chore: use terraform for aws infrastructure

.github/workflows/.aws-deployer.yml

@@ -0,0 +1,71 @@
+name: .Terraform Deployer
+
+on:
+  workflow_call:
+    inputs:
+      ### Required
+      environment_name:
+        description: 'The name of the environment to deploy to'
+        required: true
+        default: 'dev'
+        type: string
+      command:
+        description: 'The terragrunt command to run'
+        required: true
+        default: 'apply'
+        type: string
+      working_directory:
+        description: 'The working directory to run the command in'
+        required: true
+        default: 'database'
+        type: string
+      tag:
+        description: 'The tag of the containers to deploy'
+        default: 'latest'
+        type: string
+        required: false
+      app_env:
+        required: false
+        type: string
+        description: 'The APP env separates between AWS ENV and Actual APP, since AWS dev is where PR, and TEST is deployed'
+
+
+
+
+
+env:
+    TG_VERSION: 0.55.2
+    TF_VERSION: 1.5.3
+    TG_SRC_PATH: terraform/${{ inputs.working_directory }}
+    AWS_REGION: ca-central-1
+jobs:
+ deploy:
+  name: Deploy
+  runs-on: ubuntu-24.04
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
+          role-session-name: ${{ inputs.environment_name }}-deployment
+          aws-region: ${{ env.AWS_REGION }}
+    - uses: hashicorp/setup-terraform@v3
+      with:
+        terraform_version: ${{ env.TF_VERSION }}
+    - name: Setup Terragrunt
+      uses: autero1/action-terragrunt@v3
+      with:
+          terragrunt-version: ${{ env.TG_VERSION }}
+    - name: Terragrunt Apply
+      working-directory: terraform/${{ inputs.working_directory }}/${{ inputs.environment_name }}
+      env:
+          target_env: ${{ inputs.environment_name }}
+          aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
+          flyway_image: ghcr.io/${{github.repository}}/migrations:${{inputs.tag}}
+          api_image: ghcr.io/${{github.repository}}/backend:${{inputs.tag}}
+          app_env: ${{inputs.app_env}}
+      run: |
+          # Run terraform
+          terragrunt run-all ${{inputs.command}} --terragrunt-non-interactive

