fix: vol assets bucket (#478)

* fix: seperate bucket name by account * fix: add missing local * fix: updated cdn module * fix: remove original bucket ref * feat: updated cdn to be called in prod with new bucket name * fix: updated ci workflow * fix: duplicate ref * fix: asset bucket attribute * fix: removed unused ref * fix: asset bucket issue * fix: provider issue * fix: provider issue pt 2 * fix: update lock files * fix: include .gitignore files and remove lock files to resolve issues once and for all * fix: include .gitignore file * fix: bucket name using local * docs: update Terraform docs * fix: tf-formatting --------- Co-authored-by: Laurence Barker <[email protected]> Co-authored-by: [email protected] <[email protected]> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
dvsa · Nov 28, 2024 · e28b505 · e28b505
1 parent 51ecbcd
commit e28b505
Show file tree

Hide file tree

Showing 18 changed files with 72 additions and 135 deletions.
diff --git a/.github/workflows/assets.yaml b/.github/workflows/assets.yaml
@@ -6,6 +6,10 @@ on:
       ref:
         type: string
         required: false
+      account:
+        description: "Environment to deploy"
+        type: string
+        required: true
       version:
         type: string
         required: true
@@ -14,6 +18,9 @@ on:
         default: false
         required: false
 
+concurrency:
+  group: assets-${{ inputs.account }}
+
 jobs:
   build:
     name: Build${{ inputs.push && ' and Push' || '' }}
@@ -23,7 +30,8 @@ jobs:
         working-directory: app/cdn
     env:
       ASSET_BUCKET: "vol-app-assets"
-      AWS_OIDC_ROLE: ${{ vars.ACCOUNT_NONPROD_TF_OIDC_ROLE }}
+      ACCOUNT_NUMBER: ${{ vars[inputs.account == 'prod' && 'ACCOUNT_PROD' || 'ACCOUNT_NONPROD'] }}
+      AWS_OIDC_ROLE: ${{ vars[inputs.account == 'prod' && 'ACCOUNT_PROD_TF_OIDC_ROLE' || 'ACCOUNT_NONPROD_TF_OIDC_ROLE'] }}
       AWS_REGION: ${{ vars.DVSA_AWS_REGION }}
     steps:
       - uses: actions/checkout@v4
@@ -53,4 +61,4 @@ jobs:
 
       - name: Upload assets to CloudFront assets bucket
         if: ${{ inputs.push }}
-        run: aws s3 cp ./public s3://${{ env.ASSET_BUCKET }}/${{ inputs.version }}/ --recursive
+        run: aws s3 cp ./public s3://${{ env.ACCOUNT_NUMBER }}-${{ env.ASSET_BUCKET }}/${{ inputs.version }}/ --recursive
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
@@ -177,15 +177,18 @@ jobs:
           echo "**Internal**: \`${{ steps.internal-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
           echo "**Assets**: \`${{ steps.assets-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY
 
-  cdn:
+  cdn-nonprod:
     name: CDN
     if: ${{ needs.orchestrator.outputs.should-build-assets }}
+    concurrency:
+      group: assets-nonprod
     needs:
       - orchestrator
       - get-version
     uses: ./.github/workflows/assets.yaml
     with:
       push: true
+      account: nonprod
       version: ${{ needs.get-version.outputs.assets }}
     permissions:
       contents: read
@@ -381,6 +384,23 @@ jobs:
       pull-requests: write
     secrets: inherit
 
+  cdn-prod:
+    name: CDN
+    if: ${{ needs.orchestrator.outputs.should-build-assets && needs.release-please.outputs.release_created }}
+    concurrency:
+      group: assets-prod
+    needs:
+      - orchestrator
+      - get-version
+    uses: ./.github/workflows/assets.yaml
+    with:
+      push: true
+      account: prod
+      version: ${{ needs.get-version.outputs.assets }}
+    permissions:
+      contents: read
+      id-token: write
+
   terraform-account-prod:
     name: Account (prod)
     if: ${{ always() && !cancelled() && !failure() && needs.release-please.outputs.release_created }}

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -176,12 +176,15 @@ jobs:
   cdn:
     name: CDN
     if: ${{ needs.orchestrator.outputs.should-build-assets }}
+    concurrency:
+      group: assets-nonprod
     needs:
       - orchestrator
       - get-version
     uses: ./.github/workflows/assets.yaml
     with:
       version: ${{ needs.get-version.outputs.assets }}
+      account: nonprod
     permissions:
       contents: read
       id-token: write

diff --git a/.github/workflows/deploy-account.yaml b/.github/workflows/deploy-account.yaml
@@ -89,7 +89,7 @@ jobs:
 
