chore(app): define infrastructure with iac (#97)

* chore(backend): define infrastructure using iac * fix: tf var * fix: tf var * fix: tf plan comment * fix: tf plan comment * fix: tf plan comment * fix: tf dns zone * fix: run plan on change * fix: run plan on change * fix: run plan on change * fix: run plan on change * fix: run plan on change * fix: run all folder * fix: run all folders * fix: run all folders * fix: run all folders * fix: define actions for tf apply * fix: plan output comment
tericcabrel · Aug 4, 2024 · d454b52 · d454b52
1 parent 2d803b4
commit d454b52
Show file tree

Hide file tree

Showing 32 changed files with 1,272 additions and 5 deletions.
diff --git a/.github/actions/terraform-apply/action.yml b/.github/actions/terraform-apply/action.yml
@@ -0,0 +1,42 @@
+name: Run Terraform apply on every applicable directory
+description: 'Terraform apply'
+inputs:
+  APP_NAME:
+    required: true
+    description: 'The name of the application'
+  TF_DIRECTORY:
+    required: true
+    description: 'The directory to run Terraform apply on'
+  TF_WORKSPACE:
+    required: true
+    description: 'The Terraform workspace to use'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.9.2
+
+    - name: Upload Configuration
+      uses: hashicorp/tfc-workflows-github/actions/[email protected]
+      id: apply-upload
+      with:
+        workspace: ${{ inputs.TF_WORKSPACE }}
+        directory: ${{ inputs.TF_DIRECTORY }}
+
+    - name: Create Apply Run
+      uses: hashicorp/tfc-workflows-github/actions/[email protected]
+      id: apply-run
+      with:
+        workspace: ${{ env.TF_WORKSPACE }}
+        configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
+
+    - name: Apply
+      uses: hashicorp/tfc-workflows-github/actions/[email protected]
+      if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
+      id: apply
+      with:
+        run: ${{ steps.apply-run.outputs.run_id }}
+        comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"
diff --git a/.github/actions/terraform-plan/action.yml b/.github/actions/terraform-plan/action.yml
@@ -0,0 +1,79 @@
+name: Run Terraform Plan on every applicable directory
+description: 'Terraform Plan'
+inputs:
+  APP_NAME:
+    required: true
+    description: 'The name of the application'
+  TF_DIRECTORY:
+    required: true
+    description: 'The directory to run Terraform Plan on'
+  TF_WORKSPACE:
+    required: true
+    description: 'The Terraform workspace to use'
+  GITHUB_TOKEN:
+    required: true
+    description: 'The GitHub token to use'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: 1.9.2
+
+    - name: Upload Configuration
+      uses: hashicorp/tfc-workflows-github/actions/[email protected]
+      id: plan-upload
+      with:
+        workspace: ${{ inputs.TF_WORKSPACE }}
+        directory: ${{ inputs.TF_DIRECTORY }}
+        speculative: true
+
+    - name: Create Plan Run
+      uses: hashicorp/tfc-workflows-github/actions/[email protected]
+      id: plan-run
+      with:
+        workspace: ${{ inputs.TF_WORKSPACE }}
+        configuration_version: ${{ steps.plan-upload.outputs.configuration_version_id }}
+        plan_only: true
+
+    - name: Get Plan Output
+      uses: hashicorp/tfc-workflows-github/actions/[email protected]
+      id: plan-output
+      with:
+        plan: ${{ fromJSON(steps.plan-run.outputs.payload).data.relationships.plan.data.id }}
+
+    - name: Update Pull Request
+      uses: actions/github-script@v6
+      id: plan-comment
+      with:
+        github-token: ${{ inputs.GITHUB_TOKEN }}
+        script: |
+          const { data: comments } = await github.rest.issues.listComments({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            issue_number: context.issue.number,
+          });
+          const botComment = comments.find(comment => {
+            return comment.user.type === 'Bot' && comment.body.includes('${{ inputs.APP_NAME }} - HCP Terraform Plan Output')
+          });
+          const output = `#### ${{ inputs.APP_NAME }} - HCP Terraform Plan Output
+          \`\`\`
+          Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy.
