production example and workflow
paulschwarzenberger committed Dec 21, 2024
1 parent 6f6007e commit d7a53b4
Showing 9 changed files with 186 additions and 1 deletion.
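--- a/.github/workflows/prd.yml
+++ b/.github/workflows/prd.yml
@@ -0,0 +1,72 @@
+name: Deploy Domain Protect Production
+on:
+workflow_dispatch:
+
+env:
+TERRAFORM_VERSION: "1.7.3"
+TF_VAR_org_primary_account: ${{ secrets.ORG_PRIMARY_ACCOUNT }}
+TF_VAR_slack_webhook_urls: ${{ secrets.SLACK_WEBHOOK_URLS }}
+TF_VAR_external_id: ${{ secrets.EXTERNAL_ID }}
+TF_VAR_cf_api_key: ${{ secrets.CF_API_KEY }}
+TF_VAR_hackerone_api_token: ${{ secrets.HACKERONE_API_TOKEN }}
+TF_VAR_region: ${{ secrets.AWS_REGION }}
+TF_CLI_ARGS_init: "-backend-config=\"bucket=${{ secrets.TERRAFORM_STATE_BUCKET }}\" -backend-config=\"key=${{ secrets.TERRAFORM_STATE_KEY }}\" -backend-config=\"region=${{ secrets.TERRAFORM_STATE_REGION }}\""
+
+jobs:
+terraform_plan_apply_prd:
+name: Terraform plan & apply prd
+environment: 'prd'
+runs-on: ubuntu-latest
+defaults:
+run:
+working-directory: ./examples/prd
+
+permissions:
+id-token: write
+contents: write
+pull-requests: write
+checks: write
+steps:
+- name: Checkout
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+- name: Terraform setup
+uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
+with:
+terraform_version: ${{ env.TERRAFORM_VERSION }}
+
+- name: Terraform format
+run: terraform fmt -check -recursive
+
+- name: Set up Python
+uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5
+
+- name: Display Python version
+run: python -c "import sys; print(sys.version)"
+
+- name: Install virtualenv
+run: pip install virtualenv
+
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
+with:
+role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN}}
+aws-region: ${{ secrets.AWS_REGION }}
+
+- name: set Terraform prd workspace
+run: |
+terraform init
+terraform workspace list > list.txt
+if grep "prd" list.txt
+then
+terraform workspace select prd
+else
+echo "creating prd terraform workspace"
+terraform workspace new prd
+fi
+- name: terraform plan prd
+run: terraform plan -out tfplan
+
+- name: terraform apply prd
+run: terraform apply -auto-approve tfplan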
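Review bot: The job's `permissions` block grants `contents: write`, `pull-requests: write` and `checks: write`, yet no step writes to the repository, opens a pull request or publishes a check; the only token use visible is the OIDC exchange in the configure-aws-credentials step, so the grant can shrink to `id-token: write` and `contents: read`. A workflow-level `concurrency: { group: terraform-prd, cancel-in-progress: false }` would also keep two manual dispatches from running plan and apply against the same state at once, which matters because backend.tf in this commit configures no lock table. Because `terraform plan -out tfplan` and `terraform apply -auto-approve tfplan` run in the same job, the only approval gate is whatever protection rule the `prd` environment carries; that rule is not visible here, so confirm it requires reviewers before the apply step can run. Separately, `grep "prd" list.txt` matches any workspace whose name merely contains `prd`; a whole-word match such as `grep -qw prd list.txt` is safer.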
2 changes: 1 addition & 1 deletion examples/dev/main.tf
Expand Up @@ -8,7 +8,7 @@ module "domain_protect" {
cloudflare = true
environment = "dev"
external_id = var.external_id
hackerone = "enabled"
hackerone = "disabled"
ip_address = true
ip_time_limit = 0.1 # 6 minutes
org_primary_account = var.org_primary_account
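--- a/examples/prd/README.md
+++ b/examples/prd/README.md
@@ -0,0 +1,19 @@
+# Example deployment
+
+## Local testing
+* replace the Terraform state S3 bucket fields in the command below as appropriate
+* for local testing, duplicate `terraform.tfvars.example`, rename without the `.example` suffix
+* enter details appropriate to your organization and save
+
+Initialise Terraform:
+```bash
+terraform init -backend-config=bucket=TERRAFORM_STATE_BUCKET -backend-config=key=TERRAFORM_STATE_KEY -backend-config=region=TERRAFORM_STATE_REGION
+```
+If using the same Terraform state bucket for multiple environments, e.g. `dev` and `prd`:
+```bash
+terraform workspace new dev
+```
+Plan Terraform locally:
+```
+terraform plan
+```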
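--- a/examples/prd/backend.tf
+++ b/examples/prd/backend.tf
@@ -0,0 +1,7 @@
+terraform {
+backend "s3" {
+# bucket = "YOUR S3 BUCKET NAME"
+# key = "domain-protect"
+# region = "YOUR S3 BUCKET REGION"
+}
+}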
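Review bot: The `s3` backend declares no locking, so a concurrent run of the prd workflow, or a local apply alongside it, can race on the same state object. With the Terraform 1.7.3 the workflow pins, locking means a DynamoDB table; adding it as a commented placeholder in the file's existing style, `# dynamodb_table = "YOUR STATE LOCK TABLE"`, together with `# encrypt = true`, tells users which extra `-backend-config` values to supply. The state key is also the same `domain-protect` suggested for every environment, which is only safe because the workflow relies on workspaces; a comment saying so would save the next reader from reusing the key without one.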
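--- a/examples/prd/main.tf
+++ b/examples/prd/main.tf
@@ -0,0 +1,24 @@
+module "domain_protect" {
+source = "../../"
+# source = "domain-protect/domain-protect/aws"
+# version = "0.5.1"
+
+allowed_regions = "['eu-west-1', 'eu-west-2', 'us-east-1']"
+cf_api_key = var.cf_api_key
+cloudflare = true
+environment = "prd"
+external_id = var.external_id
+hackerone = "enabled"
+ip_address = true
+ip_scan_schedule = "10 minutes"
+ip_time_limit = 0.1 # 6 minutes
+org_primary_account = var.org_primary_account
+rcu = 1
+scan_schedule = "10 minutes"
+slack_channels = ["devsecops"]
+slack_webhook_type = "app"
+slack_webhook_urls = var.slack_webhook_urls
+takeover = true
+update_schedule = "10 minutes"
+wcu = 1
+}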
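Review bot: `hackerone = "enabled"` is set, but the module call never passes a HackerOne token, even though variables.tf in this commit declares `hackerone_api_token` and the workflow exports `TF_VAR_hackerone_api_token`; if the module has a `hackerone_api_token` input, add `hackerone_api_token = var.hackerone_api_token`, otherwise the variable and the secret are dead configuration. The `10 minutes` schedules and `ip_time_limit = 0.1 # 6 minutes` are the same values the dev example uses, which reads as test cadence rather than a production setting; if that is deliberate for a sample, a comment saying so would pre-empt the question. `allowed_regions` is a string that looks like a list literal; the module's input type is not visible here, so confirm that is the format it expects.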
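--- a/examples/prd/providers.tf
+++ b/examples/prd/providers.tf
@@ -0,0 +1,9 @@
+provider "aws" {
+default_tags {
+tags = var.tags
+}
+}
+
+provider "archive" {}
+provider "null" {}
+provider "random" {}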
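Review bot: The `aws` provider block sets no `region`, so it appears to rely on the `AWS_REGION` environment variable that the configure-aws-credentials step exports in the workflow; a local run following the README will stop with a missing-region error unless that variable is exported, and the README does not mention it. The workflow already exports `TF_VAR_region`, which nothing under examples/prd declares; declaring a `region` variable and adding `region = var.region` here would make the example self-contained and remove the silent dependency.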
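--- a/examples/prd/terraform.tfvars.example
+++ b/examples/prd/terraform.tfvars.example
@@ -0,0 +1,6 @@
+org_primary_account = "012345678901"
+external_id = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+cf_api_key = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+hackerone_api_token = "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
+
+slack_webhook_urls = ["https://hooks.slack.com/services/XXXXXXXXXX/XXXXXXXXXXXXXXXXX"]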
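Review bot: Once a user follows the README and copies this file to `terraform.tfvars`, that copy holds the Cloudflare key, HackerOne token and Slack webhook URLs in plain text; this commit shows no `.gitignore` for examples/prd, so confirm `*.tfvars` is ignored at the repository level. A one-line header comment, `# copy to terraform.tfvars (must be git-ignored) and fill in real values`, would make that expectation explicit in the file itself.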
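--- a/examples/prd/variables.tf
+++ b/examples/prd/variables.tf
@@ -0,0 +1,26 @@
+variable "cf_api_key" {
+description = "Cloudflare API token"
+}
+
+variable "external_id" {
+description = "external ID for security audit role to be defined in tvars file. Leave empty if not configured"
+}
+
+variable "hackerone_api_token" {
+description = "HackerOne API token"
+}
+
+variable "org_primary_account" {
+description = "The AWS account number of the organization primary account"
+}
+
+variable "slack_webhook_urls" {
+description = "List of Slack webhook URLs, in the same order as the slack_channels list - enter in tfvars file"
+type = list(string)
+}
+
+variable "tags" {
+description = "Default tags to apply to all resources"
+type = map(string)
+default = {}
+}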
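Review bot: `cf_api_key`, `hackerone_api_token`, `external_id` and `slack_webhook_urls` are all credentials, but none is marked `sensitive = true`, so their values can appear in `terraform plan` output and therefore in the workflow log of the plan step. Four of the six variables also omit `type`; adding `type = string` catches a mistyped tfvars entry at validation rather than deep inside the module. The `external_id` description says to leave it empty when unused, yet the variable has no `default`, so an omitted value prompts or fails instead of defaulting; `default = ""` would match the description. Suggested rewrite of the credential variables:

```hcl
variable "cf_api_key" {
  description = "Cloudflare API token"
  type        = string
  sensitive   = true
}

variable "external_id" {
  description = "external ID for security audit role to be defined in tvars file. Leave empty if not configured"
  type        = string
  default     = ""
  sensitive   = true
}

variable "hackerone_api_token" {
  description = "HackerOne API token"
  type        = string
  sensitive   = true
}

# … unchanged: org_primary_account (add type = string), tags …

variable "slack_webhook_urls" {
  description = "List of Slack webhook URLs, in the same order as the slack_channels list - enter in tfvars file"
  type        = list(string)
  sensitive   = true
}
```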
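--- a/examples/prd/versions.tf
+++ b/examples/prd/versions.tf
@@ -0,0 +1,22 @@
+terraform {
+required_version = "> 1"
+
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = "> 5.12.0"
+}
+archive = {
+source = "hashicorp/archive"
+version = "> 2.2.0"
+}
+null = {
+source = "hashicorp/null"
+version = "> 3.1.0"
+}
+random = {
+source = "hashicorp/random"
+version = "> 3.1.0"
+}
+}
+}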
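Review bot: Every constraint here is an open lower bound (`> 1`, `> 5.12.0`, `> 2.2.0`, `> 3.1.0`), so a fresh `terraform init` takes whatever newest major version the registry offers, including a future breaking release of hashicorp/aws, unless a `.terraform.lock.hcl` is committed for examples/prd (none appears in this commit). A pessimistic constraint such as `version = "~> 5.12"` for aws, with `~> 2.2` and `~> 3.1` for the others, pins the major version while still accepting minor updates. `required_version = "> 1"` excludes only 1.0.0 exactly; `required_version = ">= 1.7.3"`, matching the version the workflow pins, states the real requirement.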
