diff --git a/README.md b/README.md index 6cf60be7..5cb6a03b 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ This is a generic skeleton project that can be used to quickly get a new [cisagov](https://github.com/cisagov) GitHub -[packer](https://packer.io) project started. This skeleton project +[Packer](https://packer.io) project started. This skeleton project contains [licensing information](LICENSE), as well as [pre-commit hooks](https://pre-commit.com) and [GitHub Actions](https://github.com/features/actions) configurations 
@@ -23,76 +23,79 @@ terraform init --upgrade=true terraform apply ``` -Once the user is created you will need to update the `.travis.yml` file with the -new encrypted environment variables. +Once the user is created you will need to update the +[repository's secrets](https://github.com/cisagov/skeleton-packer/settings/secrets) +with the new encrypted environment variables. ```console terraform state show module.iam_user.aws_iam_access_key.key ``` -Take the `id` and `secret` fields from the above command's output and [encrypt -and place in the `.travis.yml` file](https://docs.travis-ci.com/user/encryption-keys/). - -Here is an example of encrypting the credentials for Travis: - -```console - travis encrypt --com --no-interactive "AWS_ACCESS_KEY_ID=AKIAxxxxxxxxxxxxxxxx" - travis encrypt --com --no-interactive "AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" - travis encrypt --com --no-interactive "GITHUB_ACCESS_TOKEN=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" -``` +Take the `id` and `secret` fields from the above command's output and create the +`AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables in the +[repository's secrets](https://github.com/cisagov/skeleton-packer/settings/secrets). ## Building the Image ## -### Using Travis-CI ### +### Using GitHub Actions ### 1. Create a [new release](https://help.github.com/en/articles/creating-releases) in GitHub. 1. There is no step 2! -Travis-CI can build this project in three different modes depending on +GitHub Actions can build this project in three different modes depending on how the build was triggered from GitHub. -1. **Non-release test**: After a normal commit or pull request Travis +1. **Non-release test**: After a normal commit or pull request GitHub Actions will build the project, and run tests and validation on the packer configuration. It will __not__ build an image. 1. **Pre-release deploy**: Publish a GitHub release with the "This is a pre-release" checkbox checked. 
An image will be built - and deployed to the single region defined by the `PACKER_BUILD_REGION` - environment variable. + and deployed using the [`prerelease`](.github/workflows/prerelease.yml) + workflow. This should be configured to deploy the image to a single region + using a non-production account. 1. **Production release deploy**: Publish a GitHub release with the "This is a pre-release" checkbox unchecked. An image will be built - in the `PACKER_BUILD_REGION` and copied to each region listed in the - `PACKER_DEPLOY_REGION_KMS_MAP` environment variable. + and deployed using the [`release`](.github/workflows/release.yml) + workflow. This should be configured to deploy the image to multiple regions + using a production account. ### Using Your Local Environment ### -The following environment variables are used by Packer: +Packer will use your +[standard AWS environment](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-envvars.html) +to build the image. + +The [Packer template](src/packer.json) requires one environment variable to be defined: + +- `BUILD_REGION`: the region in which to build the image. + +Additionally, the following optional environment variables can be used +by the [Packer template](src/packer.json) to tag the final image: -- Required - - `PACKER_BUILD_REGION`: the region in which to build the image. - - `PACKER_DEPLOY_REGION_KMS_MAP`: a map of deploy regions to KMS keys. -- Optional - - `GITHUB_ACCESS_TOKEN`: a personal GitHub token to use for API access. - - `PACKER_IMAGE_VERSION`: the version tag applied to the final image. 
+- `GITHUB_IS_PRERELEASE`: boolean pre-release status +- `GITHUB_RELEASE_TAG`: image version +- `GITHUB_RELEASE_URL`: URL pointing to the related GitHub release Here is an example of how to kick off a pre-release build: ```console pip install --requirement requirements-dev.txt -export PACKER_BUILD_REGION="us-east-2" -export PACKER_DEPLOY_REGION_KMS_MAP="us-east-1:alias/cool/ebs,us-east-2:alias/cool/ebs,us-west-1:alias/cool/ebs,us-west-2:alias/cool/ebs" -export PACKER_IMAGE_VERSION=$(./bump_version.sh show) ansible-galaxy install --force --force-with-deps --role-file src/requirements.yml -./patch_packer_config.py pre-release src/packer.json +export BUILD_REGION="us-east-2" +export GITHUB_RELEASE_TAG=$(./bump_version.sh show) +echo "us-east-2:alias/cool/ebs" | ./patch_packer_config.py src/packer.json packer build --timestamp-ui src/packer.json ``` If you are satisfied with your pre-release image, you can easily create a release -that deploys to all regions by changing the `pre-release` command of -`patch_packer_config.py` to `release` and rerunning packer: +that deploys to all regions by changing the input to +`patch_packer_config.py` to include additional comma-separated regions:kms_keys +and rerunning packer: ```console -./patch_packer_config.py release src/packer.json +echo "us-east-1:alias/cool/ebs,us-east-2:alias/cool/ebs,us-west-1:alias/cool/ebs,\ +us-west-2:alias/cool/ebs" | ./patch_packer_config.py src/packer.json packer build --timestamp-ui src/packer.json ```
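Review bot: The capitalization fix in the first hunk (`-[packer](https://packer.io)` to `+[Packer](https://packer.io)`) is only applied to that one link; the second hunk still keeps lowercase "packer" in unchanged and added lines ("run tests and validation on the packer configuration", "and rerunning packer:"), so the README ends up using both spellings. Suggest normalizing the prose to "Packer" throughout this change, leaving the `packer build` command and the `packer.io` URL as they are.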
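Review bot: In the second hunk, the two added links to `https://github.com/cisagov/skeleton-packer/settings/secrets` hardcode the skeleton repository, but the README says this is "a generic skeleton project that can be used to quickly get a new ... project started", so anyone copying it will be sent to the skeleton's secrets page (which they likely cannot access) instead of their own repository's settings; suggest wording it as the new repository's Settings > Secrets page rather than a fixed URL. Two smaller points in the same hunk: the removed `PACKER_DEPLOY_REGION_KMS_MAP` entry was the only place that explained the input as "a map of deploy regions to KMS keys", and its replacement `echo "us-east-2:alias/cool/ebs" | ./patch_packer_config.py src/packer.json` is shown without stating the expected stdin format, so the phrase "additional comma-separated regions:kms_keys" should be expanded to say the script reads comma-separated `region:kms_key` pairs on standard input; and `GITHUB_ACCESS_TOKEN` is dropped from the variable list without saying whether it is still needed (for example by `ansible-galaxy install ... --role-file src/requirements.yml`), which the README should state either way.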