ci: Bundle OpenTofu setup actions.

jamesiarmes · jamesiarmes · commit dd68cbd17d78 · 2025-10-02T12:49:00.000-04:00
diff --git a/.github/actions/setup-opentofu/action.yaml b/.github/actions/setup-opentofu/action.yaml
@@ -17,33 +17,16 @@ runs:
       run: tofu version
     - name: Set optional variables
       shell: bash
-      env:
-        # For any of these that have a value, the corresponding TF_VAR_*
-        # environment variable will be set.
-        APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ env.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
-        TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ env.TF_VAR_CONSUMER_CONTAINER_COUNT }}
-        CONSUMER_CPU: ${{ env.TF_VAR_CONSUMER_CPU }}
-        CONSUMER_MEMORY: ${{ env.TF_VAR_CONSUMER_MEMORY }}
-        DATABASE_SKIP_FINAL_SNAPSHOT: ${{ env.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
-        DELETION_PROTECTION: ${{ env.TF_VAR_DELETION_PROTECTION }}
-        DEPLOYMENT_ENVIRONMENTS: ${{ env.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
-        ENVIRONMENT: ${{ env.TF_VAR_ENVIRONMENT }}
-        EXPORT_EXPIRATION: ${{ env.TF_VAR_EXPORT_EXPIRATION }}
-        IMAGE_TAGS_MUTABLE: ${{ env.TF_VAR_IMAGE_TAGS_MUTABLE }}
-        KEY_RECOVERY_PERIOD: ${{ env.TF_VAR_KEY_RECOVERY_PERIOD }}
-        PROGRAM: ${{ env.TF_VAR_PROGRAM }}
-        PROJECT: ${{ env.TF_VAR_PROJECT }}
-        REPOSITORY: ${{ env.TF_VAR_REPOSITORY }}
       run: |
         variables=(
           "apply_database_updates_immediately" "consumer_container_count"
-          "consumer_cpu" "consumer_memory" "database_skip_final_snapshot"
-          "deletion_protection" "deployment_environments" "environment"
-          "export_expiration" "image_tags_mutable" "key_recovery_period"
-          "program" "project" "repository"
+          "consumer_cpu" "consumer_memory" "database_instance_count"
+          "database_skip_final_snapshot" "deletion_protection"
+          "deployment_environments" "environment" "export_expiration"
+          "image_tags_mutable" "key_recovery_period" "program" "project" "repository"
         )
         for var in ${variables[@]}; do
-          name="$(echo $var | tr '[:lower:]' '[:upper:]')"
+          name="TF_VAR_$(echo $var | tr '[:lower:]' '[:upper:]')"
           if [ -n "${!name}" ]; then
             echo "Setting TF_VAR_$var"
             echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -80,55 +80,35 @@ jobs:
           aws-region: ${{ secrets.AWS_REGION || 'us-west-1' }}
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
-      - name: Setup OpenTofu
-        uses: opentofu/setup-opentofu@v1
-        with:
-          tofu_wrapper: false
-      - name: Display OpenTofu version
-        run: tofu version
-      - name: Set optional variables
-        env:
-          # For any of these that have a value, the corresponding TF_VAR_*
-          # environment variable will be set.
-          APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
-          TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
-          CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
-          CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
-          DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
-          DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
-          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
-          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
-          EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
-          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
-          KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
-          PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
-          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
-          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
-        run: |
-          variables=(
-            "apply_database_updates_immediately" "consumer_container_count"
-            "consumer_cpu" "consumer_memory" "database_skip_final_snapshot"
-            "deletion_protection" "deployment_environments" "environment"
-            "export_expiration" "image_tags_mutable" "key_recovery_period"
-            "program" "project" "repository"
-          )
-          for var in ${variables[@]}; do
-            name="$(echo $var | tr '[:lower:]' '[:upper:]')"
-            if [ -n "${!name}" ]; then
-              echo "Setting TF_VAR_$var"
-              echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
-            else
-              echo "$name is not set"
-            fi
-          done
       - name: Download plan file
         uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.config }}-tfplan
           path: ./tofu/config/${{ inputs.config }}
-      - name: Initialize OpenTofu
-        working-directory: ./tofu/config/${{ inputs.config }}
-        run: tofu init
+      - name: Setup OpenTofu
+        uses: ./.github/actions/setup-opentofu
+        env:
+          TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+          TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
+          TF_VAR_CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
+          TF_VAR_CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
+          TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
+          TF_VAR_DATABASE_INSTANCE_COUNT: ${{ secrets.TF_VAR_DATABASE_INSTANCE_COUNT }}
+          TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+          TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
+          TF_VAR_ENVIRONMENT: ${{ inputs.environment }}
+          TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+          TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
+          TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
+          TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+          TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+          TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
+          TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
+          TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
+          TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
+          TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
+        with:
+          config: ${{ inputs.config }}
       - name: Deploy changes
         working-directory: ./tofu/config/${{ inputs.config }}
         run: tofu apply tfplan
diff --git a/.github/workflows/launch-tools.yaml b/.github/workflows/launch-tools.yaml
@@ -88,15 +88,18 @@ jobs:
         uses: ./.github/actions/setup-opentofu
         env:
           TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
-          TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
           TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
           TF_VAR_CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
           TF_VAR_CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
+          TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
+          TF_VAR_DATABASE_INSTANCE_COUNT: ${{ secrets.TF_VAR_DATABASE_INSTANCE_COUNT }}
           TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
           TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
+          TF_VAR_ENVIRONMENT: ${{ inputs.environment }}
           TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
           TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
           TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
+          TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
           TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
           TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
           TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
@@ -131,8 +134,6 @@ jobs:
           echo "command<<EOF" >> $GITHUB_OUTPUT
           echo "$COMMAND_STRING" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT
-#      - name: Show outputs
-#        run: echo "${{ steps.command.outputs.command }}"
       - name: Launch container
         id: run-task
         uses: geekcell/github-action-aws-ecs-run-task@v5
diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml
@@ -68,6 +68,10 @@ on:
         default: development
         required: true
         type: environment
+      image_tag:
+        description: (Optional) Image tag to use for the OpenTofu containers. Defaults to latest SHA.
+        required: false
+        type: string
 
