added github actions, trivy, tflint, and alb certificate

CDCgov · Dec 17, 2024 · 3b9caa5 · 3b9caa5
1 parent 06206c8
commit 3b9caa5
Show file tree

Hide file tree

Showing 8 changed files with 292 additions and 18 deletions.
diff --git a/.github/workflows/ecs_deployment_apply.yaml b/.github/workflows/ecs_deployment_apply.yaml
@@ -0,0 +1,85 @@
+name: Terraform Apply
+run-name: Terraform apply ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      workspace:
+        description: 'The workspace to terraform against'
+        required: true
+        type: choice
+        options:
+          - " "
+          - prod
+
+concurrency:
+  group: ${{ github.event.inputs.workspace }}-terraform
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  workspace: ${{ github.event.inputs.workspace }}
+  terraform_action: apply
+
+jobs:
+  terraform:
+    name: Run Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        # this may need to be updated if you change the directory you are working with
+        # ./terraform/implementation/dev || ./terraform/implementation/prod for example
+        # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts
+        working-directory: ./terraform/implementation/ecs
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.9.8"
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: githubDeploymentWorkflow
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Terraform
+        env:
+          ACTION: ${{ env.terraform_action }}
+          BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+          DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+          OWNER: ${{ vars.OWNER }}
+          PROJECT: ${{ vars.PROJECT }}
+          REGION: ${{ vars.AWS_REGION }}
+          WORKSPACE: ${{ env.workspace }}
+          UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }}
+          ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}}
+          TLS_CERT: ${{ secrets.TLS_CERT}}
+          TLS_KEY: ${{ secrets.TLS_KEY}}         
+        shell: bash
+        run: |
+          echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars
+          echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars
+          echo "region = \"$REGION\"" >> $WORKSPACE.tfvars               
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          terraform apply -auto-approve \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \      
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert"=${TLS_CERT}" \
+
diff --git a/.github/workflows/ecs_deployment_plan.yaml b/.github/workflows/ecs_deployment_plan.yaml
@@ -0,0 +1,89 @@
+
+
+name: Terraform Plan
+run-name: Terraform plan ${{ inputs.workspace }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      workspace:
+        description: 'The workspace to terraform against'
+        required: true
+        type: choice
+        options:
+          - " "
+          - prod
+
+concurrency:
+  group: ${{ github.event.inputs.workspace }}-terraform
+  cancel-in-progress: false
+
+permissions:
+  id-token: write
+  contents: read
+
+env:
+  workspace: ${{ github.event.inputs.workspace }}
+  terraform_action: plan
+
+jobs:
+  terraform:
+    name: Run Terraform
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: bash
+        # this may need to be updated if you change the directory you are working with
+        # ./terraform/implementation/dev || ./terraform/implementation/prod for example
+        # this practice is recommended to keep the terraform code organized while reducing the risk of conflicts
+        working-directory: ./terraform/implementation/ecs
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@v4
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.9.8"
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          role-session-name: githubDeploymentWorkflow
+          aws-region: ${{ vars.region }}
+
+      - name: Terraform
+        env:
+          ACTION: ${{ env.terraform_action }}
+          BUCKET: ${{ secrets.TFSTATE_BUCKET }}
+          DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
+          OWNER: ${{ vars.OWNER }}
+          PROJECT: ${{ vars.PROJECT }}
+          REGION: ${{ vars.AWS_REGION }}
+          WORKSPACE: ${{ env.workspace }}
+          UMLS_API_KEY: ${{ secrets.UMLS_API_KEY }}
+          ERSD_API_KEY: ${{ secrets.ERSD_API_KEY}}
+          TLS_CERT : ${{ secrets.TLS_CERT}}
+          TLS_KEY : ${{ secrets.TLS_KEY}}
+        shell: bash
+        run: |
+          echo "owner = \"$OWNER\"" >> $WORKSPACE.tfvars
+          echo "project = \"$PROJECT\"" >> $WORKSPACE.tfvars
+          echo "region = \"$REGION\"" >> $WORKSPACE.tfvars         
+          terraform init \
+            -var-file="$WORKSPACE.tfvars" \
+            -backend-config "bucket=$BUCKET" \
+            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
+            -backend-config "region=$REGION" \
+            || (echo "terraform init failed, exiting..." && exit 1)
+          terraform workspace select "$WORKSPACE"
+          terraform apply -auto-approve \
+            -var-file="$WORKSPACE.tfvars" \
+            -var "umls_api_key=${UMLS_API_KEY}" \
+            -var "ersd_api_key=${ERSD_API_KEY}" \      
+            -var "qc_tls_key=${TLS_KEY}" \
+            -var "qc_tls_cert"=${TLS_CERT}" \
+
+
+
diff --git a/.github/workflows/tflint.yaml b/.github/workflows/tflint.yaml
@@ -0,0 +1,47 @@
+name: Terraform Linting
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  tflint:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        dirs: [terraform/modules/oidc, terraform/modules/tfstate, terraform/implementation/setup, terraform/implementation/ecs]
+
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout source code
+
+      - uses: actions/cache@v4
+        name: Cache plugin dir
+        with:
+          path: ~/.tflint.d/plugins
+          key: ${{ matrix.dirs }}-tflint-${{ hashFiles('.tflint.hcl') }}
+
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v0.52.0
+
+      - name: Show version
+        run: tflint --version
+
+      - name: Init TFLint
+        run: tflint --init
+        # If rate limiting becomes an issue, setup a GitHub token and enable it as an environment variable
+        # env:
+          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
+          # GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Run TFLint
+        working-directory: ${{ github.workspace }}/${{matrix.dirs}}
+        run: tflint -f compact
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
@@ -0,0 +1,32 @@
+name: Trivy Security Scan
+
+on:
+  pull_request:
+  push:
+    branches: 
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  trivy:
+    name: trivy
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          scan-ref: 'terraform/modules/'
+          scanners: 'vuln,secret,config'
+          ignore-unfixed: false
+          exit-code: '1'
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
diff --git a/.gitignore b/.gitignore
@@ -85,4 +85,6 @@ build/
 .env
 .local.env 
 
