ci(terraform): Add matrix for multi environment deployment (#35)

Author: chris3ware

.envrc

@@ -1,22 +1,19 @@
 name: Terraform Docs
+run-name: ${{ github.event.workflow_run.display_title }}
 
 on:
-  pull_request:
-    types: [closed]
-    branches: [main]
-    paths:
-      - "**/*.tf"
-      - "**/*.tfvars"
-      - "**/*.tftpl"
+  workflow_run:
+    workflows: [Terraform CI]
+    types: [completed]
 
 # Disable permissions for all available scopes
 permissions: {}
 
 jobs:
   terraform-docs:
-    if: ${{ github.event.pull_request.merged == true }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
     name: Terraform Docs
     uses: 3ware/workflows/.github/workflows/terraform-docs.yaml@7880d6b986d1d689f5d219e901b863f1378fea9c # v4.4.0
     secrets: inherit
     with:
-      tf-directory: terraform/development
+      tf-directory: terraform

.github/README.md

@@ -1,9 +1,11 @@
 name: Checks
+run-name: ${{ github.event_name == 'merge_group' && github.event.merge_group.head_commit.message || ''}}
 
 on:
   pull_request:
     branches: [main]
-    types: [opened, edited, synchronize]
+  merge_group:
+    types: [checks_requested]
 
 # Disable permissions for all available scopes
 permissions: {}

.github/workflows/terraform-ci.yaml

@@ -27,4 +27,7 @@ override.tf.json
 
 # Ignore CLI configuration files
 .terraformrc
-terraform.rc
+terraform.rc
+
+# Ignore direnv files
+.envrc

.github/workflows/terraform-docs.yaml

@@ -2,12 +2,12 @@
 # To learn more about the format of this file, see https://docs.trunk.io/reference/trunk-yaml
 version: 0.1
 cli:
-  version: 1.22.6
+  version: 1.22.7
 # Trunk provides extensibility via plugins. (https://docs.trunk.io/plugins)
 plugins:
   sources:
     - id: trunk
-      ref: v1.6.3
+      ref: v1.6.4
       uri: https://github.com/trunk-io/plugins
 # Many linters and tools depend on runtimes - configure them here. (https://docs.trunk.io/runtimes)
 runtimes:
@@ -17,19 +17,19 @@ runtimes:
 # This is the section where you manage your linters. (https://docs.trunk.io/check/configuration)
 lint:
   disabled:
+    - checkov
+    - trivy
     - regal
   enabled:
-    - [email protected]
-    - [email protected]
+    - [email protected]
     - [email protected]
     - [email protected]:
         commands: [fmt, validate]
     - [email protected]
-    - [email protected]
     - git-diff-check
     - [email protected]
     - [email protected]
-    - trufflehog@3.82.8
+    - trufflehog@3.83.2
     - [email protected]
   definitions:
     - name: tflint

.github/workflows/wait-for-checks.yaml

@@ -0,0 +1,21 @@
+development_aws_account_id: ENC[AES256_GCM,data:DJFVyfC1L2sU3Rg3,iv:/tY8GG2lda8IP2ITG72Xh4sMs+Tt4VNAP1Qb1LdTZoM=,tag:GwieQ56POhsSxjexHYx9fg==,type:int]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1wpy4kcrhan5ffwwv9dke50v9e302lhravg2njkze9qu33xgnr42q9p2d22
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoSml5M1p6MHIzaitVaGVW
+            OTBZNVBQRmVXU2FENXFnb2UvdFNFYTJhSG1ZCk5FSEUvZFZiVUJFdzVXdC9hclNj
+            T0NicFFSZ212QkdlRTFuQ3lSZUpVMWsKLS0tIFVta2pYaC9VMXlnbU1KNW1Zcnk4
+            aXRkOUhWakRBUEtxSWdFVkw2R3ZscFEKm9zke6+CQFYyFohhm2XLMqW3ffkPs10d
+            Lk5rBlAmGTsneyVHNdBrF/zjD6nKOqs7MZudWX+rZFgeSBnSjxo8qA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-01T11:23:38Z"
+    mac: ENC[AES256_GCM,data:UItGJx1VhU+OtH0B7wcrBdiLjS3sZQwvZ+9pRLA7alkUU56AkdhSGHIIOrstdO8Nnb3Yjt4mPpwyKHUx1r3eIczQUGqUxa3h8kaF7fzyhf3RkJdLsnYRxvjvk7iHRKr/Ey0wtFFa5cGo7bSj2Ar0RTARq1pglLGJ6kRDjMzWaJo=,iv:HHzgmVOWktFiW5YaFEFyMy2wlhPc/v5v1+ccLpRZsB0=,tag:ipbezFjdtACwvEosS+p0Lg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

.gitignore

@@ -1,14 +1,3 @@
-output "aws_account_id" {
-  description = "AWS account number resources are deployed into"
-  value       = data.aws_caller_identity.current.account_id
-  sensitive   = true
-}
-
-output "default_tags" {
-  description = "A map of default tags applied to resources."
-  value       = data.aws_default_tags.this.tags
-}
-
 output "grafana_ip" {
   description = "The connection details of the grafana server."
   value       = "http://${aws_instance.grafana_server.public_ip}:3000"

