Merge pull request #13 from TransformCore/feature/deployment

Update configuration so it works with 0.12

Author: Chris Mills

.github/actions/Dockerfile

@@ -0,0 +1,18 @@
+FROM r.j3ss.co/terraform:latest
+
+LABEL "com.github.actions.name"="AWS Fargate"
+LABEL "com.github.actions.description"="Deploy to AWS Fargate on push to the master branch"
+LABEL "com.github.actions.icon"="cloud"
+LABEL "com.github.actions.color"="red"
+
+RUN apk add --no-cache \
+	git \
+	make
+
+COPY ../../terraform /usr/src/terraform
+COPY Makefile /usr/src
+COPY deploy.sh /usr/local/bin/deploy
+
+WORKDIR /usr/src
+
+ENTRYPOINT ["deploy"]

.github/actions/Makefile

@@ -0,0 +1,104 @@
+SHELL := /bin/bash
+AWS_REGION := ${AWS_REGION}
+AWS_ACCESS_KEY_ID := ${AWS_ACCESS_KEY_ID}
+AWS_SECRET_ACCESS_KEY := ${AWS_SECRET_ACCESS_KEY}
+IMAGE := ${IMAGE}
+PORT := ${PORT}
+COUNT := ${COUNT}
+CPU := ${CPU}
+MEMORY := ${MEMORY}
+BUCKET := ${BUCKET}
+
+AWS_DIR=$(CURDIR)/terraform/amazon
+TERRAFORM_FLAGS :=
+AWS_TERRAFORM_FLAGS = -var "region=$(AWS_REGION)" \
+		-var "access_key=$(AWS_ACCESS_KEY_ID)" \
+		-var "secret_key=$(AWS_SECRET_ACCESS_KEY)" \
+		-var "image=$(IMAGE)" \
+		-var "port=$(PORT)" \
+		-var "count=$(COUNT)" \
+		-var "cpu=$(CPU)" \
+		-var "memory=$(MEMORY)" \
+		-var "bucket=$(BUCKET)"
+
+.PHONY: aws-init
+aws-init:
+	@:$(call check_defined, AWS_REGION, Amazon Region)
+	@:$(call check_defined, AWS_ACCESS_KEY_ID, Amazon Access Key ID)
+	@:$(call check_defined, AWS_SECRET_ACCESS_KEY, Amazon Secret Access Key)
+	@:$(call check_defined, IMAGE, Docker image to run)
+	@:$(call check_defined, PORT, Port to expose)
+	@:$(call check_defined, COUNT, Number of containers to run)
+	@:$(call check_defined, CPU, Fargate instance CPU units to provision (1 vCPU = 1024 CPU units))
+	@:$(call check_defined, MEMORY, Fargate instance memory to provision (in MiB))
+	@:$(call check_defined, BUCKET, s3 bucket name to store the terraform state)
+	@cd $(AWS_DIR) && terraform init \
+		-backend-config "bucket=$(BUCKET)" \
+		-backend-config "region=$(AWS_REGION)" \
+		$(AWS_TERRAFORM_FLAGS)
+
+.PHONY: terraform-validate
+terraform-validate: ## Validate terraform scripts.
+	@cd $(AWS_DIR) && echo "$$(docker run --rm -it --entrypoint bash -w '/mnt' -v $$(pwd):/mnt r.j3ss.co/terraform -c 'terraform validate -check-variables=false . && echo [OK] terraform')"
+
+.PHONY: aws-plan
+aws-plan: aws-init ## Run terraform plan for Amazon.
+	@cd $(AWS_DIR) && terraform plan \
+		$(AWS_TERRAFORM_FLAGS)
+
+.PHONY: aws-apply
+aws-apply: aws-init ## Run terraform apply for Amazon.
+	@cd $(AWS_DIR) && terraform apply \
+		$(AWS_TERRAFORM_FLAGS) \
+		$(TERRAFORM_FLAGS)
+
+.PHONY: aws-destroy
+aws-destroy: aws-init ## Run terraform destroy for Amazon.
+	@cd $(AWS_DIR) && terraform destroy \
+		$(AWS_TERRAFORM_FLAGS)
+
+check_defined = \
+				$(strip $(foreach 1,$1, \
+				$(call __check_defined,$1,$(strip $(value 2)))))
+__check_defined = \
+				  $(if $(value $1),, \
+				  $(error Undefined $1$(if $2, ($2))$(if $(value @), \
+				  required by target `$@')))
+
+.PHONY: update
+update: update-terraform ## Update terraform binary locally.
+
+TERRAFORM_BINARY:=$(shell which terraform || echo "/usr/local/bin/terraform")
+TMP_TERRAFORM_BINARY:=/tmp/terraform
+.PHONY: update-terraform
+update-terraform: ## Update terraform binary locally from the docker container.
+	@echo "Updating terraform binary..."
+	$(shell docker run --rm --entrypoint bash r.j3ss.co/terraform -c "cd \$\$$(dirname \$\$$(which terraform)) && tar -Pc terraform" | tar -xvC $(dir $(TMP_TERRAFORM_BINARY)) > /dev/null)
+	sudo mv $(TMP_TERRAFORM_BINARY) $(TERRAFORM_BINARY)
+	sudo chmod +x $(TERRAFORM_BINARY)
+	@echo "Update terraform binary: $(TERRAFORM_BINARY)"
+	@terraform version
+
+.PHONY: test
+test: terraform-validate shellcheck ## Runs the tests on the repository.
+
+# if this session isn't interactive, then we don't want to allocate a
+# TTY, which would fail, but if it is interactive, we do want to attach
+# so that the user can send e.g. ^C through.
+INTERACTIVE := $(shell [ -t 0 ] && echo 1 || echo 0)
+ifeq ($(INTERACTIVE), 1)
+	DOCKER_FLAGS += -t
+endif
+
+.PHONY: shellcheck
+shellcheck: ## Runs the shellcheck tests on the scripts.
+	docker run --rm -i $(DOCKER_FLAGS) \
+		--name shellcheck \
+		-v $(CURDIR):/usr/src:ro \
+		--workdir /usr/src \
+		r.j3ss.co/shellcheck ./test.sh
+
+.PHONY: help
+help:
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+