+          \`\`\`
+          [View changes in detail](${{ steps.plan-run.outputs.run_link }})
+          `;
+          if (botComment) {
+            github.rest.issues.deleteComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              comment_id: botComment.id,
+            });
+          }
+          github.rest.issues.createComment({
+            issue_number: context.issue.number,
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+            body: output
+          });
diff --git a/.github/workflows/deploy-backend.yml b/.github/workflows/deploy-backend.yml
@@ -58,7 +58,7 @@ jobs:
         env:
           REGISTRY: public.ecr.aws/x9y5g9l2
           REGION: us-east-1 # Public ECR aren't region specific
-          REPOSITORY: ${{ (github.ref == 'refs/heads/main' && 'snipcode') || 'snipcode-dev' }}
+          REPOSITORY: ${{ (github.ref == 'refs/heads/main' && 'snipcode-backend-prod') || 'snipcode-backend-dev' }}
           IMAGE_TAG: ${{ inputs.version }}
         run: |
           aws ecr-public get-login-password --region $REGION | docker login --username AWS --password-stdin $REGISTRY
@@ -76,6 +76,4 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Deploy the application
-        run: |
-          touch file.json && echo '${{ secrets.CORE_APP_ARN }}' > file.json
-          aws apprunner start-deployment --region $AWS_DEFAULT_REGION --cli-input-json file://file.json
+        run: aws apprunner start-deployment --region $AWS_DEFAULT_REGION --service-arn ${{ secrets.CORE_APP_ARN }}
diff --git a/.github/workflows/infra-deploy.yml b/.github/workflows/infra-deploy.yml
@@ -0,0 +1,117 @@
+name: Infrastructure Deploy
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - '_infra/credentials/**/*.tf'
+      - '_infra/global/**/*.tf'
+      - 'apps/backend/_infra/prod/storage/**/*.tf'
+      - 'apps/backend/_infra/prod/compute/**/*.tf'
+
+env:
+  TF_API_TOKEN: "${{ secrets.TERRAFORM_API_TOKEN }}"
+  TF_CLOUD_ORGANIZATION: ${{ secrets.TERRAFORM_CLOUD_ORGANIZATION }}
+  TF_VAR_organization: "\"${{ secrets.TERRAFORM_CLOUD_ORGANIZATION }}\""
+
+jobs:
+  apply-credentials:
+    runs-on: ubuntu-latest
+
+    outputs:
+      infraChanged: ${{ steps.infra-changed.outputs.any_changed }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if infra files changed
+        id: infra-changed
+        uses: tj-actions/changed-files@v44
+        with:
+          files: |
+            _infra/credentials/**/*.tf
+
+      - name: Run terraform apply
+        if: ${{ steps.infra-changed.outputs.any_changed == 'true' }}
+        uses: ./.github/actions/terraform-apply
+        with:
+          APP_NAME: 'App Credentials'
+          TF_DIRECTORY: '_infra/credentials'
+          TF_WORKSPACE: 'snipcode-credentials'
+
+  apply-global:
+    runs-on: ubuntu-latest
+
+    outputs:
+      infraChanged: ${{ steps.infra-changed.outputs.any_changed }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if infra files changed
+        id: infra-changed
+        uses: tj-actions/changed-files@v44
+        with:
+          files: |
+            _infra/global/**/*.tf
+
+      - name: Run terraform apply
+        if: ${{ steps.infra-changed.outputs.any_changed == 'true' }}
+        uses: ./.github/actions/terraform-apply
+        with:
+          APP_NAME: 'App Global'
+          TF_DIRECTORY: '_infra/global'
+          TF_WORKSPACE: 'snipcode-global-prod'
+
+  apply-backend-storage:
+    runs-on: ubuntu-latest
+
+    outputs:
+      infraChanged: ${{ steps.infra-changed.outputs.any_changed }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if infra files changed
+        id: infra-changed
+        uses: tj-actions/changed-files@v44
+        with:
+          files: |
+            apps/backend/_infra/prod/storage/**/*.tf
+
+      - name: Run terraform apply
+        if: ${{ steps.infra-changed.outputs.any_changed == 'true' }}
+        uses: ./.github/actions/terraform-apply
+        with:
+          APP_NAME: 'Backend Storage'
+          TF_DIRECTORY: 'apps/backend/_infra/prod/storage'
+          TF_WORKSPACE: 'snipcode-backend-storage-prod'
+
+  apply-backend-compute:
+    runs-on: ubuntu-latest
+
+    outputs:
