From a3ce5e547e18112601ef21ccddc73a9e9db86a61 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Mon, 8 May 2023 15:27:55 -0400
Subject: [PATCH 1/2] Stop setting redis_enabled in secrets

---
.github/workflows/deploy-demo.yml | 2 --
.github/workflows/deploy.yml | 2 --
deploy-config/demo.yml | 1 +
deploy-config/production.yml | 1 +
deploy-config/sandbox.yml | 2 +-
deploy-config/staging.yml | 1 +
manifest.yml | 2 +-
7 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml
index 8dfe9905c..15834c6d1 100644
--- a/.github/workflows/deploy-demo.yml
+++ b/.github/workflows/deploy-demo.yml
@@ -53,7 +53,6 @@ jobs:
 SECRET_KEY: ${{ secrets.SECRET_KEY }}
 ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
 BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
- REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
 NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
 NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
 with:
@@ -65,7 +64,6 @@ jobs:
 --vars-file deploy-config/demo.yml
 --var DANGEROUS_SALT="$DANGEROUS_SALT"
 --var SECRET_KEY="$SECRET_KEY"
- --var REDIS_ENABLED="$REDIS_ENABLED"
 --var ADMIN_CLIENT_USERNAME="notify-admin"
 --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
 --var BASIC_AUTH_USERNAME="curiousabout"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e496fd1ec..866b84d62 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -58,7 +58,6 @@ jobs:
 SECRET_KEY: ${{ secrets.SECRET_KEY }}
 ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
 BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
- REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
 NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
 NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
 with:
@@ -70,7 +69,6 @@ jobs:
 --vars-file deploy-config/staging.yml
 --var DANGEROUS_SALT="$DANGEROUS_SALT"
 --var SECRET_KEY="$SECRET_KEY"
- --var REDIS_ENABLED="$REDIS_ENABLED"
 --var ADMIN_CLIENT_USERNAME="notify-admin"
 --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
 --var BASIC_AUTH_USERNAME="curiousabout"
diff --git a/deploy-config/demo.yml b/deploy-config/demo.yml
index d8cd8e2b0..1b53947f7 100644
--- a/deploy-config/demo.yml
+++ b/deploy-config/demo.yml
@@ -2,5 +2,6 @@ env: demo
 instances: 1
 memory: 1G
 public_admin_route: notify-demo.app.cloud.gov
+redis_enabled: 1
 nr_agent_id: "1134302465"
 nr_app_id: "1083160688"
diff --git a/deploy-config/production.yml b/deploy-config/production.yml
index 9b9249bfd..1ed5010d7 100644
--- a/deploy-config/production.yml
+++ b/deploy-config/production.yml
@@ -2,5 +2,6 @@ env: production
 instances: 2
 memory: 1G
 public_admin_route: notify.app.cloud.gov
+redis_enabled: 1
 nr_agent_id: ""
 nr_app_id: ""
diff --git a/deploy-config/sandbox.yml b/deploy-config/sandbox.yml
index 0bd9ddd03..a4df696c9 100644
--- a/deploy-config/sandbox.yml
+++ b/deploy-config/sandbox.yml
@@ -2,13 +2,13 @@ env: sandbox
 instances: 1
 memory: 1G
 public_admin_route: notify-sandbox.app.cloud.gov
+redis_enabled: 1
 ADMIN_CLIENT_USERNAME: notify-admin
 ADMIN_CLIENT_SECRET: sandbox-notify-secret-key
 DANGEROUS_SALT: sandbox-notify-salt
 SECRET_KEY: sandbox-notify-secret-key
 BASIC_AUTH_USERNAME: sandbox
 BASIC_AUTH_PASSWORD: sandbox
-REDIS_ENABLED: 1
 nr_agent_id: ""
 nr_app_id: ""
 NR_BROWSER_KEY: ""
diff --git a/deploy-config/staging.yml b/deploy-config/staging.yml
index e16b81f4b..2426d4930 100644
--- a/deploy-config/staging.yml
+++ b/deploy-config/staging.yml
@@ -2,5 +2,6 @@ env: staging
 instances: 1
 memory: 1G
 public_admin_route: notify-staging.app.cloud.gov
+redis_enabled: 1
 nr_agent_id: "1134291385"
 nr_app_id: "1031640326"
diff --git a/manifest.yml b/manifest.yml
index 9c833a1a7..aa658af17 100644
--- a/manifest.yml
+++ b/manifest.yml
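Review bot: The sandbox vars file still commits `ADMIN_CLIENT_SECRET`, `DANGEROUS_SALT`, `SECRET_KEY` and `BASIC_AUTH_PASSWORD` as plaintext right next to the new `redis_enabled: 1`, so this commit moves a non-secret out of GitHub secrets while leaving credential-shaped values in the repo for that environment. That is defensible only if the sandbox holds no real data and none of these values is reused elsewhere, which cannot be verified from this file; a comment above the block would stop the next reader from guessing, e.g. `# Sandbox-only throwaway credentials; they must never be reused in any other environment.` The `redis_enabled: 1` value is an unquoted integer, which matches the `REDIS_ENABLED: 1` it replaces, so the substituted value should be unchanged.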
@@ -32,7 +32,7 @@ applications:
 NR_APP_ID: ((nr_app_id))
 NR_BROWSER_KEY: ((NR_BROWSER_KEY))
- REDIS_ENABLED: ((REDIS_ENABLED))
+ REDIS_ENABLED: ((redis_enabled))
 ADMIN_BASE_URL: https://((public_admin_route))
 API_HOST_NAME: https://notify-api-((env)).apps.internal:61443

From 84123c31fb5c25438143bbc799e5fe66719d9c0c Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Mon, 8 May 2023 15:41:09 -0400
Subject: [PATCH 2/2] Workflows for enabling production space deploys

---
.github/workflows/deploy-prod.yml | 87 +++++++++++++++++++
.github/workflows/drift.yml | 36 ++++----
.github/workflows/terraform-production.yml | 2 +-
.../notify-admin-production.allow.acl | 2 +
.../notify-admin-production.deny.acl | 0
.../notify-admin-production.deploy.acl | 1 +
terraform/production/main.tf | 6 +-
7 files changed, 112 insertions(+), 22 deletions(-)
create mode 100644 .github/workflows/deploy-prod.yml
create mode 100644 deploy-config/egress_proxy/notify-admin-production.allow.acl
create mode 100644 deploy-config/egress_proxy/notify-admin-production.deny.acl
create mode 100644 deploy-config/egress_proxy/notify-admin-production.deploy.acl

diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
new file mode 100644
index 000000000..647ccbd3b
--- /dev/null
+++ b/.github/workflows/deploy-prod.yml
@@ -0,0 +1,87 @@
+name: Deploy to production environment
+
+on:
+ push:
+ branches: [ production ]
+
+permissions:
+ contents: read
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ environment: production
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 2
+
+ - name: Check for changes to Terraform
+ id: changed-terraform-files
+ uses: tj-actions/changed-files@v1.1.2
+ with:
+ files: |
+ terraform/production
+ terraform/shared
+ .github/workflows/deploy-prod.yml
+ - name: Terraform init
+ if: steps.changed-terraform-files.outputs.any_changed == 'true'
+ working-directory: terraform/production
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+ run: terraform init
+ - name: Terraform apply
+ if: steps.changed-terraform-files.outputs.any_changed == 'true'
+ working-directory: terraform/production
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+ TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+ TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+ run: terraform apply -auto-approve -input=false
+
+ - uses: ./.github/actions/setup-project
+
+ - name: Create requirements.txt because Cloud Foundry does a weird pipenv thing
+ run: pipenv requirements > requirements.txt
+
+ - name: Deploy to cloud.gov
+ uses: 18f/cg-deploy-action@main
+ env:
+ DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
+ SECRET_KEY: ${{ secrets.SECRET_KEY }}
+ ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
+ BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
+ NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
+ NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
+ with:
+ cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
+ cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+ cf_org: gsa-tts-benefits-studio-prototyping
+ cf_space: notify-production
+ push_arguments: >-
+ --vars-file deploy-config/production.yml
+ --var DANGEROUS_SALT="$DANGEROUS_SALT"
+ --var SECRET_KEY="$SECRET_KEY"
+ --var ADMIN_CLIENT_USERNAME="notify-admin"
+ --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
+ --var BASIC_AUTH_USERNAME="curiousabout"
+ --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD"
+ --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
+ --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
+
+ - name: Check for changes to egress config
+ id: changed-egress-config
+ uses: tj-actions/changed-files@v34
+ with:
+ files: |
+ deploy-config/egress_proxy/notify-admin-production.*.acl
+ .github/actions/deploy-proxy/action.yml
+ .github/workflows/deploy-prod.yml
+ - name: Deploy egress proxy
+ if: steps.changed-egress-config.outputs.any_changed == 'true'
+ uses: ./.github/actions/deploy-proxy
+ with:
+ cf_space: notify-production
+ app: notify-admin-production
diff --git a/.github/workflows/drift.yml b/.github/workflows/drift.yml
index 412290a49..616e72689 100644
--- a/.github/workflows/drift.yml
+++ b/.github/workflows/drift.yml
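Review bot: `uses: 18f/cg-deploy-action@main` hands the cloud.gov credentials and every application secret in that step's `env:` block to whatever the `main` branch of a third-party repository contains at run time, so a compromise of that repository becomes a compromise of production; pin it to a full commit SHA with the version in a trailing comment, `uses: 18f/cg-deploy-action@<full-sha>  # main as of 2023-05-08`, and do the same for the two `tj-actions/changed-files` references, which sit on mutable tags and on two different major versions (`v1.1.2` and `v34`) in the same workflow. `terraform apply -auto-approve` on every push to `production` is gated only by `environment: production`, so this job is exactly as safe as the required-reviewer rule on that environment, which is not visible here; a comment above `environment:` stating that the environment's protection rules are the approval step would make the dependency explicit. Whether the `changed-files` comparison behaves on the very first push to a new `production` branch, where `fetch-depth: 2` may have no prior commit to diff against, should be verified before relying on it to trigger the initial Terraform apply.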
@@ -45,22 +45,22 @@ jobs:
 with:
 path: terraform/demo
 
- # check_prod_drift:
- # runs-on: ubuntu-latest
- # name: Check for drift of production terraform configuration
- # environment: production
- # steps:
- # - name: Checkout
- # uses: actions/checkout@v3
- # with:
- # ref: 'production'
+ check_prod_drift:
+ runs-on: ubuntu-latest
+ name: Check for drift of production terraform configuration
+ environment: production
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ with:
+ ref: 'production'
 
- # - name: Check for drift
- # uses: dflook/terraform-check@v1
- # env:
- # AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
- # AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
- # TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
- # TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
- # with:
- # path: terraform/production
+ - name: Check for drift
+ uses: dflook/terraform-check@v1
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+ TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+ TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+ with:
+ path: terraform/production
diff --git a/.github/workflows/terraform-production.yml b/.github/workflows/terraform-production.yml
index e48000438..afb10dcfb 100644
--- a/.github/workflows/terraform-production.yml
+++ b/.github/workflows/terraform-production.yml
@@ -2,7 +2,7 @@ name: Run Terraform plan in production
 
 on:
 pull_request:
- branches: [ production-disabled-for-now ]
+ branches: [ production ]
 paths: [ 'terraform/**' ]
 
 defaults:
diff --git a/deploy-config/egress_proxy/notify-admin-production.allow.acl b/deploy-config/egress_proxy/notify-admin-production.allow.acl
new file mode 100644
index 000000000..2173a6b4b
--- /dev/null
+++ b/deploy-config/egress_proxy/notify-admin-production.allow.acl
@@ -0,0 +1,2 @@
+gov-collector.newrelic.com
+egress-proxy-notify-admin-production.apps.internal
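Review bot: Re-enabling `check_prod_drift` passes the production state-bucket keys and the cloud.gov password to `dflook/terraform-check@v1`, a third-party action referenced by a mutable major-version tag, so the same pinning concern applies as to the deploy workflow; `uses: dflook/terraform-check@<full-sha>  # v1` keeps the credentials from following whatever that tag is moved to. The job also carries `environment: production`; if that environment enforces required reviewers, a scheduled drift check will block on manual approval every run and quietly stop being useful, which is worth either a comment explaining the intent or a separate approval-free environment holding only read-capable credentials. The job's trigger is defined outside this hunk, so which of these applies cannot be confirmed here.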
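Review bot: Pointing the plan workflow at `branches: [ production ]` means any pull request targeting `production` that touches `terraform/**` now runs `terraform plan`, and plan executes provider code and any `external` or `http` data source introduced by the PR, so a same-repository PR author can run arbitrary code with whatever credentials that job exposes. The credentials and the rest of the trigger block are outside this hunk; confirm the workflow stays on `pull_request` rather than `pull_request_target`, and that the plan job is either gated by `environment: production` or given credentials that cannot modify state or the cloud.gov space. A comment above `on:` noting that plan runs on untrusted PR content and therefore must not receive write-capable credentials would document the constraint for the next change.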
diff --git a/deploy-config/egress_proxy/notify-admin-production.deny.acl b/deploy-config/egress_proxy/notify-admin-production.deny.acl
new file mode 100644
index 000000000..e69de29bb
diff --git a/deploy-config/egress_proxy/notify-admin-production.deploy.acl b/deploy-config/egress_proxy/notify-admin-production.deploy.acl
new file mode 100644
index 000000000..ecbb75b60
--- /dev/null
+++ b/deploy-config/egress_proxy/notify-admin-production.deploy.acl
@@ -0,0 +1 @@
+Update this file to force a re-deploy of the egress proxy even when notify-admin-production..acl haven't changed
diff --git a/terraform/production/main.tf b/terraform/production/main.tf
index aeb417dbd..f339a7366 100644
--- a/terraform/production/main.tf
+++ b/terraform/production/main.tf
@@ -13,7 +13,7 @@ module "redis" {
 cf_space_name = local.cf_space_name
 name = "${local.app_name}-redis-${local.env}"
 recursive_delete = local.recursive_delete
- redis_plan_name = "TKTK-production-redis-plan"
+ redis_plan_name = "redis-3node-large"
 }
 
 module "logo_upload_bucket" {
@@ -45,7 +45,7 @@ module "logo_upload_bucket" {
 # It can be re-enabled after:
 # 1) the app has first been deployed
 # 2) the route has been manually created by an OrgManager:
-# `cf create-domain TKTK-org-name TKTK-production-domain-name`
+# `cf create-domain gsa-tts-benefits-studio-prototyping beta.notify.gov`
 ###########################################################################
 # module "domain" {
 # source = "github.com/18f/terraform-cloudgov//domain?ref=v0.2.0"
@@ -56,5 +56,5 @@ module "logo_upload_bucket" {
 # name = "${local.app_name}-domain-${local.env}"
 # recursive_delete = local.recursive_delete
 # cdn_plan_name = "domain"
-# domain_name = "TKTK-production-domain-name"
+# domain_name = "beta.notify.gov"
 # }
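Review bot: `recursive_delete = local.recursive_delete` now sits on a real production Redis plan (`redis-3node-large`), and if `local.recursive_delete` is `true` for this environment a `terraform destroy` or removal of the module will delete the service instance together with its bindings with no further prompt. The value is defined in `locals` outside this hunk, so confirm it is `false` for production, or make the intent visible on the line itself with `recursive_delete = local.recursive_delete # must stay false in production: removes the instance and its bindings`. The `module "domain"` block remains commented out, so the `beta.notify.gov` name is documentation only until the manual `cf create-domain` step in the comment has been carried out; the hunk leaves the reader to discover that from the surrounding comments.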