.github/actions/deploy.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+set -e
+set -o pipefail
+
+if [[ "$GITHUB_REF" != "refs/heads/master" ]]; then
+	echo "$GITHUB_REF was not master, exiting..."
+	exit 0
+fi
+
+echo "On branch ${GITHUB_REF}, deploying..."
+
+(
+cd /usr/src
+make aws-apply TERRAFORM_FLAGS=-auto-approve
+)

.github/main.workflow

@@ -46,7 +46,7 @@ action "Deploy to Fargate" {
     COUNT = "2"
     CPU = "256"
     MEMORY = "512"
-    BUCKET = "et-dash-action"
+    BUCKET = "et-dash-actions"
   }
   secrets = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"]
 }

terraform/ecs.tf

@@ -1,3 +1,7 @@
+## Most of this is taken from https://github.com/jessfraz/aws-fargate-action
+## Because I am super lazy and stuck for time
+## Updated it so it's not old and doesn't work.
+
 ### Network
 
 # Fetch availability zones in the current region.
@@ -9,63 +13,63 @@ resource "aws_vpc" "main" {
 
 # Create var.az_count private subnets, each in a different availability zone.
 resource "aws_subnet" "private" {
-  count             = "${var.az_count}"
-  cidr_block        = "${cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)}"
-  availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
-  vpc_id            = "${aws_vpc.main.id}"
+  count             = var.az_count
+  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
+  availability_zone = data.aws_availability_zones.available.names[count.index]
+  vpc_id            = aws_vpc.main.id
 }
 
