diff --git a/.github/workflows/dogfood-deploy.yml b/.github/workflows/dogfood-deploy.yml
new file mode 100644
index 0000000000..3473028197
--- /dev/null
+++ b/.github/workflows/dogfood-deploy.yml
@@ -0,0 +1,79 @@
+on:
+ workflow_dispatch:
+ inputs:
+ IMAGE_TAG:
+ description: 'The image tag wished to be deployed.'
+ required: true
+
+env:
+ AWS_REGION: us-east-2
+ ECR_REPOSITORY: fleet-test
+ AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role
+ TF_ACTIONS_WORKING_DIR: infrastructure/dogfood/terraform/aws
+ TF_WORKSPACE: fleet
+ TF_VAR_fleet_backend_cpu: 512
+ TF_VAR_fleet_backend_mem: 4096
+ TF_VAR_redis_instance: cache.t3.micro
+ TF_VAR_fleet_min_capacity: 2
+ TF_VAR_fleet_max_capacity: 5
+ TF_VAR_fleet_image: ${{ github.event.inputs.IMAGE_TAG || 'fleetdm/fleet:main' }}
+ TF_VAR_logging_debug: true
+ TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}
+
+permissions:
+ id-token: write
+ contents: read # This is required for actions/checkout@v2
+
+
+defaults:
+ run:
+ working-directory: infrastructure/dogfood/terraform/aws
+
+jobs:
+ deploy:
+ name: Deploy Fleet Dogfood Environment
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - uses: aws-actions/configure-aws-credentials@v1
+ with:
+ role-to-assume: ${{env.AWS_IAM_ROLE}}
+ aws-region: ${{ env.AWS_REGION }}
+ - uses: hashicorp/setup-terraform@v2
+ with:
+ terraform_version: 1.0.4
+ terraform_wrapper: false
+ - name: Terraform Init
+ id: init
+ run: terraform init
+ - name: Terraform fmt
+ id: fmt
+ run: terraform fmt -check
+ continue-on-error: true
+ - name: Terraform Validate
+ id: validate
+ run: terraform validate -no-color
+ - name: Terraform Plan
+ id: plan
+ run: terraform plan -no-color
+ continue-on-error: true
+ # first we'll scale everything down and create the new task definitions
+ - name: Terraform Apply Scale Down
+ id: apply_scale_down
+ run: terraform apply -auto-approve
+ env:
+ TF_VAR_fleet_min_capacity: 0
+ TF_VAR_fleet_max_capacity: 0
+ - name: Run migration task
+ id: run_migrate
+ run: |
+ CLUSTER_NAME=$(terraform output -raw ecs_cluster_name)
+ FAMILY=$(terraform output -raw migrate_task_definition_family)
+ REVISION=$(terraform output -raw fleet-migration-task-revision)
+ SUBNET=$(terraform output -raw private_subnet)
+ SECURITY_GROUP=$(terraform output -raw backend_security_group_id)
+ echo $CLUSTER_NAME $FAMILY $REVISION $SUBNET $SECURITY_GROUP
+ aws ecs run-task --cluster "${CLUSTER_NAME}" --task-definition "${FAMILY}":"${REVISION}" --launch-type FARGATE --network-configuration "awsvpcConfiguration={subnets=["${SUBNET}"],securityGroups=["${SECURITY_GROUP}"]}"
+ - name: Terraform Apply Scale Up
+ id: apply_scale_up
+ run: terraform apply -auto-approve
diff --git a/infrastructure/dogfood/terraform/aws/github.tf b/infrastructure/dogfood/terraform/aws/github.tf
new file mode 100644
index 0000000000..a46b5c4d9f
--- /dev/null
+++ b/infrastructure/dogfood/terraform/aws/github.tf
@@ -0,0 +1,99 @@
+data "tls_certificate" "github" {
+ url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
+}
+
+/*
+It's possible to use the following to add Github as an OpenID Connect Provider and integrate
+Github Actions as your CI/CD mechanism.
+*/
+
+#resource "aws_iam_openid_connect_provider" "github" {
+# url = "https://token.actions.githubusercontent.com"
+#
+# client_id_list = [
+# "sts.amazonaws.com",
+# ]
+#
+#
+# thumbprint_list = [
+# data.tls_certificate.github.certificates[0].sha1_fingerprint
+# ]
+#}
+#
+#resource "aws_iam_role" "gha_role" {
+# name = "github-actions-role"
+# assume_role_policy = data.aws_iam_policy_document.gha_assume_role.json
+#}
+#
+#resource "aws_iam_role_policy" "gha_role_policy" {
+# policy = data.aws_iam_policy_document.gha-permissions.json
+# role = aws_iam_role.gha_role.id
+#}
+
+
+#####################
+# AssumeRole
+#
+# Allow sts:AssumeRoleWithWebIdentity from GitHub via OIDC
+# Customize your repository
+#####################
+data "aws_iam_policy_document" "gha_assume_role" {
+ statement {
+ effect = "Allow"
+ actions = ["sts:AssumeRoleWithWebIdentity"]
+ principals {
+ type = "Federated"
+ identifiers = [
+ "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
+ ]
+ }
+ condition {
+ test = "StringLike"
+ variable = "token.actions.githubusercontent.com:sub"
+ values = ["repo:fleetdm/fleet:*"]
+ }
+
+ condition {
+ test = "StringEquals"
+ variable = "token.actions.githubusercontent.com:aud"
+ values = ["sts.amazonaws.com"]
+ }
+ }
+}
+// Customize the permissions for your deployment
+#data "aws_iam_policy_document" "gha-permissions" {
+# statement {
+# effect = "Allow"
+# actions = [
+# "ec2:*",
+# "cloudwatch:*",
+# "s3:*",
+# "lambda:*",
+# "ecs:*",
+# "rds:*",
+# "rds-data:*",
+# "secretsmanager:*",
+# "pi:*",
+# "ecr:*",
+# "iam:*",
+# "aps:*",
+# "vpc:*",
+# "kms:*",
+# "elasticloadbalancing:*",
+# "ce:*",
+# "cur:*",
+# "logs:*",
+# "cloudformation:*",
+# "ssm:*",
+# "sns:*",
+# "elasticache:*",
+# "application-autoscaling:*",
+# "acm:*",
+# "route53:*",
+# "dynamodb:*",
+# "kinesis:*",
+# "firehose:*"
+# ]
+# resources = ["*"]
+# }
+#}
\ No newline at end of file
diff --git a/infrastructure/dogfood/terraform/aws/main.tf b/infrastructure/dogfood/terraform/aws/main.tf
index 7a0d2a87e9..72b2a5d7f6 100644
--- a/infrastructure/dogfood/terraform/aws/main.tf
+++ b/infrastructure/dogfood/terraform/aws/main.tf
@@ -6,18 +6,29 @@ provider "aws" {
 region = var.region
 }
+
+provider "tls" {
+ # Configuration options
+}
+
+
 terraform {
 // these values should match what is bootstrapped in ./remote-state
 backend "s3" {
 bucket = "fleet-terraform-remote-state"
 region = "us-east-2"
- key = "fleet/"
+ key = "fleet"
 dynamodb_table = "fleet-terraform-state-lock"
 }
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "3.57.0"
+ version = "3.63.0"
+ }
+
+ tls = {
+ source = "hashicorp/tls"
+ version = "3.3.0"
+ }
 }
 }
diff --git a/infrastructure/dogfood/terraform/aws/outputs.tf b/infrastructure/dogfood/terraform/aws/outputs.tf
index 77d9912984..6553387cbf 100644
--- a/infrastructure/dogfood/terraform/aws/outputs.tf
+++ b/infrastructure/dogfood/terraform/aws/outputs.tf
@@ -7,7 +7,7 @@ output "backend_security_group" {
 }
 output "private_subnets" {
- value = module.vpc.private_subnet_arns
+ value = module.vpc.private_subnets
 }
 output "fleet-backend-task-revision" {
@@ -52,4 +52,20 @@ output "aws_alb_target_group_name" {
 output "aws_alb_name" {
 value = aws_alb.main.name
+}
+
+output "backend_security_group_id" {
+ value = aws_security_group.backend.id
+}
+
+output "private_subnet" {
+ value = module.vpc.private_subnets[0]
+}
+
+output "ecs_cluster_name" {
+ value = aws_ecs_cluster.fleet.name
+}
+
+output "migrate_task_definition_family" {
+ value = aws_ecs_task_definition.migration.family
 }
\ No newline at end of file
diff --git a/infrastructure/dogfood/terraform/aws/rds.tf b/infrastructure/dogfood/terraform/aws/rds.tf
index 2a5ddb768c..4390d45231 100644
--- a/infrastructure/dogfood/terraform/aws/rds.tf
+++ b/infrastructure/dogfood/terraform/aws/rds.tf
@@ -66,7 +66,7 @@ module "aurora_mysql" {
 name = "${local.name}-mysql-iam"
 engine = "aurora-mysql"
- engine_version = "5.7.mysql_aurora.2.10.0"
+ engine_version = "5.7.mysql_aurora.2.10.2"
 instance_type = var.db_instance_type_writer
 instance_type_replica = var.db_instance_type_reader
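Review bot: The "Run migration task" step fires `aws ecs run-task` and the job proceeds straight to "Terraform Apply Scale Up" without waiting for the task or checking how it ended, so a failed or still-running migration does not stop the new image from being scaled up against the database; `run-task` also returns before the container runs and, as I understand it, reports placement problems in a `failures` list rather than a non-zero exit status, so the step's default `bash -e` shell will not catch that case either. Capture the task ARN, wait for the task to stop and fail the job on a non-zero container exit code, as sketched below (the `tasks-stopped` waiter has a default timeout of several minutes, so a long migration would need a retry loop). Separately, `terraform plan` carries `continue-on-error: true` while both applies are `-auto-approve`, so a failing plan never blocks the deploy; dropping that flag, or at least gating the applies on `steps.plan.outcome == 'success'`, is worth considering. The three actions are pinned to floating tags (`actions/checkout@v2`, `aws-actions/configure-aws-credentials@v1`, `hashicorp/setup-terraform@v2`); for a workflow that can assume an AWS role via `id-token: write`, pinning them to commit SHAs would narrow the supply-chain exposure.
```yaml
      - name: Run migration task
        id: run_migrate
        run: |
          # … unchanged: terraform output lookups for CLUSTER_NAME, FAMILY, REVISION, SUBNET, SECURITY_GROUP …
          TASK_ARN=$(aws ecs run-task --cluster "${CLUSTER_NAME}" --task-definition "${FAMILY}":"${REVISION}" --launch-type FARGATE \
            --network-configuration "awsvpcConfiguration={subnets=["${SUBNET}"],securityGroups=["${SECURITY_GROUP}"]}" \
            --query 'tasks[0].taskArn' --output text)
          if [ -z "${TASK_ARN}" ] || [ "${TASK_ARN}" = "None" ]; then
            echo "run-task did not place the migration task; inspect the 'failures' field of the response"
            exit 1
          fi
          aws ecs wait tasks-stopped --cluster "${CLUSTER_NAME}" --tasks "${TASK_ARN}"
          EXIT_CODE=$(aws ecs describe-tasks --cluster "${CLUSTER_NAME}" --tasks "${TASK_ARN}" \
            --query 'tasks[0].containers[0].exitCode' --output text)
          if [ "${EXIT_CODE}" != "0" ]; then
            echo "migration task exited with code ${EXIT_CODE}; not scaling up"
            exit 1
          fi
```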