragrunt-apply-ecr, terragrunt-apply-lambda-api, terragrunt-apply-heartbeat, terragrunt-apply-database-tools, terragrunt-apply-quicksight, terragrunt-apply-lambda-google-cidr, terragrunt-apply-ses_to_sqs_email_callbacks, terragrunt-apply-sns_to_sqs_sms_callbacks, terragrunt-apply-pinpoint_to_sqs_sms_callbacks, terragrunt-apply-system_status, terragrunt-apply-system_status_static_site, terragrunt-apply-newrelic]
+    runs-on: ubuntu-latest  
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+      - name: setup-terraform
+        uses: ./.github/actions/setup-terraform
+        with:
+          role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
+          role_session_name: NotifyTerraformApply        
+
+      - name: Install 1Pass CLI
+        run: |
+          curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
+          sudo dpkg -i 1pass.deb
+          sudo mkdir -p aws
+          cd aws
+          op read op://ppnxsriom3alsxj4ogikyjxlzi/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars   
+
+      - name: terragrunt apply manifest_secrets
+        run: |
+          cd env/${{env.ENVIRONMENT}}/manifest_secrets
+          terragrunt apply --terragrunt-non-interactive -auto-approve      
+         
+
+
   bump-version-and-push-tag:
     if: |
         always() &&

diff --git a/.github/workflows/terragrunt_create_dev_environment.yml b/.github/workflows/terragrunt_create_dev_environment.yml
@@ -766,6 +766,37 @@ jobs:
   #         cd env/${{env.ENVIRONMENT}}/newrelic
   #         terragrunt apply --terragrunt-non-interactive -auto-approve
 
+  terragrunt-apply-manifest_secrets:
+    if: |
+      always() &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    needs: [terragrunt-apply-common, terragrunt-apply-eks, terragrunt-apply-rds, terragrunt-apply-elasticache, terragrunt-apply-ecr, terragrunt-apply-ecr-us-east, terragrunt-apply-lambda-admin-pr, terragrunt-apply-performance-test, terragrunt-apply-heartbeat, terragrunt-apply-database-tools, terragrunt-apply-lambda-google-cidr, terragrunt-apply-ses_to_sqs_email_callbacks, terragrunt-apply-sns_to_sqs_sms_callbacks, terragrunt-apply-pinpoint_to_sqs_sms_callbacks, terragrunt-apply-system_status, terragrunt-apply-system_status_static_site]
+    runs-on: ubuntu-latest  
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+      - name: setup-terraform
+        uses: ./.github/actions/setup-terraform
+        with:
+          role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
+          role_session_name: NotifyTerraformApply         
+
+      - name: Install 1Pass CLI
+        run: |
+          curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
+          sudo dpkg -i 1pass.deb
+          sudo mkdir -p aws
+          cd aws
+          op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars   
+
+      - name: terragrunt apply manifest_secrets
+        run: |
+          cd env/${{env.ENVIRONMENT}}/manifest_secrets
+          terragrunt apply --terragrunt-non-interactive -auto-approve
+
   deploy-application:
     if: |
       always() &&

diff --git a/.github/workflows/terragrunt_plan_dev.yml b/.github/workflows/terragrunt_plan_dev.yml
@@ -38,7 +38,8 @@ jobs:
       system_status: ${{ steps.filter.outputs.system_status }}
       system_status_static_site: ${{ steps.filter.outputs.system_status_static_site }}
       newrelic: ${{ steps.filter.outputs.newrelic }}
-
+      manifest_secrets: ${{ steps.filter.outputs.manifest_secrets }}
+
     steps:
       - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
         id: filter
@@ -112,6 +113,9 @@ jobs:
             newrelic:
               - 'aws/newrelic/**'
               - 'env/${{env.ENVIRONMENT}}/newrelic/**'
+            manifest_secrets:
+              - 'aws/manifest_secrets/**'
+              - 'env/${{env.ENVIRONMENT}}/manifest_secrets/**'
 
