ci: Bundle OpenTofu setup actions.

Author: jamesiarmes

.github/actions/setup-opentofu/action.yaml

@@ -0,0 +1,40 @@
+name: Setup OpenTofu
+description: Sets up OpenTofu and related environment variables
+inputs:
+  config:
+    description: OpenTofu configuration to initialize.
+    required: true
+    default: service
+runs:
+  using: composite
+  steps:
+    - name: Setup OpenTofu
+      uses: opentofu/setup-opentofu@v1
+      with:
+        tofu_wrapper: false
+    - name: Display OpenTofu version
+      shell: bash
+      run: tofu version
+    - name: Set optional variables
+      shell: bash
+      run: |
+        variables=(
+          "apply_database_updates_immediately" "consumer_container_count"
+          "consumer_cpu" "consumer_memory" "database_instance_count"
+          "database_skip_final_snapshot" "deletion_protection"
+          "deployment_environments" "environment" "export_expiration"
+          "image_tags_mutable" "key_recovery_period" "program" "project" "repository"
+        )
+        for var in ${variables[@]}; do
+          name="TF_VAR_$(echo $var | tr '[:lower:]' '[:upper:]')"
+          if [ -n "${!name}" ]; then
+            echo "Setting TF_VAR_$var"
+            echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
+          else
+            echo "$name is not set"
+          fi
+        done
+    - name: Initialize OpenTofu
+      shell: bash
+      working-directory: ./tofu/config/${{ inputs.config }}
+      run: tofu init

.github/workflows/deploy.yaml

@@ -80,55 +80,35 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION || 'us-west-1' }}
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
-      - name: Setup OpenTofu
-        uses: opentofu/setup-opentofu@v1
-        with:
-          tofu_wrapper: false
-      - name: Display OpenTofu version
-        run: tofu version
-      - name: Set optional variables
-        env:
-          # For any of these that have a value, the corresponding TF_VAR_*
-          # environment variable will be set.
-          APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
-          TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
-          CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
-          CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
-          DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
-          DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
-          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
-          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
-          EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
-          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
-          KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
-          PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
-          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
-          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
-        run: |
-          variables=(
-            "apply_database_updates_immediately" "consumer_container_count"
-            "consumer_cpu" "consumer_memory" "database_skip_final_snapshot"
-            "deletion_protection" "deployment_environments" "environment"
-            "export_expiration" "image_tags_mutable" "key_recovery_period"
-            "program" "project" "repository"
-          )
-          for var in ${variables[@]}; do
-            name="$(echo $var | tr '[:lower:]' '[:upper:]')"
-            if [ -n "${!name}" ]; then
-              echo "Setting TF_VAR_$var"
-              echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
-            else
-              echo "$name is not set"
-            fi
-          done
       - name: Download plan file
         uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.config }}-tfplan
           path: ./tofu/config/${{ inputs.config }}
-      - name: Initialize OpenTofu
-        working-directory: ./tofu/config/${{ inputs.config }}
-        run: tofu init
+      - name: Setup OpenTofu
+        uses: ./.github/actions/setup-opentofu
+        env:
+          TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+          TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
+          TF_VAR_CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
+          TF_VAR_CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
+          TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
+          TF_VAR_DATABASE_INSTANCE_COUNT: ${{ secrets.TF_VAR_DATABASE_INSTANCE_COUNT }}
+          TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+          TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
+          TF_VAR_ENVIRONMENT: ${{ inputs.environment }}
+          TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+          TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
+          TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
+          TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+          TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+          TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
+          TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
+          TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
+          TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
+          TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
+        with:
+          config: ${{ inputs.config }}
       - name: Deploy changes
         working-directory: ./tofu/config/${{ inputs.config }}
         run: tofu apply tfplan

