Merge pull request #170 from GSA/studio-cloud-gov

Set up Studio cloud.gov environment
This commit is contained in:
Ryan Ahearn
2022-11-03 11:12:26 -04:00
committed by GitHub
25 changed files with 303 additions and 70 deletions

68
.github/workflows/deploy-demo.yml vendored Normal file
View File

@@ -0,0 +1,68 @@
name: Deploy to demo environment
on:
push:
branches: [ production ]
permissions:
contents: read
jobs:
deploy:
runs-on: ubuntu-latest
environment: demo
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 2
- name: Check for changes to Terraform
id: changed-terraform-files
uses: tj-actions/changed-files@v1.1.2
with:
files: terraform/demo
- name: Terraform init
if: steps.changed-terraform-files.outputs.any_changed == 'true'
working-directory: terraform/demo
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
run: terraform init
- name: Terraform apply
if: steps.changed-terraform-files.outputs.any_changed == 'true'
working-directory: terraform/demo
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
run: terraform apply -auto-approve -input=false
- uses: ./.github/actions/setup-project
- name: Deploy to cloud.gov
uses: 18f/cg-deploy-action@main
env:
DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
SECRET_KEY: ${{ secrets.SECRET_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
with:
cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
cf_org: gsa-tts-benefits-studio-prototyping
cf_space: notify-demo
push_arguments: >-
--vars-file deploy-config/staging.yml
--var DANGEROUS_SALT="$DANGEROUS_SALT"
--var SECRET_KEY="$SECRET_KEY"
--var AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
--var AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY"
--var REDIS_ENABLED="$REDIS_ENABLED"
--var ADMIN_CLIENT_USERNAME="notify-admin"
--var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET"
--var BASIC_AUTH_USERNAME="curiousabout"
--var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD"

View File

@@ -15,13 +15,8 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
environment: staging
steps:
- name: Install container dependencies
run: |
sudo apt-get update \
&& sudo apt-get install -y --no-install-recommends \
libcurl4-openssl-dev
- uses: actions/checkout@v3
with:
fetch-depth: 2
@@ -48,31 +43,25 @@ jobs:
TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
run: terraform apply -auto-approve -input=false
- name: Set up Python 3.9
uses: actions/setup-python@v3
with:
python-version: "3.9"
- name: Install application dependencies
run: make bootstrap
- uses: ./.github/actions/setup-project
- name: Deploy to cloud.gov
uses: 18f/cg-deploy-action@main
env:
DANGEROUS_SALT: ${{ secrets.PROD_DANGEROUS_SALT }}
SECRET_KEY: ${{ secrets.PROD_SECRET_KEY }}
DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }}
SECRET_KEY: ${{ secrets.SECRET_KEY }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
ADMIN_CLIENT_SECRET: ${{ secrets.PROD_ADMIN_CLIENT_SECRET }}
ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }}
BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }}
REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }}
with:
cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
cf_org: gsa-10x-prototyping
cf_space: 10x-notifications
cf_org: gsa-tts-benefits-studio-prototyping
cf_space: notify-staging
push_arguments: >-
--var env=staging
--vars-file deploy-config/staging.yml
--var DANGEROUS_SALT="$DANGEROUS_SALT"
--var SECRET_KEY="$SECRET_KEY"
--var AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID"
@@ -87,4 +76,6 @@ jobs:
runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'failure' }}
steps:
- run: echo 'Checks failed, not deploying'
- uses: actions/github-script@v6
with:
script: core.setFailed('Checks failed, not deploying')

79
.github/workflows/terraform-demo.yml vendored Normal file
View File

@@ -0,0 +1,79 @@
name: Run Terraform plan in demo
on:
pull_request:
branches: [ production ]
paths: [ 'terraform/**' ]
defaults:
run:
working-directory: terraform/demo
jobs:
terraform:
name: Terraform plan
runs-on: ubuntu-latest
environment: demo
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Terraform format
id: format
run: terraform fmt -check
- name: Terraform init
id: init
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
run: terraform init
- name: Terraform validate
id: validation
run: terraform validate -no-color
- name: Terraform plan
id: plan
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt
- name: Read Terraform plan output file
id: terraform_output
uses: juliangruber/read-file-action@v1
if: ${{ always() }}
with:
path: ./terraform/demo/plan_output.txt
# inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
- name: Update PR
uses: actions/github-script@v6
# we would like to update the PR even when a prior step failed
if: ${{ always() }}
with:
script: |
const output = `Terraform Format and Style: ${{ steps.format.outcome }}
Terraform Initialization: ${{ steps.init.outcome }}
Terraform Validation: ${{ steps.validation.outcome }}
Terraform Plan: ${{ steps.plan.outcome }}
<details><summary>Show Plan</summary>
\`\`\`\n
${{ steps.terraform_output.outputs.content }}
\`\`\`
</details>
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})

