Full functional v1 e2e

.github/workflows/runner.yaml

@@ -1,60 +1,73 @@
-name: do-the-job
-on: pull_request
+name: Deploy to ECR
+
+on: push
+env:
+  AWS_REGION: eu-west-1
+
 jobs:
-  start-runner:
-    name: Start self-hosted EC2 runner
-    runs-on: ubuntu-latest
-    outputs:
-      label: ${{ steps.start-ec2-runner.outputs.label }}
-      ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }}
+  build:
+    name: CICD
+    runs-on: self-hosted
     steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v4
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Build and tag image
+        id: build-image
+        env:
+          ECR_REGISTRY: 061051224299.dkr.ecr.eu-west-1.amazonaws.com
+          ECR_REPOSITORY: go-app
+          TAG_COMMIT: ${{ github.sha }}
+        run: |
+          cd app/
+          docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$TAG_COMMIT . 
+          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$TAG_COMMIT" >> $GITHUB_OUTPUT
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.AWS_REGION }}
-      - name: Start EC2 runner
-        id: start-ec2-runner
-        uses: machulav/ec2-github-runner@v2
+          image-ref: ${{ steps.build-image.outputs.image }}
+          format: 'table'
+          hide-progress: true
+          # exit-code: '1' #Error in case of vulnerabilities
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH' #Ignore low severity vulnerabilities 
+          cache: 'false'
+
+      - name: Login to ECR
+        id: login-ecr
+        env:
+          AWS_ACCOUNT: 061051224299
+          ECR_REGISTRY: 061051224299.dkr.ecr.eu-west-1.amazonaws.com
+        run: |
+            docker login -u AWS -p $(aws ecr get-login-password --region $AWS_REGION) $ECR_REGISTRY
+
+      - name: Push image
+        id: push-image
+        env:
+          TAG_COMMIT: ${{ github.sha }}
+        run: |
+          docker push ${{ steps.build-image.outputs.image }}
+          sudo rm /root/.docker/config.json
+
+      - name: Download task definition
+        run: |
+          aws ecs describe-task-definition --task-definition surepay-task --query taskDefinition > task-definition.json
+          cat task-definition.json
+
+      - name: Fill in the new image ID in the Amazon ECS task definition
+        id: task-def
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
         with:
-          mode: start
-          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
-          ec2-image-id: ami-02141377eee7defb9
-          ec2-instance-type: t3.nano
-          subnet-id: subnet-0458f5906f3685c08
-          security-group-id: sg-035e60401f1ac532a
-          iam-role-name: runner_policy # optional, requires additional permissions
-          aws-resource-tags: > # optional, requires additional permissions
-            [
-              {"Key": "Name", "Value": "ec2-github-runner"},
-              {"Key": "GitHubRepository", "Value": "${{ github.repository }}"}
-            ]
-  do-the-job:
-    name: Do the job on the runner
-    needs: start-runner # required to start the main job when the runner is ready
-    runs-on: ${{ needs.start-runner.outputs.label }} # run the job on the newly created runner
-    steps:
-      - name: Hello World
-        run: echo 'Hello World!'
-  stop-runner:
-    name: Stop self-hosted EC2 runner
-    needs:
-      - start-runner # required to get output from the start-runner job
-      - do-the-job # required to wait when the main job is done
-    runs-on: ubuntu-latest
-    if: ${{ always() }} # required to stop the runner even if the error happened in the previous jobs
-    steps:
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.AWS_REGION }}
-      - name: Stop EC2 runner
-        uses: machulav/ec2-github-runner@v2
+          task-definition: task-definition.json
+          container-name: go-app
+          image: ${{ steps.build-image.outputs.image }}
+
+      - name: Deploy Amazon ECS task definition
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v2
         with:
-          mode: stop
-          github-token: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
-          label: ${{ needs.start-runner.outputs.label }}
-          ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }}
+          task-definition: ${{ steps.task-def.outputs.task-definition }}
+          service: surepay-service 
+          cluster: surepay-ecs
+          desired-count: 4
+          wait-for-service-stability: true

