feat: #915 tfc s3 migration deployment (#948)

bcgov · Oct 5, 2023 · e325af6 · e325af6
1 parent e765f1f
commit e325af6
Show file tree

Hide file tree

Showing 27 changed files with 131 additions and 125 deletions.
diff --git a/.github/workflows/ci_infrastructure.yml b/.github/workflows/ci_infrastructure.yml
@@ -23,8 +23,13 @@ on:
       - ".github/workflows/reusable_terraform_server.yml"
       - ".github/workflows/pr_open_terraform_ci.yml"
 
-jobs:
+# When use GHA OIDC provider and for action to create the JWT, it is required to have the id-token: write permission
+# permission can be added at job level or workflow level. Ref: https://github.com/aws-actions/configure-aws-credentials#OIDC
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
 
+jobs:
   backend-terraform-plan:
     uses: ./.github/workflows/reusable_terraform_server.yml
     with:
@@ -33,7 +38,6 @@ jobs:
       execute_flyway: false
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
       dev_oidc_idir_idp_client_secret: "${{ secrets.DEV_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       test_oidc_idir_idp_client_secret: "${{ secrets.TEST_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       prod_oidc_idir_idp_client_secret: "${{ secrets.PROD_OIDC_IDIR_IDP_CLIENT_SECRET }}"
@@ -47,7 +51,6 @@ jobs:
       idim_proxy_api_api_key: "${{ secrets.IDIM_PROXY_API_API_KEY }}"
       gc_notify_email_api_key: "${{ secrets.GC_NOTIFY_EMAIL_API_KEY }}"
 
-
   frontend-terraform-plan:
     needs: backend-terraform-plan
     uses: ./.github/workflows/reusable_terraform_frontend.yml
@@ -56,7 +59,6 @@ jobs:
       tf_subcommand: plan
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
 
   backend-terraform-plan-destroy:
     needs: frontend-terraform-plan
@@ -69,7 +71,6 @@ jobs:
       execute_flyway: false
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
       dev_oidc_idir_idp_client_secret: "${{ secrets.DEV_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       test_oidc_bceid_business_idp_client_secret: "${{ secrets.TEST_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       prod_oidc_idir_idp_client_secret: "${{ secrets.PROD_OIDC_IDIR_IDP_CLIENT_SECRET }}"

diff --git a/.github/workflows/dev_deployment.yml b/.github/workflows/dev_deployment.yml
@@ -6,8 +6,13 @@ on:
     branches:
       - "main"
 
-jobs:
+# When use GHA OIDC provider and for action to create the JWT, it is required to have the id-token: write permission
+# permission can be added at job level or workflow level. Ref: https://github.com/aws-actions/configure-aws-credentials#OIDC
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
 
+jobs:
   aws-dev-deployment-server:
     uses: ./.github/workflows/reusable_terraform_server.yml
     with:
@@ -16,7 +21,6 @@ jobs:
       execute_flyway: true
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
       dev_oidc_idir_idp_client_secret: "${{ secrets.DEV_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       test_oidc_idir_idp_client_secret: "${{ secrets.TEST_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       prod_oidc_idir_idp_client_secret: "${{ secrets.PROD_OIDC_IDIR_IDP_CLIENT_SECRET }}"
@@ -30,7 +34,6 @@ jobs:
       idim_proxy_api_api_key: "${{ secrets.IDIM_PROXY_API_API_KEY }}"
       gc_notify_email_api_key: "${{ secrets.GC_NOTIFY_EMAIL_API_KEY }}"
 
-
   aws-dev-deployment-frontend:
     needs: aws-dev-deployment-server
     uses: ./.github/workflows/reusable_terraform_frontend.yml
@@ -39,4 +42,3 @@ jobs:
       tf_subcommand: apply
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
diff --git a/.github/workflows/dev_deployment_frontend.yml b/.github/workflows/dev_deployment_frontend.yml
@@ -5,13 +5,10 @@ on:
   workflow_dispatch:
 
 jobs:
-
   aws-test-deployment-frontend:
     uses: ./.github/workflows/reusable_terraform_frontend.yml
     with:
       environment_name: dev
       tf_subcommand: apply
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
-
diff --git a/.github/workflows/dev_destruction.yml b/.github/workflows/dev_destruction.yml
@@ -3,16 +3,19 @@ name: DESTROY Development Backend
 on:
   workflow_dispatch:
 
-jobs:
+# permission can be added at job level or workflow level
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
 
+jobs:
   aws-dev-destruction-server:
     uses: ./.github/workflows/reusable_terraform_server.yml
     with:
       environment_name: dev
       tf_subcommand: destroy
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
       dev_oidc_idir_idp_client_secret: "${{ secrets.DEV_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       test_oidc_idir_idp_client_secret: "${{ secrets.TEST_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       prod_oidc_idir_idp_client_secret: "${{ secrets.PROD_OIDC_IDIR_IDP_CLIENT_SECRET }}"
@@ -37,4 +40,3 @@ jobs:
   #     tf_subcommand: destroy
   #   secrets:
   #     licenceplate: ${{ secrets.LICENCEPLATE}}
-  #     tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
diff --git a/.github/workflows/prod_deployment.yml b/.github/workflows/prod_deployment.yml
@@ -3,8 +3,13 @@ name: Caution!! DEPLOY Production Environment
 on:
   workflow_dispatch:
 
