Template infra deploy #10425718977

navapbc · Aug 16, 2024 · a3ec8f6 · a3ec8f6
1 parent e70bcf8
commit a3ec8f6
Show file tree

Hide file tree

Showing 11 changed files with 43 additions and 25 deletions.
diff --git a/.template-version b/.template-version
@@ -1 +1 @@
-da5e8657bbbf19d53bbb6170009af694d0672122
+c7d3f5258a122a5ba8d7afad06adb0355a6698bc
diff --git a/bin/is-image-published b/bin/is-image-published
@@ -13,7 +13,7 @@ image_tag=$(git rev-parse "${git_ref}")
 # Need to init module when running in CD since GitHub actions does a fresh checkout of repo
 terraform -chdir="infra/${app_name}/app-config" init > /dev/null
 terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
-image_repository_name=$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name)
+image_repository_name="$(terraform -chdir="infra/${app_name}/app-config" output -json build_repository_config | jq -r ".name")"
 region=$(./bin/current-region)
 
 result=""

diff --git a/bin/publish-release b/bin/publish-release
@@ -17,7 +17,7 @@ echo "  image_tag=${image_tag}"
 # Need to init module when running in CD since GitHub actions does a fresh checkout of repo
 terraform -chdir="infra/${app_name}/app-config" init > /dev/null
 terraform -chdir="infra/${app_name}/app-config" apply -auto-approve > /dev/null
-image_repository_name=$(terraform -chdir="infra/${app_name}/app-config" output -raw image_repository_name)
+image_repository_name="$(terraform -chdir="infra/${app_name}/app-config" output -json build_repository_config | jq -r ".name")"
 
 region=$(./bin/current-region)
 read -r image_registry_id image_repository_url <<< "$(aws ecr describe-repositories --repository-names "${image_repository_name}" --query "repositories[0].[registryId,repositoryUri]" --output text)"

diff --git a/infra/app/app-config/build-repository.tf b/infra/app/app-config/build-repository.tf
@@ -0,0 +1,20 @@
+data "external" "account_ids_by_name" {
+  program = ["${path.module}/../../../bin/account-ids-by-name"]
+}
+
+locals {
+  image_repository_name         = "${local.project_name}-${local.app_name}"
+  image_repository_region       = module.project_config.default_region
+  image_repository_account_name = module.project_config.network_configs[local.shared_network_name].account_name
+  image_repository_account_id   = data.external.account_ids_by_name.result[local.image_repository_account_name]
+
+  build_repository_config = {
+    name           = local.image_repository_name
+    region         = local.image_repository_region
+    network_name   = local.shared_network_name
+    account_name   = local.image_repository_account_name
+    account_id     = local.image_repository_account_id
+    repository_arn = "arn:aws:ecr:${local.image_repository_region}:${local.image_repository_account_id}:repository/${local.image_repository_name}"
+    repository_url = "${local.image_repository_account_id}.dkr.ecr.${local.image_repository_region}.amazonaws.com/${local.image_repository_name}"
+  }
+}
diff --git a/infra/app/app-config/main.tf b/infra/app/app-config/main.tf
@@ -3,9 +3,8 @@ locals {
   # the folder under /infra that corresponds to the application
   app_name = regex("/infra/([^/]+)/app-config$", abspath(path.module))[0]
 
-  environments          = ["dev", "staging", "prod"]
-  project_name          = module.project_config.project_name
-  image_repository_name = "${local.project_name}-${local.app_name}"
+  environments = ["dev", "staging", "prod"]
+  project_name = module.project_config.project_name
 
   # Whether or not the application has a database
   # If enabled:
@@ -42,10 +41,6 @@ locals {
     prod    = module.prod_config
   }
 
-  build_repository_config = {
-    region = module.project_config.default_region
-  }
-
   # The name of the network that contains the resources shared across all
   # application environments, such as the build repository.
   # The list of networks can be found in /infra/networks

diff --git a/infra/app/app-config/outputs.tf b/infra/app/app-config/outputs.tf
@@ -34,10 +34,6 @@ output "enable_identity_provider" {
   value = local.enable_identity_provider
 }
 
