1st pass at concourse pages

ci/pipeline.yml

@@ -207,6 +207,66 @@ jobs:
       username: ((slack-username))
       icon_url: ((slack-icon-url))
 
+- name: deploy-concourse-pages-production
+  serial: true
+  interruptible: true
+  plan:
+  - in_parallel:
+    - get: concourse-deployment
+      passed: [deploy-concourse-staging]
+    - get: concourse-config
+      passed: [deploy-concourse-staging]
+    - get: terraform-yaml
+    - get: concourse-stemcell-jammy
+      passed: [deploy-concourse-staging]
+  - put: concourse-production-pages-deployment
+    params:
+      <<: *deploy-params
+      ops_files:
+      - concourse-deployment/cluster/operations/basic-auth.yml
+      - concourse-deployment/cluster/operations/build-log-retention.yml
+      - concourse-deployment/cluster/operations/scale.yml
+      - concourse-deployment/cluster/operations/enable-global-resources.yml
+      - concourse-config/operations/credhub.yml
+      - concourse-config/operations/iaas-worker.yml
+      - concourse-config/operations/postgres-production-pages.yml
+      - concourse-config/operations/external-postgres-tls.yml
+      - concourse-config/operations/driver.yml
+      - concourse-config/operations/config.yml
+      - concourse-config/operations/generic-oauth.yml
+      - concourse-config/operations/compliance.yml
+      - concourse-config/operations/prometheus.yml
+      - concourse-config/operations/set-garbage-collection.yml
+      - concourse-config/operations/base-resource-defaults.yml
+      - concourse-config/operations/max-containers.yml
+      - concourse-config/operations/bosh-dns-aliases.yml
+      - concourse-config/operations/enable-across-step.yml
+      - concourse-config/operations/container-placement.yml
+      - concourse-config/operations/iptables.yml
+      - concourse-config/operations/redact-secrets.yml
+      vars_files:
+      - concourse-deployment/versions.yml
+      - concourse-config/variables/production-pages.yml
+      - concourse-config/variables/postgres-tls.yml
+      - terraform-yaml/state.yml
+  on_failure:
+    put: slack
+    params:
+      text: |
+        :x: FAILED to deploy Concourse Pages on production
+        <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME|View build details>
+      channel: '#cg-platform'
+      username: ((slack-username))
+      icon_url: ((slack-icon-url))
+  on_success:
+    put: slack
+    params:
+      text: |
+        :white_check_mark: Successfully deployed Concourse Pages on production
+        <$ATC_EXTERNAL_URL/teams/$BUILD_TEAM_NAME/pipelines/$BUILD_PIPELINE_NAME/jobs/$BUILD_JOB_NAME/builds/$BUILD_NAME|View build details>
+      channel: '#cg-platform-news'
+      username: ((slack-username))
+      icon_url: ((slack-icon-url))
 # by having a different job for iptables, we should work around the issue
 # where the concourse deployment seems to fail because we lose our worker
 # so the iptables job never runs and dns breaks until we re-run the whole
@@ -239,6 +299,30 @@ jobs:
         BOSH_CA_CERT: ((common_ca_cert_store))
         BOSH_DEPLOYMENT: concourse-production
 
+- name: iptables-production-pages
+  serial: true
+  interruptible: true
+  plan:
+  - task: iptables-iaas-worker-bosh-dns
+    config:
+      <<: *iptables-iaas-worker-bosh-dns
+      params:
+        BOSH_ENVIRONMENT: ((concourse-production-deployment-bosh-target))
+        BOSH_CLIENT: ci
+        BOSH_CLIENT_SECRET: ((tooling_bosh_uaa_ci_client_secret))
+        BOSH_CA_CERT: ((common_ca_cert_store))
+        BOSH_DEPLOYMENT: concourse-production-pages
+  - task: iptables-worker-bosh-dns
+    tags: [iaas]
+    config:
+      <<: *iptables-worker-bosh-dns
+      params:
+        BOSH_ENVIRONMENT: ((concourse-production-deployment-bosh-target))
+        BOSH_CLIENT: ci
+        BOSH_CLIENT_SECRET: ((tooling_bosh_uaa_ci_client_secret))
+        BOSH_CA_CERT: ((common_ca_cert_store))
+        BOSH_DEPLOYMENT: concourse-production-pages
+
 - name: set-teams-production
   plan:
   - get: team-source
@@ -254,6 +338,21 @@ jobs:
         concourse_username: ((basic-auth-username-production))
         concourse_password: ((basic-auth-password-production))
 
+- name: set-teams-production-pages
+  plan:
+  - get: team-source
+    params: {depth: 1}
+    trigger: true
+    passed: [set-teams-staging]
+  - put: terraform-production
+    params:
+      env_name: production
+      terraform_source: team-source/teams
+      vars:
+        concourse_url: https://ci-pages.fr.cloud.gov
+        concourse_username: ((basic-auth-username-production-pages))
+        concourse_password: ((basic-auth-password-production-pages))
+
 resources:
 - name: concourse-deployment
   type: git

operations/postgres-production-pages.yml

@@ -0,0 +1,18 @@
+- type: replace
+  path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/host?
+  value: ((terraform_outputs.production_concourse_pages_rds_host))
+
+- type: replace
+  path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/port?
+  value: ((terraform_outputs.production_concourse_pages_rds_port))
+
+- type: replace
+  path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/role?/name?
+  value: ((terraform_outputs.production_concourse_pages_rds_username))
+
+- type: replace
+  path: /instance_groups/name=web/jobs/name=web/properties/postgresql?/role?/password?
+  value: ((terraform_outputs.production_concourse_pages_rds_password))
+
+- type: remove
+  path: /variables/name=postgres_password

variables/production-pages.yml

@@ -0,0 +1,16 @@
+deployment_name: concourse-production-pages
+external_url: https://ci-pages.fr.cloud.gov
+azs: [z1]
+web_vm_type: m6i.large.concourse.web
+worker_vm_type: m6i.xlarge.concourse.worker
+iaas_worker_vm_type: m6i.xlarge.concourse.worker
+web_vm_extensions: [production-concourse-pages-lb]
+worker_vm_extensions: [production-concourse-profile]
+iaas_worker_vm_extensions: [production-concourse-iaas-profile]
+network_name: production-concourse_pages
+web_instances: 2
+worker_instances: 2
+iaas_worker_instances: 1
+build_logs_default: 25
+build_logs_maximum: 0
+max_active_containers_per_worker: 200