ci: Add workflow to launch a tools container.

jamesiarmes · jamesiarmes · commit db350b8cdcf3 · 2025-10-02T12:48:59.000-04:00
diff --git a/.github/workflows/launch-tools.yaml b/.github/workflows/launch-tools.yaml
@@ -0,0 +1,132 @@
+name: Launch tools container
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Environment to destroy.
+        default: development
+        required: true
+        type: environment
+      command:
+        description: |
+          Command to run in the tools container in the CMD format: executable,
+          param1, param2, ...
+        default: "echo,hello world"
+        required: true
+        type: string
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  launch:
+    name: Launch tools container in ${{ inputs.environment }}
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    env:
+      # Set required variables.
+      TF_VAR_repo_oidc_arn: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
+      TF_VAR_vpc_cidr: ${{ secrets.TF_VAR_VPC_CIDR }}
+      TF_VAR_vpc_private_subnet_cidrs: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
+      TF_VAR_vpc_public_subnet_cidrs: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Set up AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION || 'us-west-1' }}
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: GitHub_to_AWS_via_FederatedOIDC
+      - name: Setup OpenTofu
+        uses: opentofu/setup-opentofu@v1
+        with:
+          tofu_wrapper: false
+      - name: Display OpenTofu version
+        run: tofu version
+      - name: Set optional variables
+        env:
+          # For any of these that have a value, the corresponding TF_VAR_*
+          # environment variable will be set.
+          APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+          TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
+          CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
+          CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
+          DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
+          DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
+          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
+          EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
+          KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
+          PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
+        run: |
+          variables=(
+            "apply_database_updates_immediately" "consumer_container_count"
+            "consumer_cpu" "consumer_memory" "database_skip_final_snapshot"
+            "deletion_protection" "deployment_environments" "environment"
+            "export_expiration" "image_tags_mutable" "key_recovery_period"
+            "program" "project" "repository"
+          )
+          for var in ${variables[@]}; do
+            name="$(echo $var | tr '[:lower:]' '[:upper:]')"
+            if [ -n "${!name}" ]; then
+              echo "Setting TF_VAR_$var"
+              echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
+            else
+              echo "$name is not set"
+            fi
+          done
+      - name: Initialize OpenTofu
+        working-directory: ./tofu/config/service
+        run: tofu init
+      - name: Get OpenTofu outputs
+        id: outputs
+        working-directory: ./tofu/config/service
+        run: |
+            OUTPUTS=$(tofu output -json | jq -c)
+            echo "OUTPUTS=$OUTPUTS"
+            echo "outputs=$OUTPUTS" >> $GITHUB_OUTPUT
+      - name: Parse subnets
+        id: subnets
+        env:
+          SUBNETS: ${{ toJson(fromJson(steps.outputs.outputs.outputs).container_subnets.value) }}
+        run: |
+          SUBNET_STRING=$(echo "$SUBNETS" | jq -r '.[]')
+          echo "subnets<<EOF" >> $GITHUB_OUTPUT
+          echo "$SUBNET_STRING" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+      - name: Parse command
+        id: command
+        env:
+          COMMAND: ${{ inputs.command }}
+        run: |
+          IFS=',' read -ra parts <<< "$COMMAND"
+          COMMAND_STRING=$(printf "%s\n" "${parts[@]}")
+          echo "command<<EOF" >> $GITHUB_OUTPUT
+          echo "$COMMAND_STRING" >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+#      - name: Show outputs
+#        run: echo "${{ steps.command.outputs.command }}"
+      - name: Launch container
+        id: run-task
+        uses: geekcell/github-action-aws-ecs-run-task@v5
+        with:
+          cluster: ${{ secrets.TF_VAR_PROJECT }}-${{ secrets.TF_VAR_ENVIRONMENT }}
+          task-definition: ${{ secrets.TF_VAR_PROJECT }}-${{ secrets.TF_VAR_ENVIRONMENT }}-tools
+          override-container: ${{ secrets.TF_VAR_PROJECT }}-${{ secrets.TF_VAR_ENVIRONMENT }}-tools
+          assign-public-ip: DISABLED
+          tail-logs: true
+          task-wait-until-stopped: true
+          # The block style indicator (|) is necessary to tell YAML to preserve
+          # newlines.
+          override-container-command: |
+            ${{ steps.command.outputs.command }}
+          subnet-ids: |
+            ${{ steps.subnets.outputs.subnets }}
+          security-group-ids: |
+            ${{ fromJson(steps.outputs.outputs.outputs).task_security_group_id.value }}
diff --git a/tofu/config/service/outputs.tf b/tofu/config/service/outputs.tf
@@ -1,3 +1,8 @@
+output "container_subnets" {
+  value       = split(",", module.inputs.values["vpc/private_subnets"])
+  description = "The IDs of the subnets in which the container resources will be deployed."
+}
+
 output "export_bucket" {
   value       = module.system.export_bucket
   description = "The name of the S3 bucket for exports."
@@ -7,3 +12,8 @@ output "queue_url" {
   value       = module.system.queue_url
   description = "The URL of the SQS queue."
 }
+
+output "task_security_group_id" {
+  value       = module.system.task_security_group_id
+  description = "The ID of the security group attached to the ECS tasks."
+}
diff --git a/tofu/modules/system/outputs.tf b/tofu/modules/system/outputs.tf
@@ -7,3 +7,8 @@ output "queue_url" {
   value       = module.sqs.queue_url
   description = "The URL of the SQS queue."
 }
+
+output "task_security_group_id" {
+  value       = module.task_security_group.security_group_id
+  description = "The ID of the security group attached to the ECS tasks."
+}

Original file line number	Diff line number	Diff line change
`@@ -7,3 +7,8 @@ output "queue_url" {`
`7`	`7`	`value = module.sqs.queue_url`
`8`	`8`	`description = "The URL of the SQS queue."`
`9`	`9`	`}`
	`10`	`+`
	`11`	`+output "task_security_group_id" {`
	`12`	`+ value = module.task_security_group.security_group_id`
	`13`	`+ description = "The ID of the security group attached to the ECS tasks."`
	`14`	`+}`