-jobs:
+# When use GHA OIDC provider and for action to create the JWT, it is required to have the id-token: write permission
+# permission can be added at job level or workflow level. Ref: https://github.com/aws-actions/configure-aws-credentials#OIDC
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
 
+jobs:
   aws-prod-deployment-server:
     uses: ./.github/workflows/reusable_terraform_server.yml
     with:
@@ -13,7 +18,6 @@ jobs:
       execute_flyway: true
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
       dev_oidc_idir_idp_client_secret: "${{ secrets.DEV_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       test_oidc_idir_idp_client_secret: "${{ secrets.TEST_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       prod_oidc_idir_idp_client_secret: "${{ secrets.PROD_OIDC_IDIR_IDP_CLIENT_SECRET }}"
@@ -35,4 +39,3 @@ jobs:
       tf_subcommand: apply
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
diff --git a/.github/workflows/prod_destruction.yml b/.github/workflows/prod_destruction.yml
@@ -3,16 +3,20 @@ name: Caution!! DESTROY Production Backend
 on:
   workflow_dispatch:
 
-jobs:
+# permission can be added at job level or workflow level
+# Enable this if you really consider to destory prod!!
+# permissions:
+#   id-token: write # This is required for requesting the JWT
+#   contents: read # This is required for actions/checkout
 
+jobs:
   aws-prod-destruction-server:
     uses: ./.github/workflows/reusable_terraform_server.yml
     with:
       environment_name: prod
       tf_subcommand: destroy
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
       dev_oidc_idir_idp_client_secret: "${{ secrets.DEV_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       test_oidc_idir_idp_client_secret: "${{ secrets.TEST_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       prod_oidc_idir_idp_client_secret: "${{ secrets.PROD_OIDC_IDIR_IDP_CLIENT_SECRET }}"
@@ -37,4 +41,3 @@ jobs:
   #     tf_subcommand: destroy
   #   secrets:
   #     licenceplate: ${{ secrets.LICENCEPLATE}}
-  #     tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
diff --git a/.github/workflows/reusable_terraform_frontend.yml b/.github/workflows/reusable_terraform_frontend.yml
@@ -12,21 +12,23 @@ on:
     secrets:
       licenceplate:
         required: true
-      tfc_team_token:
-        required: true
 
 env:
   TF_VERSION: 1.2.2
   TG_VERSION: 0.37.1
   TG_SRC_PATH: terraform-frontend
   TG_SERVER_SRC_PATH: terraform
+  AWS_REGION: ca-central-1
 
 jobs:
   aws-frontend-deployment:
     name: Run Terraform to Deploy Frontend
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment_name }}
 
+    env:
+      AWS_OIDC_GHA_ROLE: ${{ vars.FAM_GHA_ROLE }} # AWS-GHA OIDC auth role.
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2.5.0
@@ -39,11 +41,12 @@ jobs:
           mkdir ../infrastructure/frontend/dist
           rsync -r dist/* ../infrastructure/frontend/dist
 
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2.0.2
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          terraform_version: ${{ env.TF_VERSION }}
-          cli_config_credentials_token: ${{ secrets.tfc_team_token }}
+          role-to-assume: ${{ env.AWS_OIDC_GHA_ROLE }}
+          role-session-name: frontend-${{ inputs.environment_name }}-deployment
+          aws-region: ${{ env.AWS_REGION }}
 
       - name: Setup Terragrunt
         uses: peter-murray/terragrunt-github-action@v1.0.0
@@ -54,7 +57,8 @@ jobs:
         name: Terragrunt Server Output
         working-directory: ${{ env.TG_SERVER_SRC_PATH }}/${{ inputs.environment_name }}
         env:
-          tfc_workspace: "${{ secrets.licenceplate }}-${{ inputs.environment_name }}"
+          licenceplate: ${{ secrets.licenceplate }}
+          target_env: ${{ inputs.environment_name }}
         run: |
           # Run terraform
           cat > github.auto.tfvars <<EOF
@@ -63,15 +67,7 @@ jobs:
           db_cluster_snapshot_identifier = "NA"
           execute_flyway = false
           EOF
-          terragrunt run-all output -json
-
-      - name: Create env.json file
-        uses: DamianReeves/write-file-action@master
-        with:
-          path: infrastructure/frontend/dist/env.json
-          contents: |
-            ${{ steps.terragrunt-server-output.outputs.stdout }}
-          write-mode: overwrite
+          terragrunt run-all output -json > ../../infrastructure/frontend/dist/env.json
 
