feat: reuse workflow, improve tf cloud usage (#11)

.github/workflows/main.yml

@@ -0,0 +1,15 @@
+name: Terraform Apply
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  terraform_apply:
+    name: Terraform Apply
+    uses: soat-tech-challenge/github-workflows/.github/workflows/terraform-apply.yml@main
+    secrets: inherit
+    with:
+      cloud_workspace: database-staging

.github/workflows/pull-request.yml

@@ -9,128 +9,22 @@ on:
 jobs:
   tflint:
     name: TFLint
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Setup TFLint
-        uses: terraform-linters/setup-tflint@v3
-
-      - name: Init TFLint
-        run: tflint --init
-        env:
-          # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/plugins.md#avoiding-rate-limiting
-          GITHUB_TOKEN: ${{ github.token }}
-
-      - name: Run TFLint
-        run: tflint -f compact
+    uses: soat-tech-challenge/github-workflows/.github/workflows/tflint.yml@main
 
   tfsec:
-    name: tfsec
-    runs-on: ubuntu-latest
+    uses: soat-tech-challenge/github-workflows/.github/workflows/tfsec.yml@main
 
     permissions:
       contents: read
       pull-requests: write
 
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: tfsec
-        uses: aquasecurity/[email protected]
-        with:
-          tfsec_args: --soft-fail
-          github_token: ${{ github.token }}
-
-  terraform-cloud-speculative-run:
-    name: Terraform Cloud Speculative Run
-    runs-on: ubuntu-latest
+  terraform-plan:
+    name: Terraform Plan
+    uses: soat-tech-challenge/github-workflows/.github/workflows/terraform-plan.yml@main
+    secrets: inherit
+    with:
+      cloud_workspace: database-staging
 
     permissions:
       contents: read
       pull-requests: write
-
-    env:
-      TF_CLOUD_ORGANIZATION: ${{ vars.TF_CLOUD_ORGANIZATION }}
-      TF_API_TOKEN: ${{ secrets.TF_API_TOKEN }}
-      TF_WORKSPACE: ${{ vars.TF_WORKSPACE }}
-      CONFIG_DIRECTORY: ${{ vars.CONFIG_DIRECTORY }}
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Upload Configuration
-        uses: hashicorp/tfc-workflows-github/actions/[email protected]
-        id: upload
-        with:
-          workspace: ${{ env.TF_WORKSPACE }}
-          directory: ${{ env.CONFIG_DIRECTORY }}
-          speculative: true
-
-      - name: Create Plan Run
-        uses: hashicorp/tfc-workflows-github/actions/[email protected]
-        id: run
-        ## run may fail, if so continue to output PR comment
-        ## step.terraform-cloud-check-run-status will fail job after pr comment is created/updated.
-        continue-on-error: true
-        with:
-          workspace: ${{ env.TF_WORKSPACE }}
-          configuration_version: ${{ steps.upload.outputs.configuration_version_id }}
-          plan_only: true
-
-      - name: Get Plan Output
-        uses: hashicorp/tfc-workflows-github/actions/[email protected]
-        id: plan-output
-        with:
-          plan: ${{ steps.run.outputs.plan_id }}
-
-      - name: Update PR with Plan comment
-        uses: actions/github-script@v6
-        if: github.event_name == 'pull_request'
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            // 1. Retrieve existing bot comments for the PR
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: context.issue.number,
-            })
-            const botComment = comments.find(comment => {
-              return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output')
-            })
-            const output = `#### Terraform Cloud Plan Output
-            \`\`\`
-            Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy.
-            \`\`\`
-            [Terraform Cloud Plan](${{ steps.run.outputs.run_link }})
-            `
-            // 3. If we have a comment, update it, otherwise create a new one
-            if (botComment) {
-              github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: botComment.id,
-                body: output
-              })
-            } else {
-              github.rest.issues.createComment({
-                issue_number: context.issue.number,
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                body: output
-              })
-            }
-
-        ## Check Run Status, if not planned_and_finished fail the job
-      - id: terraform-cloud-check-run-status
-        if: ${{ steps.run.outputs.run_status != 'planned_and_finished'}}
-        run: |
-          echo "Terraform Cloud Run Failed or Requires Further Attention"
-          echo "Run Status: '${{ steps.run.outputs.run_status }}'"
-          echo "${{ steps.run.outputs.run_link }}"
-          exit 1

