gitops-bridge-dev · csantanapr · Apr 3, 2024 · Apr 3, 2024 · Apr 3, 2024 · Apr 3, 2024
diff --git a/.github/workflows/deploy-pulumi.yaml b/.github/workflows/deploy-pulumi.yaml
@@ -2,44 +2,78 @@ name: Pulumi Deploy
 on:
   push:
     branches:
-      - main
+      - live
     paths:
       - pulumi/**
-env:
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
-  GITHUB_TOKEN: ${{ secrets.PULUMI_GITHUB_TOKEN }}
+  workflow_dispatch: null
 
 jobs:
   preview:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
-      # This IAM Matrix should have a name with the stack name and an iamRole
-      # with access to deploy AWS resources in you account. The easiest method is attaching AdministratorAccess Policy to role.
+      # This IAM Matrix should have a name with the stack name, awsAccountID, and iamRole
+      # with access to deploy AWS resources in you account. The easiest method is attaching AdministratorAccess Policy to role
       # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services for details on implementing OIDC with Github Actions
       matrix:
-        arrays: [ 
-          stack: {name: "hub", iamRole: "arn:aws:iam::753080021511:role/pulumi-github-actions"}, 
-          stack: {name: "dev", iamRole: "arn:aws:iam::753080021511:role/pulumi-github-actions"}, 
-          stack: {name: "prod", iamRole: "arn:aws:iam::753080021511:role/pulumi-github-actions"}, 
+        arrays: [
+          stack: {name: "hub", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
+          stack: {name: "dev", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
+          stack: {name: "prod", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
         ]
     permissions:
       id-token: write
       contents: read
-    name: Deploy
+    name: Pulumi Deploy ${{ matrix.arrays.stack.name }}
     steps:
-      - uses: actions/checkout@v2
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v2
+      - name: Checkout 🛎️
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ matrix.arrays.stack.iamRole }}
-          aws-region: us-east-2
-      - run: |
+          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+          ## the following creates an ARN based on the values entered into github secrets
+          role-to-assume: arn:aws:iam::${{ secrets[matrix.arrays.stack.awsAccountID] }}:role/${{ secrets[matrix.arrays.stack.iamRole] }}
+          role-session-name: myGitHubActions
+
+      - name: 📦️ Pulumi Install 📦️
+        uses: pulumi/actions@v5
+
+      # - name: Overrides Pulumi Config 🔨
+      #   working-directory: pulumi
+      #   env:
+      #     PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+      #   run: |
+      #     pulumi stack select ${{ matrix.arrays.stack.name }}
+      #     pulumi config set githubOrg ${GITHUB_REPOSITORY_OWNER}
+      #     pulumi config set githubRepo $(echo "${GITHUB_REPOSITORY}" | cut -d '/' -f2)
+      #     pulumi config set veleroBucketPrefix ${{ secrets.VELERO_BACKUP_BUCKET }}
+      #     if [ ${{ matrix.arrays.stack.name }} != "hub" ]; then
+      #       pulumi config set hubStackName ${{ secrets.PULUMI_ACCOUNT }}/${{ secrets.PULUMI_PROJECT }}/hub
+      #     fi
+      #     cat stacks/Pulumi.${{ matrix.arrays.stack.name }}.yaml
+
+      - name: Setup Node LTS ✨
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          # cache: npm
+          # cache-dependency-path: pulumi/src/package-lock.json
+
+      - name: Installing dependencies 📦️
+        run: |
           cd ./pulumi
           npm install
-      - uses: pulumi/actions@v3
+
+      - name: Deploy infrastructure 🚀
+        uses: pulumi/actions@v5
         with:
-          color: auto
           command: up
           work-dir: ./pulumi
           stack-name: ${{ matrix.arrays.stack.name }}
+          comment-on-summary: true
+          diff: true
+        env:
+         PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+         GITHUB_TOKEN: ${{ secrets.PULUMI_GITHUB_TOKEN }}
diff --git a/.github/workflows/destroy-pulumi.yaml b/.github/workflows/destroy-pulumi.yaml
@@ -0,0 +1,75 @@
+name: Pulumi Destroy
+on:
+  workflow_dispatch: null
+
+jobs:
+  preview:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      # This IAM Matrix should have a name with the stack name, awsAccountID, and iamRole
+      # with access to deploy AWS resources in you account. The easiest method is attaching AdministratorAccess Policy to role
+      # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services for details on implementing OIDC with Github Actions
+      matrix:
+        arrays: [
+          stack: {name: "hub", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
+          stack: {name: "dev", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
+          stack: {name: "prod", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
+        ]
+    permissions:
+      id-token: write
+      contents: read
+    name: Pulumi Destroy ${{ matrix.arrays.stack.name }}
+    steps:
+      - name: Checkout 🛎️
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+          ## the following creates an ARN based on the values entered into github secrets
+          role-to-assume: arn:aws:iam::${{ secrets[matrix.arrays.stack.awsAccountID] }}:role/${{ secrets[matrix.arrays.stack.iamRole] }}
+          role-session-name: myGitHubActions
+
+      - name: 📦️ Pulumi Install 📦️
+        uses: pulumi/actions@v5
+