.github/workflows/launch-tools.yaml

@@ -40,50 +40,74 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION || 'us-west-1' }}
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
+#      - name: Setup OpenTofu
+#        uses: opentofu/setup-opentofu@v1
+#        with:
+#          tofu_wrapper: false
+#      - name: Display OpenTofu version
+#        run: tofu version
+#      - name: Set optional variables
+#        env:
+#          # For any of these that have a value, the corresponding TF_VAR_*
+#          # environment variable will be set.
+#          APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+#          TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
+#          CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
+#          CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
+#          DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
+#          DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+#          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
+#          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
+#          EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+#          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
+#          KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
+#          PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+#          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+#          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
+#        run: |
+#          variables=(
+#            "apply_database_updates_immediately" "consumer_container_count"
+#            "consumer_cpu" "consumer_memory" "database_skip_final_snapshot"
+#            "deletion_protection" "deployment_environments" "environment"
+#            "export_expiration" "image_tags_mutable" "key_recovery_period"
+#            "program" "project" "repository"
+#          )
+#          for var in ${variables[@]}; do
+#            name="$(echo $var | tr '[:lower:]' '[:upper:]')"
+#            if [ -n "${!name}" ]; then
+#              echo "Setting TF_VAR_$var"
+#              echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
+#            else
+#              echo "$name is not set"
+#            fi
+#          done
+#      - name: Initialize OpenTofu
+#        working-directory: ./tofu/config/service
+#        run: tofu init
       - name: Setup OpenTofu
-        uses: opentofu/setup-opentofu@v1
-        with:
-          tofu_wrapper: false
-      - name: Display OpenTofu version
-        run: tofu version
-      - name: Set optional variables
+        uses: ./.github/actions/setup-opentofu
         env:
-          # For any of these that have a value, the corresponding TF_VAR_*
-          # environment variable will be set.
-          APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+          TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
           TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
-          CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
-          CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
-          DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
-          DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
-          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
-          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
-          EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
-          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
-          KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
-          PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
-          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
-          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
-        run: |
-          variables=(
-            "apply_database_updates_immediately" "consumer_container_count"
-            "consumer_cpu" "consumer_memory" "database_skip_final_snapshot"
-            "deletion_protection" "deployment_environments" "environment"
-            "export_expiration" "image_tags_mutable" "key_recovery_period"
-            "program" "project" "repository"
-          )
-          for var in ${variables[@]}; do
-            name="$(echo $var | tr '[:lower:]' '[:upper:]')"
-            if [ -n "${!name}" ]; then
-              echo "Setting TF_VAR_$var"
-              echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
-            else
-              echo "$name is not set"
-            fi
-          done
-      - name: Initialize OpenTofu
-        working-directory: ./tofu/config/service
-        run: tofu init
+          TF_VAR_CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
+          TF_VAR_CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
+          TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
+          TF_VAR_DATABASE_INSTANCE_COUNT: ${{ secrets.TF_VAR_DATABASE_INSTANCE_COUNT }}
+          TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+          TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
+          TF_VAR_ENVIRONMENT: ${{ inputs.environment }}
+          TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+          TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
+          TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
+          TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+          TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+          TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
+          TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
+          TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
+          TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
+          TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
+        with:
+          config: service
       - name: Get OpenTofu outputs
         id: outputs
         working-directory: ./tofu/config/service
@@ -110,8 +134,6 @@ jobs:
           echo "command<<EOF" >> $GITHUB_OUTPUT
           echo "$COMMAND_STRING" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT
-#      - name: Show outputs
-#        run: echo "${{ steps.command.outputs.command }}"
       - name: Launch container
         id: run-task
         uses: geekcell/github-action-aws-ecs-run-task@v5

