Template infra deploy #9765225682

navapbc · Jul 2, 2024 · a179a66 · a179a66
1 parent 7466fa3
commit a179a66
Show file tree

Hide file tree

Showing 19 changed files with 246 additions and 246 deletions.
diff --git a/.github/actions/configure-aws-credentials/action.yml b/.github/actions/configure-aws-credentials/action.yml
@@ -26,13 +26,13 @@ runs:
       run: |
         echo "Get network name for app_name=${{ inputs.app_name }} and environment=${{ inputs.environment }}"
 
-        terraform -chdir=infra/${{ inputs.app_name }}/app-config init > /dev/null
-        terraform -chdir=infra/${{ inputs.app_name }}/app-config apply -auto-approve > /dev/null
+        terraform -chdir="infra/${{ inputs.app_name }}/app-config" init > /dev/null
+        terraform -chdir="infra/${{ inputs.app_name }}/app-config" apply -auto-approve > /dev/null
 
         if [[ "${{ inputs.environment }}" == "shared" ]]; then
-          network_name=$(terraform -chdir=infra/${{ inputs.app_name }}/app-config output -raw shared_network_name)
+          network_name=$(terraform -chdir="infra/${{ inputs.app_name }}/app-config" output -raw shared_network_name)
         else
-          network_name=$(terraform -chdir=infra/${{ inputs.app_name }}/app-config output -json environment_configs | jq -r .${{ inputs.environment }}.network_name)
+          network_name=$(terraform -chdir="infra/${{ inputs.app_name }}/app-config" output -json environment_configs | jq -r ".${{ inputs.environment }}.network_name")
         fi
 
         echo "Network name retrieved: ${network_name}"
@@ -46,9 +46,9 @@ runs:
         network_name="${{ inputs.network_name || steps.get-network-name.outputs.network_name }}"
         echo "Get account name for network: ${network_name}"
 
-        terraform -chdir=infra/project-config init > /dev/null
-        terraform -chdir=infra/project-config apply -auto-approve > /dev/null
-        account_name=$(terraform -chdir=infra/project-config output -json network_configs | jq -r .${network_name}.account_name)
+        terraform -chdir="infra/project-config" init > /dev/null
+        terraform -chdir="infra/project-config" apply -auto-approve > /dev/null
+        account_name=$(terraform -chdir="infra/project-config" output -json network_configs | jq -r ".${network_name}.account_name")
 
         echo "Account name retrieved: ${account_name}"
         echo "account_name=${account_name}" >> "$GITHUB_OUTPUT"
@@ -64,22 +64,22 @@ runs:
 
         account_name="${{ inputs.account_name || steps.get-account-name.outputs.account_name }}"
 
-        terraform -chdir=infra/project-config init > /dev/null
-        terraform -chdir=infra/project-config apply -auto-approve > /dev/null
-        aws_region=$(terraform -chdir=infra/project-config output -raw default_region)
+        terraform -chdir="infra/project-config" init > /dev/null
+        terraform -chdir="infra/project-config" apply -auto-approve > /dev/null
+        aws_region=$(terraform -chdir="infra/project-config" output -raw default_region)
         echo "aws_region=${aws_region}"
-        github_actions_role_name=$(terraform -chdir=infra/project-config output -raw github_actions_role_name)
+        github_actions_role_name=$(terraform -chdir="infra/project-config" output -raw github_actions_role_name)
         echo "github_actions_role_name=${github_actions_role_name}"
 
         # Get the account id associated with the account name extracting the
         # ACCOUNT_ID part of the tfbackend file name which looks like
         # <ACCOUNT_NAME>.<ACCOUNT_ID>.s3.tfbackend.
-        # The cut command splits the string with period as the delimeter and
+        # The cut command splits the string with period as the delimiter and
         # extracts the second field.
         account_id=$(ls infra/accounts/${account_name}.*.s3.tfbackend | cut -d. -f2)
         echo "account_id=${account_id}"
 
