mvp cicd

.github/workflows/build-image.yml

@@ -0,0 +1,60 @@
+name: Build Image MVP cicd
+
+on:
+  # push:
+  #   branches:
+  #     - mvp-cicd
+  workflow_dispatch:
+
+permissions:
+  id-token: write   # JWT
+  contents: read    # actions/checkout
+
+jobs:
+  ogcapi_app_build:
+    runs-on: ubuntu-latest
+    environment: tfintegration
+    steps:
+      - name: Checkout Repo ogcapi
+        uses: actions/checkout@v4
+        with:
+          ref: mvp-cicd
+
+      - name: Set up QEMU Cross Platform Support
+        uses: docker/setup-qemu-action@v3
+
+      - name: Create Docker Buildx Worker
+        uses: docker/setup-buildx-action@v3
+
+      - name: Install JDK 17
+        uses: actions/setup-java@v3
+        with:
+          distribution: 'temurin'
+          java-version: '17'
+          cache: 'maven'
+
+      - name: Build with Maven
+        run: mvn -B package --file pom.xml
+
+      - name: Set AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.ROLE_ARN }}
+          role-session-name: GitHub_to_AWS_OIDC
+          aws-region: ${{ vars.AWS_REGION }}
+
+      # - name: Display Sts CallerIdentity
+      #   run: |
+      #     aws sts get-caller-identity
+
+      - name: Login ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Build and Push Application Image to ECR
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:latest

.github/workflows/deploy-dev.yml

@@ -0,0 +1,81 @@
+name: Deploy Image MVP cicd
+
+on:
+  push:
+    branches:
+      - mvp-cicd
+  workflow_dispatch:
+
+env:
+  TURNIP: An edible tuba
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy_application:
+    runs-on: ubuntu-latest
+    environment: tfintegration
+    env:
+      tf_version: '1.5.7'
+      tg_version: '0.54.0'
+      tg_dir: './deploy/tg'
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: mvp-cicd
+
+      - name: Set AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ vars.ROLE_ARN }}
+          role-session-name: GitHub_OIDC
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Expose github environment as shell variables
+        env:
+          SECRETS_CONTEXT: ${{ toJson(secrets) }}
+          VARS_CONTEXT: ${{ toJson(vars) }}
+        run: |
+          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
+          to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; }
+          echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV
+          echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV
+
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.tf_version }}
+
+      - name: Install Terragrunt
+        id: setup_terragrunt
+        run: |
+          wget https://github.com/gruntwork-io/terragrunt/releases/download/v${terragrunt_version}/terragrunt_linux_amd64 \
+            && mv terragrunt_linux_amd64 terragrunt \
+            && chmod +x terragrunt \
+            && mv terragrunt /usr/local/bin/terragrunt
+        env:
+          terragrunt_version: ${{ env.tg_version }}
+
+      - name: Terragrunt Plan
+        id: terragrunt_plan
+        run: terragrunt plan -out=tf.plan
+        working-directory: ${{ env.tg_dir }}
+        env:
+          TF_INPUT: 0
+          TF_IN_AUTOMATION: true
+          # get the image digest from the build job with optional override from vars context
+          TF_VAR_image: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:latest
+
+      - name: Terragrunt Apply
+        id: terragrunt_apply
+        run: terragrunt apply -auto-approve tf.plan
+        working-directory: ${{ env.tg_dir }}
+        env:
+          TF_INPUT: 0
+          TF_IN_AUTOMATION: true
+          # get the image digest from the build job with optional override from vars context
+          TF_VAR_image: ${{ vars.ECR_REGISTRY }}/${{ vars.ECR_REPOSITORY }}:latest

.gitignore

@@ -1,4 +1,15 @@
-.env
-**/target/**/*
+# IDE
 .idea
-*.iml
+
+# Local directories
+**/.terraform/*
+**/.terragrunt-cache/
+
+# Local files
+*.tfstate
+*.tfstate.*
+.terraform.lock.hcl
+
+# Crash log files
+crash.log
+crash.*.log

Dockerfile

@@ -2,4 +2,4 @@ FROM amazoncorretto:17
 VOLUME /tmp
 
 COPY ./server/target/server-java-1.0.0-SNAPSHOT-exec.jar app.jar
-ENTRYPOINT ["java","-Dapi.host=${HOST}:${PORT}","-Dserver.port=${PORT}","-Delasticsearch.serverUrl=${ELASTIC_URL}","-Delasticsearch.apiKey=${ELASTIC_KEY}","-jar","/app.jar"]
+ENTRYPOINT ["java","-Dapi.host=${HOST}:${PORT}","-Dserver.port=${PORT}","-Delasticsearch.serverUrl=${ELASTIC_URL}","-Delasticsearch.apiKey=${ELASTIC_KEY}","-jar","/app.jar"]

deploy/Dockerfile

@@ -0,0 +1,26 @@
+ARG TF_VERSION=1.5.7
+
+FROM hashicorp/terraform:$TF_VERSION
+
+LABEL maintainer="[email protected]"
+
+ARG TG_VERSION=0.54.0
+ARG USER_ID=1000
+ARG GROUP_ID=1000
+ARG USERNAME=appdeploy
+
+RUN wget https://github.com/gruntwork-io/terragrunt/releases/download/v${TG_VERSION}/terragrunt_linux_amd64 \
+    && mv terragrunt_linux_amd64 terragrunt \
+    && chmod +x terragrunt \
+    && mv terragrunt /usr/local/bin/terragrunt
+
+RUN apk add --no-cache aws-cli
+
+RUN echo 'alias tf="terraform"' >> /etc/profile.d/custom_aliases.sh \
+    && echo 'alias tg="terragrunt"' >> /etc/profile.d/custom_aliases.sh
+
+ENV ENV="/etc/profile"
+
+RUN adduser -D -u $USER_ID -h /home/$USERNAME $USERNAME
+
+USER $USERNAME:$USERNAME

