Refactor tg

.github/workflows/deploy-development.yml

@@ -110,7 +110,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: 'plan -out=tf.plan'
+          tg_command: 'run-all plan -out=tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true
@@ -123,7 +123,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: '--terragrunt-non-interactive --terragrunt-log-level info apply -auto-approve tf.plan'
+          tg_command: '--terragrunt-non-interactive --terragrunt-log-level info run-all apply -auto-approve tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true

.github/workflows/deploy-production.yml

@@ -101,7 +101,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: 'plan -out=tf.plan'
+          tg_command: 'run-all plan -out=tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true
@@ -114,7 +114,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: '--terragrunt-non-interactive --terragrunt-log-level info apply -auto-approve tf.plan'
+          tg_command: '--terragrunt-non-interactive --terragrunt-log-level info run-all apply -auto-approve tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true

.github/workflows/deploy-staging.yml

@@ -83,7 +83,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: 'plan -out=tf.plan'
+          tg_command: 'run-all plan -out=tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true
@@ -96,7 +96,7 @@ jobs:
           tf_version: ${{ env.tf_version }}
           tg_version: ${{ env.tg_version }}
           tg_dir: ${{ env.tg_dir }}
-          tg_command: '--terragrunt-non-interactive --terragrunt-log-level info apply -auto-approve tf.plan'
+          tg_command: '--terragrunt-non-interactive --terragrunt-log-level info run-all apply -auto-approve tf.plan'
         env:
           TF_INPUT: 0
           TF_IN_AUTOMATION: true

deploy/container/env_vars.yaml

@@ -0,0 +1,12 @@
+allowed_hosts: "*"
+allowed_cidr_nets: "0.0.0.0/0"
+django_secret_key: changeme
+db_host: # db_host
+db_name: # app_db
+db_user: # app_db
+db_secret_name: # /my/db/secret
+db_secret_region: # ap-southeast-2
+s3_storage_bucket_name: # appbucket
+s3_storage_bucket_region: # ap-southeast-2
+dummy_empty: ''
+dummy_null:

deploy/github/development.env

@@ -1,5 +1,6 @@
 # general environment variables for Terragrunt
 ALB_PARAMETER_NAME=shared-alb-devops-sydney
+APP_HEALTH_CHECK="CMD-SHELL,uwsgi-is-ready --stats-socket /tmp/statsock > /dev/null 2>&1 || exit 1"
 APP_NAME=sample-django-app
 AWS_ACCOUNT_ID=450356697252
 AWS_REGION=ap-southeast-2

deploy/github/production.env

@@ -1,5 +1,6 @@
 # general environment variables for Terragrunt
 ALB_PARAMETER_NAME=shared-alb-devops-sydney
+APP_HEALTH_CHECK="CMD-SHELL,uwsgi-is-ready --stats-socket /tmp/statsock > /dev/null 2>&1 || exit 1"
 APP_NAME=sample-django-app
 AWS_ACCOUNT_ID=450356697252
 AWS_REGION=ap-southeast-2

deploy/github/staging.env

@@ -1,5 +1,6 @@
 # general environment variables for Terragrunt
 ALB_PARAMETER_NAME=shared-alb-devops-sydney
+APP_HEALTH_CHECK="CMD-SHELL,uwsgi-is-ready --stats-socket /tmp/statsock > /dev/null 2>&1 || exit 1"
 APP_NAME=sample-django-app
 AWS_ACCOUNT_ID=450356697252
 AWS_REGION=ap-southeast-2

deploy/iam_statements/development.yaml

@@ -0,0 +1,14 @@
+- actions:
+    - s3:PutObject
+    - s3:GetObjectAcl
+    - s3:GetObject
+    - s3:ListBucket
+    - s3:DeleteObject
+    - s3:PutObjectAcl
+  resources:
+    - arn:aws:s3:::sample-django-bucket-${environment}-${aws_account}
+    - arn:aws:s3:::sample-django-bucket-${environment}-${aws_account}/*
+- actions:
+    - secretsmanager:GetSecretValue
+  resources:
+    - arn:aws:secretsmanager:${aws_region}:${aws_account}:secret:/rds/*

deploy/iam_statements/production.yaml

@@ -0,0 +1,16 @@
+- actions:
+    - s3:PutObject
+    - s3:GetObjectAcl
+    - s3:GetObject
+    - s3:ListBucket
+    - s3:DeleteObject
+    - s3:PutObjectAcl
+  resources:
+    - arn:aws:s3:::sample-django-bucket-${environment}-${aws_account}
+    - arn:aws:s3:::sample-django-bucket-${environment}-${aws_account}/*
+    - arn:aws:s3:::django-extra-bucket-${environment}-${aws_account}
+    - arn:aws:s3:::django-extra-bucket-${environment}-${aws_account}/*
+- actions:
+    - secretsmanager:GetSecretValue
+  resources:
+    - arn:aws:secretsmanager:${aws_region}:${aws_account}:secret:/rds/*

