diff --git a/.github/workflows/terragrunt_create_dev_environment.yml b/.github/workflows/terragrunt_create_dev_environment.yml index 570a5d702..3f9f7ed52 100644 --- a/.github/workflows/terragrunt_create_dev_environment.yml +++ b/.github/workflows/terragrunt_create_dev_environment.yml @@ -43,9 +43,14 @@ jobs: op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TFVars - ${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars - name: terragrunt apply COMMON - run: | - cd env/${{env.ENVIRONMENT}}/common - terragrunt apply --terragrunt-non-interactive -auto-approve + uses: nick-fields/retry@v3 + with: + timeout_seconds: 600 + max_attempts: 3 + retry_on: error + command: | + cd env/${{env.ENVIRONMENT}}/common + terragrunt apply --terragrunt-non-interactive -auto-approve terragrunt-apply-ecr: if: | @@ -64,6 +69,40 @@ jobs: role-to-assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-api-apply role-session-name: NotifyApiGitHubActions aws-region: "ca-central-1" + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: setup-terraform + uses: ./.github/actions/setup-terraform + with: + role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply + role_session_name: NotifyTerraformDevApply + + - name: Install 1Pass CLI + run: | + curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb + sudo dpkg -i 1pass.deb + sudo mkdir -p aws + cd aws + op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TFVars - ${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars + + - name: terragrunt apply ECR + run: | + cd env/${{env.ENVIRONMENT}}/ecr + terragrunt apply --terragrunt-non-interactive -auto-approve + + terragrunt-apply-ecr-us-east: + if: | + always() && + !contains(needs.*.result, 'failure') && + !contains(needs.*.result, 'cancelled') + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Configure credentials to Notify Private ECR using OIDC uses: aws-actions/configure-aws-credentials@master @@ -90,9 +129,9 @@ jobs: cd aws op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TFVars - ${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars - - name: terragrunt apply ECR + - name: terragrunt apply ECR US East run: | - cd env/${{env.ENVIRONMENT}}/ecr + cd env/${{env.ENVIRONMENT}}/ecr-us-east terragrunt apply --terragrunt-non-interactive -auto-approve terragrunt-apply-ses_receiving_emails: diff --git a/aws/ecr-us-east/ecr.tf b/aws/ecr-us-east/ecr.tf new file mode 100644 index 000000000..e5a394fbd --- /dev/null +++ b/aws/ecr-us-east/ecr.tf @@ -0,0 +1,12 @@ +resource "aws_ecr_repository" "ses_receiving_emails" { + # The :latest tag is used in Staging + + provider = aws.us-east-1 + name = "notify/ses_receiving_emails" + image_tag_mutability = "MUTABLE" #tfsec:ignore:AWS078 + force_delete = var.force_delete_ecr + + image_scanning_configuration { + scan_on_push = true + } +} \ No newline at end of file diff --git a/aws/ecr-us-east/images.tf b/aws/ecr-us-east/images.tf new file mode 100644 index 000000000..f6c010a2e --- /dev/null +++ b/aws/ecr-us-east/images.tf @@ -0,0 +1,40 @@ +# SES Receiving Emails Build and Push + +# Clone Lambda Repository +resource "null_resource" "lambda_repo_clone" { + count = var.bootstrap ? 1 : 0 + triggers = { + always_run = "${timestamp()}" + } + + provisioner "local-exec" { + command = "git clone 'https://github.com/cds-snc/notification-lambdas.git' /var/tmp/notification-lambdas" + } +} + +resource "null_resource" "build_ses_receiving_emails_docker_image" { + count = var.bootstrap ? 1 : 0 + + triggers = { + always_run = "${timestamp()}" + } + + depends_on = [ + null_resource.lambda_repo_clone + ] + + provisioner "local-exec" { + command = "cd /var/tmp/notification-lambdas/ && docker build -t ${aws_ecr_repository.ses_receiving_emails.repository_url}:bootstrap -f /var/tmp/notification-lambdas/sesreceivingemails/Dockerfile ." + } + +} + +resource "null_resource" "push_ses_receiving_emails_docker_image" { + count = var.bootstrap ? 