From f2f3b7f481daacd793d8faef9d985a0be00d30ce Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 15 Aug 2025 14:54:20 +0000 Subject: [PATCH] (github actions) generated latest snippets --- .../workflows/atmos-pro-terraform-apply.yaml | 63 ++++ .../workflows/atmos-pro-terraform-plan.yaml | 55 ++++ .../snippets/.github/workflows/atmos-pro.yaml | 82 +++++ .../atmos-terraform-apply-matrix.yaml | 57 ---- .../workflows/atmos-terraform-apply.yaml | 104 ------- .../workflows/atmos-terraform-dispatch.yaml | 67 ---- .../atmos-terraform-drift-detection.yaml | 69 ----- .../atmos-terraform-drift-remediation.yaml | 55 ---- .../atmos-terraform-plan-matrix.yaml | 70 ----- .../workflows/atmos-terraform-plan.yaml | 53 ---- examples/snippets/Dockerfile | 4 +- .../workflows/quickstart/app/addons.yaml | 94 +++--- .../app/addons/spa-s3-cloudfront.yaml | 4 +- .../workflows/quickstart/app/app-on-ecs.yaml | 22 ++ .../app/app-on-eks-with-argocd.yaml | 34 +++ .../app/app-on-lambda-with-atmos.yaml | 39 +++ .../stacks/workflows/quickstart/app/data.yaml | 26 +- .../quickstart/foundation/accounts.yaml | 4 +- .../quickstart/foundation/baseline.yaml | 10 +- .../quickstart/foundation/gitops.yaml | 31 +- .../quickstart/foundation/identity.yaml | 18 +- .../quickstart/foundation/network.yaml | 25 +- .../quickstart/monitor/compliance.yaml | 288 ++++++++++++++++++ .../workflows/quickstart/monitor/datadog.yaml | 159 ++++++++++ .../workflows/quickstart/monitor/grafana.yaml | 43 +++ .../workflows/quickstart/platform/ecs.yaml | 20 +- .../workflows/quickstart/platform/eks.yaml | 64 ++-- 27 files changed, 933 insertions(+), 627 deletions(-) create mode 100644 examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml create mode 100644 examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml create mode 100644 examples/snippets/.github/workflows/atmos-pro.yaml delete mode 100644 examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml delete mode 100644 
examples/snippets/.github/workflows/atmos-terraform-apply.yaml delete mode 100644 examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml delete mode 100644 examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml delete mode 100644 examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml delete mode 100644 examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml delete mode 100644 examples/snippets/.github/workflows/atmos-terraform-plan.yaml create mode 100644 examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml create mode 100644 examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml create mode 100644 examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml create mode 100644 examples/snippets/stacks/workflows/quickstart/monitor/compliance.yaml create mode 100644 examples/snippets/stacks/workflows/quickstart/monitor/datadog.yaml create mode 100644 examples/snippets/stacks/workflows/quickstart/monitor/grafana.yaml diff --git a/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml b/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml new file mode 100644 index 000000000..4ca9c5fc3 --- /dev/null +++ b/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml 
@@ -0,0 +1,63 @@ +name: 👽 Atmos Pro Terraform Apply +run-name: apply ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id}} + +on: + workflow_dispatch: + inputs: + atmos_pro_run_id: + description: "Atmos Pro Run ID" + type: string + sha: + description: "Commit SHA" + type: string + component: + description: "Component" + required: true + type: string + stack: + description: "Stack" + required: true + type: string + github_environment: + description: "GitHub Environment" + required: true + type: string + +# Avoid running the same stack in parallel mode (from different workflows) +# This applied to across workflows to both plan and apply +concurrency: + group: "${{ inputs.stack }}-${{ inputs.component }}" + cancel-in-progress: false + +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +jobs: + atmos-apply: + name: ${{ inputs.component }}-${{ inputs.stack }} + + # The GitHub environment is defined in Atmos Pro settings. + # Typically this is - + environment: ${{ inputs.github_environment }} + + runs-on: + - "runs-on=${{ github.run_id }}" + - "runner=terraform" + - "tag=${{ inputs.component }}-${{ inputs.stack }}" + - "private=false" + + steps: + - uses: runs-on/action@v1 + - uses: unfor19/install-aws-cli-action@v1 + + - name: Apply Atmos Component + uses: cloudposse/github-action-atmos-terraform-apply@v4 + with: + # Atmos Pro args + component: ${{ inputs.component }} + stack: ${{ inputs.stack }} + sha: ${{ inputs.sha }} + # Atmos required configuration + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} diff --git a/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml b/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml new file mode 100644 index 000000000..bae6ff145 --- /dev/null +++ b/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml 
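Review bot: Every third-party action in the `steps` block (`runs-on/action@v1`, `unfor19/install-aws-cli-action@v1`, `cloudposse/github-action-atmos-terraform-apply@v4`) is referenced by a mutable major tag inside a job that holds `id-token: write` and runs a Terraform apply; pinning each `uses:` to a full commit SHA (tag kept in a trailing comment) is the usual way to keep a retagged upstream release from executing with those cloud credentials. The same applies to the plan workflow in atmos-pro-terraform-plan.yaml and to the affected-stacks workflow in atmos-pro.yaml, which pin `github-action-atmos-terraform-plan@v5` and `github-action-atmos-affected-stacks@v6` the same way. Separately, the comment above `environment:` stops mid-sentence (`# Typically this is -`), so it should either be completed to say which Atmos Pro setting supplies the value or be dropped. The `sha` input is optional while the apply step passes `sha: ${{ inputs.sha }}` unconditionally; unless the action treats an empty value as "use the checked-out ref" (not visible here), `required: true` would make the dispatched target explicit.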
@@ -0,0 +1,55 @@ +name: 👽 Atmos Pro Terraform Plan +run-name: plan ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id}} + +on: + workflow_dispatch: + inputs: + atmos_pro_run_id: + description: "Atmos Pro Run ID" + type: string + sha: + description: "Commit SHA" + type: string + component: + description: "Component" + required: true + type: string + stack: + description: "Stack" + required: true + type: string + +# Avoid running the same stack in parallel mode (from different workflows) +# This applied to across workflows to both plan and apply +concurrency: + group: "${{ inputs.stack }}-${{ inputs.component }}" + cancel-in-progress: false + +permissions: + id-token: write # This is required for requesting the JWT (OIDC) token + contents: read # This is required for actions/checkout + +jobs: + atmos-plan: + name: ${{ inputs.component }}-${{ inputs.stack }} + + runs-on: + - "runs-on=${{ github.run_id }}" + - "runner=terraform" + - "tag=${{ inputs.component }}-${{ inputs.stack }}" + - "private=false" + + steps: + - uses: runs-on/action@v1 + - uses: unfor19/install-aws-cli-action@v1 + + - name: Plan Atmos Component + uses: cloudposse/github-action-atmos-terraform-plan@v5 + with: + # Atmos Pro args + component: ${{ inputs.component }} + stack: ${{ inputs.stack }} + sha: ${{ inputs.sha }} + # Atmos required configuration + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} diff --git a/examples/snippets/.github/workflows/atmos-pro.yaml b/examples/snippets/.github/workflows/atmos-pro.yaml new file mode 100644 index 000000000..4ab4fef29 --- /dev/null +++ b/examples/snippets/.github/workflows/atmos-pro.yaml 
@@ -0,0 +1,82 @@ +name: 👽 Atmos Pro Determine Affected Stacks +run-name: 👽 Atmos Pro Determine Affected Stacks + +# Atmos Pro reacts to events defined in the Atmos stack settings +# and will trigger the appropriate workflows for the given event. +# +# For example, pull requests opened, synchronize, and reopened will trigger plan workflows. +# Whereas pull requests merged will trigger apply workflows +on: + pull_request: + types: + - opened + - synchronize + - reopened + - closed + branches: + - main + +# Avoid conflicting workflow triggers. +# For example, wait to trigger apply until plan has been triggered +concurrency: + group: "${{ github.ref }}" + cancel-in-progress: false + +permissions: + id-token: write # This is required for requesting the JWT (OIDC) token + contents: read # This is required for actions/checkout + +jobs: + affected: + name: Trigger Affected Stacks + + runs-on: + - "runs-on=${{ github.run_id }}" + - "runner=small" + - "tag=affected-stacks" + - "private=false" + + # Trigger Atmos Pro for Pull Request plan events and specifically closed PRs that have been merged (not just closed) + if: github.event.action != 'closed' || (github.event.action == 'closed' && github.event.pull_request.merged == true) + + steps: + - uses: runs-on/action@v1 + - name: Checkout + # For merged PRs, we will need to checkout the base branch to get the correct base branch SHA. + # This isn't necessary for other events. + if: github.event.action == 'closed' + uses: actions/checkout@v4 + with: + fetch-depth: 0 # Fetch all history for all branches and tags + + # For merged PRs, we want to use 1 previous commit from the base branch SHA + # This is because by the time this workflow runs, the PR branch has already been merged. + # It's critical to use the base branch SHA to get the correct changes, not the previous commit from the PR branch. 
+ - name: Determine previous commit on base branch + id: get_parent + if: github.event.action == 'closed' + shell: bash + run: | + # For squash merges, github.event.pull_request.base.sha represents the state of the base branch + # when the PR was created (or last updated). This may be stale compared to the actual commit + # on the main branch at the time of the merge. Using 'HEAD~1' after the merge ensures we get + # the commit that was the tip of main immediately before the squash merge commit was added. + echo "Merge commit: $(git rev-parse HEAD)" + PARENT=$(git rev-parse HEAD~1) + echo "Parent (base) commit: $PARENT" + echo "merge_commit=$MERGE_COMMIT" >> "$GITHUB_OUTPUT" + echo "parent_commit=$PARENT" >> "$GITHUB_OUTPUT" + + - name: Determine Affected Stacks + id: affected + uses: cloudposse/github-action-atmos-affected-stacks@v6 + env: + ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }} + with: + atmos-version: ${{ vars.ATMOS_VERSION }} + atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} + atmos-pro-upload: true + # Compare the head of the PR to the base of the PR if the PR is not merged. + # If the PR is merged, compare the head of the PR to 1 previous commit on the base branch. + head-ref: ${{ github.event.pull_request.head.sha }} + base-ref: ${{ github.event.action == 'closed' && steps.get_parent.outputs.parent_commit || github.event.pull_request.base.sha }} diff --git a/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml b/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml deleted file mode 100644 index 8d380cbe1..000000000 --- a/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml +++ /dev/null 
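Review bot: In the `Determine previous commit on base branch` step, `echo "merge_commit=$MERGE_COMMIT" >> "$GITHUB_OUTPUT"` references a variable that is never assigned in the script (and the step has no `env:` block), so the `merge_commit` output is always empty while the merge SHA is only echoed to the log. Capture it first and reuse it: `MERGE_COMMIT=$(git rev-parse HEAD)` followed by `echo "Merge commit: $MERGE_COMMIT"`, keeping the existing output line. Nothing in this hunk reads `steps.get_parent.outputs.merge_commit`, so the defect is silent today; if the output is genuinely unused, dropping it together with the echo is the cleaner fix. The `base-ref:` expression on the last step depends only on `parent_commit`, which is set correctly.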
@@ -1,57 +0,0 @@ -name: 👽 Atmos Terraform Apply Matrix (Reusable) -run-name: 👽 Atmos Terraform Apply Matrix (Reusable) - -on: - workflow_call: - inputs: - stacks: - description: "Stacks" - required: true - type: string - sha: - description: "Commit SHA to apply. Default: github.sha" - type: string - required: false - default: "${{ github.event.pull_request.head.sha }}" - atmos-version: - description: The version of atmos to install - required: false - default: ">= 1.63.0" - type: string - atmos-config-path: - description: The path to the atmos.yaml file - required: true - type: string - -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - -jobs: - atmos-apply: - if: ${{ inputs.stacks != '{include:[]}' }} - name: ${{ matrix.stack_slug }} - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - strategy: - max-parallel: 10 - fail-fast: false # Don't fail fast to avoid locking TF State - matrix: ${{ fromJson(inputs.stacks) }} - ## Avoid running the same stack in parallel mode (from different workflows) - concurrency: - group: ${{ matrix.stack_slug }} - cancel-in-progress: false - steps: - - uses: unfor19/install-aws-cli-action@v1 - - - name: Apply Atmos Component - uses: cloudposse/github-action-atmos-terraform-apply@v2 - with: - component: ${{ matrix.component }} - stack: ${{ matrix.stack }} - sha: ${{ inputs.sha }} - atmos-version: ${{ inputs.atmos-version }} - atmos-config-path: ${{ inputs.atmos-config-path }} diff --git a/examples/snippets/.github/workflows/atmos-terraform-apply.yaml b/examples/snippets/.github/workflows/atmos-terraform-apply.yaml deleted file mode 100644 index 5438fe22e..000000000 --- a/examples/snippets/.github/workflows/atmos-terraform-apply.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ -name: 👽 Atmos Terraform Apply -run-name: 👽 Atmos Terraform Apply - - -on: - push: - branches: - - main - -permissions: - id-token: write - contents: read - issues: write - pull-requests: write - -jobs: - pr: - name: PR Context - runs-on: - - "self-hosted" - - "amd64" - - "common" - steps: - - uses: cloudposse-github-actions/get-pr@v2 - id: pr - - outputs: - base: ${{ fromJSON(steps.pr.outputs.json).base.sha }} - head: ${{ fromJSON(steps.pr.outputs.json).head.sha }} - auto-apply: ${{ contains( fromJSON(steps.pr.outputs.json).labels.*.name, 'auto-apply') }} - no-apply: ${{ contains( fromJSON(steps.pr.outputs.json).labels.*.name, 'no-apply') }} - - atmos-affected: - name: Determine Affected Stacks - if: needs.pr.outputs.no-apply == 'false' - needs: ["pr"] - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - steps: - - id: affected - uses: cloudposse/github-action-atmos-affected-stacks@v4 - with: - base-ref: ${{ needs.pr.outputs.base }} - head-ref: ${{ needs.pr.outputs.head }} - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - outputs: - stacks: ${{ steps.affected.outputs.matrix }} - has-affected-stacks: ${{ steps.affected.outputs.has-affected-stacks }} - - plan-atmos-components: - needs: ["atmos-affected", "pr"] - if: | - needs.atmos-affected.outputs.has-affected-stacks == 'true' && needs.pr.outputs.auto-apply != 'true' - name: Validate plan (${{ matrix.name }}) - uses: ./.github/workflows/atmos-terraform-plan-matrix.yaml - strategy: - matrix: ${{ fromJson(needs.atmos-affected.outputs.stacks) }} - max-parallel: 1 # This is important to avoid ddos GHA API - fail-fast: false # Don't fail fast to avoid locking TF State - with: - stacks: ${{ matrix.items }} - drift-detection-mode-enabled: "true" - continue-on-error: 'true' - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - 
sha: ${{ needs.pr.outputs.head }} - secrets: inherit - - drift-detection: - needs: ["atmos-affected", "plan-atmos-components", "pr"] - if: | - always() && needs.atmos-affected.outputs.has-affected-stacks == 'true' && needs.pr.outputs.auto-apply != 'true' - name: Reconcile issues - runs-on: - - "self-hosted" - - "amd64" - - "common" - steps: - - name: Drift Detection - uses: cloudposse/github-action-atmos-terraform-drift-detection@v2 - with: - max-opened-issues: '-1' - process-all: 'false' - - auto-apply: - needs: ["atmos-affected", "pr"] - if: | - needs.atmos-affected.outputs.has-affected-stacks == 'true' && needs.pr.outputs.auto-apply == 'true' - name: Apply (${{ matrix.name }}) - uses: ./.github/workflows/atmos-terraform-apply-matrix.yaml - strategy: - max-parallel: 1 - fail-fast: false # Don't fail fast to avoid locking TF State - matrix: ${{ fromJson(needs.atmos-affected.outputs.stacks) }} - with: - stacks: ${{ matrix.items }} - sha: ${{ needs.pr.outputs.head }} - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - secrets: inherit diff --git a/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml b/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml deleted file mode 100644 index e1f10cb52..000000000 --- a/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -name: 👽 Atmos Terraform Dispatch -run-name: 👽 Atmos Terraform Dispatch - -on: - workflow_dispatch: - inputs: - component: - description: "Atmos Component" - type: string - stack: - description: "Atmos Stack" - type: string - plan: - description: "Terraform Plan" - type: boolean - default: true - apply: - description: "Terraform Apply" - type: boolean - default: false - distinct_id: - description: "Distinct ID" - - -permissions: - id-token: write - contents: read - -jobs: - dispatch-id: - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - steps: - - name: echo Distinct ID ${{ github.event.inputs.distinct_id }} - run: echo ${{ github.event.inputs.distinct_id }} - - atmos-plan: - needs: [ "dispatch-id" ] - if: ${{ inputs.plan }} - name: Plan (${{ inputs.stack }}) - uses: ./.github/workflows/atmos-terraform-plan-matrix.yaml - with: - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - stacks: | - {"include": [ - {"component": "${{ inputs.component }}", "stack": "${{ inputs.stack }}", "stack_slug": "${{ inputs.stack }}-${{ inputs.component }}"} - ]} - secrets: inherit - - atmos-apply: - needs: ["atmos-plan"] - if: ${{ inputs.apply }} - name: Apply (${{ inputs.stack }}) - uses: ./.github/workflows/atmos-terraform-apply-matrix.yaml - with: - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - stacks: | - {"include": [ - {"component": "${{ inputs.component }}", "stack": "${{ inputs.stack }}", "stack_slug": "${{ inputs.stack }}-${{ inputs.component }}"} - ]} - secrets: inherit - diff --git a/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml b/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml deleted file mode 100644 index 86fd8e69d..000000000 --- a/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -name: 👽 Atmos Terraform Drift Detection -run-name: 👽 Atmos Terraform Drift Detection - -on: - # push: - # branches: - # - main # this is for debugging only - workflow_dispatch: {} - schedule: - - cron: "0 */12 * * *" - -permissions: - id-token: write - contents: write - issues: write - -jobs: - select-components: - name: Select Components - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - steps: - - name: Selected Components - id: components - uses: cloudposse/github-action-atmos-terraform-select-components@v2 - with: - select-filter: '.settings.github.actions_enabled and .metadata.type != "abstract"' - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - outputs: - stacks: ${{ steps.components.outputs.matrix }} - has-selected-components: ${{ steps.components.outputs.has-selected-components }} - - plan-atmos-components: - needs: ["select-components"] - if: ${{ needs.select-components.outputs.has-selected-components == 'true' }} - name: Detect Drift (${{ matrix.name }}) - uses: ./.github/workflows/atmos-terraform-plan-matrix.yaml - strategy: - max-parallel: 1 # This is important to avoid ddos GHA API - fail-fast: false # Don't fail fast to avoid locking TF State - matrix: ${{ fromJson(needs.select-components.outputs.stacks) }} - with: - stacks: ${{ matrix.items }} - sha: ${{ github.sha }} - drift-detection-mode-enabled: "true" - continue-on-error: true - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - secrets: inherit - - drift-detection: - needs: ["plan-atmos-components"] - if: always() - name: Reconcile issues - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - steps: - - name: Drift Detection - uses: cloudposse/github-action-atmos-terraform-drift-detection@v2 - with: - 
max-opened-issues: '10' - process-all: 'true' diff --git a/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml b/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml deleted file mode 100644 index 964038947..000000000 --- a/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml +++ /dev/null @@ -1,55 +0,0 @@ -name: 👽 Atmos Terraform Drift Remediation -run-name: 👽 Atmos Terraform Drift Remediation - -on: - issues: - types: - - labeled - - closed - -permissions: - id-token: write - contents: read - issues: write - -jobs: - remediate-drift: - if: github.event.action == 'labeled' && contains(github.event.issue.labels.*.name, 'apply') - name: Remediate Drift - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - steps: - - uses: unfor19/install-aws-cli-action@v1 - - name: Remediate Drift - uses: cloudposse/github-action-atmos-terraform-drift-remediation@v2 - with: - issue-number: ${{ github.event.issue.number }} - action: remediate - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - - discard-drift: - if: > - github.event.action == 'closed' && ( - contains(github.event.issue.labels.*.name, 'drift') || - contains(github.event.issue.labels.*.name, 'error') - ) && - !contains(github.event.issue.labels.*.name, 'remediated') - name: Discard Drift - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - steps: - - name: Discard Drift - uses: cloudposse/github-action-atmos-terraform-drift-remediation@v2 - with: - issue-number: ${{ github.event.issue.number }} - action: discard - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - 
diff --git a/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml b/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml deleted file mode 100644 index 07d9a2dfd..000000000 --- a/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ -name: 👽 Atmos Terraform Plan Matrix (Reusable) -run-name: 👽 Atmos Terraform Plan Matrix (Reusable) - -on: - workflow_call: - inputs: - stacks: - description: "Stacks" - required: true - type: string - drift-detection-mode-enabled: - description: "Indicate whether this action is used in drift detection workflow." - type: string - required: false - default: 'false' - sha: - description: "SHA to use" - required: false - default: "${{ github.event.pull_request.head.sha }}" - type: string - atmos-version: - description: The version of atmos to install - required: false - default: ">= 1.63.0" - type: string - atmos-config-path: - description: The path to the atmos.yaml file - required: true - type: string - continue-on-error: - description: "Prevents a workflow run from failing when a job fails. Set to true to allow a workflow run to pass when this job fails." - required: false - default: "false" - type: string - -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - -jobs: - atmos-plan: - if: ${{ inputs.stacks != '{include:[]}' }} - name: ${{ matrix.stack_slug }} - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - continue-on-error: ${{ inputs.continue-on-error == 'true' }} - strategy: - max-parallel: 10 - fail-fast: false # Don't fail fast to avoid locking TF State - matrix: ${{ fromJson(inputs.stacks) }} - ## Avoid running the same stack in parallel mode (from different workflows) - concurrency: - group: ${{ matrix.stack_slug }} - cancel-in-progress: false - steps: - - uses: unfor19/install-aws-cli-action@v1 - - - name: Plan Atmos Component - uses: cloudposse/github-action-atmos-terraform-plan@v3 - with: - component: ${{ matrix.component }} - stack: ${{ matrix.stack }} - drift-detection-mode-enabled: ${{ inputs.drift-detection-mode-enabled }} - infracost-api-key: ${{ 
secrets.INFRACOST_API_KEY }} - sha: ${{ inputs.sha }} - atmos-version: ${{ inputs.atmos-version }} - atmos-config-path: ${{ inputs.atmos-config-path }} diff --git a/examples/snippets/.github/workflows/atmos-terraform-plan.yaml b/examples/snippets/.github/workflows/atmos-terraform-plan.yaml deleted file mode 100644 index f81d1b451..000000000 --- a/examples/snippets/.github/workflows/atmos-terraform-plan.yaml +++ /dev/null @@ -1,53 +0,0 @@ -name: 👽 Atmos Terraform Plan -run-name: 👽 Atmos Terraform Plan - -on: - pull_request_target: - types: - - opened - - synchronize - - reopened - branches: - - main - -permissions: - id-token: write - contents: read - -jobs: - atmos-affected: - if: ${{ !contains( github.event.pull_request.labels.*.name, 'no-plan') }} - name: Determine Affected Stacks - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - steps: - - id: affected - uses: cloudposse/github-action-atmos-affected-stacks@v4 - with: - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - base-ref: ${{ github.event.pull_request.base.sha }} - head-ref: ${{ github.event.pull_request.head.sha }} - outputs: - stacks: ${{ steps.affected.outputs.matrix }} - has-affected-stacks: ${{ steps.affected.outputs.has-affected-stacks }} - - atmos-plan: - needs: ["atmos-affected"] - if: ${{ needs.atmos-affected.outputs.has-affected-stacks == 'true' }} - name: Plan (${{ matrix.name }}) - uses: ./.github/workflows/atmos-terraform-plan-matrix.yaml - strategy: - matrix: ${{ fromJson(needs.atmos-affected.outputs.stacks) }} - max-parallel: 1 # This is important to avoid ddos GHA API - fail-fast: false # Don't fail fast to avoid locking TF State - with: - stacks: ${{ matrix.items }} - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - sha: ${{ github.event.pull_request.head.sha }} - secrets: inherit - 
diff --git a/examples/snippets/Dockerfile b/examples/snippets/Dockerfile index 4ff3bc750..8e015f055 100644 --- a/examples/snippets/Dockerfile +++ b/examples/snippets/Dockerfile @@ -2,9 +2,9 @@ ARG GEODESIC_VERSION=4.3.0 ARG GEODESIC_OS=debian # https://github.com/cloudposse/atmos -ARG ATMOS_VERSION=1.180.0 +ARG ATMOS_VERSION=1.185.0 # This should match the version set in .github/workflows/auto-format.yaml -ARG TOFU_VERSION=1.10.1 +ARG TOFU_VERSION=1.10.5 FROM public.ecr.aws/cloudposse/geodesic:${GEODESIC_VERSION}-${GEODESIC_OS} diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons.yaml index 1f46f57aa..cb62b9ad2 100644 --- a/examples/snippets/stacks/workflows/quickstart/app/addons.yaml +++ b/examples/snippets/stacks/workflows/quickstart/app/addons.yaml 
@@ -2,134 +2,134 @@ workflows:
 all:
 description: run all workflows
 steps:
- - command: workflow vendor -f addons
- - command: workflow deploy/all -f addons
+ - command: workflow vendor -f quickstart/app/addons
+ - command: workflow deploy/all -f quickstart/app/addons
 vendor:
 description: Vendor addon components.
 steps:
- - command: workflow vendor -f addons/alb
- - command: workflow vendor -f addons/api-gateway
- - command: workflow vendor -f addons/cognito
- - command: workflow vendor -f addons/ec2-instance
- - command: workflow vendor -f addons/kinesis-stream
- - command: workflow vendor -f addons/kms
- - command: workflow vendor -f addons/lambda
- - command: workflow vendor -f addons/memorydb
- - command: workflow vendor -f addons/s3-bucket
- - command: workflow vendor -f addons/ses
- - command: workflow vendor -f addons/sns-topic
- - command: workflow vendor -f addons/spa-s3-cloudfront
- - command: workflow vendor -f addons/sqs-queue
- - command: workflow vendor -f addons/ssm-parameters
- - command: workflow vendor -f addons/waf
+ - command: workflow vendor -f quickstart/app/addons/alb
+ - command: workflow vendor -f quickstart/app/addons/api-gateway
+ - command: workflow vendor -f quickstart/app/addons/cognito
+ - command: workflow vendor -f quickstart/app/addons/ec2-instance
+ - command: workflow vendor -f quickstart/app/addons/kinesis-stream
+ - command: workflow vendor -f quickstart/app/addons/kms
+ - command: workflow vendor -f quickstart/app/addons/lambda
+ - command: workflow vendor -f quickstart/app/addons/memorydb
+ - command: workflow vendor -f quickstart/app/addons/s3-bucket
+ - command: workflow vendor -f quickstart/app/addons/ses
+ - command: workflow vendor -f quickstart/app/addons/sns-topic
+ - command: workflow vendor -f quickstart/app/addons/spa-s3-cloudfront
+ - command: workflow vendor -f quickstart/app/addons/sqs-queue
+ - command: workflow vendor -f quickstart/app/addons/ssm-parameters
+ - command: workflow vendor -f quickstart/app/addons/waf
 deploy/all:
 description: run all deploy workflows
 steps:
- - command: workflow deploy/alb -f addons
- - command: workflow deploy/api-gateway -f addons
- - command: workflow deploy/cognito -f addons
- - command: workflow deploy/ec2-instance -f addons
- - command: workflow deploy/kinesis-stream -f addons
- - command: workflow deploy/kms -f addons
- - command: workflow deploy/lambda -f addons
- - command: workflow deploy/memorydb -f addons
- - command: workflow deploy/s3-bucket -f addons
- - command: workflow deploy/ses -f addons
- - command: workflow deploy/sns-topic -f addons
- - command: workflow deploy/spa-s3-cloudfront -f addons
- - command: workflow deploy/sqs-queue -f addons
- - command: workflow deploy/ssm-parameters -f addons
- - command: workflow deploy/waf -f addons
+ - command: workflow deploy/alb -f quickstart/app/addons
+ - command: workflow deploy/api-gateway -f quickstart/app/addons
+ - command: workflow deploy/cognito -f quickstart/app/addons
+ - command: workflow deploy/ec2-instance -f quickstart/app/addons
+ - command: workflow deploy/kinesis-stream -f quickstart/app/addons
+ - command: workflow deploy/kms -f quickstart/app/addons
+ - command: workflow deploy/lambda -f quickstart/app/addons
+ - command: workflow deploy/memorydb -f quickstart/app/addons
+ - command: workflow deploy/s3-bucket -f quickstart/app/addons
+ - command: workflow deploy/ses -f quickstart/app/addons
+ - command: workflow deploy/sns-topic -f quickstart/app/addons
+ - command: workflow deploy/spa-s3-cloudfront -f quickstart/app/addons
+ - command: workflow deploy/sqs-queue -f quickstart/app/addons
+ - command: workflow deploy/ssm-parameters -f quickstart/app/addons
+ - command: workflow deploy/waf -f quickstart/app/addons
 deploy/alb:
 description: >-
 Deploy Alb Component. Please modify the stacks/workflows/addons/alb.yaml to customize
 steps:
- - command: workflow all -f addons/alb
+ - command: workflow all -f quickstart/app/addons/alb
 deploy/api-gateway:
 description: >-
 Deploy Api-Gateway Component. Please modify the stacks/workflows/addons/api-gateway.yaml to customize
 steps:
- - command: workflow all -f addons/api-gateway
+ - command: workflow all -f quickstart/app/addons/api-gateway
 deploy/cognito:
 description: >-
 Deploy Cognito Component. Please modify the stacks/workflows/addons/cognito.yaml to customize
 steps:
- - command: workflow all -f addons/cognito
+ - command: workflow all -f quickstart/app/addons/cognito
 deploy/ec2-instance:
 description: >-
 Deploy Ec2-Instance Component. Please modify the stacks/workflows/addons/ec2-instance.yaml to customize
 steps:
- - command: workflow all -f addons/ec2-instance
+ - command: workflow all -f quickstart/app/addons/ec2-instance
 deploy/kinesis-stream:
 description: >-
 Deploy Kinesis-Stream Component. Please modify the stacks/workflows/addons/kinesis-stream.yaml to customize
 steps:
- - command: workflow all -f addons/kinesis-stream
+ - command: workflow all -f quickstart/app/addons/kinesis-stream
 deploy/kms:
 description: >-
 Deploy Kms Component. Please modify the stacks/workflows/addons/kms.yaml to customize
 steps:
- - command: workflow all -f addons/kms
+ - command: workflow all -f quickstart/app/addons/kms
 deploy/lambda:
 description: >-
 Deploy Lambda Component. Please modify the stacks/workflows/addons/lambda.yaml to customize
 steps:
- - command: workflow all -f addons/lambda
+ - command: workflow all -f quickstart/app/addons/lambda
 deploy/memorydb:
 description: >-
 Deploy Memorydb Component. Please modify the stacks/workflows/addons/memorydb.yaml to customize
 steps:
- - command: workflow all -f addons/memorydb
+ - command: workflow all -f quickstart/app/addons/memorydb
 deploy/s3-bucket:
 description: >-
 Deploy S3-Bucket Component. Please modify the stacks/workflows/addons/s3-bucket.yaml to customize
 steps:
- - command: workflow all -f addons/s3-bucket
+ - command: workflow all -f quickstart/app/addons/s3-bucket
 deploy/ses:
 description: >-
 Deploy Ses Component. Please modify the stacks/workflows/addons/ses.yaml to customize
 steps:
- - command: workflow all -f addons/ses
+ - command: workflow all -f quickstart/app/addons/ses
 deploy/sns-topic:
 description: >-
 Deploy Sns-Topic Component. Please modify the stacks/workflows/addons/sns-topic.yaml to customize
 steps:
- - command: workflow all -f addons/sns-topic
+ - command: workflow all -f quickstart/app/addons/sns-topic
 deploy/spa-s3-cloudfront:
 description: >-
 Deploy Spa-S3-Cloudfront Component. Please modify the stacks/workflows/addons/spa-s3-cloudfront.yaml to customize
 steps:
- - command: workflow all -f addons/spa-s3-cloudfront
+ - command: workflow all -f quickstart/app/addons/spa-s3-cloudfront
 deploy/sqs-queue:
 description: >-
 Deploy Sqs-Queue Component. Please modify the stacks/workflows/addons/sqs-queue.yaml to customize
 steps:
- - command: workflow all -f addons/sqs-queue
+ - command: workflow all -f quickstart/app/addons/sqs-queue
 deploy/ssm-parameters:
 description: >-
 Deploy Ssm-Parameters Component. Please modify the stacks/workflows/addons/ssm-parameters.yaml to customize
 steps:
- - command: workflow all -f addons/ssm-parameters
+ - command: workflow all -f quickstart/app/addons/ssm-parameters
 deploy/waf:
 description: >-
 Deploy Waf Component. Please modify the stacks/workflows/addons/waf.yaml to customize
 steps:
- - command: workflow all -f addons/waf
+ - command: workflow all -f quickstart/app/addons/waf
diff --git a/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml
index a9408c435..4f3c7bd03 100644
--- a/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml
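Review bot: Every `deploy/*` description in this hunk still tells the reader to edit `stacks/workflows/addons/<name>.yaml`, while the step under each one was repointed to `-f quickstart/app/addons/<name>` and the file itself lives under `stacks/workflows/quickstart/app/`, so the customisation hint now names a location the workflows no longer reference. Each folded description should track the new path, e.g. `Please modify the stacks/workflows/quickstart/app/addons/alb.yaml to customize`, and likewise for the other fourteen components. Since this commit is generated, the stale prefix presumably comes from the snippet generator's template and is best corrected there rather than by hand-editing this file.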
+++ b/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml
@@ -2,8 +2,8 @@ workflows:
 all:
 description: run all workflows
 steps:
- - command: atmos workflow deploy -f addons/spa-s3-cloudfront
- - command: atmos workflow upload -f addons/spa-s3-cloudfront
+ - command: atmos workflow deploy -f quickstart/app/addons/spa-s3-cloudfront
+ - command: atmos workflow upload -f quickstart/app/addons/spa-s3-cloudfront
 vendor:
 description: vendor all components required for this addon
diff --git a/examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml b/examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml
new file mode 100644
index 000000000..5e23eb6de
--- /dev/null
+++ b/examples/snippets/stacks/workflows/quickstart/app/app-on-ecs.yaml
@@ -0,0 +1,22 @@
+workflows:
+ all:
+ steps:
+ - command: workflow verify/github-oidc-providers -f quickstart/app/app-on-ecs
+ - command: workflow deploy/app-on-ecs -f quickstart/app/app-on-ecs
+
+ verify/github-oidc-providers:
+ description: |
+ This workflow ensures all Github OIDC Provider Configuration deployed.
+ steps:
+ - command: workflow deploy/github-oidc-provider -f quickstart/foundation/github
+
+ deploy/app-on-ecs:
+ description: |
+ This workflow deploys `app-on-ecs` stacks
+ steps:
+ - command: terraform deploy ecs-services/example-app-on-ecs -s plat-use1-sandbox
+ - command: terraform deploy ecs-services/example-app-on-ecs/dev -s plat-use1-dev
+ - command: terraform deploy ecs-services/example-app-on-ecs/qa1 -s plat-use1-dev
+ - command: terraform deploy ecs-services/example-app-on-ecs/qa2 -s plat-use1-dev
+ - command: terraform deploy ecs-services/example-app-on-ecs -s plat-use1-staging
+ - command: terraform deploy ecs-services/example-app-on-ecs -s plat-use1-prod
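Review bot: The `all` workflow in app-on-ecs.yaml carries no `description`, unlike its two siblings, and `deploy/app-on-ecs` promotes the same component through sandbox, dev (three variants), staging and prod in one unguarded sequence without saying so; a description such as `Deploys example-app-on-ecs to every plat stack in order, sandbox through prod; run the individual stacks if only one environment is wanted.` would make the blast radius explicit. The `verify/github-oidc-providers` description is ungrammatical — `This workflow ensures the GitHub OIDC provider configuration is deployed.` reads better — and the identical sentence in app-on-eks-with-argocd.yaml should change with it. Both files invoke `-f quickstart/foundation/github`, a workflow file this diff does not touch, so it is worth confirming that it exists at that path and still defines `deploy/github-oidc-provider`.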
diff --git a/examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml b/examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml
new file mode 100644
index 000000000..3e859a366
--- /dev/null
+++ b/examples/snippets/stacks/workflows/quickstart/app/app-on-eks-with-argocd.yaml
@@ -0,0 +1,34 @@
+workflows:
+ verify/github-oidc-providers:
+ description: |
+ This workflow ensures all Github OIDC Provider Configuration deployed.
+ Please assume `acme-core-gbl-root-admin`
+ steps:
+ - command: workflow deploy/github-oidc-provider -f quickstart/foundation/github
+
+ deploy/pre-requisites:
+ description: |
+ This workflow ensures all components are up to date before attempting to deploy the repos that access them.
+ Often a eks/cluster component will need to be reapplied to add OIDC access for a given repo.
+ steps:
+ - command: terraform deploy ecr -s core-use1-artifacts
+ - command: workflow deploy/acm -f quickstart/foundation/network
+ - command: terraform deploy eks/cluster -s plat-use1-dev
+ - command: terraform deploy eks/cluster -s plat-use1-staging
+ - command: terraform deploy eks/cluster -s plat-use1-prod
+
+ deploy/acm:
+ description: |
+ This workflow deploys additional ACM certificates required for specific app-on-eks-with-argocd workflow environments.
+ steps:
+ - command: terraform deploy acm/preview -s plat-use1-dev
+ - command: terraform deploy acm/qa1 -s plat-use1-staging
+ - command: terraform deploy acm/qa2 -s plat-use1-staging
+ - command: terraform deploy acm/qa3 -s plat-use1-staging
+ - command: terraform deploy acm/qa4 -s plat-use1-staging
+
+ demo/install:
+ description: |
+ This workflow deploys GitHub repositories for app-on-eks-with-argocd demo
+ steps:
+ - command: terraform deploy release-engineering-bootstrap -s core-gbl-auto
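Review bot: `deploy/pre-requisites` invokes `workflow deploy/acm -f quickstart/foundation/network`, yet this file defines its own `deploy/acm` (the acm/preview and acm/qa1–qa4 stacks) that no step in the file references, so either the `-f` should read `quickstart/app/app-on-eks-with-argocd` or the local workflow is reachable only by hand. If both are intended, the pre-requisites description should say that the network-layer certificates come first and the app-specific ones are a separate, later step. Unlike app-on-ecs.yaml there is no `all` workflow tying `verify/github-oidc-providers`, `deploy/pre-requisites`, `deploy/acm` and `demo/install` together, so the intended order is implied only by file position. The privilege note `Please assume `acme-core-gbl-root-admin`` is useful and could be repeated on `demo/install`, which also targets a core account; small wording fix in pre-requisites: `Often an eks/cluster component will need to be reapplied …`.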
diff --git a/examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml b/examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml
new file mode 100644
index 000000000..8f9f5581d
--- /dev/null
+++ b/examples/snippets/stacks/workflows/quickstart/app/app-on-lambda-with-atmos.yaml
@@ -0,0 +1,39 @@
+workflows:
+ all:
+ steps:
+ - command: workflow init/artifact-bucket -f quickstart/app/app-on-lambda-with-atmos
+ - command: workflow init/app-on-lambda-with-atmos -f quickstart/app/app-on-lambda-with-atmos
+ - command: workflow deploy/github-oidc-role -f quickstart/app/app-on-lambda-with-atmos
+ - command: workflow deploy/artifact-bucket -f quickstart/app/app-on-lambda-with-atmos
+
+ init/artifact-bucket:
+ description: |
+ This workflow deploys the artifact bucket for the app-on-lambda-with-atmos workflow.
+ steps:
+ - command: terraform deploy s3-bucket/github-action-artifacts -s core-us-east-1-artifacts -var privileged_principal_arns=[]
+
+ deploy/artifact-bucket:
+ description: |
+ This workflow deploys the artifact bucket for the app-on-lambda-with-atmos workflow.
+ steps:
+ - command: terraform deploy s3-bucket/github-action-artifacts -s core-us-east-1-artifacts
+
+ deploy/github-oidc-role:
+ description: |
+ This workflow deploys the github-oidc-role for the app-on-lambda-with-atmos workflow.
+ steps:
+ - command: terraform deploy github-oidc-role/lambda-publish -s core-gbl-artifacts
+ - command: terraform deploy github-oidc-role/app-on-lambda-with-atmos -s plat-gbl-dev
+ - command: terraform deploy github-oidc-role/app-on-lambda-with-atmos -s plat-gbl-staging
+ - command: terraform deploy github-oidc-role/app-on-lambda-with-atmos -s plat-gbl-prod
+
+ init/app-on-lambda-with-atmos:
+ description: Initializes SSM parameters for app-on-lambda-with-atmos, these are not valid until the github actions run to update the values.
+ steps:
+ - type: shell
+ name: setup ssm params
+ command: |-
+ profiles=( "acme-plat-gbl-dev-admin" "acme-plat-gbl-sandbox-admin" "acme-plat-gbl-staging-admin" "acme-plat-gbl-prod-admin" )
+ for profile in ${profiles[@]} ; do
+ aws --profile $profile ssm put-parameter --name /lambda/app-on-lambda-with-atmos/tag --value 0.0.0 --type String --overwrite
+ done
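Review bot: The `setup ssm params` shell step expands `${profiles[@]}` and `$profile` unquoted and runs without `set -e`, so a failed `aws ssm put-parameter` for one profile is passed over silently and the step reports only the last iteration's exit status; start the script with `set -euo pipefail`, loop with `for profile in "${profiles[@]}"; do`, and call `aws --profile "$profile" ssm put-parameter …` so a missing profile or denied call stops the workflow. `init/artifact-bucket` and `deploy/artifact-bucket` share a word-for-word description even though only the first passes `-var privileged_principal_arns=[]`; presumably the bucket is bootstrapped without principals because the roles it will grant do not exist until `deploy/github-oidc-role` runs, and the init description should say so, e.g. `Bootstraps the artifact bucket with no privileged principals; deploy/artifact-bucket re-applies it once the OIDC roles exist.`. The profile list also includes `acme-plat-gbl-sandbox-admin` while `deploy/github-oidc-role` targets dev, staging and prod only, so either a `plat-gbl-sandbox` role step is missing or the sandbox parameter is dead.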
diff --git a/examples/snippets/stacks/workflows/quickstart/app/data.yaml b/examples/snippets/stacks/workflows/quickstart/app/data.yaml
index d21b5b816..0811ce476 100644
--- a/examples/snippets/stacks/workflows/quickstart/app/data.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/app/data.yaml
@@ -2,8 +2,8 @@ workflows:
 all:
 description: run all workflows
 steps:
- - command: workflow vendor -f data
- - command: workflow deploy/all -f data
+ - command: workflow vendor -f quickstart/app/data
+ - command: workflow deploy/all -f quickstart/app/data
 vendor:
 description: Vendor addon components.
@@ -23,17 +23,17 @@ workflows:
 deploy/all:
 description: run all deploy workflows
 steps:
- - command: workflow deploy/aurora-postgres -f data
- - command: workflow deploy/aurora-postgres-resources -f data
- - command: workflow deploy/aurora-mysql -f data
- - command: workflow deploy/aurora-mysql-resources -f data
- - command: workflow deploy/aws-backup -f data
- - command: workflow deploy/documentdb -f data
- - command: workflow deploy/dynamodb -f data
- - command: workflow deploy/elasticsearch -f data
- - command: workflow deploy/rds -f data
- - command: workflow deploy/redshift -f data
- - command: workflow deploy/elasticache-redis -f data
+ - command: workflow deploy/aurora-postgres -f quickstart/app/data
+ - command: workflow deploy/aurora-postgres-resources -f quickstart/app/data
+ - command: workflow deploy/aurora-mysql -f quickstart/app/data
+ - command: workflow deploy/aurora-mysql-resources -f quickstart/app/data
+ - command: workflow deploy/aws-backup -f quickstart/app/data
+ - command: workflow deploy/documentdb -f quickstart/app/data
+ - command: workflow deploy/dynamodb -f quickstart/app/data
+ - command: workflow deploy/elasticsearch -f quickstart/app/data
+ - command: workflow deploy/rds -f quickstart/app/data
+ - command: workflow deploy/redshift -f quickstart/app/data
+ - command: workflow deploy/elasticache-redis -f quickstart/app/data
 deploy/aws-backup:
 description: >-
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
index 959b45e66..d90ca80b5 100644
--- a/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
@@ -2,8 +2,8 @@ workflows:
 all:
 description: run all workflows
 steps:
- - command: workflow deploy/accounts -f accounts
- - command: workflow deploy/account-settings -f accounts
+ - command: workflow deploy/accounts -f quickstart/foundation/accounts
+ - command: workflow deploy/account-settings -f quickstart/foundation/accounts
 deploy/organization:
 description: |
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/baseline.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/baseline.yaml
index 3d50d44bf..82a46e7f3 100644
--- a/examples/snippets/stacks/workflows/quickstart/foundation/baseline.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/foundation/baseline.yaml
@@ -3,11 +3,11 @@ workflows:
 all:
 description: run all workflows
 steps:
- - command: workflow vendor -f baseline
- - command: workflow init/tfstate -f baseline
- - command: workflow deploy/tfstate -f baseline
- - command: workflow deploy/cloudtrail -f baseline
- - command: workflow deploy/ecr -f baseline
+ - command: workflow vendor -f quickstart/foundation/baseline
+ - command: workflow init/tfstate -f quickstart/foundation/baseline
+ - command: workflow deploy/tfstate -f quickstart/foundation/baseline
+ - command: workflow deploy/cloudtrail -f quickstart/foundation/baseline
+ - command: workflow deploy/ecr -f quickstart/foundation/baseline
 vendor:
 description: Vendor baseline layer components.
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/gitops.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/gitops.yaml
index 299b40aa7..28dce85e1 100644
--- a/examples/snippets/stacks/workflows/quickstart/foundation/gitops.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/foundation/gitops.yaml
@@ -1,36 +1,23 @@
 workflows:
 all:
- description: run all workflows
+ description: Run all Gitops workflows
 steps:
- - command: workflow vendor -f gitops
- - command: workflow deploy/all -f gitops
+ - command: workflow vendor -f quickstart/foundation/gitops
+ - command: workflow deploy -f quickstart/foundation/gitops
 vendor:
- description: Vendor gitops required components.
+ description: Vendor Gitops required components.
 steps:
+ - command: vendor pull --component github-oidc-provider
 - command: vendor pull --component github-oidc-role
 - command: vendor pull --component dynamodb
 - command: vendor pull --component s3-bucket
- deploy/all:
- description: Run all deploy workflows
- steps:
- - command: workflow deploy/github-oidc-provider -f github
- - command: workflow deploy/gitops -f gitops
-
- deploy/gitops:
- description: Run deploy workflows for Gitops requirements
+ deploy:
+ description: Run deployment for Gitops requirements
 steps:
+ - command: terraform deploy github-oidc-provider -s core-gbl-identity
 - command: terraform deploy gitops/s3-bucket --stack core-use1-auto
 - command: terraform deploy gitops/dynamodb --stack core-use1-auto
- - command: terraform deploy github-oidc-role/gitops --stack core-use1-auto
-
- deploy/github-oidc-provider:
- description: Deploys GitHub OIDC provider to every included account.
- steps:
- - command: workflow deploy/github-oidc-provider -f github
- - command: terraform deploy github-oidc-provider -s core-gbl-audit
- - command: terraform deploy github-oidc-provider -s core-gbl-dns
- - command: terraform deploy github-oidc-provider -s core-gbl-network
- - command: terraform deploy github-oidc-provider -s core-gbl-security
+ - command: terraform deploy github-oidc-role/gitops --stack core-use1-auto
\ No newline at end of file
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml
index 74bf87184..56c708967 100644
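Review bot: The removed `deploy/github-oidc-provider` workflow applied the provider to `core-gbl-audit`, `core-gbl-dns`, `core-gbl-network` and `core-gbl-security` (plus whatever `-f github` covered), whereas the new `deploy` applies it only to `core-gbl-identity`, so this file no longer provisions the OIDC provider in those four accounts; if another workflow now owns them the `deploy` description should name it, otherwise this is a silent drop in coverage that nothing in the commit explains. Renaming `deploy/all` to `deploy` also breaks any caller outside this file that still runs `workflow deploy/all -f …gitops`, which is worth a grep before merging. The file is now emitted without a trailing newline (`\ No newline at end of file`); the generator should write one.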
--- a/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml
@@ -24,15 +24,15 @@ workflows:
 all:
 description: Run all workflows
 steps:
- - command: workflow check-setup -f identity
- - command: workflow vendor -f identity
- - command: workflow deploy/all -f identity
+ - command: workflow check-setup -f quickstart/foundation/identity
+ - command: workflow vendor -f quickstart/foundation/identity
+ - command: workflow deploy/all -f quickstart/foundation/identity
 vendor:
 description: Vendor identity layer components and scripts.
 steps:
- - command: workflow vendor/components -f identity
- - command: workflow vendor/aws-config -f identity
+ - command: workflow vendor/components -f quickstart/foundation/identity
+ - command: workflow vendor/aws-config -f quickstart/foundation/identity
 vendor/components:
 description: Vendor identity layer components.
@@ -59,10 +59,10 @@ workflows:
 deploy/all:
 description: Deploy all identity components.
 steps:
- - command: workflow deploy/saml -f identity
- - command: workflow deploy/sso -f identity
- - command: workflow deploy/teams -f identity
- - command: workflow update-aws-config -f identity
+ - command: workflow deploy/saml -f quickstart/foundation/identity
+ - command: workflow deploy/sso -f quickstart/foundation/identity
+ - command: workflow deploy/teams -f quickstart/foundation/identity
+ - command: workflow update-aws-config -f quickstart/foundation/identity
 deploy/saml:
 description: Update aws-saml configuration (when adding a new Identity Provider).
diff --git a/examples/snippets/stacks/workflows/quickstart/foundation/network.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/network.yaml
index 3a3144a74..fe5695d68 100644
--- a/examples/snippets/stacks/workflows/quickstart/foundation/network.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/foundation/network.yaml
@@ -2,14 +2,14 @@ workflows:
 all:
 description: run all workflows
 steps:
- - command: workflow vendor -f network
- - command: workflow deploy/vpc -f network
- - command: workflow deploy/tgw -f network
- - command: workflow deploy/dns -f network
- - command: workflow output/dns-name-servers -f network
- - command: workflow deploy/acm -f network
- - command: workflow deploy/vpn -f network
- - command: workflow deploy/bastion -f network
+ - command: workflow vendor -f quickstart/foundation/network
+ - command: workflow deploy/vpc -f quickstart/foundation/network
+ - command: workflow deploy/tgw -f quickstart/foundation/network
+ - command: workflow deploy/dns -f quickstart/foundation/network
+ - command: workflow output/dns-name-servers -f quickstart/foundation/network
+ - command: workflow deploy/acm -f quickstart/foundation/network
+ - command: workflow deploy/vpn -f quickstart/foundation/network
+ - command: workflow deploy/bastion -f quickstart/foundation/network
 vendor:
 description: Vendor component dependencies for the network layer.
@@ -54,10 +54,6 @@ workflows:
 - command: terraform deploy tgw/attachment -s plat-use1-staging
 - command: terraform deploy tgw/attachment -s plat-use1-prod
 - command: terraform deploy tgw/routes -s core-use1-network
- - command: terraform deploy tgw/routes -s plat-use1-sandbox
- - command: terraform deploy tgw/routes -s plat-use1-dev
- - command: terraform deploy tgw/routes -s plat-use1-staging
- - command: terraform deploy tgw/routes -s plat-use1-prod
 - command: terraform deploy vpc/routes/private -s core-use1-network
 - command: terraform deploy vpc/routes/private -s plat-use1-sandbox
 - command: terraform deploy vpc/routes/private -s plat-use1-dev
@@ -102,7 +98,10 @@ workflows:
 description: Provision AWS Certificate Manager for custom and ad-hoc requests.
 steps:
 - command: terraform deploy acm -s core-use1-auto
-
+ - command: terraform deploy acm -s plat-use1-sandbox
+ - command: terraform deploy acm -s plat-use1-dev
+ - command: terraform deploy acm -s plat-use1-staging
+ - command: terraform deploy acm -s plat-use1-prod
 deploy/vpn:
 description: Establish the AWS Client VPN in the core-network account.
diff --git a/examples/snippets/stacks/workflows/quickstart/monitor/compliance.yaml b/examples/snippets/stacks/workflows/quickstart/monitor/compliance.yaml
new file mode 100644
index 000000000..2a595afaf
--- /dev/null
+++ b/examples/snippets/stacks/workflows/quickstart/monitor/compliance.yaml
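Review bot: The blank line that separated the `deploy/acm` stanza from `deploy/vpn` is consumed by this change (the removed blank is replaced by the four `+` lines and none is re-added), so `deploy/vpn:` now sits directly under `plat-use1-prod`; restore the blank line after `- command: terraform deploy acm -s plat-use1-prod` to keep the stanza spacing used everywhere else in the file. The description `Provision AWS Certificate Manager for custom and ad-hoc requests.` predates the four plat stacks and could now say that it covers core-auto plus every plat stack. In the preceding hunk (`@@ -54,10 +54,6 @@`) the four `tgw/routes` deploys for the plat stacks are dropped while their `tgw/attachment` steps remain; if the plat routes are now provisioned elsewhere, a comment on that step list would save the next reader the question, and if not, this quietly leaves the attachments without routes.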
@@ -0,0 +1,288 @@ +workflows: + vendor: + description: Vendor compliance layer components and scripts. + steps: + - command: vendor pull --component config-bucket + - command: vendor pull --component cloudtrail-bucket + - command: vendor pull --component aws-config + - command: vendor pull --component security-hub + - command: vendor pull --component guardduty + - command: vendor pull --component s3-bucket + - command: vendor pull --component route53-resolver-dns-firewall + - command: vendor pull --component aws-shield + - command: vendor pull --component aws-inspector2 + + deploy/aws-config/global-collector: + description: Deploy AWS Config into main global collector account + steps: + # Note that central region 'use1' and central account 'security' should be the first one created + - command: terraform deploy aws-config-use1 -s core-use1-security + - command: terraform deploy aws-config-use2 -s core-use2-security + - command: terraform deploy aws-config-usw1 -s core-usw1-security + - command: terraform deploy aws-config-usw2 -s core-usw2-security + - command: terraform deploy aws-config-aps1 -s core-aps1-security + - command: terraform deploy aws-config-apne3 -s core-apne3-security + - command: terraform deploy aws-config-apne2 -s core-apne2-security + - command: terraform deploy aws-config-apne1 -s core-apne1-security + - command: terraform deploy aws-config-apse1 -s core-apse1-security + - command: terraform deploy aws-config-apse2 -s core-apse2-security + - command: terraform deploy aws-config-cac1 -s core-cac1-security + - command: terraform deploy aws-config-euc1 -s core-euc1-security + - command: terraform deploy aws-config-euw1 -s core-euw1-security + - command: terraform deploy aws-config-euw2 -s core-euw2-security + - command: terraform deploy aws-config-euw3 -s core-euw3-security + - command: terraform deploy aws-config-eun1 -s core-eun1-security + - command: terraform deploy aws-config-sae1 -s core-sae1-security + + deploy/aws-config/superadmin: + 
description: Deploy AWS Config into accounts that require SuperAdmin to apply + steps: + - command: terraform deploy aws-config-use1 -s core-use1-identity + - command: terraform deploy aws-config-use1 -s core-use1-root + - command: terraform deploy aws-config-use2 -s core-use2-identity + - command: terraform deploy aws-config-use2 -s core-use2-root + - command: terraform deploy aws-config-usw1 -s core-usw1-identity + - command: terraform deploy aws-config-usw1 -s core-usw1-root + - command: terraform deploy aws-config-usw2 -s core-usw2-identity + - command: terraform deploy aws-config-usw2 -s core-usw2-root + - command: terraform deploy aws-config-aps1 -s core-aps1-identity + - command: terraform deploy aws-config-aps1 -s core-aps1-root + - command: terraform deploy aws-config-apne3 -s core-apne3-identity + - command: terraform deploy aws-config-apne3 -s core-apne3-root + - command: terraform deploy aws-config-apne2 -s core-apne2-identity + - command: terraform deploy aws-config-apne2 -s core-apne2-root + - command: terraform deploy aws-config-apne1 -s core-apne1-identity + - command: terraform deploy aws-config-apne1 -s core-apne1-root + - command: terraform deploy aws-config-apse1 -s core-apse1-identity + - command: terraform deploy aws-config-apse1 -s core-apse1-root + - command: terraform deploy aws-config-apse2 -s core-apse2-identity + - command: terraform deploy aws-config-apse2 -s core-apse2-root + - command: terraform deploy aws-config-cac1 -s core-cac1-identity + - command: terraform deploy aws-config-cac1 -s core-cac1-root + - command: terraform deploy aws-config-euc1 -s core-euc1-identity + - command: terraform deploy aws-config-euc1 -s core-euc1-root + - command: terraform deploy aws-config-euw1 -s core-euw1-identity + - command: terraform deploy aws-config-euw1 -s core-euw1-root + - command: terraform deploy aws-config-euw2 -s core-euw2-identity + - command: terraform deploy aws-config-euw2 -s core-euw2-root + - command: terraform deploy 
aws-config-euw3 -s core-euw3-identity + - command: terraform deploy aws-config-euw3 -s core-euw3-root + - command: terraform deploy aws-config-eun1 -s core-eun1-identity + - command: terraform deploy aws-config-eun1 -s core-eun1-root + - command: terraform deploy aws-config-sae1 -s core-sae1-identity + - command: terraform deploy aws-config-sae1 -s core-sae1-root + + deploy/security-hub/step1: + description: Deploy Security Hub to Delegated Administrator account (core-security) + steps: + - command: terraform deploy security-hub/delegated-administrator/use1 -s core-use1-security + - command: terraform deploy security-hub/delegated-administrator/use2 -s core-use2-security + - command: terraform deploy security-hub/delegated-administrator/usw1 -s core-usw1-security + - command: terraform deploy security-hub/delegated-administrator/usw2 -s core-usw2-security + - command: terraform deploy security-hub/delegated-administrator/aps1 -s core-aps1-security + - command: terraform deploy security-hub/delegated-administrator/apne3 -s core-apne3-security + - command: terraform deploy security-hub/delegated-administrator/apne2 -s core-apne2-security + - command: terraform deploy security-hub/delegated-administrator/apne1 -s core-apne1-security + - command: terraform deploy security-hub/delegated-administrator/apse1 -s core-apse1-security + - command: terraform deploy security-hub/delegated-administrator/apse2 -s core-apse2-security + - command: terraform deploy security-hub/delegated-administrator/cac1 -s core-cac1-security + - command: terraform deploy security-hub/delegated-administrator/euc1 -s core-euc1-security + - command: terraform deploy security-hub/delegated-administrator/euw1 -s core-euw1-security + - command: terraform deploy security-hub/delegated-administrator/euw2 -s core-euw2-security + - command: terraform deploy security-hub/delegated-administrator/euw3 -s core-euw3-security + - command: terraform deploy security-hub/delegated-administrator/eun1 -s 
core-eun1-security + - command: terraform deploy security-hub/delegated-administrator/sae1 -s core-sae1-security + + deploy/security-hub/step2: + description: Deploy Security Hub to AWS Organizations Management Account (core-root). You must be SuperAdmin to run this workflow. + steps: + - command: terraform deploy security-hub/root/use1 -s core-use1-root + - command: terraform deploy security-hub/root/use2 -s core-use2-root + - command: terraform deploy security-hub/root/usw1 -s core-usw1-root + - command: terraform deploy security-hub/root/usw2 -s core-usw2-root + - command: terraform deploy security-hub/root/aps1 -s core-aps1-root + - command: terraform deploy security-hub/root/apne3 -s core-apne3-root + - command: terraform deploy security-hub/root/apne2 -s core-apne2-root + - command: terraform deploy security-hub/root/apne1 -s core-apne1-root + - command: terraform deploy security-hub/root/apse1 -s core-apse1-root + - command: terraform deploy security-hub/root/apse2 -s core-apse2-root + - command: terraform deploy security-hub/root/cac1 -s core-cac1-root + - command: terraform deploy security-hub/root/euc1 -s core-euc1-root + - command: terraform deploy security-hub/root/euw1 -s core-euw1-root + - command: terraform deploy security-hub/root/euw2 -s core-euw2-root + - command: terraform deploy security-hub/root/euw3 -s core-euw3-root + - command: terraform deploy security-hub/root/eun1 -s core-eun1-root + - command: terraform deploy security-hub/root/sae1 -s core-sae1-root + + deploy/security-hub/step3: + description: Deploy Security Hub Organization Settings to Delegated Administrator account (core-security) + steps: + - command: terraform deploy security-hub/org-settings/use1 -s core-use1-security + - command: terraform deploy security-hub/org-settings/use2 -s core-use2-security + - command: terraform deploy security-hub/org-settings/usw1 -s core-usw1-security + - command: terraform deploy security-hub/org-settings/usw2 -s core-usw2-security + - command: 
terraform deploy security-hub/org-settings/aps1 -s core-aps1-security + - command: terraform deploy security-hub/org-settings/apne3 -s core-apne3-security + - command: terraform deploy security-hub/org-settings/apne2 -s core-apne2-security + - command: terraform deploy security-hub/org-settings/apne1 -s core-apne1-security + - command: terraform deploy security-hub/org-settings/apse1 -s core-apse1-security + - command: terraform deploy security-hub/org-settings/apse2 -s core-apse2-security + - command: terraform deploy security-hub/org-settings/cac1 -s core-cac1-security + - command: terraform deploy security-hub/org-settings/euc1 -s core-euc1-security + - command: terraform deploy security-hub/org-settings/euw1 -s core-euw1-security + - command: terraform deploy security-hub/org-settings/euw2 -s core-euw2-security + - command: terraform deploy security-hub/org-settings/euw3 -s core-euw3-security + - command: terraform deploy security-hub/org-settings/eun1 -s core-eun1-security + - command: terraform deploy security-hub/org-settings/sae1 -s core-sae1-security + + deploy/guardduty/step1: + description: Deploy GuardDuty to Delegated Administrator account (core-security) + steps: + - command: terraform deploy guardduty/delegated-administrator/use1 -s core-use1-security + - command: terraform deploy guardduty/delegated-administrator/use2 -s core-use2-security + - command: terraform deploy guardduty/delegated-administrator/usw1 -s core-usw1-security + - command: terraform deploy guardduty/delegated-administrator/usw2 -s core-usw2-security + - command: terraform deploy guardduty/delegated-administrator/aps1 -s core-aps1-security + - command: terraform deploy guardduty/delegated-administrator/apne3 -s core-apne3-security + - command: terraform deploy guardduty/delegated-administrator/apne2 -s core-apne2-security + - command: terraform deploy guardduty/delegated-administrator/apne1 -s core-apne1-security + - command: terraform deploy guardduty/delegated-administrator/apse1 
-s core-apse1-security + - command: terraform deploy guardduty/delegated-administrator/apse2 -s core-apse2-security + - command: terraform deploy guardduty/delegated-administrator/cac1 -s core-cac1-security + - command: terraform deploy guardduty/delegated-administrator/euc1 -s core-euc1-security + - command: terraform deploy guardduty/delegated-administrator/euw1 -s core-euw1-security + - command: terraform deploy guardduty/delegated-administrator/euw2 -s core-euw2-security + - command: terraform deploy guardduty/delegated-administrator/euw3 -s core-euw3-security + - command: terraform deploy guardduty/delegated-administrator/eun1 -s core-eun1-security + - command: terraform deploy guardduty/delegated-administrator/sae1 -s core-sae1-security + + deploy/guardduty/step2: + description: Deploy GuardDuty to AWS Organizations Management Account (core-root). You must be SuperAdmin to run this workflow. + steps: + - command: terraform deploy guardduty/root/use1 -s core-use1-root + - command: terraform deploy guardduty/root/use2 -s core-use2-root + - command: terraform deploy guardduty/root/usw1 -s core-usw1-root + - command: terraform deploy guardduty/root/usw2 -s core-usw2-root + - command: terraform deploy guardduty/root/aps1 -s core-aps1-root + - command: terraform deploy guardduty/root/apne3 -s core-apne3-root + - command: terraform deploy guardduty/root/apne2 -s core-apne2-root + - command: terraform deploy guardduty/root/apne1 -s core-apne1-root + - command: terraform deploy guardduty/root/apse1 -s core-apse1-root + - command: terraform deploy guardduty/root/apse2 -s core-apse2-root + - command: terraform deploy guardduty/root/cac1 -s core-cac1-root + - command: terraform deploy guardduty/root/euc1 -s core-euc1-root + - command: terraform deploy guardduty/root/euw1 -s core-euw1-root + - command: terraform deploy guardduty/root/euw2 -s core-euw2-root + - command: terraform deploy guardduty/root/euw3 -s core-euw3-root + - command: terraform deploy guardduty/root/eun1 
-s core-eun1-root + - command: terraform deploy guardduty/root/sae1 -s core-sae1-root + + deploy/guardduty/step3: + description: Deploy GuardDuty Organization Settings to Delegated Administrator account (core-security) + steps: + - command: terraform deploy guardduty/org-settings/use1 -s core-use1-security + - command: terraform deploy guardduty/org-settings/use2 -s core-use2-security + - command: terraform deploy guardduty/org-settings/usw1 -s core-usw1-security + - command: terraform deploy guardduty/org-settings/usw2 -s core-usw2-security + - command: terraform deploy guardduty/org-settings/aps1 -s core-aps1-security + - command: terraform deploy guardduty/org-settings/apne3 -s core-apne3-security + - command: terraform deploy guardduty/org-settings/apne2 -s core-apne2-security + - command: terraform deploy guardduty/org-settings/apne1 -s core-apne1-security + - command: terraform deploy guardduty/org-settings/apse1 -s core-apse1-security + - command: terraform deploy guardduty/org-settings/apse2 -s core-apse2-security + - command: terraform deploy guardduty/org-settings/cac1 -s core-cac1-security + - command: terraform deploy guardduty/org-settings/euc1 -s core-euc1-security + - command: terraform deploy guardduty/org-settings/euw1 -s core-euw1-security + - command: terraform deploy guardduty/org-settings/euw2 -s core-euw2-security + - command: terraform deploy guardduty/org-settings/euw3 -s core-euw3-security + - command: terraform deploy guardduty/org-settings/eun1 -s core-eun1-security + - command: terraform deploy guardduty/org-settings/sae1 -s core-sae1-security + + destroy/aws-config/global-collector: + description: Destroy AWS Config from accounts that require superadmin to apply + steps: + # Note that central region 'use1' and central account 'security' should be the last one destroyed + - command: terraform destroy aws-config-use2 -s core-use2-security -auto-approve + - command: terraform destroy aws-config-usw1 -s core-usw1-security -auto-approve + - 
command: terraform destroy aws-config-usw2 -s core-usw2-security -auto-approve + - command: terraform destroy aws-config-aps1 -s core-aps1-security -auto-approve + - command: terraform destroy aws-config-apne3 -s core-apne3-security -auto-approve + - command: terraform destroy aws-config-apne2 -s core-apne2-security -auto-approve + - command: terraform destroy aws-config-apne1 -s core-apne1-security -auto-approve + - command: terraform destroy aws-config-apse1 -s core-apse1-security -auto-approve + - command: terraform destroy aws-config-apse2 -s core-apse2-security -auto-approve + - command: terraform destroy aws-config-cac1 -s core-cac1-security -auto-approve + - command: terraform destroy aws-config-euc1 -s core-euc1-security -auto-approve + - command: terraform destroy aws-config-euw1 -s core-euw1-security -auto-approve + - command: terraform destroy aws-config-euw2 -s core-euw2-security -auto-approve + - command: terraform destroy aws-config-euw3 -s core-euw3-security -auto-approve + - command: terraform destroy aws-config-eun1 -s core-eun1-security -auto-approve + - command: terraform destroy aws-config-sae1 -s core-sae1-security -auto-approve + - command: terraform destroy aws-config-use1 -s core-use1-security -auto-approve + + deploy/audit-manager-bucket: + description: Deploy bucket to hold Audit Manager finders + steps: + - command: terraform deploy s3-bucket/audit-manager -s core-use1-security + + deploy/route53-resolver-dns-firewall-buckets: + description: Deploy Route53 Firewall S3 Buckets + steps: + - command: terraform deploy route53-resolver-dns-firewall-logs -s plat-use1-dev + - command: terraform deploy route53-resolver-dns-firewall-logs -s plat-use1-prod + - command: terraform deploy route53-resolver-dns-firewall-logs -s plat-use1-sandbox + - command: terraform deploy route53-resolver-dns-firewall-logs -s plat-use1-staging + + deploy/route53-resolver-dns-firewall: + description: Deploy Route53 Firewall + steps: + - command: terraform deploy 
route53-resolver-dns-firewall/dev -s plat-use1-dev + - command: terraform deploy route53-resolver-dns-firewall/prod -s plat-use1-prod + - command: terraform deploy route53-resolver-dns-firewall/sandbox -s plat-use1-sandbox + - command: terraform deploy route53-resolver-dns-firewall/staging -s plat-use1-staging + + deploy/aws-shield: + description: Deploys AWS Shield + steps: + - command: terraform deploy aws-shield -s plat-use1-dev + - command: terraform deploy aws-shield -s plat-use1-prod + - command: terraform deploy aws-shield -s plat-use1-sandbox + - command: terraform deploy aws-shield -s plat-use1-staging + + deploy/aws-inspector2/step1: + description: Configure AWS Delegated Administrator account across all regions for AWS Inspector + steps: + - command: terraform deploy aws-inspector2/delegate-orgadmin/use1 -s core-use1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/use2 -s core-use2-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/usw1 -s core-usw1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/usw2 -s core-usw2-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/aps1 -s core-aps1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/apne3 -s core-apne3-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/apne2 -s core-apne2-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/apne1 -s core-apne1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/apse1 -s core-apse1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/apse2 -s core-apse2-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/cac1 -s core-cac1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/euc1 -s core-euc1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/euw1 -s core-euw1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/euw2 -s core-euw2-root + - command: terraform 
deploy aws-inspector2/delegate-orgadmin/euw3 -s core-euw3-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/eun1 -s core-eun1-root + - command: terraform deploy aws-inspector2/delegate-orgadmin/sae1 -s core-sae1-root + + deploy/aws-inspector2/step2: + description: Deploy to the Delegated Administrator account to establish organization wide configuration + steps: + # There is a bug that tries to deploy Lambda Code scanning even though it's not enabled + # https://github.com/hashicorp/terraform-provider-aws/issues/34039 + # For now, we'll enable Inspector only in regions that support Lambda Code scanning + - command: terraform deploy aws-inspector2/org-settings/use1 -s core-use1-security + - command: terraform deploy aws-inspector2/org-settings/use2 -s core-use2-security + - command: terraform deploy aws-inspector2/org-settings/usw2 -s core-usw2-security + - command: terraform deploy aws-inspector2/org-settings/apne1 -s core-apne1-security + - command: terraform deploy aws-inspector2/org-settings/apse1 -s core-apse1-security + - command: terraform deploy aws-inspector2/org-settings/apse2 -s core-apse2-security + - command: terraform deploy aws-inspector2/org-settings/euc1 -s core-euc1-security + - command: terraform deploy aws-inspector2/org-settings/euw1 -s core-euw1-security + - command: terraform deploy aws-inspector2/org-settings/euw2 -s core-euw2-security + - command: terraform deploy aws-inspector2/org-settings/eun1 -s core-eun1-security diff --git a/examples/snippets/stacks/workflows/quickstart/monitor/datadog.yaml b/examples/snippets/stacks/workflows/quickstart/monitor/datadog.yaml new file mode 100644 index 000000000..d9541e74c --- /dev/null +++ b/examples/snippets/stacks/workflows/quickstart/monitor/datadog.yaml 
@@ -0,0 +1,159 @@
+
+workflows:
+ all:
+ description: run all workflows
+ steps:
+ - command: workflow init -f quickstart/monitor/datadog
+ - command: workflow vendor -f quickstart/monitor/datadog
+ - command: workflow deploy/datadog-configuration -f quickstart/monitor/datadog
+ - command: workflow deploy/datadog-integration -f quickstart/monitor/datadog
+# - command: workflow deploy/datadog-logs-archive -f quickstart/monitor/datadog
+ - command: workflow deploy/datadog-monitor -f quickstart/monitor/datadog
+ - command: workflow deploy/datadog-lambda-forwarder -f quickstart/monitor/datadog
+ - command: workflow deploy/datadog-agent -f quickstart/monitor/datadog
+ - command: workflow deploy/datadog-synthetics-private-location -f quickstart/monitor/datadog
+ - command: workflow deploy/datadog-private-location-ecs -f quickstart/monitor/datadog
+
+ init:
+ description: Prompt for uploading Datadog API Key to AWS SSM
+ steps:
+ - type: shell
+ command: |-
+ echo "Please enter a Datadog API Key"
+
+ stty -echo
+ read -p "API Key: " -r API_KEY
+ stty echo
+ if [ -z "$API_KEY" ]
+ then
+ echo 'Inputs cannot be blank please try again!'
+ exit 0
+ fi
+ if ! [[ "$API_KEY" =~ "^[a-zA-Z0-9-]{32}$" ]]
+ then
+ echo "Invalid API Key"
+ echo "HINT: The API key ID is displayed as an upper-case, 32-character alphanumeric value."
+ exit 0
+ fi
+
+ stty -echo
+ read -p "APP Key: " -r APP_KEY
+ stty echo
+ if [ -z "$APP_KEY" ]
+ then
+ echo 'Inputs cannot be blank please try again!'
+ exit 0
+ fi
+ if ! [[ "$APP_KEY" =~ "^[a-zA-Z0-9]{40}$" ]]
+ then
+ echo "Invalid APP Key"
+ exit 0
+ fi
+
+ AWS_PROFILE=acme-core-gbl-auto-admin aws ssm put-parameter --name /datadog/default/datadog_api_key --value $API_KEY --type SecureString
+ AWS_PROFILE=acme-core-gbl-auto-admin aws ssm put-parameter --name /datadog/default/datadog_app_key --value $APP_KEY --type SecureString
+
+ vendor:
+ description: vendor dependencies
+ steps:
+ - command: vendor pull --component datadog-configuration
+ - command: vendor pull --component datadog-integration
+ - command: vendor pull --component datadog-lambda-forwarder
+ - command: vendor pull --component datadog-monitor
+ #- command: vendor pull --component datadog-logs-archive
+ - command: vendor pull --component eks/datadog-agent
+ - command: vendor pull --component datadog-synthetics-private-location
+ - command: vendor pull --component datadog-private-location-ecs
+
+ deploy/datadog-configuration:
+ description: deploys all datadog-configuration components
+ steps:
+ - command: terraform deploy datadog-configuration -s core-gbl-artifacts
+ - command: terraform deploy datadog-configuration -s core-gbl-audit
+ - command: terraform deploy datadog-configuration -s core-gbl-auto
+ - command: terraform deploy datadog-configuration -s core-gbl-dns
+ - command: terraform deploy datadog-configuration -s core-gbl-network
+ - command: terraform deploy datadog-configuration -s core-gbl-security
+ - command: terraform deploy datadog-configuration -s plat-gbl-sandbox
+ - command: terraform deploy datadog-configuration -s plat-gbl-dev
+ - command: terraform deploy datadog-configuration -s plat-gbl-staging
+ - command: terraform deploy datadog-configuration -s plat-gbl-prod
+
+ deploy/datadog-integration:
+ description: deploys all datadog-integration components
+ steps:
+ - command: terraform deploy datadog-integration -s core-gbl-artifacts
+ - command: terraform deploy datadog-integration -s core-gbl-audit
+ - command: terraform deploy datadog-integration -s core-gbl-auto
+ - command: terraform deploy datadog-integration -s core-gbl-dns
+ - command: terraform deploy datadog-integration -s core-gbl-network
+ - command: terraform deploy datadog-integration -s core-gbl-security
+ - command: terraform deploy datadog-integration -s plat-gbl-sandbox
+ - command: terraform deploy datadog-integration -s plat-gbl-dev
+ - command: terraform deploy datadog-integration -s plat-gbl-staging
+ - command: terraform deploy datadog-integration -s plat-gbl-prod
+
+# deploy/datadog-logs-archive:
+# description: deploys all datadog-logs-archive components
+# steps:
+# - command: terraform deploy datadog-logs-archive -s core-gbl-artifacts
+# - command: terraform deploy datadog-logs-archive -s core-gbl-audit
+# - command: terraform deploy datadog-logs-archive -s core-gbl-auto
+# - command: terraform deploy datadog-logs-archive -s core-gbl-dns
+# - command: terraform deploy datadog-logs-archive -s core-gbl-network
+# - command: terraform deploy datadog-logs-archive -s core-gbl-security
+# - command: terraform deploy datadog-logs-archive -s plat-gbl-sandbox
+# - command: terraform deploy datadog-logs-archive -s plat-gbl-dev
+# - command: terraform deploy datadog-logs-archive -s plat-gbl-staging
+# - command: terraform deploy datadog-logs-archive -s plat-gbl-prod
+
+ deploy/datadog-monitor:
+ description: deploys all datadog-monitor components
+ steps:
+ - command: terraform deploy datadog-monitor -s core-gbl-auto
+ - command: terraform deploy datadog-monitor -s plat-gbl-sandbox
+ - command: terraform deploy datadog-monitor -s plat-gbl-dev
+ - command: terraform deploy datadog-monitor -s plat-gbl-staging
+ - command: terraform deploy datadog-monitor -s plat-gbl-prod
+
+ deploy/datadog-lambda-forwarder:
+ description: deploys all datadog-lambda-forwarder components
+ steps:
+ - command: terraform deploy datadog-lambda-forwarder -s core-use1-artifacts
+ - command: terraform deploy datadog-lambda-forwarder -s core-use1-audit
+ - command: terraform deploy datadog-lambda-forwarder -s core-use1-auto
+ - command: terraform deploy datadog-lambda-forwarder -s core-use1-dns
+ - command: terraform deploy datadog-lambda-forwarder -s core-use1-network
+ - command: terraform deploy datadog-lambda-forwarder -s core-use1-security
+ - command: terraform deploy datadog-lambda-forwarder -s plat-use1-sandbox
+ - command: terraform deploy datadog-lambda-forwarder -s plat-use1-dev
+ - command: terraform deploy datadog-lambda-forwarder -s plat-use1-staging
+ - command: terraform deploy datadog-lambda-forwarder -s plat-use1-prod
+
+
+ deploy/datadog-agent:
+ description: deploys all datadog-agent components
+ steps:
+ - command: terraform deploy eks/datadog-agent -s core-use1-auto
+ - command: terraform deploy eks/datadog-agent -s plat-use1-dev
+ - command: terraform deploy eks/datadog-agent -s plat-use1-staging
+ - command: terraform deploy eks/datadog-agent -s plat-use1-prod
+
+ deploy/datadog-synthetics-private-location:
+ description: deploys all datadog-synthetics-private-location components
+ steps:
+ - command: terraform deploy datadog-synthetics-private-location -s core-use1-auto
+ - command: terraform deploy datadog-synthetics-private-location -s plat-use1-dev
+ - command: terraform deploy datadog-synthetics-private-location -s plat-use1-staging
+ - command: terraform deploy datadog-synthetics-private-location -s plat-use1-prod
+
+
+ deploy/datadog-private-location-ecs:
+ description: deploys all datadog-private-location-ecs components
+ steps:
+ - command: terraform deploy datadog-private-location-ecs -s core-use1-auto
+ - command: terraform deploy datadog-private-location-ecs -s plat-use1-sandbox
+ - command: terraform deploy datadog-private-location-ecs -s plat-use1-dev
+ - command: terraform deploy datadog-private-location-ecs -s plat-use1-staging
+ - command: terraform deploy datadog-private-location-ecs -s plat-use1-prod
+
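Review bot: The key validation in `init` can never succeed because the right-hand side of `=~` is quoted (`[[ "$API_KEY" =~ "^[a-zA-Z0-9-]{32}$" ]]`, and likewise for `APP_KEY`); bash matches a quoted pattern as a literal string, so every input lands in the `Invalid API Key` branch and the two `put-parameter` calls are unreachable. Each failure branch also ends with `exit 0`, so the step reports success and the `all` workflow presumably carries on to `vendor` and the `deploy/*` steps with no key in SSM; those should be `exit 1`. The values in the `put-parameter` calls should be quoted (`--value "$API_KEY"`), and it is worth a comment that a secret passed as a CLI argument is visible in the host's process list while the call runs. The rewritten script below keeps the prompts and the `stty` handling unchanged.
```yaml
        command: |-
          # … unchanged: prompt, read -r API_KEY with echo off …
          if [ -z "$API_KEY" ]
          then
            echo 'Inputs cannot be blank please try again!'
            exit 1   # was exit 0: a failed prompt must not report success to the workflow
          fi
          # pattern must be unquoted: a quoted right-hand side of =~ is matched as a literal string
          if ! [[ "$API_KEY" =~ ^[a-zA-Z0-9-]{32}$ ]]
          then
            # … unchanged: error and hint messages …
            exit 1
          fi
          # … unchanged: read -r APP_KEY, blank check (also exit 1) …
          if ! [[ "$APP_KEY" =~ ^[a-zA-Z0-9]{40}$ ]]
          then
            echo "Invalid APP Key"
            exit 1
          fi
          # the secret is passed as an argv value and is visible in the process list while each call runs
          AWS_PROFILE=acme-core-gbl-auto-admin aws ssm put-parameter --name /datadog/default/datadog_api_key --value "$API_KEY" --type SecureString
          AWS_PROFILE=acme-core-gbl-auto-admin aws ssm put-parameter --name /datadog/default/datadog_app_key --value "$APP_KEY" --type SecureString
```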
diff --git a/examples/snippets/stacks/workflows/quickstart/monitor/grafana.yaml b/examples/snippets/stacks/workflows/quickstart/monitor/grafana.yaml
new file mode 100644
index 000000000..37a7119cb
--- /dev/null
+++ b/examples/snippets/stacks/workflows/quickstart/monitor/grafana.yaml
@@ -0,0 +1,43 @@
+
+workflows:
+ all:
+ description: run all workflows
+ steps:
+ - command: workflow vendor -f quickstart/monitor/grafana
+ - command: workflow deploy -f quickstart/monitor/grafana
+
+ vendor:
+ description: vendor dependencies
+ steps:
+ - command: vendor pull --component
+
+ deploy:
+ description: deploys all Grafana data sources into plat accounts
+ steps:
+ - command: workflow deploy/data-sources -s plat-use1-dev -f quickstart/monitor/grafana
+ - command: workflow deploy/data-sources -s plat-use1-staging -f quickstart/monitor/grafana
+ - command: workflow deploy/data-sources -s plat-use1-prod -f quickstart/monitor/grafana
+ - command: workflow deploy/grafana -s core-use1-auto -f quickstart/monitor/grafana
+
+ deploy/data-sources:
+ description: deploys all Grafana data sources into a given stack
+ steps:
+ - command: terraform deploy prometheus
+ - command: terraform deploy eks/prometheus-scraper
+ - command: terraform deploy eks/loki
+ - command: terraform deploy eks/promtail
+ - type: shell
+ command: |-
+ echo "Now update the eks/cluster map_additional_iam_roles and reapply eks/cluster"
+
+ deploy/grafana:
+ description: deploys centralized Grafana and all sub components
+ steps:
+ - command: terraform deploy grafana -s core-use1-auto
+ - command: terraform deploy grafana/api-key -s core-use1-auto
+ - command: terraform deploy grafana/dashboard/plat-dev-prometheus -s core-use1-auto
+ - command: terraform deploy grafana/dashboard/plat-dev-loki -s core-use1-auto
+ - command: terraform deploy grafana/dashboard/plat-staging-prometheus -s core-use1-auto
+ - command: terraform deploy grafana/dashboard/plat-staging-loki -s core-use1-auto
+ - command: terraform deploy grafana/dashboard/plat-prod-prometheus -s core-use1-auto
+ - command: terraform deploy grafana/dashboard/plat-prod-loki -s core-use1-auto
\ No newline at end of file
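Review bot: The `vendor` workflow's only step is `vendor pull --component` with no component name, so it vendors nothing (or fails on the missing argument) and the `all` workflow then runs `deploy` against components that were never pulled; the deploy steps reference `prometheus`, `eks/prometheus-scraper`, `eks/loki`, `eks/promtail`, `grafana`, `grafana/api-key` and the `grafana/dashboard/*` components, so one `- command: vendor pull --component <name>` per component is needed, as the datadog workflow in this same commit does. The shell step closing `deploy/data-sources` only prints a reminder to update `map_additional_iam_roles` and reapply `eks/cluster`; since the workflow does not perform that step itself, the `deploy` description should state that a run is incomplete until it is done by hand. The file also lacks a trailing newline.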
diff --git a/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml b/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml index f85997d4e..4e15f5ae8 100644 --- a/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml +++ b/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml @@ -1,13 +1,12 @@ - workflows: - all: - description: run all workflows + description: | + This workflow vendors and deploys all ECS related components to the latest provided version steps: - - command: workflow vendor -f ecs - - command: workflow deploy/ecs-acm -f ecs - - command: workflow deploy/clusters -f ecs - - command: workflow deploy/echo-server -f ecs + - command: workflow vendor -f quickstart/platform/ecs + - command: workflow deploy/ecs-acm -f quickstart/platform/ecs + - command: workflow deploy/clusters -f quickstart/platform/ecs + - command: workflow deploy/echo-server -f quickstart/platform/ecs vendor: description: | @@ -20,7 +19,6 @@ workflows: description: | This workflow deploys ACM for platform ECS Cluster ALBs steps: - - command: terraform deploy ecs/platform/acm -s plat-use1-sandbox - command: terraform deploy ecs/platform/acm -s plat-use1-dev - command: terraform deploy ecs/platform/acm -s plat-use1-staging - command: terraform deploy ecs/platform/acm -s plat-use1-prod @@ -29,7 +27,6 @@ workflows: description: | This workflow deploys ECS Clusters steps: - - command: terraform deploy ecs/cluster -s plat-use1-sandbox - command: terraform deploy ecs/cluster -s plat-use1-dev - command: terraform deploy ecs/cluster -s plat-use1-staging - command: terraform deploy ecs/cluster -s plat-use1-prod 
@@ -38,11 +35,9 @@ workflows: description: | This workflow Deploys the echo server to the clusters steps: - - command: terraform deploy ecs/platform/service/echo-server -s plat-use1-sandbox - command: terraform deploy ecs/platform/service/echo-server -s plat-use1-dev - command: terraform deploy ecs/platform/service/echo-server -s plat-use1-staging - command: terraform deploy ecs/platform/service/echo-server -s plat-use1-prod - - command: terraform deploy ecs/platform/service/echo-server-private -s plat-use1-sandbox - command: terraform deploy ecs/platform/service/echo-server-private -s plat-use1-dev - command: terraform deploy ecs/platform/service/echo-server-private -s plat-use1-staging - command: terraform deploy ecs/platform/service/echo-server-private -s plat-use1-prod @@ -51,11 +46,9 @@ workflows: description: | This workflow Deploys the echo server to the clusters steps: - - command: terraform destroy ecs/platform/service/echo-server -s plat-use1-sandbox -auto-approve - command: terraform destroy ecs/platform/service/echo-server -s plat-use1-dev -auto-approve - command: terraform destroy ecs/platform/service/echo-server -s plat-use1-staging -auto-approve - command: terraform destroy ecs/platform/service/echo-server -s plat-use1-prod -auto-approve - - command: terraform destroy ecs/platform/service/echo-server-private -s plat-use1-sandbox -auto-approve - command: terraform destroy ecs/platform/service/echo-server-private -s plat-use1-dev -auto-approve - command: terraform destroy ecs/platform/service/echo-server-private -s plat-use1-staging -auto-approve - command: terraform destroy ecs/platform/service/echo-server-private -s plat-use1-prod -auto-approve 
@@ -64,7 +57,6 @@ workflows: description: | This workflow deploys ECS Clusters steps: - - command: terraform destroy ecs/cluster -s plat-use1-sandbox -auto-approve - command: terraform destroy ecs/cluster -s plat-use1-dev -auto-approve - command: terraform destroy ecs/cluster -s plat-use1-staging -auto-approve - command: terraform destroy ecs/cluster -s plat-use1-prod -auto-approve diff --git a/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml b/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml index 2edea6b04..b4469eede 100644 --- a/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml +++ b/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml @@ -1,5 +1,11 @@ - workflows: + all: + description: | + This workflow vendors and deploys all EKS related components to the latest provided version + steps: + - command: workflow vendor -f quickstart/platform/eks + - command: workflow deploy -f quickstart/platform/eks + vendor: description: | This workflow vendors all EKS related components to the latest provided version 
@@ -20,6 +26,18 @@ workflows: - command: vendor pull --component eks/echo-server - command: vendor pull --component eks/idp-roles + deploy: + description: | + This workflow deploys all EKS related components to the latest provided version + steps: + - command: workflow deploy/iam-service-linked-roles -f quickstart/platform/eks + - command: workflow deploy/cluster -f quickstart/platform/eks -s plat-use1-dev + - command: workflow deploy/resources -f quickstart/platform/eks -s plat-use1-dev + - command: workflow deploy/cluster -f quickstart/platform/eks -s plat-use1-staging + - command: workflow deploy/resources -f quickstart/platform/eks -s plat-use1-staging + - command: workflow deploy/cluster -f quickstart/platform/eks -s plat-use1-prod + - command: workflow deploy/resources -f quickstart/platform/eks -s plat-use1-prod + deploy/iam-service-linked-roles: description: | This workflow deploys IAM Service Linked Roles required for EKS and Karpenter 
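Review bot: The new `deploy` workflow applies `deploy/cluster` and `deploy/resources` for `plat-use1-dev`, `plat-use1-staging` and `plat-use1-prod` in a single invocation, and `all` chains it straight after `vendor`, so one `workflow all` run reaches production with no pause between stages; the description should say so, e.g. `This workflow deploys all EKS related components to dev, staging and prod in sequence; run deploy/cluster or deploy/resources with -s to target a single stack`. `deploy/cluster` is referenced here but defined outside this hunk, and the enclosing `workflows:` map continues beyond it.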
@@ -40,6 +58,28 @@ workflows: - command: terraform deploy efs - command: terraform deploy eks/storage-class + deploy/resources: + description: | + This workflow creates or updates all shared components in an + EKS cluster. It is especially useful for (re)creating a cluster + in a given stack (e.g. bringing up a cluster in a new region). + + This is stack agnostic, ensure you pass in the `-s ${tenant}-${region}-${stage}` + argument. + steps: + - command: terraform deploy eks/karpenter + - command: terraform deploy eks/karpenter-node-pool + - command: terraform deploy eks/external-secrets-operator + - command: terraform deploy eks/idp-roles + - command: terraform deploy eks/external-dns + - command: terraform deploy eks/reloader + - command: terraform deploy eks/metrics-server + - command: terraform deploy eks/cert-manager + - command: terraform deploy eks/alb-controller + - command: terraform deploy eks/alb-controller-ingress-group + - command: terraform deploy eks/alb-controller-ingress-group/internal + - command: terraform deploy eks/echo-server + destroy/cluster: description: | *CAUTION* This workflow destroys an EKS cluster 
@@ -75,25 +115,3 @@ workflows: - command: terraform destroy eks/karpenter -auto-approve - command: terraform destroy eks/storage-class - command: terraform destroy eks/cluster -auto-approve - - deploy/resources: - description: | - This workflow creates or updates all shared components in an - EKS cluster. It is especially useful for (re)creating a cluster - in a given stack (e.g. bringing up a cluster in a new region). - - This is stack agnostic, ensure you pass in the `-s ${tenant}-${region}-${stage}` - argument. - steps: - - command: terraform deploy eks/karpenter - - command: terraform deploy eks/karpenter-node-pool - - command: terraform deploy eks/external-secrets-operator - - command: terraform deploy eks/idp-roles - - command: terraform deploy eks/external-dns - - command: terraform deploy eks/reloader - - command: terraform deploy eks/metrics-server - - command: terraform deploy eks/cert-manager - - command: terraform deploy eks/alb-controller - - command: terraform deploy eks/alb-controller-ingress-group - - command: terraform deploy eks/alb-controller-ingress-group/internal - - command: terraform deploy eks/echo-server