.github/workflows/pr-close.yml

@@ -1,76 +1,31 @@
-name: PR Closed
+name: PR Close
 
 on:
-  # Disabling this for now as it's OpenShift specific. Remove workflow_dispatch when updated.
-  workflow_dispatch:
-  # pull_request:
-  #   types: [closed]
-
+  pull_request:
+    types: [closed]
 concurrency:
-  # PR open and close use the same group, allowing only one at a time
+  # Cancel in progress for PR open and close
   group: ${{ github.event.number }}
-  cancel-in-progress: true
-
+  cancel-in-progress: false
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: write # This is required for actions/checkout
+  packages: write
+  pull-requests: write
 jobs:
-  cleanup:
-    name: Cleanup and Images
-    uses: bcgov/quickstart-openshift-helpers/.github/workflows/[email protected]
-    secrets:
-      oc_namespace: ${{ secrets.OC_NAMESPACE }}
-      oc_token: ${{ secrets.OC_TOKEN }}
+  cleanup-aws-database:
+    name: Cleanup AWS Database
+    uses: ./.github/workflows/.deployer.yml
     with:
-      cleanup: helm
-      packages: backend frontend migrations
-
-
-  cleanup_db: # TODO move it off to another action later.
-    name: Remove DB User from crunchy
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install CLI tools from OpenShift Mirror
-        uses: redhat-actions/openshift-tools-installer@v1
-        with:
-          oc: "4.14.37"
-
-      - name: OC Login
-        shell: bash
-        run: |
-          # OC Login
-          OC_TEMP_TOKEN=$(curl -k -X POST https://api.silver.devops.gov.bc.ca:6443/api/v1/namespaces/${{ secrets.oc_namespace }}/serviceaccounts/pipeline/token --header "Authorization: Bearer ${{ secrets.oc_token }}" -d '{"spec": {"expirationSeconds": 600}}' -H 'Content-Type: application/json; charset=utf-8' | jq -r '.status.token' )
-
-          oc login --token=$OC_TEMP_TOKEN --server=https://api.silver.devops.gov.bc.ca:6443
-          oc project ${{ secrets.oc_namespace }} # Safeguard!
-
-      - name: Remove PR user and database from crunchy
-        shell: bash
-        run: |
-          # check if postgres-crunchy exists or else exit
-          oc get PostgresCluster/postgres-crunchy || exit 0
-
-          # Remove the user from the crunchy cluster yaml and apply the changes
-          USER_TO_REMOVE='{"databases":["app-${{ github.event.number }}"],"name":"app-${{ github.event.number }}"}'
-
-          echo 'getting current users from crunchy'
-          CURRENT_USERS=$(oc get PostgresCluster/postgres-crunchy -o json | jq '.spec.users')
-          echo "${CURRENT_USERS}"
-
-          # Remove the user from the list,
-          UPDATED_USERS=$(echo "${CURRENT_USERS}" | jq --argjson user "${USER_TO_REMOVE}" 'map(select(. != $user))')
-
-          PATCH_JSON=$(jq -n --argjson users "${UPDATED_USERS}" '{"spec": {"users": $users}}')
-          oc patch PostgresCluster/postgres-crunchy --type=merge -p "${PATCH_JSON}"
-
-          # get primary crunchy pod and remove the role and db
-          CRUNCHY_PG_PRIMARY_POD_NAME=$(oc get pods -l postgres-operator.crunchydata.com/role=master -o json | jq -r '.items[0].metadata.name')
-
-          echo "${CRUNCHY_PG_PRIMARY_POD_NAME}"
-          # Terminate all connections to the database before trying terminate
-          oc exec "${CRUNCHY_PG_PRIMARY_POD_NAME}" -- psql -c "SELECT pg_terminate_backend(pg_stat_activity.pid) FROM pg_stat_activity WHERE pg_stat_activity.datname = 'app-${{ github.event.number }}' AND pid <> pg_backend_pid();"
-
-          # Drop the database and role
-          oc exec "${CRUNCHY_PG_PRIMARY_POD_NAME}" -- psql -c "DROP DATABASE \"app-${{ github.event.number }}\" --cascade"
-          oc exec "${CRUNCHY_PG_PRIMARY_POD_NAME}" -- psql -c "DROP ROLE \"app-${{ github.event.number }}\" --cascade"
-          echo 'database and role deleted'
-
-          exit 0
+      environment_name: dev
+      command: destroy
+      working_directory: database
+    secrets: inherit
+  cleanup-aws-api:
+      name: Cleanup AWS API
+      uses: ./.github/workflows/.deployer.yml
+      with:
+        environment_name: dev
+        command: destroy
+        working_directory: api
+      secrets: inherit

.github/workflows/pr-open.yml

@@ -6,16 +6,20 @@ on:
 concurrency:
   # Cancel in progress for PR open and close
   group: ${{ github.event.number }}
-  cancel-in-progress: true
-
+  cancel-in-progress: false
+permissions:
+  id-token: write # This is required for requesting the JWT
+  contents: write # This is required for actions/checkout
+  packages: write
+  pull-requests: write
 jobs:
   # https://github.com/bcgov-nr/action-builder-ghcr
   builds:
     name: Builds
     runs-on: ubuntu-24.04
     strategy:
       matrix:
-        package: [backend, frontend, migrations]
+        package: [backend, migrations]
     timeout-minutes: 10
     steps:
       - uses: bcgov-nr/[email protected]
@@ -25,36 +29,30 @@ jobs:
           tag: ${{ github.event.number }}
           tag_fallback: latest
           triggers: ('${{ matrix.package }}/')
-
+      - uses: shrink/actions-docker-registry-tag@v4
+        with:
+          registry: ghcr.io
+          repository: ${{ github.repository }}/${{ matrix.package }}
+          target: ${{ github.event.number }}
+          tags: ${{ github.event.number }}-${{ github.run_number }}
   # https://github.com/bcgov/quickstart-openshift-helpers
-  # deploys:
-  #   name: Deploys
-  #   needs: [builds]
-  #   uses: ./.github/workflows/.deployer.yml
-  #   secrets:
-  #     oc_namespace: ${{ secrets.OC_NAMESPACE }}
-  #     oc_token: ${{ secrets.OC_TOKEN }}
-  #   with:
-  #     triggers: ('backend/' 'frontend/' 'migrations/' 'charts/')
-  #     db_user: app-${{github.event.number}}
-  #     params: --set global.secrets.persist=false
-
-  # All current tests require deployment to dev first.
-  # tests:
-  #   name: Tests
-  #   if: needs.deploys.outputs.triggered == 'true'
-  #   # needs: [deploys]
-  #   uses: ./.github/workflows/.tests.yml
-  #   with:
-  #     target: ${{ github.event.number }}
-
-  results:
-    name: PR Results
+  deploy-db:
     needs: [builds]
-    # needs: [builds, deploys, tests]
-    if: always()
-    runs-on: ubuntu-24.04
-    steps:
-      - if: contains(needs.*.result, 'failure')
-        run: echo "At least one job has failed." && exit 1
-      - run: echo "Success!"
+    name: Deploys Database
+    uses: ./.github/workflows/.deployer.yml
+    with:
+      environment_name: dev
+      command: apply
+      working_directory: database
+    secrets: inherit
+  deploy-api:
+    name: Deploys API
+    needs: [deploy-db]
+    uses: ./.github/workflows/.deployer.yml
+    with:
+      environment_name: dev
+      command: apply
+      working_directory: api
+      tag: ${{ github.event.number }}-${{ github.run_number }}
+      app_env: ${{github.event.number}}
+    secrets: inherit

