diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index b6f0d02..3bedf89 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -36,7 +36,7 @@ jobs: steps: - uses: actions/checkout@v6 - - name: Get lambda code bucket + - name: Get build artifact bucket id: deploy_bucket uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 with:
diff --git a/.github/workflows/build_get.yml b/.github/workflows/build_get.yml
index ddcca5d..25bd001 100644
--- a/.github/workflows/build_get.yml
+++ b/.github/workflows/build_get.yml
@@ -13,7 +13,7 @@ on: default: "" outputs: code_bucket: - description: "Bucket containing lambda zips" + description: "Bucket containing build artifacts" value: ${{ jobs.bucket.outputs.code_bucket_name }} lambda_version: description: "Valid lambda version"
diff --git a/.github/workflows/destroy.yml b/.github/workflows/destroy.yml
index 8979cfc..3defe62 100644
--- a/.github/workflows/destroy.yml
+++ b/.github/workflows/destroy.yml
@@ -60,13 +60,15 @@ jobs: tg_action: destroy frontend: - needs: setup + needs: lambdas runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 - name: Destroy frontend infra uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 + env: + TF_VAR_api_invoke_url: "https://placeholder.execute-api.us-east-1.amazonaws.com" with: aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/frontend
diff --git a/.github/workflows/infra.yml b/.github/workflows/infra.yml
index 543015c..f47c3a6 100644
--- a/.github/workflows/infra.yml
+++ b/.github/workflows/infra.yml
@@ -10,7 +10,7 @@ on: required: true type: string code_bucket: - description: "Bucket containing lambda zips" + description: "Bucket containing build artifacts" required: true type: string lambda_matrix:
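Review bot: The placeholder `TF_VAR_api_invoke_url` added to the "Destroy frontend infra" step in destroy.yml is undocumented, so the next reader will wonder whether a real URL is required there. Add a comment above the `env:` block such as `# frontend module now requires api_invoke_url; any well-formed https URL is fine here because the stack is only being destroyed`. The switch from `needs: setup` to `needs: lambdas` also makes the frontend teardown wait on the lambdas job; presumably this mirrors the deploy order in infra.yml, but since the frontend no longer reads the api stack's remote state the ordering is a choice rather than a dependency, and the same comment should say so.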
@@ -45,15 +45,32 @@ jobs: tg_directory: infra/live/${{ inputs.environment }}/aws/oidc frontend: - needs: oidc + needs: lambdas runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 with: ref: ${{ inputs.infra_version }} + - name: Get api infra + uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 + id: get-api + with: + aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} + tg_directory: infra/live/${{ inputs.environment }}/aws/api + tg_action: init + + - name: Get api invoke url + id: get_api_vars + env: + TG_OUTPUTS: ${{ steps.get-api.outputs.tg_outputs }} + run: | + echo "invoke_url=$(echo $TG_OUTPUTS | jq -r '.invoke_url.value')" >> $GITHUB_OUTPUT + - name: Deploy frontend infra uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 + env: + TF_VAR_api_invoke_url: ${{ steps.get_api_vars.outputs.invoke_url }} with: aws_oidc_role_arn: ${{ env.AWS_OIDC_ROLE_ARN }} tg_directory: infra/live/${{ inputs.environment }}/aws/frontend
diff --git a/.github/workflows/infra_releases.yml b/.github/workflows/infra_releases.yml
index 7bd7af2..36d53cc 100644
--- a/.github/workflows/infra_releases.yml
+++ b/.github/workflows/infra_releases.yml
@@ -11,7 +11,7 @@ on: type: string outputs: code_bucket: - description: "Bucket containing lambda zips" + description: "Bucket containing build artifacts" value: ${{ jobs.bucket.outputs.bucket_name }} concurrency: # only run one instance of workflow at any one time
@@ -35,7 +35,7 @@ jobs: with: ref: ${{ inputs.infra_version }} - - name: Deploy lambda code bucket + - name: Deploy build artifact bucket id: deploy_bucket uses: chrispsheehan/terragrunt-aws-oidc-action@0.4.1 with:
diff --git a/infra/modules/aws/_shared/lambda/data.tf b/infra/modules/aws/_shared/lambda/data.tf
index 96cf5af..1ef311c 100644
--- a/infra/modules/aws/_shared/lambda/data.tf
+++ b/infra/modules/aws/_shared/lambda/data.tf
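Review bot: In the new "Get api invoke url" step of infra.yml, `$TG_OUTPUTS` and `$GITHUB_OUTPUT` are unquoted and the jq result is never checked, so when the api stack exposes no `invoke_url` (first deploy, or `tg_action: init` not populating `tg_outputs`) the step still succeeds with `invoke_url=null` and the following "Deploy frontend infra" step builds the CloudFront origin from the literal string `null`. Quote the variables, assign the jq result first so a missing value can be detected, and fail the step explicitly instead of letting `echo` mask it. Whether `tg_action: init` actually yields `tg_outputs` for this action I can't tell from the diff; if it doesn't, a dedicated output action is needed here. The step ids also mix `get-api` and `get_api_vars`; pick one convention.
```yaml
      - name: Get api invoke url
        # … unchanged: id and env …
        run: |
          invoke_url="$(jq -r '.invoke_url.value // empty' <<< "$TG_OUTPUTS")"
          if [ -z "$invoke_url" ]; then
            echo "::error::api stack did not expose an invoke_url output"
            exit 1
          fi
          echo "invoke_url=${invoke_url}" >> "$GITHUB_OUTPUT"
```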
@@ -1,5 +1,5 @@ -data "aws_s3_bucket" "lambda_code" { - bucket = var.lambda_bucket +data "aws_s3_bucket" "code_bucket" { + bucket = var.code_bucket } data "archive_file" "bootstrap_lambda" {
@@ -55,7 +55,7 @@ data "aws_iam_policy_document" "codedeploy_lambda" { effect = "Allow" actions = ["s3:GetObject", "s3:GetObjectVersion"] resources = [ - "arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}/*" + "arn:aws:s3:::${data.aws_s3_bucket.code_bucket.bucket}/*" ] }
@@ -64,7 +64,7 @@ data "aws_iam_policy_document" "codedeploy_lambda" { sid = "ListArtifactPrefix" effect = "Allow" actions = ["s3:ListBucket", "s3:GetBucketLocation"] - resources = ["arn:aws:s3:::${data.aws_s3_bucket.lambda_code.bucket}"] + resources = ["arn:aws:s3:::${data.aws_s3_bucket.code_bucket.bucket}"] } statement {
diff --git a/infra/modules/aws/_shared/lambda/main.tf b/infra/modules/aws/_shared/lambda/main.tf
index 131b968..52dd042 100644
--- a/infra/modules/aws/_shared/lambda/main.tf
+++ b/infra/modules/aws/_shared/lambda/main.tf
@@ -21,7 +21,7 @@ resource "aws_iam_role_policy_attachment" "additional_iam_attachments" { } resource "aws_s3_object" "bootstrap_lambda_zip" { - bucket = data.aws_s3_bucket.lambda_code.bucket + bucket = data.aws_s3_bucket.code_bucket.bucket key = local.lambda_bootstrap_zip_key source = data.archive_file.bootstrap_lambda.output_path
@@ -38,7 +38,7 @@ resource "aws_lambda_function" "lambda" { reserved_concurrent_executions = local.pc_reserved_count - s3_bucket = data.aws_s3_bucket.lambda_code.bucket + s3_bucket = data.aws_s3_bucket.code_bucket.bucket s3_key = aws_s3_object.bootstrap_lambda_zip.key # publish ONE immutable version so we can create an alias
diff --git a/infra/modules/aws/_shared/lambda/variables.tf b/infra/modules/aws/_shared/lambda/variables.tf
index 96a2aec..83ed6dd 100644
--- a/infra/modules/aws/_shared/lambda/variables.tf
+++ b/infra/modules/aws/_shared/lambda/variables.tf
@@ -9,9 +9,9 @@ variable "environment" { description = "Environment reference used in naming resources i.e. 'dev'" } -variable "lambda_bucket" { +variable "code_bucket" { type = string - description = "Lambda bucket where the code zip(s) are uploaded to" + description = "Bucket where deployable code artifacts are uploaded" } ### end of static vars set in root.hcl ###
@@ -220,4 +220,4 @@ variable "provisioned_config" { ) error_message = "When sqs_scale is set, both scale_in_cooldown_seconds and scale_out_cooldown_seconds must be specified and each must be at least 60 seconds." } -} \ No newline at end of file +}
diff --git a/infra/modules/aws/api/main.tf b/infra/modules/aws/api/main.tf
index 1991bae..d8c3e00 100644
--- a/infra/modules/aws/api/main.tf
+++ b/infra/modules/aws/api/main.tf
@@ -1,9 +1,9 @@ module "lambda_api" { source = "../_shared/lambda" - project_name = var.project_name - environment = var.environment - lambda_bucket = var.lambda_bucket + project_name = var.project_name + environment = var.environment + code_bucket = var.code_bucket lambda_name = local.lambda_name
diff --git a/infra/modules/aws/api/variables.tf b/infra/modules/aws/api/variables.tf
index 17d0029..c34d4f9 100644
--- a/infra/modules/aws/api/variables.tf
+++ b/infra/modules/aws/api/variables.tf
@@ -9,9 +9,9 @@ variable "environment" { description = "Environment reference used in naming resources i.e. 'dev'" } -variable "lambda_bucket" { +variable "code_bucket" { type = string - description = "Lambda bucket where the code zip(s) are uploaded to" + description = "Bucket where deployable code artifacts are uploaded" } ### end of static vars set in root.hcl ###
@@ -57,4 +57,4 @@ variable "api_5xx_alarm_evaluation_periods" { variable "api_5xx_alarm_datapoints_to_alarm" { type = number description = "The number of evaluated periods that must be breaching to trigger ALARM" -} \ No newline at end of file +}
diff --git a/infra/modules/aws/code_bucket/main.tf b/infra/modules/aws/code_bucket/main.tf
index f7b85f7..ad16b9b 100644
--- a/infra/modules/aws/code_bucket/main.tf
+++ b/infra/modules/aws/code_bucket/main.tf
@@ -1,11 +1,11 @@ -resource "aws_s3_bucket" "lambda" { - bucket = var.lambda_bucket +resource "aws_s3_bucket" "code" { + bucket = var.code_bucket force_destroy = true } -resource "aws_s3_bucket_ownership_controls" "lambda" { - depends_on = [aws_s3_bucket.lambda] - bucket = aws_s3_bucket.lambda.id +resource "aws_s3_bucket_ownership_controls" "code" { + depends_on = [aws_s3_bucket.code] + bucket = aws_s3_bucket.code.id rule { object_ownership = "BucketOwnerEnforced" }
@@ -14,7 +14,7 @@ resource "aws_s3_bucket_ownership_controls" "lambda" { resource "aws_s3_bucket_lifecycle_configuration" "delete_old_files" { count = var.s3_expiration_days > 0 ? 1 : 0 - bucket = aws_s3_bucket.lambda.id + bucket = aws_s3_bucket.code.id rule { id = "delete-expired-objects"
diff --git a/infra/modules/aws/code_bucket/outputs.tf b/infra/modules/aws/code_bucket/outputs.tf
index 326a885..65816d7 100644
--- a/infra/modules/aws/code_bucket/outputs.tf
+++ b/infra/modules/aws/code_bucket/outputs.tf
@@ -1,3 +1,3 @@ output "bucket" { - value = aws_s3_bucket.lambda.bucket + value = aws_s3_bucket.code.bucket }
diff --git a/infra/modules/aws/code_bucket/variables.tf b/infra/modules/aws/code_bucket/variables.tf
index ff218ad..474e02c 100644
--- a/infra/modules/aws/code_bucket/variables.tf
+++ b/infra/modules/aws/code_bucket/variables.tf
@@ -1,6 +1,6 @@ ### start of static vars set in root.hcl ### -variable "lambda_bucket" { - description = "S3 bucket to host lambda code files" +variable "code_bucket" { + description = "S3 bucket to host build artifacts" type = string } ### end of static vars set in root.hcl ###
diff --git a/infra/modules/aws/frontend/data.tf b/infra/modules/aws/frontend/data.tf
index 0f749c0..048b10c 100644
--- a/infra/modules/aws/frontend/data.tf
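Review bot: Renaming the resource addresses `aws_s3_bucket.lambda` → `aws_s3_bucket.code` and `aws_s3_bucket_ownership_controls.lambda` → `aws_s3_bucket_ownership_controls.code` in code_bucket/main.tf without `moved` blocks makes Terraform plan a destroy-and-create of the artifact bucket, and with `force_destroy = true` every artifact in it is deleted on apply. The root.hcl hunk in this commit additionally changes the bucket name from `${local.s3_bucket_base}-lambda` to `${local.s3_bucket_base}-code`, which forces replacement even with `moved` blocks, so as written this is a data-losing migration of the bucket the lambda and codedeploy policies read from. Either keep the existing `-lambda` name in root.hcl and add the `moved` blocks below so only the address changes, or make the rename a deliberate two-step migration (create the new bucket, repoint consumers, retire the old one) and say so in the commit message. Whether state was moved out of band I can't tell from the diff.
```hcl
moved {
  from = aws_s3_bucket.lambda
  to   = aws_s3_bucket.code
}

moved {
  from = aws_s3_bucket_ownership_controls.lambda
  to   = aws_s3_bucket_ownership_controls.code
}
```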
+++ b/infra/modules/aws/frontend/data.tf
@@ -51,11 +51,3 @@ data "aws_cloudfront_cache_policy" "caching_disabled" { data "aws_caller_identity" "current" {} -data "terraform_remote_state" "api" { - backend = "s3" - config = { - bucket = var.state_bucket - key = "${var.environment}/aws/api/terraform.tfstate" - region = var.aws_region - } -}
diff --git a/infra/modules/aws/frontend/locals.tf b/infra/modules/aws/frontend/locals.tf
index fb6e6a4..c4960c6 100644
--- a/infra/modules/aws/frontend/locals.tf
+++ b/infra/modules/aws/frontend/locals.tf
@@ -1,7 +1,7 @@ locals { name = "${var.environment}-${var.project_name}" bucket_name = "${data.aws_caller_identity.current.account_id}-${local.name}" - api_domain = replace(data.terraform_remote_state.api.outputs.invoke_url, "https://", "") + api_domain = replace(var.api_invoke_url, "https://", "") s3_origin_id = "s3" api_origin_id = "api"
diff --git a/infra/modules/aws/frontend/variables.tf b/infra/modules/aws/frontend/variables.tf
index 3a332ba..0581499 100644
--- a/infra/modules/aws/frontend/variables.tf
+++ b/infra/modules/aws/frontend/variables.tf
@@ -23,3 +23,8 @@ variable "deploy_role_arn" { description = "ARN of the OIDC deploy role to grant frontend bucket access" } ### end of static vars set in root.hcl ### + +variable "api_invoke_url" { + type = string + description = "Invoke URL of the API Gateway HTTP API" +}
diff --git a/infra/modules/aws/lambda_worker/main.tf b/infra/modules/aws/lambda_worker/main.tf
index d2ba495..ce45336 100644
--- a/infra/modules/aws/lambda_worker/main.tf
+++ b/infra/modules/aws/lambda_worker/main.tf
@@ -1,9 +1,9 @@ module "lambda_worker" { source = "../_shared/lambda" - project_name = var.project_name - environment = var.environment - lambda_bucket = var.lambda_bucket + project_name = var.project_name + environment = var.environment + code_bucket = var.code_bucket lambda_name = local.lambda_name
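Review bot: The new `api_invoke_url` variable in frontend/variables.tf has no validation, yet the locals.tf hunk in the same commit derives the CloudFront origin domain from it with `replace(var.api_invoke_url, "https://", "")`; an empty string, or the literal `null` the workflow's jq step can emit, passes straight through and yields a broken origin instead of a plan-time error. Add a validation block requiring an https URL so a bad input fails at plan; the placeholder destroy.yml passes still satisfies it. Now that the `terraform_remote_state` data source is gone, `var.state_bucket` and `var.aws_region` may be unused in this module — worth checking outside the diff.
```hcl
variable "api_invoke_url" {
  type        = string
  description = "Invoke URL of the API Gateway HTTP API"

  validation {
    condition     = can(regex("^https://[^/]+", var.api_invoke_url))
    error_message = "api_invoke_url must be an https:// URL (the api stack's invoke_url output)."
  }
}
```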
diff --git a/infra/modules/aws/lambda_worker/variables.tf b/infra/modules/aws/lambda_worker/variables.tf
index 49b8449..ba56938 100644
--- a/infra/modules/aws/lambda_worker/variables.tf
+++ b/infra/modules/aws/lambda_worker/variables.tf
@@ -9,9 +9,9 @@ variable "environment" { description = "Environment reference used in naming resources i.e. 'dev'" } -variable "lambda_bucket" { +variable "code_bucket" { type = string - description = "Lambda bucket where the code zip(s) are uploaded to" + description = "Bucket where deployable code artifacts are uploaded" } ### end of static vars set in root.hcl ###
@@ -63,4 +63,4 @@ variable "sqs_dlq_alarm_evaluation_periods" { variable "sqs_dlq_alarm_datapoints_to_alarm" { type = number description = "The number of evaluated periods that must be breaching to trigger ALARM" -} \ No newline at end of file +}
diff --git a/infra/root.hcl b/infra/root.hcl
index bb4ccc3..99f15a2 100644
--- a/infra/root.hcl
+++ b/infra/root.hcl
@@ -26,7 +26,7 @@ locals { # separate s3 version bucket when dev, otherwise ci s3_bucket_base = local.environment == "dev" ? "${local.base_reference}-${local.environment}" : "${local.base_reference}-ci" - lambda_bucket = "${local.s3_bucket_base}-lambda" + code_bucket = "${local.s3_bucket_base}-code" } terraform {
@@ -97,6 +97,6 @@ inputs = merge( deploy_role_arn = local.deploy_role_arn state_bucket = local.state_bucket state_lock_table = local.state_lock_table - lambda_bucket = local.lambda_bucket + code_bucket = local.code_bucket } )