+      infraChanged: ${{ steps.infra-changed.outputs.any_changed }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if infra files changed
+        id: infra-changed
+        uses: tj-actions/changed-files@v44
+        with:
+          files: |
+            apps/backend/_infra/prod/compute/**/*.tf
+
+      - name: Run terraform apply
+        if: ${{ steps.infra-changed.outputs.any_changed == 'true' }}
+        uses: ./.github/actions/terraform-apply
+        with:
+          APP_NAME: 'Backend Compute'
+          TF_DIRECTORY: 'apps/backend/_infra/prod/compute'
+          TF_WORKSPACE: 'snipcode-backend-compute-prod'
diff --git a/.github/workflows/infra-plan.yml b/.github/workflows/infra-plan.yml
@@ -0,0 +1,119 @@
+name: Infrastructure Plan
+
+on:
+  pull_request:
+    paths:
+      - '_infra/credentials/**/*.tf'
+      - '_infra/global/**/*.tf'
+      - 'apps/backend/_infra/prod/storage/**/*.tf'
+      - 'apps/backend/_infra/prod/compute/**/*.tf'
+
+env:
+  TF_API_TOKEN: "${{ secrets.TERRAFORM_API_TOKEN }}"
+  TF_CLOUD_ORGANIZATION: ${{ secrets.TERRAFORM_CLOUD_ORGANIZATION }}
+  TF_VAR_organization: "\"${{ secrets.TERRAFORM_CLOUD_ORGANIZATION }}\""
+
+jobs:
+  plan-credentials:
+    runs-on: ubuntu-latest
+
+    outputs:
+      infraChanged: ${{ steps.infra-changed.outputs.any_changed }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if infra files changed
+        id: infra-changed
+        uses: tj-actions/changed-files@v44
+        with:
+          files: |
+            _infra/credentials/**/*.tf
+
+      - name: Run terraform plan
+        if: ${{ steps.infra-changed.outputs.any_changed == 'true' }}
+        uses: ./.github/actions/terraform-plan
+        with:
+          APP_NAME: 'App Credentials'
+          TF_DIRECTORY: '_infra/credentials'
+          TF_WORKSPACE: 'snipcode-credentials'
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  plan-global:
+    runs-on: ubuntu-latest
+
+    outputs:
+      infraChanged: ${{ steps.infra-changed.outputs.any_changed }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if infra files changed
+        id: infra-changed
+        uses: tj-actions/changed-files@v44
+        with:
+          files: |
+            _infra/global/**/*.tf
+
+      - name: Run terraform plan
+        if: ${{ steps.infra-changed.outputs.any_changed == 'true' }}
+        uses: ./.github/actions/terraform-plan
+        with:
+          APP_NAME: 'App Global'
+          TF_DIRECTORY: '_infra/global'
+          TF_WORKSPACE: 'snipcode-global-prod'
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  plan-backend-storage:
+    runs-on: ubuntu-latest
+
+    outputs:
+      infraChanged: ${{ steps.infra-changed.outputs.any_changed }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if infra files changed
+        id: infra-changed
+        uses: tj-actions/changed-files@v44
+        with:
+          files: |
+            apps/backend/_infra/prod/storage/**/*.tf
+
+      - name: Run terraform plan
+        if: ${{ steps.infra-changed.outputs.any_changed == 'true' }}
+        uses: ./.github/actions/terraform-plan
+        with:
+          APP_NAME: 'Backend Storage'
+          TF_DIRECTORY: 'apps/backend/_infra/prod/storage'
+          TF_WORKSPACE: 'snipcode-backend-storage-prod'
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  plan-backend-compute:
+    runs-on: ubuntu-latest
+
+    outputs:
+      infraChanged: ${{ steps.infra-changed.outputs.any_changed }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if infra files changed
+        id: infra-changed
+        uses: tj-actions/changed-files@v44
+        with:
+          files: |
+            apps/backend/_infra/prod/compute/**/*.tf
+
+      - name: Run terraform plan
+        if: ${{ steps.infra-changed.outputs.any_changed == 'true' }}
+        uses: ./.github/actions/terraform-plan
+        with:
+          APP_NAME: 'Backend Compute'
+          TF_DIRECTORY: 'apps/backend/_infra/prod/compute'
+          TF_WORKSPACE: 'snipcode-backend-compute-prod'
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -52,3 +52,7 @@ key.txt
 .yarn/build-state.yml
 .yarn/install-state.gz
 .vercel
+
+.env
+
+.terraform
diff --git a/_infra/.env.template b/_infra/.env.template
@@ -0,0 +1,2 @@
+TF_CLOUD_ORGANIZATION=
+TF_VAR_organization=