 permissions:
   contents: read
@@ -95,49 +99,29 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
           role-session-name: GitHub_to_AWS_via_FederatedOIDC
       - name: Setup OpenTofu
-        uses: opentofu/setup-opentofu@v1
-        with:
-          tofu_wrapper: false
-      - name: Display OpenTofu version
-        run: tofu version
-      - name: Set optional variables
+        uses: ./.github/actions/setup-opentofu
         env:
-          # For any of these that have a value, the corresponding TF_VAR_*
-          # environment variable will be set.
-          APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+          TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
           TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
-          CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
-          CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
-          DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
-          DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
-          DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
-          ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
-          EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
-          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
-          KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
-          PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
-          PROJECT: ${{ secrets.TF_VAR_PROJECT }}
-          REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
-        run: |
-          variables=(
-            "apply_database_updates_immediately" "consumer_container_count"
-            "consumer_cpu" "consumer_memory" "database_skip_final_snapshot"
-            "deletion_protection" "deployment_environments" "environment"
-            "export_expiration" "image_tags_mutable" "key_recovery_period"
-            "program" "project" "repository"
-          )
-          for var in ${variables[@]}; do
-            name="$(echo $var | tr '[:lower:]' '[:upper:]')"
-            if [ -n "${!name}" ]; then
-              echo "Setting TF_VAR_$var"
-              echo "TF_VAR_$var=${!name}" >> $GITHUB_ENV
-            else
-              echo "$name is not set"
-            fi
-          done
-      - name: Initialize OpenTofu
-        working-directory: ./tofu/config/${{ inputs.config }}
-        run: tofu init
+          TF_VAR_CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
+          TF_VAR_CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
+          TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
+          TF_VAR_DATABASE_INSTANCE_COUNT: ${{ secrets.TF_VAR_DATABASE_INSTANCE_COUNT }}
+          TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
+          TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
+          TF_VAR_ENVIRONMENT: ${{ inputs.environment }}
+          TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+          TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
+          TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
+          TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
+          TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
+          TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
+          TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
+          TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
+          TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
+          TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
+        with:
+          config: ${{ inputs.config }}
       - name: Plan changes
         working-directory: ./tofu/config/${{ inputs.config }}
         run: tofu plan -concise -no-color -out tfplan > plan.txt
diff --git a/tofu/config/service/locals.tf b/tofu/config/service/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  image_tag = var.image_tag != null ? var.image_tag : sha256(timestamp())
+}
diff --git a/tofu/config/service/main.tf b/tofu/config/service/main.tf
@@ -30,9 +30,10 @@ module "system" {
   container_subnets   = split(",", module.inputs.values["vpc/private_subnets"])
 
