Merge pull request #499 from GSA/prod-deploy-prep

Prod deploy prep

.github/workflows/deploy-demo.yml

@@ -53,7 +53,6 @@ jobs:
           SECRET_KEY: ${{ secrets.SECRET_KEY }}
           ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
           BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
-          REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
           NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
           NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
         with:
@@ -65,7 +64,6 @@ jobs:
             --vars-file deploy-config/demo.yml
             --var DANGEROUS_SALT="$DANGEROUS_SALT"
             --var SECRET_KEY="$SECRET_KEY"
-            --var REDIS_ENABLED="$REDIS_ENABLED"
             --var ADMIN_CLIENT_USERNAME="notify-admin"
             --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
             --var BASIC_AUTH_USERNAME="curiousabout"

.github/workflows/deploy-prod.yml

@@ -0,0 +1,87 @@
+name: Deploy to production environment
+
+on:
+  push:
+    branches: [ production ]
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Check for changes to Terraform
+        id: changed-terraform-files
+        uses: tj-actions/changed-files@v1.1.2
+        with:
+          files: |
+            terraform/production
+            terraform/shared
+            .github/workflows/deploy-prod.yml
+      - name: Terraform init
+        if: steps.changed-terraform-files.outputs.any_changed == 'true'
+        working-directory: terraform/production
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+        run: terraform init
+      - name: Terraform apply
+        if: steps.changed-terraform-files.outputs.any_changed == 'true'
+        working-directory: terraform/production
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+        run: terraform apply -auto-approve -input=false
+
+      - uses: ./.github/actions/setup-project
+
+      - name: Create requirements.txt because Cloud Foundry does a weird pipenv thing
+        run: pipenv requirements > requirements.txt
+
+      - name: Deploy to cloud.gov
+        uses: 18f/cg-deploy-action@main
+        env:
+          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
+          BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
+          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
+          NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
+        with:
+          cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
+          cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+          cf_org: gsa-tts-benefits-studio-prototyping
+          cf_space: notify-production
+          push_arguments: >-
+            --vars-file deploy-config/production.yml
+            --var DANGEROUS_SALT="$DANGEROUS_SALT"
+            --var SECRET_KEY="$SECRET_KEY"
+            --var ADMIN_CLIENT_USERNAME="notify-admin"
+            --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
+            --var BASIC_AUTH_USERNAME="curiousabout"
+            --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD"
+            --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
+            --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
+
+      - name: Check for changes to egress config
+        id: changed-egress-config
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            deploy-config/egress_proxy/notify-admin-production.*.acl
+            .github/actions/deploy-proxy/action.yml
+            .github/workflows/deploy-prod.yml
+      - name: Deploy egress proxy
+        if: steps.changed-egress-config.outputs.any_changed == 'true'
+        uses: ./.github/actions/deploy-proxy
+        with:
+          cf_space: notify-production
+          app: notify-admin-production

.github/workflows/deploy.yml

@@ -58,7 +58,6 @@ jobs:
           SECRET_KEY: ${{ secrets.SECRET_KEY }}
           ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
           BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
-          REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
           NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
           NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
         with:
@@ -70,7 +69,6 @@ jobs:
             --vars-file deploy-config/staging.yml
             --var DANGEROUS_SALT="$DANGEROUS_SALT"
             --var SECRET_KEY="$SECRET_KEY"
-            --var REDIS_ENABLED="$REDIS_ENABLED"
             --var ADMIN_CLIENT_USERNAME="notify-admin"
             --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
             --var BASIC_AUTH_USERNAME="curiousabout"

.github/workflows/drift.yml

@@ -45,22 +45,22 @@ jobs:
         with:
           path: terraform/demo
 
-  # check_prod_drift:
-  #   runs-on: ubuntu-latest
-  #   name: Check for drift of production terraform configuration
-  #   environment: production
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@v3
-  #       with:
-  #         ref: 'production'
+  check_prod_drift:
+    runs-on: ubuntu-latest
+    name: Check for drift of production terraform configuration
+    environment: production
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: 'production'
 