-        aws_role_to_assume=arn:aws:iam::${account_id}:role/${github_actions_role_name}
+        aws_role_to_assume="arn:aws:iam::${account_id}:role/${github_actions_role_name}"
         echo "aws_role_to_assume=${aws_role_to_assume}"
 
         echo "::endgroup::"

diff --git a/.template-version b/.template-version
@@ -1 +1 @@
-63bb86a9e415ca2432b271a39e6af2b4472bff6d
+e3109d95a61345b63df4f4fcd58e2299555b7ebd
diff --git a/bin/account-ids-by-name b/bin/account-ids-by-name
@@ -10,13 +10,13 @@ set -euo pipefail
 script_dir=$(dirname "$0")
 
 key_value_pairs=()
-backend_config_file_paths=$(ls -1 "$script_dir"/../infra/accounts/*.*.s3.tfbackend)
+backend_config_file_paths=$(ls -1 "${script_dir}"/../infra/accounts/*.*.s3.tfbackend)
 
-for backend_config_file_path in $backend_config_file_paths; do
-  backend_config_file=$(basename "$backend_config_file_path")
+for backend_config_file_path in ${backend_config_file_paths}; do
+  backend_config_file=$(basename "${backend_config_file_path}")
   backend_config_name="${backend_config_file/.s3.tfbackend/}"
-  IFS='.' read -r account_name account_id <<< "$backend_config_name"
-  key_value_pairs+=("\"$account_name\":\"$account_id\"")
+  IFS='.' read -r account_name account_id <<< "${backend_config_name}"
+  key_value_pairs+=("\"${account_name}\":\"${account_id}\"")
 done
 
 IFS=","

diff --git a/bin/check-database-roles b/bin/check-database-roles
@@ -11,43 +11,43 @@
 # -----------------------------------------------------------------------------
 set -euo pipefail
 
-app_name=$1
-environment=$2
+app_name="$1"
+environment="$2"
 
-terraform -chdir="infra/$app_name/app-config" init > /dev/null
-terraform -chdir="infra/$app_name/app-config" apply -auto-approve > /dev/null
-./bin/terraform-init "infra/$app_name/database" "$environment"
-db_role_manager_function_name=$(terraform -chdir="infra/$app_name/database" output -raw role_manager_function_name)
-db_config=$(terraform -chdir="infra/$app_name/app-config" output -json environment_configs | jq -r ".$environment.database_config")
-payload="{\"action\":\"check\",\"config\":$db_config}"
+terraform -chdir="infra/${app_name}/app-config" init > /dev/null
+terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
+./bin/terraform-init "infra/${app_name}/database" "${environment}"
+db_role_manager_function_name=$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name)
+db_config=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config")
+payload="{\"action\":\"check\",\"config\":${db_config}}"
 
 echo "======================="
 echo "Checking database roles"
 echo "======================="
 echo "Input parameters"
-echo "  app_name=$app_name"
-echo "  environment=$environment"
+echo "  app_name=${app_name}"
+echo "  environment=${environment}"
 echo
-echo "Invoking Lambda function: $db_role_manager_function_name"
-echo "  Payload: $payload"
+echo "Invoking Lambda function: ${db_role_manager_function_name}"
+echo "  Payload: ${payload}"
 echo
 cli_response=$(aws lambda invoke \
-  --function-name "$db_role_manager_function_name" \
+  --function-name "${db_role_manager_function_name}" \
   --no-cli-pager \
   --log-type Tail \
-  --payload "$(echo -n "$payload" | base64)" \
+  --payload "$(echo -n "${payload}" | base64)" \
   --output json \
   response.json)
 
 # Print logs out (they are returned base64 encoded)
-echo "$cli_response" | jq -r '.LogResult' | base64 --decode
+echo "${cli_response}" | jq -r '.LogResult' | base64 --decode
 echo
 echo "Lambda function response:"
 cat response.json
 rm response.json
 
 # Exit with nonzero status if function failed
-function_error=$(echo "$cli_response" | jq -r '.FunctionError')
-if [ "$function_error" != "null" ]; then
+function_error=$(echo "${cli_response}" | jq -r '.FunctionError')
+if [ "${function_error}" != "null" ]; then
   exit 1
 fi
diff --git a/bin/check-github-actions-auth b/bin/check-github-actions-auth
@@ -8,13 +8,13 @@
 # -----------------------------------------------------------------------------
 set -euo pipefail
 
