diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml
new file mode 100644
index 000000000..a0ae9f598
--- /dev/null
+++ b/.github/workflows/deploy-demo.yml
@@ -0,0 +1,68 @@ +name: Deploy to demo environment + +on: + push: + branches: [ production ] + +permissions: + contents: read + +jobs: + deploy: + runs-on: ubuntu-latest + environment: demo + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 2 + + - name: Check for changes to Terraform + id: changed-terraform-files + uses: tj-actions/changed-files@v1.1.2 + with: + files: terraform/demo + - name: Terraform init + if: steps.changed-terraform-files.outputs.any_changed == 'true' + working-directory: terraform/demo + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + run: terraform init + - name: Terraform apply + if: steps.changed-terraform-files.outputs.any_changed == 'true' + working-directory: terraform/demo + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} + TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + run: terraform apply -auto-approve -input=false + + - uses: ./.github/actions/setup-project + + - name: Deploy to cloud.gov + uses: 18f/cg-deploy-action@main + env: + DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} + SECRET_KEY: ${{ secrets.SECRET_KEY }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} + BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }} + REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }} + with: + cf_username: ${{ secrets.CLOUDGOV_USERNAME }} + cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + cf_org: gsa-tts-benefits-studio-prototyping + cf_space: notify-demo + push_arguments: >- + --vars-file deploy-config/staging.yml + --var DANGEROUS_SALT="$DANGEROUS_SALT" + --var SECRET_KEY="$SECRET_KEY" + --var AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" + --var 
AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" + --var REDIS_ENABLED="$REDIS_ENABLED" + --var ADMIN_CLIENT_USERNAME="notify-admin" + --var ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET" + --var BASIC_AUTH_USERNAME="curiousabout" + --var BASIC_AUTH_PASSWORD="$BASIC_AUTH_PASSWORD" diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 1efb81a27..5795c1f15 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -15,13 +15,8 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'success' }} + environment: staging steps: - - name: Install container dependencies - run: | - sudo apt-get update \ - && sudo apt-get install -y --no-install-recommends \ - libcurl4-openssl-dev - - uses: actions/checkout@v3 with: fetch-depth: 2 
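Review bot: The `Deploy to cloud.gov` step in the new deploy-demo.yml pins a third-party action to a mutable branch, `uses: 18f/cg-deploy-action@main`, while handing it every deployment secret through `env` and `with`; whatever lands on that branch next runs here with those credentials. Pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: 18f/cg-deploy-action@<commit-sha>  # <version>`, and do the same for `tj-actions/changed-files@v1.1.2` and `actions/checkout@v3`, since tags can be moved after the fact. The unchanged `uses: 18f/cg-deploy-action@main` line in deploy.yml has the same exposure. Separately, `fetch-depth: 2` presumably leaves `changed-files` only the last commit to diff, so a multi-commit push whose `terraform/demo` change sits in an earlier commit may skip the Terraform steps — worth confirming against the action's push-event behaviour.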
@@ -48,31 +43,25 @@ jobs: TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} run: terraform apply -auto-approve -input=false - - name: Set up Python 3.9 - uses: actions/setup-python@v3 - with: - python-version: "3.9" - - - name: Install application dependencies - run: make bootstrap + - uses: ./.github/actions/setup-project - name: Deploy to cloud.gov uses: 18f/cg-deploy-action@main env: - DANGEROUS_SALT: ${{ secrets.PROD_DANGEROUS_SALT }} - SECRET_KEY: ${{ secrets.PROD_SECRET_KEY }} + DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} + SECRET_KEY: ${{ secrets.SECRET_KEY }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - ADMIN_CLIENT_SECRET: ${{ secrets.PROD_ADMIN_CLIENT_SECRET }} + ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} BASIC_AUTH_PASSWORD: ${{ secrets.BASIC_AUTH_PASSWORD }} REDIS_ENABLED: ${{ secrets.REDIS_ENABLED }} with: cf_username: ${{ secrets.CLOUDGOV_USERNAME }} cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} - cf_org: gsa-10x-prototyping - cf_space: 10x-notifications + cf_org: gsa-tts-benefits-studio-prototyping + cf_space: notify-staging push_arguments: >- - --var env=staging + --vars-file deploy-config/staging.yml --var DANGEROUS_SALT="$DANGEROUS_SALT" --var SECRET_KEY="$SECRET_KEY" --var AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" @@ -87,4 +76,6 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'failure' }} steps: - - run: echo 'Checks failed, not deploying' + - uses: actions/github-script@v6 + with: + script: core.setFailed('Checks failed, not deploying') diff --git a/.github/workflows/terraform-demo.yml b/.github/workflows/terraform-demo.yml new file mode 100644 index 000000000..29b8fa397 --- /dev/null +++ b/.github/workflows/terraform-demo.yml 
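Review bot: The rename from `secrets.PROD_DANGEROUS_SALT`, `PROD_SECRET_KEY` and `PROD_ADMIN_CLIENT_SECRET` to the unprefixed names only isolates staging if `DANGEROUS_SALT`, `SECRET_KEY` and `ADMIN_CLIENT_SECRET` are defined as secrets of the `staging` environment added earlier in this file; a name missing at the environment level silently resolves to a repository-level secret of the same name, which would share one salt and signing key across environments. Confirm those three exist under the `staging` (and `demo`) environment before this merges, and if nothing else reads the `PROD_*` repository secrets, remove them so the fallback path has nothing to fall back to. The `deploy` job's `steps` list continues outside this hunk.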
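Review bot: Pulling in `actions/github-script@v6` solely to call `core.setFailed('Checks failed, not deploying')` in the failure job is heavier than the task needs: it fetches and runs a Node action with the job's `GITHUB_TOKEN` to do what a shell step does directly. The equivalent is `- run: |` followed by `echo "::error::Checks failed, not deploying"` and `exit 1`, which emits the same error annotation, fails the job, and adds no further action to pin and keep current. This hunk is the tail of the job; its `runs-on` and `if` lines are context above it.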
@@ -0,0 +1,79 @@ +name: Run Terraform plan in demo + +on: + pull_request: + branches: [ production ] + paths: [ 'terraform/**' ] + +defaults: + run: + working-directory: terraform/demo + +jobs: + terraform: + name: Terraform plan + runs-on: ubuntu-latest + environment: demo + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Terraform format + id: format + run: terraform fmt -check + + - name: Terraform init + id: init + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + run: terraform init + + - name: Terraform validate + id: validation + run: terraform validate -no-color + + - name: Terraform plan + id: plan + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} + TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt + + - name: Read Terraform plan output file + id: terraform_output + uses: juliangruber/read-file-action@v1 + if: ${{ always() }} + with: + path: ./terraform/demo/plan_output.txt + + # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow + - name: Update PR + uses: actions/github-script@v6 + # we would like to update the PR even when a prior step failed + if: ${{ always() }} + with: + script: | + const output = `Terraform Format and Style: ${{ steps.format.outcome }} + Terraform Initialization: ${{ steps.init.outcome }} + Terraform Validation: ${{ steps.validation.outcome }} + Terraform Plan: ${{ steps.plan.outcome }} + +
Show Plan + + \`\`\`\n + ${{ steps.terraform_output.outputs.content }} + \`\`\` + +
+ + *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) diff --git a/.github/workflows/terraform-production.yml b/.github/workflows/terraform-production.yml index 7861c3205..e48000438 100644 --- a/.github/workflows/terraform-production.yml +++ b/.github/workflows/terraform-production.yml @@ -2,7 +2,7 @@ name: Run Terraform plan in production on: pull_request: - branches: [ production ] + branches: [ production-disabled-for-now ] paths: [ 'terraform/**' ] defaults: @@ -38,8 +38,8 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} - TF_VAR_cf_user: ${{ secrets.CF_USERNAME }} - TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }} + TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} + TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt - name: Read Terraform plan output file @@ -51,7 +51,7 @@ jobs: # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow - name: Update PR - uses: actions/github-script@v4 + uses: actions/github-script@v6 # we would like to update the PR even when a prior step failed if: ${{ always() }} with: @@ -71,7 +71,7 @@ jobs: *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; - github.issues.createComment({ + github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, diff --git a/.github/workflows/terraform-staging.yml b/.github/workflows/terraform-staging.yml index 5c7d2a6ff..b1ac54f8f 100644 --- a/.github/workflows/terraform-staging.yml +++ b/.github/workflows/terraform-staging.yml 
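Review bot: In the new terraform-demo.yml the `Terraform plan` step's `run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt` reports the exit status of `tee`, not of `terraform plan`, because a `run` step with no explicit `shell:` executes under `bash -e` without `pipefail`; a failed plan therefore shows up as `steps.plan.outcome` being success in the PR comment. Add `shell: bash` to that step (GitHub runs an explicit `shell: bash` with `-o pipefail`) or start the command with `set -o pipefail;`. The workflow also declares no `permissions:` block, unlike deploy-demo.yml in this same change, so the `Update PR` step's `github.rest.issues.createComment` call runs with whatever the repository's default token scope is; add `permissions:` with `contents: read` and `pull-requests: write` at the top so the plan job holds only what it needs. The same `| tee` line in terraform-production.yml and terraform-staging.yml is unchanged context here but has the same status-masking problem.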
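Review bot: Changing the trigger to `branches: [ production-disabled-for-now ]` switches off the production plan workflow by pointing it at a branch that presumably does not exist, which leaves no record in the file of why or for how long. A comment above the trigger, e.g. `# Production plans disabled: <reason or tracking issue>; re-enable by restoring branches: [ production ]`, or an explicit `if: false` on the `terraform` job, makes the intent visible and greppable rather than something a reader has to infer from a branch name.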
@@ -13,6 +13,7 @@ jobs: terraform: name: Terraform plan runs-on: ubuntu-latest + environment: staging steps: - name: Checkout uses: actions/checkout@v2 @@ -50,7 +51,7 @@ jobs: # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow - name: Update PR - uses: actions/github-script@v4 + uses: actions/github-script@v6 # we would like to update the PR even when a prior step failed if: ${{ always() }} with: @@ -70,7 +71,7 @@ jobs: *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; - github.issues.createComment({ + github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, diff --git a/deploy-config/demo.yml b/deploy-config/demo.yml new file mode 100644 index 000000000..2f82ea6e6 --- /dev/null +++ b/deploy-config/demo.yml @@ -0,0 +1,4 @@ +env: demo +instances: 1 +memory: 1G +public_admin_route: notify-demo.app.cloud.gov diff --git a/deploy-config/production.yml b/deploy-config/production.yml new file mode 100644 index 000000000..add5bbef2 --- /dev/null +++ b/deploy-config/production.yml @@ -0,0 +1,4 @@ +env: production +instances: 2 +memory: 1G +public_admin_route: notify.app.cloud.gov diff --git a/deploy-config/staging.yml b/deploy-config/staging.yml new file mode 100644 index 000000000..9478a72a2 --- /dev/null +++ b/deploy-config/staging.yml @@ -0,0 +1,4 @@ +env: staging +instances: 1 +memory: 1G +public_admin_route: notify-staging.app.cloud.gov