-tmp_remote_image_*
+tmp_remote_image_*
+
+.terraform
diff --git a/terraform/implementation/ecs/_variable.tf b/terraform/implementation/ecs/_variable.tf
@@ -109,19 +109,23 @@ variable "cred_manager" {
   default     = "undefined"
 }
 
-# variable "qc_db_connection_string" {
-#   description = "Connection string to the tefca database"
-# }
+variable "umls_api_key" {
+  description = "Key for the UMLS API"
+  sensitive = true
+}
 
-# variable "qc_jdbc_db_url" {
-#   description = "JDBC connection string for flyway to the qc database"
-# }
+variable "ersd_api_key" {
+  description = "Key for the ERSD API"
+  sensitive = true
+}
 
+variable "qc_tls_key" {
+  description = "Key for the Cloudfare cert for domain: queryconnector.dev"
+  sensitive = true
+}
 
-# variable "qc_jdbc_db_password" {
-#   description = "JDBC password for flyway to the qc database"
-# }
+variable "qc_tls_cert" {
+  description = "Certificate importing from Cloudfare: queryconnector.dev"
+  sensitive = true
+}
 
-# variable "qc_jdbc_db_user" {
-#   description = "JDBC username for flyway to the qc database"
-# }
diff --git a/terraform/implementation/ecs/main.tf b/terraform/implementation/ecs/main.tf
@@ -4,6 +4,15 @@
 #   statuses = ["ISSUED"]
 # }
 
+
+
+resource "aws_acm_certificate" "cloudflare_cert" {
+  private_key      = var.qc_tls_key       # Private key from Cloudflare
+  certificate_body = var.qc_tls_cert      # Public cert from Cloudflare
+
+  provider = aws.us-east-1  # ACM certificates for ALB must be in the "us-east-1" region when using CloudFront
+}
+
 data "aws_caller_identity" "current" {}
 
 module "vpc" {
@@ -37,7 +46,6 @@ module "ecs" {
   tags         = local.tags
 
 
-
   phdi_version = "main"
 
   service_data = {
@@ -88,7 +96,14 @@ module "ecs" {
          name  = "FLYWAY_USER"
          value = aws_db_instance.qc_db.username
          },
-
+         {    
+         name  = "UMLS_API_KEY"
+         value = var.umls_api_key
+         },
+                  {    
+         name  = "ERSD_API_KEY"
+         value = var.ersd_api_key
+         },
       ]
     }
   }
@@ -102,13 +117,13 @@ module "ecs" {
   internal = var.internal
 
   # If the intent is to enable https and port 443, pass the arn of the cert in AWS certificate manager. This cert will be applied to the load balancer. (default is "")
-  # certificate_arn = data.aws_acm_certificate.this.arn
+  certificate_arn = aws_acm_certificate.cloudflare_cert.arn
 
   # If the intent is to disable authentication, set ecr_viewer_app_env to "test" (default is "prod")
   # ecr_viewer_app_env = "test"
 
   # To disable autoscaling, set enable_autoscaling to false (default is true)
-  # enable_autoscaling = false
+  enable_autoscaling = false
 
   # If intent is to use a metadata database for polutating the ecr-viewer library, setup the database data object to connect to the database (supported databases are postgres and sqlserver)
   # Postgresql database example

diff --git a/terraform/implementation/setup/main.tf b/terraform/implementation/setup/main.tf
@@ -24,7 +24,7 @@ module "oidc" {
   project = var.project
 
   # This variable must match the name of the terraform workspace that you'll be using for your ECS module call in the /ecs module
-  workspace = "prod"
+  workspace = "dev"
 
   # state_bucket_arn   = module.tfstate.aws_s3_bucket.tfstate.arn
   state_bucket_arn = module.tfstate.state_bucket.arn