.github/workflows/plan.yaml

@@ -68,6 +68,10 @@ on:
         default: development
         required: true
         type: environment
+      image_tag:
+        description: (Optional) Image tag to use for the OpenTofu containers. Defaults to latest SHA.
+        required: false
+        type: string
 
 permissions:
   contents: read
@@ -95,49 +99,29 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
       - name: Setup OpenTofu
-        uses: opentofu/setup-opentofu@v1
-        with:
-          tofu_wrapper: false
-      - name: Display OpenTofu version
-        run: tofu version
-      - name: Set optional variables
+        uses: ./.github/actions/setup-opentofu
         env:
-          # For any of these that have a value, the corresponding TF_VAR_*
-          # environment variable will be set.
-          APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+          TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
           TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
-          CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
-          CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
-          DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
-          DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
-          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
-          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
-          EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
-          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
-          KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
-          PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
-          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
-          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
-        run: |
-          variables=(
-            "apply_database_updates_immediately" "consumer_container_count"
-            "consumer_cpu" "consumer_memory" "database_skip_final_snapshot"
-            "deletion_protection" "deployment_environments" "environment"
-            "export_expiration" "image_tags_mutable" "key_recovery_period"
-            "program" "project" "repository"
-          )
-          for var in ${variables[@]}; do
-            name="$(echo $var | tr '[:lower:]' '[:upper:]')"
-            if [ -n "${!name}" ]; then
-              echo "Setting TF_VAR_$var"
-              echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
-            else
-              echo "$name is not set"
-            fi
-          done
-      - name: Initialize OpenTofu
-        working-directory: ./tofu/config/${{ inputs.config }}
-        run: tofu init
+          TF_VAR_CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
+          TF_VAR_CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
+          TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
+          TF_VAR_DATABASE_INSTANCE_COUNT: ${{ secrets.TF_VAR_DATABASE_INSTANCE_COUNT }}
+          TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+          TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
+          TF_VAR_ENVIRONMENT: ${{ inputs.environment }}
+          TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+          TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
+          TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
+          TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+          TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+          TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
+          TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
+          TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
+          TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
+          TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
+        with:
+          config: ${{ inputs.config }}
       - name: Plan changes
         working-directory: ./tofu/config/${{ inputs.config }}
         run: tofu plan -concise -no-color -out tfplan > plan.txt

tofu/config/service/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  image_tag = var.image_tag != null ? var.image_tag : sha256(timestamp())
+}

tofu/config/service/main.tf

@@ -30,9 +30,10 @@ module "system" {
   container_subnets   = split(",", module.inputs.values["vpc/private_subnets"])
 
   apply_database_updates_immediately = var.apply_database_updates_immediately
+  database_instance_count            = var.database_instance_count
   database_skip_final_snapshot       = var.database_skip_final_snapshot
   deletion_protection                = var.deletion_protection
-  image_tag                          = var.image_tag != null ? var.image_tag : sha256(timestamp())
+  image_tag                          = local.image_tag
   image_tags_mutable                 = var.image_tags_mutable
 
   consumer_container_count = var.consumer_container_count

tofu/config/service/outputs.tf

@@ -8,6 +8,11 @@ output "export_bucket" {
   description = "The name of the S3 bucket for exports."
 }
 
+output "image_tag" {
+  value       = local.image_tag
+  description = "The tag of the container image used for the ECS tasks."
+}
+
 output "queue_url" {
   value       = module.system.queue_url
   description = "The URL of the SQS queue."

tofu/config/service/variables.tf

@@ -22,6 +22,17 @@ variable "consumer_memory" {
   default     = 4096
 }
 
+variable "database_instance_count" {
+  type        = number
+  description = "Number of instances in the database cluster."
+  default     = 1
+
+  validation {
+    condition     = var.database_instance_count >= 0 && var.database_instance_count < 17
+    error_message = "Database instance count must be between 0 and 16."
+  }
+}
+
 variable "database_skip_final_snapshot" {
   type        = bool
   description = "Whether to skip the final snapshot when the database cluster is deleted."

tofu/modules/system/variables.tf

@@ -33,8 +33,8 @@ variable "database_instance_count" {
   default     = 1
 
   validation {
-    condition     = var.database_instance_count > 0 && var.database_instance_count < 17
-    error_message = "Database instance count must be between 1 and 16."
+    condition     = var.database_instance_count >= 0 && var.database_instance_count < 17
+    error_message = "Database instance count must be between 0 and 16."
   }
 }