us-east-1

cds-snc · Oct 10, 2024 · dd4d81a · dd4d81a
1 parent 981f3eb
commit dd4d81a
Show file tree

Hide file tree

Showing 18 changed files with 254 additions and 84 deletions.
diff --git a/.github/workflows/terragrunt_create_dev_environment.yml b/.github/workflows/terragrunt_create_dev_environment.yml
@@ -43,9 +43,14 @@ jobs:
           op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TFVars - ${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars   
 
       - name: terragrunt apply COMMON
-        run: |
-          cd env/${{env.ENVIRONMENT}}/common
-          terragrunt apply --terragrunt-non-interactive -auto-approve
+        uses: nick-fields/retry@v3
+        with:
+          timeout_seconds: 600
+          max_attempts: 3
+          retry_on: error
+          command: |
+            cd env/${{env.ENVIRONMENT}}/common
+            terragrunt apply --terragrunt-non-interactive -auto-approve
 
   terragrunt-apply-ecr:
     if: |
@@ -64,6 +69,40 @@ jobs:
           role-to-assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-api-apply
           role-session-name: NotifyApiGitHubActions
           aws-region: "ca-central-1"        
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: setup-terraform
+        uses: ./.github/actions/setup-terraform
+        with:
+          role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
+          role_session_name: NotifyTerraformDevApply        
+
+      - name: Install 1Pass CLI
+        run: |
+          curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
+          sudo dpkg -i 1pass.deb
+          sudo mkdir -p aws
+          cd aws
+          op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TFVars - ${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars   
+
+      - name: terragrunt apply ECR
+        run: |
+          cd env/${{env.ENVIRONMENT}}/ecr
+          terragrunt apply --terragrunt-non-interactive -auto-approve
+
+  terragrunt-apply-ecr-us-east:
+    if: |
+      always() &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    runs-on: ubuntu-latest  
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
       - name: Configure credentials to Notify Private ECR using OIDC
         uses: aws-actions/configure-aws-credentials@master
@@ -90,9 +129,9 @@ jobs:
           cd aws
           op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TFVars - ${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars   
 
-      - name: terragrunt apply ECR
+      - name: terragrunt apply ECR US East
         run: |
-          cd env/${{env.ENVIRONMENT}}/ecr
+          cd env/${{env.ENVIRONMENT}}/ecr-us-east
           terragrunt apply --terragrunt-non-interactive -auto-approve
 
   terragrunt-apply-ses_receiving_emails:

diff --git a/aws/ecr-us-east/ecr.tf b/aws/ecr-us-east/ecr.tf
@@ -0,0 +1,12 @@
+resource "aws_ecr_repository" "ses_receiving_emails" {
+  # The :latest tag is used in Staging
+
+  provider             = aws.us-east-1
+  name                 = "notify/ses_receiving_emails"
+  image_tag_mutability = "MUTABLE" #tfsec:ignore:AWS078
+  force_delete         = var.force_delete_ecr
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+}
diff --git a/aws/ecr-us-east/images.tf b/aws/ecr-us-east/images.tf
@@ -0,0 +1,40 @@
+# SES Receiving Emails Build and Push
+
+# Clone Lambda Repository
+resource "null_resource" "lambda_repo_clone" {
+  count = var.bootstrap ? 1 : 0
+  triggers = {
+    always_run = "${timestamp()}"
+  }
+
+  provisioner "local-exec" {
+    command = "git clone 'https://github.com/cds-snc/notification-lambdas.git' /var/tmp/notification-lambdas"
+  }
+}
+
+resource "null_resource" "build_ses_receiving_emails_docker_image" {
+  count = var.bootstrap ? 1 : 0
+
+  triggers = {
+    always_run = "${timestamp()}"
+  }
+
+  depends_on = [
+    null_resource.lambda_repo_clone
+  ]
+
+  provisioner "local-exec" {
+    command = "cd /var/tmp/notification-lambdas/ && docker build -t ${aws_ecr_repository.ses_receiving_emails.repository_url}:bootstrap -f /var/tmp/notification-lambdas/sesreceivingemails/Dockerfile ."
+  }
+
+}
+
+resource "null_resource" "push_ses_receiving_emails_docker_image" {
+  count      = var.bootstrap ? 1 : 0
+  depends_on = [null_resource.build_ses_receiving_emails_docker_image]
+
+  provisioner "local-exec" {
+    command = "docker push ${aws_ecr_repository.ses_receiving_emails.repository_url}:bootstrap"
+  }
+
+}
diff --git a/aws/ecr-us-east/outputs.tf b/aws/ecr-us-east/outputs.tf
@@ -0,0 +1,8 @@
+output "ses_receiving_emails_ecr_arn" {
+  description = "arn of ses_receiving_emails ECR"
+  value       = aws_ecr_repository.ses_receiving_emails.arn
+}
+output "ses_receiving_emails_ecr_repository_url" {
+  description = "Repository URL of ses_receiving_emails ECR"
+  value       = aws_ecr_repository.ses_receiving_emails.repository_url
+}
diff --git a/aws/ecr-us-east/secrets.tf b/aws/ecr-us-east/secrets.tf
@@ -0,0 +1,9 @@
+resource "aws_secretsmanager_secret" "ses_receiving_emails_repository_url" {
+  name                    = "SES_RECEIVING_EMAILS_REPOSITORY_URL"
+  recovery_window_in_days = 0
+}
+
+resource "aws_secretsmanager_secret_version" "ses_receiving_emails_repository_url" {
+  secret_id     = aws_secretsmanager_secret.ses_receiving_emails_repository_url.id
+  secret_string = aws_ecr_repository.ses_receiving_emails.repository_url
+}
diff --git a/aws/ecr/ecr.tf b/aws/ecr/ecr.tf
@@ -60,19 +60,6 @@ resource "aws_ecr_repository" "performance-test" {
   }
 }
 
