From 7eae0d74dc47743b83c532719af2697173bc33ba Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Tue, 1 Nov 2022 12:03:05 -0400 Subject: [PATCH 01/12] Update manifest.yml for studio cloud.gov org --- deploy-config/production.yml | 2 ++ deploy-config/staging.yml | 2 ++ manifest.yml | 11 ++++------- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/deploy-config/production.yml b/deploy-config/production.yml index c16fff8a0..20b350795 100644 --- a/deploy-config/production.yml +++ b/deploy-config/production.yml @@ -3,3 +3,5 @@ web_instances: 2 web_memory: 1G worker_instances: 1 worker_memory: 512M +public_api_route: notifications-api.app.cloud.gov +admin_base_url: https://notifications-admin.app.cloud.gov diff --git a/deploy-config/staging.yml b/deploy-config/staging.yml index 43478a524..d62a18434 100644 --- a/deploy-config/staging.yml +++ b/deploy-config/staging.yml @@ -3,3 +3,5 @@ web_instances: 1 web_memory: 1G worker_instances: 1 worker_memory: 512M +public_api_route: notifications-api-staging.app.cloud.gov +admin_base_url: https://notifications-admin-staging.app.cloud.gov diff --git a/manifest.yml b/manifest.yml index 77ee86a1c..34ba768ff 100644 --- a/manifest.yml +++ b/manifest.yml @@ -1,14 +1,11 @@ --- applications: - name: notifications-api-((env)) - buildpack: https://github.com/cloudfoundry/python-buildpack.git#v1.7.58 + buildpack: python_buildpack instances: 1 - memory: 1G disk_quota: 1G - health-check-type: process - health-check-invocation-timeout: 1 routes: - - route: notifications-api.app.cloud.gov + - route: ((public_api_route)) - route: notifications-api-((env)).apps.internal services: 
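Review bot: The manifest hunk now relies on platform defaults for both the Python buildpack version (`python_buildpack` replaces the pinned `python-buildpack.git#v1.7.58`) and the health check (`health-check-type: process` and `health-check-invocation-timeout` are removed), and nothing in the file records that this is intended. Tracking the platform-managed buildpack is reasonable because it receives the platform's security updates, but the health-check change is a silent change in how a deploy is judged healthy. A short comment next to `buildpack: python_buildpack`, such as `# platform-managed buildpack: picks up platform security updates; health checks use the platform defaults`, would keep the intent visible. The `processes:` block follows outside the hunk, so whether the worker process sets its own health check cannot be confirmed here.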
@@ -34,8 +31,8 @@ applications: FLASK_ENV: production NOTIFY_ENVIRONMENT: ((env)) - API_HOST_NAME: https://notifications-api.app.cloud.gov - ADMIN_BASE_URL: https://notifications-admin.app.cloud.gov + API_HOST_NAME: https://((public_api_route)) + ADMIN_BASE_URL: ((admin_base_url)) # Credentials variables INTERNAL_CLIENT_API_KEYS: '{"notify-admin":["((ADMIN_CLIENT_SECRET))"]}' From 507c6b06c6168267f938538ef7e3dbb3a7593cc2 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Tue, 1 Nov 2022 12:22:20 -0400 Subject: [PATCH 02/12] Update terraform for new org and space names --- terraform/bootstrap/main.tf | 4 ++-- terraform/bootstrap/run.sh | 2 +- terraform/bootstrap/teardown_creds.sh | 2 +- terraform/bootstrap/variables.tf | 4 +++- terraform/production/main.tf | 30 +++++++++++++++++++++++---- terraform/production/providers.tf | 2 +- terraform/production/variables.tf | 4 +++- terraform/staging/main.tf | 4 ++-- terraform/staging/providers.tf | 2 +- terraform/staging/variables.tf | 4 +++- 10 files changed, 43 insertions(+), 15 deletions(-) diff --git a/terraform/bootstrap/main.tf b/terraform/bootstrap/main.tf index f00fff4c5..f51d5bd2d 100644 --- a/terraform/bootstrap/main.tf +++ b/terraform/bootstrap/main.tf @@ -9,8 +9,8 @@ module "s3" { cf_api_url = local.cf_api_url cf_user = var.cf_user cf_password = var.cf_password - cf_org_name = "gsa-10x-prototyping" - cf_space_name = "10x-notifications" + cf_org_name = "gsa-tts-benefits-studio-prototyping" + cf_space_name = "notify-management" s3_service_name = local.s3_service_name } diff --git a/terraform/bootstrap/run.sh b/terraform/bootstrap/run.sh index 404987590..1ac395444 100755 --- a/terraform/bootstrap/run.sh +++ b/terraform/bootstrap/run.sh 
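Review bot: `API_HOST_NAME: https://((public_api_route))` and `ADMIN_BASE_URL: ((admin_base_url))` treat the two new deploy-config variables differently: `public_api_route` is a bare hostname that gets its scheme here, while `admin_base_url` carries `https://` in deploy-config/production.yml and staging.yml. The asymmetry is justified because `public_api_route` is also used as a `route:` entry earlier in the manifest, where a scheme would be invalid, but a later edit that adds `https://` to the deploy-config value would produce `https://https://…` here. A comment on the `API_HOST_NAME` line, e.g. `# public_api_route is a bare hostname (it doubles as the app route); the scheme is added here`, would prevent that.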
@@ -1,7 +1,7 @@ #!/usr/bin/env bash if [[ ! -f "secrets.auto.tfvars" ]]; then - ../create_service_account.sh -s 10x-notifications -u config-bootstrap-deployer > secrets.auto.tfvars + ../create_service_account.sh -s notify-management -u config-bootstrap-deployer > secrets.auto.tfvars fi if [[ $# -gt 0 ]]; then diff --git a/terraform/bootstrap/teardown_creds.sh b/terraform/bootstrap/teardown_creds.sh index 196e3756f..77207a69b 100755 --- a/terraform/bootstrap/teardown_creds.sh +++ b/terraform/bootstrap/teardown_creds.sh @@ -1,5 +1,5 @@ #!/usr/bin/env bash -../destroy_service_account.sh -s 10x-notifications -u config-bootstrap-deployer +../destroy_service_account.sh -s notify-management -u config-bootstrap-deployer rm secrets.auto.tfvars diff --git a/terraform/bootstrap/variables.tf b/terraform/bootstrap/variables.tf index 2fe500544..a24f2f3f8 100644 --- a/terraform/bootstrap/variables.tf +++ b/terraform/bootstrap/variables.tf @@ -1,2 +1,4 @@ -variable "cf_password" {} +variable "cf_password" { + sensitive = true +} variable "cf_user" {} diff --git a/terraform/production/main.tf b/terraform/production/main.tf index 3a02bec22..7be376ba4 100644 --- a/terraform/production/main.tf +++ b/terraform/production/main.tf @@ -1,6 +1,6 @@ locals { - cf_org_name = "TKTK" - cf_space_name = "TKTK" + cf_org_name = "gsa-tts-benefits-studio-prototyping" + cf_space_name = "notify-demo" env = "production" app_name = "notifications-api" recursive_delete = false @@ -16,7 +16,7 @@ module "database" { env = local.env app_name = local.app_name recursive_delete = local.recursive_delete - rds_plan_name = "TKTK-production-rds-plan" + rds_plan_name = "micro-psql" } module "redis" { 
@@ -29,7 +29,29 @@ module "redis" { env = local.env app_name = local.app_name recursive_delete = local.recursive_delete - redis_plan_name = "TKTK-production-redis-plan" + redis_plan_name = "redis-dev" +} + +module "csv_upload_bucket" { + source = "github.com/18f/terraform-cloudgov//s3" + + cf_user = var.cf_user + cf_password = var.cf_password + cf_org_name = local.cf_org_name + cf_space_name = local.cf_space_name + recursive_delete = local.recursive_delete + s3_service_name = "${local.app_name}-csv-upload-bucket-${local.env}" +} + +module "contact_list_bucket" { + source = "github.com/18f/terraform-cloudgov//s3" + + cf_user = var.cf_user + cf_password = var.cf_password + cf_org_name = local.cf_org_name + cf_space_name = local.cf_space_name + recursive_delete = local.recursive_delete + s3_service_name = "${local.app_name}-contact-list-bucket-${local.env}" } ########################################################################### diff --git a/terraform/production/providers.tf b/terraform/production/providers.tf index 00f7c902d..b11f77c29 100644 --- a/terraform/production/providers.tf +++ b/terraform/production/providers.tf @@ -8,7 +8,7 @@ terraform { } backend "s3" { - bucket = "cg-31204bcc-aae3-4cd3-8b59-5055a338d44f" + bucket = "TKTK" key = "api.tfstate.prod" encrypt = "true" region = "us-gov-west-1" diff --git a/terraform/production/variables.tf b/terraform/production/variables.tf index 2fe500544..a24f2f3f8 100644 --- a/terraform/production/variables.tf +++ b/terraform/production/variables.tf @@ -1,2 +1,4 @@ -variable "cf_password" {} +variable "cf_password" { + sensitive = true +} variable "cf_user" {} diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf index 3a81e21d5..ef7c46ffe 100644 --- a/terraform/staging/main.tf +++ b/terraform/staging/main.tf 
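Review bot: The new `csv_upload_bucket` and `contact_list_bucket` modules use `source = "github.com/18f/terraform-cloudgov//s3"` with no `?ref=` pin, so `terraform init` fetches whatever the module repository's default branch holds at that moment, and an upstream change silently alters what a production apply does. Pin the module to a tag or commit, e.g. `source = "github.com/18f/terraform-cloudgov//s3?ref=<TAG_OR_COMMIT>"`, and apply the same to the `database`, `redis` and bucket modules in the new terraform/demo/main.tf, whose `source` lines follow the same unpinned form and are applied unattended with `-auto-approve` by deploy-demo.yml. The `database` and `redis` blocks of this file are outside the hunk, so their pinning state cannot be confirmed here.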
@@ -1,6 +1,6 @@ locals { - cf_org_name = "gsa-10x-prototyping" - cf_space_name = "10x-notifications" + cf_org_name = "gsa-tts-benefits-studio-prototyping" + cf_space_name = "notify-staging" env = "staging" app_name = "notifications-api" recursive_delete = true diff --git a/terraform/staging/providers.tf b/terraform/staging/providers.tf index bd8c56c11..46eaa537a 100644 --- a/terraform/staging/providers.tf +++ b/terraform/staging/providers.tf @@ -8,7 +8,7 @@ terraform { } backend "s3" { - bucket = "cg-31204bcc-aae3-4cd3-8b59-5055a338d44f" + bucket = "TKTK" key = "api.tfstate.stage" encrypt = "true" region = "us-gov-west-1" diff --git a/terraform/staging/variables.tf b/terraform/staging/variables.tf index 2fe500544..a24f2f3f8 100644 --- a/terraform/staging/variables.tf +++ b/terraform/staging/variables.tf @@ -1,2 +1,4 @@ -variable "cf_password" {} +variable "cf_password" { + sensitive = true +} variable "cf_user" {} From a46e3dbefc70c86161fe44dfb18ab5a203312b06 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Wed, 2 Nov 2022 09:08:08 -0400 Subject: [PATCH 03/12] Add demo terraform environment --- deploy-config/demo.yml | 7 ++++ terraform/create_service_account.sh | 2 +- terraform/demo/main.tf | 55 ++++++++++++++++++++++++++++ terraform/demo/providers.tf | 17 +++++++++ terraform/demo/variables.tf | 4 ++ terraform/destroy_service_account.sh | 2 +- terraform/production/main.tf | 6 +-- terraform/set_space_egress.sh | 2 +- 8 files changed, 89 insertions(+), 6 deletions(-) create mode 100644 deploy-config/demo.yml create mode 100644 terraform/demo/main.tf create mode 100644 terraform/demo/providers.tf create mode 100644 terraform/demo/variables.tf diff --git a/deploy-config/demo.yml b/deploy-config/demo.yml new file mode 100644 index 000000000..5a42ba5c2 --- /dev/null +++ b/deploy-config/demo.yml 
@@ -0,0 +1,7 @@ +env: demo +web_instances: 1 +web_memory: 1G +worker_instances: 1 +worker_memory: 512M +public_api_route: notifications-api-demo.app.cloud.gov +admin_base_url: https://notifications-admin.app.cloud.gov diff --git a/terraform/create_service_account.sh b/terraform/create_service_account.sh index 1a6b0eb1c..fafe83adf 100755 --- a/terraform/create_service_account.sh +++ b/terraform/create_service_account.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -org="gsa-10x-prototyping" +org="gsa-tts-benefits-studio-prototyping" usage=" $0: Create a Service User Account for a given space diff --git a/terraform/demo/main.tf b/terraform/demo/main.tf new file mode 100644 index 000000000..8326175c8 --- /dev/null +++ b/terraform/demo/main.tf 
@@ -0,0 +1,55 @@ +locals { + cf_org_name = "gsa-tts-benefits-studio-prototyping" + cf_space_name = "notify-demo" + env = "demo" + app_name = "notifications-api" + recursive_delete = false +} + +module "database" { + source = "github.com/18f/terraform-cloudgov//database" + + cf_user = var.cf_user + cf_password = var.cf_password + cf_org_name = local.cf_org_name + cf_space_name = local.cf_space_name + env = local.env + app_name = local.app_name + recursive_delete = local.recursive_delete + rds_plan_name = "micro-psql" +} + +module "redis" { + source = "github.com/18f/terraform-cloudgov//redis" + + cf_user = var.cf_user + cf_password = var.cf_password + cf_org_name = local.cf_org_name + cf_space_name = local.cf_space_name + env = local.env + app_name = local.app_name + recursive_delete = local.recursive_delete + redis_plan_name = "redis-dev" +} + +module "csv_upload_bucket" { + source = "github.com/18f/terraform-cloudgov//s3" + + cf_user = var.cf_user + cf_password = var.cf_password + cf_org_name = local.cf_org_name + cf_space_name = local.cf_space_name + recursive_delete = local.recursive_delete + s3_service_name = "${local.app_name}-csv-upload-bucket-${local.env}" +} + +module "contact_list_bucket" { + source = "github.com/18f/terraform-cloudgov//s3" + + cf_user = var.cf_user + cf_password = var.cf_password + cf_org_name = local.cf_org_name + cf_space_name = local.cf_space_name + recursive_delete = local.recursive_delete + s3_service_name = "${local.app_name}-contact-list-bucket-${local.env}" +} diff --git a/terraform/demo/providers.tf b/terraform/demo/providers.tf new file mode 100644 index 000000000..b11f77c29 --- /dev/null +++ b/terraform/demo/providers.tf 
@@ -0,0 +1,17 @@ +terraform { + required_version = "~> 1.0" + required_providers { + cloudfoundry = { + source = "cloudfoundry-community/cloudfoundry" + version = "0.15.5" + } + } + + backend "s3" { + bucket = "TKTK" + key = "api.tfstate.prod" + encrypt = "true" + region = "us-gov-west-1" + profile = "notify-terraform-backend" + } +} diff --git a/terraform/demo/variables.tf b/terraform/demo/variables.tf new file mode 100644 index 000000000..a24f2f3f8 --- /dev/null +++ b/terraform/demo/variables.tf @@ -0,0 +1,4 @@ +variable "cf_password" { + sensitive = true +} +variable "cf_user" {} diff --git a/terraform/destroy_service_account.sh b/terraform/destroy_service_account.sh index caeb12901..e8db20474 100755 --- a/terraform/destroy_service_account.sh +++ b/terraform/destroy_service_account.sh @@ -1,6 +1,6 @@ #!/usr/bin/env bash -org="gsa-10x-prototyping" +org="gsa-tts-benefits-studio-prototyping" usage=" $0: Destroy a Service User Account in a given space diff --git a/terraform/production/main.tf b/terraform/production/main.tf index 7be376ba4..d5103c27f 100644 --- a/terraform/production/main.tf +++ b/terraform/production/main.tf @@ -1,6 +1,6 @@ locals { cf_org_name = "gsa-tts-benefits-studio-prototyping" - cf_space_name = "notify-demo" + cf_space_name = "notify-prod" env = "production" app_name = "notifications-api" recursive_delete = false @@ -16,7 +16,7 @@ module "database" { env = local.env app_name = local.app_name recursive_delete = local.recursive_delete - rds_plan_name = "micro-psql" + rds_plan_name = "TKTK-production-rds-plan" } module "redis" { @@ -29,7 +29,7 @@ module "redis" { env = local.env app_name = local.app_name recursive_delete = local.recursive_delete - redis_plan_name = "redis-dev" + redis_plan_name = "TKTK-production-redis-plan" } module "csv_upload_bucket" { diff --git a/terraform/set_space_egress.sh b/terraform/set_space_egress.sh index 7eeaaf989..e3893e809 100755 --- a/terraform/set_space_egress.sh +++ b/terraform/set_space_egress.sh 
@@ -1,6 +1,6 @@ #!/usr/bin/env bash -org="gsa-10x-prototyping" +org="gsa-tts-benefits-studio-prototyping" usage=" $0: Set egress rules for given space From 04e3b35a2facb7e7bb43e2d98724d0095b4ea969 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Wed, 2 Nov 2022 09:09:16 -0400 Subject: [PATCH 04/12] Create demo app environment --- app/config.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/config.py b/app/config.py index f10767bcd..470ca89a3 100644 --- a/app/config.py +++ b/app/config.py @@ -415,10 +415,13 @@ class Production(Config): class Staging(Production): pass +class Demo(Production): + pass configs = { 'development': Development, 'test': Test, 'staging': Staging, + 'demo': Demo, 'production': Production } From 1d5438ed32a49871487ac0dea948e5900c8aee2a Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Wed, 2 Nov 2022 09:55:56 -0400 Subject: [PATCH 05/12] Create demo deploy workflows --- .github/workflows/deploy-demo.yml | 66 ++++++++++++++++++ .github/workflows/deploy.yml | 16 +++-- .github/workflows/terraform-demo.yml | 79 ++++++++++++++++++++++ .github/workflows/terraform-production.yml | 8 +-- .github/workflows/terraform-staging.yml | 3 +- docs/deploying.md | 14 ++-- 6 files changed, 169 insertions(+), 17 deletions(-) create mode 100644 .github/workflows/deploy-demo.yml create mode 100644 .github/workflows/terraform-demo.yml diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml new file mode 100644 index 000000000..0eaef148c --- /dev/null +++ b/.github/workflows/deploy-demo.yml 
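Review bot: `class Demo(Production): pass` adds an environment that inherits every Production setting unchanged, and nothing says whether that is deliberate or a placeholder still to be filled in. A one-line docstring in place of `pass`, e.g. `"""Demo environment: intentionally identical to the Production settings."""`, would make that explicit for anyone reading the `configs` map below it. If demo is meant to differ from production in any setting, that override belongs in this class rather than only in deploy-config/demo.yml.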
@@ -0,0 +1,66 @@ +name: Deploy to demo environment + +on: + push: [ production ] + +permissions: + contents: read + +jobs: + deploy: + runs-on: ubuntu-latest + environment: demo + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 2 + + - name: Check for changes to Terraform + id: changed-terraform-files + uses: tj-actions/changed-files@v1.1.2 + with: + files: terraform/demo + - name: Terraform init + if: steps.changed-terraform-files.outputs.any_changed == 'true' + working-directory: terraform/demo + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + run: terraform init + - name: Terraform apply + if: steps.changed-terraform-files.outputs.any_changed == 'true' + working-directory: terraform/demo + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} + TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + run: terraform apply -auto-approve -input=false + + - uses: ./.github/actions/setup-project + - name: Install application dependencies + run: make bootstrap + + - name: Create requirements.txt because Cloud Foundry does a weird pipenv thing + run: pipenv requirements > requirements.txt + + - name: Deploy to cloud.gov + uses: 18f/cg-deploy-action@main + env: + DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} + SECRET_KEY: ${{ secrets.SECRET_KEY }} + ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + with: + cf_username: ${{ secrets.CLOUDGOV_USERNAME }} + cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + cf_org: gsa-10x-prototyping + cf_space: 10x-notifications + push_arguments: >- + --vars-file deploy-config/demo.yml + --var DANGEROUS_SALT="$DANGEROUS_SALT" + --var SECRET_KEY="$SECRET_KEY" + --var 
ADMIN_CLIENT_SECRET="$ADMIN_CLIENT_SECRET" + --var AWS_ACCESS_KEY_ID="$AWS_ACCESS_KEY_ID" + --var AWS_SECRET_ACCESS_KEY="$AWS_SECRET_ACCESS_KEY" diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index dad470e5d..2a73317d3 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -1,4 +1,4 @@ -name: Deploy to prototype environment +name: Deploy to staging environment on: workflow_run: @@ -15,6 +15,7 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'success' }} + environment: staging steps: - uses: actions/checkout@v3 with: @@ -52,14 +53,14 @@ jobs: - name: Deploy to cloud.gov uses: 18f/cg-deploy-action@main env: - DANGEROUS_SALT: ${{ secrets.PROD_DANGEROUS_SALT }} - SECRET_KEY: ${{ secrets.PROD_SECRET_KEY }} - ADMIN_CLIENT_SECRET: ${{ secrets.PROD_ADMIN_CLIENT_SECRET }} + DANGEROUS_SALT: ${{ secrets.DANGEROUS_SALT }} + SECRET_KEY: ${{ secrets.SECRET_KEY }} + ADMIN_CLIENT_SECRET: ${{ secrets.ADMIN_CLIENT_SECRET }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} with: - cf_username: ${{ secrets.cloudgov_username }} - cf_password: ${{ secrets.cloudgov_password }} + cf_username: ${{ secrets.CLOUDGOV_USERNAME }} + cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} cf_org: gsa-10x-prototyping cf_space: 10x-notifications push_arguments: >- @@ -74,4 +75,5 @@ jobs: runs-on: ubuntu-latest if: ${{ github.event.workflow_run.conclusion == 'failure' }} steps: - - run: echo 'Checks failed, not deploying' + - uses: actions/github-script@v6 + script: core.setFailed('Checks failed, not deploying') diff --git a/.github/workflows/terraform-demo.yml b/.github/workflows/terraform-demo.yml new file mode 100644 index 000000000..82c828152 --- /dev/null +++ b/.github/workflows/terraform-demo.yml 
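Review bot: `cf_org: gsa-10x-prototyping` and `cf_space: 10x-notifications` in the deploy step push the demo app to the old org and space, while the Terraform applied a few steps earlier in the same job targets `gsa-tts-benefits-studio-prototyping` / `notify-demo` (terraform/demo/main.tf in this series), so the app would be pushed to a space other than the one its service instances were provisioned in and the `services:` bindings in manifest.yml would not resolve. The deploy.yml hunk on this line keeps the same `cf_org`/`cf_space` context lines for staging, whose Terraform now points at `notify-staging`. The step should read `cf_org: gsa-tts-benefits-studio-prototyping` and `cf_space: notify-demo` (and the staging equivalents in deploy.yml). Separately, `uses: 18f/cg-deploy-action@main` executes a mutable branch with the cloud.gov password, AWS keys and `SECRET_KEY` in its environment; pinning it to a commit SHA (and likewise `tj-actions/changed-files@v1.1.2`) limits what an upstream change can do with those secrets.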
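Review bot: In the job that runs when the workflow_run conclusion is `failure`, `script:` is placed directly under `uses: actions/github-script@v6`, but `script` is not a step key — the action reads it from `with:` — so the workflow parser is expected to reject the file with an unexpected-value error, and the job would no longer report the failure it is meant to report. The step should read `- uses: actions/github-script@v6` followed by `with:` and, nested under it, `script: core.setFailed('Checks failed, not deploying')`. The job's name line is outside the hunk.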
@@ -0,0 +1,79 @@ +name: Run Terraform plan in demo + +on: + pull_request: + branches: [ production ] + paths: [ 'terraform/**' ] + +defaults: + run: + working-directory: terraform/demo + +jobs: + terraform: + name: Terraform plan + runs-on: ubuntu-latest + environment: demo + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Terraform format + id: format + run: terraform fmt -check + + - name: Terraform init + id: init + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + run: terraform init + + - name: Terraform validate + id: validation + run: terraform validate -no-color + + - name: Terraform plan + id: plan + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} + TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} + TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} + run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt + + - name: Read Terraform plan output file + id: terraform_output + uses: juliangruber/read-file-action@v1 + if: ${{ always() }} + with: + path: ./terraform/demo/plan_output.txt + + # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow + - name: Update PR + uses: actions/github-script@v6 + # we would like to update the PR even when a prior step failed + if: ${{ always() }} + with: + script: | + const output = `Terraform Format and Style: ${{ steps.format.outcome }} + Terraform Initialization: ${{ steps.init.outcome }} + Terraform Validation: ${{ steps.validation.outcome }} + Terraform Plan: ${{ steps.plan.outcome }} + +
Show Plan + + \`\`\`\n + ${{ steps.terraform_output.outputs.content }} + \`\`\` + +
+ + *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + + github.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) diff --git a/.github/workflows/terraform-production.yml b/.github/workflows/terraform-production.yml index 7861c3205..dd700a12b 100644 --- a/.github/workflows/terraform-production.yml +++ b/.github/workflows/terraform-production.yml @@ -2,7 +2,7 @@ name: Run Terraform plan in production on: pull_request: - branches: [ production ] + branches: [ production-disabled-for-now ] paths: [ 'terraform/**' ] defaults: @@ -38,8 +38,8 @@ jobs: env: AWS_ACCESS_KEY_ID: ${{ secrets.TERRAFORM_STATE_ACCESS_KEY }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TERRAFORM_STATE_SECRET_ACCESS_KEY }} - TF_VAR_cf_user: ${{ secrets.CF_USERNAME }} - TF_VAR_cf_password: ${{ secrets.CF_PASSWORD }} + TF_VAR_cf_user: ${{ secrets.CLOUDGOV_USERNAME }} + TF_VAR_cf_password: ${{ secrets.CLOUDGOV_PASSWORD }} run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt - name: Read Terraform plan output file @@ -51,7 +51,7 @@ jobs: # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow - name: Update PR - uses: actions/github-script@v4 + uses: actions/github-script@v6 # we would like to update the PR even when a prior step failed if: ${{ always() }} with: diff --git a/.github/workflows/terraform-staging.yml b/.github/workflows/terraform-staging.yml index 5c7d2a6ff..fa5d2dbd8 100644 --- a/.github/workflows/terraform-staging.yml +++ b/.github/workflows/terraform-staging.yml @@ -13,6 +13,7 @@ jobs: terraform: name: Terraform plan runs-on: ubuntu-latest + environment: staging steps: - name: Checkout uses: actions/checkout@v2 
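Review bot: The plan step `run: terraform plan -no-color -input=false 2>&1 | tee plan_output.txt` reports the exit status of `tee`, not of `terraform plan`, because a `run` step with no explicit `shell:` uses `bash -e` without `pipefail`; a failing plan therefore shows `steps.plan.outcome` as success in the PR comment that follows. Adding `shell: bash` to that step (GitHub's explicit bash shell enables `pipefail`) or prefixing the command with `set -o pipefail;` fixes it. The workflow also declares no `permissions:` block, unlike deploy-demo.yml, so the job runs with the repository's default token scope although it only needs `contents: read` and `pull-requests: write` for the comment. The same pipeline form appears as a context line in terraform-production.yml below, so it predates this series there.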
@@ -50,7 +51,7 @@ jobs: # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow - name: Update PR - uses: actions/github-script@v4 + uses: actions/github-script@v6 # we would like to update the PR even when a prior step failed if: ${{ always() }} with: diff --git a/docs/deploying.md b/docs/deploying.md index 5fa129b01..ff1041b91 100644 --- a/docs/deploying.md +++ b/docs/deploying.md 
@@ -1,18 +1,22 @@ # Deploying -We deploy automatically to cloud.gov for production and staging environments. +We deploy automatically to cloud.gov for demo and staging environments. -Deployment runs via the [deployment action](../.github/workflows/deploy.yml) on GitHub, which pulls credentials from GitHub's secrets store. +Deployment to staging runs via the [base deployment action](../.github/workflows/deploy.yml) on GitHub, which pulls credentials from GitHub's secrets store in the staging environment. + +Deployment to demo runs via the [demo deployment action](../.github/workflows/deploy-demo.yml) on GitHub, which pulls credentials from GitHub's secrets store in the demo environment. The [action that we use](https://github.com/18F/cg-deploy-action) deploys using [a rolling strategy](https://docs.cloudfoundry.org/devguide/deploy-apps/rolling-deploy.html), so all deployments should have zero downtime. The API has 2 deployment environments: -- Production, which deploys from `main` -- Staging, which does not, in fact, exist +- Staging, which deploys from `main` +- Demo, which deploys from `production` + +In the future, we will add a Production deploy environment, which will deploy in parallel to Demo. Configurations for these are located in [the `deploy-config` folder](../deploy-config/). In the event that a deployment includes a Terraform change, that change will run before any code is deployed to the environment. Each environment has its own Terraform GitHub Action to handle that change. -Failures in any of these GitHub workflows will be surfaced in the Pull Request related to the code change, and in the case of `checks.yml` actively prevent the PR from being merged. Failure in the Terraform workflow will not actively prevent the PR from being merged, but reviewers should not approve a PR with a failing terraform plan. 
\ No newline at end of file +Failures in any of these GitHub workflows will be surfaced in the Pull Request related to the code change, and in the case of `checks.yml` actively prevent the PR from being merged. Failure in the Terraform workflow will not actively prevent the PR from being merged, but reviewers should not approve a PR with a failing terraform plan. From 9969a2b2e87ce0efc551ccc5c0b01164dd8df975 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Wed, 2 Nov 2022 11:07:45 -0400 Subject: [PATCH 06/12] Rename app to avoid route collisions with 10x space --- deploy-config/demo.yml | 4 ++-- deploy-config/production.yml | 4 ++-- deploy-config/staging.yml | 4 ++-- manifest.yml | 12 ++++++------ terraform/demo/main.tf | 2 +- terraform/production/main.tf | 2 +- terraform/staging/main.tf | 2 +- 7 files changed, 15 insertions(+), 15 deletions(-) diff --git a/deploy-config/demo.yml b/deploy-config/demo.yml index 5a42ba5c2..571e749e5 100644 --- a/deploy-config/demo.yml +++ b/deploy-config/demo.yml @@ -3,5 +3,5 @@ web_instances: 1 web_memory: 1G worker_instances: 1 worker_memory: 512M -public_api_route: notifications-api-demo.app.cloud.gov -admin_base_url: https://notifications-admin.app.cloud.gov +public_api_route: notify-api-demo.app.cloud.gov +admin_base_url: https://notify-demo.app.cloud.gov diff --git a/deploy-config/production.yml b/deploy-config/production.yml index 20b350795..9e24b5864 100644 --- a/deploy-config/production.yml +++ b/deploy-config/production.yml @@ -3,5 +3,5 @@ web_instances: 2 web_memory: 1G worker_instances: 1 worker_memory: 512M -public_api_route: notifications-api.app.cloud.gov -admin_base_url: https://notifications-admin.app.cloud.gov +public_api_route: notify-api.app.cloud.gov +admin_base_url: https://notify.app.cloud.gov diff --git a/deploy-config/staging.yml b/deploy-config/staging.yml index d62a18434..ac41c5d26 100644 --- a/deploy-config/staging.yml +++ b/deploy-config/staging.yml 
@@ -3,5 +3,5 @@ web_instances: 1 web_memory: 1G worker_instances: 1 worker_memory: 512M -public_api_route: notifications-api-staging.app.cloud.gov -admin_base_url: https://notifications-admin-staging.app.cloud.gov +public_api_route: notify-api-staging.app.cloud.gov +admin_base_url: https://notify-staging.app.cloud.gov diff --git a/manifest.yml b/manifest.yml index 34ba768ff..d032ed1bf 100644 --- a/manifest.yml +++ b/manifest.yml @@ -1,18 +1,18 @@ --- applications: - - name: notifications-api-((env)) + - name: notify-api-((env)) buildpack: python_buildpack instances: 1 disk_quota: 1G routes: - route: ((public_api_route)) - - route: notifications-api-((env)).apps.internal + - route: notify-api-((env)).apps.internal services: - - notifications-api-rds-((env)) - - notifications-api-redis-((env)) - - notifications-api-csv-upload-bucket-((env)) - - notifications-api-contact-list-bucket-((env)) + - notify-api-rds-((env)) + - notify-api-redis-((env)) + - notify-api-csv-upload-bucket-((env)) + - notify-api-contact-list-bucket-((env)) processes: - type: web diff --git a/terraform/demo/main.tf b/terraform/demo/main.tf index 8326175c8..d8d17cda9 100644 --- a/terraform/demo/main.tf +++ b/terraform/demo/main.tf @@ -2,7 +2,7 @@ locals { cf_org_name = "gsa-tts-benefits-studio-prototyping" cf_space_name = "notify-demo" env = "demo" - app_name = "notifications-api" + app_name = "notify-api" recursive_delete = false } diff --git a/terraform/production/main.tf b/terraform/production/main.tf index d5103c27f..767b11197 100644 --- a/terraform/production/main.tf +++ b/terraform/production/main.tf @@ -2,7 +2,7 @@ locals { cf_org_name = "gsa-tts-benefits-studio-prototyping" cf_space_name = "notify-prod" env = "production" - app_name = "notifications-api" + app_name = "notify-api" recursive_delete = false } diff --git a/terraform/staging/main.tf b/terraform/staging/main.tf index ef7c46ffe..abbb0a5be 100644 --- a/terraform/staging/main.tf +++ b/terraform/staging/main.tf 
@@ -2,7 +2,7 @@ locals { cf_org_name = "gsa-tts-benefits-studio-prototyping" cf_space_name = "notify-staging" env = "staging" - app_name = "notifications-api" + app_name = "notify-api" recursive_delete = true } From 0a89889897c1a56be246753522701c2435fbea35 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Wed, 2 Nov 2022 11:17:34 -0400 Subject: [PATCH 07/12] Run terraform bootstrap --- terraform/bootstrap/import.sh | 4 ++-- terraform/demo/providers.tf | 4 ++-- terraform/production/providers.tf | 2 +- terraform/staging/providers.tf | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/bootstrap/import.sh b/terraform/bootstrap/import.sh index 88b1e40d2..9140711f5 100755 --- a/terraform/bootstrap/import.sh +++ b/terraform/bootstrap/import.sh @@ -4,8 +4,8 @@ read -p "Are you sure you want to import terraform state (y/n)? " verify if [[ $verify == "y" ]]; then echo "Importing bootstrap state" - ./run.sh import module.s3.cloudfoundry_service_instance.bucket 31204bcc-aae3-4cd3-8b59-5055a338d44f - ./run.sh import cloudfoundry_service_key.bucket_creds 483a6ac5-4ba0-48ad-9850-ef87b51aaa08 + ./run.sh import module.s3.cloudfoundry_service_instance.bucket 6b759c13-6253-4a64-9bda-dd1f620185b0 + ./run.sh import cloudfoundry_service_key.bucket_creds a8e40295-68b7-42ba-8955-d82ba262e948 ./run.sh plan else echo "Not importing bootstrap state" diff --git a/terraform/demo/providers.tf b/terraform/demo/providers.tf index b11f77c29..11d4c4457 100644 --- a/terraform/demo/providers.tf +++ b/terraform/demo/providers.tf @@ -8,8 +8,8 @@ terraform { } backend "s3" { - bucket = "TKTK" - key = "api.tfstate.prod" + bucket = "cg-6b759c13-6253-4a64-9bda-dd1f620185b0" + key = "api.tfstate.demo" encrypt = "true" region = "us-gov-west-1" profile = "notify-terraform-backend" diff --git a/terraform/production/providers.tf b/terraform/production/providers.tf index b11f77c29..f4cfe869a 100644 --- a/terraform/production/providers.tf +++ b/terraform/production/providers.tf 
@@ -8,7 +8,7 @@ terraform { } backend "s3" { - bucket = "TKTK" + bucket = "cg-6b759c13-6253-4a64-9bda-dd1f620185b0" key = "api.tfstate.prod" encrypt = "true" region = "us-gov-west-1" diff --git a/terraform/staging/providers.tf b/terraform/staging/providers.tf index 46eaa537a..72a7c30f6 100644 --- a/terraform/staging/providers.tf +++ b/terraform/staging/providers.tf @@ -8,7 +8,7 @@ terraform { } backend "s3" { - bucket = "TKTK" + bucket = "cg-6b759c13-6253-4a64-9bda-dd1f620185b0" key = "api.tfstate.stage" encrypt = "true" region = "us-gov-west-1" From 20992fff2df9937fda07f1f0b9c8757ccd0b3516 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Wed, 2 Nov 2022 12:02:21 -0400 Subject: [PATCH 08/12] Fix workflow and python syntax issues --- .github/workflows/deploy-demo.yml | 3 ++- app/config.py | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml index 0eaef148c..820dd8e49 100644 --- a/.github/workflows/deploy-demo.yml +++ b/.github/workflows/deploy-demo.yml @@ -1,7 +1,8 @@ name: Deploy to demo environment on: - push: [ production ] + push: + branches: [ production ] permissions: contents: read diff --git a/app/config.py b/app/config.py index 470ca89a3..197560aa7 100644 --- a/app/config.py +++ b/app/config.py @@ -415,9 +415,11 @@ class Production(Config): class Staging(Production): pass + class Demo(Production): pass + configs = { 'development': Development, 'test': Test, From 7b793724f21c8ae1d2f8de59b90ef8dcdf673248 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Wed, 2 Nov 2022 12:16:37 -0400 Subject: [PATCH 09/12] Fix breaking change in updating actions/github-script to v6 --- .github/workflows/terraform-demo.yml | 2 +- .github/workflows/terraform-production.yml | 2 +- .github/workflows/terraform-staging.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/terraform-demo.yml b/.github/workflows/terraform-demo.yml index 82c828152..29b8fa397 100644 
--- a/.github/workflows/terraform-demo.yml +++ b/.github/workflows/terraform-demo.yml @@ -71,7 +71,7 @@ jobs: *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; - github.issues.createComment({ + github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, diff --git a/.github/workflows/terraform-production.yml b/.github/workflows/terraform-production.yml index dd700a12b..e48000438 100644 --- a/.github/workflows/terraform-production.yml +++ b/.github/workflows/terraform-production.yml @@ -71,7 +71,7 @@ jobs: *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; - github.issues.createComment({ + github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, diff --git a/.github/workflows/terraform-staging.yml b/.github/workflows/terraform-staging.yml index fa5d2dbd8..b1ac54f8f 100644 --- a/.github/workflows/terraform-staging.yml +++ b/.github/workflows/terraform-staging.yml @@ -71,7 +71,7 @@ jobs: *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; - github.issues.createComment({ + github.rest.issues.createComment({ issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, From 35d771d64d8d0aefc7bf63aa1c640fb95331b662 Mon Sep 17 00:00:00 2001 From: Ryan Ahearn Date: Wed, 2 Nov 2022 13:58:56 -0400 Subject: [PATCH 10/12] Update org/space in deploy scripts --- .github/workflows/deploy-demo.yml | 4 ++-- .github/workflows/deploy.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml index 820dd8e49..813ca0c19 100644 --- a/.github/workflows/deploy-demo.yml +++ b/.github/workflows/deploy-demo.yml 
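Review bot: The call being updated still sits inside a template literal that splices `${{ github.actor }}` and `${{ github.event_name }}` directly into JavaScript source; both values are GitHub-controlled and carry little risk, but github-script's recommended pattern is to hand such values in through `env:` and read `process.env` inside the script, so no expression is ever expanded into code. `issue_number: context.issue.number` is only populated on pull-request events, so if this workflow also runs on push the step needs a guard such as `if: github.event_name == 'pull_request'`; the step's `if:` and the opening of `script:` are outside the hunk. The terraform-production.yml and terraform-staging.yml hunks are byte-identical to this one; a reusable workflow taking the environment as an input would make such API fixes a single change.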
@@ -56,8 +56,8 @@ jobs:
 with:
 cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
 cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
- cf_org: gsa-10x-prototyping
- cf_space: 10x-notifications
+ cf_org: gsa-tts-benefits-studio-prototyping
+ cf_space: notify-demo
 push_arguments: >-
 --vars-file deploy-config/demo.yml
 --var DANGEROUS_SALT="$DANGEROUS_SALT"
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 2a73317d3..f5bd34310 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -61,8 +61,8 @@ jobs:
 with:
 cf_username: ${{ secrets.CLOUDGOV_USERNAME }}
 cf_password: ${{ secrets.CLOUDGOV_PASSWORD }}
- cf_org: gsa-10x-prototyping
- cf_space: 10x-notifications
+ cf_org: gsa-tts-benefits-studio-prototyping
+ cf_space: notify-staging
 push_arguments: >-
 --vars-file deploy-config/staging.yml
 --var DANGEROUS_SALT="$DANGEROUS_SALT"
From 29ba3467a7a0d476038f6a989ca15cad0becd298 Mon Sep 17 00:00:00 2001
From: Ryan Ahearn
Date: Wed, 2 Nov 2022 15:06:07 -0400
Subject: [PATCH 11/12] Insert forgotten key to deploy workflow
---
 .github/workflows/deploy.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f5bd34310..50c423ea3 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -76,4 +76,5 @@ jobs:
 if: ${{ github.event.workflow_run.conclusion == 'failure' }}
 steps:
 - uses: actions/github-script@v6
- script: core.setFailed('Checks failed, not deploying')
+ with:
+ script: core.setFailed('Checks failed, not deploying')
From 14f82edcfc420b5e5d9d75ee97144c0195477158 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 7 Aug 2023 22:21:05 +0000
Subject: [PATCH 12/12] Bump freezegun from 1.2.1 to 1.2.2
Bumps [freezegun](https://github.com/spulec/freezegun) from 1.2.1 to 1.2.2.
- [Changelog](https://github.com/spulec/freezegun/blob/master/CHANGELOG)
- [Commits](https://github.com/spulec/freezegun/commits)
---
updated-dependencies:
- dependency-name: freezegun
dependency-type: direct:development
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
---
 Pipfile | 2 +-
 Pipfile.lock | 22 +++++++++++-----------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Pipfile b/Pipfile
index 9f24d7a23..96e418c06 100644
--- a/Pipfile
+++ b/Pipfile
@@ -73,7 +73,7 @@ pytest-env = "==0.6.2"
 pytest-mock = "==3.11.1"
 pytest-cov = "==4.1.0"
 pytest-xdist = "==3.3.1"
-freezegun = "==1.2.1"
+freezegun = "==1.2.2"
 requests-mock = "==1.11.0"
 jinja2-cli = {version = "==0.8.2", extras = ["yaml"]}
 pip-audit = "*"
diff --git a/Pipfile.lock b/Pipfile.lock
index d4ef0a735..e5a13cb2d 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@
 {
 "_meta": {
 "hash": {
- "sha256": "74cb434bba7eb0a7300cdf83c6889c9ad889df92c5449a4b860b5dc72312bb58"
+ "sha256": "3ac420f9a597b613f634b150e444d1d1c590f82f53ad6798ba222821c7a48d43"
 },
 "pipfile-spec": 6,
 "requires": {
@@ -852,10 +852,10 @@
 },
 "phonenumbers": {
 "hashes": [
- "sha256:89671217c706cbaa3ced101deefafa779836feac3e059434d886ac31f09f32c0",
- "sha256:e8ffd86b2e0b844fd6189fdb0927dbe8707cb03b59102cba5532b3ea305cc1bd"
+ "sha256:3d802739a22592e4127139349937753dee9b6a20bdd5d56847cd885bdc766b1f",
+ "sha256:b360c756252805d44b447b5bca6d250cf6bd6c69b6f0f4258f3bfe5ab81bef69"
 ],
- "version": "==8.13.17"
+ "version": "==8.13.18"
 },
 "prometheus-client": {
 "hashes": [
@@ -1114,7 +1114,7 @@
 "sha256:78f9a9bf4e7be0c5ded4583326e7461e3a3c5aae24073648b4bdfa797d78c9d2",
 "sha256:9d689e6ca1b3038bc82bf8d23e944b6b6037bc02301a574935b2dd946e0353b9"
 ],
- "markers": "python_version >= '3.5' and python_version < '4.0'",
+ "markers": "python_version < '4.0' and python_full_version >= '3.5.0'",
 "version": "==4.7.2"
 },
 "s3transfer": {
@@ -1779,11 +1779,11 @@
 },
 "freezegun": {
 "hashes": [
- "sha256:15103a67dfa868ad809a8f508146e396be2995172d25f927e48ce51c0bf5cb09",
- "sha256:b4c64efb275e6bc68dc6e771b17ffe0ff0f90b81a2a5189043550b6519926ba4"
+ "sha256:cd22d1ba06941384410cd967d8a99d5ae2442f57dfafeff2fda5de8dc5c05446",
+ "sha256:ea1b963b993cb9ea195adbd893a48d573fda951b0da64f60883d7e988b606c9f"
 ],
 "index": "pypi",
- "version": "==1.2.1"
+ "version": "==1.2.2"
 },
 "frozenlist": {
 "hashes": [
@@ -2299,11 +2299,11 @@
 },
 "pygments": {
 "hashes": [
- "sha256:8ace4d3c1dd481894b2005f560ead0f9f19ee64fe983366be1a21e171d12775c",
- "sha256:db2db3deb4b4179f399a09054b023b6a586b76499d36965813c71aa8ed7b5fd1"
+ "sha256:13fc09fa63bc8d8671a6d247e1eb303c4b343eaee81d861f3404db2935653692",
+ "sha256:1daff0494820c69bc8941e407aa20f577374ee88364ee10a98fdbe0aece96e29"
 ],
 "markers": "python_version >= '3.7'",
- "version": "==2.15.1"
+ "version": "==2.16.1"
 },
 "pyparsing": {
 "hashes": [