1 : 0 + depends_on = [null_resource.build_ses_receiving_emails_docker_image] + + provisioner "local-exec" { + command = "docker push ${aws_ecr_repository.ses_receiving_emails.repository_url}:bootstrap" + } + +} \ No newline at end of file diff --git a/aws/ecr-us-east/outputs.tf b/aws/ecr-us-east/outputs.tf new file mode 100644 index 000000000..efe64ef9a --- /dev/null +++ b/aws/ecr-us-east/outputs.tf @@ -0,0 +1,8 @@ +output "ses_receiving_emails_ecr_arn" { + description = "arn of ses_receiving_emails ECR" + value = aws_ecr_repository.ses_receiving_emails.arn +} +output "ses_receiving_emails_ecr_repository_url" { + description = "Repository URL of ses_receiving_emails ECR" + value = aws_ecr_repository.ses_receiving_emails.repository_url +} \ No newline at end of file diff --git a/aws/ecr-us-east/secrets.tf b/aws/ecr-us-east/secrets.tf new file mode 100644 index 000000000..08cbd5ac1 --- /dev/null +++ b/aws/ecr-us-east/secrets.tf @@ -0,0 +1,9 @@ +resource "aws_secretsmanager_secret" "ses_receiving_emails_repository_url" { + name = "SES_RECEIVING_EMAILS_REPOSITORY_URL" + recovery_window_in_days = 0 +} + +resource "aws_secretsmanager_secret_version" "ses_receiving_emails_repository_url" { + secret_id = aws_secretsmanager_secret.ses_receiving_emails_repository_url.id + secret_string = aws_ecr_repository.ses_receiving_emails.repository_url +} diff --git a/aws/ecr/ecr.tf b/aws/ecr/ecr.tf index 503383928..f7eaac214 100644 --- a/aws/ecr/ecr.tf +++ b/aws/ecr/ecr.tf @@ -60,19 +60,6 @@ resource "aws_ecr_repository" "performance-test" { } } -resource "aws_ecr_repository" "ses_receiving_emails" { - # The :latest tag is used in Staging - - provider = aws.us-east-1 - name = "notify/ses_receiving_emails" - image_tag_mutability = "MUTABLE" #tfsec:ignore:AWS078 - force_delete = var.force_delete_ecr - - image_scanning_configuration { - scan_on_push = true - } -} - resource "aws_ecr_repository" "ses_to_sqs_email_callbacks" { # The :latest tag is used in Staging diff --git a/aws/ecr/images.tf b/aws/ecr/images.tf index 7264f96ce..48ccc8f10 100644 --- a/aws/ecr/images.tf +++ b/aws/ecr/images.tf @@ -158,35 +158,6 @@ resource "null_resource" "push_google_cidr_docker_image" { # SES Receiving Emails Build and Push -resource "null_resource" "build_ses_receiving_emails_docker_image" { - count = var.bootstrap ? 1 : 0 - - triggers = { - always_run = "${timestamp()}" - } - - depends_on = [ - null_resource.lambda_repo_clone - ] - - provisioner "local-exec" { - command = "cd /var/tmp/notification-lambdas/ && docker build -t ${aws_ecr_repository.ses_receiving_emails.repository_url}:bootstrap -f /var/tmp/notification-lambdas/sesreceivingemails/Dockerfile ." - } - -} - -resource "null_resource" "push_ses_receiving_emails_docker_image" { - count = var.bootstrap ? 1 : 0 - depends_on = [null_resource.build_ses_receiving_emails_docker_image] - - provisioner "local-exec" { - command = "docker push ${aws_ecr_repository.ses_receiving_emails.repository_url}:bootstrap" - } - -} - -# SES Receiving Emails Build and Push - resource "null_resource" "build_ses_to_sqs_email_callbacks_docker_image" { count = var.bootstrap ? 1 : 0 diff --git a/aws/ecr/outputs.tf b/aws/ecr/outputs.tf index 94dce379f..d7f967526 100644 --- a/aws/ecr/outputs.tf +++ b/aws/ecr/outputs.tf @@ -1,11 +1,3 @@ -output "ses_receiving_emails_ecr_arn" { - description = "arn of ses_receiving_emails ECR" - value = aws_ecr_repository.ses_receiving_emails.arn -} -output "ses_receiving_emails_ecr_repository_url" { - description = "Repository URL of ses_receiving_emails ECR" - value = aws_ecr_repository.ses_receiving_emails.repository_url -} output "ses_to_sqs_email_callbacks_ecr_arn" { description = "arn of ses_to_sqs_email_callbacks ECR" value = aws_ecr_repository.ses_to_sqs_email_callbacks.arn diff --git a/aws/ecr/secrets.tf b/aws/ecr/secrets.tf index 2cbf75a3d..6ae52d071 100644 --- a/aws/ecr/secrets.tf +++ b/aws/ecr/secrets.tf @@ -1,13 +1,3 @@ -resource "aws_secretsmanager_secret" "ses_receiving_emails_repository_url" { - name = "SES_RECEIVING_EMAILS_REPOSITORY_URL" - recovery_window_in_days = 0 -} - -resource "aws_secretsmanager_secret_version" "ses_receiving_emails_repository_url" { - secret_id = aws_secretsmanager_secret.ses_receiving_emails_repository_url.id - secret_string = aws_ecr_repository.ses_receiving_emails.repository_url -} - resource "aws_secretsmanager_secret" "ses_to_sqs_email_callbacks_repository_url" { name = "SES_TO_SQS_EMAIL_CALLBACKS_REPOSITORY_URL" recovery_window_in_days = 0 diff --git a/env/dev/ecr-us-east/terragrunt.hcl b/env/dev/ecr-us-east/terragrunt.hcl new file mode 100644 index 000000000..3859700a6 --- /dev/null +++ b/env/dev/ecr-us-east/terragrunt.hcl @@ -0,0 +1,25 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}" + + after_hook "cleanup-admin" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-admin"] + run_on_error = true + } + + after_hook "cleanup-api" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-api"] + run_on_error = true + } + after_hook "cleanup-lambdas" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-lambdas"] + run_on_error = true + } + +} diff --git a/env/dev/ses_receiving_emails/terragrunt.hcl b/env/dev/ses_receiving_emails/terragrunt.hcl index bae8abdf5..6d886720d 100644 --- a/env/dev/ses_receiving_emails/terragrunt.hcl +++ b/env/dev/ses_receiving_emails/terragrunt.hcl @@ -21,8 +21,8 @@ dependency "common" { } } -dependency "ecr" { - config_path = "../ecr" +dependency "ecr-us-east" { + config_path = "../ec-us-east" } @@ -35,8 +35,7 @@ inputs = { sns_alert_critical_arn_us_east_1 = dependency.common.outputs.sns_alert_critical_arn_us_east_1 sns_alert_ok_arn_us_east_1 = dependency.common.outputs.sns_alert_ok_arn_us_east_1 sqs_notify_internal_tasks_arn = dependency.common.outputs.sqs_notify_internal_tasks_arn - sqs_notify_internal_tasks_arn = dependency.common.outputs.sqs_notify_internal_tasks_arn - ses_receiving_emails_ecr_repository_url = dependency.ecr.outputs.ses_receiving_emails_ecr_repository_url - ses_receiving_emails_ecr_arn = dependency.ecr.outputs.ses_receiving_emails_ecr_arn + ses_receiving_emails_ecr_repository_url = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_repository_url + ses_receiving_emails_ecr_arn = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_arn } diff --git a/env/production/ecr-us-east/terragrunt.hcl b/env/production/ecr-us-east/terragrunt.hcl new file mode 100644 index 000000000..3859700a6 --- /dev/null +++ b/env/production/ecr-us-east/terragrunt.hcl @@ -0,0 +1,25 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}" + + after_hook "cleanup-admin" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-admin"] + run_on_error = true + } + + after_hook "cleanup-api" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-api"] + run_on_error = true + } + after_hook "cleanup-lambdas" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-lambdas"] + run_on_error = true + } + +} diff --git a/env/production/ses_receiving_emails/terragrunt.hcl b/env/production/ses_receiving_emails/terragrunt.hcl index bae8abdf5..6d886720d 100644 --- a/env/production/ses_receiving_emails/terragrunt.hcl +++ b/env/production/ses_receiving_emails/terragrunt.hcl @@ -21,8 +21,8 @@ dependency "common" { } } -dependency "ecr" { - config_path = "../ecr" +dependency "ecr-us-east" { + config_path = "../ec-us-east" } @@ -35,8 +35,7 @@ inputs = { sns_alert_critical_arn_us_east_1 = dependency.common.outputs.sns_alert_critical_arn_us_east_1 sns_alert_ok_arn_us_east_1 = dependency.common.outputs.sns_alert_ok_arn_us_east_1 sqs_notify_internal_tasks_arn = dependency.common.outputs.sqs_notify_internal_tasks_arn - sqs_notify_internal_tasks_arn = dependency.common.outputs.sqs_notify_internal_tasks_arn - ses_receiving_emails_ecr_repository_url = dependency.ecr.outputs.ses_receiving_emails_ecr_repository_url - ses_receiving_emails_ecr_arn = dependency.ecr.outputs.ses_receiving_emails_ecr_arn + ses_receiving_emails_ecr_repository_url = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_repository_url + ses_receiving_emails_ecr_arn = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_arn } diff --git a/env/production/terragrunt.hcl b/env/production/terragrunt.hcl new file mode 100644 index 000000000..3859700a6 --- /dev/null +++ b/env/production/terragrunt.hcl @@ -0,0 +1,25 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}" + + after_hook "cleanup-admin" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-admin"] + run_on_error = true + } + + after_hook "cleanup-api" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-api"] + run_on_error = true + } + after_hook "cleanup-lambdas" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-lambdas"] + run_on_error = true + } + +} diff --git a/env/sandbox/ecr-us-east/terragrunt.hcl b/env/sandbox/ecr-us-east/terragrunt.hcl new file mode 100644 index 000000000..3859700a6 --- /dev/null +++ b/env/sandbox/ecr-us-east/terragrunt.hcl @@ -0,0 +1,25 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}" + + after_hook "cleanup-admin" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-admin"] + run_on_error = true + } + + after_hook "cleanup-api" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-api"] + run_on_error = true + } + after_hook "cleanup-lambdas" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-lambdas"] + run_on_error = true + } + +} diff --git a/env/sandbox/ses_receiving_emails/terragrunt.hcl b/env/sandbox/ses_receiving_emails/terragrunt.hcl index 082e7f70e..6d886720d 100644 --- a/env/sandbox/ses_receiving_emails/terragrunt.hcl +++ b/env/sandbox/ses_receiving_emails/terragrunt.hcl @@ -21,8 +21,8 @@ dependency "common" { } } -dependency "ecr" { - config_path = "../ecr" +dependency "ecr-us-east" { + config_path = "../ec-us-east" } @@ -35,7 +35,7 @@ inputs = { sns_alert_critical_arn_us_east_1 = dependency.common.outputs.sns_alert_critical_arn_us_east_1 sns_alert_ok_arn_us_east_1 = dependency.common.outputs.sns_alert_ok_arn_us_east_1 sqs_notify_internal_tasks_arn = dependency.common.outputs.sqs_notify_internal_tasks_arn - ses_receiving_emails_ecr_repository_url = dependency.ecr.outputs.ses_receiving_emails_ecr_repository_url - ses_receiving_emails_ecr_arn = dependency.ecr.outputs.ses_receiving_emails_ecr_arn + ses_receiving_emails_ecr_repository_url = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_repository_url + ses_receiving_emails_ecr_arn = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_arn } diff --git a/env/staging/ecr-us-east/terragrunt.hcl b/env/staging/ecr-us-east/terragrunt.hcl new file mode 100644 index 000000000..3859700a6 --- /dev/null +++ b/env/staging/ecr-us-east/terragrunt.hcl @@ -0,0 +1,25 @@ +include { + path = find_in_parent_folders() +} + +terraform { + source = "${get_env("ENVIRONMENT") == "production" ? "git::https://github.com/cds-snc/notification-terraform//aws/ecr-us-east?ref=v${get_env("INFRASTRUCTURE_VERSION")}" : "../../../aws//ecr-us-east"}" + + after_hook "cleanup-admin" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-admin"] + run_on_error = true + } + + after_hook "cleanup-api" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-api"] + run_on_error = true + } + after_hook "cleanup-lambdas" { + commands = ["apply"] + execute = ["rm", "-rfd", "/var/tmp/notification-lambdas"] + run_on_error = true + } + +} diff --git a/env/staging/ses_receiving_emails/terragrunt.hcl b/env/staging/ses_receiving_emails/terragrunt.hcl index bae8abdf5..6d886720d 100644 --- a/env/staging/ses_receiving_emails/terragrunt.hcl +++ b/env/staging/ses_receiving_emails/terragrunt.hcl @@ -21,8 +21,8 @@ dependency "common" { } } -dependency "ecr" { - config_path = "../ecr" +dependency "ecr-us-east" { + config_path = "../ec-us-east" } @@ -35,8 +35,7 @@ inputs = { sns_alert_critical_arn_us_east_1 = dependency.common.outputs.sns_alert_critical_arn_us_east_1 sns_alert_ok_arn_us_east_1 = dependency.common.outputs.sns_alert_ok_arn_us_east_1 sqs_notify_internal_tasks_arn = dependency.common.outputs.sqs_notify_internal_tasks_arn - sqs_notify_internal_tasks_arn = dependency.common.outputs.sqs_notify_internal_tasks_arn - ses_receiving_emails_ecr_repository_url = dependency.ecr.outputs.ses_receiving_emails_ecr_repository_url - ses_receiving_emails_ecr_arn = dependency.ecr.outputs.ses_receiving_emails_ecr_arn + ses_receiving_emails_ecr_repository_url = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_repository_url + ses_receiving_emails_ecr_arn = dependency.ecr-us-east.outputs.ses_receiving_emails_ecr_arn }