Added bootstrap module

sourcefuse · Feb 20, 2024 · 74edaab · 74edaab
1 parent 7168e33
commit 74edaab
Show file tree

Hide file tree

Showing 8 changed files with 299 additions and 1 deletion.
diff --git a/.github/workflows/plan-bootstrap.yaml b/.github/workflows/plan-bootstrap.yaml
@@ -0,0 +1,30 @@
+---
+name: Plan - Bootstrap
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - dev
+    paths:
+      - 'terraform/bootstrap/*'
+      - 'terraform/bootstrap/**'
+      - '.github/workflows/plan-bootstrap.yaml'
+      - '.github/workflows/reusable-ci-workflow.yaml'
+  workflow_dispatch:
+
+jobs:
+  ## run terraform plan
+  plan_poc:
+    name: Bootstrap
+    uses: "./.github/workflows/reusable-ci-workflow.yaml"
+    with:
+      working_directory: bootstrap
+      environment: dev
+      assume_role_name: ""
+      aws_region: us-east-1
+      publish_plan_artifact: false  # only for apply step
+    secrets: inherit
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
diff --git a/.github/workflows/reusable-ci-workflow.yaml b/.github/workflows/reusable-ci-workflow.yaml
@@ -0,0 +1,101 @@
+---
+on:  # yamllint disable-line rule:truthy
+  workflow_call:
+    inputs:
+      working_directory:
+        required: true
+        type: string
+        description: "This is the path to your terraform configuration"
+      environment:
+        required: true
+        type: string
+        description: "The environment / workspace resources will be created in"
+      assume_role_name:
+        required: true
+        type: string
+        description: "The role name to assume against the target environment account"
+      aws_region:
+        required: false
+        type: string
+        default: us-east-1
+        description: "The AWS Region where the resources will be created in"
+      publish_plan_artifact:
+        required: false
+        type: boolean
+        default: false
+        description: "This option will allow to publish successful plan artifact"
+    outputs:
+      plan_id:
+        value: ${{ jobs.plan.outputs.plan_id }}
+        description: "The short commit sha for the plan id of the current run."
+
+env:
+  ## !!! required for the action-init-plan-apply.sh script !!!
+  DIRECTORY: ${{ inputs.working_directory }}
+  ENV: ${{ inputs.environment }}
+  ## END - !!! required for the action-init-plan-apply.sh script !!!
+
+jobs:
+  plan:
+    name: Plan - ${{ inputs.environment }}
+    runs-on:
+      - self-hosted
+      - arc
+    outputs:
+      plan_id: ${{ steps.workflow_vars.outputs.plan_id }}
+    permissions:
+      id-token: write
+      contents: read
+      pull-requests: write
+    ## uncomment if the repo has environments enabled
+    #    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install tfenv
+        run: ./scripts/dependencies/install-tfenv.sh
+        continue-on-error: false
+
+      - name: Install AWS CLI
+        run: ./scripts/dependencies/install-aws-cli.sh
+        continue-on-error: false
+
+      # Setup plan id for plan exports
+      - name: Set outputs
+        id: workflow_vars
+        run: |
+          echo "plan_id=$(git rev-parse --short "$GITHUB_SHA")" >> $GITHUB_OUTPUT
+
+      # configure iam /initialize backend
+      - name: Configure credentials for ${{ inputs.environment }}
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: "arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ inputs.assume_role_name }}"
+          aws-region: ${{ inputs.aws_region }}
+
+      - name: Initialize backend
+        run: |
+          source scripts/action-init-plan-apply.sh -i ${{ inputs.environment }} -d ${{ inputs.working_directory }}
+        continue-on-error: false
+
+      # running plan
+      - name: Plan against ${{ inputs.environment }}
+        id: environment_plan
+        run: |
+          source scripts/action-init-plan-apply.sh -p ${{ inputs.environment }} -d ${{ inputs.working_directory }}
+
+      # publish plan to artifacts
+      - name: Publish Terraform Plan
+        if: ${{ inputs.publish_plan_artifact }} == true  &&  ${{ steps.environment_plan.outcome}}  == success()
+        uses: actions/upload-artifact@v3
+        with:
+          name: "${{ inputs.environment }}-${{inputs.working_directory}}-${{ steps.workflow_vars.outputs.plan_id }}.tfplan"
+          path: "terraform/${{ inputs.working_directory }}/${{ inputs.environment }}-${{ inputs.working_directory }}-${{ steps.workflow_vars.outputs.plan_id }}.tfplan"
+        continue-on-error: false
+
+      - name: Update plan output to pr
+        uses: mshick/add-pr-comment@v2
+        with:
+          message-id: ${{ inputs.environment }}-${{ inputs.working_directory }}-tfplan
+          message-path: "terraform/${{ inputs.working_directory }}/${{ inputs.environment }}-plan-output.txt"
diff --git a/terraform/bootstrap/.terraform-version b/terraform/bootstrap/.terraform-version
@@ -0,0 +1 @@
+latest:^1.4
diff --git a/terraform/bootstrap/README.md b/terraform/bootstrap/README.md
@@ -0,0 +1,50 @@
+# ARC SAAS IAC: Bootstrap  
+
+## Overview
+
+AWS bootstrap for the ARC SAAS Infrastructure. This will contain resources used for managing the Terraform Backend State.  
+
+
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.4.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 3.0 |