View File

@@ -2,7 +2,7 @@ name: Run Terraform plan in production
on:
pull_request:
branches: [ production ]
branches: [ production-disabled-for-now ]
paths: [ 'terraform/**' ]
defaults:
@@ -38,8 +38,8 @@ jobs:
env:
AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }}
TF_VAR_cf_user: ${{ secrets.CF_USERNAME }}
TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }}
TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }}
TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt
- name: Read Terraform plan output file
@@ -51,7 +51,7 @@ jobs:
# inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
- name: Update PR
uses: actions/github-script@v4
uses: actions/github-script@v6
# we would like to update the PR even when a prior step failed
if: ${{ always() }}
with:
@@ -71,7 +71,7 @@ jobs:
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.issues.createComment({
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,

View File

@@ -13,6 +13,7 @@ jobs:
terraform:
name: Terraform plan
runs-on: ubuntu-latest
environment: staging
steps:
- name: Checkout
uses: actions/checkout@v2
@@ -50,7 +51,7 @@ jobs:
# inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
- name: Update PR
uses: actions/github-script@v4
uses: actions/github-script@v6
# we would like to update the PR even when a prior step failed
if: ${{ always() }}
with:
@@ -70,7 +71,7 @@ jobs:
*Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
github.issues.createComment({
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,

View File

@@ -148,6 +148,10 @@ class Staging(Production):
HEADER_COLOUR = '#6F72AF' # $mauve
class Demo(Staging):
pass
class Scanning(Production):
BASIC_AUTH_FORCE = False
HTTP_PROTOCOL = 'http'
@@ -162,5 +166,6 @@ configs = {
'test': Test,
'scanning': Scanning,
'staging': Staging,
'demo': Demo,
'production': Production
}

4
deploy-config/demo.yml Normal file
View File

@@ -0,0 +1,4 @@
env: demo
instances: 1
memory: 1G
public_admin_route: notify-demo.app.cloud.gov

View File

@@ -0,0 +1,4 @@
env: production
instances: 2
memory: 1G
public_admin_route: notify.app.cloud.gov

View File

@@ -0,0 +1,4 @@
env: staging
instances: 1
memory: 1G
public_admin_route: notify-staging.app.cloud.gov

View File

@@ -1,45 +1,44 @@
---
applications:
- name: notifications-admin-((env))
- name: notify-admin-((env))
buildpack: python_buildpack
memory: 1G
instances: ((instances))
memory: ((memory))
health-check-type: http
health-check-http-endpoint: '/_status?simple=true'
health-check-invocation-timeout: 10
routes:
- route: notifications-admin.app.cloud.gov
- route: ((public_admin_route))
services:
- notifications-admin-redis-((env))
- notifications-api-csv-upload-bucket-((env))
- notifications-api-contact-list-bucket-((env))
- notifications-admin-logo-upload-bucket-((env))
- notify-admin-redis-((env))
- notify-api-csv-upload-bucket-((env))
- notify-api-contact-list-bucket-((env))
- notify-admin-logo-upload-bucket-((env))
env:
NOTIFY_ENVIRONMENT: ((env))
NOTIFY_APP_NAME: admin
NOTIFY_LOG_PATH: /home/vcap/logs/app.log
NOTIFY_LOG_LEVEL: INFO
FLASK_APP: application.py
FLASK_ENV: production
DEPLOY_ENV: ((env))
REDIS_ENABLED: ((REDIS_ENABLED))
NOTIFY_ENVIRONMENT: ((env))
ADMIN_BASE_URL: https://((public_admin_route))
API_HOST_NAME: https://notify-api-((env)).apps.internal:61443
# Credentials variables
ADMIN_CLIENT_SECRET: ((ADMIN_CLIENT_SECRET))
ADMIN_CLIENT_USERNAME: ((ADMIN_CLIENT_USERNAME))
ADMIN_BASE_URL: https://notifications-admin.app.cloud.gov
API_HOST_NAME: https://notifications-api-((env)).apps.internal:61443
DANGEROUS_SALT: ((DANGEROUS_SALT))
SECRET_KEY: ((SECRET_KEY))
BASIC_AUTH_USERNAME: ((BASIC_AUTH_USERNAME))
BASIC_AUTH_PASSWORD: ((BASIC_AUTH_PASSWORD))
AWS_REGION: us-west-2
AWS_ACCESS_KEY_ID: ((AWS_ACCESS_KEY_ID))
AWS_SECRET_ACCESS_KEY: ((AWS_SECRET_ACCESS_KEY))
BASIC_AUTH_USERNAME: ((BASIC_AUTH_USERNAME))
BASIC_AUTH_PASSWORD: ((BASIC_AUTH_PASSWORD))
NOTIFY_BILLING_DETAILS: []
NOTIFY_BILLING_DETAILS: '[]'
REQUESTS_CA_BUNDLE: "/etc/ssl/certs/ca-certificates.crt"

