Element84 · hectormachin · Oct 4, 2024 · Oct 4, 2024 · Oct 4, 2024 · Oct 4, 2024
@@ -0,0 +1,13 @@
+**Related Issue(s):** 
+
+- #
+
+
+**Proposed Changes:**
+
+1. 
+2. 
+
+**PR Checklist:**
+
+- [ ] I have added my changes to the CHANGELOG **or** a CHANGELOG entry is not required.
@@ -0,0 +1,19 @@
+name: 🚀 Deploy Dev
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - v.*
+  workflow_dispatch:
+
+jobs:
+  deploy-dev:
+    uses: ./.github/workflows/deploy-wf.yaml
+    secrets: inherit
+    concurrency: dev
+    with:
+      stage: dev
+      url: https://console.goose.filmdrop.element84.com
+      fd-aws-tf-modules-version: v2.29.0
@@ -0,0 +1,121 @@
+on:
+  workflow_call:
+    inputs:
+      stage:
+        required: true
+        type: string
+      url:
+        required: true
+        type: string
+      fd-aws-tf-modules-version:
+        required: true
+        type: string
+
+env:
+  project-name: goose
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  deploy:
+    environment:
+      name: ${{ inputs.stage }}
+      url: ${{ inputs.url }}
+
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.7.5"
+
+      - name: Preparing Environment
+        id: prep_env
+        run: |
+          echo "Creating terraform backend file ..."
+          echo '' > config.s3.backend.tf
+          echo 'terraform {' >> config.s3.backend.tf
+          echo '  backend "s3" {' >> config.s3.backend.tf
+          echo '    encrypt = true' >> config.s3.backend.tf
+          echo "    bucket = \"${{ secrets.TF_STATE_BUCKET }}\"" >> config.s3.backend.tf
+          echo "    dynamodb_table = \"${{ secrets.TF_STATE_LOCK_TABLE }}\"" >> config.s3.backend.tf
+          echo "    key = \"${{ env.project-name }}-${{ inputs.stage }}.tfstate\"" >> config.s3.backend.tf
+          echo "    region = \"${{ secrets.AWS_REGION }}\"" >> config.s3.backend.tf
+          echo '  }' >> config.s3.backend.tf
+          echo '}' >> config.s3.backend.tf
+          cat config.s3.backend.tf
+          echo "Using FilmDrop Terraform ${{ inputs.fd-aws-tf-modules-version }} release..."
+          ./scripts/retrieve_tf_modules.sh ${{ inputs.fd-aws-tf-modules-version }}
+
+      - name: Update stac-server lambdas
+        id: update_stac_lambdas
+        run: ./scripts/update-stac-server-lambdas.bash
+
+      - name: Update cirrus lambda dist
+        id: update_cirrus_lambda_dist
+        run: ./scripts/update-cirrus-lambda-dist.bash
+
+      - name: Configure Terraform Init Credentials
+        id: init_creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: GitHubReleaseInit
+
+      - name: Terraform Init
+        id: tf_init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: tf_validate
+        run: terraform validate
+
+      - name: Configure Terraform Plan Credentials
+        id: plan_creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: GitHubReleasePlan
+
+      - name: Terraform Plan
+        id: tf_plan
+        run: terraform plan -var-file="${{ inputs.stage }}.tfvars" -out ${{ inputs.stage }}.tfplan -lock=false
+
+      - name: Configure Terraform Apply Credentials
+        id: apply_creds
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          role-session-name: GitHubReleaseApply
+
+      - name: Terraform Apply
+        id: tf_apply
+        run: terraform apply -lock=false -input=false ${{ inputs.stage }}.tfplan
+
+      - name: Post status to Slack channel
+        id: tf_apply_successs
+        if: steps.tf_apply.outcome == 'success'
+        continue-on-error: true
+        uses: slackapi/[email protected]
+        with:
+          channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          slack-message: ":silly-goose: ${{ env.project-name }}-${{ inputs.stage }}-titiler ${{  github.ref_name }} terraform apply job has succeeded!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
+
+      - name: Post status to Slack channel
+        id: tf_apply_failure
+        if: steps.tf_apply.outcome != 'success'
+        continue-on-error: true
+        uses: slackapi/[email protected]
+        with:
+          channel-id: ${{ secrets.SLACK_CHANNEL_ID }}
+          slack-message: ":goosebonk: ${{ env.project-name }}-${{ inputs.stage }}-titiler ${{  github.ref_name }} terraform apply has failed!\n:alert: make sure cleanup job deletes all AWS resources!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+        env:
