GitHub secrets (#1662)
* beginning

* formatting
[review]

* formatting
[review]

* new line

* defaults

* conditionals and formatting

* workflows

* debug

* debug

* terragrunt hcls
ben851 authored Nov 20, 2024
1 parent 487f98b commit 445f331
Showing 15 changed files with 416 additions and 6 deletions.
33 changes: 32 additions & 1 deletion .github/workflows/merge_to_main_production.yml
Expand Up @@ -17,7 +17,7 @@ env:
ACCOUNT_ID: ${{ secrets.PRODUCTION_ACCOUNT_ID }}
AWS_REGION: ca-central-1
ENVIRONMENT: production
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PRODUCTION_OP_SERVICE_ACCOUNT_TOKEN }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_PRODUCTION }}
WORKFLOW: true

permissions:
Expand Down Expand Up @@ -692,3 +692,34 @@ jobs:
run: |
cd env/${{env.ENVIRONMENT}}/manifest_secrets
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-github:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
needs: [terragrunt-apply-rds, terragrunt-apply-elasticache, terragrunt-apply-eks, terragrunt-apply-ecr, terragrunt-apply-lambda-api, terragrunt-apply-heartbeat, terragrunt-apply-database-tools, terragrunt-apply-lambda-google-cidr, terragrunt-apply-ses_to_sqs_email_callbacks, terragrunt-apply-sns_to_sqs_sms_callbacks, terragrunt-apply-pinpoint_to_sqs_sms_callbacks, terragrunt-apply-system_status, terragrunt-apply-system_status_static_site, terragrunt-apply-newrelic]
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
role_session_name: NotifyTerraformApply

- name: Install 1Pass CLI
run: |
curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
sudo dpkg -i 1pass.deb
sudo mkdir -p aws
cd aws
op read op://ppnxsriom3alsxj4ogikyjxlzi/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars
- name: terragrunt apply github
run: |
cd env/${{env.ENVIRONMENT}}/manifest_secrets
terragrunt apply --terragrunt-non-interactive -auto-approve
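Review bot: The last step of the new `terragrunt-apply-github` job, named "terragrunt apply github", changes into `env/${{env.ENVIRONMENT}}/manifest_secrets` rather than the `github` component, so on a merge to main production re-applies manifest_secrets a second time and never applies the GitHub-secrets module; the staging workflow in this same commit uses `cd env/${{env.ENVIRONMENT}}/github`. Change the step to `cd env/${{env.ENVIRONMENT}}/github`. Separately, the job writes the entire 1Password secrets note to `aws/production.tfvars` on the runner and nothing visible here removes it afterwards; that matches the older jobs, but this tfvars presumably now also carries the values Terraform pushes into GitHub secrets, so it is worth confirming the file does not outlive the job.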
31 changes: 31 additions & 0 deletions .github/workflows/merge_to_main_staging.yml
Expand Up @@ -791,6 +791,37 @@ jobs:
cd env/${{env.ENVIRONMENT}}/manifest_secrets
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-github:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
needs: [terragrunt-apply-rds, terragrunt-apply-elasticache, terragrunt-apply-eks, terragrunt-apply-ecr, terragrunt-apply-lambda-api, terragrunt-apply-lambda-admin-pr, terragrunt-apply-performance-test, terragrunt-apply-heartbeat, terragrunt-apply-database-tools, terragrunt-apply-quicksight, terragrunt-apply-lambda-google-cidr, terragrunt-apply-ses_to_sqs_email_callbacks, terragrunt-apply-sns_to_sqs_sms_callbacks, terragrunt-apply-pinpoint_to_sqs_sms_callbacks, terragrunt-apply-system_status, terragrunt-apply-system_status_static_site, terragrunt-apply-newrelic]
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
role_session_name: NotifyTerraformApply

- name: Install 1Pass CLI
run: |
curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
sudo dpkg -i 1pass.deb
sudo mkdir -p aws
cd aws
op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars
- name: terragrunt apply github
run: |
cd env/${{env.ENVIRONMENT}}/github
terragrunt apply --terragrunt-non-interactive -auto-approve
bump-version-and-push-tag:
if: |
always() &&
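Review bot: The `Install 1Pass CLI` step fetches `1password-cli-amd64-latest.deb` with plain `curl` and installs it via `sudo dpkg -i` with no version pin and no checksum or signature verification, so whatever is served at that URL runs as root on a runner that then holds the 1Password service-account token and the AWS apply role. Pin an explicit CLI version and verify a known digest before installing, e.g. `echo "<sha256>  1pass.deb" | sha256sum -c` (or install from 1Password's apt repository with its signing key); since the identical step is copied into every new job in this commit, it would also be cleaner as a composite action next to `./.github/actions/setup-terraform`. Note as well that `curl` is called without `--fail`, so an HTTP error page would be handed to dpkg instead of stopping the step with a clear error.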
35 changes: 34 additions & 1 deletion .github/workflows/terragrunt_plan_dev.yml
Expand Up @@ -904,4 +904,37 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
terraform-init: |
-upgrade
-upgrade
terragrunt-plan-github:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
needs: [terragrunt-plan-rds, terragrunt-plan-elasticache, terragrunt-plan-eks, terragrunt-plan-lambda-api, terragrunt-plan-lambda-admin-pr, terragrunt-plan-performance-test, terragrunt-plan-heartbeat, terragrunt-plan-database-tools, terragrunt-plan-quicksight, terragrunt-plan-lambda-google-cidr, terragrunt-plan-ses_to_sqs_email_callbacks, terragrunt-plan-sns_to_sqs_sms_callbacks, terragrunt-plan-pinpoint_to_sqs_sms_callbacks, terragrunt-plan-system_status, terragrunt-plan-system_status_static_site, terragrunt-plan-newrelic]
runs-on: ubuntu-latest
env:
COMPONENT: "github"
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Install 1Pass CLI and Download TFVars
run: |
curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
sudo dpkg -i 1pass.deb
sudo mkdir -p aws && cd aws
op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars
- name: Terragrunt plan ${{env.COMPONENT}}
uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
with:
directory: "env/${{env.ENVIRONMENT}}/${{env.COMPONENT}}"
comment-delete: "true"
comment-title: "${{env.ENVIRONMENT}}: ${{env.COMPONENT}}"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
terraform-init: |
-upgrade
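Review bot: The new `terragrunt-plan-github` job in the dev plan workflow assumes `role/notification-terraform-apply` with session name `NotifyTerraformApply` in its setup-terraform step even though it only runs a plan; the equivalent plan jobs added to the production and staging workflows in this same commit assume `notification-terraform-plan`. A plan job, presumably triggered from pull requests (the trigger is outside this view), should not hold apply-level credentials, and the mismatch looks like a copy-paste from the apply workflow. Change the two lines to `role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-plan` and `role_session_name: NotifyTerraformPlan`.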
37 changes: 35 additions & 2 deletions .github/workflows/terragrunt_plan_production.yml
Expand Up @@ -15,7 +15,7 @@ env:
ENVIRONMENT: production
ACCOUNT_ID: ${{ secrets.PRODUCTION_ACCOUNT_ID }}
AWS_REGION: ca-central-1
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PRODUCTION_OP_SERVICE_ACCOUNT_TOKEN }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_PRODUCTION }}
WORKFLOW: true

jobs:
Expand Down Expand Up @@ -738,4 +738,37 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
terraform-init: |
-upgrade
-upgrade
terragrunt-plan-github:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
needs: [terragrunt-plan-rds, terragrunt-plan-elasticache, terragrunt-plan-eks, terragrunt-plan-lambda-api, terragrunt-plan-heartbeat, terragrunt-plan-database-tools, terragrunt-plan-quicksight, terragrunt-plan-lambda-google-cidr, terragrunt-plan-ses_to_sqs_email_callbacks, terragrunt-plan-sns_to_sqs_sms_callbacks, terragrunt-plan-pinpoint_to_sqs_sms_callbacks, terragrunt-plan-system_status, terragrunt-plan-system_status_static_site, terragrunt-plan-newrelic]
runs-on: ubuntu-latest
env:
COMPONENT: "github"
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-plan
role_session_name: NotifyTerraformPlan
- name: Install 1Pass CLI and Download TFVars
run: |
curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
sudo dpkg -i 1pass.deb
sudo mkdir -p aws && cd aws
op read op://ppnxsriom3alsxj4ogikyjxlzi/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars
- name: Terragrunt plan ${{env.COMPONENT}}
uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
with:
directory: "env/${{env.ENVIRONMENT}}/${{env.COMPONENT}}"
comment-delete: "true"
comment-title: "${{env.ENVIRONMENT}}: ${{env.COMPONENT}}"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
terraform-init: |
-upgrade
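Review bot: The `github` component this job plans manages `github_actions_secret` resources whose `plaintext_value` comes from the tfvars pulled out of 1Password, and the resulting plan is posted as a pull-request comment through `cds-snc/terraform-plan` using `github-token`. The GitHub provider should treat `plaintext_value` as sensitive so Terraform redacts it in plan output, but that should be confirmed on the first run of this component rather than assumed, since a redaction gap here would publish production credentials in a PR thread. A one-line comment on the plan step, `# plan output is posted to the PR: plaintext_value must render as (sensitive value)`, would record the expectation for the next reader.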
40 changes: 39 additions & 1 deletion .github/workflows/terragrunt_plan_staging.yml
Expand Up @@ -48,6 +48,7 @@ jobs:
system_status_static_site: ${{ steps.filter.outputs.system_status_static_site }}
newrelic: ${{ steps.filter.outputs.newrelic }}
manifest_secrets: ${{ steps.filter.outputs.manifest_secrets }}
github: ${{ steps.filter.outputs.github }}

steps:
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
Expand Down Expand Up @@ -128,6 +129,9 @@ jobs:
manifest_secrets:
- 'aws/manifest_secrets/**'
- 'env/${{env.ENVIRONMENT}}/manifest_secrets/**'
github:
- 'aws/github/**'
- 'env/${{env.ENVIRONMENT}}/github/**'
terragrunt-plan-common:
if: |
Expand Down Expand Up @@ -944,4 +948,38 @@ jobs:
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
terraform-init: |
-upgrade
-upgrade
terragrunt-plan-github:
if: |
always() &&
needs.terragrunt-filter.outputs.github == 'true' &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
needs: [terragrunt-filter,terragrunt-plan-rds, terragrunt-plan-elasticache, terragrunt-plan-eks, terragrunt-plan-lambda-api, terragrunt-plan-lambda-admin-pr, terragrunt-plan-performance-test, terragrunt-plan-heartbeat, terragrunt-plan-database-tools, terragrunt-plan-quicksight, terragrunt-plan-lambda-google-cidr, terragrunt-plan-ses_to_sqs_email_callbacks, terragrunt-plan-sns_to_sqs_sms_callbacks, terragrunt-plan-pinpoint_to_sqs_sms_callbacks, terragrunt-plan-system_status, terragrunt-plan-system_status_static_site, terragrunt-plan-newrelic]
runs-on: ubuntu-latest
env:
COMPONENT: "github"
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-plan
role_session_name: NotifyTerraformPlan
- name: Install 1Pass CLI and Download TFVars
run: |
curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
sudo dpkg -i 1pass.deb
sudo mkdir -p aws && cd aws
op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars
- name: Terragrunt plan ${{env.COMPONENT}}
uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
with:
directory: "env/${{env.ENVIRONMENT}}/${{env.COMPONENT}}"
comment-delete: "true"
comment-title: "${{env.ENVIRONMENT}}: ${{env.COMPONENT}}"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
terraform-init: |
-upgrade
2 changes: 1 addition & 1 deletion .github/workflows/terragrunt_quicksight_production.yml
Expand Up @@ -15,7 +15,7 @@ env:
ACCOUNT_ID: ${{ secrets.PRODUCTION_ACCOUNT_ID }}
AWS_REGION: ca-central-1
ENVIRONMENT: production
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PRODUCTION_OP_SERVICE_ACCOUNT_TOKEN }}
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_PRODUCTION }}
WORKFLOW: true

permissions:
23 changes: 23 additions & 0 deletions aws/github/respositories.tf
@@ -0,0 +1,23 @@
data "github_repository" "notification_terraform" {
name = "notification-terraform"
}

data "github_repository" "notification_manifests" {
name = "notification-manifests"
}

data "github_repository" "notification_admin" {
name = "notification-admin"
}

data "github_repository" "notification_api" {
name = "notification-api"
}

data "github_repository" "notification_documentation" {
name = "notification-documentation"
}

data "github_repository" "notification_document_download" {
name = "notification-document-download"
}
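Review bot: The new file name is misspelled as `respositories.tf`; rename it to `repositories.tf` now, while nothing else refers to it, so the typo does not spread into docs or module references. These `github_repository` data sources also rely on the provider's configured `owner` to resolve the organisation; if the provider block (not visible here) does not set it, the lookups resolve against the token's own account rather than the intended org, so a comment such as `# resolved under the owner configured on the github provider` on the first data source would make that dependency explicit.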
40 changes: 40 additions & 0 deletions aws/github/terraform-secrets.tf
@@ -0,0 +1,40 @@
resource "github_actions_secret" "account_id" {
repository = data.github_repository.notification_terraform.name
secret_name = "${upper(var.env)}_ACCOUNT_ID"
plaintext_value = var.account_id
}

resource "github_actions_secret" "notify_dev_slack_webhook" {
count = var.env == "production" ? 1 : 0
repository = data.github_repository.notification_terraform.name
secret_name = "NOTIFY_${upper(var.env)}_SLACK_WEBHOOK"
plaintext_value = var.notify_dev_slack_webhook
}

resource "github_actions_secret" "op_service_account_token" {
count = var.env == "production" || var.env == "staging" ? 1 : 0
repository = data.github_repository.notification_terraform.name
secret_name = "OP_SERVICE_ACCOUNT_TOKEN_${upper(var.env)}"
plaintext_value = var.op_service_account_token
}

resource "github_actions_secret" "openai_api_key" {
count = var.env == "production" ? 1 : 0
repository = data.github_repository.notification_terraform.name
secret_name = "OPENAI_API_KEY"
plaintext_value = var.openai_api_key
}

resource "github_actions_secret" "aws_access_key_id" {
count = var.env == "production" || var.env == "staging" ? 1 : 0
repository = data.github_repository.notification_terraform.name
secret_name = "${upper(var.env)}_AWS_ACCESS_KEY_ID"
plaintext_value = var.aws_access_key_id
}

resource "github_actions_secret" "aws_secret_access_key" {
count = var.env == "production" || var.env == "staging" ? 1 : 0
repository = data.github_repository.notification_terraform.name
secret_name = "${upper(var.env)}_AWS_SECRET_ACCESS_KEY"
plaintext_value = var.aws_secret_access_key
}
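Review bot: The resource `notify_dev_slack_webhook` is created only when `var.env == "production"` and names its secret `NOTIFY_PRODUCTION_SLACK_WEBHOOK`, so the `dev` in the resource and variable names contradicts what it manages; rename it (for example `notify_slack_webhook` / `var.notify_slack_webhook`) or make the count and name actually target a dev environment. Separately, `aws_access_key_id` and `aws_secret_access_key` push long-lived static AWS keys into GitHub for staging and production while every workflow touched by this commit authenticates through `role_to_assume` on `setup-terraform`; if no remaining workflow needs the static keys, dropping these two resources removes a standing credential, and if one does, the reason belongs in a comment on the resource. Note too that `plaintext_value` is persisted in Terraform state, so the state backend for this component has to be treated as holding these secrets.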