View File

@@ -4,8 +4,8 @@ read -p "Are you sure you want to import terraform state (y/n)? " verify
if [[ $verify == "y" ]]; then
echo "Importing bootstrap state"
./run.sh import module.s3.cloudfoundry_service_instance.bucket 31204bcc-aae3-4cd3-8b59-5055a338d44f
./run.sh import cloudfoundry_service_key.bucket_creds 483a6ac5-4ba0-48ad-9850-ef87b51aaa08
./run.sh import module.s3.cloudfoundry_service_instance.bucket 6b759c13-6253-4a64-9bda-dd1f620185b0
./run.sh import cloudfoundry_service_key.bucket_creds a8e40295-68b7-42ba-8955-d82ba262e948
./run.sh plan
else
echo "Not importing bootstrap state"

View File

@@ -9,8 +9,8 @@ module "s3" {
cf_api_url = local.cf_api_url
cf_user = var.cf_user
cf_password = var.cf_password
cf_org_name = "gsa-10x-prototyping"
cf_space_name = "10x-notifications"
cf_org_name = "gsa-tts-benefits-studio-prototyping"
cf_space_name = "notify-management"
s3_service_name = local.s3_service_name
}

View File

@@ -1,7 +1,7 @@
#!/usr/bin/env bash
if [[ ! -f "secrets.auto.tfvars" ]]; then
../create_service_account.sh -s 10x-notifications -u config-bootstrap-deployer > secrets.auto.tfvars
../create_service_account.sh -s notify-management -u config-bootstrap-deployer > secrets.auto.tfvars
fi
if [[ $# -gt 0 ]]; then

View File

@@ -1,5 +1,5 @@
#!/usr/bin/env bash
../destroy_service_account.sh -s 10x-notifications -u config-bootstrap-deployer
../destroy_service_account.sh -s notify-management -u config-bootstrap-deployer
rm secrets.auto.tfvars

View File

@@ -1,2 +1,4 @@
variable "cf_password" {}
variable "cf_password" {
sensitive = true
}
variable "cf_user" {}

View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
org="gsa-10x-prototyping"
org="gsa-tts-benefits-studio-prototyping"
usage="
$0: Create a Service User Account for a given space

48
terraform/demo/main.tf Normal file
View File

@@ -0,0 +1,48 @@
locals {
cf_org_name = "gsa-tts-benefits-studio-prototyping"
cf_space_name = "notify-demo"
env = "demo"
app_name = "notify-admin"
recursive_delete = false
}
module "redis" {
source = "github.com/18f/terraform-cloudgov//redis"
cf_user = var.cf_user
cf_password = var.cf_password
cf_org_name = local.cf_org_name
cf_space_name = local.cf_space_name
env = local.env
app_name = local.app_name
recursive_delete = local.recursive_delete
redis_plan_name = "redis-dev"
}
module "logo_upload_bucket" {
source = "github.com/18f/terraform-cloudgov//s3"
cf_user = var.cf_user
cf_password = var.cf_password
cf_org_name = local.cf_org_name
cf_space_name = local.cf_space_name
recursive_delete = local.recursive_delete
s3_service_name = "${local.app_name}-logo-upload-bucket-${local.env}"
}
# ##########################################################################
# The following lines need to be commented out for the initial `terraform apply`
# It can be re-enabled after:
# 1) the api app has first been deployed
# 2) the admin app has first been deployed
###########################################################################
# module "api_network_route" {
# source = "../shared/container_networking"
# cf_user = var.cf_user
# cf_password = var.cf_password
# cf_org_name = local.cf_org_name
# cf_space_name = local.cf_space_name
# source_app_name = "${local.app_name}-${local.env}"
# destination_app_name = "notify-api-${local.env}"
# }