api/dev/terragrunt.hcl

@@ -0,0 +1,24 @@
+include {
+  path = find_in_parent_folders()
+}
+locals {
+  app_env          = get_env("app_env")
+  flyway_image              = get_env("flyway_image")
+  api_image          = get_env("api_image")
+  target_env              = get_env("target_env")
+
+}
+
+# Include the common terragrunt configuration for all modules
+generate "dev_tfvars" {
+  path              = "dev.auto.tfvars"
+  if_exists         = "overwrite"
+  disable_signature = true
+  contents          = <<-EOF
+  target_env = "dev"
+  flyway_image="${local.flyway_image}"
+  api_image="${local.api_image}"
+  app_env="${local.app_env}"
+  app_name="node-api-${local.target_env}-${local.app_env}"
+EOF
+}

api/terragrunt.hcl

@@ -0,0 +1,57 @@
+terraform {
+  source = "../../..//infrastructure//api"
+}
+
+
+
+locals {
+  region                  = "ca-central-1"
+
+  # Terraform remote S3 config
+  tf_remote_state_prefix  = "terraform-remote-state" # Do not change this, given by cloud.pathfinder.
+  target_env              = get_env("target_env")
+  aws_license_plate          = get_env("aws_license_plate")
+  app_env          = get_env("app_env")
+  statefile_bucket_name   = "${local.tf_remote_state_prefix}-${local.aws_license_plate}-${local.target_env}"
+  statefile_key           = "${local.target_env}/${local.app_env}/api/terraform.tfstate"
+  statelock_table_name    = "${local.tf_remote_state_prefix}-lock-${local.aws_license_plate}"
+  flyway_image              = get_env("flyway_image")
+  api_image          = get_env("api_image")
+
+}
+
+# Remote S3 state for Terraform.
+generate "remote_state" {
+  path      = "backend.tf"
+  if_exists = "overwrite"
+  contents  = <<EOF
+terraform {
+  backend "s3" {
+    bucket         = "${local.statefile_bucket_name}"
+    key            = "${local.statefile_key}"            # Path and name of the state file within the bucket
+    region         = "${local.region}"                    # AWS region where the bucket is located
+    dynamodb_table = "${local.statelock_table_name}"
+    encrypt        = true
+  }
+}
+EOF
+}
+
+
+generate "tfvars" {
+  path              = "terragrunt.auto.tfvars"
+  if_exists         = "overwrite"
+  disable_signature = true
+  contents          = <<-EOF
+EOF
+}
+
+generate "provider" {
+  path      = "provider.tf"
+  if_exists = "overwrite"
+  contents  = <<EOF
+provider "aws" {
+  region  = "${local.region}"
+}
+EOF
+}

database/dev/terragrunt.hcl

@@ -0,0 +1,17 @@
+include {
+  path = find_in_parent_folders()
+}
+locals {
+  target_env              = get_env("target_env")
+}
+
+# Include the common terragrunt configuration for all modules
+generate "dev_tfvars" {
+  path              = "dev.auto.tfvars"
+  if_exists         = "overwrite"
+  disable_signature = true
+  contents          = <<-EOF
+  target_env = "dev"
+  db_cluster_name = "qsawsc-aurora-cluster-${local.target_env}"
+EOF
+}