aodn · digorgonzola · Dec 11, 2023 · Dec 11, 2023 · Dec 11, 2023
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
@@ -58,7 +58,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: 'run-all plan'
+          tg_command: 'run plan -out=tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true
@@ -72,7 +72,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: 'run-all apply'
+          tg_command: 'run apply tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true

diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
@@ -85,7 +85,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: 'run-all plan'
+          tg_command: 'run plan -out=tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true
@@ -99,7 +99,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: 'run-all apply'
+          tg_command: 'run apply tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true

diff --git a/deploy/tf/ecs/alb.tf → deploy/tf/alb.tf b/deploy/tf/ecs/alb.tf → deploy/tf/alb.tf
diff --git a/deploy/tf/aws_details.tf b/deploy/tf/aws_details.tf
@@ -0,0 +1,2 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
diff --git a/deploy/tf/ecs/ecs.tf → deploy/tf/ecs.tf b/deploy/tf/ecs/ecs.tf → deploy/tf/ecs.tf
@@ -1,16 +1,22 @@
 locals {
   # set container definition variables with default fallback values from ssm if available
   app_vars = {
-    allowed_hosts            = var.allowed_hosts
-    allowed_cidr_nets        = coalesce(var.allowed_cidr_nets, local.private_subnet_cidrs)
-    django_secret_key        = var.django_secret_key
-    db_host                  = coalesce(var.db_host, local.rds_url)
-    db_name                  = var.db_name
-    db_user                  = var.db_user
-    db_secret_name           = var.db_secret_name
-    db_secret_region         = var.db_secret_region
-    s3_storage_bucket_name   = var.s3_storage_bucket_name
-    s3_storage_bucket_region = var.s3_storage_bucket_region
+    allowed_hosts     = var.allowed_hosts
+    allowed_cidr_nets = coalesce(var.allowed_cidr_nets, local.private_subnet_cidrs)
+    django_secret_key = var.django_secret_key
+    db_host           = coalesce(var.db_host, local.rds_url)
+    db_name           = var.db_name
+    db_user           = var.db_user
+    db_secret_name    = var.db_secret_name
+    db_secret_region  = var.db_secret_region
+    s3_storage_bucket_name = coalesce(
+      var.s3_storage_bucket_name,
+      "sample-django-app-${local.bucket_suffix}"
+    )
+    s3_storage_bucket_region = coalesce(
+      var.s3_storage_bucket_region,
+      data.aws_region.current.name
+    )
   }
 
   nginx_vars = {
@@ -28,6 +34,8 @@ module "ecs" {
   source  = "terraform-aws-modules/ecs/aws"
   version = "~> 5.7.0"
 
+  depends_on = [module.s3.wrapper]
+
   # Cluster Configuration
   cluster_name = "${var.app_name}-${var.environment}"
   cluster_configuration = {