-resource "aws_ecr_repository" "ses_receiving_emails" {
-  # The :latest tag is used in Staging
-
-  provider             = aws.us-east-1
-  name                 = "notify/ses_receiving_emails"
-  image_tag_mutability = "MUTABLE" #tfsec:ignore:AWS078
-  force_delete         = var.force_delete_ecr
-
-  image_scanning_configuration {
-    scan_on_push = true
-  }
-}
-
 resource "aws_ecr_repository" "ses_to_sqs_email_callbacks" {
   # The :latest tag is used in Staging
 

diff --git a/aws/ecr/images.tf b/aws/ecr/images.tf
@@ -158,35 +158,6 @@ resource "null_resource" "push_google_cidr_docker_image" {
 
 # SES Receiving Emails Build and Push
 
-resource "null_resource" "build_ses_receiving_emails_docker_image" {
-  count = var.bootstrap ? 1 : 0
-
-  triggers = {
-    always_run = "${timestamp()}"
-  }
-
-  depends_on = [
-    null_resource.lambda_repo_clone
-  ]
-
-  provisioner "local-exec" {
-    command = "cd /var/tmp/notification-lambdas/ && docker build -t ${aws_ecr_repository.ses_receiving_emails.repository_url}:bootstrap -f /var/tmp/notification-lambdas/sesreceivingemails/Dockerfile ."
-  }
-
-}
-
-resource "null_resource" "push_ses_receiving_emails_docker_image" {
-  count      = var.bootstrap ? 1 : 0
-  depends_on = [null_resource.build_ses_receiving_emails_docker_image]
-
-  provisioner "local-exec" {
-    command = "docker push ${aws_ecr_repository.ses_receiving_emails.repository_url}:bootstrap"
-  }
-
-}
-
-# SES Receiving Emails Build and Push
-
 resource "null_resource" "build_ses_to_sqs_email_callbacks_docker_image" {
   count = var.bootstrap ? 1 : 0
 

diff --git a/aws/ecr/outputs.tf b/aws/ecr/outputs.tf
@@ -1,11 +1,3 @@
-output "ses_receiving_emails_ecr_arn" {
-  description = "arn of ses_receiving_emails ECR"
-  value       = aws_ecr_repository.ses_receiving_emails.arn
-}
-output "ses_receiving_emails_ecr_repository_url" {
-  description = "Repository URL of ses_receiving_emails ECR"
-  value       = aws_ecr_repository.ses_receiving_emails.repository_url
-}
 output "ses_to_sqs_email_callbacks_ecr_arn" {
   description = "arn of ses_to_sqs_email_callbacks ECR"
   value       = aws_ecr_repository.ses_to_sqs_email_callbacks.arn

diff --git a/aws/ecr/secrets.tf b/aws/ecr/secrets.tf
@@ -1,13 +1,3 @@
-resource "aws_secretsmanager_secret" "ses_receiving_emails_repository_url" {
-  name                    = "SES_RECEIVING_EMAILS_REPOSITORY_URL"
-  recovery_window_in_days = 0
-}
-
-resource "aws_secretsmanager_secret_version" "ses_receiving_emails_repository_url" {
-  secret_id     = aws_secretsmanager_secret.ses_receiving_emails_repository_url.id
-  secret_string = aws_ecr_repository.ses_receiving_emails.repository_url
-}
-
 resource "aws_secretsmanager_secret" "ses_to_sqs_email_callbacks_repository_url" {
   name                    = "SES_TO_SQS_EMAIL_CALLBACKS_REPOSITORY_URL"
   recovery_window_in_days = 0

diff --git a/env/dev/ecr-us-east/terragrunt.hcl b/env/dev/ecr-us-east/terragrunt.hcl
@@ -0,0 +1,25 @@
+include {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}"
+
+  after_hook "cleanup-admin" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-admin"]
+    run_on_error = true
+  }
+
+  after_hook "cleanup-api" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-api"]
+    run_on_error = true
+  }
+  after_hook "cleanup-lambdas" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-lambdas"]
+    run_on_error = true
+  }
+
+}
diff --git a/env/dev/ses_receiving_emails/terragrunt.hcl b/env/dev/ses_receiving_emails/terragrunt.hcl
@@ -21,8 +21,8 @@ dependency "common" {
   }
 }
 
-dependency "ecr" {
-  config_path = "../ecr"
+dependency "ecr-us-east" {
+  config_path = "../ec-us-east"
 }
 