 # Create var.az_count public subnets, each in a different availability zone.
 resource "aws_subnet" "public" {
-  count                   = "${var.az_count}"
-  cidr_block              = "${cidrsubnet(aws_vpc.main.cidr_block, 8, var.az_count + count.index)}"
-  availability_zone       = "${data.aws_availability_zones.available.names[count.index]}"
-  vpc_id                  = "${aws_vpc.main.id}"
+  count                   = var.az_count
+  cidr_block              = cidrsubnet(aws_vpc.main.cidr_block, 8, var.az_count + count.index)
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  vpc_id                  = aws_vpc.main.id
   map_public_ip_on_launch = true
 }
 
 # Internet gateway for the public subnet.
 resource "aws_internet_gateway" "gw" {
-  vpc_id = "${aws_vpc.main.id}"
+  vpc_id = aws_vpc.main.id
 }
 
 # Route the public subnet traffic through the internet gateway.
 resource "aws_route" "internet_access" {
-  route_table_id         = "${aws_vpc.main.main_route_table_id}"
+  route_table_id         = aws_vpc.main.main_route_table_id
   destination_cidr_block = "0.0.0.0/0"
-  gateway_id             = "${aws_internet_gateway.gw.id}"
+  gateway_id             = aws_internet_gateway.gw.id
 }
 
 # Create a NAT gateway with an EIP for each private subnet to get internet connectivity.
 resource "aws_eip" "gw" {
-  count      = "${var.az_count}"
+  count      = var.az_count
   vpc        = true
-  depends_on = ["aws_internet_gateway.gw"]
+  depends_on = aws_internet_gateway.gw
 }
 
 resource "aws_nat_gateway" "gw" {
-  count         = "${var.az_count}"
-  subnet_id     = "${element(aws_subnet.public.*.id, count.index)}"
-  allocation_id = "${element(aws_eip.gw.*.id, count.index)}"
+  count         = var.az_count
+  subnet_id     = element(aws_subnet.public.*.id, count.index)
+  allocation_id = element(aws_eip.gw.*.id, count.index)
 }
 
 # Create a new route table for the private subnets.
 # And make it route non-local traffic through the NAT gateway to the internet.
 resource "aws_route_table" "private" {
-  count  = "${var.az_count}"
-  vpc_id = "${aws_vpc.main.id}"
+  count  = var.az_count
+  vpc_id = aws_vpc.main.id
 
   route {
     cidr_block     = "0.0.0.0/0"
-    nat_gateway_id = "${element(aws_nat_gateway.gw.*.id, count.index)}"
+    nat_gateway_id = element(aws_nat_gateway.gw.*.id, count.index)
   }
 }
 
 # Explicitely associate the newly created route tables to the private subnets (so they don't default to the main route table).
 resource "aws_route_table_association" "private" {
-  count          = "${var.az_count}"
-  subnet_id      = "${element(aws_subnet.private.*.id, count.index)}"
-  route_table_id = "${element(aws_route_table.private.*.id, count.index)}"
+  count          = var.az_count
+  subnet_id      = element(aws_subnet.private.*.id, count.index)
+  route_table_id = element(aws_route_table.private.*.id, count.index)
 }
 
 ### Security
@@ -75,7 +79,7 @@ resource "aws_route_table_association" "private" {
 resource "aws_security_group" "ecs_lb" {
   name        = "ecs-lb"
   description = "controls access to the ALB"
-  vpc_id      = "${aws_vpc.main.id}"
+  vpc_id      = aws_vpc.main.id
 
   ingress {
     protocol    = "tcp"
@@ -96,13 +100,13 @@ resource "aws_security_group" "ecs_lb" {
 resource "aws_security_group" "ecs_tasks" {
   name        = "ecs-tasks"
   description = "allow inbound access from the ALB only"
-  vpc_id      = "${aws_vpc.main.id}"
+  vpc_id      = aws_vpc.main.id
 
   ingress {
     protocol        = "tcp"
-    from_port       = "${var.port}"
-    to_port         = "${var.port}"
-    security_groups = ["${aws_security_group.ecs_lb.id}"]
+    from_port       = var.port
+    to_port         = var.port
+    security_groups = [aws_security_group.ecs_lb.id]
   }
 
