diff --git a/.circleci/config.yml b/.circleci/config.yml
new file mode 100644
index 0000000..7c21de1
--- /dev/null
+++ b/.circleci/config.yml
@@ -0,0 +1,129 @@ +version: 2.1 + +jobs: + terraform-validate: &terraform-validate + docker: + - image: docker.mirror.hashicorp.services/hashicorp/terraform:light + steps: + - checkout + - run: + name: Setup AWS key + command: | + eval "echo 'export AWS_ACCESS_KEY_ID=\$$AWS_ACCESS_KEY_ID_ENV_VAR'" >> $BASH_ENV + eval "echo 'export AWS_SECRET_ACCESS_KEY=\$$AWS_SECRET_ACCESS_KEY_ENV_VAR'" >> $BASH_ENV + eval "echo 'export AWS_DEFAULT_REGION=\$$AWS_REGION_ENV_VAR'" >> $BASH_ENV + - run: + name: terraform validate + command: | + cd deploy/${STAGE} && terraform init -backend-config="access_key=${AWS_ACCESS_KEY_ID_ENV_VAR}" -backend-config="secret_key=${AWS_SECRET_ACCESS_KEY_ENV_VAR}" && \ + terraform validate + + terraform-deploy: &terraform-deploy + docker: + - image: docker.mirror.hashicorp.services/hashicorp/terraform:light + steps: + - checkout + - run: + name: Setup AWS key + command: | + eval "echo 'export AWS_ACCESS_KEY_ID=\$$AWS_ACCESS_KEY_ID_ENV_VAR'" >> $BASH_ENV + eval "echo 'export AWS_SECRET_ACCESS_KEY=\$$AWS_SECRET_ACCESS_KEY_ENV_VAR'" >> $BASH_ENV + eval "echo 'export AWS_DEFAULT_REGION=\$$AWS_REGION_ENV_VAR'" >> $BASH_ENV + - run: + name: terraform init & plan + command: | + cd deploy/${STAGE} && terraform init -backend-config="access_key=${AWS_ACCESS_KEY_ID_ENV_VAR}" -backend-config="secret_key=${AWS_SECRET_ACCESS_KEY_ENV_VAR}" && terraform plan -out tfapply \ + -var eg_aws_region=${AWS_REGION_ENV_VAR} \ + -var aws_secret_key=${AWS_SECRET_ACCESS_KEY_ENV_VAR} \ + -var aws_access_key=${AWS_ACCESS_KEY_ID_ENV_VAR} && ls && pwd \ + - run: + name: terraform deploy + command: | + cd deploy/${STAGE} && terraform apply -auto-approve tfapply + validate_dev: + <<: *terraform-validate + environment: + AWS_ACCESS_KEY_ID_ENV_VAR: AWS_ACCESS_KEY_ID_DEV + AWS_SECRET_ACCESS_KEY_ENV_VAR: AWS_SECRET_ACCESS_KEY_DEV + AWS_REGION_ENV_VAR: AWS_REGION_DEV + STAGE: dev + validate_prod: + <<: *terraform-validate + environment: + AWS_ACCESS_KEY_ID_ENV_VAR: AWS_ACCESS_KEY_ID_PROD 
+ AWS_SECRET_ACCESS_KEY_ENV_VAR: AWS_SECRET_ACCESS_KEY_PROD + AWS_REGION_ENV_VAR: AWS_REGION_PROD + STAGE: prod + validate_test: + <<: *terraform-validate + environment: + AWS_ACCESS_KEY_ID_ENV_VAR: AWS_ACCESS_KEY_ID_TEST + AWS_SECRET_ACCESS_KEY_ENV_VAR: AWS_SECRET_ACCESS_KEY_TEST + AWS_REGION_ENV_VAR: AWS_REGION_TEST + STAGE: test + deploy_dev: + <<: *terraform-deploy + environment: + AWS_ACCESS_KEY_ID_ENV_VAR: AWS_ACCESS_KEY_ID_DEV + AWS_SECRET_ACCESS_KEY_ENV_VAR: AWS_SECRET_ACCESS_KEY_DEV + AWS_REGION_ENV_VAR: AWS_REGION_DEV + STAGE: dev + deploy_test: + <<: *terraform-deploy + environment: + AWS_ACCESS_KEY_ID_ENV_VAR: AWS_ACCESS_KEY_ID_TEST + AWS_SECRET_ACCESS_KEY_ENV_VAR: AWS_SECRET_ACCESS_KEY_TEST + AWS_REGION_ENV_VAR: AWS_REGION_TEST + STAGE: test + deploy_prod: + <<: *terraform-deploy + environment: + AWS_ACCESS_KEY_ID_ENV_VAR: AWS_ACCESS_KEY_ID_PROD + AWS_SECRET_ACCESS_KEY_ENV_VAR: AWS_SECRET_ACCESS_KEY_PROD + AWS_REGION_ENV_VAR: AWS_REGION_PROD + STAGE: prod +workflows: + plan_approve_apply: + jobs: + - validate_dev + - deploy_dev: + filters: + branches: + only: main + requires: + - validate_dev + - validate_test: + filters: + branches: + ignore: /.*/ + tags: + only: /^v\d+(\.\d+)?(\.\d+)?$/ + - deploy_test: + filters: + branches: + ignore: /.*/ + tags: + only: /^v\d+(\.\d+)?(\.\d+)?$/ + requires: + - validate_test + - validate_prod: + filters: + branches: + ignore: /.*/ + tags: + only: /^v\d+(\.\d+)?(\.\d+)?$/ + - approve-prod: + type: approval + filters: + branches: + ignore: /.*/ + tags: + only: /^v\d+(\.\d+)?(\.\d+)?$/ + requires: + - validate_prod + - deploy_prod: + filters: + branches: + ignore: /.*/ + tags: + only: /^v\d+(\.\d+)?(\.\d+)?$/ \ No newline at end of file diff --git a/deploy/main.tf b/deploy/dev/main.tf similarity index 75% rename from deploy/main.tf rename to deploy/dev/main.tf index 6973cfd..a8aa3d3 100644 --- a/deploy/main.tf +++ b/deploy/dev/main.tf 
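Review bot: `deploy_prod` in the `plan_approve_apply` workflow carries only tag filters and no `requires`, so it starts as soon as a version tag is pushed and the `approve-prod` approval job (which itself requires `validate_prod`) never gates it; add `requires: - approve-prod` under `deploy_prod`, since a workflow job with no `requires` is a root job. Separately, the `terraform init`/`terraform plan` commands in both `terraform-validate` and `terraform-deploy` expand `${AWS_ACCESS_KEY_ID_ENV_VAR}` and `${AWS_SECRET_ACCESS_KEY_ENV_VAR}`, which each `environment` block sets to the literal names `AWS_ACCESS_KEY_ID_DEV` etc., so `-backend-config="secret_key=…"` and `-var aws_secret_key=` receive a variable name rather than a credential, while the real values that the "Setup AWS key" step exports as `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`/`AWS_DEFAULT_REGION` (assuming `$BASH_ENV` is sourced by this image's shell) go unused. Dropping the `-backend-config="access_key=…"`/`secret_key=…` and `-var aws_*_key=` flags and letting the S3 backend and provider read the standard `AWS_*` variables from the environment fixes this and keeps the secret out of the command text that appears in the step log; the region can then be passed as `-var eg_aws_region=${AWS_DEFAULT_REGION}`. The trailing `\` after `ls && pwd \` also leaves an open line continuation at the end of the plan command.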
@@ -4,6 +4,54 @@ provider "aws" { access_key = var.aws_access_key } +terraform { + backend "s3" { + bucket = "insights-v2-dev" + key = "terraform/terraform.tfstate" + region = "us-east-2" # this cant be replaced with the variable + encrypt = true + kms_key_id = "alias/terraform-bucket-key" + } +} + +resource "aws_kms_key" "terraform-bucket-key" { + description = "This key is used to encrypt bucket objects" + deletion_window_in_days = 10 + enable_key_rotation = true +} + +resource "aws_kms_alias" "key-alias" { + name = "alias/terraform-bucket-key" + target_key_id = aws_kms_key.terraform-bucket-key.key_id +} + +resource "aws_s3_bucket" "terraform-state" { + bucket = "insights-v2-dev" + acl = "private" + + versioning { + enabled = true + } + + server_side_encryption_configuration { + rule { + apply_server_side_encryption_by_default { + kms_master_key_id = aws_kms_key.terraform-bucket-key.arn + sse_algorithm = "aws:kms" + } + } + } +} + +resource "aws_s3_bucket_public_access_block" "block" { + bucket = aws_s3_bucket.terraform-state.id + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + /* ECS cluster */ resource "aws_ecs_cluster" "insights-git-cluster" { name = "insights-ecs-cluster" @@ -15,8 +63,8 @@ resource "aws_ecs_cluster" "insights-git-cluster" { } /* ECS task definitions */ -resource "aws_ecs_task_definition" "insights-git-task" { - family = "insights-git-task" +resource "aws_ecs_task_definition" "insights-connector-git-task" { + family = "insights-connector-git-task" requires_compatibilities = ["FARGATE"] network_mode = "awsvpc" cpu = "256" 
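Review bot: the new `backend "s3"` block in `deploy/dev/main.tf` has no `dynamodb_table`, so state in `insights-v2-dev` is read and written without locking, and two pipelines from consecutive pushes to `main` could run `deploy_dev`'s plan/apply against it at the same time; add `dynamodb_table = "<state-lock-table>"` with a matching `aws_dynamodb_table` resource keyed on `LockID` so concurrent runs fail fast instead of racing. The `aws_s3_bucket.terraform-state`, `aws_kms_key.terraform-bucket-key` and `aws_kms_alias.key-alias` resources the backend depends on are declared in the same root module whose state they hold, so `terraform init` cannot succeed on a fresh account until they exist, and a later `destroy` or targeted change could remove the bucket holding its own state; moving these bootstrap resources into a separate configuration and stating that ordering in a comment above the `terraform` block would make the dependency explicit. The SSE-KMS default, versioning and public-access block look right; a bucket policy denying requests with `aws:SecureTransport` false is the remaining gap for a state bucket.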
@@ -25,8 +73,8 @@ resource "aws_ecs_task_definition" "insights-git-task" { task_role_arn = aws_iam_role.ecs_task_role.arn container_definitions = jsonencode([ { - name = "insights-git" - image = "linonymous/insights-git-binary:latest" + name = "insights-connector-git" + image = "395594542180.dkr.ecr.${var.eg_aws_region}.amazonaws.com/insights-connector-git:latest" cpu = 128 memory = 512 essential = true @@ -34,7 +82,7 @@ resource "aws_ecs_task_definition" "insights-git-task" { "logDriver": "awslogs", "options": { "awslogs-group": "insights-ecs-git", - "awslogs-region": "us-east-2", + "awslogs-region": var.eg_aws_region, "awslogs-create-group": "true", "awslogs-stream-prefix": "ecs" } @@ -56,7 +104,7 @@ resource "aws_ecs_task_definition" "insights-connector-jira-task" { container_definitions = jsonencode([ { name = "insights-connector-jira" - image = "395594542180.dkr.ecr.us-east-1.amazonaws.com/insights-connector-jira:latest" + image = "395594542180.dkr.ecr.${var.eg_aws_region}.amazonaws.com/insights-connector-jira:latest" cpu = 128 memory = 512 essential = true @@ -64,7 +112,7 @@ resource "aws_ecs_task_definition" "insights-connector-jira-task" { "logDriver": "awslogs", "options": { "awslogs-group": "insights-connector-jira-logs", - "awslogs-region": "us-east-2", + "awslogs-region": var.eg_aws_region, "awslogs-create-group": "true", "awslogs-stream-prefix": "ecs" } @@ -94,7 +142,7 @@ resource "aws_ecs_task_definition" "insights-connector-gerrit-task" { "logDriver": "awslogs", "options": { "awslogs-group": "insights-connector-gerrit-task", - "awslogs-region": "us-east-2", + "awslogs-region": var.eg_aws_region, "awslogs-create-group": "true", "awslogs-stream-prefix": "ecs" } 
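Review bot: the new `image` value in `insights-connector-git-task` (and the matching change to `insights-connector-jira-task` two hunks below) parameterises the ECR region but keeps the floating `:latest` tag, so what the task runs depends on whatever was pushed last and `terraform apply` will not register a new task-definition revision when the image changes. Referencing an immutable tag or a digest, e.g. `image = "…/insights-connector-git@sha256:<digest>"` or a version tag supplied through a variable, makes deployments reproducible and rollbacks possible. The account id `395594542180` is also hard-coded in both image strings; if dev/test/prod are separate accounts (the CI config uses separate credential sets per stage), `data.aws_caller_identity.current.account_id` would keep the configuration portable. The `container_definitions` list continues outside the hunk.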
@@ -162,7 +210,7 @@ resource "aws_subnet" "main" { resource "aws_ecs_service" "git" { name = "insights-git" cluster = aws_ecs_cluster.insights-git-cluster.id - task_definition = aws_ecs_task_definition.insights-git-task.arn + task_definition = aws_ecs_task_definition.insights-connector-git-task.arn desired_count = 1 launch_type = "FARGATE" scheduling_strategy = "REPLICA" @@ -178,7 +226,7 @@ resource "aws_ecs_service" "git" { /* iam roles */ resource "aws_iam_role" "ecs_task_execution_role" { - name = "role-name" + name = "ecs-ta-role" assume_role_policy = <