-account_name=$1
+account_name="$1"
 
 # This is used later to determine the run id of the workflow run
 # See comment below about "Getting workflow run id"
 prev_run_create_time=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")
 
-code_repository=$(terraform -chdir=infra/project-config output --raw code_repository)
+code_repository=$(terraform -chdir="infra/project-config" output --raw code_repository)
 
 echo "========================="
 echo "Check GitHub Actions Auth"
@@ -26,25 +26,25 @@ echo
 # Get AWS account authentication details (AWS account, IAM role, AWS region)
 echo "::group::AWS account authentication details"
 
-terraform -chdir=infra/project-config init > /dev/null
-terraform -chdir=infra/project-config apply -auto-approve > /dev/null
-aws_region=$(terraform -chdir=infra/project-config output -raw default_region)
-echo "aws_region=$aws_region"
-github_actions_role_name=$(terraform -chdir=infra/project-config output -raw github_actions_role_name)
+terraform -chdir="infra/project-config" init > /dev/null
+terraform -chdir="infra/project-config" apply -auto-approve > /dev/null
+aws_region=$(terraform -chdir="infra/project-config" output -raw default_region)
+echo "aws_region=${aws_region}"
+github_actions_role_name=$(terraform -chdir="infra/project-config" output -raw github_actions_role_name)
 echo "github_actions_role_name=${github_actions_role_name}"
 
 # Get the account id associated with the account name extracting the
 # account_id part of the tfbackend file name which looks like
 # <account_name>.<account_id>.s3.tfbackend.
-# The cut command splits the string with period as the delimeter and
+# The cut command splits the string with period as the delimiter and
 # extracts the second field.
-account_id=$(find infra/accounts/"${account_name}".*.s3.tfbackend | cut -d. -f2)
+account_id=$(find "infra/accounts/${account_name}."*.s3.tfbackend | cut -d. -f2)
 echo "account_id=${account_id}"
 
 aws_role_to_assume="arn:aws:iam::${account_id}:role/${github_actions_role_name}"
-echo "aws_role_to_assume=$aws_role_to_assume"
+echo "aws_role_to_assume=${aws_role_to_assume}"
 
-echo "::endgroup::"  
+echo "::endgroup::"
 
 ##################
 ## Run workflow ##
@@ -72,21 +72,21 @@ echo "Get workflow run id"
 # * This GitHub community discussion also requests this feature:
 # https://github.com/orgs/community/discussions/17389
 
-echo "Previous workflow run created at $prev_run_create_time"
+echo "Previous workflow run created at ${prev_run_create_time}"
 echo "Check workflow run create time until we find a newer workflow run"
 while : ; do
   echo -n "."
   run_create_time=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json createdAt --jq ".[].createdAt")
-  [[ $run_create_time > $prev_run_create_time ]] && break
+  [[ "${run_create_time}" > "${prev_run_create_time}" ]] && break
 done
-echo "Found newer workflow run created at $run_create_time"
+echo "Found newer workflow run created at ${run_create_time}"
 
 echo "Get id of workflow run"
 workflow_run_id=$(gh run list --workflow check-ci-cd-auth.yml --limit 1 --json databaseId --jq ".[].databaseId")
-echo "Workflow run id: $workflow_run_id"
+echo "Workflow run id: ${workflow_run_id}"
 
 workflow_run_url="https://github.com/${code_repository}/actions/runs/${workflow_run_id}"
-echo "See run logs at":
+echo "See run logs at:"
 echo "    ${workflow_run_url}"
 
 echo "Watch workflow run until it exits"

diff --git a/bin/configure-monitoring-secret b/bin/configure-monitoring-secret
@@ -12,32 +12,32 @@
 # -----------------------------------------------------------------------------
 set -euo pipefail
 
-app_name=$1
-environment=$2
-integration_endpoint_url=$3
+app_name="$1"
+environment="$2"
+integration_endpoint_url="$3"
 
-terraform -chdir="infra/$app_name/app-config" init > /dev/null
-terraform -chdir="infra/$app_name/app-config" apply -auto-approve > /dev/null
+terraform -chdir="infra/${app_name}/app-config" init > /dev/null
+terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
 