   terragrunt-plan-common:
     runs-on: ubuntu-latest  
@@ -867,3 +871,37 @@ jobs:
           terragrunt: "true"
           terraform-init: |
             -upgrade
+
+
+  terragrunt-plan-manifest_secrets:
+    if: |
+      always() &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    needs: [terragrunt-plan-rds, terragrunt-plan-elasticache, terragrunt-plan-eks, terragrunt-plan-lambda-api, terragrunt-plan-lambda-admin-pr, terragrunt-plan-performance-test, terragrunt-plan-heartbeat, terragrunt-plan-database-tools, terragrunt-plan-quicksight, terragrunt-plan-lambda-google-cidr, terragrunt-plan-ses_to_sqs_email_callbacks, terragrunt-plan-sns_to_sqs_sms_callbacks, terragrunt-plan-pinpoint_to_sqs_sms_callbacks, terragrunt-plan-system_status, terragrunt-plan-system_status_static_site, terragrunt-plan-newrelic]
+    runs-on: ubuntu-latest  
+    env:
+      COMPONENT: "manifest_secrets"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: ./.github/actions/setup-terraform
+        with:
+          role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
+          role_session_name: NotifyTerraformApply
+      - name: Install 1Pass CLI and Download TFVars
+        run: |
+          curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
+          sudo dpkg -i 1pass.deb
+          sudo mkdir -p aws && cd aws
+          op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars          
+      - name: Terragrunt plan ${{env.COMPONENT}}
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
+        with:
+          directory: "env/${{env.ENVIRONMENT}}/${{env.COMPONENT}}"
+          comment-delete: "true"
+          comment-title: "${{env.ENVIRONMENT}}: ${{env.COMPONENT}}"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          terragrunt: "true"
+          terraform-init: |
+            -upgrade
diff --git a/.github/workflows/terragrunt_plan_production.yml b/.github/workflows/terragrunt_plan_production.yml
@@ -706,3 +706,36 @@ jobs:
           terragrunt: "true"
           terraform-init: |
             -upgrade
+
+  terragrunt-plan-manifest_secrets:
+    if: |
+      always() &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    needs: [terragrunt-plan-rds, terragrunt-plan-elasticache, terragrunt-plan-eks, terragrunt-plan-lambda-api, terragrunt-plan-heartbeat, terragrunt-plan-database-tools, terragrunt-plan-quicksight, terragrunt-plan-lambda-google-cidr, terragrunt-plan-ses_to_sqs_email_callbacks, terragrunt-plan-sns_to_sqs_sms_callbacks, terragrunt-plan-pinpoint_to_sqs_sms_callbacks, terragrunt-plan-system_status, terragrunt-plan-system_status_static_site, terragrunt-plan-newrelic]
+    runs-on: ubuntu-latest  
+    env:
+      COMPONENT: "manifest_secrets"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: ./.github/actions/setup-terraform
+        with:
+          role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-plan
+          role_session_name: NotifyTerraformPlan
+      - name: Install 1Pass CLI and Download TFVars
+        run: |
+          curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
+          sudo dpkg -i 1pass.deb
+          sudo mkdir -p aws && cd aws
+          op read op://ppnxsriom3alsxj4ogikyjxlzi/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars          
+      - name: Terragrunt plan ${{env.COMPONENT}}
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
+        with:
+          directory: "env/${{env.ENVIRONMENT}}/${{env.COMPONENT}}"
+          comment-delete: "true"
+          comment-title: "${{env.ENVIRONMENT}}: ${{env.COMPONENT}}"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          terragrunt: "true"
+          terraform-init: |
+            -upgrade
diff --git a/env/dev/manifest_secrets/terragrunt.hcl b/env/dev/manifest_secrets/terragrunt.hcl
@@ -0,0 +1,26 @@
+terraform {
+  source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/manifest_secrets?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//manifest_secrets"}"
+}
+
+dependencies {
+  paths = ["../rds", "../elasticache"]
+}
+
+dependency "rds" {
+  config_path = "../rds"
+}
+
+dependency "elasticache" {
+  config_path = "../elasticache"
+}
+
+include {
+  path = find_in_parent_folders()
+}
+
+inputs = {
+  database_read_only_proxy_endpoint = dependency.rds.outputs.database_read_only_proxy_endpoint
+  database_read_write_proxy_endpoint = dependency.rds.outputs.database_read_write_proxy_endpoint
+  cluster_endpoint = dependency.rds.outputs.cluster_endpoint
+  redis_primary_endpoint_address = dependency.elasticache.outputs.redis_primary_endpoint_address
+}
diff --git a/env/production/manifest_secrets/terragrunt.hcl b/env/production/manifest_secrets/terragrunt.hcl
@@ -0,0 +1,26 @@
+terraform {
+  source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/manifest_secrets?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//manifest_secrets"}"
+}
+
+dependencies {
+  paths = ["../rds", "../elasticache"]
+}
+
+dependency "rds" {
+  config_path = "../rds"
+}
+
+dependency "elasticache" {
+  config_path = "../elasticache"
+}
+
+include {
+  path = find_in_parent_folders()
+}
+
+inputs = {
+  database_read_only_proxy_endpoint = dependency.rds.outputs.database_read_only_proxy_endpoint
+  database_read_write_proxy_endpoint = dependency.rds.outputs.database_read_write_proxy_endpoint
+  cluster_endpoint = dependency.rds.outputs.cluster_endpoint
+  redis_primary_endpoint_address = dependency.elasticache.outputs.redis_primary_endpoint_address
+}
diff --git a/env/sandbox/manifest_secrets/terragrunt.hcl b/env/sandbox/manifest_secrets/terragrunt.hcl
@@ -0,0 +1,26 @@
+terraform {
+  source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/manifest_secrets?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//manifest_secrets"}"
+}
+
+dependencies {
+  paths = ["../rds", "../elasticache"]
+}
+
+dependency "rds" {
+  config_path = "../rds"
+}
+
+dependency "elasticache" {
+  config_path = "../elasticache"
+}
+
+include {
+  path = find_in_parent_folders()
+}
+
+inputs = {
+  database_read_only_proxy_endpoint = dependency.rds.outputs.database_read_only_proxy_endpoint
+  database_read_write_proxy_endpoint = dependency.rds.outputs.database_read_write_proxy_endpoint
+  cluster_endpoint = dependency.rds.outputs.cluster_endpoint
+  redis_primary_endpoint_address = dependency.elasticache.outputs.redis_primary_endpoint_address
+}