chore: add Aspect Workflows CI (on AWS + GitHub Actions) (#410)

aspect-build · Aug 18, 2023 · be97fd8 · be97fd8
1 parent 42094e8
commit be97fd8
Show file tree

Hide file tree

Showing 16 changed files with 715 additions and 24 deletions.
diff --git a/.aspect/workflows/README.md b/.aspect/workflows/README.md
@@ -0,0 +1,31 @@
+# Aspect Workflows demonstration deployment
+
+This deployment of [Aspect Workflows](https://www.aspect.build/workflows) is configured to run on AWS + GitHub Actions.
+
+You can see this Aspect Workflows demonstration deployment live at
+https://github.com/aspect-build/rules_ts/actions/workflows/aspect-workflows.yaml.
+
+The three components of the configuration are,
+
+1. Aspect Workflows terraform module
+1. Aspect Workflows configuration yaml
+1. GitHub Actions workflows configurations
+
+## Aspect Workflows terraform module
+
+This is found under the [.aspect/workflows/terraform](./terraform) directory.
+
+## Aspect Workflows configuration yaml
+
+This is the [config.yaml](./config.yaml) file in this directory.
+
+## GitHub Actions workflows configurations
+
+This includes 3 files:
+
+1.  [.github/workflows/aspect-workflows.yaml](../../.github/workflows/aspect-workflows.yaml) : Aspect Workflows CI workflow
+
+1.  [.github/workflows/aspect-workflows-warming.yaml](../../.github/workflows/aspect-workflows-warming.yaml) : Aspect Workflows warming cron workflow
+
+1.  [.github/workflows/.aspect-workflows-reusable.yaml](../../.github/workflows/.aspect-workflows-reusable.yaml) : Aspect Workflows Reusable Workflow for GitHub Actions.
+    This files is kept up-to date with the [upstream](https://github.com/aspect-build/workflows-action/blob/main/.github/workflows/.aspect-workflows-reusable.yaml) source-of-truth with a `write_source_file` target in [.github/workflows/BUILD.bazel](../../.github/workflows/BUILD.bazel).
diff --git a/.aspect/workflows/config.yaml b/.aspect/workflows/config.yaml
@@ -0,0 +1,12 @@
+# See https://docs.aspect.build/v/workflows/config
+---
+bazel:
+    flags:
+        - --enable_bzlmod
+tasks:
+    buildifier:
+    test:
+        bazel:
+            flags:
+                # Allows tests to run bazelisk-in-bazel, since this is the cache folder used
+                - --test_env=XDG_CACHE_HOME
diff --git a/.aspect/workflows/terraform/.terraform.lock.hcl b/.aspect/workflows/terraform/.terraform.lock.hcl
diff --git a/.aspect/workflows/terraform/README.md b/.aspect/workflows/terraform/README.md
@@ -0,0 +1,7 @@
+# Aspect Workflows demonstration deployment terraform
+
+The terraform configuration found here is for a clean AWS sub-account with only Aspect Workflows deployed.
+
+-   `main.tf` : terraform backend configuration
+-   `vpc.tf` : VPC configuration
+-   `workflows.tf` : Aspect Workflows terraform module & AMI configuration
diff --git a/.aspect/workflows/terraform/main.tf b/.aspect/workflows/terraform/main.tf
@@ -0,0 +1,57 @@
+terraform {
+  required_version = "~> 1.4.0"
+
+  backend "s3" {
+    bucket   = "aw-deployment-terraform-state-rules-ts"
+    key      = "global/s3/terraform.tfstate"
+    region   = "us-west-2"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws",
+      version = "~> 4.58.0"
+    }
+  }
+}
+
+provider "aws" {
+  region  = "us-west-2"
+
+}
+
+resource "aws_s3_bucket" "terraform_state" {
+  bucket = "aw-deployment-terraform-state-rules-ts"
+
+  lifecycle {
+    prevent_destroy = true
+  }
+}
+
+resource "aws_s3_bucket_versioning" "terraform_state_versioning" {
+  bucket = aws_s3_bucket.terraform_state.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "terraform_state_encryption" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+  }
+}
+
+resource "aws_s3_bucket_public_access_block" "terraform_state_pab" {
+  bucket = aws_s3_bucket.terraform_state.id
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
+data "aws_region" "default" {}
diff --git a/.aspect/workflows/terraform/vpc.tf b/.aspect/workflows/terraform/vpc.tf
@@ -0,0 +1,49 @@
+locals {
+  cidr = "10.0.0.0/16"
+  azs  = ["us-west-2a", "us-west-2b", "us-west-2c"]
+
+  num_azs                 = length(local.azs)
+  num_bits_needed_for_azs = ceil(log(local.num_azs, 2))
+
+  private_cidr = cidrsubnet(local.cidr, 1, 0)
+  private_subnets = [
+    for i in range(local.num_azs) : cidrsubnet(local.private_cidr, local.num_bits_needed_for_azs, i)
+  ]
+
+  public_cidr = cidrsubnet(local.cidr, 1, 1)
+  public_subnets = [
+    for i in range(local.num_azs) : cidrsubnet(local.public_cidr, local.num_bits_needed_for_azs, i)
+  ]
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "4.0.2"
+
+  name = "aw_dev_vpc"
+  cidr = local.cidr
+
+  azs             = local.azs
+  private_subnets = local.private_subnets
+  public_subnets  = local.public_subnets
+
+  enable_nat_gateway      = true
+  single_nat_gateway      = true
+  enable_vpn_gateway      = false
+  map_public_ip_on_launch = true
+}
+
+module "vpc_endpoints" {
+  source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
+  version = "4.0.2"
+
+  vpc_id = module.vpc.vpc_id
+  endpoints = {
+    s3 = {
+      service         = "s3"
+      service_type    = "Gateway"
+      tags            = { Name = "s3-vpc-endpoint" }
+      route_table_ids = module.vpc.private_route_table_ids
+    },
+  }
+}