.github/workflows/terraform-destroy.yml

@@ -5,31 +5,5 @@ on:
 
 jobs:
   terraform_destroy:
-    name: Terraform Destroy
-    if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
-    environment: AWS
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Setup Terraform
-        uses: hashicorp/setup-terraform@v2
-        with:
-          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
-
-      - name: Terraform Init
-        run: terraform init
-
-      - name: Terraform Plan
-        run: terraform plan -destroy -input=false
-        env:
-          TF_VAR_AWS_ACCESS_KEY: ${{ secrets.TF_AWS_READONLY_ACCESSKEY }}
-          TF_VAR_AWS_SECRET_KEY: ${{ secrets.TF_AWS_READONLY_SECRETKEY }}
-
-      - name: Terraform Destroy
-        run: terraform destroy -auto-approve -input=false
-        env:
-          TF_VAR_AWS_ACCESS_KEY: ${{ secrets.TF_VAR_AWS_ACCESS_KEY }}
-          TF_VAR_AWS_SECRET_KEY: ${{ secrets.TF_VAR_AWS_SECRET_KEY }}
+    uses: soat-tech-challenge/github-workflows/.github/workflows/terraform-destroy.yml@main
+    secrets: inherit

datasources.tf

@@ -11,3 +11,9 @@ data "aws_subnets" "private_subnets" {
     values = ["soat-tech-challenge-subnet-public*"]
   }
 }
+
+
+# data "tfe_outputs" "network" {
+#   organization = "soat-tech-challenge"
+#   workspace    = "network-staging"
+# }

main.tf

@@ -1,21 +1,6 @@
-resource "aws_security_group" "soat_tc_rds_sg" {
-  name   = "soat-tc-rds-sg"
-  vpc_id = data.aws_vpc.vpc.id
-
-  ingress {
-    from_port   = var.db_port
-    to_port     = var.db_port
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-}
 
-resource "aws_db_subnet_group" "soat_tc_rds_subnet_group" {
-  name       = "soat-tc-rds-subnet-group"
-  subnet_ids = data.aws_subnets.private_subnets.ids
-}
 
-resource "aws_db_parameter_group" "soat_tc_rds_parameter_group" {
+resource "aws_db_parameter_group" "this" {
   name   = "soat-tc-rds-parameter-group"
   family = "postgres15"
 
@@ -25,10 +10,12 @@ resource "aws_db_parameter_group" "soat_tc_rds_parameter_group" {
   }
 }
 
-resource "aws_db_instance" "soat_tc_rds_db" {
+resource "aws_db_instance" "this" {
   identifier = "soat-tc-rds-db"
   engine     = "postgres"
 
+  db_name = "backend-db"
+
   allocated_storage = 20
   storage_type      = "gp2"
   engine_version    = "15.3"
@@ -44,8 +31,8 @@ resource "aws_db_instance" "soat_tc_rds_db" {
   ca_cert_identifier  = "rds-ca-rsa2048-g1"
   apply_immediately   = true
 
-  parameter_group_name = aws_db_parameter_group.soat_tc_rds_parameter_group.name
-  db_subnet_group_name = aws_db_subnet_group.soat_tc_rds_subnet_group.name
+  parameter_group_name = aws_db_parameter_group.this.name
+  db_subnet_group_name = aws_db_subnet_group.this.name
 
-  vpc_security_group_ids = [aws_security_group.soat_tc_rds_sg.id]
+  vpc_security_group_ids = [aws_security_group.this.id]
 }

network.tf

@@ -0,0 +1,16 @@
+resource "aws_security_group" "this" {
+  name   = "soat-tc-rds-sg"
+  vpc_id = data.aws_vpc.vpc.id
+
+  ingress {
+    from_port   = var.db_port
+    to_port     = var.db_port
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_db_subnet_group" "this" {
+  name       = "soat-tc-rds-subnet-group"
+  subnet_ids = data.aws_subnets.private_subnets.ids
+}

outputs.tf

@@ -1,4 +1,4 @@
 output "rds_instance_id" {
   description = "The RDS instance identifier"
-  value       = aws_db_instance.soat_tc_rds_db.identifier
+  value       = aws_db_instance.this.name
 }

providers.tf

@@ -1,8 +1,8 @@
 provider "aws" {
   region = var.aws_region
 
-  access_key = var.AWS_ACCESS_KEY
-  secret_key = var.AWS_SECRET_KEY
+  access_key = var.aws_access_key
+  secret_key = var.aws_secret_key
 
   default_tags {
     tags = {
@@ -11,4 +11,3 @@ provider "aws" {
     }
   }
 }
-

terraform.tfvars.example

@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY = ""
-AWS_SECRET_KEY = ""
+aws_secret_key = ""
+aws_access_key = ""

variables.tf

@@ -8,12 +8,12 @@ variable "repository" {
   default = "soat-tech-challenge/terraform-aws-rds"
 }
 
-variable "AWS_ACCESS_KEY" {
+variable "aws_access_key" {
   description = "AWS Access Key"
   type        = string
 }
 
-variable "AWS_SECRET_KEY" {
+variable "aws_secret_key" {
   description = "AWS Secret Key"
   type        = string
 }

versions.tf

@@ -5,7 +5,7 @@ terraform {
     organization = "soat-tech-challenge"
 
     workspaces {
-      name = "staging"
+      name = "database-staging"
     }
   }
 
@@ -14,6 +14,11 @@ terraform {
       source  = "hashicorp/aws"
       version = "4.67.0"
     }
+
+    tfe = {
+      source  = "hashicorp/tfe"
+      version = "~> 0.49.2"
+    }
   }
 }