diff --git a/.github/workflows/python-checks.yml b/.github/workflows/python-checks.yml new file mode 100644 index 00000000..d20fb2e9 --- /dev/null +++ b/.github/workflows/python-checks.yml @@ -0,0 +1,14 @@ +name: python-checks + +on: + push: + paths: + - terraform/services/alarm-to-slack/lambda_src/** + workflow_dispatch: + +jobs: + python-checks: + runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - run: scripts/python-checks diff --git a/.github/workflows/tf-admin-aco-deny.yml b/.github/workflows/tf-admin-aco-deny.yml index f1caaccc..51d32ed1 100644 --- a/.github/workflows/tf-admin-aco-deny.yml +++ b/.github/workflows/tf-admin-aco-deny.yml @@ -28,16 +28,7 @@ defaults: working-directory: ./terraform/services/admin-aco-deny jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-admin-create-aco-creds.yml b/.github/workflows/tf-admin-create-aco-creds.yml index 5881a22f..a627766f 100644 --- a/.github/workflows/tf-admin-create-aco-creds.yml +++ b/.github/workflows/tf-admin-create-aco-creds.yml 
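Review bot: The checkout step uses the action's default shallow clone, but `scripts/python-checks` diffs against `main` on feature branches and `HEAD^` on main, and neither revision is present in a depth-1 checkout, so the `git diff` fails and, with no `pipefail` in the script, most likely yields an empty directory list and a green run rather than an error; `tofu-checks.yml` in this same change passes `with: fetch-depth: 0` to `actions/checkout`, and this workflow needs the same block. The workflow also declares no `permissions:`, so `GITHUB_TOKEN` gets the repository default; `permissions: contents: read` at the top level is enough for checkout and pins the token down (the same applies to `tofu-checks.yml`). Because the `paths` filter lists only `terraform/services/alarm-to-slack/lambda_src/**`, a change to `scripts/python-checks` or to this workflow file alone never exercises the check; adding those two paths to the filter closes that gap. Finally, since the `tf-*` workflows drop their in-line `check-fmt` and `python-lint-test` jobs in this change, a failing run here no longer blocks `plan-apply-deploy` in `tf-alarm-to-slack.yml`; if that gate is still wanted it has to come from a required status check or a `workflow_run` dependency, not from this standalone workflow.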
@@ -28,16 +28,7 @@ defaults: working-directory: ./terraform/services/admin-create-aco-creds jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-admin-create-aco.yml b/.github/workflows/tf-admin-create-aco.yml index c232fee3..8d00bc81 100644 --- a/.github/workflows/tf-admin-create-aco.yml +++ b/.github/workflows/tf-admin-create-aco.yml @@ -28,16 +28,7 @@ defaults: working-directory: ./terraform/services/admin-create-aco jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-admin-create-group.yml b/.github/workflows/tf-admin-create-group.yml index 64d40d0c..0cc24ed4 100644 --- a/.github/workflows/tf-admin-create-group.yml +++ b/.github/workflows/tf-admin-create-group.yml @@ -28,16 +28,7 @@ defaults: working-directory: ./terraform/services/admin-create-group jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write 
diff --git a/.github/workflows/tf-alarm-to-slack.yml b/.github/workflows/tf-alarm-to-slack.yml index 4156c6eb..49c08e20 100644 --- a/.github/workflows/tf-alarm-to-slack.yml +++ b/.github/workflows/tf-alarm-to-slack.yml @@ -28,27 +28,7 @@ defaults: working-directory: ./terraform/services/alarm-to-slack jobs: - python-lint-test: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - name: Install Python dependencies & Run Lint and Unit Tests - run: | - pip install pylint pytest - pylint lambda_src - pytest lambda_src - - check-fmt: - needs: python-lint-test - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply-deploy: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-api-waf-sync.yml b/.github/workflows/tf-api-waf-sync.yml index db9fb1a6..cdf2fbab 100644 --- a/.github/workflows/tf-api-waf-sync.yml +++ b/.github/workflows/tf-api-waf-sync.yml @@ -28,16 +28,7 @@ defaults: working-directory: ./terraform/services/api-waf-sync jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-api-waf.yml b/.github/workflows/tf-api-waf.yml index 04eb1103..7111ff2b 100644 --- a/.github/workflows/tf-api-waf.yml +++ b/.github/workflows/tf-api-waf.yml 
@@ -23,16 +23,7 @@ defaults: working-directory: ./terraform/services/api-waf jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-backup-plan.yml b/.github/workflows/tf-backup-plan.yml index 939ce3bd..0e7e06eb 100644 --- a/.github/workflows/tf-backup-plan.yml +++ b/.github/workflows/tf-backup-plan.yml @@ -23,16 +23,7 @@ defaults: working-directory: ./terraform/services/backup-plan jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-bucket-access-logs.yml b/.github/workflows/tf-bucket-access-logs.yml index c904bd8d..03ed836d 100644 --- a/.github/workflows/tf-bucket-access-logs.yml +++ b/.github/workflows/tf-bucket-access-logs.yml @@ -22,16 +22,7 @@ defaults: working-directory: ./terraform/services/bucket-access-logs jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write 
diff --git a/.github/workflows/tf-cclf-import.yml b/.github/workflows/tf-cclf-import.yml index edf59379..cdfcc809 100644 --- a/.github/workflows/tf-cclf-import.yml +++ b/.github/workflows/tf-cclf-import.yml @@ -28,16 +28,7 @@ defaults: working-directory: ./terraform/services/cclf-import jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-codebuild-projects.yml b/.github/workflows/tf-codebuild-projects.yml index dc4426bd..b913fa03 100644 --- a/.github/workflows/tf-codebuild-projects.yml +++ b/.github/workflows/tf-codebuild-projects.yml @@ -20,16 +20,7 @@ defaults: working-directory: ./terraform/services/codebuild-projects jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-external-services-ip-sets.yml b/.github/workflows/tf-external-services-ip-sets.yml index 3c485b8e..492306f0 100644 --- a/.github/workflows/tf-external-services-ip-sets.yml +++ b/.github/workflows/tf-external-services-ip-sets.yml 
@@ -22,16 +22,7 @@ defaults: working-directory: ./terraform/services/external-services-ip-sets jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-github-actions-oidc-provider.yml b/.github/workflows/tf-github-actions-oidc-provider.yml index 27edafe8..31408633 100644 --- a/.github/workflows/tf-github-actions-oidc-provider.yml +++ b/.github/workflows/tf-github-actions-oidc-provider.yml @@ -23,16 +23,7 @@ defaults: working-directory: ./terraform/services/github-actions-oidc-provider jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-github-actions-role.yml b/.github/workflows/tf-github-actions-role.yml index f5df4ab4..bdf71832 100644 --- a/.github/workflows/tf-github-actions-role.yml +++ b/.github/workflows/tf-github-actions-role.yml 
@@ -22,16 +22,7 @@ defaults: working-directory: ./terraform/services/github-actions-role jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-kms-keys.yml b/.github/workflows/tf-kms-keys.yml index d5a5ce2f..c55a1524 100644 --- a/.github/workflows/tf-kms-keys.yml +++ b/.github/workflows/tf-kms-keys.yml @@ -23,16 +23,7 @@ defaults: working-directory: ./terraform/services/kms-keys jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-opt-out-export.yml b/.github/workflows/tf-opt-out-export.yml index 96a30700..f6421c35 100644 --- a/.github/workflows/tf-opt-out-export.yml +++ b/.github/workflows/tf-opt-out-export.yml @@ -28,16 +28,7 @@ defaults: working-directory: ./terraform/services/opt-out-export jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write 
diff --git a/.github/workflows/tf-opt-out-import.yml b/.github/workflows/tf-opt-out-import.yml index 26b79d8c..4fef1a57 100644 --- a/.github/workflows/tf-opt-out-import.yml +++ b/.github/workflows/tf-opt-out-import.yml @@ -28,16 +28,7 @@ defaults: working-directory: ./terraform/services/opt-out-import jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-security-groups.yml b/.github/workflows/tf-security-groups.yml index e01fa1de..f6a4a056 100644 --- a/.github/workflows/tf-security-groups.yml +++ b/.github/workflows/tf-security-groups.yml @@ -20,19 +20,10 @@ env: defaults: run: - working-directory: ./terraform/services/security-groups + working-directory: ./terraform/services/security-groups jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-snyk-integration.yml b/.github/workflows/tf-snyk-integration.yml index 2a7061b0..a4fd3331 100644 --- a/.github/workflows/tf-snyk-integration.yml +++ b/.github/workflows/tf-snyk-integration.yml 
@@ -23,16 +23,7 @@ defaults: working-directory: ./terraform/services/snyk-integration jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tf-tfstate.yml b/.github/workflows/tf-tfstate.yml index fa122218..b2290b49 100644 --- a/.github/workflows/tf-tfstate.yml +++ b/.github/workflows/tf-tfstate.yml @@ -25,16 +25,7 @@ defaults: working-directory: ./terraform/services/tfstate jobs: - check-fmt: - runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} - steps: - - uses: actions/checkout@v4 - - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 - - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 - - run: tofu fmt -check -diff -recursive . - plan-apply: - needs: check-fmt permissions: contents: read id-token: write diff --git a/.github/workflows/tofu-checks.yml b/.github/workflows/tofu-checks.yml new file mode 100644 index 00000000..2ffcd85c --- /dev/null +++ b/.github/workflows/tofu-checks.yml @@ -0,0 +1,26 @@ +name: tofu-checks + +on: + workflow_dispatch: + pull_request: + paths: + - 'terraform/**' + push: + branches: + - main + paths: + - 'terraform/**' + +env: + TENV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + +jobs: + check: + runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + fetch-depth: 0 + - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 + - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 + - run: scripts/tofu-checks 
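Review bot: `GITHUB_TOKEN` is exported into every step as `TENV_GITHUB_TOKEN` while the workflow declares no `permissions:`, so the token's scopes are whatever the repository default is; `permissions: contents: read` at the workflow level is sufficient for checkout and for tenv's release lookups and keeps a token that is now visible to `scripts/tofu-checks` (code taken from the PR head) at read-only. The `pull_request` trigger runs that script and `tofu init` on a CodeBuild-backed runner, where GitHub's fork-PR safeguards for hosted runners do not apply, so it is worth confirming that fork PRs are disallowed or gated by the repository's approval setting; the per-run `codebuild-cdap-${{github.run_id}}-${{github.run_attempt}}` naming suggests ephemeral runners, which limits the exposure but does not remove it. As with `python-checks.yml`, the `paths` filter (`'terraform/**'`) does not include `scripts/tofu-checks` or the workflow file itself, so a change to the check is not itself checked; adding both paths to the `pull_request` and `push` filters fixes that.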
diff --git a/.github/workflows/tofu-plan.yml b/.github/workflows/tofu-plan.yml new file mode 100644 index 00000000..724d0d6b --- /dev/null +++ b/.github/workflows/tofu-plan.yml @@ -0,0 +1,44 @@ +name: tofu-plan + +on: + workflow_dispatch: + inputs: + all_services: + required: false + type: boolean + pull_request: + paths: + - 'terraform/services/**' + +env: + TENV_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + +jobs: + plan: + permissions: + contents: read + id-token: write + runs-on: codebuild-cdap-${{github.run_id}}-${{github.run_attempt}} + strategy: + fail-fast: false + matrix: + app: [ab2d, bcda, dpc] + env: [dev, test, sandbox, prod] + include: + - app: cdap + env: mgmt + steps: + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + fetch-depth: 0 + - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2 + - uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40 + - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + with: + role-to-assume: arn:aws:iam::${{ contains(fromJSON('["dev", "test"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT }}:role/delegatedadmin/developer/${{ matrix.app }}-${{ matrix.env }}-github-actions + aws-region: ${{ vars.AWS_REGION }} + - run: scripts/tofu-plan + env: + ALL_SERVICES: ${{ inputs.all_services }} + APP: ${{ matrix.app }} + ENV: ${{ matrix.env }} diff --git a/scripts/python-checks b/scripts/python-checks new file mode 100755 index 00000000..2c2b79fd --- /dev/null +++ b/scripts/python-checks 
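Review bot: The `plan` job runs on `pull_request` with `id-token: write` and assumes the `${{ matrix.app }}-${{ matrix.env }}-github-actions` role in both accounts, so every PR touching `terraform/services/**` executes `scripts/tofu-plan` from the PR head with live credentials, including against prod; that is the normal shape for a plan job, but it makes the OIDC trust policy's `sub` condition the only control over which repository and refs may assume these roles, and that policy is not in this change, so it is worth confirming it is restricted to this repository. Fork PRs receive no secrets, so `${{ secrets.PROD_ACCOUNT }}` expands to an empty string and `configure-aws-credentials` fails on a malformed ARN rather than the job being skipped; an `if: github.event.pull_request.head.repo.full_name == github.repository` on the job gives a clearer outcome. The account selection `contains(fromJSON('["dev", "test"]'), matrix.env) && secrets.NON_PROD_ACCOUNT || secrets.PROD_ACCOUNT` sends `sandbox` and `mgmt` to the prod account; if that is intended, a comment above `role-to-assume` such as `# dev/test use the non-prod account; sandbox, prod and mgmt use the prod account` saves the next reader from working it out, and keeps it in step with the `account` case in `scripts/tofu-plan` that encodes the same split.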
@@ -0,0 +1,25 @@ +#!/bin/bash +# Run checks on python files from git diff. Used in the python-checks workflow. +set -e + +# When run on main, diff against the prior commit. When run on any +# other branch, diff against main. +ref="$([ "$(git branch --show-current)" == "main" ] && echo "HEAD^" || echo "main")" +echo "Using $ref for diff" + +# Run checks in all affected python directories. +diff_dirs="$(git diff --name-only "$ref" -- '*.py' | xargs dirname | sort | uniq)" +repo_root="$(git rev-parse --show-toplevel)" +for dir in $diff_dirs; do + cd "$repo_root" + [ ! -d "$dir" ] && echo "No directory found at $dir. Skipping" && continue + cd "$dir" + temp_venv=$(mktemp -d) + python -m venv "$temp_venv" + source "$temp_venv/bin/activate" + [ -f "requirements.txt" ] && pip install -r requirements.txt + pip install pylint pytest + echo "Running python lint and test on \"$dir\"" + pylint . + pytest . +done diff --git a/scripts/tofu-checks b/scripts/tofu-checks new file mode 100755 index 00000000..8bdd4fa5 --- /dev/null +++ b/scripts/tofu-checks 
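Review bot: `set -e` without `-o pipefail` means a failing `git diff` in `diff_dirs="$(git diff --name-only "$ref" -- '*.py' | xargs dirname | sort | uniq)"` is masked by `uniq`'s exit status, so an unresolvable `$ref` yields an empty list and a passing run instead of a failure; changing the third line to `set -eo pipefail` fixes this, and the same pipeline shape appears in `scripts/tofu-checks` and `scripts/tofu-plan`. In an `actions/checkout` clone the default branch is normally present only as a remote-tracking ref, so `echo "main"` in the `ref=` line probably needs to be `echo "origin/main"` for the diff to resolve on non-main branches (all three scripts share that line). Separately, `pip install pylint pytest` floats to whatever PyPI serves on each run, so the tool versions are not pinned the way `requirements.txt` is and results are not reproducible; pinning them, ideally with `--require-hashes`, makes the check deterministic and narrows what an unexpected upstream release can do inside CI.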
@@ -0,0 +1,26 @@ +#!/bin/bash +# Run checks on tofu files from git diff. Used in the tofu-checks workflow. +set -e + +# When run on main, diff against the prior commit. When run on any +# other branch, diff against main. +ref="$([ "$(git branch --show-current)" == "main" ] && echo "HEAD^" || echo "main")" +echo "Using $ref for diff" + +# Check formatting on all added or modified terraform/tofu files. +echo "Checking formatting on the following added or modified tf files:" +diff_tf="$(git diff --name-only --diff-filter=ACMR "$ref" -- '*.tf')" +echo "$diff_tf" +tofu fmt -check -diff $diff_tf + +# Run checks in all affected terraform/tofu directories. +diff_dirs="$(git diff --name-only "$ref" -- '*.tf' | xargs dirname | sort | uniq)" +repo_root="$(git rev-parse --show-toplevel)" +for dir in $diff_dirs; do + cd "$repo_root" + [ ! -d "$dir" ] && continue # Skip if directory no longer exists + cd "$dir" + echo "Running validate on \"$dir\"" + tofu init -backend=false + tofu validate +done diff --git a/scripts/tofu-plan b/scripts/tofu-plan new file mode 100755 index 00000000..7f6be5e9 --- /dev/null +++ b/scripts/tofu-plan 
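Review bot: `tofu fmt -check -diff $diff_tf` runs even when `diff_tf` is empty (every changed `.tf` was deleted, or nothing matched), in which case tofu formats the current directory instead of the listed files, and the unquoted expansion word-splits paths; guarding the call with `if [ -n "$diff_tf" ]; then echo "$diff_tf" | xargs tofu fmt -check -diff; fi` covers both. As in `scripts/python-checks`, `set -e` without `pipefail` lets a failing `git diff` in the `diff_dirs` pipeline produce an empty list and a green run, and `main` in the `ref=` line likely needs to be `origin/main` in an `actions/checkout` clone. Note also that `tofu init -backend=false` relies on each service's committed `.terraform.lock.hcl` for provider pinning and hash verification, and this change deletes `terraform/services/api-waf-sync/.terraform.lock.hcl`, so validation of that service will select and fetch providers fresh on every run until a lockfile is recommitted; if the deletion is deliberate, a comment above the `tofu init` line stating that services without a lockfile are validated unpinned records the expectation.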
@@ -0,0 +1,82 @@ +#!/bin/bash +# Run tofu plan across all services. Used in the tofu-plan workflow. +set -e + +temp_plan=$(mktemp) + +# Set temp file for summary if not running in github actions +if [ -z "$GITHUB_STEP_SUMMARY" ]; then + temp_summary=$(mktemp) + echo "Setting GITHUB_STEP_SUMMARY to $temp_summary" + GITHUB_STEP_SUMMARY="$temp_summary" +fi + +plan_error=false + +if [ "$ALL_SERVICES" == "true" ]; then + dirs="$(ls -d terraform/services/*)" +else + # When run on main, diff against the prior commit. When run on any + # other branch, diff against main. + ref="$([ "$(git branch --show-current)" == "main" ] && echo "HEAD^" || echo "main")" + echo "Using $ref for diff" + + # Get all affected service directories. + dirs="$(git diff --name-only "$ref" -- 'terraform/services/**/*.tf' | xargs dirname | sort | uniq)" +fi + +repo_root="$(git rev-parse --show-toplevel)" +for dir in $dirs; do + cd "$repo_root" + [ ! -d "$dir" ] && echo "No directory found at $dir. Skipping" && continue + cd "$dir" + [ ! -f "conf.sh" ] && echo "No conf.sh file in $dir. Skipping" && continue + set -a + source conf.sh + set +a + case "$INFRA_ENVS" in + all) + ;; + account) + if [[ "$APP" == "bcda" && ("$ENV" == "test" || "$ENV" == "prod") ]]; then + echo "Planning the $dir service against the $APP-$ENV env for this account" + else + echo "Skipping $dir service for the $APP-$ENV environment" + continue + fi + ;; + *) + in_set=false + for infra_env in $INFRA_ENVS; do + if [ "$infra_env" == "$APP-$ENV" ]; then + in_set=true + fi + done + if [ "$in_set" != true ]; then + echo "Skipping $dir service for the $APP-$ENV environment" + continue + fi + ;; + esac + echo "Running plan on $dir" + tofu init -reconfigure -backend-config="../../backends/${APP}-${ENV}.s3.tfbackend" + export TF_VAR_app="$APP" + export TF_VAR_env="$ENV" + tofu plan | tee "$temp_plan" + if grep "Your infrastructure matches the configuration." 
"$temp_plan"; then + echo ":white_check_mark: No changes in $dir service on $APP-$ENV env." >> $GITHUB_STEP_SUMMARY + elif grep "OpenTofu encountered an error while generating this plan." "$temp_plan"; then + plan_error=true + echo ":exclamation: Error in plan for $dir service on $APP-$ENV env." >> $GITHUB_STEP_SUMMARY + else + echo ":pencil: Changes in $dir service on $APP-$ENV env. See plan." >> $GITHUB_STEP_SUMMARY + fi +done + +if [ -n "$temp_summary" ]; then + echo "See summary at $temp_summary" +fi + +if [ "$plan_error" == "true" ]; then + exit 1 +fi diff --git a/terraform/services/admin-aco-deny/conf.sh b/terraform/services/admin-aco-deny/conf.sh new file mode 100644 index 00000000..f83097ee --- /dev/null +++ b/terraform/services/admin-aco-deny/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-dev bcda-test bcda-sandbox bcda-prod" diff --git a/terraform/services/admin-create-aco-creds/conf.sh b/terraform/services/admin-create-aco-creds/conf.sh new file mode 100644 index 00000000..f83097ee --- /dev/null +++ b/terraform/services/admin-create-aco-creds/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-dev bcda-test bcda-sandbox bcda-prod" diff --git a/terraform/services/admin-create-aco/conf.sh b/terraform/services/admin-create-aco/conf.sh new file mode 100644 index 00000000..f83097ee --- /dev/null +++ b/terraform/services/admin-create-aco/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-dev bcda-test bcda-sandbox bcda-prod" diff --git a/terraform/services/admin-create-group/conf.sh b/terraform/services/admin-create-group/conf.sh new file mode 100644 index 00000000..f83097ee --- /dev/null +++ b/terraform/services/admin-create-group/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-dev bcda-test bcda-sandbox bcda-prod" diff --git a/terraform/services/alarm-to-slack/conf.sh b/terraform/services/alarm-to-slack/conf.sh new file mode 100644 index 00000000..b10d1543 --- /dev/null +++ b/terraform/services/alarm-to-slack/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=account 
diff --git a/terraform/services/alarm-to-slack/lambda_src/requirements.txt b/terraform/services/alarm-to-slack/lambda_src/requirements.txt new file mode 100644 index 00000000..0df32a53 --- /dev/null +++ b/terraform/services/alarm-to-slack/lambda_src/requirements.txt @@ -0,0 +1 @@ +boto3==1.40.52 diff --git a/terraform/services/alarm-to-slack/main.tf b/terraform/services/alarm-to-slack/main.tf index fa5ec87d..2c951267 100644 --- a/terraform/services/alarm-to-slack/main.tf +++ b/terraform/services/alarm-to-slack/main.tf @@ -20,6 +20,8 @@ module "sns_to_slack_function" { name = local.full_name description = "Listens for CloudWatch Alerts and forwards to Slack" + # TODO use zip file + handler = "lambda_function.lambda_handler" runtime = "python3.13" diff --git a/terraform/services/api-waf-sync/.terraform.lock.hcl b/terraform/services/api-waf-sync/.terraform.lock.hcl deleted file mode 100644 index 5f3051f2..00000000 --- a/terraform/services/api-waf-sync/.terraform.lock.hcl +++ /dev/null 
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.8.0" - constraints = "~> 5.8.0" - hashes = [ - "h1:vnjWfeuf4AflWsRq3ivVig8dR8PAg8BHTVyAtOzJ1yQ=", - "zh:0974311d5e1becfdcbdae43d022d52689fdad32a4145659e56ac534bcb8cba02", - "zh:100dc64a90fc0d36cf6e2882b4358fde17705edd8ab3c5f2c06d219c36b21565", - "zh:467a86de8a7d77cde5c3386f9e82d7f1bf5972d1b3d177e797d1d9d2e87fd357", - "zh:4ad1f8ef5c5522f81d271b93594a43a7666b3409ca201a1911cd950e489ef12b", - "zh:540a50ab7061c6df2057ec9580890a9e86a687233120af738985fa84dde2a20a", - "zh:6e7b73b770e92891da94751c3e0cff1e1b852f5121da8c4a689056833eeb7d94", - "zh:879d42721e86331b05ff77bd219ca9a062485cdb2fa803d2dcf63084f25d484c", - "zh:980563e615fbba127c02df6dc8872ce60f7137df45fdb8cd801cdcbae6cf192a", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a6ad25c4d3edde466ea68731097aedad4b68278af0742fc1ab71d2c30491f92e", - "zh:af8df9e06f576c11ce67ac2b675d0d8db4aac618fec95d27c10aa59436feebbf", - "zh:b625ca7c4b99c6b3af34041b9773ccd9d80b0dde264c40b5d163a6abd73793af", - "zh:c9e0ca6aa48ebaa0892ac438392c49052a86605f490950d5317855f35ab7d74a", - "zh:dc500a03d3ed6b1fed3f118a55a7fb93bf172965ae6b2f25cc7f4a152e44edd7", - "zh:e0438bf67d93a29f0d56f9a4544297155ca85c0f10626778d4c3aa68c7e93581", - ] -} diff --git a/terraform/services/api-waf-sync/conf.sh b/terraform/services/api-waf-sync/conf.sh new file mode 100644 index 00000000..2c4d8d3f --- /dev/null +++ b/terraform/services/api-waf-sync/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-dev bcda-test bcda-prod dpc-dev dpc-test dpc-prod" diff --git a/terraform/services/api-waf/conf.sh b/terraform/services/api-waf/conf.sh new file mode 100644 index 00000000..7780c940 --- /dev/null +++ b/terraform/services/api-waf/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-dev bcda-test bcda-sandbox bcda-prod dpc-dev dpc-test dpc-sandbox dpc-prod" 
diff --git a/terraform/services/backup-plan/conf.sh b/terraform/services/backup-plan/conf.sh new file mode 100644 index 00000000..b10d1543 --- /dev/null +++ b/terraform/services/backup-plan/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=account diff --git a/terraform/services/bucket-access-logs/conf.sh b/terraform/services/bucket-access-logs/conf.sh new file mode 100644 index 00000000..b10d1543 --- /dev/null +++ b/terraform/services/bucket-access-logs/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=account diff --git a/terraform/services/cclf-import/conf.sh b/terraform/services/cclf-import/conf.sh new file mode 100644 index 00000000..65b01c18 --- /dev/null +++ b/terraform/services/cclf-import/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-dev bcda-test bcda-prod" diff --git a/terraform/services/codebuild-projects/conf.sh b/terraform/services/codebuild-projects/conf.sh new file mode 100644 index 00000000..aa0200ba --- /dev/null +++ b/terraform/services/codebuild-projects/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-prod" # TODO this should be cdap-mgmt diff --git a/terraform/services/external-services-ip-sets/conf.sh b/terraform/services/external-services-ip-sets/conf.sh new file mode 100644 index 00000000..b10d1543 --- /dev/null +++ b/terraform/services/external-services-ip-sets/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=account diff --git a/terraform/services/github-actions-oidc-provider/conf.sh b/terraform/services/github-actions-oidc-provider/conf.sh new file mode 100644 index 00000000..b10d1543 --- /dev/null +++ b/terraform/services/github-actions-oidc-provider/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=account diff --git a/terraform/services/github-actions-role/conf.sh b/terraform/services/github-actions-role/conf.sh new file mode 100644 index 00000000..1f3cc105 --- /dev/null +++ b/terraform/services/github-actions-role/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=all diff --git a/terraform/services/kms-keys/conf.sh b/terraform/services/kms-keys/conf.sh new file mode 100644 index 00000000..1f3cc105 --- /dev/null 
+++ b/terraform/services/kms-keys/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=all diff --git a/terraform/services/opt-out-export/conf.sh b/terraform/services/opt-out-export/conf.sh new file mode 100644 index 00000000..c85bfefc --- /dev/null +++ b/terraform/services/opt-out-export/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="dpc-dev dpc-test" diff --git a/terraform/services/opt-out-import/conf.sh b/terraform/services/opt-out-import/conf.sh new file mode 100644 index 00000000..5da700b8 --- /dev/null +++ b/terraform/services/opt-out-import/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS="bcda-test bcda-prod dpc-dev dpc-test" diff --git a/terraform/services/security-groups/conf.sh b/terraform/services/security-groups/conf.sh new file mode 100644 index 00000000..1f3cc105 --- /dev/null +++ b/terraform/services/security-groups/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=all diff --git a/terraform/services/snyk-integration/conf.sh b/terraform/services/snyk-integration/conf.sh new file mode 100644 index 00000000..b10d1543 --- /dev/null +++ b/terraform/services/snyk-integration/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=account diff --git a/terraform/services/tfstate/conf.sh b/terraform/services/tfstate/conf.sh new file mode 100644 index 00000000..1f3cc105 --- /dev/null +++ b/terraform/services/tfstate/conf.sh @@ -0,0 +1 @@ +INFRA_ENVS=all