-  #     - name: Check for drift
-  #       uses: dflook/terraform-check@v1
-  #       env:
-  #         AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-  #         AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-  #         TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
-  #         TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-  #       with:
-  #         path: terraform/production
+      - name: Check for drift
+        uses: dflook/terraform-check@v1
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+        with:
+          path: terraform/production

.github/workflows/terraform-production.yml

@@ -2,7 +2,7 @@ name: Run Terraform plan in production
 
 on:
   pull_request:
-    branches: [ production-disabled-for-now ]
+    branches: [ production ]
     paths: [ 'terraform/**' ]
 
 defaults:

deploy-config/demo.yml

@@ -2,5 +2,6 @@ env: demo
 instances: 1
 memory: 1G
 public_admin_route: notify-demo.app.cloud.gov
+redis_enabled: 1
 nr_agent_id: "1134302465"
 nr_app_id: "1083160688"

deploy-config/egress_proxy/notify-admin-production.allow.acl

@@ -0,0 +1,2 @@
+gov-collector.newrelic.com
+egress-proxy-notify-admin-production.apps.internal

deploy-config/egress_proxy/notify-admin-production.deploy.acl

@@ -0,0 +1 @@
+Update this file to force a re-deploy of the egress proxy even when notify-admin-production.<allow|deny>.acl haven't changed

deploy-config/production.yml

@@ -2,5 +2,6 @@ env: production
 instances: 2
 memory: 1G
 public_admin_route: notify.app.cloud.gov
+redis_enabled: 1
 nr_agent_id: ""
 nr_app_id: ""

deploy-config/sandbox.yml

@@ -2,13 +2,13 @@ env: sandbox
 instances: 1
 memory: 1G
 public_admin_route: notify-sandbox.app.cloud.gov
+redis_enabled: 1
 ADMIN_CLIENT_USERNAME: notify-admin
 ADMIN_CLIENT_SECRET: sandbox-notify-secret-key
 DANGEROUS_SALT: sandbox-notify-salt
 SECRET_KEY: sandbox-notify-secret-key
 BASIC_AUTH_USERNAME: sandbox
 BASIC_AUTH_PASSWORD: sandbox
-REDIS_ENABLED: 1
 nr_agent_id: ""
 nr_app_id: ""
 NR_BROWSER_KEY: ""

deploy-config/staging.yml

@@ -2,5 +2,6 @@ env: staging
 instances: 1
 memory: 1G
 public_admin_route: notify-staging.app.cloud.gov
+redis_enabled: 1
 nr_agent_id: "1134291385"
 nr_app_id: "1031640326"

manifest.yml

@@ -32,7 +32,7 @@ applications:
       NR_APP_ID: ((nr_app_id))
       NR_BROWSER_KEY: ((NR_BROWSER_KEY))
 
-      REDIS_ENABLED: ((REDIS_ENABLED))
+      REDIS_ENABLED: ((redis_enabled))
       ADMIN_BASE_URL: https://((public_admin_route))
       API_HOST_NAME: https://notify-api-((env)).apps.internal:61443
 

terraform/production/main.tf

@@ -13,7 +13,7 @@ module "redis" {
   cf_space_name    = local.cf_space_name
   name             = "${local.app_name}-redis-${local.env}"
   recursive_delete = local.recursive_delete
-  redis_plan_name  = "TKTK-production-redis-plan"
+  redis_plan_name  = "redis-3node-large"
 }
 
 module "logo_upload_bucket" {
@@ -45,7 +45,7 @@ module "logo_upload_bucket" {
 # It can be re-enabled after:
 # 1) the app has first been deployed
 # 2) the route has been manually created by an OrgManager:
-#     `cf create-domain TKTK-org-name TKTK-production-domain-name`
+#     `cf create-domain gsa-tts-benefits-studio-prototyping beta.notify.gov`
 ###########################################################################
 # module "domain" {
 #   source = "github.com/18f/terraform-cloudgov//domain?ref=v0.2.0"
@@ -56,5 +56,5 @@ module "logo_upload_bucket" {
 #   name             = "${local.app_name}-domain-${local.env}"
 #   recursive_delete = local.recursive_delete
 #   cdn_plan_name    = "domain"
-#   domain_name      = "TKTK-production-domain-name"
+#   domain_name      = "beta.notify.gov"
 # }