deploy/README.md

@@ -0,0 +1,60 @@
+# Deployments
+Deployment of this application uses [Github Deployment Environments](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment).
+
+A successful deployment relies on the correct variables being defined in order to deploy to the correct AWS account etc.
+
+### Managing Environments
+You can view the current environment settings by visiting https://github.com/aodn/sample-django-app/settings/environments.
+
+You can view the currently defined variables there or from the cli using:
+```bash
+gh variable list -R aodn/sample-django-app -e staging
+```
+
+### Updating Variables
+Manually updating vars can be tedious and error-prone. Instead, you may define the variables you need as a .env file and push these values:
+```bash
+gh variable set -R aodn/sample-django-app -e staging -f staging.env
+```
+
+### Deploying From the CLI
+The Terragrunt module for this application depends on variables being present and will fail if they are not.
+
+To test locally, you may want to populate these into your local environment using the following command:
+```bash
+set -a; source ./github/staging.env; set +a
+terragrunt plan
+terragrunt apply
+```
+
+### Using Docker
+A Dockerfile is provided to simplify local deployment, removing the need to install the required binaries on the local system.
+
+N.B. The Dockerfile does assume a valid AWS CLI configuration.
+
+### Example deployment
+Modify the environment variables in `dev.env`:
+```text
+ALB_PARAMETER_NAME=shared-alb-dev-sydney
+APP_NAME=sample-django-app-mybranch
+AWS_ACCOUNT_ID=123456789012
+AWS_REGION=ap-southeast-2
+ECR_PARAMETER_NAME=api
+ECR_REGISTRY=123456789012.dkr.ecr.ap-southeast-2.amazonaws.com
+ECR_REPOSITORY=api
+ENVIRONMENT=mydev-stack
+RDS_PARAMETER_NAME=db01/primary/development
+```
+
+```bash
+export AWS_PROFILE=myprofile
+cd deploy
+docker-compose -f docker-compose.yml run terragrunt
+```
+
+On the container run the following:
+```bash
+set -a; source ./github/dev.env; set +a
+TF_VAR_image=latest terragrunt plan -out=tf.plan
+TF_VAR_image=latest terragrunt apply -auto-approve tf.plan
+```

deploy/container/vars.yaml

@@ -0,0 +1,4 @@
+HOST: http://localhost
+PORT: 8081
+ELASTIC_KEY: U3lLRDlZc0J1S0QtWFFCaXd1SnI6ektlOU5fNTNRcHVBZlpJMHVRWTlmUQ==
+ELASTIC_URL: https://dev-discovery-index.es.ap-southeast-2.aws.found.io

deploy/docker-compose.yml

@@ -0,0 +1,18 @@
+version: '3.7'
+
+services:
+  terragrunt:
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        TF_VERSION: 1.5.7
+        TG_VERSION: 0.54.0
+    image: appdeploy:latest
+    volumes:
+      - .:/deploy
+      - ${HOME}/.aws:/home/appdeploy/.aws
+    working_dir: /deploy/tg
+    environment:
+      - AWS_PROFILE=${AWS_PROFILE}
+    entrypoint: ["sh"]

deploy/github/development.env

@@ -0,0 +1,15 @@
+# General environment variables for terragrunt
+
+ALB_PARAMETER_NAME=shared-alb-devops-melbourne
+AWS_ACCOUNT_ID=450356697252
+AWS_REGION=ap-southeast-4
+ECR_REGISTRY=450356697252.dkr.ecr.ap-southeast-4.amazonaws.com
+ECR_REPOSITORY=ogcapi-java
+ENVIRONMENT=tfintegration
+
+# App specific environment variables for terragrunt
+APP_NAME=ogcapi-java
+APP_HOST=http://localhost
+APP_PORT=8081
+ELASTIC_KEY=000000000000000000000000000000000000000000000000000==
+ELASTIC_URL=https://dev-discovery-index.es.ap-southeast-2.aws.found.io

deploy/tf/alb.tf

@@ -0,0 +1,41 @@
+resource "aws_lb_target_group" "app" {
+  name        = "${var.app_name}-${var.environment}"
+  port        = var.app_port
+  protocol    = "HTTP"
+  target_type = "ip"
+  vpc_id      = local.vpc_id
+
+  health_check {
+    enabled = true
+    path    = "/health"
+  }
+}
+
+resource "aws_route53_record" "app" {
+  for_each = toset(var.app_hostnames)
+  zone_id  = local.domain_zone_id
+  name     = each.value
+  type     = "A"
+
+  alias {
+    name                   = local.alb_dns_name
+    zone_id                = local.alb_zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "aws_lb_listener_rule" "app_fgate" {
+  for_each     = toset(var.app_hostnames)
+  listener_arn = local.alb_https_listener_arn
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.app.arn
+  }
+
+  condition {
+    host_header {
+      values = [aws_route53_record.app[each.value].fqdn]
+    }
+  }
+}

deploy/tf/aws_details.tf

@@ -0,0 +1,2 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}