.github/workflows/tf.yaml

@@ -0,0 +1,41 @@
+name: Terraform pipeline + docs
+on:
+  - pull_request
+
+jobs:
+  tf-pipe:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+
+    - uses: actions/checkout@v4
+    - uses: hashicorp/setup-terraform@v3
+
+    - name: Terraform fmt
+      id: fmt
+      run: terraform fmt -check
+      continue-on-error: true
+
+    - name: Terraform Init
+      id: init
+      run: terraform init
+
+    - name: Terraform Validate
+      id: validate
+      run: terraform validate -no-color
+
+    - name: Terraform Plan
+      id: plan
+      run: terraform plan -no-color
+        continue-on-error: true
+
+    - name: Render terraform docs and push changes back to PR
+      uses: terraform-docs/gh-actions@main
+      with:
+        working-dir: .
+        output-file: README.md
+        output-method: inject
+        git-push: "true"
+        recursive: true

.gitignore

@@ -37,4 +37,5 @@ override.tf.json
 terraform.rc
 
 # Lock file
-.terraform.lock.hcl
+.terraform.lock.hcl
+NOTES

README.md

@@ -0,0 +1,41 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_ecs"></a> [ecs](#module\_ecs) | ./modules/ecs | n/a |
+| <a name="module_runner"></a> [runner](#module\_runner) | ./modules/runner | n/a |
+| <a name="module_suplement"></a> [suplement](#module\_suplement) | ./modules/suplement | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ami_id"></a> [ami\_id](#input\_ami\_id) | Runner | `string` | `"ami-0e9085e60087ce171"` | no |
+| <a name="input_app_name"></a> [app\_name](#input\_app\_name) | n/a | `string` | `"go-app"` | no |
+| <a name="input_azs"></a> [azs](#input\_azs) | n/a | `list(string)` | <pre>[<br/>  "eu-west-1a",<br/>  "eu-west-1b"<br/>]</pre> | no |
+| <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | Default Tags for Project | `map(string)` | <pre>{<br/>  "Environment": "Dev",<br/>  "Owner": "surepay",<br/>  "Project": "surepay"<br/>}</pre> | no |
+| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | n/a | `string` | `"t2.medium"` | no |
+| <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | n/a | `list(string)` | <pre>[<br/>  "10.0.1.0/24",<br/>  "10.0.2.0/24"<br/>]</pre> | no |
+| <a name="input_project"></a> [project](#input\_project) | n/a | `string` | `"surepay"` | no |
+| <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | n/a | `list(string)` | <pre>[<br/>  "10.0.101.0/24",<br/>  "10.0.102.0/24"<br/>]</pre> | no |
+| <a name="input_region"></a> [region](#input\_region) | n/a | `string` | `"eu-west-1"` | no |
+| <a name="input_vpc_cidr"></a> [vpc\_cidr](#input\_vpc\_cidr) | VPC | `string` | `"10.0.0.0/16"` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

app/Dockerfile

@@ -0,0 +1,23 @@
+FROM golang:1.23
+WORKDIR /src
+
+COPY <<EOF /src/server.go
+package main
+import "github.com/gin-gonic/gin"
+func main() {
+   app := gin.Default()
+   router := app.Group("/")
+   router.GET("/", Hello)
+   app.Run(":80")
+}
+func Hello(c *gin.Context) {
+  c.Writer.Write([]byte("<h1> hello ecs </h1>"))
+}
+EOF
+RUN ls
+RUN go mod init server
+RUN go mod tidy
+RUN go build -o hello
+EXPOSE 80 
+
+CMD ["/src/hello"]

main.tf

@@ -8,25 +8,77 @@ module "vpc" {
   private_subnets = var.private_subnets
   public_subnets  = var.public_subnets
 