 
@@ -35,8 +35,7 @@ inputs = {
   sns_alert_critical_arn_us_east_1        = dependency.common.outputs.sns_alert_critical_arn_us_east_1
   sns_alert_ok_arn_us_east_1              = dependency.common.outputs.sns_alert_ok_arn_us_east_1
   sqs_notify_internal_tasks_arn           = dependency.common.outputs.sqs_notify_internal_tasks_arn
-  sqs_notify_internal_tasks_arn           = dependency.common.outputs.sqs_notify_internal_tasks_arn
-  ses_receiving_emails_ecr_repository_url = dependency.ecr.outputs.ses_receiving_emails_ecr_repository_url
-  ses_receiving_emails_ecr_arn            = dependency.ecr.outputs.ses_receiving_emails_ecr_arn  
+  ses_receiving_emails_ecr_repository_url = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_repository_url
+  ses_receiving_emails_ecr_arn            = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_arn  
 }
 
diff --git a/env/production/ecr-us-east/terragrunt.hcl b/env/production/ecr-us-east/terragrunt.hcl
@@ -0,0 +1,25 @@
+include {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}"
+
+  after_hook "cleanup-admin" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-admin"]
+    run_on_error = true
+  }
+
+  after_hook "cleanup-api" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-api"]
+    run_on_error = true
+  }
+  after_hook "cleanup-lambdas" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-lambdas"]
+    run_on_error = true
+  }
+
+}
diff --git a/env/production/ses_receiving_emails/terragrunt.hcl b/env/production/ses_receiving_emails/terragrunt.hcl
@@ -21,8 +21,8 @@ dependency "common" {
   }
 }
 
-dependency "ecr" {
-  config_path = "../ecr"
+dependency "ecr-us-east" {
+  config_path = "../ec-us-east"
 }
 
 
@@ -35,8 +35,7 @@ inputs = {
   sns_alert_critical_arn_us_east_1        = dependency.common.outputs.sns_alert_critical_arn_us_east_1
   sns_alert_ok_arn_us_east_1              = dependency.common.outputs.sns_alert_ok_arn_us_east_1
   sqs_notify_internal_tasks_arn           = dependency.common.outputs.sqs_notify_internal_tasks_arn
-  sqs_notify_internal_tasks_arn           = dependency.common.outputs.sqs_notify_internal_tasks_arn
-  ses_receiving_emails_ecr_repository_url = dependency.ecr.outputs.ses_receiving_emails_ecr_repository_url
-  ses_receiving_emails_ecr_arn            = dependency.ecr.outputs.ses_receiving_emails_ecr_arn  
+  ses_receiving_emails_ecr_repository_url = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_repository_url
+  ses_receiving_emails_ecr_arn            = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_arn  
 }
 
diff --git a/env/production/terragrunt.hcl b/env/production/terragrunt.hcl
@@ -0,0 +1,25 @@
+include {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}"
+
+  after_hook "cleanup-admin" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-admin"]
+    run_on_error = true
+  }
+
+  after_hook "cleanup-api" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-api"]
+    run_on_error = true
+  }
+  after_hook "cleanup-lambdas" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-lambdas"]
+    run_on_error = true
+  }
+
+}
diff --git a/env/sandbox/ecr-us-east/terragrunt.hcl b/env/sandbox/ecr-us-east/terragrunt.hcl
@@ -0,0 +1,25 @@
+include {
+  path = find_in_parent_folders()
+}
+
+terraform {
+  source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}"
+
+  after_hook "cleanup-admin" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-admin"]
+    run_on_error = true
+  }
+
+  after_hook "cleanup-api" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-api"]
+    run_on_error = true
+  }
+  after_hook "cleanup-lambdas" {
+    commands     = ["apply"]
+    execute      = ["rm", "-rfd", "/var/tmp/notification-lambdas"]
+    run_on_error = true
+  }
+
+}
diff --git a/env/sandbox/ses_receiving_emails/terragrunt.hcl b/env/sandbox/ses_receiving_emails/terragrunt.hcl
@@ -21,8 +21,8 @@ dependency "common" {
   }
 }
 
-dependency "ecr" {
-  config_path = "../ecr"
+dependency "ecr-us-east" {
+  config_path = "../ec-us-east"
 }
 
 
@@ -35,7 +35,7 @@ inputs = {
   sns_alert_critical_arn_us_east_1        = dependency.common.outputs.sns_alert_critical_arn_us_east_1
   sns_alert_ok_arn_us_east_1              = dependency.common.outputs.sns_alert_ok_arn_us_east_1
   sqs_notify_internal_tasks_arn           = dependency.common.outputs.sqs_notify_internal_tasks_arn
-  ses_receiving_emails_ecr_repository_url = dependency.ecr.outputs.ses_receiving_emails_ecr_repository_url
-  ses_receiving_emails_ecr_arn            = dependency.ecr.outputs.ses_receiving_emails_ecr_arn  
+  ses_receiving_emails_ecr_repository_url = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_repository_url
+  ses_receiving_emails_ecr_arn            = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_arn  
 }