       - id: terragrunt-server-output-test
         working-directory: infrastructure/frontend/dist
@@ -85,6 +81,7 @@ jobs:
       - name: Terragrunt ${{ inputs.tf_subcommand }}
         working-directory: ${{ env.TG_SRC_PATH }}/${{ inputs.environment_name }}
         env:
-          tfc_workspace: "${{ secrets.licenceplate }}-${{ inputs.environment_name }}-frontend"
+          licenceplate: ${{ secrets.licenceplate }}
+          target_env: ${{ inputs.environment_name }}
         run: |
           terragrunt run-all ${{ inputs.tf_subcommand }} --terragrunt-non-interactive
diff --git a/.github/workflows/reusable_terraform_server.yml b/.github/workflows/reusable_terraform_server.yml
@@ -16,8 +16,6 @@ on:
     secrets:
       licenceplate:
         required: true
-      tfc_team_token:
-        required: true
       dev_oidc_idir_idp_client_secret:
         required: true
       test_oidc_idir_idp_client_secret:
@@ -47,23 +45,25 @@ env:
   TF_VERSION: 1.2.2
   TG_VERSION: 0.37.1
   TG_SRC_PATH: terraform
+  AWS_REGION: ca-central-1
 
 jobs:
-
   aws-server-deployment:
-
     name: Run Terraform to Deploy Server
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment_name }}
 
+    env:
+      AWS_OIDC_GHA_ROLE: ${{ vars.FAM_GHA_ROLE }} # AWS-GHA OIDC auth role.
+
     steps:
       - name: Checkout
         uses: actions/checkout@v2.5.0
 
       - name: Set up Python 3.8
         uses: actions/setup-python@v4
         with:
-          python-version: '3.8'
+          python-version: "3.8"
 
       - name: Auth function zip
         run: |
@@ -82,7 +82,6 @@ jobs:
           path: ./infrastructure/server/fam_auth_function.zip
           if-no-files-found: error
 
-      # Steps to deploy Ian's python as a lambda
       - name: Install and Package Dependencies - FAM API
         run: |
           cd server/backend
@@ -111,13 +110,12 @@ jobs:
           mkdir infrastructure/server/sql
           rsync -r server/flyway/sql/* infrastructure/server/sql
 
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2.0.2
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          terraform_version: ${{ env.TF_VERSION }}
-          cli_config_credentials_token: ${{ secrets.tfc_team_token }}
-          # This gets rid of the extra output that kills automated output readability
-          terraform_wrapper: false
+          role-to-assume: ${{ env.AWS_OIDC_GHA_ROLE }}
+          role-session-name: server-${{ inputs.environment_name }}-deployment
+          aws-region: ${{ env.AWS_REGION }}
 
       - name: Setup Terragrunt
         uses: peter-murray/terragrunt-github-action@v1.0.0
@@ -157,17 +155,18 @@ jobs:
       - name: Terragrunt ${{ inputs.tf_subcommand }}
         working-directory: ${{ env.TG_SRC_PATH }}/${{ inputs.environment_name }}
         env:
-          tfc_workspace: "${{ secrets.licenceplate }}-${{ inputs.environment_name }}"
+          licenceplate: ${{ secrets.licenceplate }}
+          target_env: ${{ inputs.environment_name }}
         run: |
           # Run terraform
           terragrunt run-all ${{ inputs.tf_subcommand }} --terragrunt-non-interactive
 
-
       - id: smoke_test
         name: Smoke Test
         working-directory: ${{ env.TG_SRC_PATH }}/${{ inputs.environment_name }}
         env:
-          tfc_workspace: "${{ secrets.licenceplate }}-${{ inputs.environment_name }}"
+          licenceplate: ${{ secrets.licenceplate }}
+          target_env: ${{ inputs.environment_name }}
         run: |
           if [[ "apply" == "${{ inputs.tf_subcommand }}" ]]
           then
@@ -178,8 +177,3 @@ jobs:
           else
             echo "Not executing terraform apply - smoke test skipped"
           fi
-
-
-
-
-
diff --git a/.github/workflows/test_deployment.yml b/.github/workflows/test_deployment.yml
@@ -3,8 +3,13 @@ name: DEPLOY Test Environment
 on:
   workflow_dispatch:
 
-jobs:
+# When use GHA OIDC provider and for action to create the JWT, it is required to have the id-token: write permission
+# permission can be added at job level or workflow level. Ref: https://github.com/aws-actions/configure-aws-credentials#OIDC
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: read # This is required for actions/checkout
 
+jobs:
   aws-test-deployment-server:
     uses: ./.github/workflows/reusable_terraform_server.yml
     with:
@@ -13,7 +18,6 @@ jobs:
       execute_flyway: true
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
       dev_oidc_idir_idp_client_secret: "${{ secrets.DEV_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       test_oidc_idir_idp_client_secret: "${{ secrets.TEST_OIDC_IDIR_IDP_CLIENT_SECRET }}"
       prod_oidc_idir_idp_client_secret: "${{ secrets.PROD_OIDC_IDIR_IDP_CLIENT_SECRET }}"
@@ -35,5 +39,3 @@ jobs:
       tf_subcommand: apply
     secrets:
       licenceplate: ${{ secrets.LICENCEPLATE}}
-      tfc_team_token: ${{ secrets.TFC_TEAM_TOKEN }}
-