+          SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
@@ -0,0 +1,49 @@
+# This workflow sets up Snyk scans
+
+name: Snyk Scan
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  schedule: # Run snyk scan daily at midnight
+    - cron: '0 0 * * *'
+
+permissions:
+  contents: read
+
+jobs:
+  snyk:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+
+      - name: Snyk IaC report vulnerabilities
+        uses: snyk/actions/[email protected]
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+
+        # Push the Snyk Code results into GitHub Code Scanning tab
+      - name: Upload result to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: snyk.sarif
+
+      - name: Snyk IaC gatekeeper
+        uses: snyk/actions/[email protected]
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args:
+            --sarif-file-output=snyk.sarif
+            --policy-path=.snyk
+            --severity-threshold=high # Forces fail on high-severity vulnerabilities
@@ -0,0 +1,89 @@
+name: Pre-commit CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  validate:
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    env:
+      CI: true
+      STAC_SERVER_TAG: v3.7.0
+      CIRRUS_TAG: v1.0.0a0
+      fd-aws-tf-modules-version: v2.29.0
+      stage: dev
+      project-name: goose
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "18"
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.7.5"
+
+      - name: Preparing Environment
+        id: prep_env
+        run: |
+          echo "Creating terraform backend file ..."
+          echo '' > config.s3.backend.tf
+          echo 'terraform {' >> config.s3.backend.tf
+          echo '  backend "s3" {' >> config.s3.backend.tf
+          echo '    encrypt = true' >> config.s3.backend.tf
+          echo "    bucket = \"${{ secrets.TF_STATE_BUCKET }}\"" >> config.s3.backend.tf
+          echo "    dynamodb_table = \"${{ secrets.TF_STATE_LOCK_TABLE }}\"" >> config.s3.backend.tf
+          echo "    key = \"${{ env.project-name }}-${{ env.stage }}.tfstate\"" >> config.s3.backend.tf
+          echo "    region = \"${{ secrets.AWS_REGION }}\"" >> config.s3.backend.tf
+          echo '  }' >> config.s3.backend.tf
+          echo '}' >> config.s3.backend.tf
+          cat config.s3.backend.tf
+          echo "Using FilmDrop Terraform ${{ env.fd-aws-tf-modules-version }} release..."
+          ./scripts/retrieve_tf_modules.sh ${{ env.fd-aws-tf-modules-version }}
+
+      - name: Update stac-server lambdas
+        id: update_stac_lambdas
+        run: ./scripts/update-stac-server-lambdas.bash
+
+      - name: Update cirrus lambda dist
+        id: update_cirrus_lambda_dist
+        run: ./scripts/update-cirrus-lambda-dist.bash
+
+      - name: Terraform Init
+        id: tf_init
+        run: terraform init
+
+      - name: Terraform Validate
+        id: tf_validate
+        run: terraform validate -no-color
+  pre-commit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.7.5"
+      - uses: terraform-linters/setup-tflint@v4
+        with:
+          tflint_version: "v0.49.0"
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+      - name: Install pre-commit
+        run: pip install pre-commit
+      - name: Run pre-commit
+        run: pre-commit run --all-files
@@ -0,0 +1,34 @@
+*.auto.tfvars
+*.env*
+*.orig
+*.out
+*.swo
+*.swp
+*.tfstate
+*.tfstate.*
+*.tmp
+*.zip
+*output
+.DS_Store
+.opensearch.info
+.pytest*
+.terraform.lock*
+.terraform.lock.hcl
+.terraform.tfstate*
+.terraform/
+__pycache__
+bin/terraform
+modules/jupyterhub-dask-eks/cluster.yaml
+modules/jupyterhub-dask-eks/daskhub.yaml
+modules/jupyterhub-dask-eks/spec.yaml
+modules/jupyterhub-dask-eks/storageclass.yaml
+node_modules
+package-lock.json
+plan.json
+plan.out
+saved.plan
+stac-server-*
+stac-server.tgz
+terraform-visual-report
+terraform.tgz
+modules/stac-server/historical-ingest/lambda/package/*
@@ -0,0 +1,3 @@
+MD024: false
+MD013: 
+  line_length: 100
@@ -0,0 +1,11 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.85.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_tflint
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.1.8
+    hooks:
+      - id: ruff
+      - id: ruff-format