-has_incident_management_service=$(terraform -chdir="infra/$app_name/app-config" output -raw has_incident_management_service)
-if [ "$has_incident_management_service" = "false" ]; then
+has_incident_management_service=$(terraform -chdir="infra/${app_name}/app-config" output -raw has_incident_management_service)
+if [ "${has_incident_management_service}" = "false" ]; then
   echo "Application does not have incident management service, no secret to create"
   exit 0
 fi
 
-secret_name=$(terraform -chdir="infra/$app_name/app-config" output -json environment_configs | jq -r ".$environment.incident_management_service_integration.integration_url_param_name")
+secret_name=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.incident_management_service_integration.integration_url_param_name")
 
 echo "====================="
 echo "Setting up SSM secret"
 echo "====================="
-echo "app_name=$app_name"
-echo "environment=$environment"
-echo "integration_endpoint_url=$integration_endpoint_url"
+echo "app_name=${app_name}"
+echo "environment=${environment}"
+echo "integration_endpoint_url=${integration_endpoint_url}"
 echo
-echo "Creating SSM secret: $secret_name"
+echo "Creating SSM secret: ${secret_name}"
 
 aws ssm put-parameter \
-    --name "$secret_name" \
-    --value "$integration_endpoint_url" \
+    --name "${secret_name}" \
+    --value "${integration_endpoint_url}" \
     --type SecureString \
     --overwrite
diff --git a/bin/create-or-update-database-roles b/bin/create-or-update-database-roles
@@ -13,43 +13,43 @@
 # -----------------------------------------------------------------------------
 set -euo pipefail
 
-app_name=$1
-environment=$2
+app_name="$1"
+environment="$2"
 
-terraform -chdir="infra/$app_name/app-config" init > /dev/null
-terraform -chdir="infra/$app_name/app-config" apply -auto-approve > /dev/null
-./bin/terraform-init "infra/$app_name/database" "$environment"
-db_role_manager_function_name=$(terraform -chdir="infra/$app_name/database" output -raw role_manager_function_name)
-db_config=$(terraform -chdir="infra/$app_name/app-config" output -json environment_configs | jq -r ".$environment.database_config")
-payload="{\"action\":\"manage\",\"config\":$db_config}"
+terraform -chdir="infra/${app_name}/app-config" init > /dev/null
+terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
+./bin/terraform-init "infra/${app_name}/database" "${environment}"
+db_role_manager_function_name=$(terraform -chdir="infra/${app_name}/database" output -raw role_manager_function_name)
+db_config=$(terraform -chdir="infra/${app_name}/app-config" output -json environment_configs | jq -r ".${environment}.database_config")
+payload="{\"action\":\"manage\",\"config\":${db_config}}"
 
 echo "================================"
 echo "Creating/updating database users"
 echo "================================"
 echo "Input parameters"
-echo "  app_name=$app_name"
-echo "  environment=$environment"
+echo "  app_name=${app_name}"
+echo "  environment=${environment}"
 echo
-echo "Invoking Lambda function: $db_role_manager_function_name"
-echo "  Payload: $payload"
+echo "Invoking Lambda function: ${db_role_manager_function_name}"
+echo "  Payload: ${payload}"
 echo
 cli_response=$(aws lambda invoke \
-  --function-name "$db_role_manager_function_name" \
+  --function-name "${db_role_manager_function_name}" \
   --no-cli-pager \
   --log-type Tail \
-  --payload "$(echo -n "$payload" | base64)" \
+  --payload "$(echo -n "${payload}" | base64)" \
   --output json \
   response.json)
 
 # Print logs out (they are returned base64 encoded)
-echo "$cli_response" | jq -r '.LogResult' | base64 --decode
+echo "${cli_response}" | jq -r '.LogResult' | base64 --decode
 echo
 echo "Lambda function response:"
 cat response.json
 rm response.json
 