deploy/iam_statements/staging.yaml

@@ -0,0 +1,14 @@
+- actions:
+    - s3:PutObject
+    - s3:GetObjectAcl
+    - s3:GetObject
+    - s3:ListBucket
+    - s3:DeleteObject
+    - s3:PutObjectAcl
+  resources:
+    - arn:aws:s3:::sample-django-bucket-${environment}-${aws_account}
+    - arn:aws:s3:::sample-django-bucket-${environment}-${aws_account}/*
+- actions:
+    - secretsmanager:GetSecretValue
+  resources:
+    - arn:aws:secretsmanager:${aws_region}:${aws_account}:secret:/rds/*

deploy/tf/outputs.tf

@@ -1,7 +1,3 @@
-output "buckets" {
-  value = module.s3.wrapper
-}
-
 output "cluster" {
   value = module.cluster
 }

deploy/tf/service.tf

@@ -5,10 +5,15 @@ locals {
     listen_port = var.proxy_port
   }
 
-  app_container_vars   = [for k, v in var.container_vars : { name = upper(k), value = v }]
+  app_container_vars   = [for k, v in var.env_vars : { name = upper(k), value = v }]
   nginx_container_vars = [for k, v in local.nginx_vars : { name = upper(k), value = v }]
 
-  container_definitions = var.nginx_proxy ? merge(local.app_container_definition, local.nginx_container_definition) : local.app_container_definition
+  container_definitions = (
+    var.nginx_proxy ?
+    merge(local.app_container_definition, local.nginx_container_definition) :
+    local.app_container_definition
+  )
+
   app_container_definition = {
     app = {
       name = var.app_container_name
@@ -18,7 +23,7 @@ locals {
         "${var.ecr_registry}/${var.ecr_repository}:${var.image}"
       )
       health_check = {
-        command = ["CMD-SHELL", "uwsgi-is-ready --stats-socket /tmp/statsock > /dev/null 2>&1 || exit 1"]
+        command = length(var.app_health_check) > 0 ? split(",", var.app_health_check) : []
       }
       readonly_root_filesystem = false
       essential                = true
@@ -73,7 +78,7 @@ resource "null_resource" "cluster_arn_precondition_check" {
   lifecycle {
     precondition {
       condition     = (var.create_cluster == false && var.cluster_arn != "" || var.create_cluster && var.cluster_arn == "")
-      error_message = "The cluster ARN must be provided if 'create_cluster' is false. If you mean to create the cluster, set 'create_cluster' to true."
+      error_message = "The cluster ARN must be provided if 'create_cluster' is false. If you mean to have this module create the cluster, set 'create_cluster' to true."
     }
   }
 }
@@ -82,8 +87,6 @@ module "service" {
   source  = "terraform-aws-modules/ecs/aws//modules/service"
   version = "~> 5.7.0"
 
-  depends_on = [module.s3.wrapper]
-
   name        = "${var.app_name}-${var.environment}"
   cluster_arn = var.create_cluster ? module.cluster.arn : var.cluster_arn
   capacity_provider_strategy = {
@@ -145,27 +148,7 @@ module "service" {
     }
   }
 
-  tasks_iam_role_statements = [
-    {
-      actions = [
-        "s3:PutObject",
-        "s3:GetObjectAcl",
-        "s3:GetObject",
-        "s3:ListBucket",
-        "s3:DeleteObject",
-        "s3:PutObjectAcl"
-      ]
-      resources = flatten([for bucket in module.s3.wrapper :
-        split(",", "arn:aws:s3:::${bucket.s3_bucket_id},arn:aws:s3:::${bucket.s3_bucket_id}/*"
-      )])
-    },
-    {
-      actions = [
-        "secretsmanager:GetSecretValue"
-      ]
-      resources = ["arn:aws:secretsmanager:${data.aws_region.current.name}:*:secret:/rds*"]
-    }
-  ]
+  tasks_iam_role_statements = var.iam_statements
 
   timeouts = {
     create = "10m"

deploy/tf/variables.tf

@@ -9,6 +9,17 @@ variable "app_container_name" {
   default     = "app"
 }
 
+variable "app_health_check" {
+  description = "The health check commmand to run on the docker container."
+  type        = string
+  default     = null
+}
+
+variable "app_hostnames" {
+  description = "Hostnames to associate with the application"
+  type        = list(string)
+}
+
 variable "app_name" {
   description = "The name of the application e.g. sample-django-app"
   type        = string
@@ -20,22 +31,12 @@ variable "app_port" {
   default     = 9000
 }
 
-variable "app_hostnames" {
-  description = "Hostnames to associate with the application"
-  type        = list(string)
-}
-
 variable "cluster_arn" {
   description = "ARN of the existing cluster to deploy the service/tasks to."
   type        = string
   default     = ""
 }
 
-variable "container_vars" {
-  description = "Map of key/pair values to pass to the container definition."
-  type        = map(any)
-}
-
 variable "cpu" {
   description = "The CPU capacity to allocate to the task."
   type        = number
@@ -58,11 +59,22 @@ variable "ecr_repository" {
   type        = string
 }
 
+variable "env_vars" {
+  description = "Map of key/pair values to pass to the container definition."
+  type        = map(any)
+}
+
 variable "environment" {
   description = "Environment name to prepend/append to resource names"
   type        = string
 }
 
+variable "iam_statements" {
+  description = "List of IAM statements to attach to the task role"
+  type        = any
+  default     = []
+}
+
 variable "image" {
   description = "The digest/tag of the docker image to pull from ECR"
   type        = string