Merge pull request #2 from capcom6/feature/terraform

Added: Docker Swarm deployment with Terraform
capcom6 · Jun 29, 2023 · 356e5d4 · 356e5d4
2 parents 496174b + 2c971d9
commit 356e5d4
Show file tree

Hide file tree

Showing 9 changed files with 246 additions and 17 deletions.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -1,6 +1,8 @@
 name: Docker
 
-on: push
+on:
+  push:
+  pull_request:
 
 jobs:
   build:
@@ -10,7 +12,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Docker meta
         id: meta
@@ -22,18 +24,62 @@ jobs:
             type=ref,event=pr
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
 
       - name: Log into Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v2
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v2
+        uses: docker/build-push-action@v3
         with:
           file: build/package/Dockerfile
           build-args: APP=service-monitor-tgbot
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+          # cache-from: type=gha
+          # cache-to: type=gha,mode=max
+
+  deploy:
+    runs-on: ubuntu-latest
+    # run only in v* tags
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs:
+      - build
+
+    env:
+      AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}}
+      AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.4.6
+
+      - name: Initialize Terraform
+        working-directory: deployments/docker-swarm-terraform
+        run: terraform init
+
+      - name: Deploy Docker service to Swarm
+        working-directory: deployments/docker-swarm-terraform
+        env:
+          CPU_LIMIT: ${{ vars.CPU_LIMIT }}
+          MEMORY_LIMIT: ${{ vars.MEMORY_LIMIT }}
+        run: |
+          eval "$(ssh-agent -s)"
+          ssh-add <(echo "${{ secrets.SSH_PRIVATE_KEY }}")
+          terraform apply -auto-approve -input=false \
+          -var 'swarm-manager-host=${{ secrets.SWARM_MANAGER_HOST }}' \
+          -var 'app-name=${{ vars.APP_NAME }}' \
+          -var "app-version=${GITHUB_REF#refs/tags/v}" \
+          -var 'app-config-b64=${{ secrets.APP_CONFIG_B64 }}' \
+          -var 'app-env-json-b64=${{ secrets.APP_ENV_JSON_B64 }}' \
+          -var "cpu-limit=${CPU_LIMIT:-1000000000}" \
+          -var "memory-limit=${MEMORY_LIMIT:-128000000}"
diff --git a/.gitignore b/.gitignore
@@ -1,6 +1,6 @@
 # File created using '.gitignore Generator' for Visual Studio Code: https://bit.ly/vscode-gig
-# Created by https://www.toptal.com/developers/gitignore/api/windows,visualstudiocode,go,linux,macos
-# Edit at https://www.toptal.com/developers/gitignore?templates=windows,visualstudiocode,go,linux,macos
+# Created by https://www.toptal.com/developers/gitignore/api/windows,visualstudiocode,macos,linux,go,terraform
+# Edit at https://www.toptal.com/developers/gitignore?templates=windows,visualstudiocode,macos,linux,go,terraform
 
 ### Go ###
 # If you prefer the allow list template instead of the deny list, see community template:
@@ -25,10 +25,6 @@
 # Go workspace file
 go.work
 
-### Go Patch ###
-/vendor/
-/Godeps/
-
 ### Linux ###
 *~
 
@@ -77,6 +73,42 @@ Temporary Items
 # iCloud generated files
 *.icloud
 
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
 ### VisualStudioCode ###
 .vscode/*
 !.vscode/settings.json
@@ -96,12 +128,6 @@ Temporary Items
 .history
 .ionide
 
-# Support for Project snippet scope
-.vscode/*.code-snippets
-
-# Ignore code-workspaces
-*.code-workspace
-
 ### Windows ###
 # Windows thumbnail cache files
 Thumbs.db
@@ -128,7 +154,7 @@ $RECYCLE.BIN/
 # Windows shortcuts
 *.lnk
 
-# End of https://www.toptal.com/developers/gitignore/api/windows,visualstudiocode,go,linux,macos
+# End of https://www.toptal.com/developers/gitignore/api/windows,visualstudiocode,macos,linux,go,terraform
 
