diff --git a/examples/snippets/.github/workflows/atmos-components-updater.yml b/examples/snippets/.github/workflows/atmos-components-updater.yml
index fd0b03a15..ac0b6ec6b 100644
--- a/examples/snippets/.github/workflows/atmos-components-updater.yml
+++ b/examples/snippets/.github/workflows/atmos-components-updater.yml
@@ -4,14 +4,15 @@ on:
 workflow_dispatch: {}
 schedule:
- - cron: 0 8 * * *
+ - cron: "0 8 * * *"
 jobs:
 update:
 environment: atmos
 runs-on:
- - self-hosted
- - terraform
+ - "runs-on=${{ github.run_id }}"
+ - "runner=small"
+ - "private=false"
 steps:
 - name: "Checkout source code at current commit"
 uses: actions/checkout@v4
diff --git a/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml b/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml
deleted file mode 100644
index 4ca9c5fc3..000000000
--- a/examples/snippets/.github/workflows/atmos-pro-terraform-apply.yaml
+++ /dev/null
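Review bot: The new `- "private=false"` label on the `update` job asks runs-on for a runner placed with a public IP address (as I read the runs-on label semantics — please confirm), which a scheduled job whose visible steps only check out the repository does not obviously need. If a public address is not required, `- "private=true"` keeps the runner on a private subnet; if it is required (for instance because the runs-on VPC has no NAT path for egress), a one-line comment above the label saying so would stop the next reader from flipping it. The same label is added to every other job touched by this commit, so whatever the answer is applies there as well. The job's remaining steps are outside the hunk, so I cannot tell whether anything later in the job actually needs inbound reachability.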
@@ -1,63 +0,0 @@ -name: 👽 Atmos Pro Terraform Apply -run-name: apply ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id}} - -on: - workflow_dispatch: - inputs: - atmos_pro_run_id: - description: "Atmos Pro Run ID" - type: string - sha: - description: "Commit SHA" - type: string - component: - description: "Component" - required: true - type: string - stack: - description: "Stack" - required: true - type: string - github_environment: - description: "GitHub Environment" - required: true - type: string - -# Avoid running the same stack in parallel mode (from different workflows) -# This applied to across workflows to both plan and apply -concurrency: - group: "${{ inputs.stack }}-${{ inputs.component }}" - cancel-in-progress: false - -permissions: - id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout - -jobs: - atmos-apply: - name: ${{ inputs.component }}-${{ inputs.stack }} - - # The GitHub environment is defined in Atmos Pro settings. - # Typically this is - - environment: ${{ inputs.github_environment }} - - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - - steps: - - uses: runs-on/action@v1 - - uses: unfor19/install-aws-cli-action@v1 - - - name: Apply Atmos Component - uses: cloudposse/github-action-atmos-terraform-apply@v4 - with: - # Atmos Pro args - component: ${{ inputs.component }} - stack: ${{ inputs.stack }} - sha: ${{ inputs.sha }} - # Atmos required configuration - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} diff --git a/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml b/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml deleted file mode 100644 index bae6ff145..000000000 --- a/examples/snippets/.github/workflows/atmos-pro-terraform-plan.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ -name: 👽 Atmos Pro Terraform Plan -run-name: plan ${{ inputs.component }}/${{ inputs.stack }}/${{ inputs.atmos_pro_run_id}} - -on: - workflow_dispatch: - inputs: - atmos_pro_run_id: - description: "Atmos Pro Run ID" - type: string - sha: - description: "Commit SHA" - type: string - component: - description: "Component" - required: true - type: string - stack: - description: "Stack" - required: true - type: string - -# Avoid running the same stack in parallel mode (from different workflows) -# This applied to across workflows to both plan and apply -concurrency: - group: "${{ inputs.stack }}-${{ inputs.component }}" - cancel-in-progress: false - -permissions: - id-token: write # This is required for requesting the JWT (OIDC) token - contents: read # This is required for actions/checkout - -jobs: - atmos-plan: - name: ${{ inputs.component }}-${{ inputs.stack }} - - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=terraform" - - "tag=${{ inputs.component }}-${{ inputs.stack }}" - - "private=false" - - steps: - - uses: runs-on/action@v1 - - uses: unfor19/install-aws-cli-action@v1 - - - name: Plan Atmos Component - uses: cloudposse/github-action-atmos-terraform-plan@v5 - with: - # Atmos Pro args - component: ${{ inputs.component }} - stack: ${{ inputs.stack }} - sha: ${{ inputs.sha }} - # Atmos required configuration - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} diff --git a/examples/snippets/.github/workflows/atmos-pro.yaml b/examples/snippets/.github/workflows/atmos-pro.yaml deleted file mode 100644 index 4ab4fef29..000000000 --- a/examples/snippets/.github/workflows/atmos-pro.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ -name: 👽 Atmos Pro Determine Affected Stacks -run-name: 👽 Atmos Pro Determine Affected Stacks - -# Atmos Pro reacts to events defined in the Atmos stack settings -# and will trigger the appropriate workflows for the given event. -# -# For example, pull requests opened, synchronize, and reopened will trigger plan workflows. -# Whereas pull requests merged will trigger apply workflows -on: - pull_request: - types: - - opened - - synchronize - - reopened - - closed - branches: - - main - -# Avoid conflicting workflow triggers. -# For example, wait to trigger apply until plan has been triggered -concurrency: - group: "${{ github.ref }}" - cancel-in-progress: false - -permissions: - id-token: write # This is required for requesting the JWT (OIDC) token - contents: read # This is required for actions/checkout - -jobs: - affected: - name: Trigger Affected Stacks - - runs-on: - - "runs-on=${{ github.run_id }}" - - "runner=small" - - "tag=affected-stacks" - - "private=false" - - # Trigger Atmos Pro for Pull Request plan events and specifically closed PRs that have been merged (not just closed) - if: github.event.action != 'closed' || (github.event.action == 'closed' && github.event.pull_request.merged == true) - - steps: - - uses: runs-on/action@v1 - - name: Checkout - # For merged PRs, we will need to checkout the base branch to get the correct base branch SHA. - # This isn't necessary for other events. - if: github.event.action == 'closed' - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Fetch all history for all branches and tags - - # For merged PRs, we want to use 1 previous commit from the base branch SHA - # This is because by the time this workflow runs, the PR branch has already been merged. - # It's critical to use the base branch SHA to get the correct changes, not the previous commit from the PR branch. 
- - name: Determine previous commit on base branch - id: get_parent - if: github.event.action == 'closed' - shell: bash - run: | - # For squash merges, github.event.pull_request.base.sha represents the state of the base branch - # when the PR was created (or last updated). This may be stale compared to the actual commit - # on the main branch at the time of the merge. Using 'HEAD~1' after the merge ensures we get - # the commit that was the tip of main immediately before the squash merge commit was added. - echo "Merge commit: $(git rev-parse HEAD)" - PARENT=$(git rev-parse HEAD~1) - echo "Parent (base) commit: $PARENT" - echo "merge_commit=$MERGE_COMMIT" >> "$GITHUB_OUTPUT" - echo "parent_commit=$PARENT" >> "$GITHUB_OUTPUT" - - - name: Determine Affected Stacks - id: affected - uses: cloudposse/github-action-atmos-affected-stacks@v6 - env: - ATMOS_PRO_WORKSPACE_ID: ${{ vars.ATMOS_PRO_WORKSPACE_ID }} - with: - atmos-version: ${{ vars.ATMOS_VERSION }} - atmos-config-path: ${{ vars.ATMOS_CONFIG_PATH }} - atmos-pro-upload: true - # Compare the head of the PR to the base of the PR if the PR is not merged. - # If the PR is merged, compare the head of the PR to 1 previous commit on the base branch. - head-ref: ${{ github.event.pull_request.head.sha }} - base-ref: ${{ github.event.action == 'closed' && steps.get_parent.outputs.parent_commit || github.event.pull_request.base.sha }} diff --git a/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml b/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml index 8748c7271..8d380cbe1 100644 --- a/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml +++ b/examples/snippets/.github/workflows/atmos-terraform-apply-matrix.yaml 
@@ -31,9 +31,11 @@ jobs:
 atmos-apply:
 if: ${{ inputs.stacks != '{include:[]}' }}
 name: ${{ matrix.stack_slug }}
- runs-on:
- - self-hosted
- - terraform
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 strategy:
 max-parallel: 10
 fail-fast: false # Don't fail fast to avoid locking TF State
diff --git a/examples/snippets/.github/workflows/atmos-terraform-apply.yaml b/examples/snippets/.github/workflows/atmos-terraform-apply.yaml
index fb2d6ed3d..5438fe22e 100644
--- a/examples/snippets/.github/workflows/atmos-terraform-apply.yaml
+++ b/examples/snippets/.github/workflows/atmos-terraform-apply.yaml
@@ -34,9 +34,11 @@ jobs:
 name: Determine Affected Stacks
 if: needs.pr.outputs.no-apply == 'false'
 needs: ["pr"]
- runs-on:
- - self-hosted
- - terraform
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 steps:
 - id: affected
 uses: cloudposse/github-action-atmos-affected-stacks@v4
diff --git a/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml b/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml
index 1b1831946..e1f10cb52 100644
--- a/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml
+++ b/examples/snippets/.github/workflows/atmos-terraform-dispatch.yaml
@@ -28,9 +28,11 @@ permissions:
 jobs:
 dispatch-id:
- runs-on:
- - self-hosted
- - terraform
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 steps:
 - name: echo Distinct ID ${{ github.event.inputs.distinct_id }}
 run: echo ${{ github.event.inputs.distinct_id }}
diff --git a/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml b/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml
index 0a630491e..86fd8e69d 100644
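Review bot: The added `- "tag=${{ inputs.component }}-${{ inputs.stack }}"` label references `inputs.component` and `inputs.stack`, which none of the jobs in this hunk appear to define — the matrix job names itself from `matrix.stack_slug` and gates on `inputs.stacks`, and the dispatch job only reads `github.event.inputs.distinct_id` — so the label most likely renders as `tag=-`, since an undefined input expands to the empty string. It looks copied from the deleted atmos-pro workflows, where both inputs existed; for the matrix jobs `- "tag=${{ matrix.stack_slug }}"` carries the intended meaning, and for the other jobs a fixed tag (the deleted atmos-pro.yaml used `tag=affected-stacks`) or simply dropping the line is safer. The same line is added in the atmos-terraform-apply and atmos-terraform-dispatch hunks here, in both atmos-terraform-drift-detection hunks, in both atmos-terraform-drift-remediation hunks, and in the atmos-terraform-plan-matrix and atmos-terraform-plan hunks. Separately, the dispatch hunk's context line `run: echo ${{ github.event.inputs.distinct_id }}` interpolates a workflow input straight into the shell script; passing it via `env:` and referencing `"$DISTINCT_ID"` avoids expression injection and is worth doing while the job is being edited. Each workflow's `inputs` block is outside the hunk, so the missing-input claim is inferred from the visible lines.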
--- a/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml
+++ b/examples/snippets/.github/workflows/atmos-terraform-drift-detection.yaml
@@ -17,9 +17,11 @@ permissions:
 jobs:
 select-components:
 name: Select Components
- runs-on:
- - self-hosted
- - terraform
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 steps:
 - name: Selected Components
 id: components
@@ -54,10 +56,14 @@ jobs:
 needs: ["plan-atmos-components"]
 if: always()
 name: Reconcile issues
- runs-on: ['self-hosted', 'terraform']
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 steps:
 - name: Drift Detection
 uses: cloudposse/github-action-atmos-terraform-drift-detection@v2
 with:
- max-opened-issues: '25'
+ max-opened-issues: '10'
 process-all: 'true'
diff --git a/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml b/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml
index e7599a8bb..964038947 100644
--- a/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml
+++ b/examples/snippets/.github/workflows/atmos-terraform-drift-remediation.yaml
@@ -16,9 +16,11 @@ jobs:
 remediate-drift:
 if: github.event.action == 'labeled' && contains(github.event.issue.labels.*.name, 'apply')
 name: Remediate Drift
- runs-on:
- - self-hosted
- - terraform
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 steps:
 - uses: unfor19/install-aws-cli-action@v1
 - name: Remediate Drift
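Review bot: The `max-opened-issues: '25'` → `'10'` change in the Reconcile issues hunk is a behaviour change unrelated to the runner migration the rest of this commit performs, and nothing visible explains it. A short comment above the line, such as `# cap on open drift issues; lowered from 25 because <reason>` with the real reason filled in, or a sentence in the commit message, would keep a later reader from treating it as accidental and reverting it. The `tag=${{ inputs.component }}-${{ inputs.stack }}` label added in both hunks here has the same undefined-input problem raised on the atmos-terraform-apply-matrix hunk above.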
@@ -37,7 +39,11 @@ jobs:
 ) && !contains(github.event.issue.labels.*.name, 'remediated')
 name: Discard Drift
- runs-on: ['self-hosted', 'terraform']
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 steps:
 - name: Discard Drift
 uses: cloudposse/github-action-atmos-terraform-drift-remediation@v2
diff --git a/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml b/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml
index 9feac7e3f..07d9a2dfd 100644
--- a/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml
+++ b/examples/snippets/.github/workflows/atmos-terraform-plan-matrix.yaml
@@ -41,9 +41,11 @@ jobs:
 atmos-plan:
 if: ${{ inputs.stacks != '{include:[]}' }}
 name: ${{ matrix.stack_slug }}
- runs-on:
- - self-hosted
- - terraform
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 continue-on-error: ${{ inputs.continue-on-error == 'true' }}
 strategy:
 max-parallel: 10
diff --git a/examples/snippets/.github/workflows/atmos-terraform-plan.yaml b/examples/snippets/.github/workflows/atmos-terraform-plan.yaml
index dc8379e73..f81d1b451 100644
--- a/examples/snippets/.github/workflows/atmos-terraform-plan.yaml
+++ b/examples/snippets/.github/workflows/atmos-terraform-plan.yaml
@@ -18,9 +18,11 @@ jobs:
 atmos-affected:
 if: ${{ !contains( github.event.pull_request.labels.*.name, 'no-plan') }}
 name: Determine Affected Stacks
- runs-on:
- - self-hosted
- - terraform
+ runs-on:
+ - "runs-on=${{ github.run_id }}"
+ - "runner=terraform"
+ - "tag=${{ inputs.component }}-${{ inputs.stack }}"
+ - "private=false"
 steps:
 - id: affected
 uses: cloudposse/github-action-atmos-affected-stacks@v4
diff --git a/examples/snippets/Dockerfile b/examples/snippets/Dockerfile
index d4cbe5a95..4ff3bc750 100644
--- a/examples/snippets/Dockerfile
+++ b/examples/snippets/Dockerfile
@@ -4,8 +4,7 @@ ARG GEODESIC_OS=debian
 # https://github.com/cloudposse/atmos
 ARG ATMOS_VERSION=1.180.0
 # This should match the version set in .github/workflows/auto-format.yaml
-ARG TF_1_VERSION=1.5.7
-ARG TOFU_VERSION=1.8.8
+ARG TOFU_VERSION=1.10.1
 FROM public.ecr.aws/cloudposse/geodesic:${GEODESIC_VERSION}-${GEODESIC_OS}
@@ -24,12 +23,9 @@ ENV AWS_DEFAULT_REGION=us-east-1
 ENV AWS_DEFAULT_SHORT_REGION=use1
 ENV AWS_REGION_ABBREVIATION_TYPE=short
-ARG TF_1_VERSION
 ARG TOFU_VERSION
-RUN apt-get update && apt-get install -y -u --allow-downgrades \
- terraform-1="${TF_1_VERSION}-*" && \
- tofu="${TOFU_VERSION}" && \
- update-alternatives --set terraform /usr/share/terraform/1/bin/terraform
+RUN apt-get update && apt-get install -y --allow-downgrades \
+ tofu="${TOFU_VERSION}"
 ARG ATMOS_VERSION
 RUN apt-get update && apt-get install -y --allow-downgrades \
 atmos="${ATMOS_VERSION}-*" \
@@ -49,7 +45,7 @@ ARG TENANT="core"
 ENV NAMESPACE=acme
 # Format of Geodesic banner prompt
 ENV BANNER=${NAMESPACE}
-ENV DOCKER_IMAGE="acme/infra-acme"
+ENV DOCKER_IMAGE="acme/infrastructure"
 ENV DOCKER_TAG="latest"
 # Default AWS_PROFILE
diff --git a/examples/snippets/Makefile b/examples/snippets/Makefile
index ea30055cf..08e8c2b4b 100644
--- a/examples/snippets/Makefile
+++ b/examples/snippets/Makefile
@@ -1,6 +1,6 @@
 export DOCKER_ORG ?= acme
 export DOCKER_TAG ?= latest
-export ECR_IMAGE ?= infra-acme
+export ECR_IMAGE ?= infrastructure
 export DOCKER_IMAGE ?= $(DOCKER_ORG)/$(ECR_IMAGE)
 export DOCKER_IMAGE_NAME ?= $(DOCKER_IMAGE):$(DOCKER_TAG)
diff --git a/examples/snippets/stacks/workflows/alerting.yaml b/examples/snippets/stacks/workflows/alerting.yaml
deleted file mode 100644
index 6d8c35483..000000000
--- a/examples/snippets/stacks/workflows/alerting.yaml
+++ /dev/null
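Review bot: After the second hunk nothing in the image provides a `terraform` executable any more — the removed RUN installed `terraform-1` and pointed `update-alternatives --set terraform` at it, while the new RUN installs only `tofu` — so Atmos must be configured to invoke `tofu` (the `components.terraform.command` setting in atmos.yaml, which is not part of this diff) or `atmos terraform` invocations inside the image will fail with command not found; please confirm that is wired up, or note it in a comment above the new RUN line. Two smaller points in the same file: `tofu="${TOFU_VERSION}"` pins the bare upstream version whereas the adjacent atmos install uses `atmos="${ATMOS_VERSION}-*"`, so if the tofu package carries a Debian revision suffix the exact pin will not match (the removed RUN used the same form, so this may already be known to work); and in the first hunk the comment `# This should match the version set in .github/workflows/auto-format.yaml` now sits above `ARG TOFU_VERSION=1.10.1` after `TF_1_VERSION` was removed — check it still describes a version that workflow actually sets.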
@@ -1,46 +0,0 @@
-workflows:
- all:
- description: run all workflows
- steps:
- - command: workflow init -f alerting
- - command: workflow vendor -f alerting
- - command: workflow deploy -f alerting
-
-
- init:
- description: Prompt to collect the OpsGenie API Key and write it to AWS SSM
- steps:
- - type: shell
- command: |-
- if [ $( AWS_PROFILE=acme-core-gbl-auto-admin chamber read opsgenie opsgenie_api_key ) ]; then
- echo "Found OpsGenie API Key, skipping init..."
- exit 0
- fi
-
- echo "Please enter an OpsGenie API Key"
- stty -echo
- read -p "API Key: " -r API_KEY
- stty echo
- if [ -z "$API_KEY" ]
- then
- echo 'Inputs cannot be blank, please try again!'
- exit 0
- fi
- if ! [[ "$API_KEY" =~ "^[a-zA-Z0-9-]{36}$" ]]
- then
- echo "Invalid API Key"
- echo "HINT: The API key ID is displayed as a lower-case, 36-character alphanumeric value."
- exit 0
- fi
- AWS_PROFILE=acme-core-gbl-auto-admin chamber write opsgenie opsgenie_api_key "$API_KEY"
-
- vendor:
- description: vendor dependencies
- steps:
- - command: vendor pull --component opsgenie-team
-
- deploy:
- description: opsgenie
- steps:
- - command: terraform deploy opsgenie-team/app-team-1 -s core-gbl-auto
- - command: terraform deploy opsgenie-team/sre -s core-gbl-auto
diff --git a/examples/snippets/stacks/workflows/app-on-ecs.yaml b/examples/snippets/stacks/workflows/app-on-ecs.yaml
deleted file mode 100644
index 899cb7c91..000000000
--- a/examples/snippets/stacks/workflows/app-on-ecs.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-workflows:
- all:
- steps:
- - command: workflow verify/github-oidc-providers -f app-on-ecs
- - command: workflow deploy/app-on-ecs -f app-on-ecs
-
- verify/github-oidc-providers:
- description: |
- This workflow ensures all Github OIDC Provider Configuration deployed.
- steps:
- - command: workflow deploy/github-oidc-provider -f github
-
- deploy/app-on-ecs:
- description: |
- This workflow deploys `app-on-ecs` stacks
- steps:
- - command: terraform deploy ecs-services/example-app-on-ecs -s plat-use1-sandbox
- - command: terraform deploy ecs-services/example-app-on-ecs/dev -s plat-use1-dev
- - command: terraform deploy ecs-services/example-app-on-ecs/qa1 -s plat-use1-dev
- - command: terraform deploy ecs-services/example-app-on-ecs/qa2 -s plat-use1-dev
- - command: terraform deploy ecs-services/example-app-on-ecs -s plat-use1-staging
- - command: terraform deploy ecs-services/example-app-on-ecs -s plat-use1-prod
diff --git a/examples/snippets/stacks/workflows/compliance.yaml b/examples/snippets/stacks/workflows/compliance.yaml
deleted file mode 100644
index 2a595afaf..000000000
--- a/examples/snippets/stacks/workflows/compliance.yaml
+++ /dev/null
@@ -1,288 +0,0 @@ -workflows: - vendor: - description: Vendor compliance layer components and scripts. - steps: - - command: vendor pull --component config-bucket - - command: vendor pull --component cloudtrail-bucket - - command: vendor pull --component aws-config - - command: vendor pull --component security-hub - - command: vendor pull --component guardduty - - command: vendor pull --component s3-bucket - - command: vendor pull --component route53-resolver-dns-firewall - - command: vendor pull --component aws-shield - - command: vendor pull --component aws-inspector2 - - deploy/aws-config/global-collector: - description: Deploy AWS Config into main global collector account - steps: - # Note that central region 'use1' and central account 'security' should be the first one created - - command: terraform deploy aws-config-use1 -s core-use1-security - - command: terraform deploy aws-config-use2 -s core-use2-security - - command: terraform deploy aws-config-usw1 -s core-usw1-security - - command: terraform deploy aws-config-usw2 -s core-usw2-security - - command: terraform deploy aws-config-aps1 -s core-aps1-security - - command: terraform deploy aws-config-apne3 -s core-apne3-security - - command: terraform deploy aws-config-apne2 -s core-apne2-security - - command: terraform deploy aws-config-apne1 -s core-apne1-security - - command: terraform deploy aws-config-apse1 -s core-apse1-security - - command: terraform deploy aws-config-apse2 -s core-apse2-security - - command: terraform deploy aws-config-cac1 -s core-cac1-security - - command: terraform deploy aws-config-euc1 -s core-euc1-security - - command: terraform deploy aws-config-euw1 -s core-euw1-security - - command: terraform deploy aws-config-euw2 -s core-euw2-security - - command: terraform deploy aws-config-euw3 -s core-euw3-security - - command: terraform deploy aws-config-eun1 -s core-eun1-security - - command: terraform deploy aws-config-sae1 -s core-sae1-security - - deploy/aws-config/superadmin: - 
description: Deploy AWS Config into accounts that require SuperAdmin to apply - steps: - - command: terraform deploy aws-config-use1 -s core-use1-identity - - command: terraform deploy aws-config-use1 -s core-use1-root - - command: terraform deploy aws-config-use2 -s core-use2-identity - - command: terraform deploy aws-config-use2 -s core-use2-root - - command: terraform deploy aws-config-usw1 -s core-usw1-identity - - command: terraform deploy aws-config-usw1 -s core-usw1-root - - command: terraform deploy aws-config-usw2 -s core-usw2-identity - - command: terraform deploy aws-config-usw2 -s core-usw2-root - - command: terraform deploy aws-config-aps1 -s core-aps1-identity - - command: terraform deploy aws-config-aps1 -s core-aps1-root - - command: terraform deploy aws-config-apne3 -s core-apne3-identity - - command: terraform deploy aws-config-apne3 -s core-apne3-root - - command: terraform deploy aws-config-apne2 -s core-apne2-identity - - command: terraform deploy aws-config-apne2 -s core-apne2-root - - command: terraform deploy aws-config-apne1 -s core-apne1-identity - - command: terraform deploy aws-config-apne1 -s core-apne1-root - - command: terraform deploy aws-config-apse1 -s core-apse1-identity - - command: terraform deploy aws-config-apse1 -s core-apse1-root - - command: terraform deploy aws-config-apse2 -s core-apse2-identity - - command: terraform deploy aws-config-apse2 -s core-apse2-root - - command: terraform deploy aws-config-cac1 -s core-cac1-identity - - command: terraform deploy aws-config-cac1 -s core-cac1-root - - command: terraform deploy aws-config-euc1 -s core-euc1-identity - - command: terraform deploy aws-config-euc1 -s core-euc1-root - - command: terraform deploy aws-config-euw1 -s core-euw1-identity - - command: terraform deploy aws-config-euw1 -s core-euw1-root - - command: terraform deploy aws-config-euw2 -s core-euw2-identity - - command: terraform deploy aws-config-euw2 -s core-euw2-root - - command: terraform deploy 
aws-config-euw3 -s core-euw3-identity - - command: terraform deploy aws-config-euw3 -s core-euw3-root - - command: terraform deploy aws-config-eun1 -s core-eun1-identity - - command: terraform deploy aws-config-eun1 -s core-eun1-root - - command: terraform deploy aws-config-sae1 -s core-sae1-identity - - command: terraform deploy aws-config-sae1 -s core-sae1-root - - deploy/security-hub/step1: - description: Deploy Security Hub to Delegated Administrator account (core-security) - steps: - - command: terraform deploy security-hub/delegated-administrator/use1 -s core-use1-security - - command: terraform deploy security-hub/delegated-administrator/use2 -s core-use2-security - - command: terraform deploy security-hub/delegated-administrator/usw1 -s core-usw1-security - - command: terraform deploy security-hub/delegated-administrator/usw2 -s core-usw2-security - - command: terraform deploy security-hub/delegated-administrator/aps1 -s core-aps1-security - - command: terraform deploy security-hub/delegated-administrator/apne3 -s core-apne3-security - - command: terraform deploy security-hub/delegated-administrator/apne2 -s core-apne2-security - - command: terraform deploy security-hub/delegated-administrator/apne1 -s core-apne1-security - - command: terraform deploy security-hub/delegated-administrator/apse1 -s core-apse1-security - - command: terraform deploy security-hub/delegated-administrator/apse2 -s core-apse2-security - - command: terraform deploy security-hub/delegated-administrator/cac1 -s core-cac1-security - - command: terraform deploy security-hub/delegated-administrator/euc1 -s core-euc1-security - - command: terraform deploy security-hub/delegated-administrator/euw1 -s core-euw1-security - - command: terraform deploy security-hub/delegated-administrator/euw2 -s core-euw2-security - - command: terraform deploy security-hub/delegated-administrator/euw3 -s core-euw3-security - - command: terraform deploy security-hub/delegated-administrator/eun1 -s 
core-eun1-security - - command: terraform deploy security-hub/delegated-administrator/sae1 -s core-sae1-security - - deploy/security-hub/step2: - description: Deploy Security Hub to AWS Organizations Management Account (core-root). You must be SuperAdmin to run this workflow. - steps: - - command: terraform deploy security-hub/root/use1 -s core-use1-root - - command: terraform deploy security-hub/root/use2 -s core-use2-root - - command: terraform deploy security-hub/root/usw1 -s core-usw1-root - - command: terraform deploy security-hub/root/usw2 -s core-usw2-root - - command: terraform deploy security-hub/root/aps1 -s core-aps1-root - - command: terraform deploy security-hub/root/apne3 -s core-apne3-root - - command: terraform deploy security-hub/root/apne2 -s core-apne2-root - - command: terraform deploy security-hub/root/apne1 -s core-apne1-root - - command: terraform deploy security-hub/root/apse1 -s core-apse1-root - - command: terraform deploy security-hub/root/apse2 -s core-apse2-root - - command: terraform deploy security-hub/root/cac1 -s core-cac1-root - - command: terraform deploy security-hub/root/euc1 -s core-euc1-root - - command: terraform deploy security-hub/root/euw1 -s core-euw1-root - - command: terraform deploy security-hub/root/euw2 -s core-euw2-root - - command: terraform deploy security-hub/root/euw3 -s core-euw3-root - - command: terraform deploy security-hub/root/eun1 -s core-eun1-root - - command: terraform deploy security-hub/root/sae1 -s core-sae1-root - - deploy/security-hub/step3: - description: Deploy Security Hub Organization Settings to Delegated Administrator account (core-security) - steps: - - command: terraform deploy security-hub/org-settings/use1 -s core-use1-security - - command: terraform deploy security-hub/org-settings/use2 -s core-use2-security - - command: terraform deploy security-hub/org-settings/usw1 -s core-usw1-security - - command: terraform deploy security-hub/org-settings/usw2 -s core-usw2-security - - command: 
terraform deploy security-hub/org-settings/aps1 -s core-aps1-security - - command: terraform deploy security-hub/org-settings/apne3 -s core-apne3-security - - command: terraform deploy security-hub/org-settings/apne2 -s core-apne2-security - - command: terraform deploy security-hub/org-settings/apne1 -s core-apne1-security - - command: terraform deploy security-hub/org-settings/apse1 -s core-apse1-security - - command: terraform deploy security-hub/org-settings/apse2 -s core-apse2-security - - command: terraform deploy security-hub/org-settings/cac1 -s core-cac1-security - - command: terraform deploy security-hub/org-settings/euc1 -s core-euc1-security - - command: terraform deploy security-hub/org-settings/euw1 -s core-euw1-security - - command: terraform deploy security-hub/org-settings/euw2 -s core-euw2-security - - command: terraform deploy security-hub/org-settings/euw3 -s core-euw3-security - - command: terraform deploy security-hub/org-settings/eun1 -s core-eun1-security - - command: terraform deploy security-hub/org-settings/sae1 -s core-sae1-security - - deploy/guardduty/step1: - description: Deploy GuardDuty to Delegated Administrator account (core-security) - steps: - - command: terraform deploy guardduty/delegated-administrator/use1 -s core-use1-security - - command: terraform deploy guardduty/delegated-administrator/use2 -s core-use2-security - - command: terraform deploy guardduty/delegated-administrator/usw1 -s core-usw1-security - - command: terraform deploy guardduty/delegated-administrator/usw2 -s core-usw2-security - - command: terraform deploy guardduty/delegated-administrator/aps1 -s core-aps1-security - - command: terraform deploy guardduty/delegated-administrator/apne3 -s core-apne3-security - - command: terraform deploy guardduty/delegated-administrator/apne2 -s core-apne2-security - - command: terraform deploy guardduty/delegated-administrator/apne1 -s core-apne1-security - - command: terraform deploy guardduty/delegated-administrator/apse1 
-s core-apse1-security - - command: terraform deploy guardduty/delegated-administrator/apse2 -s core-apse2-security - - command: terraform deploy guardduty/delegated-administrator/cac1 -s core-cac1-security - - command: terraform deploy guardduty/delegated-administrator/euc1 -s core-euc1-security - - command: terraform deploy guardduty/delegated-administrator/euw1 -s core-euw1-security - - command: terraform deploy guardduty/delegated-administrator/euw2 -s core-euw2-security - - command: terraform deploy guardduty/delegated-administrator/euw3 -s core-euw3-security - - command: terraform deploy guardduty/delegated-administrator/eun1 -s core-eun1-security - - command: terraform deploy guardduty/delegated-administrator/sae1 -s core-sae1-security - - deploy/guardduty/step2: - description: Deploy GuardDuty to AWS Organizations Management Account (core-root). You must be SuperAdmin to run this workflow. - steps: - - command: terraform deploy guardduty/root/use1 -s core-use1-root - - command: terraform deploy guardduty/root/use2 -s core-use2-root - - command: terraform deploy guardduty/root/usw1 -s core-usw1-root - - command: terraform deploy guardduty/root/usw2 -s core-usw2-root - - command: terraform deploy guardduty/root/aps1 -s core-aps1-root - - command: terraform deploy guardduty/root/apne3 -s core-apne3-root - - command: terraform deploy guardduty/root/apne2 -s core-apne2-root - - command: terraform deploy guardduty/root/apne1 -s core-apne1-root - - command: terraform deploy guardduty/root/apse1 -s core-apse1-root - - command: terraform deploy guardduty/root/apse2 -s core-apse2-root - - command: terraform deploy guardduty/root/cac1 -s core-cac1-root - - command: terraform deploy guardduty/root/euc1 -s core-euc1-root - - command: terraform deploy guardduty/root/euw1 -s core-euw1-root - - command: terraform deploy guardduty/root/euw2 -s core-euw2-root - - command: terraform deploy guardduty/root/euw3 -s core-euw3-root - - command: terraform deploy guardduty/root/eun1 
-s core-eun1-root - - command: terraform deploy guardduty/root/sae1 -s core-sae1-root - - deploy/guardduty/step3: - description: Deploy GuardDuty Organization Settings to Delegated Administrator account (core-security) - steps: - - command: terraform deploy guardduty/org-settings/use1 -s core-use1-security - - command: terraform deploy guardduty/org-settings/use2 -s core-use2-security - - command: terraform deploy guardduty/org-settings/usw1 -s core-usw1-security - - command: terraform deploy guardduty/org-settings/usw2 -s core-usw2-security - - command: terraform deploy guardduty/org-settings/aps1 -s core-aps1-security - - command: terraform deploy guardduty/org-settings/apne3 -s core-apne3-security - - command: terraform deploy guardduty/org-settings/apne2 -s core-apne2-security - - command: terraform deploy guardduty/org-settings/apne1 -s core-apne1-security - - command: terraform deploy guardduty/org-settings/apse1 -s core-apse1-security - - command: terraform deploy guardduty/org-settings/apse2 -s core-apse2-security - - command: terraform deploy guardduty/org-settings/cac1 -s core-cac1-security - - command: terraform deploy guardduty/org-settings/euc1 -s core-euc1-security - - command: terraform deploy guardduty/org-settings/euw1 -s core-euw1-security - - command: terraform deploy guardduty/org-settings/euw2 -s core-euw2-security - - command: terraform deploy guardduty/org-settings/euw3 -s core-euw3-security - - command: terraform deploy guardduty/org-settings/eun1 -s core-eun1-security - - command: terraform deploy guardduty/org-settings/sae1 -s core-sae1-security - - destroy/aws-config/global-collector: - description: Destroy AWS Config from accounts that require superadmin to apply - steps: - # Note that central region 'use1' and central account 'security' should be the last one destroyed - - command: terraform destroy aws-config-use2 -s core-use2-security -auto-approve - - command: terraform destroy aws-config-usw1 -s core-usw1-security -auto-approve - - 
command: terraform destroy aws-config-usw2 -s core-usw2-security -auto-approve - - command: terraform destroy aws-config-aps1 -s core-aps1-security -auto-approve - - command: terraform destroy aws-config-apne3 -s core-apne3-security -auto-approve - - command: terraform destroy aws-config-apne2 -s core-apne2-security -auto-approve - - command: terraform destroy aws-config-apne1 -s core-apne1-security -auto-approve - - command: terraform destroy aws-config-apse1 -s core-apse1-security -auto-approve - - command: terraform destroy aws-config-apse2 -s core-apse2-security -auto-approve - - command: terraform destroy aws-config-cac1 -s core-cac1-security -auto-approve - - command: terraform destroy aws-config-euc1 -s core-euc1-security -auto-approve - - command: terraform destroy aws-config-euw1 -s core-euw1-security -auto-approve - - command: terraform destroy aws-config-euw2 -s core-euw2-security -auto-approve - - command: terraform destroy aws-config-euw3 -s core-euw3-security -auto-approve - - command: terraform destroy aws-config-eun1 -s core-eun1-security -auto-approve - - command: terraform destroy aws-config-sae1 -s core-sae1-security -auto-approve - - command: terraform destroy aws-config-use1 -s core-use1-security -auto-approve - - deploy/audit-manager-bucket: - description: Deploy bucket to hold Audit Manager finders - steps: - - command: terraform deploy s3-bucket/audit-manager -s core-use1-security - - deploy/route53-resolver-dns-firewall-buckets: - description: Deploy Route53 Firewall S3 Buckets - steps: - - command: terraform deploy route53-resolver-dns-firewall-logs -s plat-use1-dev - - command: terraform deploy route53-resolver-dns-firewall-logs -s plat-use1-prod - - command: terraform deploy route53-resolver-dns-firewall-logs -s plat-use1-sandbox - - command: terraform deploy route53-resolver-dns-firewall-logs -s plat-use1-staging - - deploy/route53-resolver-dns-firewall: - description: Deploy Route53 Firewall - steps: - - command: terraform deploy 
route53-resolver-dns-firewall/dev -s plat-use1-dev - - command: terraform deploy route53-resolver-dns-firewall/prod -s plat-use1-prod - - command: terraform deploy route53-resolver-dns-firewall/sandbox -s plat-use1-sandbox - - command: terraform deploy route53-resolver-dns-firewall/staging -s plat-use1-staging - - deploy/aws-shield: - description: Deploys AWS Shield - steps: - - command: terraform deploy aws-shield -s plat-use1-dev - - command: terraform deploy aws-shield -s plat-use1-prod - - command: terraform deploy aws-shield -s plat-use1-sandbox - - command: terraform deploy aws-shield -s plat-use1-staging - - deploy/aws-inspector2/step1: - description: Configure AWS Delegated Administrator account across all regions for AWS Inspector - steps: - - command: terraform deploy aws-inspector2/delegate-orgadmin/use1 -s core-use1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/use2 -s core-use2-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/usw1 -s core-usw1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/usw2 -s core-usw2-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/aps1 -s core-aps1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/apne3 -s core-apne3-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/apne2 -s core-apne2-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/apne1 -s core-apne1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/apse1 -s core-apse1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/apse2 -s core-apse2-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/cac1 -s core-cac1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/euc1 -s core-euc1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/euw1 -s core-euw1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/euw2 -s core-euw2-root - - command: terraform 
deploy aws-inspector2/delegate-orgadmin/euw3 -s core-euw3-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/eun1 -s core-eun1-root - - command: terraform deploy aws-inspector2/delegate-orgadmin/sae1 -s core-sae1-root - - deploy/aws-inspector2/step2: - description: Deploy to the Delegated Administrator account to establish organization wide configuration - steps: - # There is a bug that tries to deploy Lambda Code scanning even though it's not enabled - # https://github.com/hashicorp/terraform-provider-aws/issues/34039 - # For now, we'll enable Inspector only in regions that support Lambda Code scanning - - command: terraform deploy aws-inspector2/org-settings/use1 -s core-use1-security - - command: terraform deploy aws-inspector2/org-settings/use2 -s core-use2-security - - command: terraform deploy aws-inspector2/org-settings/usw2 -s core-usw2-security - - command: terraform deploy aws-inspector2/org-settings/apne1 -s core-apne1-security - - command: terraform deploy aws-inspector2/org-settings/apse1 -s core-apse1-security - - command: terraform deploy aws-inspector2/org-settings/apse2 -s core-apse2-security - - command: terraform deploy aws-inspector2/org-settings/euc1 -s core-euc1-security - - command: terraform deploy aws-inspector2/org-settings/euw1 -s core-euw1-security - - command: terraform deploy aws-inspector2/org-settings/euw2 -s core-euw2-security - - command: terraform deploy aws-inspector2/org-settings/eun1 -s core-eun1-security diff --git a/examples/snippets/stacks/workflows/grafana.yaml b/examples/snippets/stacks/workflows/grafana.yaml deleted file mode 100644 index 379af9ce7..000000000 --- a/examples/snippets/stacks/workflows/grafana.yaml +++ /dev/null 
@@ -1,43 +0,0 @@ - -workflows: - all: - description: run all workflows - steps: - - command: workflow vendor -f grafana - - command: workflow deploy -f grafana - - vendor: - description: vendor dependencies - steps: - - command: vendor pull --component - - deploy: - description: deploys all Grafana data sources into plat accounts - steps: - - command: workflow deploy/data-sources -s plat-use1-dev -f grafana - - command: workflow deploy/data-sources -s plat-use1-staging -f grafana - - command: workflow deploy/data-sources -s plat-use1-prod -f grafana - - command: workflow deploy/grafana -s core-use1-auto -f grafana - - deploy/data-sources: - description: deploys all Grafana data sources into a given stack - steps: - - command: terraform deploy prometheus - - command: terraform deploy eks/prometheus-scraper - - command: terraform deploy eks/loki - - command: terraform deploy eks/promtail - - type: shell - command: |- - echo "Now update the eks/cluster map_additional_iam_roles and reapply eks/cluster" - - deploy/grafana: - description: deploys centralized Grafana and all sub components - steps: - - command: terraform deploy grafana -s core-use1-auto - - command: terraform deploy grafana/api-key -s core-use1-auto - - command: terraform deploy grafana/dashboard/plat-dev-prometheus -s core-use1-auto - - command: terraform deploy grafana/dashboard/plat-dev-loki -s core-use1-auto - - command: terraform deploy grafana/dashboard/plat-staging-prometheus -s core-use1-auto - - command: terraform deploy grafana/dashboard/plat-staging-loki -s core-use1-auto - - command: terraform deploy grafana/dashboard/plat-prod-prometheus -s core-use1-auto - - command: terraform deploy grafana/dashboard/plat-prod-loki -s core-use1-auto \ No newline at end of file diff --git a/examples/snippets/stacks/workflows/monitoring.yaml b/examples/snippets/stacks/workflows/monitoring.yaml deleted file mode 100644 index 6a9afa6a9..000000000 
--- a/examples/snippets/stacks/workflows/monitoring.yaml
+++ /dev/null
@@ -1,159 +0,0 @@ - -workflows: - all: - description: run all workflows - steps: - - command: workflow init -f monitoring - - command: workflow vendor -f monitoring - - command: workflow deploy/datadog-configuration -f monitoring - - command: workflow deploy/datadog-integration -f monitoring -# - command: workflow deploy/datadog-logs-archive -f monitoring - - command: workflow deploy/datadog-monitor -f monitoring - - command: workflow deploy/datadog-lambda-forwarder -f monitoring - - command: workflow deploy/datadog-agent -f monitoring - - command: workflow deploy/datadog-synthetics-private-location -f monitoring - - command: workflow deploy/datadog-private-location-ecs -f monitoring - - init: - description: Prompt for uploading Datadog API Key to AWS SSM - steps: - - type: shell - command: |- - echo "Please enter a Datadog API Key" - - stty -echo - read -p "API Key: " -r API_KEY - stty echo - if [ -z "$API_KEY" ] - then - echo 'Inputs cannot be blank please try again!' - exit 0 - fi - if ! [[ "$API_KEY" =~ "^[a-zA-Z0-9-]{32}$" ]] - then - echo "Invalid API Key" - echo "HINT: The API key ID is displayed as an upper-case, 32-character alphanumeric value." - exit 0 - fi - - stty -echo - read -p "APP Key: " -r APP_KEY - stty echo - if [ -z "$APP_KEY" ] - then - echo 'Inputs cannot be blank please try again!' - exit 0 - fi - if ! 
[[ "$APP_KEY" =~ "^[a-zA-Z0-9]{40}$" ]] - then - echo "Invalid APP Key" - exit 0 - fi - - AWS_PROFILE=acme-core-gbl-auto-admin aws ssm put-parameter --name /datadog/default/datadog_api_key --value $API_KEY --type SecureString - AWS_PROFILE=acme-core-gbl-auto-admin aws ssm put-parameter --name /datadog/default/datadog_app_key --value $APP_KEY --type SecureString - - vendor: - description: vendor dependencies - steps: - - command: vendor pull --component datadog-configuration - - command: vendor pull --component datadog-integration - - command: vendor pull --component datadog-lambda-forwarder - - command: vendor pull --component datadog-monitor - #- command: vendor pull --component datadog-logs-archive - - command: vendor pull --component eks/datadog-agent - - command: vendor pull --component datadog-synthetics-private-location - - command: vendor pull --component datadog-private-location-ecs - - deploy/datadog-configuration: - description: deploys all datadog-configuration components - steps: - - command: terraform deploy datadog-configuration -s core-gbl-artifacts - - command: terraform deploy datadog-configuration -s core-gbl-audit - - command: terraform deploy datadog-configuration -s core-gbl-auto - - command: terraform deploy datadog-configuration -s core-gbl-dns - - command: terraform deploy datadog-configuration -s core-gbl-network - - command: terraform deploy datadog-configuration -s core-gbl-security - - command: terraform deploy datadog-configuration -s plat-gbl-sandbox - - command: terraform deploy datadog-configuration -s plat-gbl-dev - - command: terraform deploy datadog-configuration -s plat-gbl-staging - - command: terraform deploy datadog-configuration -s plat-gbl-prod - - deploy/datadog-integration: - description: deploys all datadog-integration components - steps: - - command: terraform deploy datadog-integration -s core-gbl-artifacts - - command: terraform deploy datadog-integration -s core-gbl-audit - - command: terraform deploy 
datadog-integration -s core-gbl-auto - - command: terraform deploy datadog-integration -s core-gbl-dns - - command: terraform deploy datadog-integration -s core-gbl-network - - command: terraform deploy datadog-integration -s core-gbl-security - - command: terraform deploy datadog-integration -s plat-gbl-sandbox - - command: terraform deploy datadog-integration -s plat-gbl-dev - - command: terraform deploy datadog-integration -s plat-gbl-staging - - command: terraform deploy datadog-integration -s plat-gbl-prod - -# deploy/datadog-logs-archive: -# description: deploys all datadog-logs-archive components -# steps: -# - command: terraform deploy datadog-logs-archive -s core-gbl-artifacts -# - command: terraform deploy datadog-logs-archive -s core-gbl-audit -# - command: terraform deploy datadog-logs-archive -s core-gbl-auto -# - command: terraform deploy datadog-logs-archive -s core-gbl-dns -# - command: terraform deploy datadog-logs-archive -s core-gbl-network -# - command: terraform deploy datadog-logs-archive -s core-gbl-security -# - command: terraform deploy datadog-logs-archive -s plat-gbl-sandbox -# - command: terraform deploy datadog-logs-archive -s plat-gbl-dev -# - command: terraform deploy datadog-logs-archive -s plat-gbl-staging -# - command: terraform deploy datadog-logs-archive -s plat-gbl-prod - - deploy/datadog-monitor: - description: deploys all datadog-monitor components - steps: - - command: terraform deploy datadog-monitor -s core-gbl-auto - - command: terraform deploy datadog-monitor -s plat-gbl-sandbox - - command: terraform deploy datadog-monitor -s plat-gbl-dev - - command: terraform deploy datadog-monitor -s plat-gbl-staging - - command: terraform deploy datadog-monitor -s plat-gbl-prod - - deploy/datadog-lambda-forwarder: - description: deploys all datadog-lambda-forwarder components - steps: - - command: terraform deploy datadog-lambda-forwarder -s core-use1-artifacts - - command: terraform deploy datadog-lambda-forwarder -s core-use1-audit 
- - command: terraform deploy datadog-lambda-forwarder -s core-use1-auto - - command: terraform deploy datadog-lambda-forwarder -s core-use1-dns - - command: terraform deploy datadog-lambda-forwarder -s core-use1-network - - command: terraform deploy datadog-lambda-forwarder -s core-use1-security - - command: terraform deploy datadog-lambda-forwarder -s plat-use1-sandbox - - command: terraform deploy datadog-lambda-forwarder -s plat-use1-dev - - command: terraform deploy datadog-lambda-forwarder -s plat-use1-staging - - command: terraform deploy datadog-lambda-forwarder -s plat-use1-prod - - - deploy/datadog-agent: - description: deploys all datadog-agent components - steps: - - command: terraform deploy eks/datadog-agent -s core-use1-auto - - command: terraform deploy eks/datadog-agent -s plat-use1-dev - - command: terraform deploy eks/datadog-agent -s plat-use1-staging - - command: terraform deploy eks/datadog-agent -s plat-use1-prod - - deploy/datadog-synthetics-private-location: - description: deploys all datadog-synthetics-private-location components - steps: - - command: terraform deploy datadog-synthetics-private-location -s core-use1-auto - - command: terraform deploy datadog-synthetics-private-location -s plat-use1-dev - - command: terraform deploy datadog-synthetics-private-location -s plat-use1-staging - - command: terraform deploy datadog-synthetics-private-location -s plat-use1-prod - - - deploy/datadog-private-location-ecs: - description: deploys all datadog-private-location-ecs components - steps: - - command: terraform deploy datadog-private-location-ecs -s core-use1-auto - - command: terraform deploy datadog-private-location-ecs -s plat-use1-sandbox - - command: terraform deploy datadog-private-location-ecs -s plat-use1-dev - - command: terraform deploy datadog-private-location-ecs -s plat-use1-staging - - command: terraform deploy datadog-private-location-ecs -s plat-use1-prod - 
diff --git a/examples/snippets/stacks/workflows/addons.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons.yaml
diff --git a/examples/snippets/stacks/workflows/addons/alb.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/alb.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/alb.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/alb.yaml
diff --git a/examples/snippets/stacks/workflows/addons/api-gateway.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/api-gateway.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/api-gateway.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/api-gateway.yaml
diff --git a/examples/snippets/stacks/workflows/addons/cognito.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/cognito.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/cognito.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/cognito.yaml
diff --git a/examples/snippets/stacks/workflows/addons/ec2-instance.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/ec2-instance.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/ec2-instance.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/ec2-instance.yaml
diff --git a/examples/snippets/stacks/workflows/addons/kinesis-stream.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/kinesis-stream.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/kinesis-stream.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/kinesis-stream.yaml
diff --git a/examples/snippets/stacks/workflows/addons/kms.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/kms.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/kms.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/kms.yaml
diff --git a/examples/snippets/stacks/workflows/addons/lambda.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/lambda.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/lambda.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/lambda.yaml
diff --git a/examples/snippets/stacks/workflows/addons/memorydb.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/memorydb.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/memorydb.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/memorydb.yaml
diff --git a/examples/snippets/stacks/workflows/addons/s3-bucket.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/s3-bucket.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/s3-bucket.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/s3-bucket.yaml
diff --git a/examples/snippets/stacks/workflows/addons/ses.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/ses.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/ses.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/ses.yaml
diff --git a/examples/snippets/stacks/workflows/addons/sns-topic.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/sns-topic.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/sns-topic.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/sns-topic.yaml
diff --git a/examples/snippets/stacks/workflows/addons/spa-s3-cloudfront.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/spa-s3-cloudfront.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/spa-s3-cloudfront.yaml
diff --git a/examples/snippets/stacks/workflows/addons/sqs-queue.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/sqs-queue.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/sqs-queue.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/sqs-queue.yaml
diff --git a/examples/snippets/stacks/workflows/addons/ssm-parameters.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/ssm-parameters.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/addons/ssm-parameters.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/ssm-parameters.yaml
diff --git a/examples/snippets/stacks/workflows/addons/waf.yaml b/examples/snippets/stacks/workflows/quickstart/app/addons/waf.yaml
similarity index 51%
rename from examples/snippets/stacks/workflows/addons/waf.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/addons/waf.yaml
index 2ba790220..fad86334b 100644
--- a/examples/snippets/stacks/workflows/addons/waf.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/app/addons/waf.yaml
@@ -2,7 +2,9 @@ workflows: all: description: run all workflows steps: - - command: terraform deploy waf --stack plat-use1-sandbox + - command: terraform deploy waf --stack plat-use1-dev + - command: terraform deploy waf --stack plat-use1-staging + - command: terraform deploy waf --stack plat-use1-prod vendor: description: vendor all components required for this addon
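Review bot: The `all` workflow drops `plat-use1-sandbox` without any corresponding destroy step, so a WAF previously deployed to sandbox from this snippet would be left unmanaged; if that is intended, a short comment on the `all` steps such as `# sandbox is no longer covered by this addon; destroy any existing waf there separately` would make it explicit. The three new steps run `terraform deploy` straight into `plat-use1-prod` in the same unattended sequence as dev and staging, so a bad rule set reaches production traffic with no intervening review — consider keeping the prod deploy in its own workflow or behind a plan step. The `vendor` workflow's steps continue outside the hunk.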
diff --git a/examples/snippets/stacks/workflows/data.yaml b/examples/snippets/stacks/workflows/quickstart/app/data.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/data.yaml
rename to examples/snippets/stacks/workflows/quickstart/app/data.yaml
diff --git a/examples/snippets/stacks/workflows/accounts.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/accounts.yaml
rename to examples/snippets/stacks/workflows/quickstart/foundation/accounts.yaml
diff --git a/examples/snippets/stacks/workflows/baseline.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/baseline.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/baseline.yaml
rename to examples/snippets/stacks/workflows/quickstart/foundation/baseline.yaml
diff --git a/examples/snippets/stacks/workflows/github.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/github.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/github.yaml
rename to examples/snippets/stacks/workflows/quickstart/foundation/github.yaml
diff --git a/examples/snippets/stacks/workflows/gitops.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/gitops.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/gitops.yaml
rename to examples/snippets/stacks/workflows/quickstart/foundation/gitops.yaml
diff --git a/examples/snippets/stacks/workflows/identity.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/identity.yaml
rename to examples/snippets/stacks/workflows/quickstart/foundation/identity.yaml
diff --git a/examples/snippets/stacks/workflows/network.yaml b/examples/snippets/stacks/workflows/quickstart/foundation/network.yaml
similarity index 74%
rename from examples/snippets/stacks/workflows/network.yaml
rename to examples/snippets/stacks/workflows/quickstart/foundation/network.yaml
index 852de7a5d..3a3144a74 100644
--- a/examples/snippets/stacks/workflows/network.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/foundation/network.yaml
@@ -15,13 +15,15 @@ workflows: description: Vendor component dependencies for the network layer. steps: - command: vendor pull --component tgw/hub - - command: vendor pull --component tgw/spoke + - command: vendor pull --component tgw/attachment + - command: vendor pull --component tgw/routes - command: vendor pull --component acm - command: vendor pull --component bastion - command: vendor pull --component dns-delegated - command: vendor pull --component dns-primary - command: vendor pull --component ec2-client-vpn - command: vendor pull --component vpc + - command: vendor pull --component vpc-routes deploy/vpc: description: Provision VPCs for the network layer.
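Review bot: Removing `tgw/spoke` from the `vendor` steps before existing spoke attachments are torn down leaves no vendored source to run `terraform destroy tgw/spoke` against, so anyone migrating from the previous layout needs to destroy the spokes first or keep the vendor line until that is done; a comment above the `tgw/attachment` line, e.g. `# tgw/spoke is replaced by tgw/attachment + tgw/routes; destroy existing spokes before dropping it`, would record that. The new `vendor pull --component vpc-routes` entry is consumed later in the file as `vpc/routes/private`, which presumably relies on the stack configuration mapping that instance name to the `vpc-routes` component — worth confirming, since a mismatch only surfaces at deploy time. The `vendor` workflow's mapping header is above the hunk.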
@@ -42,22 +44,25 @@ workflows: command: wipe-default-vpcs deploy/tgw: - description: Provision the Transit Gateway "hub" and "spokes" for connecting VPCs. + description: Provision the Transit Gateway for connecting VPCs, including all attachments and routes. steps: - command: terraform deploy tgw/hub -s core-use1-network - name: hub - - command: terraform deploy tgw/spoke -s core-use1-network - - command: echo 'Creating core spokes for Transit Gateway' - type: shell - name: core-spokes - - command: terraform deploy tgw/spoke -s core-use1-auto - - command: terraform deploy tgw/spoke -s plat-use1-sandbox - - command: echo 'Creating platform spokes for Transit Gateway' - type: shell - name: plat-spokes - - command: terraform deploy tgw/spoke -s plat-use1-dev - - command: terraform deploy tgw/spoke -s plat-use1-staging - - command: terraform deploy tgw/spoke -s plat-use1-prod + - command: terraform deploy tgw/attachment -s core-use1-network + - command: terraform deploy tgw/attachment -s core-use1-auto + - command: terraform deploy tgw/attachment -s plat-use1-sandbox + - command: terraform deploy tgw/attachment -s plat-use1-dev + - command: terraform deploy tgw/attachment -s plat-use1-staging + - command: terraform deploy tgw/attachment -s plat-use1-prod + - command: terraform deploy tgw/routes -s core-use1-network + - command: terraform deploy tgw/routes -s plat-use1-sandbox + - command: terraform deploy tgw/routes -s plat-use1-dev + - command: terraform deploy tgw/routes -s plat-use1-staging + - command: terraform deploy tgw/routes -s plat-use1-prod + - command: terraform deploy vpc/routes/private -s core-use1-network + - command: terraform deploy vpc/routes/private -s plat-use1-sandbox + - command: terraform deploy vpc/routes/private -s plat-use1-dev + - command: terraform deploy vpc/routes/private -s plat-use1-staging + - command: terraform deploy vpc/routes/private -s plat-use1-prod deploy/dns: description: Configure the DNS "primary" and "delegated" stacks. 
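Review bot: `core-use1-auto` receives a `tgw/attachment` step but no `tgw/routes` and no `vpc/routes/private` step, while the other five stacks get all three, so the auto account's VPC ends up attached to the Transit Gateway with no routes in either direction; unless that is deliberate, add `- command: terraform deploy tgw/routes -s core-use1-auto` after the `core-use1-network` routes step and `- command: terraform deploy vpc/routes/private -s core-use1-auto` after the `core-use1-network` private-routes step. The removed steps carried `name:` labels (`core-spokes`, `plat-spokes`) that the replacement drops, so only the `hub` step is now named; a `name:` on the first step of the attachment, TGW-route and VPC-route groups would keep workflow output readable. The ordering (all attachments, then TGW routes, then VPC routes) is the safe one, since the route steps depend on the attachments already existing.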
@@ -97,10 +102,7 @@ workflows: description: Provision AWS Certificate Manager for custom and ad-hoc requests. steps: - command: terraform deploy acm -s core-use1-auto - - command: terraform deploy acm -s plat-use1-sandbox - - command: terraform deploy acm -s plat-use1-dev - - command: terraform deploy acm -s plat-use1-staging - - command: terraform deploy acm -s plat-use1-prod + deploy/vpn: description: Establish the AWS Client VPN in the core-network account.
diff --git a/examples/snippets/stacks/workflows/argocd.yaml b/examples/snippets/stacks/workflows/quickstart/platform/argocd.yaml
similarity index 86%
rename from examples/snippets/stacks/workflows/argocd.yaml
rename to examples/snippets/stacks/workflows/quickstart/platform/argocd.yaml
index 160b27741..e14dbbe3c 100644
--- a/examples/snippets/stacks/workflows/argocd.yaml
+++ b/examples/snippets/stacks/workflows/quickstart/platform/argocd.yaml
@@ -249,7 +249,7 @@ workflows: - type: shell command: |- echo "Please create a fine-grained GitHub PAT" - echo "Scope: acme/argocd-deploy-non-prod and acme/infra-acme" + echo "Scope: acme/argocd-deploy-non-prod and acme/infrastructure" echo "Permissions: (Repository) Contents: Read and write, Metadata: Read-only" echo "Follow this manual to create PAT https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token" echo "Please upload this PAT to 1Password"
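Review bot: The single added `+` line is empty, and the hunk counts (10 old, 7 new) imply a blank separator already sits between the last step and `deploy/vpn:`, so the new file appears to carry two consecutive blank lines there; drop the added line so workflows stay separated by one blank line. With the four `plat-use1-*` deploys gone, `deploy/acm` now only provisions `core-use1-auto`, yet its description still reads "for custom and ad-hoc requests" — if the platform stacks still define `acm`, this workflow no longer keeps those certificates in sync, and if they no longer do, nothing here destroys what was previously deployed; a one-line comment stating where platform certificates are now handled would resolve the ambiguity. The `deploy/acm:` key itself is above the hunk.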
@@ -260,24 +260,7 @@ workflows: - type: shell command: |- echo "Please create a fine-grained GitHub PAT" - echo "Scope: acme/argocd-deploy-prod and acme/infra-acme" + echo "Scope: acme/argocd-deploy-prod and acme/infrastructure" echo "Permissions: (Repository) Contents: Read and write, Metadata: Read-only" echo "Follow this manual to create PAT https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token" - echo "Please upload this PAT to 1Password" - - migrate_less_1_305: - description: | - This workflow migrates ArgoCD to `0.0.0` - steps: - - type: shell - command: |- - AWS_PROFILE=acme-plat-gbl-dev-admin chamber read -q argocd/notifications/notifiers/service_webhook_github-commit-status github-token | AWS_PROFILE=acme-plat-gbl-dev-admin chamber write argocd/notifications/notifiers/common github-token - AWS_PROFILE=acme-plat-gbl-dev-admin chamber delete argocd/notifications/notifiers/service_webhook_github-commit-status github-token - AWS_PROFILE=acme-plat-gbl-dev-admin chamber delete argocd/notifications/notifiers/service_githubAWS_PROFILE=acme-plat-gbl-staging-admin chamber read -q argocd/notifications/notifiers/service_webhook_github-commit-status github-token | AWS_PROFILE=acme-plat-gbl-staging-admin chamber write argocd/notifications/notifiers/common github-token - AWS_PROFILE=acme-plat-gbl-staging-admin chamber delete argocd/notifications/notifiers/service_webhook_github-commit-status github-token - AWS_PROFILE=acme-plat-gbl-staging-admin chamber delete argocd/notifications/notifiers/service_githubAWS_PROFILE=acme-plat-gbl-prod-admin chamber read -q argocd/notifications/notifiers/service_webhook_github-commit-status github-token | AWS_PROFILE=acme-plat-gbl-prod-admin chamber write argocd/notifications/notifiers/common github-token - AWS_PROFILE=acme-plat-gbl-prod-admin chamber delete argocd/notifications/notifiers/service_webhook_github-commit-status github-token - AWS_PROFILE=acme-plat-gbl-prod-admin 
chamber delete argocd/notifications/notifiers/service_github - - command: workflow deploy/github-webhook-pat -f argocd - - command: workflow deploy/argocd -f argocd - - command: workflow deploy/argocd-repos -f argocd + echo "Please upload this PAT to 1Password"
\ No newline at end of file
diff --git a/examples/snippets/stacks/workflows/ecs.yaml b/examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/ecs.yaml
rename to examples/snippets/stacks/workflows/quickstart/platform/ecs.yaml
diff --git a/examples/snippets/stacks/workflows/eks.yaml b/examples/snippets/stacks/workflows/quickstart/platform/eks.yaml
similarity index 100%
rename from examples/snippets/stacks/workflows/eks.yaml
rename to examples/snippets/stacks/workflows/quickstart/platform/eks.yaml
diff --git a/examples/snippets/stacks/workflows/release_engineering.yaml b/examples/snippets/stacks/workflows/release_engineering.yaml
deleted file mode 100644
index ed96fd3fd..000000000
--- a/examples/snippets/stacks/workflows/release_engineering.yaml
+++ /dev/null
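Review bot: The new final line `echo "Please upload this PAT to 1Password"` is written without a trailing newline (`\ No newline at end of file`), so the next edit to this file will show as a change to this line and some YAML linters will flag it; add the final newline. The `Scope:` string is changed the same way in the preceding hunk at line 249 for the non-prod PAT, so the two prompts stay consistent with each other. The enclosing `command: |-` block scalar starts above this hunk.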
@@ -1,35 +0,0 @@ -workflows: - verify/github-oidc-providers: - description: | - This workflow ensures all Github OIDC Provider Configuration deployed. - Please assume `acme-core-gbl-root-admin` - steps: - - command: workflow deploy/github-oidc-provider -f github - - deploy/pre-requisites: - description: | - This workflow ensures all components are up to date before attempting to deploy the repos that access them. - Often a eks/cluster component will need to be reapplied to add OIDC access for a given repo. - steps: - - command: terraform deploy ecr -s core-use1-artifacts - - command: workflow deploy/acm -f network - - command: terraform deploy eks/cluster -s plat-use1-dev - - command: terraform deploy eks/cluster -s plat-use1-staging - - command: terraform deploy eks/cluster -s plat-use1-prod - - deploy/acm: - description: | - This workflow deploys additional ACM certificates required for specific release workflow environments. - steps: - - command: terraform deploy acm/preview -s plat-use1-dev - - command: terraform deploy acm/hotfix -s plat-use1-dev - - command: terraform deploy acm/qa1 -s plat-use1-staging - - command: terraform deploy acm/qa2 -s plat-use1-staging - - command: terraform deploy acm/qa3 -s plat-use1-staging - - command: terraform deploy acm/qa4 -s plat-use1-staging - - demo/install: - description: | - This workflow deploys GitHub repositories for release engineering demo - steps: - - command: terraform deploy release-engineering-bootstrap -s core-gbl-auto