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_bootstrap"></a> [bootstrap](#module\_bootstrap) | sourcefuse/arc-bootstrap/aws | 1.1.0 |
+| <a name="module_tags"></a> [tags](#module\_tags) | sourcefuse/arc-tags/aws | 1.2.3 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_bucket_name"></a> [bucket\_name](#input\_bucket\_name) | Name of the bucket. | `string` | `"infra-state"` | no |
+| <a name="input_dynamodb_name"></a> [dynamodb\_name](#input\_dynamodb\_name) | Name of the Dynamo DB lock table. | `string` | `"infra_state"` | no |
+| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `"dev"` | no |
+| <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Name of the project. | `string` | n/a | yes |
+| <a name="input_region"></a> [region](#input\_region) | AWS Region | `string` | `"us-east-1"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_state_bucket_arn"></a> [state\_bucket\_arn](#output\_state\_bucket\_arn) | State bucket ARN |
+| <a name="output_state_bucket_name"></a> [state\_bucket\_name](#output\_state\_bucket\_name) | State bucket name |
+| <a name="output_state_lock_table_arn"></a> [state\_lock\_table\_arn](#output\_state\_lock\_table\_arn) | State lock table ARN |
+| <a name="output_state_lock_table_name"></a> [state\_lock\_table\_name](#output\_state\_lock\_table\_name) | State lock table name |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
diff --git a/terraform/bootstrap/config.dev.hcl b/terraform/bootstrap/config.dev.hcl
@@ -0,0 +1,5 @@
+region         = "us-east-1"
+key            = "bootstrap/terraform.tfstate"
+bucket         = "arc-saas-dev-terraform-state"
+dynamodb_table = "arc-saas-dev-terraform-state-lock"
+encrypt        = true
diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf
@@ -1 +1,76 @@
-# Todo Add bootstrap module
+################################################################################
+## defaults
+################################################################################
+terraform {
+  required_version = "~> 1.4.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.0"
+    }
+  }
+
+  //backend "s3" {}
+}
+
+provider "aws" {
+  region = var.region
+}
+
+################################################################################
+## Tags
+################################################################################
+module "tags" {
+  source  = "sourcefuse/arc-tags/aws"
+  version = "1.2.5"
+
+  environment = var.environment
+  project     = var.namespace
+
+}
+
+################################################################################
+## backend state configuration
+################################################################################
+resource "random_string" "bucket_suffix" {
+  length  = 6
+  special = false
+  upper   = false
+}
+
+module "bootstrap" {
+  source  = "sourcefuse/arc-bootstrap/aws"
+  version = "1.1.3"
+
+  bucket_name   = "${var.namespace}-${var.environment}-terraform-state-${resource.random_string.bucket_suffix.result}"
+  dynamodb_name = "${var.namespace}-${var.environment}-terraform-state-lock"
+
+  tags = merge(module.tags.tags, tomap({
+    Name         = "${var.namespace}-${var.environment}-terraform-state-${resource.random_string.bucket_suffix.result}"
+    DynamoDBName = "${var.namespace}-${var.environment}-terraform-state-lock"
+  }))
+}
+
+################################################################################
+## Store terraform state bucket in parameter store
+################################################################################
+resource "aws_ssm_parameter" "tf_state_bucket" {
+  name        = "/${var.namespace}/${var.environment}/terraform-state-bucket"
+  description = "Terraform State Bucket Name"
+  type        = "String"
+  overwrite   = true
+  value       = module.bootstrap.bucket_name
+  depends_on  = [resource.random_string.bucket_suffix, module.bootstrap]
+  tags        = module.tags.tags
+}
+
+resource "aws_ssm_parameter" "tf_state_table" {
+  name        = "/${var.namespace}/${var.environment}/terraform-state-dynamodb-table"
+  description = "Terraform State Dynamodb Table"
+  type        = "String"
+  overwrite   = true
+  value       = module.bootstrap.dynamodb_name
+  depends_on  = [module.bootstrap]
+  tags        = module.tags.tags
+}
diff --git a/terraform/bootstrap/output.tf b/terraform/bootstrap/output.tf
@@ -0,0 +1,19 @@
+output "state_bucket_arn" {
+  value       = module.bootstrap.bucket_arn
+  description = "State bucket ARN"
+}
+
+output "state_bucket_name" {
+  value       = module.bootstrap.bucket_name
+  description = "State bucket name"
+}
+
+output "state_lock_table_arn" {
+  value       = module.bootstrap.dynamodb_arn
+  description = "State lock table ARN"
+}
+
+output "state_lock_table_name" {
+  value       = module.bootstrap.dynamodb_name
+  description = "State lock table name"
+}
diff --git a/terraform/bootstrap/variable.tf b/terraform/bootstrap/variable.tf
@@ -0,0 +1,17 @@
+variable "region" {
+  description = "AWS Region"
+  default     = "us-east-1"
+  type        = string
+}
+
+variable "namespace" {
+  description = "Namespace the resource belongs in."
+  default     = "arc-saas"
+  type        = string
+}
+
+variable "environment" {
+  default     = "dev"
+  description = "ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT'"
+  type        = string
+}