 # Custom rules (everything added below won't be overriden by 'Generate .gitignore File' if you use 'Update' option)
 
@@ -142,3 +168,5 @@ $RECYCLE.BIN/
 /api/docs.go
 
 .env
+
+*.tfplan
diff --git a/deployments/docker-swarm-terraform/.env.example b/deployments/docker-swarm-terraform/.env.example
@@ -0,0 +1,3 @@
+export AWS_DEFAULT_REGION="ru-1"
+export AWS_ACCESS_KEY_ID="access_key"
+export AWS_SECRET_ACCESS_KEY="secret_key"
diff --git a/deployments/docker-swarm-terraform/.terraform.lock.hcl b/deployments/docker-swarm-terraform/.terraform.lock.hcl
diff --git a/deployments/docker-swarm-terraform/backend.tf b/deployments/docker-swarm-terraform/backend.tf
@@ -0,0 +1,11 @@
+terraform {
+  backend "s3" {
+    bucket                      = "terraform"
+    key                         = "monitor.tfstate"
+    endpoint                    = "s3.storage.selcloud.ru"
+    region                      = "ru-1"
+    skip_credentials_validation = true
+    skip_region_validation      = true
+    force_path_style            = true
+  }
+}
diff --git a/deployments/docker-swarm-terraform/main.tf b/deployments/docker-swarm-terraform/main.tf
@@ -0,0 +1,59 @@
+data "docker_registry_image" "app-image" {
+  name = "capcom6/${var.app-name}:${var.app-version}"
+}
+
+data "docker_network" "proxy" {
+  name = "proxy"
+}
+
+
+resource "docker_image" "app" {
+  name          = data.docker_registry_image.app-image.name
+  pull_triggers = [data.docker_registry_image.app-image.sha256_digest]
+  keep_locally  = true
+}
+
+resource "docker_config" "app" {
+  name = "${var.app-name}-config.yml-${replace(timestamp(), ":", ".")}"
+  data = var.app-config-b64
+
+  lifecycle {
+    ignore_changes        = [name]
+    create_before_destroy = true
+  }
+}
+
+resource "docker_service" "app" {
+  name = var.app-name
+
+  task_spec {
+    container_spec {
+      image = docker_image.app.image_id
+
+      configs {
+        config_id   = docker_config.app.id
+        config_name = docker_config.app.name
+        file_name   = "/app/config.yml"
+        file_uid    = 405
+        file_gid    = 100
+      }
+
+      env = jsondecode(base64decode(var.app-env-json-b64))
+    }
+    networks_advanced {
+      name = data.docker_network.proxy.id
+    }
+
+    resources {
+      limits {
+        # nano_cpus    = var.cpu-limit
+        memory_bytes = var.memory-limit
+      }
+
+      reservation {
+        # nano_cpus    = 10 * 10000000
+        memory_bytes = 16 * 1024 * 1024
+      }
+    }
+  }
+}
diff --git a/deployments/docker-swarm-terraform/providers.tf b/deployments/docker-swarm-terraform/providers.tf
@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "3.0.2"
+    }
+  }
+}
+
+provider "docker" {
+  host     = var.swarm-manager-host
+  ssh_opts = ["-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null"]
+}
diff --git a/deployments/docker-swarm-terraform/secrets.tfvars.example b/deployments/docker-swarm-terraform/secrets.tfvars.example
@@ -0,0 +1,5 @@
+swarm-manager-host = "ssh://user@host:22"
+app-name           = "service-monitor-tgbot"
+app-version        = "1.0.1"
+app-config-b64     = ""
+app-env-json-b64   = ""
diff --git a/deployments/docker-swarm-terraform/variables.tf b/deployments/docker-swarm-terraform/variables.tf
@@ -0,0 +1,40 @@
+variable "swarm-manager-host" {
+  type        = string
+  sensitive   = true
+  description = "Address of swarm manager"
+}
+
+variable "app-name" {
+  type        = string
+  description = "Name of app"
+}
+
+variable "app-version" {
+  type        = string
+  description = "Version of Docker image of app"
+  default     = "1.0"
+}
+
+variable "app-config-b64" {
+  type        = string
+  description = "Application config file"
+  sensitive   = true
+}
+
+variable "app-env-json-b64" {
+  type        = string
+  description = "Application env file in JSON format"
+  sensitive   = true
+}
+
+variable "cpu-limit" {
+  type        = number
+  description = "CPU limit in nanoseconds"
+  default     = 100 * 10000000
+}
+
+variable "memory-limit" {
+  type        = number
+  description = "Memory limit in bytes"
+  default     = 32 * 1024 * 1024
+}