From b10acaffec11ee14d6bf30045fece1a75f249e96 Mon Sep 17 00:00:00 2001 
From: William Black <125844868+smokestacklightnin@users.noreply.github.com> Date: Thu, 31 Oct 2024 06:30:51 -0700 Subject: [PATCH] Add workflows to deploy AWS infrastructure with OpenTofu and to deploy Docker (#69) --- .github/workflows/build-docker.yml | 75 ++++++++++ .github/workflows/deploy-docker.yml | 93 +++++++++++++ .github/workflows/deploy-opentofu.yml | 130 ++++++++++++++++++ .github/workflows/{ => deprecated}/deploy.yml | 0 .github/workflows/docker-up.yml | 77 +++++++++++ .github/workflows/tests.yml | 3 + osm/schemas/schema_helpers.py | 6 +- web/api/Dockerfile | 3 +- web/dashboard/Dockerfile | 3 +- web/deploy/{ => deprecated}/deploy.py | 0 .../{ => deprecated}/docker-compose.yaml.j2 | 0 web/deploy/docker-compose.yaml | 73 ++++++++++ web/deploy/terraform/modules/ec2/main.tf | 8 +- .../modules/ec2/scripts/install-docker.sh | 22 +-- web/deploy/terraform/modules/ec2/variables.tf | 5 + web/deploy/terraform/modules/iam/main.tf | 17 ++- ...ssume-role.json => assume-role.json.tftpl} | 3 +- .../iam/policies/gha-policy.json.tftpl | 8 +- web/deploy/terraform/modules/iam/variables.tf | 6 + web/deploy/terraform/production/main.tf | 1 + web/deploy/terraform/production/variables.tf | 5 + web/deploy/terraform/shared/main.tf | 1 + web/deploy/terraform/shared/variables.tf | 6 + web/deploy/terraform/staging/main.tf | 1 + web/deploy/terraform/staging/variables.tf | 5 + 25 files changed, 531 insertions(+), 20 deletions(-) create mode 100644 .github/workflows/build-docker.yml create mode 100644 .github/workflows/deploy-docker.yml create mode 100644 .github/workflows/deploy-opentofu.yml rename .github/workflows/{ => deprecated}/deploy.yml (100%) create mode 100644 .github/workflows/docker-up.yml rename web/deploy/{ => deprecated}/deploy.py (100%) rename web/deploy/{ => deprecated}/docker-compose.yaml.j2 (100%) create mode 100644 web/deploy/docker-compose.yaml rename web/deploy/terraform/modules/iam/policies/{assume-role.json => assume-role.json.tftpl} (83%) 
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml new file mode 100644 index 00000000..b709f90a --- /dev/null +++ b/.github/workflows/build-docker.yml 
@@ -0,0 +1,75 @@ +name: Docker Build Workflow + +on: + workflow_call: + inputs: + deployment: + required: true + type: string + aws_region: + description: 'AWS region' + type: string + required: false + default: 'us-east-1' + +jobs: + build: + runs-on: ubuntu-latest + services: + registry: + image: registry:2 + ports: + - 5000:5000 + steps: + - name: Checkout code + uses: actions/checkout@v4.2.2 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ inputs.aws_region }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role-shared + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + driver-opts: network=host + + - name: Login to Amazon ECR + id: login-ecr + uses: aws-actions/amazon-ecr-login@v2 + + - name: Compute image tag + id: compute-image-tag + run: | + short_sha=$(git rev-parse --short ${{ github.sha }}) + echo "tag=${{ steps.login-ecr.outputs.registry }}/${{ inputs.deployment }}-shared:$short_sha" >> $GITHUB_OUTPUT + echo "short_sha=$short_sha" >> $GITHUB_OUTPUT + + - name: Check for image tag + id: check-image-tag + run: | + found_tag=$(aws ecr list-images --repository-name ${{ inputs.deployment }}-shared --region ${{ inputs.aws_region }} --query 'imageIds[*].imageTag' | grep -q "${{ steps.compute-image-tag.outputs.short_sha }}"; echo $?) + echo "found_tag=$found_tag" >> $GITHUB_OUTPUT + + - name: Build base Docker image + # only build if the image tag doesn't exist + if: steps.check-image-tag.outputs.found_tag == 1 + uses: docker/build-push-action@v6 + with: + context: . + push: true + file: Dockerfile.base + tags: localhost:5000/osm/osm_base + + - name: Build and push Docker image + # only build if the image tag doesn't exist + if: steps.check-image-tag.outputs.found_tag == 1 + uses: docker/build-push-action@v6 + with: + context: . 
+ push: true + tags: ${{ steps.compute-image-tag.outputs.tag }} + file: web/${{ inputs.deployment }}/Dockerfile + build-args: | + BASE_IMAGE=localhost:5000/osm/osm_base diff --git a/.github/workflows/deploy-docker.yml b/.github/workflows/deploy-docker.yml new file mode 100644 index 00000000..72889d18 --- /dev/null +++ b/.github/workflows/deploy-docker.yml 
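Review bot: The `Check for image tag` step reports "tag not found" whenever `aws ecr list-images` fails, because the pipeline's exit status comes only from `grep -q` and the script has no `set -euo pipefail`; an auth or region error would silently trigger a rebuild and push instead of failing the job. The `grep` is also a substring match across the whole JSON array, so a short SHA that happens to appear inside another tag is reported as present. An exact lookup such as `aws ecr describe-images --repository-name ${{ inputs.deployment }}-shared --image-ids imageTag=$short_sha` combined with `set -euo pipefail` distinguishes "absent" from "could not query", and `if: steps.check-image-tag.outputs.found_tag == 1` can then key off an explicit output written only on a clean result.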
@@ -0,0 +1,93 @@ +name: Push to Docker image to AWS ECR and deploy to AWS EC2 + +on: + workflow_dispatch: + inputs: + development-environment: + description: Development environment to deploy to. + required: true + default: staging + type: choice + options: + - staging + - production + pull_request: + branches: + - main + types: + - closed + paths-ignore: + - 'web/deploy/terraform/**' + workflow_call: + inputs: + development-environment: + description: Development environment to deploy to. Usually `staging` or `production` + required: true + default: staging + type: string + +permissions: + id-token: write + contents: read + +jobs: + set-development-environment: + runs-on: ubuntu-latest + name: Set development environment + outputs: + development-environment: ${{ steps.set-development-environment.outputs.development-environment }} + steps: + - name: Set development environment + id: set-development-environment + run: | + if [[ "${{ github.event_name }}" == 'pull_request' || "${{ inputs.development-environment }}" == 'staging' ]]; then + echo "development-environment=staging" >> $GITHUB_OUTPUT + else + echo "development-environment=production" >> $GITHUB_OUTPUT + fi + cat "$GITHUB_OUTPUT" + cat "$GITHUB_OUTPUT" | grep 'development-environment' + + infrastructure-modified: + runs-on: ubuntu-latest + name: Check for modified infrastructure + outputs: + modified-files: ${{ steps.set-output.outputs.modified-files }} + steps: + - uses: actions/checkout@v4 + name: Checkout repository + + - name: Get modified infrastructure configuration + id: infrastructure-modified + uses: tj-actions/changed-files@v45 + with: + files: | + web/deploy/terraform/** + + - name: Set modified output + id: set-output + env: + MODIFIED_FILES: ${{ steps.infrastructure-modified.outputs.any_modified }} + run: | + echo "modified-files=${MODIFIED_FILES}" >> $GITHUB_OUTPUT + + build-and-push: + needs: [infrastructure-modified, set-development-environment] + strategy: + matrix: + deployment: ["api", 
"dashboard"] + uses: ./.github/workflows/build-docker.yml + if: ( (github.event_name == 'pull_request' && github.event.pull_request.merged == true && needs.infrastructure-modified.outputs.modified-files != 'true' && needs.set-development-environment.result == 'success') || (github.event_name == 'workflow_dispatch') || (github.event_name == 'workflow_call') ) + secrets: inherit + with: + deployment: ${{ matrix.deployment }} + + docker-up: + needs: [build-and-push, set-development-environment, infrastructure-modified] + if: ${{ always() && !cancelled() && needs.build-and-push.result == 'success' && ( (github.event_name == 'pull_request' && github.event.pull_request.merged == 'true' && needs.infrastructure-modified.outputs.modified-files != 'true') || (github.event_name == 'workflow_dispatch') || (github.event_name == 'push') || (github.event_name == 'workflow_call') )}} + name: Deploy and run Docker images on EC2 + uses: ./.github/workflows/docker-up.yml + secrets: inherit + with: + development-environment: ${{ needs.set-development-environment.outputs.development-environment }} + diff --git a/.github/workflows/deploy-opentofu.yml b/.github/workflows/deploy-opentofu.yml new file mode 100644 index 00000000..6a95f2fd --- /dev/null +++ b/.github/workflows/deploy-opentofu.yml 
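Review bot: The `docker-up` job's `if` compares `github.event.pull_request.merged == 'true'` against a string, while `build-and-push` a few lines above uses `== true`; `merged` is a boolean in the event payload and, under the expression engine's documented loose comparison (mismatched types are coerced to numbers, non-numeric strings become NaN), the string form should never evaluate true, so the deploy would be skipped on exactly the merged pull requests it is meant to serve. Changing it to `github.event.pull_request.merged == true` makes the two conditions agree. The `github.event_name == 'workflow_call'` alternatives in both jobs look dead as well: when this workflow is invoked from another workflow, `github.event_name` carries the caller's triggering event, so a caller on `push` passes the `docker-up` condition but not the `build-and-push` one. In `set-development-environment`, `${{ inputs.development-environment }}` is expanded directly into the bash script; routing it through an `env:` variable and quoting it (`"$DEV_ENV"`) avoids the expression-injection pattern even though the current inputs are constrained.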
@@ -0,0 +1,130 @@ +name: Deploy OpenTofu + +on: + push: + branches: + - '**' + - '!main' + paths: + - 'web/deploy/terraform/**' + workflow_dispatch: + inputs: + development-environment: + description: Development environment to deploy to. + required: true + default: staging + type: choice + options: + - staging + - production + pull_request: + branches: + - main + types: + - closed + paths: + - 'web/deploy/terraform/**' +env: + working_directory_parent: ./web/deploy/terraform + TF_VAR_AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} + +permissions: + id-token: write + contents: read + +jobs: + set-development-environment: + runs-on: ubuntu-latest + name: Set development environment + outputs: + development-environment: ${{ steps.set-development-environment.outputs.development-environment }} + steps: + - name: Set development environment + id: set-development-environment + run: | + if [[ "${{ github.event_name }}" == 'workflow_dispatch' && "${{ inputs.development-environment }}" == 'production' ]]; then + echo 'development-environment=production' >> "$GITHUB_OUTPUT" + else + echo 'development-environment=staging' >> "$GITHUB_OUTPUT" + fi + cat "$GITHUB_OUTPUT" + cat "$GITHUB_OUTPUT" | grep 'development-environment' + + deploy-shared-resources: + needs: [set-development-environment] + if: ${{ always() && !cancelled() && needs.set-development-environment.result == 'success' && needs.set-development-environment.outputs.development-environment == 'staging' }} + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v4.2.2 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ secrets.AWS_REGION }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role-shared + + - name: Setup OpenTofu + uses: opentofu/setup-opentofu@v1 + + - name: Initialize shared resources + working-directory: ${{ env.working_directory_parent }}/shared + run: | + tofu init + + - name: Plan 
resources + working-directory: ${{ env.working_directory_parent }}/shared + run: | + tofu plan -no-color -detailed-exitcode -out=tfplan + continue-on-error: true + + - name: Deploy shared resources + if: ${{ github.event_name != 'push' }} + working-directory: ${{ env.working_directory_parent }}/shared + run: | + tofu apply -no-color -auto-approve tfplan + + deploy-environments: + needs: [deploy-shared-resources, set-development-environment] + runs-on: ubuntu-latest + if: ${{ always() && !cancelled() && (needs.deploy-shared-resources.result == 'success' || (needs.deploy-shared-resources.result == 'skipped' && github.event_name == 'workflow_dispatch')) }} + env: + TF_VAR_PUBLIC_KEY: ${{ secrets.SSH_PUBLIC_KEY }} + steps: + - name: Checkout code + uses: actions/checkout@v4.2.2 + + - name: Configure AWS credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{ secrets.AWS_REGION }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/github-actions-role-shared + + - name: Setup OpenTofu + uses: opentofu/setup-opentofu@v1 + + - name: Initialize resources + working-directory: ${{ env.working_directory_parent }}/${{ needs.set-development-environment.outputs.development-environment }} + run: | + tofu init + + - name: Plan resources + working-directory: ${{ env.working_directory_parent }}/${{ needs.set-development-environment.outputs.development-environment }} + run: | + tofu plan -no-color -detailed-exitcode -out=tfplan + continue-on-error: true + + - name: Deploy resources + if: ${{ github.event_name != 'push' }} + working-directory: ${{ env.working_directory_parent }}/${{ needs.set-development-environment.outputs.development-environment }} + run: | + tofu apply -no-color -auto-approve tfplan + + deploy-docker: + needs: [deploy-environments, set-development-environment] + if: ${{ always() && !cancelled() && needs.deploy-environments.result == 'success' && github.event_name != 'push' }} + name: Push and deploy Docker images to EC2 
+ uses: ./.github/workflows/deploy-docker.yml + secrets: inherit + with: + development-environment: ${{ needs.set-development-environment.outputs.development-environment }} diff --git a/.github/workflows/deploy.yml b/.github/workflows/deprecated/deploy.yml similarity index 100% rename from .github/workflows/deploy.yml rename to .github/workflows/deprecated/deploy.yml diff --git a/.github/workflows/docker-up.yml b/.github/workflows/docker-up.yml new file mode 100644 index 00000000..af723da8 --- /dev/null +++ b/.github/workflows/docker-up.yml @@ -0,0 +1,77 @@ +name: Execute `docker compose up` + +on: + workflow_call: + inputs: + development-environment: + description: Development environment to deploy to. Usually `staging` or `production` + required: true + default: staging + type: string + +jobs: + deploy: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4.2.2 + + - name: Get image tag + run: | + echo "RELEASE_TAG=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV + + - name: Set host URI + env: + SSH_PROD_HOST: ${{ secrets.SSH_PROD_HOST }} + SSH_STAGE_HOST: ${{ secrets.SSH_STAGE_HOST }} + run: | + if [[ ${{ inputs.development-environment }} == 'production' ]]; then + echo "HOST_URI=${SSH_PROD_HOST}" >> $GITHUB_ENV + else + echo "HOST_URI=${SSH_STAGE_HOST}" >> $GITHUB_ENV + fi + + - name: Configure SSH + env: + PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }} + DEPLOY_USERNAME: ${{ secrets.DEPLOYMENT_USERNAME }} + run: | + mkdir -p ~/.ssh/ + echo "$PRIVATE_KEY" > ~/.ssh/aws + chmod 600 ~/.ssh/aws + cat >>~/.ssh/config < Iterator[dict] if aggregation is None: aggregation = [ { - "$match": { - "metrics_group": { - "$regex": "R" - } - }, + "$match": {"metrics_group": {"$regex": "R"}}, }, { "$project": { diff --git a/web/api/Dockerfile b/web/api/Dockerfile index fe703eb7..89a18f61 100644 --- a/web/api/Dockerfile +++ b/web/api/Dockerfile 
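Review bot: The apply steps in `deploy-shared-resources` and `deploy-environments` are gated only on `github.event_name != 'push'`, and the `pull_request` trigger fires on `closed` whether or not the PR was merged, so a pull request closed without merging still reaches `tofu apply -no-color -auto-approve tfplan` with that PR's merge ref checked out; `deploy-docker.yml` in this same commit guards its equivalent path with `github.event.pull_request.merged == true`, and the same test belongs on both apply steps, e.g. `if: ${{ github.event_name == 'workflow_dispatch' || github.event.pull_request.merged == true }}`. The plan steps run with `continue-on-error: true`, so a plan that errors out leaves no `tfplan` and the job only fails later on a missing-file error that hides the real cause; checking the `-detailed-exitcode` result (0/2 proceed, 1 fail) would be clearer. Neither job declares an `environment:`, so a `workflow_dispatch` against `production` is auto-approved with no repository environment protection (required reviewers) in front of it; setting `environment: ${{ needs.set-development-environment.outputs.development-environment }}` on the jobs would let such rules gate the apply.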
@@ -1,3 +1,4 @@
-FROM osm_base
+ARG BASE_IMAGE=osm/osm_base
+FROM ${BASE_IMAGE}
 COPY ./web/api/main.py /app/app/main.py
 CMD ["fastapi", "run", "--host", "0.0.0.0", "--port", "80", "--root-path", "/api"]
diff --git a/web/dashboard/Dockerfile b/web/dashboard/Dockerfile
index ebfbf1bb..1163b835 100644
--- a/web/dashboard/Dockerfile
+++ b/web/dashboard/Dockerfile
@@ -1,4 +1,5 @@
-FROM osm_base
+ARG BASE_IMAGE=osm/osm_base
+FROM ${BASE_IMAGE}
 COPY web/dashboard/ /app
 ENV LOCAL_DATA_PATH=/opt/data/matches.parquet
 CMD ["python", "app.py"]
diff --git a/web/deploy/deploy.py b/web/deploy/deprecated/deploy.py
similarity index 100%
rename from web/deploy/deploy.py
rename to web/deploy/deprecated/deploy.py
diff --git a/web/deploy/docker-compose.yaml.j2 b/web/deploy/deprecated/docker-compose.yaml.j2
similarity index 100%
rename from web/deploy/docker-compose.yaml.j2
rename to web/deploy/deprecated/docker-compose.yaml.j2
diff --git a/web/deploy/docker-compose.yaml b/web/deploy/docker-compose.yaml
new file mode 100644
index 00000000..a360791d
--- /dev/null
+++ b/web/deploy/docker-compose.yaml
@@ -0,0 +1,73 @@ +name: osm +services: + web_api: + image: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/api-shared:${RELEASE_TAG}" + pull_policy: always + environment: + - MONGODB_URI="${MONGODB_URI}" + working_dir: /app/app + expose: + - "80" + labels: + - traefik.enable=true + - traefik.docker.network=osm_traefik-public + - traefik.http.routers.osm_web_api.rule=Host("`${HOST_URI}`") && PathPrefix(`/api`) + - "traefik.http.routers.osm_web_api.entrypoints=web,websecure" + - traefik.http.services.osm_web_api.loadbalancer.server.port=80 + - traefik.http.routers.osm_web_api.tls=true + - traefik.http.routers.osm_web_api.tls.certresolver=le + networks: + - traefik-public + restart: always + + dashboard: + image: "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com/dashboard-shared:${RELEASE_TAG}" + pull_policy: always + environment: + - MONGODB_URI="${MONGODB_URI}" + working_dir: /app + labels: + - traefik.enable=true + - traefik.docker.network=osm_traefik-public + - traefik.http.routers.dashboard.rule=Host("`${HOST_URI}`") + - traefik.http.routers.dashboard.entrypoints=web,websecure + - traefik.http.services.dashboard.loadbalancer.server.port=8501 + - traefik.http.routers.dashboard.tls=true + - traefik.http.routers.dashboard.tls.certresolver=le + expose: + - "8501" + + networks: + - traefik-public + restart: always + + reverse_proxy: + image: traefik + restart: always + command: + - --providers.docker=true + - --providers.docker.exposedbydefault=false + - --entrypoints.web.address=:80 + - --entrypoints.websecure.address=:443 + - --entryPoints.web.http.redirections.entryPoint.to=websecure + - "--certificatesresolvers.le.acme.email=${LETSENCRYPT_ADMIN_EMAIL}" + - --certificatesresolvers.le.acme.storage=/certificates/acme.json + - --certificatesresolvers.le.acme.tlschallenge=true + - --log + - --accesslog + - --log.level=DEBUG + ports: + - 80:80 + - 8080:8080 + - 443:443 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - 
traefik-public-certificates:/certificates + networks: + - traefik-public + +volumes: + traefik-public-certificates: + +networks: + traefik-public: diff --git a/web/deploy/terraform/modules/ec2/main.tf b/web/deploy/terraform/modules/ec2/main.tf index 9905395e..017b9da4 100644 --- a/web/deploy/terraform/modules/ec2/main.tf +++ b/web/deploy/terraform/modules/ec2/main.tf @@ -31,7 +31,8 @@ resource "aws_instance" "deployment" { Name = var.environment } - user_data = file("${path.module}/scripts/install-docker.sh") + user_data = file("${path.module}/scripts/install-docker.sh") + user_data_replace_on_change = true } resource "aws_eip" "deployment" { @@ -46,3 +47,8 @@ resource "aws_eip_association" "deployment" { instance_id = aws_instance.deployment.id allocation_id = aws_eip.deployment.id } + +resource "aws_key_pair" "deployer" { + key_name = "deployer-key-${var.environment}" + public_key = var.public_key +} diff --git a/web/deploy/terraform/modules/ec2/scripts/install-docker.sh b/web/deploy/terraform/modules/ec2/scripts/install-docker.sh index afd07760..0fecde07 100644 --- a/web/deploy/terraform/modules/ec2/scripts/install-docker.sh +++ b/web/deploy/terraform/modules/ec2/scripts/install-docker.sh 
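Review bot: `- MONGODB_URI="${MONGODB_URI}"` in both services' `environment` lists hands the container a value wrapped in literal double quotes, because Compose does not strip quoting from list-form entries (only `.env`/`env_file` parsing does); `- MONGODB_URI=${MONGODB_URI}` or the mapping form `MONGODB_URI: "${MONGODB_URI}"` passes the URI through unchanged. The router rules `Host("`${HOST_URI}`")` likewise nest backticks inside double quotes, so the hostname being matched would carry the backticks unless Traefik tolerates that form — verify against the rendered rule; `Host(`${HOST_URI}`)` is the conventional spelling. `image: traefik` is unpinned while the application images are pinned by `${RELEASE_TAG}`, so `pull_policy`/restarts can move the reverse proxy across major versions (rule syntax changed between v2 and v3) without any change in this repository; pin a tag or digest. `8080:8080` is published on the host although nothing in the `command` list binds an entrypoint or API to it, so it reads as an unnecessary exposure, and `--log.level=DEBUG` on an internet-facing proxy is worth a comment if it is intended to stay.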
@@ -1,9 +1,15 @@
 #!/bin/bash
-apt-get update -y
-apt install -y curl
-apt-get install -y docker.io
-curl -SL https://github.com/docker/compose/releases/download/v2.29.1/docker-compose-linux-x86_64 -o /usr/local/bin/docker-compose
-chmod a+x /usr/local/bin/docker-compose
-systemctl restart sshd
-systemctl start docker
-systemctl enable docker
+apt-get update
+apt-get install ca-certificates curl
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
+chmod a+r /etc/apt/keyrings/docker.asc
+
+# Add the repository to Apt sources:
+echo \
+ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
+ $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+ tee /etc/apt/sources.list.d/docker.list > /dev/null
+apt-get update
+apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin awscli
+usermod -aG docker ubuntu
diff --git a/web/deploy/terraform/modules/ec2/variables.tf b/web/deploy/terraform/modules/ec2/variables.tf
index 90ad3a4b..c7d1d148 100644
--- a/web/deploy/terraform/modules/ec2/variables.tf
+++ b/web/deploy/terraform/modules/ec2/variables.tf
@@ -44,3 +44,8 @@ variable "ubuntu_ami_release" {
 default = "20.04"
 type = string
 }
+
+variable "public_key" {
+ description = "The public key used to deploy to the EC2 instance via ssh"
+ type = string
+}
diff --git a/web/deploy/terraform/modules/iam/main.tf b/web/deploy/terraform/modules/iam/main.tf
index 928a0142..4c90cc9b 100644
--- a/web/deploy/terraform/modules/iam/main.tf
+++ b/web/deploy/terraform/modules/iam/main.tf
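Review bot: `apt-get install ca-certificates curl` has no `-y`, and this script runs as EC2 user data with no terminal attached, so if either package were missing apt-get would abort at the confirmation prompt while the rest of the script carried on against a half-configured host; the later `apt-get install -y …` line already shows the intended form. The script also sets no `set -euo pipefail`, so a failed key download (`curl -fsSL …`) still lets the `signed-by=` repository line be written and the final `apt-get install` run against a source that cannot be verified. `usermod -aG docker ubuntu` makes that login root-equivalent on the instance through the Docker socket, which is the trade-off the Compose deployment relies on and deserves to be stated next to it, e.g. `# NOTE: docker group membership is root-equivalent on this host`.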
@@ -52,11 +52,24 @@ resource "aws_iam_policy" "cd" { } resource "aws_iam_role" "cd" { - name = "${var.cd_iam_role_policy_name}-${var.environment}" - assume_role_policy = file("${path.module}/policies/assume-role.json") + name = "${var.cd_iam_role_policy_name}-${var.environment}" + assume_role_policy = templatefile("${path.module}/policies/assume-role.json.tftpl", + { + AWS_ACCOUNT_ID = var.AWS_ACCOUNT_ID + }, + ) } resource "aws_iam_role_policy_attachment" "cd" { role = aws_iam_role.cd.name policy_arn = aws_iam_policy.cd.arn } + +resource "aws_iam_openid_connect_provider" "github" { + url = "https://token.actions.githubusercontent.com" + + client_id_list = [ + "sts.amazonaws.com", + ] + thumbprint_list = ["1b511abead59c6ce207077c0bf0e0043b1382612"] +} diff --git a/web/deploy/terraform/modules/iam/policies/assume-role.json b/web/deploy/terraform/modules/iam/policies/assume-role.json.tftpl similarity index 83% rename from web/deploy/terraform/modules/iam/policies/assume-role.json rename to web/deploy/terraform/modules/iam/policies/assume-role.json.tftpl index e1f1d1bf..86dc0c12 100644 --- a/web/deploy/terraform/modules/iam/policies/assume-role.json +++ b/web/deploy/terraform/modules/iam/policies/assume-role.json.tftpl @@ -4,7 +4,7 @@ { "Effect": "Allow", "Principal": { - "Federated": "arn:aws:iam::123456123456:oidc-provider/token.actions.githubusercontent.com" + "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/token.actions.githubusercontent.com" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { @@ -20,3 +20,4 @@ } ] } + diff --git a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl index 6756f3dd..e5bca303 100644 --- a/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl +++ b/web/deploy/terraform/modules/iam/policies/gha-policy.json.tftpl 
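Review bot: `thumbprint_list = ["1b511abead59c6ce207077c0bf0e0043b1382612"]` in the new `aws_iam_openid_connect_provider` pins a single hard-coded value with no comment on where it came from or when it must be refreshed; in other setups a stale thumbprint has broken every role assumption after the issuer rotated its certificate chain, and AWS has since stated that for this issuer it validates against its own trust store, so the value may be largely ceremonial — confirm before relying on either assumption. A comment such as `# Issuer CA thumbprint for token.actions.githubusercontent.com; see AWS docs for whether it is still validated and how to regenerate it` would let the next maintainer act on an outage. The trust policy's `Condition` block, which should restrict `token.actions.githubusercontent.com:sub` to this repository and branch, lies outside the `assume-role.json.tftpl` hunk and cannot be reviewed here; the `resource "aws_iam_role" "cd"` change itself (templating the account id) is sound.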
@@ -13,7 +13,13 @@ }, { "Effect": "Allow", - "Action": "ecr:GetAuthorizationToken", + "Action": [ + "ecr:GetAuthorizationToken", + "s3:*", + "dynamodb:*", + "iam:*", + "ec2:*" + ], "Resource": "*" } ] diff --git a/web/deploy/terraform/modules/iam/variables.tf b/web/deploy/terraform/modules/iam/variables.tf index 7cf2733e..e0ae8cbd 100644 --- a/web/deploy/terraform/modules/iam/variables.tf +++ b/web/deploy/terraform/modules/iam/variables.tf @@ -37,3 +37,9 @@ variable "cd_iam_role_policy_name" { default = "github-actions-role" type = string } + +variable "AWS_ACCOUNT_ID" { + # All caps variable name because this is read in as an environment variable + description = "The ID of your AWS account. This should be set as an environment variable `TF_VAR_AWS_ACCOUNT_ID`." + type = string +} diff --git a/web/deploy/terraform/production/main.tf b/web/deploy/terraform/production/main.tf index afe22b53..dc063336 100644 --- a/web/deploy/terraform/production/main.tf +++ b/web/deploy/terraform/production/main.tf @@ -21,4 +21,5 @@ module "ec2" { source = "../modules/ec2/" environment = var.environment instance_type = var.instance_type + public_key = var.PUBLIC_KEY } diff --git a/web/deploy/terraform/production/variables.tf b/web/deploy/terraform/production/variables.tf index f675f09e..47a33e37 100644 --- a/web/deploy/terraform/production/variables.tf +++ b/web/deploy/terraform/production/variables.tf @@ -9,3 +9,8 @@ variable "instance_type" { default = "t3.large" type = string } + +variable "PUBLIC_KEY" { + description = "The public key used to deploy to the EC2 instance via ssh. All caps because this should be set via an environment variable." + type = string +} diff --git a/web/deploy/terraform/shared/main.tf b/web/deploy/terraform/shared/main.tf index 5595b025..94ee385c 100644 --- a/web/deploy/terraform/shared/main.tf +++ b/web/deploy/terraform/shared/main.tf 
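Review bot: The `Action` array for the GitHub Actions role grows from `ecr:GetAuthorizationToken` to `s3:*`, `dynamodb:*`, `iam:*` and `ec2:*` on `"Resource": "*"`, which makes a CI role assumable from GitHub OIDC an account administrator in effect: `iam:*` alone permits creating principals, attaching policies and rewriting this very trust policy, so a compromised workflow dependency, action, or PR author who can reach this role gains everything at once. The workflows in this commit need ECR push, and the OpenTofu jobs presumably need state storage (S3/DynamoDB) plus EC2 and IAM management for the resources under `web/deploy/terraform`; each of those can be expressed as specific actions on specific ARNs (the state bucket and lock table, the `deployer-key-*` and instance resources, the named role and policy) rather than service-wide wildcards. Splitting the Docker-deploy role from the infrastructure role would also keep `iam:*`-class permissions away from the job that runs on every merged pull request, and a `# TODO(review): scope these wildcards` comment in the template would at least record that the current form is temporary.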
@@ -38,4 +38,5 @@ module "iam_role_and_policy" { source = "../modules/iam/" environment = var.environment cd_iam_policy_resources = [module.ecr_api.arn, module.ecr_dashboard.arn] + AWS_ACCOUNT_ID = var.AWS_ACCOUNT_ID } diff --git a/web/deploy/terraform/shared/variables.tf b/web/deploy/terraform/shared/variables.tf index 62bad9f4..3329d673 100644 --- a/web/deploy/terraform/shared/variables.tf +++ b/web/deploy/terraform/shared/variables.tf @@ -3,3 +3,9 @@ variable "environment" { default = "shared" type = string } + +variable "AWS_ACCOUNT_ID" { + # All caps variable name because this is read in as an environment variable + description = "The ID of your AWS account. This should be set as an environment variable `TF_VAR_AWS_ACCOUNT_ID`." + type = string +} diff --git a/web/deploy/terraform/staging/main.tf b/web/deploy/terraform/staging/main.tf index afe22b53..dc063336 100644 --- a/web/deploy/terraform/staging/main.tf +++ b/web/deploy/terraform/staging/main.tf @@ -21,4 +21,5 @@ module "ec2" { source = "../modules/ec2/" environment = var.environment instance_type = var.instance_type + public_key = var.PUBLIC_KEY } diff --git a/web/deploy/terraform/staging/variables.tf b/web/deploy/terraform/staging/variables.tf index a97198da..bb373efb 100644 --- a/web/deploy/terraform/staging/variables.tf +++ b/web/deploy/terraform/staging/variables.tf @@ -9,3 +9,8 @@ variable "instance_type" { default = "t3.large" type = string } + +variable "PUBLIC_KEY" { + description = "The public key used to deploy to the EC2 instance via ssh. All caps because this should be set via an environment variable." + type = string +}