Merge pull request #3 from pagopa/update-actions-and-readme

Actions update and docs

Author: uolter

.github/workflows/apply/action.yml

@@ -0,0 +1,41 @@
+name: apply
+description: "Run terraform apply"
+
+inputs:
+  env:
+    required: true
+    type: string
+  working-directory:
+    required: true
+    type: string
+
+runs:
+  using: "composite"
+  steps:
+    - name: Read terraform version 
+      id: read-version
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        echo "TERRAFORM_VERSION=`cat ../.terraform-version`" >> $GITHUB_ENV
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
+      with:
+        terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+    - name: Terraform Init
+      id: init
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        e=${{ inputs.env }}
+        ./terraform.sh init ${e%"_w"}
+
+    - name: Terraform Apply
+      id: apply
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: |
+        e=${{ inputs.env }}
+        ./terraform.sh apply ${e%"_w"} -auto-approve

.github/workflows/terraform-apply.yml

@@ -21,69 +21,70 @@ on:
       environment:
         description: 'Which environment to update.'
         type: choice
-        default: uat
-        required: true 
+        required: true
+        default: dev
         options:
+        - dev
         - uat
-        - prod
 
-defaults:
-  run:
-    shell: bash
-    working-directory: src/main
 
 jobs:
-  get-env:
-    name: "get-environment"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Get Environment
-        id: get-env
-        run: | 
-          USER_INPUT=${{ github.event.inputs.environment }}
-          echo "ret=${USER_INPUT:-"uat"}" >> $GITHUB_OUTPUT
-    outputs:
-     ret: ${{ steps.get-env.outputs.ret }}
-  terraform:
-    needs: [get-env]
+  manual-trigger:
+    if: "${{ github.event.inputs.environment != '' }}"
     name: "terraform-apply"
     runs-on: ubuntu-latest
+    continue-on-error: false
     permissions:
       id-token: write   # This is required for requesting the JWT
       contents: read    # This is required for actions/checkout
-    environment:
-      name: ${{ needs.get-env.outputs.ret }}
+    environment: ${{ inputs.environment }}
+
     steps:
       - name: Checkout
-        uses: actions/checkout@v2
-         
+        uses: actions/checkout@v3
+
       - name: Configure AWS Credentials
         env:
           AWS_REGION: eu-south-1
-          
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
         with:
           role-to-assume: ${{ secrets.IAM_ROLE }}
           aws-region: ${{ env.AWS_REGION }}
-
-      - name: Read terraform version 
-        id: read-version
-        run: |
-          echo "TERRAFORM_VERSION=`cat ../.terraform-version`" >> $GITHUB_ENV
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+      
+      - name: Apply
+        uses: ./.github/workflows/apply
         with:
-          terraform_version: ${{ env.TERRAFORM_VERSION }}
+          env: ${{ inputs.environment }}
+          working-directory: src/main
+
+  merge-trigger:
+      if: "${{ github.event.inputs.environment == '' }} && github.ref == 'refs/heads/main'"
+      name: "terraform-apply"
+      strategy:
+        max-parallel: 1
+        matrix:
+          environment: [dev, uat, prod_w]
+      runs-on: ubuntu-latest
+      continue-on-error: false
+      environment: ${{ matrix.environment }}
+      permissions:
+        id-token: write   # This is required for requesting the JWT
+        contents: read    # This is required for actions/checkout
 
-      - name: Terraform Init
-        id: init
-        run: |
-          ./terraform.sh init ${{ needs.get-env.outputs.ret }}
+      steps:
+        - name: Checkout
+          uses: actions/checkout@v3
 
-      - name: Terraform Apply
-        id: apply
-        run: |
-          ./terraform.sh apply ${{ needs.get-env.outputs.ret }} -auto-approve
+        - name: Configure AWS Credentials
+          env:
+            AWS_REGION: eu-south-1
+          uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
+          with:
+            role-to-assume: ${{ secrets.IAM_ROLE }}
+            aws-region: ${{ env.AWS_REGION }}
+        
+        - name: Apply
+          uses: ./.github/workflows/apply
+          with:
+            env: ${{ matrix.environment }}
+            working-directory: src/main