+      # - name: Overrides Pulumi Config 🔨
+      #   working-directory: pulumi
+      #   env:
+      #     PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+      #   run: |
+      #     pulumi stack select ${{ matrix.arrays.stack.name }}
+      #     pulumi config set githubOrg ${GITHUB_REPOSITORY_OWNER}
+      #     pulumi config set githubRepo $(echo "${GITHUB_REPOSITORY}" | cut -d '/' -f2)
+      #     pulumi config set veleroBucketPrefix ${{ secrets.VELERO_BACKUP_BUCKET }}
+      #     if [ ${{ matrix.arrays.stack.name }} != "hub" ]; then
+      #       pulumi config set hubStackName ${{ secrets.PULUMI_ACCOUNT }}/${{ secrets.PULUMI_PROJECT }}/hub
+      #     fi
+      #     cat stacks/Pulumi.${{ matrix.arrays.stack.name }}.yaml
+
+      - name: Setup Node LTS ✨
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          # cache: npm
+          # cache-dependency-path: pulumi/src/package-lock.json
+
+      - name: Installing dependencies 📦️
+        run: |
+          cd ./pulumi
+          npm install
+
+      - name: Destroy infrastructure 🚀
+        uses: pulumi/actions@v5
+        with:
+          command: destroy
+          work-dir: ./pulumi
+          stack-name: ${{ matrix.arrays.stack.name }}
+          comment-on-summary: true
+          diff: true
+        env:
+         PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+         GITHUB_TOKEN: ${{ secrets.PULUMI_GITHUB_TOKEN }}
+         PULUMI_K8S_DELETE_UNREACHABLE: true
diff --git a/.github/workflows/pr-pulumi.yaml b/.github/workflows/pr-pulumi.yaml
@@ -1,41 +1,77 @@
-name: Pulumi Prototype Preview
+name: Pulumi Preview
 on:
-  - pull_request
-env:
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
-  GITHUB_TOKEN: ${{ secrets.PULUMI_GITHUB_TOKEN }}
+  pull_request:
+    paths:
+      - pulumi/**
+  workflow_dispatch: null
 
 jobs:
   preview:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
-      # This IAM Matrix should have a name with the stack name and an iamRole
+      # This IAM Matrix should have a name with the stack name, awsAccountID, and iamRole
       # with access to deploy AWS resources in you account. The easiest method is attaching AdministratorAccess Policy to role
       # See https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services for details on implementing OIDC with Github Actions
       matrix:
-        arrays: [ 
-          stack: {name: "hub", iamRole: "arn:aws:iam::753080021511:role/pulumi-github-actions"},
-          stack: {name: "dev", iamRole: "arn:aws:iam::753080021511:role/pulumi-github-actions"}, 
-          stack: {name: "prod", iamRole: "arn:aws:iam::753080021511:role/pulumi-github-actions"}, 
+        arrays: [
+          stack: {name: "hub", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
+          stack: {name: "dev", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
+          stack: {name: "prod", awsAccountID: "AWS_ACCOUNT_ID", iamRole: "AWS_DEPLOY_ROLE"},
         ]
     permissions:
       id-token: write
       contents: read
-    name: Deploy
+    name: Pulumi Preview ${{ matrix.arrays.stack.name }}
     steps:
-      - uses: actions/checkout@v2
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v2
+      - name: Checkout 🛎️
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ matrix.arrays.stack.iamRole }}
-          aws-region: us-east-2
-      - run: |
+          aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
+          ## the following creates an ARN based on the values entered into github secrets
+          role-to-assume: arn:aws:iam::${{ secrets[matrix.arrays.stack.awsAccountID] }}:role/${{ secrets[matrix.arrays.stack.iamRole] }}
+          role-session-name: myGitHubActions
+
+      - name: 📦️ Pulumi Install 📦️
+        uses: pulumi/actions@v5
+
+      # - name: Overrides Pulumi Config 🔨
+      #   working-directory: pulumi
+      #   env:
+      #     PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+      #   run: |
+      #     pulumi stack select ${{ matrix.arrays.stack.name }}
+      #     pulumi config set githubOrg ${GITHUB_REPOSITORY_OWNER}
+      #     pulumi config set githubRepo $(echo "${GITHUB_REPOSITORY}" | cut -d '/' -f2)
+      #     pulumi config set veleroBucketPrefix ${{ secrets.VELERO_BACKUP_BUCKET }}
+      #     if [ ${{ matrix.arrays.stack.name }} != "hub" ]; then
+      #       pulumi config set hubStackName ${{ secrets.PULUMI_ACCOUNT }}/${{ secrets.PULUMI_PROJECT }}/hub
+      #     fi
+      #     cat stacks/Pulumi.${{ matrix.arrays.stack.name }}.yaml
+
+      - name: Setup Node LTS ✨
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          # cache: npm
+          # cache-dependency-path: pulumi/src/package-lock.json
+
+      - name: Installing dependencies 📦️
+        run: |
           cd ./pulumi
           npm install
-      - uses: pulumi/actions@v3
+
+      - name: Preview infrastructure 🚀
+        uses: pulumi/actions@v5
         with:
-          color: auto
           command: preview
           work-dir: ./pulumi
           stack-name: ${{ matrix.arrays.stack.name }}
+          comment-on-summary: true
+          diff: true
+        env:
+         PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+         GITHUB_TOKEN: ${{ secrets.PULUMI_GITHUB_TOKEN }}
diff --git a/pulumi/Pulumi.yaml b/pulumi/Pulumi.yaml
@@ -1,3 +1,4 @@
 name: gitopscon-2024-na-demo
 runtime: nodejs
 description: GitOpsCon 2024 North America Demo Project
+