Terraform OpenSource GitHub Actions automation template for AWS Proton

Welcome! This repository should help you test how Proton works with Terraform Open Source to provision your infrastructure. In this repository you will find two things:

  1. A CloudFormation template (GitHubConfiguration.yaml) that will help you get the underlying roles and permissions set up
  2. A GitHub Actions task to run Terraform Open Source based on commits to this repo

If you are looking to find an example of what an AWS Proton Template looks like when authored for Terraform, head over to aws-samples/aws-proton-terraform-sample-templates

How to:

You will need the following:

  • $ENVIRONMENT_NAME: the name of the environment you plan to create; this can be any name you like
  • $REGION: the region into which you will be deploying this service
  • $GITHUB_USER: A GitHub account with which you can fork this repository

When you see these strings in the instructions below, you should replace them with the value you have chosen.

  1. Create a new repository from this repository
    • If you plan on using this template as a starting point and making changes, this is a Repository Template, so you can just click "Use this template" and a new repository will get created in your account that is an exact copy of this one.
    • If you don't plan on really making any changes, you can also fork this template, and then if/when it is updated you can get those updates.
  2. We will be using GitHub Actions to deploy our Terraform template and notify Proton of the deployment status. You can see the steps of our workflow in proton_run.yml. Forked repositories do not have Actions enabled by default; see this page for information on how to enable them.
  3. Ensure you have a CodeStar Connection set up for the account into which you forked the repo in the previous step. For information on how to set that up, see this documentation.
  4. Run GitHubConfiguration.yaml through CloudFormation (https://aws.amazon.com/cloudformation/). This will create a role that GitHub Actions will use to provision resources into your account, as well as an S3 bucket to store Terraform Open Source state files. Make sure you use only lowercase characters in the stack name, as we use it to name the S3 bucket that stores your state files.

     aws cloudformation create-stack --stack-name aws-proton-terraform-role-stack \
        --template-body file:///$PWD/GitHubConfiguration.yaml \
        --parameters ParameterKey=FullRepoName,ParameterValue=$GITHUB_USER/aws-proton-terraform-github-actions-sample \
        --capabilities CAPABILITY_NAMED_IAM

  5. Open the file env_config.json. Add a new object to the configuration dictionary whose key is $ENVIRONMENT_NAME, whose role is the Role output of the CloudFormation stack you created above, and whose region is $REGION. This tells Terraform which role and region to use for deployments. You can use a different role for each environment by adding them to this file.
  6. In the same file, update state_bucket with the BucketName output of that same stack. This tells Terraform where to store the state file.
  7. Commit your changes and push them to your forked repository.
  8. At this point, you should register an Environment Template that you wish to deploy. If you need an example, head on over to aws-samples/aws-proton-terraform-sample-templates where there are some options to try out.
  9. Register your repository with Proton by following the instructions here.
  10. Deploy your environment in Proton using the following command. Change $GITHUB_USER to the name of the GitHub account that holds the forked repository. For more information see the documentation here.

      aws proton create-environment \
          --name $ENVIRONMENT_NAME \
          --template-name "ENVIRONMENT_TEMPLATE_NAME" \
          --template-major-version "1" \
          --provisioning-repository="branch=main,name=$GITHUB_USER/aws-proton-terraform-github-actions-sample,provider=GITHUB" \
          --spec file:///$PWD/specs/env-spec.yml

  11. Shortly after you trigger the deployment, come back to your repository to see the Pull Request. Once you merge it, you can go back to Proton and see the updated status of your newly created environment.

Feel free to reach out with questions or open a ticket with suggestions in our public roadmap at https://github.com/aws/aws-proton-public-roadmap

Thank you!

Security

See CONTRIBUTING for more information.

License

This library is licensed under the MIT-0 License. See the LICENSE file.


Issues

Extra "" in --outputs "${formatted_outputs[*]}" resulting in Error parsing parameter

In Notify Proton Step in .github/workflows/proton_run.yml

Line 266

aws proton notify-resource-deployment-status-change --region ${{ needs.get-deployment-data.outputs.proton_region }} --resource-arn ${{ needs.get-deployment-data.outputs.resource_arn }} --status SUCCEEDED --deployment-id ${{ needs.get-deployment-data.outputs.deployment_id }} --outputs "${formatted_outputs[*]}"

gives an error similar to:

Error parsing parameter '--outputs': Second instance of key "valueString" encountered for input:
key=security_group_id,valueString=sg-00bd47009c8d7f524 key=subnet_id,valueString=subnet-0dbb1eb78c0ada8b9 key=vpc_arn,valueString=arn:aws:ec2:us-east-1:127511872893:vpc/vpc-029f362a11ac62575
                                                                     ^
This is often because there is a preceding "," instead of a space.

Solution

line 266 needs to be changed to the line below, where --outputs "${formatted_outputs[*]}" is changed to --outputs ${formatted_outputs[*]}

aws proton notify-resource-deployment-status-change --region ${{ needs.get-deployment-data.outputs.proton_region }} --resource-arn ${{ needs.get-deployment-data.outputs.resource_arn }} --status SUCCEEDED --deployment-id ${{ needs.get-deployment-data.outputs.deployment_id }} --outputs ${formatted_outputs[*]}

GH Actions script does not Notify Proton of a terraform apply failure

Upon a failure of a terraform apply, the GH Actions script exits without notifying Proton of the failure. This is a view of the run:

[image: screenshot of the workflow run]

The script never gets to the Notify Proton stage.

This is a snippet of the terraform apply failure (if of interest):

Warning: Experimental feature "module_variable_optional_attrs" is active
│ 
│   on .terraform/modules/aws-eks-accelerator-for-terraform/modules/launch-templates/locals.tf line 4, in terraform:
│    4:   experiments = [module_variable_optional_attrs]
│ 
│ Experimental features are subject to breaking changes in future minor or
│ patch releases, based on feedback.
│ 
│ If you have feedback on the design of this feature, please open a GitHub
│ issue to discuss it.
│ 
│ (and 18 more similar warnings elsewhere)
╵
╷
│ Error: failed creating IAM Role (aws-preprod-dev-eks-cluster-role): EntityAlreadyExists: Role with name aws-preprod-dev-eks-cluster-role already exists.
│ 	status code: 409, request id: 957a148c-2189-4a7a-a1fa-ab44ac11e1e6
│ 
│   with module.aws-eks-accelerator-for-terraform.module.aws_eks.aws_iam_role.cluster[0],
│   on .terraform/modules/aws-eks-accelerator-for-terraform.aws_eks/main.tf line 128, in resource "aws_iam_role" "cluster":
│  128: resource "aws_iam_role" "cluster" {
│ 
╵
╷
│ Error: error creating KMS Alias (alias/aws-preprod-dev-eks): AlreadyExistsException: An alias with the name arn:aws:kms:us-west-2:***:alias/aws-preprod-dev-eks already exists
│ 
│   with module.aws-eks-accelerator-for-terraform.module.kms[0].aws_kms_alias.this,
│   on .terraform/modules/aws-eks-accelerator-for-terraform/modules/aws-kms/main.tf line 29, in resource "aws_kms_alias" "this":
│   29: resource "aws_kms_alias" "this" {
│ 
╵
Error: Process completed with exit code 1.

These are known issues that are being addressed in the template. The expectation is that the GH Actions would be able to get to the Notify Proton stage and inform Proton that the deployment failed. Right now the Proton deployment remains in the in progress state indefinitely.
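A defensive addition for the failure mode this issue describes, written here as an example and not taken from the repository's proton_run.yml: a last step that runs only when an earlier step in the job failed and marks the deployment FAILED in Proton, so it cannot sit in the in-progress state indefinitely. It assumes the step sits at the end of the job that runs terraform apply, after that job's Configure AWS Credentials step, and that the job's needs include get-deployment-data as the other snippets on this page show; --status-message is the CLI's optional free-text field.

```yaml
      # Added example, not from the repository's workflow. `if: failure()` makes
      # this step run only when a previous step in the same job has failed.
      - name: Notify Proton of failure
        if: failure()
        run: |
          aws proton notify-resource-deployment-status-change \
            --region "${{ needs.get-deployment-data.outputs.proton_region }}" \
            --resource-arn "${{ needs.get-deployment-data.outputs.resource_arn }}" \
            --deployment-id "${{ needs.get-deployment-data.outputs.deployment_id }}" \
            --status FAILED \
            --status-message "terraform apply failed; see the GitHub Actions run log"
```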

AWS Account ID is masked in Notify Proton Step

Ref: aws-actions/configure-aws-credentials#304

As configure-aws-credentials masks the AWS Account ID, the --resource-arn ${{ needs.get-deployment-data.outputs.resource_arn }} resolves to a masked (xxx) AWS_ACCOUNTID in the ARN, resulting in step failure.

A solution would be to include mask-aws-account-id: 'no' in the Configure AWS Credentials step.

    - name: Configure AWS Credentials
      id: assume_role
      uses: aws-actions/configure-aws-credentials@v1
      with:
        aws-region: ${{ needs.get-deployment-data.outputs.target_region }}
        role-to-assume: ${{ needs.get-deployment-data.outputs.role_arn }}
        role-session-name: TF-Github-Actions-Notify-Proton
        mask-aws-account-id: 'no'

GH Actions exits abnormally at the Notify Proton step

I am trying to leverage these GH Actions for a template I am using to define an EKS cluster. The deployment of the resources seems to complete successfully but at the time of notifying Proton the script exits with a syntax error on the aws cli call:

  # Get outputs as json
  outputs_json=$(terraform output -json)
  
  # The outputs parameters expects a list of key=keyName,valueString=value key=key2Name,valueString=value2 etc...
  # So here we convert the output json into a shell array
  # NOTE: This will probably not play nicely with complex output objects (non primitives)
  
  formatted_outputs=( $(echo $outputs_json | jq -r "to_entries|map(\"key=\(.key),valueString=\(.value.value|tostring)\")|.[]") )
  
  # Notify proton
  aws proton notify-resource-deployment-status-change --region us-west-2 --resource-arn arn:aws:proton:us-west-2:***:environment/myeks --status SUCCEEDED --deployment-id 4bc18b1d-a802-4dcd-8199-246177142027 --outputs ${formatted_outputs[*]}
  echo "Notify success!"   
  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
  env:
    AWS_DEFAULT_REGION: us-west-2
    AWS_REGION: us-west-2
    AWS_ACCESS_KEY_ID: ***
    AWS_SECRET_ACCESS_KEY: ***
    AWS_SESSION_TOKEN: ***

usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help

Unknown options: --name, myeks

Error: Process completed with exit code 252.
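The two --outputs failures reported above (the "Second instance of key valueString" error from the quoted "${formatted_outputs[*]}", and the "Unknown options: --name, myeks" exit 252 from the unquoted expansion) are both Bash array-expansion effects. The following is an added example, not code from the repository, that reproduces each on a constructed array and shows the expansion that passes one argument per Terraform output; build_outputs_array is a hypothetical hardened replacement for the workflow's jq line and assumes bash 4 and jq are present.

```bash
#!/usr/bin/env bash
# Added example (not from proton_run.yml). Constructed sample of what the
# workflow's jq filter emits for three Terraform outputs; the third value
# contains spaces, as a kubeconfig helper command would.
formatted_outputs=(
  "key=security_group_id,valueString=sg-0123456789abcdef0"
  "key=vpc_id,valueString=vpc-0123456789abcdef0"
  "key=kubeconfig_cmd,valueString=aws eks update-kubeconfig --name myeks"
)

# Stand-in for the aws CLI: report how many separate --outputs arguments arrive.
count_args() { echo "$#"; }

# Quoted [*]: every element is joined into ONE word, so the CLI parses a single
# shorthand value in which "valueString" repeats ("Second instance of key").
quoted_star() { count_args "${formatted_outputs[*]}"; }

# Unquoted: each element is word-split on whitespace, so "--name" and "myeks"
# reach the CLI as stray tokens ("Unknown options: --name, myeks").
unquoted_star() { count_args ${formatted_outputs[*]}; }

# Quoted [@]: exactly one argument per output; spaces inside values survive.
quoted_at() { count_args "${formatted_outputs[@]}"; }

# Hypothetical hardened conversion of `terraform output -json` (assumes jq and
# bash 4): one line per output is read into the array without word splitting,
# so the notify call can expand it as "${formatted_outputs[@]}". Prints the
# number of outputs read. Values containing a comma or newline would still
# need escaping for the CLI's shorthand syntax.
build_outputs_array() {
  mapfile -t formatted_outputs < <(
    jq -r 'to_entries[] | "key=\(.key),valueString=\(.value.value|tostring)"' <<<"$1"
  )
  echo "${#formatted_outputs[@]}"
}
```

At the call site, `--outputs "${formatted_outputs[@]}"` is the expansion that matches what the CLI expects: one key=...,valueString=... argument per output.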