 # Exit with nonzero status if function failed
-function_error=$(echo "$cli_response" | jq -r '.FunctionError')
-if [ "$function_error" != "null" ]; then
+function_error=$(echo "${cli_response}" | jq -r '.FunctionError')
+if [ "${function_error}" != "null" ]; then
   exit 1
 fi
diff --git a/bin/create-tfbackend b/bin/create-tfbackend
@@ -15,42 +15,42 @@
 # -----------------------------------------------------------------------------
 set -euo pipefail
 
-module_dir=$1
-backend_config_name=$2
-tf_state_key="${3:-$module_dir/$backend_config_name.tfstate}"
+module_dir="$1"
+backend_config_name="$2"
+tf_state_key="${3:-${module_dir}/${backend_config_name}.tfstate}"
 
 # The local tfbackend config file that will store the terraform backend config
-backend_config_file="$module_dir/$backend_config_name.s3.tfbackend"
+backend_config_file="${module_dir}/${backend_config_name}.s3.tfbackend"
 
 # Get the name of the S3 bucket that was created to store the tf state
 # and the name of the DynamoDB table that was created for tf state locks.
 # This will be used to configure the S3 backends in all the application
 # modules
-tf_state_bucket_name=$(terraform -chdir=infra/accounts output -raw tf_state_bucket_name)
-tf_locks_table_name=$(terraform -chdir=infra/accounts output -raw tf_locks_table_name)
-region=$(terraform -chdir=infra/accounts output -raw region)
+tf_state_bucket_name=$(terraform -chdir="infra/accounts" output --raw tf_state_bucket_name)
+tf_locks_table_name=$(terraform -chdir="infra/accounts" output --raw tf_locks_table_name)
+region=$(terraform -chdir="infra/accounts" output --raw region)
 
 echo "===================================="
 echo "Create terraform backend config file"
 echo "===================================="
 echo "Input parameters"
-echo "  module_dir=$module_dir"
-echo "  backend_config_name=$backend_config_name"
+echo "  module_dir=${module_dir}"
+echo "  backend_config_name=${backend_config_name}"
 echo
 
 # Create output file from example file
-cp infra/example.s3.tfbackend "$backend_config_file"
+cp infra/example.s3.tfbackend "${backend_config_file}"
 
 # Replace the placeholder values
-sed -i.bak "s/<TF_STATE_BUCKET_NAME>/$tf_state_bucket_name/g" "$backend_config_file"
-sed -i.bak "s|<TF_STATE_KEY>|$tf_state_key|g" "$backend_config_file"
-sed -i.bak "s/<TF_LOCKS_TABLE_NAME>/$tf_locks_table_name/g" "$backend_config_file"
-sed -i.bak "s/<REGION>/$region/g" "$backend_config_file"
+sed -i.bak "s/<TF_STATE_BUCKET_NAME>/${tf_state_bucket_name}/g" "${backend_config_file}"
+sed -i.bak "s|<TF_STATE_KEY>|${tf_state_key}|g" "${backend_config_file}"
+sed -i.bak "s/<TF_LOCKS_TABLE_NAME>/${tf_locks_table_name}/g" "${backend_config_file}"
+sed -i.bak "s/<REGION>/${region}/g" "${backend_config_file}"
 
 # Remove the backup file created by sed
-rm "$backend_config_file.bak"
+rm "${backend_config_file}.bak"
 
-echo "Created file: $backend_config_file"
+echo "Created file: ${backend_config_file}"
 echo "------------------ file contents ------------------"
-cat "$backend_config_file"
+cat "${backend_config_file}"
 echo "----------------------- end -----------------------"
diff --git a/bin/current-account-config-name b/bin/current-account-config-name
@@ -6,7 +6,7 @@
 set -euo pipefail
 
 current_account_id=$(./bin/current-account-id)
-backend_config_file_path=$(ls -1 infra/accounts/*."$current_account_id".s3.tfbackend)
-backend_config_file=$(basename "$backend_config_file_path")
+backend_config_file_path=$(ls -1 infra/accounts/*."${current_account_id}".s3.tfbackend)
+backend_config_file=$(basename "${backend_config_file_path}")
 backend_config_name="${backend_config_file/.s3.tfbackend/}"
-echo "$backend_config_name"
+echo "${backend_config_name}"