   apply_database_updates_immediately = var.apply_database_updates_immediately
+  database_instance_count            = var.database_instance_count
   database_skip_final_snapshot       = var.database_skip_final_snapshot
   deletion_protection                = var.deletion_protection
-  image_tag                          = var.image_tag != null ? var.image_tag : sha256(timestamp())
+  image_tag                          = local.image_tag
   image_tags_mutable                 = var.image_tags_mutable
 
   consumer_container_count = var.consumer_container_count
diff --git a/tofu/config/service/outputs.tf b/tofu/config/service/outputs.tf
@@ -8,6 +8,11 @@ output "export_bucket" {
   description = "The name of the S3 bucket for exports."
 }
 
+output "image_tag" {
+  value       = local.image_tag
+  description = "The tag of the container image used for the ECS tasks."
+}
+
 output "queue_url" {
   value       = module.system.queue_url
   description = "The URL of the SQS queue."
diff --git a/tofu/config/service/variables.tf b/tofu/config/service/variables.tf
@@ -22,6 +22,17 @@ variable "consumer_memory" {
   default     = 4096
 }
 
+variable "database_instance_count" {
+  type        = number
+  description = "Number of instances in the database cluster."
+  default     = 1
+
+  validation {
+    condition     = var.database_instance_count >= 0 && var.database_instance_count < 17
+    error_message = "Database instance count must be between 0 and 16."
+  }
+}
+
 variable "database_skip_final_snapshot" {
   type        = bool
   description = "Whether to skip the final snapshot when the database cluster is deleted."
diff --git a/tofu/modules/system/variables.tf b/tofu/modules/system/variables.tf
@@ -33,8 +33,8 @@ variable "database_instance_count" {
   default     = 1
 
   validation {
-    condition     = var.database_instance_count > 0 && var.database_instance_count < 17
-    error_message = "Database instance count must be between 1 and 16."
+    condition     = var.database_instance_count >= 0 && var.database_instance_count < 17
+    error_message = "Database instance count must be between 0 and 16."
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+locals {`
	`2`	`+ image_tag = var.image_tag != null ? var.image_tag : sha256(timestamp())`
	`3`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -33,8 +33,8 @@ variable "database_instance_count" {`
`33`	`33`	`default = 1`
`34`	`34`
`35`	`35`	`validation {`
`36`		`- condition = var.database_instance_count > 0 && var.database_instance_count < 17`
`37`		`- error_message = "Database instance count must be between 1 and 16."`
	`36`	`+ condition = var.database_instance_count >= 0 && var.database_instance_count < 17`
	`37`	`+ error_message = "Database instance count must be between 0 and 16."`
`38`	`38`	`}`
`39`	`39`	`}`
`40`	`40`