[ecs] Add Atlantis for GitOps (#50)

* atlantis and cloudtrail added in new way
cloudposse-archives · Mar 7, 2019 · 5b1d5e4 · 5b1d5e4
1 parent d16c697
commit 5b1d5e4
Show file tree

Hide file tree

Showing 13 changed files with 141 additions and 20 deletions.
diff --git a/.gitmodules b/.gitmodules
diff --git a/Dockerfile b/Dockerfile
@@ -1,38 +1,36 @@
 FROM cloudposse/terraform-root-modules:0.11.0 as terraform-root-modules
 
-FROM cloudposse/geodesic:0.46.0
+FROM cloudposse/geodesic:0.72.2
 
 ENV DOCKER_IMAGE="cloudposse/root.cloudposse.co"
 ENV DOCKER_TAG="latest"
 
+# General
+ENV NAMESPACE="cpco"
+ENV STAGE="root"
+
 # Geodesic banner
 ENV BANNER="root.cloudposse.co"
 
+# Message of the Day
+ENV MOTD_URL="https://geodesic.sh/motd"
+
 # AWS Region
 ENV AWS_REGION="us-west-2"
 ENV AWS_DEFAULT_REGION="${AWS_REGION}"
 ENV AWS_ACCOUNT_ID="323330167063"
 ENV AWS_ROOT_ACCOUNT_ID="${AWS_ACCOUNT_ID}"
 
-# Terraform vars
-ENV TF_VAR_region="${AWS_REGION}"
-ENV TF_VAR_account_id="${AWS_ACCOUNT_ID}"
-ENV TF_VAR_namespace="cpco"
-ENV TF_VAR_stage="root"
-
-ENV TF_VAR_parent_domain_name="cloudposse.co"
-ENV TF_VAR_root_domain_name="root.cloudposse.co"
-
 # Terraform state bucket and DynamoDB table for state locking
 ENV TF_BUCKET_REGION="${AWS_REGION}"
-ENV TF_BUCKET="${TF_VAR_namespace}-${TF_VAR_stage}-terraform-state"
-ENV TF_DYNAMODB_TABLE="${TF_VAR_namespace}-${TF_VAR_stage}-terraform-state-lock"
+ENV TF_BUCKET="${NAMESPACE}-${STAGE}-terraform-state"
+ENV TF_DYNAMODB_TABLE="${NAMESPACE}-${STAGE}-terraform-state-lock"
 
 # Default AWS Profile name
-ENV AWS_DEFAULT_PROFILE="${TF_VAR_namespace}-${TF_VAR_stage}-admin"
+ENV AWS_DEFAULT_PROFILE="${NAMESPACE}-${STAGE}-admin"
 
 # chamber KMS config
-ENV CHAMBER_KMS_KEY_ALIAS="alias/${TF_VAR_namespace}-${TF_VAR_stage}-chamber"
+ENV CHAMBER_KMS_KEY_ALIAS="alias/${NAMESPACE}-${STAGE}-chamber"
 
 # Copy root modules
 COPY --from=terraform-root-modules /aws/tfstate-backend/ /conf/tfstate-backend/
@@ -42,7 +40,6 @@ COPY --from=terraform-root-modules /aws/accounts/ /conf/accounts/
 COPY --from=terraform-root-modules /aws/account-settings/ /conf/account-settings/
 COPY --from=terraform-root-modules /aws/root-iam/ /conf/root-iam/
 COPY --from=terraform-root-modules /aws/iam/ /conf/iam/
-COPY --from=terraform-root-modules /aws/cloudtrail/ /conf/cloudtrail/
 
 # Place configuration in 'conf/' directory
 COPY conf/ /conf/
@@ -53,4 +50,8 @@ RUN make -C /conf install
 # Filesystem entry for tfstate
 RUN s3 fstab '${TF_BUCKET}' '/' '/secrets/tf'
 
