diff --git a/.github/workflows/assets.yaml b/.github/workflows/assets.yaml index ed8b577dff..f539084b9d 100644 --- a/.github/workflows/assets.yaml +++ b/.github/workflows/assets.yaml @@ -6,6 +6,10 @@ on: ref: type: string required: false + account: + description: "Environment to deploy" + type: string + required: true version: type: string required: true @@ -14,6 +18,9 @@ on: default: false required: false +concurrency: + group: assets-${{ inputs.account }} + jobs: build: name: Build${{ inputs.push && ' and Push' || '' }} @@ -23,7 +30,8 @@ jobs: working-directory: app/cdn env: ASSET_BUCKET: "vol-app-assets" - AWS_OIDC_ROLE: ${{ vars.ACCOUNT_NONPROD_TF_OIDC_ROLE }} + ACCOUNT_NUMBER: ${{ vars[inputs.account == 'prod' && 'ACCOUNT_PROD' || 'ACCOUNT_NONPROD'] }} + AWS_OIDC_ROLE: ${{ vars[inputs.account == 'prod' && 'ACCOUNT_PROD_TF_OIDC_ROLE' || 'ACCOUNT_NONPROD_TF_OIDC_ROLE'] }} AWS_REGION: ${{ vars.DVSA_AWS_REGION }} steps: - uses: actions/checkout@v4 @@ -53,4 +61,4 @@ jobs: - name: Upload assets to CloudFront assets bucket if: ${{ inputs.push }} - run: aws s3 cp ./public s3://${{ env.ASSET_BUCKET }}/${{ inputs.version }}/ --recursive + run: aws s3 cp ./public s3://${{ env.ACCOUNT_NUMBER }}-${{ env.ASSET_BUCKET }}/${{ inputs.version }}/ --recursive diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index b01a60aa7a..bbb177051e 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -177,15 +177,18 @@ jobs: echo "**Internal**: \`${{ steps.internal-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY echo "**Assets**: \`${{ steps.assets-version.outputs.version }}\`" >> $GITHUB_STEP_SUMMARY - cdn: + cdn-nonprod: name: CDN if: ${{ needs.orchestrator.outputs.should-build-assets }} + concurrency: + group: assets-nonprod needs: - orchestrator - get-version uses: ./.github/workflows/assets.yaml with: push: true + account: nonprod version: ${{ needs.get-version.outputs.assets }} permissions: contents: read 
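Review bot: The two new `env` lines select the prod role and account purely on `inputs.account == 'prod'`, so any other value of this free-text required input (`production`, a typo, an empty string from a caller) silently falls through to the non-prod credentials, and if the referenced `ACCOUNT_PROD`/`ACCOUNT_NONPROD` variable is not defined `ACCOUNT_NUMBER` is empty and the upload in the last hunk of this file targets `s3://-vol-app-assets/...`. A guard step ahead of `actions/checkout@v4` that fails the job unless the account is one of the two known values and `ACCOUNT_NUMBER` is non-empty turns both cases into an explicit error instead of a wrong-account or wrong-bucket copy. Passing the input through `env` rather than interpolating `${{ inputs.account }}` into the script keeps the check free of shell-injection patterns even though the input comes from in-repo callers.
```yaml
    steps:
      - name: Check deploy target
        env:
          ACCOUNT: ${{ inputs.account }}
        run: |
          case "$ACCOUNT" in
            prod|nonprod) ;;
            *) echo "::error::unknown account '$ACCOUNT'"; exit 1 ;;
          esac
          if [ -z "$ACCOUNT_NUMBER" ]; then echo "::error::ACCOUNT_NUMBER is empty for '$ACCOUNT'"; exit 1; fi
      # … unchanged: actions/checkout@v4 and the remaining steps …
```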
@@ -381,6 +384,23 @@ jobs: pull-requests: write secrets: inherit + cdn-prod: + name: CDN + if: ${{ needs.orchestrator.outputs.should-build-assets && needs.release-please.outputs.release_created }} + concurrency: + group: assets-prod + needs: + - orchestrator + - get-version + uses: ./.github/workflows/assets.yaml + with: + push: true + account: prod + version: ${{ needs.get-version.outputs.assets }} + permissions: + contents: read + id-token: write + terraform-account-prod: name: Account (prod) if: ${{ always() && !cancelled() && !failure() && needs.release-please.outputs.release_created }} diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 61b010957b..b15250f472 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -176,12 +176,15 @@ jobs: cdn: name: CDN if: ${{ needs.orchestrator.outputs.should-build-assets }} + concurrency: + group: assets-nonprod needs: - orchestrator - get-version uses: ./.github/workflows/assets.yaml with: version: ${{ needs.get-version.outputs.assets }} + account: nonprod permissions: contents: read id-token: write diff --git a/.github/workflows/deploy-account.yaml b/.github/workflows/deploy-account.yaml index 9641d5bb30..f7196f155e 100644 --- a/.github/workflows/deploy-account.yaml +++ b/.github/workflows/deploy-account.yaml @@ -89,7 +89,7 @@ jobs: - name: Terraform init id: init - run: terraform init -no-color -input=false + run: terraform init -no-color -input=false -upgrade - name: Validate id: validate diff --git a/.github/workflows/deploy-environment.yaml b/.github/workflows/deploy-environment.yaml index 773f2c4d01..355032e175 100644 --- a/.github/workflows/deploy-environment.yaml +++ b/.github/workflows/deploy-environment.yaml @@ -155,7 +155,7 @@ jobs: - name: Terraform init id: init - run: terraform init -no-color -input=false + run: terraform init -no-color -input=false -upgrade - name: Select workspace if: ${{ inputs.workspace }} 
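Review bot: `cdn-prod` gates on `needs.release-please.outputs.release_created` but its `needs` list holds only `orchestrator` and `get-version`; the `needs` context is populated only from a job's direct dependencies, so that expression evaluates to empty, the `if` is never true and the job is skipped on every run (it is also not sequenced after release-please). Adding `- release-please` to `needs` fixes both; `terraform-account-prod` below uses the same output and its `needs` is outside the hunk, so check it matches. Separately, this is the only thing standing between a CD run and a prod bucket write with the prod OIDC role: if the prod terraform jobs run under a protected `environment`, consider giving the assets job the same gate so asset deploys get identical approval and branch restrictions.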
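Review bot: The `assets-nonprod` concurrency group added to the CI `cdn` job is the same group `cdn-nonprod` in cd.yaml uses, yet this job passes no `push` input (default `false` per the assets.yaml context), so it only builds and never touches the bucket; serialising it with deployments gains nothing. GitHub keeps at most one pending job per concurrency group and cancels an earlier pending one when another is queued, so with several PRs in flight a PR's CDN build can end up cancelled rather than queued, which surfaces as a cancelled check unrelated to the change. Drop the `concurrency:` block from this job, or scope it per ref (e.g. `group: assets-nonprod-${{ github.ref }}`) if some serialisation is still wanted.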
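Review bot: `terraform init -upgrade` here and in deploy-environment.yaml, combined with deleting every `.terraform.lock.hcl`, ignoring them in the new `infra/terraform/.gitignore` and loosening the aws constraint from `~> 5.72.1` to `>= 5.72.1` in the four `provider.tf` files, means each run resolves and downloads the newest provider release with no committed hash to verify it against: two runs of the same commit can plan with different provider versions, and a broken or compromised provider release would reach prod with no review step in between. Keep the lock files committed (remove `.terraform.lock.hcl` from the .gitignore and restore them), keep an upper bound such as `version = "~> 5.72"`, and bump providers deliberately in a reviewed PR rather than via `-upgrade` in CI. If the lock files were dropped because they only carried hashes for one platform, `terraform providers lock -platform=linux_amd64` (plus any developer platforms) records the CI platform's hashes without giving up locking. The .gitignore comment `#Crash logs done belong in here` should read `don't belong`.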
diff --git a/infra/terraform/.gitignore b/infra/terraform/.gitignore new file mode 100644 index 0000000000..d429192fbd --- /dev/null +++ b/infra/terraform/.gitignore @@ -0,0 +1,13 @@ +#Ignore tf lock files and associated transient lock files +.terraform.tfstate.lock.info +.terraform.lock.hcl +#Ignore state files, this uses a remote state +*.tfstate +*.tfstate.* +#Crash logs done belong in here +crash.log +crash.*.log +#Ignore plan files +*tfplan* +#Ignore local terraform directories +**/.terraform/* \ No newline at end of file diff --git a/infra/terraform/accounts/_init/.terraform.lock.hcl b/infra/terraform/accounts/_init/.terraform.lock.hcl deleted file mode 100644 index 4917d240c7..0000000000 --- a/infra/terraform/accounts/_init/.terraform.lock.hcl +++ /dev/null 
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.74.0" - constraints = ">= 4.0.0, ~> 5.0, >= 5.6.0, >= 5.70.0, >= 5.72.1" - hashes = [ - "h1:0Iq3x8RSdWedvATBO1RZbCQqRCHPNsdhkYVrRs9crEE=", - "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", - "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", - "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", - "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", - "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", - "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", - "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", - "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", - "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", - "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", - "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", - "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", - "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", - ] -} diff --git a/infra/terraform/accounts/nonprod/.terraform.lock.hcl b/infra/terraform/accounts/nonprod/.terraform.lock.hcl deleted file mode 100644 index d7c75e0b1c..0000000000 --- a/infra/terraform/accounts/nonprod/.terraform.lock.hcl +++ /dev/null 
@@ -1,45 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.74.0" - constraints = ">= 4.0.0, >= 5.0.0, >= 5.6.0, >= 5.49.0, >= 5.61.0, >= 5.70.0, >= 5.72.1" - hashes = [ - "h1:NjiJii9QnUzkYo8wFU9fsdKGl1PSqGsfU34Er2n1GSs=", - "zh:1e2d65add4d63af5b396ae33d55c48303eca6c86bd1be0f6fae13267a9b47bc4", - "zh:20ddec3dac3d06a188f12e58b6428854949b1295e937c5d4dca4866dc1c937af", - "zh:35b72de4e6a3e3d69efc07184fb413406262fe447b2d82d57eaf8c787a068a06", - "zh:44eada24a50cd869aadc4b29f9e791fdf262d7f426921e9ac2893bbb86013176", - "zh:455e666e3a9a2312b3b9f434b87a404b6515d64a8853751e20566a6548f9df9e", - "zh:58b3ae74abfca7b9b61f42f0c8b10d97f9b01aff18bd1d4ab091129c9d203707", - "zh:840a8a32d5923f9e7422f9c80d165c3f89bb6ea370b8283095081e39050a8ea8", - "zh:87cb6dbbdbc1b73bdde4b8b5d6d780914a3e8f1df0385da4ea7323dc1a68468f", - "zh:8b8953e39b0e6e6156c5570d1ca653450bfa0d9b280e2475f01ee5c51a6554db", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9bd750262e2fb0187a8420a561e55b0a1da738f690f53f5c7df170cb1f380459", - "zh:9d2474c1432dfa5e1db197e2dd6cd61a6a15452e0bc7acd09ca86b3cdb228871", - "zh:b763ecaf471c7737a5c6e4cf257b5318e922a6610fd83b36ed8eb68582a8642e", - "zh:c1344cd8fe03ff7433a19b14b14a1898c2ca5ba22a468fb8e1687f0a7f564d52", - "zh:dc0e0abf3be7402d0d022ced82816884356115ed27646df9c7222609e96840e6", - ] -} - -provider "registry.terraform.io/hashicorp/tls" { - version = "4.0.6" - constraints = ">= 3.0.0" - hashes = [ - "h1:/sSdjHoiykrPdyBP1JE03V/KDgLXnHZhHcSOYIdDH/A=", - "zh:10de0d8af02f2e578101688fd334da3849f56ea91b0d9bd5b1f7a243417fdda8", - "zh:37fc01f8b2bc9d5b055dc3e78bfd1beb7c42cfb776a4c81106e19c8911366297", - "zh:4578ca03d1dd0b7f572d96bd03f744be24c726bfd282173d54b100fd221608bb", - "zh:6c475491d1250050765a91a493ef330adc24689e8837a0f07da5a0e1269e11c1", - "zh:81bde94d53cdababa5b376bbc6947668be4c45ab655de7aa2e8e4736dfd52509", - 
"zh:abdce260840b7b050c4e401d4f75c7a199fafe58a8b213947a258f75ac18b3e8", - "zh:b754cebfc5184873840f16a642a7c9ef78c34dc246a8ae29e056c79939963c7a", - "zh:c928b66086078f9917aef0eec15982f2e337914c5c4dbc31dd4741403db7eb18", - "zh:cded27bee5f24de6f2ee0cfd1df46a7f88e84aaffc2ecbf3ff7094160f193d50", - "zh:d65eb3867e8f69aaf1b8bb53bd637c99c6b649ba3db16ded50fa9a01076d1a27", - "zh:ecb0c8b528c7a619fa71852bb3fb5c151d47576c5aab2bf3af4db52588722eeb", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} diff --git a/infra/terraform/environments/dev/.terraform.lock.hcl b/infra/terraform/environments/dev/.terraform.lock.hcl deleted file mode 100644 index 43853d0b0a..0000000000 --- a/infra/terraform/environments/dev/.terraform.lock.hcl +++ /dev/null 
@@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.72.1" - constraints = ">= 4.0.0, >= 4.36.0, >= 4.40.0, >= 4.66.1, >= 5.0.0, >= 5.12.0, >= 5.25.0, >= 5.37.0, >= 5.61.0, >= 5.70.0, ~> 5.72.1" - hashes = [ - "h1:BkYfMmqLJIqLkLLz9sDRWJR5+7GCXTocNPN4pIHkhQo=", - "zh:0dea6843836e926d33469b48b948744079023816d16a2ff7666bcfb6aa3522d4", - "zh:195fa9513f75800a0d62797ebec75ee73e9b8c28d713fe9b63d3b1d1eec129b3", - "zh:1ed92f3961715bf0e024bcde3c12dfbdc50b00c1f8a43cc00802cfc45a256208", - "zh:2ac687e3a52606466cae4a6813e81d923042488df88d2424e28d3f8530f091bb", - "zh:32e7ca75f9314557daada3c44628fe1f3bf964a4f833bfb4b2295d833fe64b6f", - "zh:374ee0e6b4327cc6ef666908ce5d6450a3a56e90cd2b785e83c2bcfc100021d2", - "zh:5500fd6fdac44f96411fcf9c6d01691159ec35455ed127eb4c3a498e1cc92a64", - "zh:723a2dc4b064c12e7ee62ad4fbfd72fa5e025206ea47b735994ef53f3c373152", - "zh:89d97b87605f1d734f27e642567cbecf785b521af8ea81dac55c77ccde876221", - "zh:951ee1e5731e8d65d521d71b95927e55055b3c4656eef6d46fa580a63328befc", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9b2b362470b64ec227b2da64762ab8bc4111c6b80365fd9d82fc5e1e33f44038", - "zh:aa6e57d0cb974ff0da5dee5d43ad2745cbbc4a2b507d4c799839b9fa96daf688", - "zh:ba0d14c4a6b7aa844a830d47c0bf995b632e37f0795394b5b60c638b62b7fc03", - "zh:c9764065a9c5d324db0b02bd201b9e3a2118e49c4960884acdeea377173302e9", - ] -} diff --git a/infra/terraform/environments/dev/provider.tf b/infra/terraform/environments/dev/provider.tf index 0a49a9d72d..f7929a35cb 100644 --- a/infra/terraform/environments/dev/provider.tf +++ b/infra/terraform/environments/dev/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.72.1" + version = ">= 5.72.1" } } 
diff --git a/infra/terraform/environments/int/.terraform.lock.hcl b/infra/terraform/environments/int/.terraform.lock.hcl deleted file mode 100644 index 43853d0b0a..0000000000 --- a/infra/terraform/environments/int/.terraform.lock.hcl +++ /dev/null @@ -1,25 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/aws" { - version = "5.72.1" - constraints = ">= 4.0.0, >= 4.36.0, >= 4.40.0, >= 4.66.1, >= 5.0.0, >= 5.12.0, >= 5.25.0, >= 5.37.0, >= 5.61.0, >= 5.70.0, ~> 5.72.1" - hashes = [ - "h1:BkYfMmqLJIqLkLLz9sDRWJR5+7GCXTocNPN4pIHkhQo=", - "zh:0dea6843836e926d33469b48b948744079023816d16a2ff7666bcfb6aa3522d4", - "zh:195fa9513f75800a0d62797ebec75ee73e9b8c28d713fe9b63d3b1d1eec129b3", - "zh:1ed92f3961715bf0e024bcde3c12dfbdc50b00c1f8a43cc00802cfc45a256208", - "zh:2ac687e3a52606466cae4a6813e81d923042488df88d2424e28d3f8530f091bb", - "zh:32e7ca75f9314557daada3c44628fe1f3bf964a4f833bfb4b2295d833fe64b6f", - "zh:374ee0e6b4327cc6ef666908ce5d6450a3a56e90cd2b785e83c2bcfc100021d2", - "zh:5500fd6fdac44f96411fcf9c6d01691159ec35455ed127eb4c3a498e1cc92a64", - "zh:723a2dc4b064c12e7ee62ad4fbfd72fa5e025206ea47b735994ef53f3c373152", - "zh:89d97b87605f1d734f27e642567cbecf785b521af8ea81dac55c77ccde876221", - "zh:951ee1e5731e8d65d521d71b95927e55055b3c4656eef6d46fa580a63328befc", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:9b2b362470b64ec227b2da64762ab8bc4111c6b80365fd9d82fc5e1e33f44038", - "zh:aa6e57d0cb974ff0da5dee5d43ad2745cbbc4a2b507d4c799839b9fa96daf688", - "zh:ba0d14c4a6b7aa844a830d47c0bf995b632e37f0795394b5b60c638b62b7fc03", - "zh:c9764065a9c5d324db0b02bd201b9e3a2118e49c4960884acdeea377173302e9", - ] -} diff --git a/infra/terraform/environments/int/provider.tf b/infra/terraform/environments/int/provider.tf index ea6e12bc43..991da6a8fe 100644 --- a/infra/terraform/environments/int/provider.tf +++ b/infra/terraform/environments/int/provider.tf 
@@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.72.1" + version = ">= 5.72.1" } } diff --git a/infra/terraform/environments/prep/provider.tf b/infra/terraform/environments/prep/provider.tf index 63c7ded343..6f33ff197b 100644 --- a/infra/terraform/environments/prep/provider.tf +++ b/infra/terraform/environments/prep/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.72.1" + version = ">= 5.72.1" } } diff --git a/infra/terraform/environments/prod/provider.tf b/infra/terraform/environments/prod/provider.tf index 5813ce385d..5e1c45ff8a 100644 --- a/infra/terraform/environments/prod/provider.tf +++ b/infra/terraform/environments/prod/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 5.72.1" + version = ">= 5.72.1" } } diff --git a/infra/terraform/modules/account/README.md b/infra/terraform/modules/account/README.md index d15114842e..11805900db 100644 --- a/infra/terraform/modules/account/README.md +++ b/infra/terraform/modules/account/README.md @@ -26,6 +26,7 @@ |------|------| | [aws_s3_bucket_policy.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource | | [aws_signer_signing_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/signer_signing_profile) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | ## Inputs diff --git a/infra/terraform/modules/account/main.tf b/infra/terraform/modules/account/main.tf index 2c373686fd..0808532a97 100644 --- a/infra/terraform/modules/account/main.tf +++ b/infra/terraform/modules/account/main.tf 
@@ -1,10 +1,16 @@ +data "aws_caller_identity" "current" {} + +locals { + account_id = data.aws_caller_identity.current.account_id +} + module "assets" { count = var.create_assets_bucket ? 1 : 0 source = "terraform-aws-modules/s3-bucket/aws" version = "~> 4.0" - bucket = "vol-app-assets" + bucket = "${local.account_id}-vol-app-assets" } data "aws_iam_policy_document" "s3_policy" { @@ -18,7 +24,7 @@ data "aws_iam_policy_document" "s3_policy" { } principals { type = "AWS" - identifiers = ["arn:aws:sts::054614622558:assumed-role/OLCS-DEVAPPCI-DEVCI-OLCSCISLAVE"] + identifiers = ["arn:aws:sts::054614622558:assumed-role/OLCS-DEVAPPCI-DEVCI-OLCSCISLAVE"] } } } diff --git a/infra/terraform/modules/service/README.md b/infra/terraform/modules/service/README.md index 268d5f21fc..f309333470 100644 --- a/infra/terraform/modules/service/README.md +++ b/infra/terraform/modules/service/README.md @@ -37,6 +37,7 @@ | [aws_lb_listener_rule.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule) | resource | | [aws_lb_target_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_caller_identity.current_account_id](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_canonical_user_id.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/canonical_user_id) | data source | | [aws_cloudfront_log_delivery_canonical_user_id.cloudfront](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/cloudfront_log_delivery_canonical_user_id) | data source | | [aws_route53_zone.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route53_zone) | data source | 
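Review bot: Changing `bucket` on the `assets` module forces a replacement: Terraform will destroy the existing `vol-app-assets` bucket (the apply fails if it still holds objects and the module's `force_destroy` is not set) and create `${local.account_id}-vol-app-assets` empty, so previously uploaded asset versions are not carried over; plan a migration (copy objects to the new bucket, repoint consumers, then remove the old one) before this applies. The same name is now composed independently in `service/cdn.tf` and in the `ACCOUNT_NUMBER`-`ASSET_BUCKET` join in `assets.yaml`; exposing it as an output of this module, or a documented shared local, would keep the three from drifting. A header comment on the new `locals` block such as `# S3 bucket names are global, so the account id prefix keeps nonprod and prod buckets distinct` would record why the prefix exists. The second hunk in this file only realigns whitespace.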
diff --git a/infra/terraform/modules/service/cdn.tf b/infra/terraform/modules/service/cdn.tf index ed7f2c0cb4..9303426aa6 100644 --- a/infra/terraform/modules/service/cdn.tf +++ b/infra/terraform/modules/service/cdn.tf @@ -13,14 +13,19 @@ provider "aws" { skip_requesting_account_id = false } -data "aws_s3_bucket" "assets" { - bucket = "vol-app-assets" -} - data "aws_route53_zone" "public" { name = var.domain_name } +data "aws_caller_identity" "current_account_id" {} + +locals { + asset_bucket = "${data.aws_caller_identity.current_account_id.account_id}-vol-app-assets" +} +data "aws_s3_bucket" "assets" { + bucket = local.asset_bucket +} + locals { domain_name = data.aws_route53_zone.public.name subdomain = "${var.environment}-cdn"
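Review bot: The new `locals` block holding `asset_bucket` is placed directly above the existing `locals { domain_name … }` block; moving `asset_bucket = "${data.aws_caller_identity.current_account_id.account_id}-vol-app-assets"` into that block keeps one locals block in the file. The service README hunk shows this module already declares `data.aws_caller_identity.current`; unless that one is bound to a non-default provider alias (the `provider "aws"` block above suggests an alias may be in play), `current_account_id` duplicates it and `local.asset_bucket` can use `data.aws_caller_identity.current.account_id` instead. The literal `-vol-app-assets` suffix must stay byte-identical to the one in `modules/account/main.tf` and to `ASSET_BUCKET` in `assets.yaml`, since a mismatch here makes the `aws_s3_bucket` data lookup fail while the workflow keeps uploading to the other name; a comment pointing at the defining location, or consuming an output from the account module, would make that coupling visible.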