       - name: Terraform init
         id: init
-        run: terraform init -no-color -input=false
+        run: terraform init -no-color -input=false -upgrade
 
       - name: Validate
         id: validate

diff --git a/.github/workflows/deploy-environment.yaml b/.github/workflows/deploy-environment.yaml
@@ -155,7 +155,7 @@ jobs:
 
       - name: Terraform init
         id: init
-        run: terraform init -no-color -input=false
+        run: terraform init -no-color -input=false -upgrade
 
       - name: Select workspace
         if: ${{ inputs.workspace }}

diff --git a/infra/terraform/.gitignore b/infra/terraform/.gitignore
@@ -0,0 +1,13 @@
+#Ignore tf lock files and associated transient lock files
+.terraform.tfstate.lock.info
+.terraform.lock.hcl
+#Ignore state files, this uses a remote state
+*.tfstate
+*.tfstate.*
+#Crash logs done belong in here
+crash.log
+crash.*.log
+#Ignore plan files
+*tfplan*
+#Ignore local terraform directories
+**/.terraform/*
diff --git a/infra/terraform/accounts/_init/.terraform.lock.hcl b/infra/terraform/accounts/_init/.terraform.lock.hcl
diff --git a/infra/terraform/accounts/nonprod/.terraform.lock.hcl b/infra/terraform/accounts/nonprod/.terraform.lock.hcl
diff --git a/infra/terraform/environments/dev/.terraform.lock.hcl b/infra/terraform/environments/dev/.terraform.lock.hcl
diff --git a/infra/terraform/environments/dev/provider.tf b/infra/terraform/environments/dev/provider.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.72.1"
+      version = ">= 5.72.1"
     }
   }
 

diff --git a/infra/terraform/environments/int/.terraform.lock.hcl b/infra/terraform/environments/int/.terraform.lock.hcl
diff --git a/infra/terraform/environments/int/provider.tf b/infra/terraform/environments/int/provider.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.72.1"
+      version = ">= 5.72.1"
     }
   }
 

diff --git a/infra/terraform/environments/prep/provider.tf b/infra/terraform/environments/prep/provider.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.72.1"
+      version = ">= 5.72.1"
     }
   }
 

diff --git a/infra/terraform/environments/prod/provider.tf b/infra/terraform/environments/prod/provider.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.72.1"
+      version = ">= 5.72.1"
     }
   }
 

diff --git a/infra/terraform/modules/account/README.md b/infra/terraform/modules/account/README.md
@@ -26,6 +26,7 @@
 |------|------|
 | [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
 | [aws_signer_signing_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/signer_signing_profile) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 
 ## Inputs

diff --git a/infra/terraform/modules/account/main.tf b/infra/terraform/modules/account/main.tf
@@ -1,10 +1,16 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
 module "assets" {
   count = var.create_assets_bucket ? 1 : 0
 
   source  = "terraform-aws-modules/s3-bucket/aws"
   version = "~> 4.0"
 
-  bucket = "vol-app-assets"
+  bucket = "${local.account_id}-vol-app-assets"
 }
 
 data "aws_iam_policy_document" "s3_policy" {
@@ -18,7 +24,7 @@ data "aws_iam_policy_document" "s3_policy" {
     }
     principals {
       type        = "AWS"
-      identifiers =  ["arn:aws:sts::054614622558:assumed-role/OLCS-DEVAPPCI-DEVCI-OLCSCISLAVE"]
+      identifiers = ["arn:aws:sts::054614622558:assumed-role/OLCS-DEVAPPCI-DEVCI-OLCSCISLAVE"]
     }
   }
 }

diff --git a/infra/terraform/modules/service/README.md b/infra/terraform/modules/service/README.md
@@ -37,6 +37,7 @@
 | [aws_lb_listener_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource |
 | [aws_lb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.current_account_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source |
 | [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source |
 | [aws_route53_zone.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source |

diff --git a/infra/terraform/modules/service/cdn.tf b/infra/terraform/modules/service/cdn.tf
@@ -13,14 +13,19 @@ provider "aws" {
   skip_requesting_account_id = false
 }
 
-data "aws_s3_bucket" "assets" {
-  bucket = "vol-app-assets"
-}
-
 data "aws_route53_zone" "public" {
   name = var.domain_name
 }
 
+data "aws_caller_identity" "current_account_id" {}
+
+locals {
+  asset_bucket = "${data.aws_caller_identity.current_account_id.account_id}-vol-app-assets"
+}
+data "aws_s3_bucket" "assets" {
+  bucket = local.asset_bucket
+}
+
 locals {
   domain_name = data.aws_route53_zone.public.name
   subdomain   = "${var.environment}-cdn"