Workflows for enabling production space deploys

2025-12-09 14:45:00 -05:00 · 2023-05-08 15:41:09 -04:00
parent a3ce5e547e
commit 84123c31fb
7 changed files with 112 additions and 22 deletions
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -0,0 +1,87 @@
 name: Deploy to production environment
 on:
  push:
    branches: [ production ]
 permissions:
  contents: read
 jobs:
  deploy:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 2
      - name: Check for changes to Terraform
        id: changed-terraform-files
        uses: tj-actions/changed-files@v1.1.2
        with:
          files: |
            terraform/production
            terraform/shared
            .github/workflows/deploy-prod.yml
      - name: Terraform init
        if: steps.changed-terraform-files.outputs.any_changed == 'true'
        working-directory: terraform/production
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
        run: terraform init
      - name: Terraform apply
        if: steps.changed-terraform-files.outputs.any_changed == 'true'
        working-directory: terraform/production
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
        run: terraform apply -auto-approve -input=false
      - uses: ./.github/actions/setup-project
      - name: Create requirements.txt because Cloud Foundry does a weird pipenv thing
        run: pipenv requirements > requirements.txt
      - name: Deploy to cloud.gov
        uses: 18f/cg-deploy-action@main
        env:
          DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
          SECRET_KEY: ${{ secrets.SECRET_KEY }}
          ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
          BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
          NEW_RELIC_LICENSE_KEY: ${{ secrets.NEW_RELIC_LICENSE_KEY }}
          NR_BROWSER_KEY: ${{ secrets.NR_BROWSER_KEY }}
        with:
          cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
          cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
          cf_org: gsa-tts-benefits-studio-prototyping
          cf_space: notify-production
          push_arguments: >-
            --vars-file deploy-config/production.yml
            --var DANGEROUS_SALT="$DANGEROUS_SALT"
            --var SECRET_KEY="$SECRET_KEY"
            --var ADMIN_CLIENT_USERNAME="notify-admin"
            --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
            --var BASIC_AUTH_USERNAME="curiousabout"
            --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD"
            --var NEW_RELIC_LICENSE_KEY="$NEW_RELIC_LICENSE_KEY"
            --var NR_BROWSER_KEY="$NR_BROWSER_KEY"
      - name: Check for changes to egress config
        id: changed-egress-config
        uses: tj-actions/changed-files@v34
        with:
          files: |
            deploy-config/egress_proxy/notify-admin-production.*.acl
            .github/actions/deploy-proxy/action.yml
            .github/workflows/deploy-prod.yml
      - name: Deploy egress proxy
        if: steps.changed-egress-config.outputs.any_changed == 'true'
        uses: ./.github/actions/deploy-proxy
        with:
          cf_space: notify-production
          app: notify-admin-production
--- a/.github/workflows/drift.yml
+++ b/.github/workflows/drift.yml
@@ -45,22 +45,22 @@ jobs:
        with:
          path: terraform/demo
-  # check_prod_drift:
+  check_prod_drift:
-  #   runs-on: ubuntu-latest
+    runs-on: ubuntu-latest
-  #   name: Check for drift of production terraform configuration
+    name: Check for drift of production terraform configuration
-  #   environment: production
+    environment: production
-  #   steps:
+    steps:
-  #     - name: Checkout
+      - name: Checkout
-  #       uses: actions/checkout@v3
+        uses: actions/checkout@v3
-  #       with:
+        with:
-  #         ref: 'production'
+          ref: 'production'
-  #     - name: Check for drift
+      - name: Check for drift
-  #       uses: dflook/terraform-check@v1
+        uses: dflook/terraform-check@v1
-  #       env:
+        env:
-  #         AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
-  #         AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
-  #         TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
+          TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
-  #         TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
+          TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
-  #       with:
+        with:
-  #         path: terraform/production
+          path: terraform/production
--- a/.github/workflows/terraform-production.yml
+++ b/.github/workflows/terraform-production.yml
@@ -2,7 +2,7 @@ name: Run Terraform plan in production
 on:
  pull_request:
-    branches: [ production-disabled-for-now ]
+    branches: [ production ]
    paths: [ 'terraform/**' ]
 defaults:
--- a/deploy-config/egress_proxy/notify-admin-production.allow.acl
+++ b/deploy-config/egress_proxy/notify-admin-production.allow.acl
@@ -0,0 +1,2 @@
 gov-collector.newrelic.com
 egress-proxy-notify-admin-production.apps.internal
--- a/deploy-config/egress_proxy/notify-admin-production.deny.acl
+++ b/deploy-config/egress_proxy/notify-admin-production.deny.acl
--- a/deploy-config/egress_proxy/notify-admin-production.deploy.acl
+++ b/deploy-config/egress_proxy/notify-admin-production.deploy.acl
@@ -0,0 +1 @@
 Update this file to force a re-deploy of the egress proxy even when notify-admin-production.<allow|deny>.acl haven't changed
--- a/terraform/production/main.tf
+++ b/terraform/production/main.tf
@@ -13,7 +13,7 @@ module "redis" {
  cf_space_name    = local.cf_space_name
  name             = "${local.app_name}-redis-${local.env}"
  recursive_delete = local.recursive_delete
-  redis_plan_name  = "TKTK-production-redis-plan"
+  redis_plan_name  = "redis-3node-large"
 }
 module "logo_upload_bucket" {
@@ -45,7 +45,7 @@ module "logo_upload_bucket" {
 # It can be re-enabled after:
 # 1) the app has first been deployed
 # 2) the route has been manually created by an OrgManager:
-#     `cf create-domain TKTK-org-name TKTK-production-domain-name`
+#     `cf create-domain gsa-tts-benefits-studio-prototyping beta.notify.gov`
 ###########################################################################
 # module "domain" {
 #   source = "github.com/18f/terraform-cloudgov//domain?ref=v0.2.0"
@@ -56,5 +56,5 @@ module "logo_upload_bucket" {
 #   name             = "${local.app_name}-domain-${local.env}"
 #   recursive_delete = local.recursive_delete
 #   cdn_plan_name    = "domain"
-#   domain_name      = "TKTK-production-domain-name"
+#   domain_name      = "beta.notify.gov"
 # }
		`@@ -0,0 +1,2 @@`
							`gov-collector.newrelic.com`
							`egress-proxy-notify-admin-production.apps.internal`
		`@@ -0,0 +1 @@`
							`Update this file to force a re-deploy of the egress proxy even when notify-admin-production.<allow\|deny>.acl haven't changed`