.github/workflows/terraform-plan.yml

@@ -1,7 +1,11 @@
 name: "Terraform-Plan"
 
 on:
-  pull_request:
+  push:
+    branches:
+      - '**'        # matches every branch
+      - '!main'     # excludes main
+      - '!master'     # excludes master
     paths:
       - 'src/main/**'
       - '.github/workflows/*.yml'
@@ -19,7 +23,7 @@ jobs:
   terraform:
     strategy:
       matrix:
-        environment: [uat, prod]
+        environment: [dev, uat, prod]
     name: "terraform-plan"
     runs-on: ubuntu-latest
     environment: ${{ matrix.environment }}
@@ -31,7 +35,7 @@ jobs:
       - name: Configure AWS Credentials
         env:
           AWS_REGION: eu-south-1
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
         with:
           role-to-assume: ${{ secrets.IAM_ROLE }}
           aws-region: ${{ env.AWS_REGION }}
@@ -42,7 +46,7 @@ jobs:
           echo "TERRAFORM_VERSION=`cat ../.terraform-version`" >> $GITHUB_ENV
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
+        uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1
         with:
           terraform_version: ${{ env.TERRAFORM_VERSION }}
 

README.md

@@ -1,18 +1,18 @@
 # Project Name
-Template useful to create a AWS terraform projects
+Template useful to create a AWS infrastructures with terraform
 
 
 ## Howo to use this template
 
 1. Create your github repository starting form this template.
-2. Configure your aws cli and set the [credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Also refer the conflunece page to work with [AWS SSO](https://pagopa.atlassian.net/wiki/spaces/DEVOPS/pages/466846955/AWS+-+Users+groups+and+roles#SSO-with-GSuite).
-3. The __src/init__ directory contains the terraform code to setup the S3 backend the Dynamodb lock table and the iam role to use in the github actions
-4. The __src/main__ directory cointains the terraform code to setup the infrastructure core infrastructure.
+2. Configure your **aws cli** and set the [credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html). Also refer the confluence page to work with [AWS SSO](https://pagopa.atlassian.net/wiki/spaces/DEVOPS/pages/466846955/AWS+-+Users+groups+and+roles#SSO-with-GSuite).
+3. The __./src/init__ directory contains the terraform code to setup the S3 backend, the Dynamodb lock table, github openid connection and the iam role to use in the github actions
+4. The __./src/main__ directory cointains the terraform code to setup the core infrastructure.
 5. The __.github/workflows__ directory contains two yaml files to run a terraform plan and apply actions. They need a github environment secret to be created: IAM_ROLE (see below.)
 
 ## Requirements
 
-You need the following tools to work on your laptop 
+The following tools are required to setup the project locally. 
 
 1. [aws cli](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) installed.
 2. [tfenv](https://github.com/tfutils/tfenv) to mange terraform versions.
@@ -47,15 +47,26 @@ cd src/main
 
 In the repository two github actions are already provided:
 
-* **terraform-plan**: it runs every time a new Pull request(PR) is created and every time a push is made within the PR branch. It runs terraform plan through all the environments.
+* **terraform-plan**: it runs every time new code is pushed in every branch excluded main and master. It runs terraform plan through all the environments in parallel.
+
+* **terraform-apply**: it run terraform apply in all the environments once a PR is merged with main.
+  * The apply in PROD should require an approval: it depends on the Environment protection rules.
+  * It can also be triggerd manually in all the environment expect main.
+
+
+![](./docs/gitaction-workflow.png)
 
-* **terraform-apply**: it runs terraform apply in one of the environment (uat by default) every time a PR is merged into main branch or it can be triggered manually and users have the facolty to choose on which environment to apply it.
 
 ### Configurations
 
-* Create [github environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) for uat and prod.
+* Create [github environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) for every environments:**dev**, **uat**, **prod**, and **prod_w**.
+* **prod_w** is like prod but it is meant to be used only in the apply action in production. 
+
+![](docs/github-environments.png)
 
-* In each environmen create a secret named **IAM_ROLE** and set as a value the **arn** of the role created at the very beginnig when you set up the environment. 
+* In each environment create a secret named **IAM_ROLE** and set its value with the **arn** of the role created at the very beginnig (init).
+* Within **prod_w** set two **Environment protection rules** as shown in the screenshot below:
+![](docs/protection-rules-and-secrets.png)
 
 
 ## Referencees