-output "image_repository_name" {
-  value = local.image_repository_name
-}
-
 output "shared_network_name" {
   value = local.shared_network_name
 }
diff --git a/infra/app/build-repository/main.tf b/infra/app/build-repository/main.tf
@@ -10,6 +10,8 @@ locals {
     description      = "Backend resources required for storing built release candidate artifacts to be used for deploying to environments."
   })
 
+  build_repository_config = module.app_config.build_repository_config
+
   # Get list of AWS account ids for the application environments that
   # will need access to the build repository
   network_names       = toset([for environment_config in values(module.app_config.environment_configs) : environment_config.network_name])
@@ -34,7 +36,7 @@ terraform {
 }
 
 provider "aws" {
-  region = module.app_config.build_repository_config.region
+  region = local.build_repository_config.region
   default_tags {
     tags = local.tags
   }
@@ -49,12 +51,12 @@ module "app_config" {
 }
 
 data "external" "account_ids_by_name" {
-  program = ["../../../bin/account-ids-by-name"]
+  program = ["${path.module}/../../../bin/account-ids-by-name"]
 }
 
 module "container_image_repository" {
   source               = "../../modules/container-image-repository"
-  name                 = module.app_config.image_repository_name
+  name                 = local.build_repository_config.name
   push_access_role_arn = data.aws_iam_role.github_actions.arn
   app_account_ids      = local.app_account_ids
 }
diff --git a/infra/app/service/main.tf b/infra/app/service/main.tf
@@ -40,6 +40,7 @@ locals {
   # Examples: pull request preview environments are temporary.
   is_temporary = terraform.workspace != "default"
 
+  build_repository_config                        = module.app_config.build_repository_config
   environment_config                             = module.app_config.environment_configs[var.environment_name]
   service_config                                 = local.environment_config.service_config
   database_config                                = local.environment_config.database_config
@@ -140,8 +141,10 @@ module "service" {
   source       = "../../modules/service"
   service_name = local.service_config.service_name
 
-  image_repository_name = module.app_config.image_repository_name
-  image_tag             = local.image_tag
+  image_repository_arn = local.build_repository_config.repository_arn
+  image_repository_url = local.build_repository_config.repository_url
+
+  image_tag = local.image_tag
 
   vpc_id             = data.aws_vpc.network.id
   public_subnet_ids  = data.aws_subnets.public.ids

diff --git a/infra/modules/service/access-control.tf b/infra/modules/service/access-control.tf
@@ -60,7 +60,7 @@ data "aws_iam_policy_document" "task_executor" {
       "ecr:BatchGetImage",
       "ecr:GetDownloadUrlForLayer",
     ]
-    resources = [data.aws_ecr_repository.app.arn]
+    resources = [var.image_repository_arn]
   }
 
   dynamic "statement" {

diff --git a/infra/modules/service/main.tf b/infra/modules/service/main.tf
@@ -1,8 +1,5 @@
 data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
-data "aws_ecr_repository" "app" {
-  name = var.image_repository_name
-}
 
 locals {
   alb_name                = var.service_name
@@ -11,7 +8,7 @@ locals {
   log_group_name          = "service/${var.service_name}"
   log_stream_prefix       = var.service_name
   task_executor_role_name = "${var.service_name}-task-executor"
-  image_url               = "${data.aws_ecr_repository.app.repository_url}:${var.image_tag}"
+  image_url               = "${var.image_repository_url}:${var.image_tag}"
 
   base_environment_variables = [
     { name : "PORT", value : tostring(var.container_port) },

diff --git a/infra/modules/service/variables.tf b/infra/modules/service/variables.tf
@@ -102,7 +102,12 @@ variable "hosted_zone_id" {
   default     = null
 }
 
-variable "image_repository_name" {
+variable "image_repository_arn" {
+  type        = string
+  description = "The name of the container image repository"
+}
+
+variable "image_repository_url" {
   type        = string
   description = "The name of the container image repository"
 }