+  #Single NAT Gateway https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/v5.16.0?tab=readme-ov-file#single-nat-gateway
   enable_nat_gateway = true
+  single_nat_gateway = true
+
+  create_database_subnet_group    = false
+  create_elasticache_subnet_group = false
+  create_redshift_subnet_group    = false
+  manage_default_network_acl      = false
+  manage_default_route_table      = false
+  manage_default_security_group   = false
 
   default_vpc_tags = merge(
     var.default_tags, {
-      Name = "SurepayVPC"
+      Name = "vpc"
     },
   )
 }
 
 module "runner" {
-  source                = "./modules/runner"
+  source     = "./modules/runner"
+  runner_ami = var.ami_id
+  region     = var.region
+
+  instance_type = var.instance_type
+
+  aws_ecs_service_name       = module.ecs.service_name
+  aws_ecs_cluster_name       = module.ecs.cluster_name
+  is_lb_private              = "false"
+  runner_host_key_pair       = module.suplement.key_pair_name
+  runner_iam_policy_name     = "${var.project}RunnerHostPolicy"
+  create_dns_record          = "false"
+  vpc_id                     = module.vpc.vpc_id
+  elb_subnets                = module.vpc.public_subnets
+  auto_scaling_group_subnets = module.vpc.private_subnets
+
+  github_url           = "https://github.com/dilsilva/surepay/settings/actions/runners"
+  github_owner         = "dilsilva"
+  github_repo          = "surepay"
+  ssm_parameter_name   = module.suplement.ssm_parameter_name
+  github_runner_group  = ""
+  github_runner_labels = ""
 
-  ami_id                = var.ami_id
-  vpc_id                = module.vpc.vpc_id
-  runner_instance_type  = "t2.micro"
-  subnet_id             = tostring(module.vpc.public_subnets[0])
-  default_tags = merge(
+  tags = merge(
     var.default_tags, {
-      Name = "gh-runner"
-    },
-  )
-}
+      "name" = "${var.project}-runner"
+  }, )
+
+  depends_on = [module.vpc, module.suplement]
+}
+
+
+module "ecs" {
+  source = "./modules/ecs"
+
+  project         = var.project
+  region          = var.region
+  vpc_id          = module.vpc.vpc_id
+  public_subnets  = module.vpc.public_subnets
+  private_subnets = module.vpc.private_subnets
+  app_name        = var.app_name
+  app_image       = module.suplement.ecr_repository
+
+  private_instances_security_group = module.runner.private_instances_security_group
+
+  depends_on = [module.vpc, module.suplement]
+}
+
+module "suplement" {
+  source     = "./modules/suplement"
+  project    = var.project
+  public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDJaDTgLeCoQqvOD2Hbityz0WD+/jmLY7Wpy4Zmu81S2ejbSiU2AHAZil0KhCJzMDtoZfhbsntRCU1i5tIVnCyT1XOptMXrMn3h8LqVHjc7KqMZkOnPHFjUm/JBgAsxyM4NOVIgLykH4QRotRCBtMhjPWwDfpdgrlFciEmq6NEiyVkNRWT2RJ2FV9JqD15vs9i3Q/whmR6nbqb7o5HCPRz6s2wkQonsjP16v+MpPZjFswGMJxcsL4ZcKN4bvsElhwYVGDSS1R6Z4cn/CSU8bluRPIHWUSEZsW9vME7h32j2v79qBp5I8ACJbyQC2VstoHRWSOoVt/sQE3gLjGBd+goi7sQCHDVQnhstSPuxZOdEuxGDANSEyyo7TCiZrfRVZqcDtmUi1WmTkAzpvFjQYZT8hwIxsVbp2VG3tP6UwH3DH8ofxd6eIOvH27bxlbwzbOAkNG9/rwT4kGfyZZ2D8R9aH9PFXeeohiQkJegyRzzIWzHhxtL2v5i2Mxcbtnhj/kdzK0GUUymDjO3LK7+UW4kGEKCX/KxuuWWsrlrKPTMZu1x3nsDJD+gUgC33GOkY7zO0hSj4kXVxpPN+Q5RngNB9rHF7RPRMuS7TCF0V6ZfTRh9Q6DNDrGOrzlLmJj2yA0vB/V2rsLRA/TXVpTlE91/j/1vxsIFuZ99NspCUwbBABw== dilsilva.diego@gmail.com"
+  pat_value  = "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"
+  app_name   = var.app_name
+}

modules/README.md

@@ -0,0 +1,25 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->