From 1486225a8c84cb9350f02d302551314174ef125e Mon Sep 17 00:00:00 2001
From: cloudprofessionals
Date: Tue, 4 Oct 2022 21:29:14 -0400
Subject: [PATCH 01/22] adding bento ref
---
.../common/roles/build_backend/tasks/main.yml | 36 -------------------
1 file changed, 36 deletions(-)
diff --git a/ansible/collections/bento/common/roles/build_backend/tasks/main.yml b/ansible/collections/bento/common/roles/build_backend/tasks/main.yml
index 3f5db23f..a0408573 100644
--- a/ansible/collections/bento/common/roles/build_backend/tasks/main.yml
+++ b/ansible/collections/bento/common/roles/build_backend/tasks/main.yml
@@ -2,47 +2,11 @@ # Backend Build ############################################################################################################################ -- name: remove the application_example.properties file - file: - path: "{{ workspace }}/src/main/resources/application_example.properties" - state: absent - - name: copy application.properties file to /src/main/resources/ template: src: "{{ workspace }}/src/main/resources/application.properties.j2" dest: "{{ workspace }}/src/main/resources/application.properties" -- name: create graphql directory in backend - file: - state: directory - path: "{{ workspace }}/src/main/resources/graphql" - -- name: create yaml directory in backend - file: - state: directory - path: "{{ workspace }}/src/main/resources/yaml" - -- name: copy schema from frontend to resources - template: - remote_src: yes - src: "{{item.src}}" - dest: "{{item.dest}}" - loop: - - { src: "{{ workspace }}/{{ project_name }}-frontend/graphql/{{ schema_file}}",dest: "{{ workspace }}/src/main/resources/graphql/{{ schema_file}}"} - - { src: "{{ workspace }}/{{ project_name }}-frontend/graphql/{{ public_schema_file}}",dest: "{{ workspace }}/src/main/resources/graphql/{{ public_schema_file}}"} - -- name: verify test queries file exists - stat: - path: "{{ workspace }}/{{ project_name }}-frontend/yaml/{{ test_queries_file }}" - register: test_queries - -- name: copy test queries from frontend to resources - template: - remote_src: yes - src: "{{ workspace }}/{{ project_name }}-frontend/yaml/{{ test_queries_file }}" - dest: "{{ workspace }}/src/main/resources/yaml/{{ test_queries_file }}" - when: test_queries.stat.exists - - name: build springboot code command: mvn package -DskipTests args: From 9e9b66fad39cea9d05581873fc3767c43bbf0601 Mon Sep 17 00:00:00 2001 
From: cloudprofessionals Date: Wed, 25 Jan 2023 13:45:24 -0500 Subject: [PATCH 02/22] changed trivy timeout ? --- .../collections/bento/common/roles/build_backend/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/collections/bento/common/roles/build_backend/tasks/main.yml b/ansible/collections/bento/common/roles/build_backend/tasks/main.yml index a0408573..1af20a4a 100644 --- a/ansible/collections/bento/common/roles/build_backend/tasks/main.yml +++ b/ansible/collections/bento/common/roles/build_backend/tasks/main.yml @@ -37,7 +37,7 @@ block: - name: run trivy scanner on #command: "trivy image --exit-code 1 --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}-{{ build_number }}" - command: "trivy image --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}" + command: "trivy image --timeout 15m --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}" register: vuln_results always: - name: echo vulnerability results From 25786721e0343d1006f2ed97f6b329d71bddc489 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 14 Mar 2023 20:22:04 +0000 Subject: [PATCH 03/22] terraform-docs: automated action --- terraform/modules/cloudfront/README.md | 89 ++++++++++++++++++++++++ terraform/modules/ecs/README.md | 2 +- terraform/modules/loadbalancer/README.md | 1 + 3 files changed, 91 insertions(+), 1 deletion(-) create mode 100644 terraform/modules/cloudfront/README.md diff --git a/terraform/modules/cloudfront/README.md b/terraform/modules/cloudfront/README.md new file mode 100644 index 00000000..5c2b2f30 --- /dev/null +++ b/terraform/modules/cloudfront/README.md 
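Review bot: The timeout does not change that the scan is advisory: `--exit-code 1` survives only in the commented-out line above, so a HIGH/CRITICAL finding is printed by the `debug` task in `always:` and the build continues to the ECR push. If the scanner is meant to gate the image, change the command to `command: "trivy image --exit-code 1 --timeout 15m --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}"` and drop the stale commented line; if it is intentionally report-only, say so in a comment such as `# report-only: findings are logged but do not fail the build`. The enclosing `block:` starts before this hunk.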
@@ -0,0 +1,89 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudfront_distribution.distribution](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) | resource | +| [aws_cloudfront_key_group.key_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_key_group) | resource | +| [aws_cloudfront_origin_access_identity.origin_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_origin_access_identity) | resource | +| [aws_cloudfront_public_key.public_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_public_key) | resource | +| [aws_cloudwatch_event_rule.every_7am](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.run_waf_report_every_7am](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_cloudwatch_log_group.log_group_slack](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_log_group.log_group_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_cloudwatch_metric_alarm.cloudfront_alarm](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_metric_alarm) | resource | +| [aws_iam_policy.cloudwatch_log_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.firehose_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| 
[aws_iam_policy.lambda_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy_attachment.cloudwatch_log_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_policy_attachment.lambda_s3_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy_attachment) | resource | +| [aws_iam_role.firehose_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.lambda_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy_attachment.firehose_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_kinesis_firehose_delivery_stream.firehose_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource | +| [aws_lambda_function.slack_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.slack_waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.cloudwatch_invoke_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_lambda_permission.lambda_invoke_sns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_s3_bucket.access_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket.files](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| 
[aws_s3_bucket.kinesis_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | +| [aws_sns_topic.cloudfront_alarm_topic](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic) | resource | +| [aws_sns_topic_subscription.subscribe_slack_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic_subscription) | resource | +| [aws_wafv2_ip_set.ip_sets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_ip_set) | resource | +| [aws_wafv2_regex_pattern_set.api_files_pattern](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_regex_pattern_set) | resource | +| [aws_wafv2_web_acl.waf](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl) | resource | +| [aws_wafv2_web_acl_logging_configuration.waf_logging](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafv2_web_acl_logging_configuration) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_cloudfront_cache_policy.managed_cache](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_cache_policy) | data source | +| [aws_cloudfront_origin_request_policy.s3_cors](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_origin_request_policy) | data source | +| [aws_iam_policy_document.firehose_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| 
[aws_iam_policy_document.kinesis_assume_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_assume_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_exec_role_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.lambda_s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | +| [aws_s3_bucket.files_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source | +| [aws_secretsmanager_secret_version.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | +| [aws_secretsmanager_secret_version.slack_url](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/secretsmanager_secret_version) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [alarms](#input\_alarms) | alarms to be configured | `map(map(string))` | n/a | yes | +| [cloudfront\_distribution\_bucket\_name](#input\_cloudfront\_distribution\_bucket\_name) | specify the name of s3 bucket for cloudfront | `string` | n/a | yes | +| [cloudfront\_slack\_channel\_name](#input\_cloudfront\_slack\_channel\_name) | cloudfront slack name | `string` | n/a | yes | +| [create\_files\_bucket](#input\_create\_files\_bucket) | 
indicate if you want to create files bucket or use existing one | `bool` | `false` | no | +| [domain\_name](#input\_domain\_name) | domain name for the application | `string` | n/a | yes | +| [env](#input\_env) | environment | `string` | n/a | yes | +| [iam\_prefix](#input\_iam\_prefix) | The string prefix for IAM roles and policies to conform to NCI power-user compliance | `string` | `"power-user"` | no | +| [public\_key\_path](#input\_public\_key\_path) | path of public key | `any` | `null` | no | +| [slack\_secret\_name](#input\_slack\_secret\_name) | name of cloudfront slack secret | `string` | n/a | yes | +| [slack\_url\_secret\_key](#input\_slack\_url\_secret\_key) | secret key name for the slack url | `string` | `"cloud-front-slack-url"` | no | +| [stack\_name](#input\_stack\_name) | name of the project | `string` | n/a | yes | +| [tags](#input\_tags) | tags to associate with this instance | `map(string)` | n/a | yes | +| [target\_account\_cloudone](#input\_target\_account\_cloudone) | to add check conditions on whether the resources are brought up in cloudone or not | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cloudfront\_distribution\_endpoint](#output\_cloudfront\_distribution\_endpoint) | n/a | + \ No newline at end of file diff --git a/terraform/modules/ecs/README.md b/terraform/modules/ecs/README.md index 08a5d1af..348c33ee 100644 --- a/terraform/modules/ecs/README.md +++ b/terraform/modules/ecs/README.md 
@@ -42,7 +42,7 @@ No modules. | [aws_security_group.app](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group.ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | | [aws_security_group_rule.all_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | -| [aws_security_group_rule.nih_network_ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | +| [aws_security_group_rule.app_all_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.ecs_exec_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_iam_policy_document.ecs_exec_command](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | diff --git a/terraform/modules/loadbalancer/README.md b/terraform/modules/loadbalancer/README.md index 874f2ba9..65af3e69 100644 --- a/terraform/modules/loadbalancer/README.md +++ b/terraform/modules/loadbalancer/README.md 
@@ -21,6 +21,7 @@ No modules. | [aws_lb_listener.http](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | | [aws_lb_listener.https](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener) | resource | | [aws_security_group.alb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | +| [aws_security_group_rule.all_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | ## Inputs From 1c3d54cb5467b2ced1df3db848b068c41571b22b Mon Sep 17 00:00:00 2001 From: jw34 Date: Tue, 14 Mar 2023 16:24:18 -0400 Subject: [PATCH 04/22] uncommented trivy --- .../common/roles/build_backend/tasks/main.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/ansible/collections/bento/common/roles/build_backend/tasks/main.yml b/ansible/collections/bento/common/roles/build_backend/tasks/main.yml index 1af20a4a..28939a85 100644 --- a/ansible/collections/bento/common/roles/build_backend/tasks/main.yml +++ b/ansible/collections/bento/common/roles/build_backend/tasks/main.yml 
@@ -33,16 +33,16 @@ force_source: yes source: build -- name: test image for vulnerabilities - block: - - name: run trivy scanner on - #command: "trivy image --exit-code 1 --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}-{{ build_number }}" - command: "trivy image --timeout 15m --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}" - register: vuln_results - always: - - name: echo vulnerability results - debug: - msg: "{{ vuln_results.stdout_lines }}" +# - name: test image for vulnerabilities +# block: +# - name: run trivy scanner on +# #command: "trivy image --exit-code 1 --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}-{{ build_number }}" +# command: "trivy image --timeout 15m --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}" +# register: vuln_results +# always: +# - name: echo vulnerability results +# debug: +# msg: "{{ vuln_results.stdout_lines }}" - name: Add {{ project_name }}-{{ container_name }} image to ECR docker_image: From 4a0224ee716eafee695e91fe95596a95dcb2160b Mon Sep 17 00:00:00 2001 From: jw34 Date: Fri, 24 Mar 2023 10:55:44 -0400 Subject: [PATCH 05/22] central-ecr change --- .../collections/bento/common/roles/ecr_login/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/collections/bento/common/roles/ecr_login/tasks/main.yml b/ansible/collections/bento/common/roles/ecr_login/tasks/main.yml index 0fc769d0..684a7aa5 100644 --- a/ansible/collections/bento/common/roles/ecr_login/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecr_login/tasks/main.yml 
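Review bot: Contrary to the subject "uncommented trivy", this hunk comments the whole `test image for vulnerabilities` block out, so images now go to ECR in the task that follows with no vulnerability scan at all; PATCH 17 does the same in build_frontend. If the scan has to be skipped temporarily, keep the block live behind a switch, `when: trivy_scan_enabled | default(true)`, so the opt-out is visible in inventory and in play output rather than buried in dead code. At minimum the reason and the intended re-enable condition belong in a comment above the block, e.g. `# trivy scan disabled: <reason>; re-enable once <condition>`.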
@@ -5,9 +5,9 @@ - name: set ECR registry name set_fact: ecr_repo: "{{ caller_info.account }}.dkr.ecr.{{ region }}.amazonaws.com" - account: "{{ caller_info.account }}" + account: "986019062625" - name: login into ecr shell: "docker login -u AWS -p $(aws ecr get-login-password --region {{ region }}) {{ ecr_repo }}" ignore_errors: True - register: ecr_login \ No newline at end of file + register: ecr_login From 0812ad0a6610b2d3efd65089e9d8100f3a9c922b Mon Sep 17 00:00:00 2001 From: jw34 Date: Fri, 24 Mar 2023 11:09:00 -0400 Subject: [PATCH 06/22] Update main.yml --- .../collections/bento/common/roles/ecr_login/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/collections/bento/common/roles/ecr_login/tasks/main.yml b/ansible/collections/bento/common/roles/ecr_login/tasks/main.yml index 684a7aa5..e5a0efd3 100644 --- a/ansible/collections/bento/common/roles/ecr_login/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecr_login/tasks/main.yml @@ -4,8 +4,8 @@ - name: set ECR registry name set_fact: - ecr_repo: "{{ caller_info.account }}.dkr.ecr.{{ region }}.amazonaws.com" - account: "986019062625" + ecr_repo: "986019062625.dkr.ecr.{{ region }}.amazonaws.com" + account: "{{ caller_info.account }}" - name: login into ecr shell: "docker login -u AWS -p $(aws ecr get-login-password --region {{ region }}) {{ ecr_repo }}" From 78e813a14ce4145c137cfa0367c093f59162b9c7 Mon Sep 17 00:00:00 2001 From: jw34 Date: Fri, 24 Mar 2023 11:47:08 -0400 Subject: [PATCH 07/22] Update main.yml --- .../collections/bento/common/roles/ecs/tasks/main.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml index 762ac9e9..17dc9ea8 100644 --- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml 
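Review bot: `account: "986019062625"` hard-codes one AWS account id into a role shared by every pipeline, and PATCH 06 moves the same literal into `ecr_repo`; either way every caller of this role now targets that registry account implicitly, and the value cannot differ per environment. Take it from a variable set in inventory instead, e.g. `ecr_repo: "{{ central_ecr_account }}.dkr.ecr.{{ region }}.amazonaws.com"`, leaving `account` derived from `caller_info`. Two context lines are worth fixing while here: `docker login -u AWS -p $(...)` passes the registry token as a command-line argument, visible in process listings and in Ansible's logged command, and `ignore_errors: True` hides a failed login until the later push fails. `shell: "aws ecr get-login-password --region {{ region }} | docker login --username AWS --password-stdin {{ ecr_repo }}"` with `no_log: true` on the task addresses both.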
@@ -74,14 +74,21 @@ ############################################################################################################################ # Service Queries ############################################################################################################################ +# - name: query {{ container_name }} service +# ecs_service_info: +# cluster: "{{ ecs_cluster_name }}" +# service: "{{ project_name }}-{{ tier }}-{{ container_name }}" +# details: true +# region: "{{ region }}" +# register: service - name: query {{ container_name }} service ecs_service_info: cluster: "{{ ecs_cluster_name }}" - service: "{{ project_name }}-{{ tier }}-{{ container_name }}" + service: "{{ service_name }}" details: true region: "{{ region }}" register: service - + - name: set facts set_fact: task_revision: "{{ task.revision }}" From 46a2aa6fd142e84d47383c76149fbe30c86ed3f1 Mon Sep 17 00:00:00 2001 From: jw34 Date: Fri, 24 Mar 2023 14:38:05 -0400 Subject: [PATCH 08/22] Update main.yml --- .../bento/common/roles/ecs/tasks/main.yml | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml index 17dc9ea8..fc758106 100644 --- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml @@ -88,7 +88,7 @@ details: true region: "{{ region }}" register: service - + - name: set facts set_fact: task_revision: "{{ task.revision }}" 
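Review bot: The query now targets `{{ service_name }}` but the task is still labelled `query {{ container_name }} service`, so play output names one service while the lookup uses another; `- name: query {{ service_name }} service` keeps them aligned, and PATCH 08 has the same mismatch in the update task. `service_name` is not defined anywhere visible in this series; if it is not provided by defaults or inventory, the task fails with an undefined-variable error, so a default or an `assert` that it is defined at the start of the role would surface that earlier. The commented-out copy of the old task kept above the live one should be deleted rather than kept; the history is in git.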
@@ -99,10 +99,28 @@ ########################################################################################################################### #Update Services ############################################################################################################################ +# - name: update {{ container_name }} service +# ecs_service: +# state: present +# name: "{{ project_name }}-{{ tier }}-{{ container_name }}" +# cluster: "{{ ecs_cluster_name }}" +# task_definition: "{{ task_name }}:{{ task_revision }}" +# role: "{{ role_arn }}" +# force_new_deployment: yes +# deployment_configuration: +# minimum_healthy_percent: 50 +# maximum_percent: 200 +# deployment_circuit_breaker: +# enable: true +# rollback: false +# desired_count: 1 +# load_balancers: "{{ lb }}" +# region: "{{ region }}" +# register: output - name: update {{ container_name }} service ecs_service: state: present - name: "{{ project_name }}-{{ tier }}-{{ container_name }}" + name: "{{ service_name }}" cluster: "{{ ecs_cluster_name }}" task_definition: "{{ task_name }}:{{ task_revision }}" role: "{{ role_arn }}" From ad2e47b19af5c3c844ef14e66c8ced1914b0610e Mon Sep 17 00:00:00 2001 From: jw34 Date: Thu, 6 Apr 2023 12:31:59 -0400 Subject: [PATCH 09/22] Update main.yml --- ansible/collections/bento/common/roles/ecs/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml index fc758106..d5b38527 100644 --- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml 
@@ -31,7 +31,8 @@ value: "{\"nrDeployMethod\":\"downloadPage\"}" - name: NRIA_LICENSE_KEY value: "{{ newrelic_license_key }}" - - name: "{{ container_name }}" + - name: {{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }} + # - name: "{{ container_name }}" essential: true image: "{{ container_image_url }}:{{ image_version }}" environment: "{{ container_env }}" From 24ed9822f7f046575c57a6e4961bd1a18d090d0d Mon Sep 17 00:00:00 2001 From: jw34 Date: Thu, 6 Apr 2023 12:40:33 -0400 Subject: [PATCH 10/22] Update main.yml --- ansible/collections/bento/common/roles/ecs/tasks/main.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml index d5b38527..91241dfe 100644 --- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml @@ -31,7 +31,7 @@ value: "{\"nrDeployMethod\":\"downloadPage\"}" - name: NRIA_LICENSE_KEY value: "{{ newrelic_license_key }}" - - name: {{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }} + - name: "{{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }}" # - name: "{{ container_name }}" essential: true image: "{{ container_image_url }}:{{ image_version }}" @@ -68,7 +68,7 @@ ############################################################################################################################ - name: query task definition - {{ container_name }} ecs_taskdefinition_info: - task_definition: "{{ project_name }}-{{ tier }}-{{ container_name }}" + task_definition: "{{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }}" region: "{{ region }}" register: task From 1fabc0172663c4b2126a949f2d670eeb7cc24ee6 Mon Sep 17 00:00:00 2001 
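Review bot: `- name: {{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }}` is unquoted, so the YAML parser reads the leading `{{` as a flow mapping and the task file fails to load before Ansible templates anything; every play that includes this role is broken at this commit. PATCH 10 adds the quotes (`- name: "{{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }}"`), so the two commits should be squashed to keep the series bisectable. The `# - name: "{{ container_name }}"` left beside it is dead and can be removed (PATCH 13 does).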
From: jw34 Date: Thu, 6 Apr 2023 12:40:46 -0400 Subject: [PATCH 11/22] Update main.yml --- ansible/collections/bento/common/roles/ecs/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml index 91241dfe..8f4b602a 100644 --- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml @@ -132,7 +132,7 @@ deployment_circuit_breaker: enable: true rollback: false - desired_count: 1 + desired_count: 2 load_balancers: "{{ lb }}" region: "{{ region }}" register: output \ No newline at end of file From c543c6694a6b816bd0133ea8e3ac824afb878f79 Mon Sep 17 00:00:00 2001 From: jw34 Date: Thu, 6 Apr 2023 12:51:12 -0400 Subject: [PATCH 12/22] Update main.yml --- ansible/collections/bento/common/roles/ecs/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml index 8f4b602a..b5c60707 100644 --- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml @@ -1,5 +1,5 @@ --- -- name: create task definition for {{ project_name }}-{{ container_name }} +- name: create task definition for "{{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }}" community.aws.ecs_taskdefinition: containers: - name: sumologic-firelens @@ -82,7 +82,7 @@ # details: true # region: "{{ region }}" # register: service -- name: query {{ container_name }} service +- name: query {{ service_name }} service ecs_service_info: cluster: "{{ ecs_cluster_name }}" service: "{{ service_name }}" 
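Review bot: `desired_count: 2` bakes a fixed task count into a role that serves every service and tier; a variable with a default, e.g. `desired_count: "{{ service_desired_count | default(2) }}"`, lets inventory set it per environment without editing the role. Note that with `rollback: false` on the circuit breaker a failed rollout stays in the failed state instead of returning to the previous revision, which is a defensible choice but deserves a one-line comment above `deployment_circuit_breaker:`. The enclosing `ecs_service` task starts before this hunk.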
@@ -118,7 +118,7 @@ # load_balancers: "{{ lb }}" # region: "{{ region }}" # register: output -- name: update {{ container_name }} service +- name: update {{ service_name }} service ecs_service: state: present name: "{{ service_name }}" From 7bbca53b005de26cc3a066836e6b1608e6537ce6 Mon Sep 17 00:00:00 2001 From: Cole DeVries <20191190+colemandevries@users.noreply.github.com> Date: Thu, 6 Apr 2023 19:46:40 -0400 Subject: [PATCH 13/22] resolved conflict with container name --- ansible/collections/bento/common/roles/ecs/tasks/main.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml index b5c60707..fb52888c 100644 --- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml +++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml @@ -31,8 +31,7 @@ value: "{\"nrDeployMethod\":\"downloadPage\"}" - name: NRIA_LICENSE_KEY value: "{{ newrelic_license_key }}" - - name: "{{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }}" - # - name: "{{ container_name }}" + - name: "{{ program }}-{{ project_name }}-{{ microservice }}" essential: true image: "{{ container_image_url }}:{{ image_version }}" environment: "{{ container_env }}" @@ -135,4 +134,4 @@ desired_count: 2 load_balancers: "{{ lb }}" region: "{{ region }}" - register: output \ No newline at end of file + register: output From 9406af4a93b34bdfc8c8cf07d71ed55bb86a6479 Mon Sep 17 00:00:00 2001 From: Cole DeVries Date: Fri, 7 Apr 2023 18:39:54 -0400 Subject: [PATCH 14/22] updated naming conventions for hub ecs/main.yml --- .../bento/common/roles/ecs/tasks/main.yml | 35 ++++--------------- 1 file changed, 6 insertions(+), 29 deletions(-) diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml index fb52888c..03752212 100644 --- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml 
+++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml @@ -18,7 +18,7 @@ - name: NRIA_IS_FORWARD_ONLY value: "true" - name: NEW_RELIC_APP_NAME - value: "{{ project_name }}-{{tier}}-{{ container_name }}" + value: "{{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }}" - name: NEW_RELIC_DISTRIBUTED_TRACING_ENABLED value: "true" - name: NEW_RELIC_HOST @@ -54,7 +54,7 @@ network_mode: awsvpc execution_role_arn: "arn:aws:iam::{{ account }}:role/{{ execution_role }}" task_role_arn: "arn:aws:iam::{{ account }}:role/{{ task_role }}" - family: "{{ project_name }}-{{ tier }}-{{ container_name }}" + family: "{{ program }}-{{ tier }}-{{ project_name }}-{{ microservice }}" memory: "{{ container_memory }}" cpu: "{{ container_cpu }}" state: present @@ -74,13 +74,7 @@ ############################################################################################################################ # Service Queries ############################################################################################################################ -# - name: query {{ container_name }} service -# ecs_service_info: -# cluster: "{{ ecs_cluster_name }}" -# service: "{{ project_name }}-{{ tier }}-{{ container_name }}" -# details: true -# region: "{{ region }}" -# register: service + - name: query {{ service_name }} service ecs_service_info: cluster: "{{ ecs_cluster_name }}" 
@@ -96,27 +90,10 @@ lb: "{{ service.services[0].loadBalancers }}" role_arn: "{{ service.services[0].roleArn }}" -########################################################################################################################### -#Update Services ############################################################################################################################ -# - name: update {{ container_name }} service -# ecs_service: -# state: present -# name: "{{ project_name }}-{{ tier }}-{{ container_name }}" -# cluster: "{{ ecs_cluster_name }}" -# task_definition: "{{ task_name }}:{{ task_revision }}" -# role: "{{ role_arn }}" -# force_new_deployment: yes -# deployment_configuration: -# minimum_healthy_percent: 50 -# maximum_percent: 200 -# deployment_circuit_breaker: -# enable: true -# rollback: false -# desired_count: 1 -# load_balancers: "{{ lb }}" -# region: "{{ region }}" -# register: output +# Update Services +############################################################################################################################ + - name: update {{ service_name }} service ecs_service: state: present From a56e7e7daf68e20441282b9cdec657de7ce986dc Mon Sep 17 00:00:00 2001 From: Sowmya Karavadi Date: Tue, 18 Apr 2023 17:15:31 -0400 Subject: [PATCH 15/22] updated frintend build file --- .../bento/common/roles/build_frontend/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml index a9bd4c08..8ef73f4e 100644 --- a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml +++ b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml 
@@ -6,7 +6,7 @@ - name: copy nginx conf copy: remote_src: yes - src: '{{workspace}}/icdc-devops/docker/dockerfiles/nginx.conf' + src: '{{workspace}}/playbooks/docker/dockerfiles/nginx.conf' dest: '{{workspace}}/build/nginx.conf' - name: copy entrypoint.sh to workspace @@ -21,6 +21,8 @@ args: chdir: "{{ container_build_path }}" warn: false + environment: + NODE_OPTIONS: --max-old-space-size=2048 loop: - npm set progress=false - npm install --silent From 0efe462d5b3bb062c6b28826cfbd52321a6856ab Mon Sep 17 00:00:00 2001 From: Sowmya Karavadi Date: Wed, 19 Apr 2023 11:05:14 -0400 Subject: [PATCH 16/22] updated node_option env variable --- .../bento/common/roles/build_frontend/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml index 8ef73f4e..85b359fa 100644 --- a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml +++ b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml @@ -22,7 +22,7 @@ chdir: "{{ container_build_path }}" warn: false environment: - NODE_OPTIONS: --max-old-space-size=2048 + NODE_OPTIONS: --max-old-space-size=4096 loop: - npm set progress=false - npm install --silent From 5aa9e54f5d6e596a1145b91f4e4345f9122848aa Mon Sep 17 00:00:00 2001 From: Sowmya Karavadi Date: Wed, 19 Apr 2023 11:14:39 -0400 Subject: [PATCH 17/22] commented out trivy scam --- .../roles/build_frontend/tasks/main.yml | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml index 85b359fa..18f5af73 100644 --- a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml +++ b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml 
@@ -63,20 +63,21 @@
 environment:
 DOCKER_BUILDKIT: 1
-- name: test image for vulnerabilities
- block:
- - name: run trivy scanner on
- #command: "trivy image --exit-code 1 --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}-{{ build_number }}"
- command: "trivy image --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}"
- register: vuln_results
- always:
- - name: echo vulnerability results
- debug:
- msg: "{{ vuln_results.stdout_lines }}"
+# - name: test image for vulnerabilities
+# block:
+# - name: run trivy scanner on
+# #command: "trivy image --exit-code 1 --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}-{{ build_number }}"
+# command: "trivy image --severity HIGH,CRITICAL {{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}"
+# register: vuln_results
+# always:
+# - name: echo vulnerability results
+# debug:
+# msg: "{{ vuln_results.stdout_lines }}"
 - name: debug
 debug:
 msg: "{{ container_registry_url }}/{{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}"
+
 - name: Add {{ project_name }}-{{ container_name }} image to ECR
 community.docker.docker_image:
 name: "{{ project_name }}-{{ container_name }}"
From 98cf806ca742fc54db8f92a6fc088bde3638d981 Mon Sep 17 00:00:00 2001
From: Sowmya Karavadi
Date: Wed, 19 Apr 2023 12:15:45 -0400
Subject: [PATCH 18/22] updated repo name
---
 .../bento/common/roles/build_frontend/tasks/main.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
index 18f5af73..9e271033 100644
--- a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
+++ b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
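Review bot: Commenting out the `test image for vulnerabilities` block removes the only scan between the image build and the `Add ... image to ECR` push that follows it, so HIGH/CRITICAL findings are no longer even logged, and the commit message gives no reason beyond the scan being disabled. If the scan is slow or flaky, keep the task and make it conditional, `when: trivy_scan | default(true)`, so it can be switched off per environment without editing the role; note the `--exit-code 1` form was already commented, so the block never blocked a push and only reported. Leaving ten lines of commented-out YAML in the file is also a readability cost, and git history keeps the original if it is deleted outright. The `Add ... image to ECR` task at the end of the hunk continues past the hunk.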
@@ -55,7 +55,7 @@
 path: "{{workspace}}/build"
 pull: yes
 # nocache: yes
- name: "{{ project_name }}-{{ container_name }}"
+ name: "{{ program }}-{{ project_name }}-{{ container_name }}"
 tag: "{{ image_version }}.{{ build_number }}"
 push: no
 force_source: yes
@@ -76,12 +76,12 @@
 - name: debug
 debug:
- msg: "{{ container_registry_url }}/{{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}"
+ msg: "{{ container_registry_url }}/{{ program }}-{{ project_name }}-{{ container_name }}:{{ image_version }}.{{ build_number }}"
 - name: Add {{ project_name }}-{{ container_name }} image to ECR
 community.docker.docker_image:
- name: "{{ project_name }}-{{ container_name }}"
- repository: "{{ container_registry_url }}/{{ project_name }}-{{ container_name }}"
+ name: "{{ program }}-{{ project_name }}-{{ container_name }}"
+ repository: "{{ container_registry_url }}/{{ program }}-{{ project_name }}-{{ container_name }}"
 tag: "{{ image_version }}.{{ build_number }}"
 force_tag: yes
 push: yes
@@ -90,8 +90,8 @@
 - name: Add tag latest to {{ project_name }}-{{container_name}} image
 community.docker.docker_image:
- name: "{{ container_registry_url }}/{{ project_name }}-{{ container_name }}:{{ image_version }}.{{build_number}}"
- repository: "{{ container_registry_url }}/{{ project_name }}-{{ container_name }}:latest"
+ name: "{{ container_registry_url }}/{{ program }}-{{ project_name }}-{{ container_name }}:{{ image_version }}.{{build_number}}"
+ repository: "{{ container_registry_url }}/{{ program }}-{{ project_name }}-{{ container_name }}:latest"
 force_tag: yes
 push: yes
 source: local
\ No newline at end of file
From 557c9cdf9fa6f57dfcc940bcdd15dcb7dae2ea35 Mon Sep 17 00:00:00 2001
From: colemandevries
Date: Wed, 19 Apr 2023 13:27:20 -0400
Subject: [PATCH 19/22] bumping up the apm agent version
---
 ansible/collections/bento/common/roles/ecs/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
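Review bot: The `docker_image` tasks now build and push `{{ program }}-{{ project_name }}-{{ container_name }}`, but the task names in the context lines (`Add {{ project_name }}-{{ container_name }} image to ECR`, `Add tag latest to {{ project_name }}-{{container_name}} image`) still omit `program`, so the play log shows a different image name from the one actually pushed; rename them to `Add {{ program }}-{{ project_name }}-{{ container_name }} image to ECR` and the matching `Add tag latest to ...` form. `program` is a new variable with no default visible in these hunks; if it can be unset in some inventories, add it to the role defaults or fail early with `assert` on `program is defined` so the build stops before any image is tagged. The first and last hunks cut through `docker_image` tasks whose remaining parameters are outside the view.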
diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml
index 03752212..269ee147 100644
--- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml
+++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml
@@ -11,7 +11,7 @@
 enable-ecs-log-metadata: "true"
 - name: "{{ project_name }}-{{ tier }}-fargate-infra"
 essential: true
- image: "newrelic/nri-ecs:1.9.2"
+ image: "newrelic/nri-ecs:1.9.9"
 environment:
 - name: NRIA_OVERRIDE_HOST_ROOT
 value: ""
From f8c85910e6b6f9cb9bf9332b96a33529f0a7ce24 Mon Sep 17 00:00:00 2001
From: jw34
Date: Mon, 17 Jul 2023 18:12:25 -0400
Subject: [PATCH 20/22] Update main.yml
---
 .../bento/common/roles/build_frontend/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
index 9e271033..2aeea4c4 100644
--- a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
+++ b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
@@ -47,7 +47,7 @@
 src: '{{ dockerfile_path }}'
 dest: '{{workspace}}/build/Dockerfile'
-- name: build {{ project_name }}-{{container_name}} image
+- name: build {{ program }}-{{ project_name }}-{{container_name}} image
 community.docker.docker_image:
 build:
 args:
@@ -88,7 +88,7 @@
 source: local
-- name: Add tag latest to {{ project_name }}-{{container_name}} image
+- name: Add tag latest to {{ program }}-{{ project_name }}-{{container_name}} image
 community.docker.docker_image:
 name: "{{ container_registry_url }}/{{ program }}-{{ project_name }}-{{ container_name }}:{{ image_version }}.{{build_number}}"
 repository: "{{ container_registry_url }}/{{ program }}-{{ project_name }}-{{ container_name }}:latest"
From bdb5b9059811d562bf4002fc96e3e69808008449 Mon Sep 17 00:00:00 2001
From: jw34
Date: Mon, 28 Aug 2023 11:03:53 -0400
Subject: [PATCH 21/22] changing desired count back to 1
---
 ansible/collections/bento/common/roles/ecs/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ansible/collections/bento/common/roles/ecs/tasks/main.yml b/ansible/collections/bento/common/roles/ecs/tasks/main.yml
index 269ee147..ff3e4deb 100644
--- a/ansible/collections/bento/common/roles/ecs/tasks/main.yml
+++ b/ansible/collections/bento/common/roles/ecs/tasks/main.yml
@@ -108,7 +108,7 @@
 deployment_circuit_breaker:
 enable: true
 rollback: false
- desired_count: 2
+ desired_count: 1
 load_balancers: "{{ lb }}"
 region: "{{ region }}"
 register: output
From 7fcb09fab23dfd726b85b8ff80c82c3131bead65 Mon Sep 17 00:00:00 2001
From: jw34
Date: Tue, 5 Sep 2023 06:29:59 -0400
Subject: [PATCH 22/22] Supporting ECR Immutability
Removing latest tag to support immutability
---
 .../bento/common/roles/build_backend/tasks/main.yml | 7 -------
 .../bento/common/roles/build_frontend/tasks/main.yml | 9 ---------
 2 files changed, 16 deletions(-)
diff --git a/ansible/collections/bento/common/roles/build_backend/tasks/main.yml b/ansible/collections/bento/common/roles/build_backend/tasks/main.yml
index 28939a85..fd0e7481 100644
--- a/ansible/collections/bento/common/roles/build_backend/tasks/main.yml
+++ b/ansible/collections/bento/common/roles/build_backend/tasks/main.yml
@@ -53,10 +53,3 @@
 push: yes
 source: local
-- name: Add tag latest to {{ project_name }}-{{container_name}} image
- community.docker.docker_image:
- name: "{{ container_registry_url }}/{{ project_name }}-{{ container_name }}:{{ image_version }}.{{build_number}}"
- repository: "{{ container_registry_url }}/{{ project_name }}-{{ container_name }}:latest"
- force_tag: yes
- push: yes
- source: local
diff --git a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
index 2aeea4c4..11d2feee 100644
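Review bot: Setting `desired_count` to 1 in the `@@ -108,7 +108,7 @@` hunk means the service runs a single task, so a rolling deployment with `minimum_healthy_percent` below 100 can drain the service to zero running tasks while the replacement starts; the deployment percentages are set outside this hunk, so confirm they are 100/200 for a one-task service. With `rollback: false` under `deployment_circuit_breaker` in the context lines, a failed deployment also stays failed rather than reverting, which is worth stating next to the new value, e.g. `desired_count: 1  # single task: keep minimum_healthy_percent at 100 so deploys never drain the service`. The enclosing `ecs_service` task starts before the hunk.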
--- a/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
+++ b/ansible/collections/bento/common/roles/build_frontend/tasks/main.yml
@@ -86,12 +86,3 @@
 force_tag: yes
 push: yes
 source: local
-
-
-- name: Add tag latest to {{ program }}-{{ project_name }}-{{container_name}} image
- community.docker.docker_image:
- name: "{{ container_registry_url }}/{{ program }}-{{ project_name }}-{{ container_name }}:{{ image_version }}.{{build_number}}"
- repository: "{{ container_registry_url }}/{{ program }}-{{ project_name }}-{{ container_name }}:latest"
- force_tag: yes
- push: yes
- source: local
\ No newline at end of file