diff --git a/deploy/tf/ecs/outputs.tf b/deploy/tf/ecs/outputs.tf
diff --git a/deploy/tf/ecs/get-parameters.tf → deploy/tf/get-parameters.tf b/deploy/tf/ecs/get-parameters.tf → deploy/tf/get-parameters.tf
diff --git a/deploy/tf/ecs/main.tf → deploy/tf/main.tf b/deploy/tf/ecs/main.tf → deploy/tf/main.tf
diff --git a/deploy/tf/outputs.tf b/deploy/tf/outputs.tf
@@ -0,0 +1,7 @@
+output "buckets" {
+  value = module.s3.wrapper
+}
+
+output "ecs" {
+  value = module.ecs
+}
diff --git a/deploy/tf/s3.tf b/deploy/tf/s3.tf
@@ -0,0 +1,33 @@
+locals {
+  bucket_suffix = join("-", [var.environment, data.aws_caller_identity.current.account_id])
+}
+
+module "s3" {
+  source  = "terraform-aws-modules/s3-bucket/aws//wrappers"
+  version = "~> 3.15.1"
+
+  defaults = {
+    attach_deny_insecure_transport_policy = true
+    server_side_encryption_configuration = {
+      rule = {
+        bucket_key_enabled = true
+        apply_server_side_encryption_by_default = {
+          sse_algorithm = "AES256"
+        }
+      }
+    }
+  }
+
+  items = {
+    "sample-django-app-${local.bucket_suffix}" = {
+      bucket                   = "sample-django-app-${local.bucket_suffix}"
+      acl                      = "public-read"
+      block_public_acls        = false
+      block_public_policy      = false
+      ignore_public_acls       = false
+      control_object_ownership = true
+      object_ownership         = "BucketOwnerPreferred"
+      restrict_public_buckets  = false
+    }
+  }
+}
diff --git a/deploy/tf/ecs/vars-container.tf → deploy/tf/vars-container.tf b/deploy/tf/ecs/vars-container.tf → deploy/tf/vars-container.tf
diff --git a/deploy/tf/ecs/vars-shared.tf → deploy/tf/vars-shared.tf b/deploy/tf/ecs/vars-shared.tf → deploy/tf/vars-shared.tf
diff --git a/deploy/tf/ecs/versions.tf → deploy/tf/versions.tf b/deploy/tf/ecs/versions.tf → deploy/tf/versions.tf
diff --git a/deploy/tg/ecs/.terraform.lock.hcl → deploy/tg/.terraform.lock.hcl b/deploy/tg/ecs/.terraform.lock.hcl → deploy/tg/.terraform.lock.hcl
diff --git a/deploy/tg/ecs/terragrunt.hcl b/deploy/tg/ecs/terragrunt.hcl
diff --git a/deploy/tg/global.hcl b/deploy/tg/global.hcl
@@ -0,0 +1,51 @@
+locals {
+  aws_account  = get_env("AWS_ACCOUNT_ID")
+  aws_region   = get_env("AWS_REGION")
+  environment  = get_env("ENVIRONMENT")
+  project_name = "sample-django-app"
+  state_bucket = "tfstate-${local.aws_account}-${local.aws_region}"
+  state_key    = "apps/${local.project_name}/${local.environment}/ecs.tfstate"
+}
+
+generate "providers" {
+  path      = "providers.tf"
+  if_exists = "overwrite_terragrunt"
+  contents  = <<EOF
+provider "aws" {
+  region              = "${local.aws_region}"
+  allowed_account_ids = ["${local.aws_account}"]
+  default_tags {
+    tags = {
+      "Environment" = "apps"
+      "ManagedBy" = "Apps - ${local.state_bucket}/${local.state_key}"
+      "Owner" = "Platform Engineering"
+      "Project" = "AODN Applications"
+      "Repository" = "aodn/sample-django-app"
+    }
+  }
+}
+EOF
+}
+
+remote_state {
+  backend = "s3"
+  generate = {
+    path      = "backend.tf"
+    if_exists = "overwrite_terragrunt"
+  }
+  config = {
+    bucket                      = local.state_bucket
+    key                         = local.state_key
+    region                      = local.aws_region
+    dynamodb_table              = local.state_bucket
+    skip_credentials_validation = true
+    skip_metadata_api_check     = true
+    skip_region_validation      = true
+    disable_bucket_update       = true
+    encrypt                     = true
+  }
+}
+
+terraform {
+  source = "${get_repo_root()}//deploy/tf"
+}
diff --git a/deploy/tg/s3/.terraform.lock.hcl b/deploy/tg/s3/.terraform.lock.hcl
diff --git a/deploy/tg/s3/terragrunt.hcl b/deploy/tg/s3/terragrunt.hcl
diff --git a/deploy/tg/terragrunt.hcl b/deploy/tg/terragrunt.hcl
@@ -1,47 +1,33 @@
-locals {
-  aws_account  = get_env("AWS_ACCOUNT_ID")
-  aws_region   = get_env("AWS_REGION")
-  environment  = get_env("ENVIRONMENT")
-  project_name = "sample-django-app"
-  state_bucket = "tfstate-${local.aws_account}-${local.aws_region}"
-  state_key    = "apps/${local.project_name}/${local.environment}/${basename(get_terragrunt_dir())}.tfstate"
+include "global" {
+  path   = "./global.hcl"
+  expose = true
 }
 
-generate "providers" {
-  path      = "providers.tf"
-  if_exists = "overwrite_terragrunt"
-  contents  = <<EOF
-provider "aws" {
-  region              = "${local.aws_region}"
-  allowed_account_ids = ["${local.aws_account}"]
-  default_tags {
-    tags = {
-      "Environment" = "apps"
-      "ManagedBy" = "Apps - ${local.state_bucket}/${local.state_key}"
-      "Owner" = "Platform Engineering"
-      "Project" = "AODN Applications"
-      "Repository" = "aodn/sample-django-app"
-    }
-  }
-}
-EOF
+inputs = {
+  app_name    = get_env("APP_NAME")
+  environment = local.global.environment
+
+  # fetch the ssm parameter names
+  alb_parameter_name = get_env("ALB_PARAMETER_NAME")
+  ecr_parameter_name = get_env("ECR_PARAMETER_NAME")
+  rds_parameter_name = get_env("RDS_PARAMETER_NAME")
+
+  # DNS hostnames to associate with the container
+  app_hostnames = ["api-${local.global.environment}"]
+
+  # get docker environment variable values with default fallback values
+  allowed_hosts            = get_env("ALLOWED_HOSTS", "*")
+  allowed_cidr_nets        = get_env("ALLOWED_CIDR_NETS", "")
+  django_secret_key        = get_env("DJANGO_SECRET_KEY", "changeme")
+  db_host                  = get_env("DB_HOST", "")
+  db_name                  = get_env("DB_NAME", "api")
+  db_user                  = get_env("DB_USER", "api")
+  db_secret_name           = get_env("DB_SECRET_NAME", "/rds/stefan-db/primary/evaluation/api")
+  db_secret_region         = get_env("DB_SECRET_REGION", "ap-southeast-2")
+  s3_storage_bucket_name   = get_env("S3_STORAGE_BUCKET_NAME", "")
+  s3_storage_bucket_region = get_env("S3_STORAGE_BUCKET_REGION", "")
 }
 
-remote_state {
-  backend = "s3"
-  generate = {
-    path      = "backend.tf"
-    if_exists = "overwrite_terragrunt"
-  }
-  config = {
-    bucket                      = local.state_bucket
-    key                         = local.state_key
-    region                      = local.aws_region
-    dynamodb_table              = local.state_bucket
-    skip_credentials_validation = true
-    skip_metadata_api_check     = true
-    skip_region_validation      = true
-    disable_bucket_update       = true
-    encrypt                     = true
-  }
+locals {
+  global = include.global.locals
 }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		data "aws_caller_identity" "current" {}
		data "aws_region" "current" {}