View File

@@ -0,0 +1,17 @@
terraform {
required_version = "~> 1.0"
required_providers {
cloudfoundry = {
source = "cloudfoundry-community/cloudfoundry"
version = "0.15.5"
}
}
backend "s3" {
bucket = "cg-6b759c13-6253-4a64-9bda-dd1f620185b0"
key = "admin.tfstate.demo"
encrypt = "true"
region = "us-gov-west-1"
profile = "notify-terraform-backend"
}
}

View File

@@ -0,0 +1,5 @@
variable "cf_password" {
type = string
sensitive = true
}
variable "cf_user" {}

View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
org="gsa-10x-prototyping"
org="gsa-tts-benefits-studio-prototyping"
usage="
$0: Destroy a Service User Account in a given space

View File

@@ -1,8 +1,8 @@
locals {
cf_org_name = "TKTK"
cf_space_name = "TKTK"
cf_org_name = "gsa-tts-benefits-studio-prototyping"
cf_space_name = "notify-prod"
env = "production"
app_name = "notifications-admin"
app_name = "notify-admin"
recursive_delete = false
}
@@ -44,7 +44,7 @@ module "logo_upload_bucket" {
# cf_org_name = local.cf_org_name
# cf_space_name = local.cf_space_name
# source_app_name = "${local.app_name}-${local.env}"
# destination_app_name = "notifications-api-${local.env}"
# destination_app_name = "notify-api-${local.env}"
# }
# ##########################################################################

View File

@@ -8,7 +8,7 @@ terraform {
}
backend "s3" {
bucket = "cg-31204bcc-aae3-4cd3-8b59-5055a338d44f"
bucket = "cg-6b759c13-6253-4a64-9bda-dd1f620185b0"
key = "admin.tfstate.prod"
encrypt = "true"
region = "us-gov-west-1"

View File

@@ -1,6 +1,6 @@
#!/usr/bin/env bash
org="gsa-10x-prototyping"
org="gsa-tts-benefits-studio-prototyping"
usage="
$0: Set egress rules for given space

View File

@@ -1,8 +1,8 @@
locals {
cf_org_name = "gsa-10x-prototyping"
cf_space_name = "10x-notifications"
cf_org_name = "gsa-tts-benefits-studio-prototyping"
cf_space_name = "notify-staging"
env = "staging"
app_name = "notifications-admin"
app_name = "notify-admin"
recursive_delete = true
}
@@ -30,13 +30,19 @@ module "logo_upload_bucket" {
s3_service_name = "${local.app_name}-logo-upload-bucket-${local.env}"
}
module "api_network_route" {
source = "../shared/container_networking"
# ##########################################################################
# The following lines need to be commented out for the initial `terraform apply`
# It can be re-enabled after:
# 1) the api app has first been deployed
# 2) the admin app has first been deployed
###########################################################################
# module "api_network_route" {
# source = "../shared/container_networking"
cf_user = var.cf_user
cf_password = var.cf_password
cf_org_name = local.cf_org_name
cf_space_name = local.cf_space_name
source_app_name = "${local.app_name}-${local.env}"
destination_app_name = "notifications-api-${local.env}"
}
# cf_user = var.cf_user
# cf_password = var.cf_password
# cf_org_name = local.cf_org_name
# cf_space_name = local.cf_space_name
# source_app_name = "${local.app_name}-${local.env}"
# destination_app_name = "notify-api-${local.env}"
# }

View File

@@ -8,7 +8,7 @@ terraform {
}
backend "s3" {
bucket = "cg-31204bcc-aae3-4cd3-8b59-5055a338d44f"
bucket = "cg-6b759c13-6253-4a64-9bda-dd1f620185b0"
key = "admin.tfstate.stage"
encrypt = "true"
region = "us-gov-west-1"