Workflows for enabling production space deploys

2025-12-09 06:33:52 -05:00 · 2023-05-08 15:41:09 -04:00
parent a3ce5e547e
commit 84123c31fb
7 changed files with 112 additions and 22 deletions
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -0,0 +1,87 @@
+name: Deploy to production environment
+
+on:
+  push:
+    branches: [ production ]
+
+permissions:
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: production
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 2
+
+      - name: Check for changes to Terraform
+        id: changed-terraform-files
+        uses: tj-actions/changed-files@v1.1.2
+        with:
+          files: |
+            terraform/production
+            terraform/shared
+            .github/workflows/deploy-prod.yml
+      - name: Terraform init
+        if: steps.changed-terraform-files.outputs.any_changed == 'true'
+        working-directory: terraform/production
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+        run: terraform init
+      - name: Terraform apply
+        if: steps.changed-terraform-files.outputs.any_changed == 'true'
+        working-directory: terraform/production
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+        run: terraform apply -auto-approve -input=false
+
+      - uses: ./.github/actions/setup-project
+
+      - name: Create requirements.txt because Cloud Foundry does a weird pipenv thing
+        run: pipenv requirements > requirements.txt
+
+      - name: Deploy to cloud.gov
+        uses: 18f/cg-deploy-action@main
+        env:
+          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
+          SECRET_KEY: ${{ secrets.SECRET_KEY }}
+          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
+          BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
+          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
+          NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
+        with:
+          cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
+          cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+          cf_org: gsa-tts-benefits-studio-prototyping
+          cf_space: notify-production
+          push_arguments: >-
+            --vars-file deploy-config/production.yml
+            --var DANGEROUS_SALT="$DANGEROUS_SALT"
+            --var SECRET_KEY="$SECRET_KEY"
+            --var ADMIN_CLIENT_USERNAME="notify-admin"
+            --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
+            --var BASIC_AUTH_USERNAME="curiousabout"
+            --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD"
+            --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
+            --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
+
+      - name: Check for changes to egress config
+        id: changed-egress-config
+        uses: tj-actions/changed-files@v34
+        with:
+          files: |
+            deploy-config/egress_proxy/notify-admin-production.*.acl
+            .github/actions/deploy-proxy/action.yml
+            .github/workflows/deploy-prod.yml
+      - name: Deploy egress proxy
+        if: steps.changed-egress-config.outputs.any_changed == 'true'
+        uses: ./.github/actions/deploy-proxy
+        with:
+          cf_space: notify-production
+          app: notify-admin-production
--- a/.github/workflows/drift.yml
+++ b/.github/workflows/drift.yml
@@ -45,22 +45,22 @@ jobs:
        with:
          path: terraform/demo

-  # check_prod_drift:
-  #   runs-on: ubuntu-latest
-  #   name: Check for drift of production terraform configuration
-  #   environment: production
-  #   steps:
-  #     - name: Checkout
-  #       uses: actions/checkout@v3
-  #       with:
-  #         ref: 'production'
+  check_prod_drift:
+    runs-on: ubuntu-latest
+    name: Check for drift of production terraform configuration
+    environment: production
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          ref: 'production'

-  #     - name: Check for drift
-  #       uses: dflook/terraform-check@v1
-  #       env:
-  #         AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-  #         AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-  #         TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
-  #         TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-  #       with:
-  #         path: terraform/production
+      - name: Check for drift
+        uses: dflook/terraform-check@v1
+        env:
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+        with:
+          path: terraform/production
--- a/.github/workflows/terraform-production.yml
+++ b/.github/workflows/terraform-production.yml
@@ -2,7 +2,7 @@ name: Run Terraform plan in production

 on:
  pull_request:
-    branches: [ production-disabled-for-now ]
+    branches: [ production ]
    paths: [ 'terraform/**' ]

 defaults:
--- a/deploy-config/egress_proxy/notify-admin-production.allow.acl
+++ b/deploy-config/egress_proxy/notify-admin-production.allow.acl
@@ -0,0 +1,2 @@
+gov-collector.newrelic.com
+egress-proxy-notify-admin-production.apps.internal
--- a/deploy-config/egress_proxy/notify-admin-production.deny.acl
+++ b/deploy-config/egress_proxy/notify-admin-production.deny.acl
--- a/deploy-config/egress_proxy/notify-admin-production.deploy.acl
+++ b/deploy-config/egress_proxy/notify-admin-production.deploy.acl
@@ -0,0 +1 @@
+Update this file to force a re-deploy of the egress proxy even when notify-admin-production.<allow|deny>.acl haven't changed
--- a/terraform/production/main.tf
+++ b/terraform/production/main.tf
@@ -13,7 +13,7 @@ module "redis" {
  cf_space_name    = local.cf_space_name
  name             = "${local.app_name}-redis-${local.env}"
  recursive_delete = local.recursive_delete
-  redis_plan_name  = "TKTK-production-redis-plan"
+  redis_plan_name  = "redis-3node-large"
 }

 module "logo_upload_bucket" {
@@ -45,7 +45,7 @@ module "logo_upload_bucket" {
 # It can be re-enabled after:
 # 1) the app has first been deployed
 # 2) the route has been manually created by an OrgManager:
-#     `cf create-domain TKTK-org-name TKTK-production-domain-name`
+#     `cf create-domain gsa-tts-benefits-studio-prototyping beta.notify.gov`
 ###########################################################################
 # module "domain" {
 #   source = "github.com/18f/terraform-cloudgov//domain?ref=v0.2.0"
@@ -56,5 +56,5 @@ module "logo_upload_bucket" {
 #   name             = "${local.app_name}-domain-${local.env}"
 #   recursive_delete = local.recursive_delete
 #   cdn_plan_name    = "domain"
-#   domain_name      = "TKTK-production-domain-name"
+#   domain_name      = "beta.notify.gov"
 # }
				`@@ -0,0 +1 @@`
				`Update this file to force a re-deploy of the egress proxy even when notify-admin-production.<allow\|deny>.acl haven't changed`