   egress {
@@ -116,26 +120,26 @@ resource "aws_security_group" "ecs_tasks" {
 ### Load balancer.
 resource "aws_alb" "main" {
   name            = "github-actions-deploy"
-  subnets         = ["${aws_subnet.public.*.id}"]
-  security_groups = ["${aws_security_group.ecs_lb.id}"]
+  subnets         = [aws_subnet.public.*.id]
+  security_groups = [aws_security_group.ecs_lb.id]
 }
 
 resource "aws_alb_target_group" "app" {
   name        = "github-actions-deploy"
   port        = 80
   protocol    = "HTTP"
-  vpc_id      = "${aws_vpc.main.id}"
+  vpc_id      = aws_vpc.main.id
   target_type = "ip"
 }
 
 # Redirect all traffic from the load balancer to the target group.
 resource "aws_alb_listener" "front_end" {
-  load_balancer_arn = "${aws_alb.main.id}"
+  load_balancer_arn = aws_alb.main.id
   port              = "80"
   protocol          = "HTTP"
 
   default_action {
-    target_group_arn = "${aws_alb_target_group.app.id}"
+    target_group_arn = aws_alb_target_group.app.id
     type             = "forward"
   }
 }

terraform/outputs.tf

@@ -1,7 +1,7 @@
 output "alb_hostname" {
-  value = "${aws_alb.main.dns_name}"
+  value = aws_alb.main.dns_name
 }
 
 output "container_definitions" {
-  value = "${local.container_definitions}"
+  value = local.container_definitions
 }

terraform/service.tf

@@ -2,16 +2,16 @@ locals {
   container_definitions = <<DEFINITION
 [
   {
-    "cpu": ${var.cpu},
-    "image": "${var.image}",
-    "memory": ${var.memory},
+    "cpu": var.cpu
+    "image": var.image,
+    "memory": var.memory,
     "name": "app",
     "networkMode": "awsvpc",
     "pseudoTerminal": true,
     "portMappings": [
       {
-        "containerPort": ${var.port},
-        "hostPort": ${var.port}
+        "containerPort": var.port,
+        "hostPort": var.port
       }
     ]
   }
@@ -20,33 +20,33 @@ DEFINITION
 }
 
 resource "aws_ecs_task_definition" "app" {
-  family                   = "app"
-  network_mode             = "awsvpc"
+  family = "app"
+  network_mode = "awsvpc"
   requires_compatibilities = ["FARGATE"]
-  cpu                      = "${var.cpu}"
-  memory                   = "${var.memory}"
-  task_role_arn            = "arn:aws:iam::445220836204:role/ecsInstanceRole"
-  execution_role_arn       = "arn:aws:iam::445220836204:role/ecsInstanceRole"
+  cpu = var.cpu
+  memory = var.memory
+  task_role_arn = "arn:aws:iam::445220836204:role/ecsInstanceRole"
+  execution_role_arn = "arn:aws:iam::445220836204:role/ecsInstanceRole"
 
-  container_definitions = "${local.container_definitions}"
+  container_definitions = local.container_definitions
 }
 
 resource "aws_ecs_service" "main" {
-  name            = "tf-ecs-service"
-  cluster         = "${aws_ecs_cluster.main.id}"
-  task_definition = "${aws_ecs_task_definition.app.arn}"
-  desired_count   = "${var.desired_count}"
-  launch_type     = "FARGATE"
+  name = "tf-ecs-service"
+  cluster = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.app.arn
+  desired_count = var.desired_count
+  launch_type = "FARGATE"
 
   network_configuration {
-    security_groups = ["${aws_security_group.ecs_tasks.id}"]
-    subnets         = ["${aws_subnet.private.*.id}"]
+    security_groups = [aws_security_group.ecs_tasks.id]
+    subnets = [aws_subnet.private.*.id]
   }
 
   load_balancer {
-    target_group_arn = "${aws_alb_target_group.app.id}"
-    container_name   = "app"
-    container_port   = "${var.port}"
+    target_group_arn = aws_alb_target_group.app.id
+    container_name = "app"
+    container_port = var.port
   }
 
   depends_on = [