+# Install atlantis
+RUN curl -fsSL -o /usr/bin/atlantis https://github.com/cloudposse/atlantis/releases/download/0.5.2/atlantis_linux_amd64 && \
+    chmod 755 /usr/bin/atlantis
+
 WORKDIR /conf/
diff --git a/Makefile b/Makefile
@@ -32,3 +32,15 @@ install:
 ## Start the geodesic shell by calling wrapper script
 run:
 	$(CLUSTER)
+
+run/atlantis:
+	docker run --privileged -it -e AWS_ACCESS_KEY_ID -e AWS_SECRET_ACCESS_KEY -e AWS_SECURITY_TOKEN -e AWS_SESSION_TOKEN -e ATLANTIS_ENABLED=true $(DOCKER_IMAGE_NAME)
+
+run/atlantis/shell:
+	docker run --privileged -it \
+		-e AWS_ACCESS_KEY_ID \
+		-e AWS_SECRET_ACCESS_KEY \
+		-e AWS_SECURITY_TOKEN \
+		-e AWS_SESSION_TOKEN \
+		-e ATLANTIS_ENABLED=true \
+		$(DOCKER_IMAGE_NAME) -c bash
diff --git a/atlantis.yaml b/atlantis.yaml
@@ -0,0 +1,28 @@
+version: 2
+
+projects:
+
+- name: "cloudtrail"
+  workflow: "make"
+  dir: "conf/cloudtrail"
+  workspace: "default"
+  terraform_version: "v0.11.10"
+  autoplan:
+    when_modified:
+      - "Makefile*"
+      - "*.tf"
+      - "*.tfvars"
+      - ".envrc"
+    enabled: true
+  apply_requirements:
+    - "approved"
+
+workflows:
+  make:
+    plan:
+      steps:
+        - run: "make reset deps"
+        - run: "set -o pipefail; make plan | tfmask | scenery --no-color"
+    apply:
+      steps:
+        - run: "set -o pipefail; make apply | tfmask"
diff --git a/buildspec.yml b/buildspec.yml
@@ -0,0 +1,27 @@
+version: 0.2
+phases:
+  pre_build:
+    commands:
+      - echo Logging in to Amazon ECR...
+      - aws --version
+      - eval $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
+      - REPOSITORY_URI=$AWS_ACCOUNT_ID.dkr.ecr.us-west-2.amazonaws.com/$IMAGE_REPO_NAME
+      - IMAGE_TAG=$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
+  build:
+    commands:
+      - echo Build started on `date`
+      - echo Building the Docker image...
+      - REPO_URI=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$IMAGE_REPO_NAME
+      - docker pull $REPO_URI:latest || true
+      - docker build --cache-from $REPO_URI:latest --tag $REPO_URI:latest --tag $REPO_URI:$IMAGE_TAG .
+  post_build:
+    commands:
+      - echo Build completed on `date`
+      - echo Pushing the Docker images...
+      - REPO_URI=$AWS_ACCOUNT_ID.dkr.ecr.$AWS_REGION.amazonaws.com/$IMAGE_REPO_NAME
+      - docker push $REPO_URI:latest
+      - docker push $REPO_URI:$IMAGE_TAG
+      - echo Writing image definitions file...
+      - printf '[{"name":"%s","imageUri":"%s"}]' "$CONTAINER_NAME" "$REPO_URI:$IMAGE_TAG" | tee imagedefinitions.json
+artifacts:
+  files: imagedefinitions.json
diff --git a/conf/atlantis b/conf/atlantis
diff --git a/conf/cloudtrail/.envrc b/conf/cloudtrail/.envrc
@@ -0,0 +1,7 @@
+# Import the remote module
+export TF_CLI_INIT_FROM_MODULE="git::https://github.com/cloudposse/terraform-root-modules.git//aws/cloudtrail?ref=tags/0.35.1"
+export TF_CLI_PLAN_PARALLELISM=2
+
+use terraform
+use atlantis
+use tfenv
diff --git a/conf/cloudtrail/Makefile.tasks b/conf/cloudtrail/Makefile.tasks
@@ -0,0 +1,7 @@
+## Fetch the remote terraform module
+deps:
+	terraform init
+
+## Reset this project
+reset:
+	rm -rf Makefile *.tf .terraform
diff --git a/conf/ecs/.envrc b/conf/ecs/.envrc
@@ -0,0 +1,7 @@
+# Import the remote module
+export TF_CLI_INIT_FROM_MODULE="git::https://github.com/cloudposse/terraform-root-modules.git//aws/ecs?ref=tags/0.53.2"
+export TF_CLI_PLAN_PARALLELISM=2
+
+use terraform
+use atlantis
+use tfenv
diff --git a/conf/ecs/Makefile.tasks b/conf/ecs/Makefile.tasks
@@ -0,0 +1,12 @@
+## Fetch the remote terraform module
+deps:
+	terraform init
+
+## Reset this project
+reset:
+	rm -rf Makefile *.tf .terraform
+
+## Coldstart setup
+coldstart:
+	terraform apply -target module.dns
+	terraform apply
diff --git a/conf/ecs/atlantis.auto.tfvars b/conf/ecs/atlantis.auto.tfvars
@@ -0,0 +1,17 @@
+atlantis_enabled = "true"
+
+atlantis_branch = "master"
+
+atlantis_repo_name = "root.cloudposse.co"
+
+atlantis_repo_owner = "cloudposse"
+
+atlantis_repo_whitelist = ["github.com/cloudposse/root.cloudposse.co"]
+
+atlantis_allow_repo_config = "true"
+
+atlantis_gh_user = "cloudpossebot"
+
+atlantis_gh_team_whitelist = "cloudposse:*,engineering:*"
+
+atlantis_wake_word = "atlantis"
diff --git a/conf/ecs/dns.auto.tfvars b/conf/ecs/dns.auto.tfvars
@@ -0,0 +1,3 @@
+dns_enabled = "true"
+
+dns_parent_zone_name = "root.cloudposse.co"
diff --git a/conf/ecs/sns.auto.tfvars b/conf/ecs/sns.auto.tfvars
@@ -0,0 +1,5 @@
+slack_channel = "#test"
+
+slack_username = "ecs"
+
+slack_webhook_url = "https://hooks.slack.com/services/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		dns_enabled = "true"

		dns_parent_zone_name = "root.cloudposse.co"