-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #161 from domain-protect/prd-environment
production example and workflow
- Loading branch information
Showing
9 changed files
with
186 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| name: Deploy Domain Protect Production | ||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| env: | ||
| TERRAFORM_VERSION: "1.7.3" | ||
| TF_VAR_org_primary_account: ${{ secrets.ORG_PRIMARY_ACCOUNT }} | ||
| TF_VAR_slack_webhook_urls: ${{ secrets.SLACK_WEBHOOK_URLS }} | ||
| TF_VAR_external_id: ${{ secrets.EXTERNAL_ID }} | ||
| TF_VAR_cf_api_key: ${{ secrets.CF_API_KEY }} | ||
| TF_VAR_hackerone_api_token: ${{ secrets.HACKERONE_API_TOKEN }} | ||
| TF_VAR_region: ${{ secrets.AWS_REGION }} | ||
| TF_CLI_ARGS_init: "-backend-config=\"bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}\" -backend-config=\"key=${{ secrets.TERRAFORM_STATE_KEY }}\" -backend-config=\"region=${{ secrets.TERRAFORM_STATE_REGION }}\"" | ||
|
|
||
| jobs: | ||
| terraform_plan_apply_prd: | ||
| name: Terraform plan & apply prd | ||
| environment: 'prd' | ||
| runs-on: ubuntu-latest | ||
| defaults: | ||
| run: | ||
| working-directory: ./examples/prd | ||
|
|
||
| permissions: | ||
| id-token: write | ||
| contents: write | ||
| pull-requests: write | ||
| checks: write | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | ||
|
|
||
| - name: Terraform setup | ||
| uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3 | ||
| with: | ||
| terraform_version: ${{ env.TERRAFORM_VERSION }} | ||
|
|
||
| - name: Terraform format | ||
| run: terraform fmt -check -recursive | ||
|
|
||
| - name: Set up Python | ||
| uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5 | ||
|
|
||
| - name: Display Python version | ||
| run: python -c "import sys; print(sys.version)" | ||
|
|
||
| - name: Install virtualenv | ||
| run: pip install virtualenv | ||
|
|
||
| - name: Configure AWS Credentials | ||
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4 | ||
| with: | ||
| role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN}} | ||
| aws-region: ${{ secrets.AWS_REGION }} | ||
|
|
||
| - name: set Terraform prd workspace | ||
| run: | | ||
| terraform init | ||
| terraform workspace list > list.txt | ||
| if grep "prd" list.txt | ||
| then | ||
| terraform workspace select prd | ||
| else | ||
| echo "creating prd terraform workspace" | ||
| terraform workspace new prd | ||
| fi | ||
| - name: terraform plan prd | ||
| run: terraform plan -out tfplan | ||
|
|
||
| - name: terraform apply prd | ||
| run: terraform apply -auto-approve tfplan |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Example deployment | ||
|
|
||
| ## Local testing | ||
| * replace the Terraform state S3 bucket fields in the command below as appropriate | ||
| * for local testing, duplicate `terraform.tfvars.example`, rename without the `.example` suffix | ||
| * enter details appropriate to your organization and save | ||
|
|
||
| Initialise Terraform: | ||
| ```bash | ||
| terraform init -backend-config=bucket=TERRAFORM_STATE_BUCKET -backend-config=key=TERRAFORM_STATE_KEY -backend-config=region=TERRAFORM_STATE_REGION | ||
| ``` | ||
| If using the same Terraform state bucket for multiple environments, e.g. `dev` and `prd`: | ||
| ```bash | ||
| terraform workspace new dev | ||
| ``` | ||
| Plan Terraform locally: | ||
| ``` | ||
| terraform plan | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| terraform { | ||
| backend "s3" { | ||
| # bucket = "YOUR S3 BUCKET NAME" | ||
| # key = "domain-protect" | ||
| # region = "YOUR S3 BUCKET REGION" | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| module "domain_protect" { | ||
| source = "../../" | ||
| # source = "domain-protect/domain-protect/aws" | ||
| # version = "0.5.1" | ||
|
|
||
| allowed_regions = "['eu-west-1', 'eu-west-2', 'us-east-1']" | ||
| cf_api_key = var.cf_api_key | ||
| cloudflare = true | ||
| environment = "prd" | ||
| external_id = var.external_id | ||
| hackerone = "enabled" | ||
| ip_address = true | ||
| ip_scan_schedule = "10 minutes" | ||
| ip_time_limit = 0.1 # 6 minutes | ||
| org_primary_account = var.org_primary_account | ||
| rcu = 1 | ||
| scan_schedule = "10 minutes" | ||
| slack_channels = ["devsecops"] | ||
| slack_webhook_type = "app" | ||
| slack_webhook_urls = var.slack_webhook_urls | ||
| takeover = true | ||
| update_schedule = "10 minutes" | ||
| wcu = 1 | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| provider "aws" { | ||
| default_tags { | ||
| tags = var.tags | ||
| } | ||
| } | ||
|
|
||
| provider "archive" {} | ||
| provider "null" {} | ||
| provider "random" {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| org_primary_account = "012345678901" | ||
| external_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" | ||
| cf_api_key = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" | ||
| hackerone_api_token = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX" | ||
|
|
||
| slack_webhook_urls = ["https://hooks.slack.com/services/XXXXXXXXXX/XXXXXXXXXXXXXXXXX"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| variable "cf_api_key" { | ||
| description = "Cloudflare API token" | ||
| } | ||
|
|
||
| variable "external_id" { | ||
| description = "external ID for security audit role to be defined in tvars file. Leave empty if not configured" | ||
| } | ||
|
|
||
| variable "hackerone_api_token" { | ||
| description = "HackerOne API token" | ||
| } | ||
|
|
||
| variable "org_primary_account" { | ||
| description = "The AWS account number of the organization primary account" | ||
| } | ||
|
|
||
| variable "slack_webhook_urls" { | ||
| description = "List of Slack webhook URLs, in the same order as the slack_channels list - enter in tfvars file" | ||
| type = list(string) | ||
| } | ||
|
|
||
| variable "tags" { | ||
| description = "Default tags to apply to all resources" | ||
| type = map(string) | ||
| default = {} | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| terraform { | ||
| required_version = "> 1" | ||
|
|
||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = "> 5.12.0" | ||
| } | ||
| archive = { | ||
| source = "hashicorp/archive" | ||
| version = "> 2.2.0" | ||
| } | ||
| null = { | ||
| source = "hashicorp/null" | ||
| version = "> 3.1.0" | ||
| } | ||
| random = { | ||
| source = "hashicorp/random" | ||
| version = "> 3.1.0" | ||
| } | ||
| } | ||
| } |