.trunk/trunk.yaml

@@ -1,67 +1,14 @@
-terraform {
-  # Must be above 1.9.0 to allow cross-object referencing for input variable validations
-  required_version = ">=1.9.0, <=2.0.0"
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~>5.69.0"
-    }
-    # http = {
-    #   source  = "hashicorp/http"
-    #   version = "~>3.4.5"
-    # }
-  }
-}
-
-locals {
-  valid_account_no = {
-    development = "713881824542"
-    production  = "535002868697"
-  }
-}
-
-data "aws_caller_identity" "current" {
-  lifecycle {
-    postcondition {
-      condition = contains(values(local.valid_account_no), self.id)
-      error_message = format(
-        "Invalid AWS account ID specified. Received: '%s', Require: '%s'.\n%s",
-        self.id,
-        join(", ", values(local.valid_account_no)),
-        "Configure AWS credentials to assume the correct role."
-      )
-    }
-  }
-}
-
-locals {
-  # Defines a list of permitted environment tag values. Used by the postcondition in the aws_default_tags data source
-  # to validate the environment tag extrapolated from the workspace name in data.tf
-  valid_environment = ["development", "production"]
-}
-
-data "aws_default_tags" "this" {
-  lifecycle {
-    postcondition {
-      condition = anytrue([
-        for tag in values(self.tags) : contains(local.valid_environment, tag)
-      ])
-      error_message = format(
-        "Invalid environment tag specified. Received: '%s', Require: '%s'.\n%s",
-        self.tags["3ware:environment"],
-        join(", ", local.valid_environment),
-        "Rename workspace with a valid environment suffix."
-      )
-    }
-  }
+data "sops_file" "aws_account_id" {
+  source_file = "${path.module}/.sops-files/sensitive.enc.yaml"
 }
 
 provider "aws" {
-  region = var.region
+  region              = var.region
+  allowed_account_ids = [data.sops_file.aws_account_id.data["${var.environment}_aws_account_id"]]
   default_tags {
     tags = {
       "3ware:project-id"           = var.project_id
-      "3ware:environment"          = local.environment
+      "3ware:environment"          = var.environment
       "3ware:managed-by-terraform" = true
       "3ware:workspace"            = terraform.workspace
     }

terraform/development/.sops-files/sensitive.enc.yaml

@@ -1,3 +1,4 @@
+environment       = "development"
 instance_type     = "t2.micro"
 project_id        = "gitops-2024"
 region            = "us-east-1"

terraform/development/.terraform.lock.hcl

@@ -1,3 +1,23 @@
+locals {
+  valid_environment = ["development"]
+}
+
+variable "environment" {
+  description = "(Required) Terraform deployment environment"
+  type        = string
+
+  validation {
+    condition = contains(local.valid_environment, var.environment)
+    error_message = format(
+      "Invalid environment provided. Received: '%s', Require: '%v'.\n%s",
+      var.environment,
+      join(", ", local.valid_environment),
+      "Change the environment variable value to one that is permitted."
+    )
+  }
+}
+
+
 locals {
   valid_instance_types = ["t2.micro"]
 }

terraform/development/outputs.tf

@@ -1,6 +1,20 @@
 terraform {
-  required_version = ">= 1.8.2"
-
+  # Must be above 1.9.0 to allow cross-object referencing for input variable validations
+  required_version = ">=1.9.0, < 2.0.0"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~>5.69.0"
+    }
+    # http = {
+    #   source  = "hashicorp/http"
+    #   version = "~>3.4.5"
+    # }
+    sops = {
+      source  = "carlpett/sops"
+      version = "~> 1.1.1"
+    }
+  }
   cloud {
     organization = "3ware"
     hostname     = "app.terraform.io"

terraform/development/providers.tf

@@ -0,0 +1,21 @@
+production_aws_account_id: ENC[AES256_GCM,data:OGQZoe74L66XGHe5,iv:FI81M4+97WLF5KzLjA3H7AkaFC4uDx+ooS0vXGv4scM=,tag:K0yrBflkL/cObMnb+HWVIw==,type:int]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1wpy4kcrhan5ffwwv9dke50v9e302lhravg2njkze9qu33xgnr42q9p2d22
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvbDlpYlJsOHE1SVd4MWZj
+            eXNuZ1dyVTVWbGZqZXpUTWdRWnc5TnFOd21zCkd2TkQrUWhwaWhJaThjZmVBZGYw
+            ck1WRkhtK0ZNYmFmaXNMQXQweVFPZFkKLS0tIGFCZytBUy9SbnNkbUFIVCtKZWJH
+            Q3dVbjg3NXZPME9sdUtEYzVlcGhPbG8KyuJvku8qDbnmOm2zG94RthEQM8ML2U3n
+            YFfHPYaKVQydgbb6lziQywZja2oJICXM1zRbGvadQNpN4VH6D7OFfw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-01T14:56:19Z"
+    mac: ENC[AES256_GCM,data:OVSNjOmC9onsy5pQPO7nIQOsDXkY3CiJ611x+Etun5XMqVpPFaVqv6xsQeNXNth4bc0uqui8zH6hGJ8TZ6Y5idfzej3fqOJ0Qz1VoLKgYNSnUsQJ/LtIKTrVaJv6zMqIrkcTwC+4Xva+Rrb538XavQ/J6PP8JOez2ako5E3BYpc=,iv:SuPbeZ1MBySAKnMY3gryyOzX3cZ0ajblmfYMBqA+zy4=,tag:chYjPV86oIqUGm+b3XHpuQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1