github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: move terraform/ to private repo (#9421)

Browse Source 
Since we'll be adding ops playbooks and other things here, it makes
sense to separate infra from product source.

---------

Signed-off-by: Jamil <jamilbk@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
This commit is contained in:
Jamil
2025-06-05 12:24:06 -07:00
committed by GitHub
parent 7b0e33f0a2
commit 1e94afdb98
99 changed files with 14 additions and 7798 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
.github/CODEOWNERS vendored
View File

@@ -1,7 +1,6 @@
# .github/ @AndrewDryga @jamilbk
# elixir/ @AndrewDryga @bmanifold
# terraform/ @AndrewDryga @bmanifold
# website/ @jamilbk @AndrewDryga
# rust/ @thomaseizinger @conectado @ReactorScram
# swift/ @jamilbk @ReactorScram
# kotlin/ @jamilbk @conectado
# .github/ @jamilbk @bmanifold @thomaseizinger
# elixir/ @jamilbk @bmanifold
# website/ @jamilbk @bmanifold @thomaseizinger
# rust/ @jamilbk @thomaseizinger
# swift/ @jamilbk @thomaseizinger
# kotlin/ @jamilbk @thomaseizinger

16
.github/dependabot.yml vendored
View File

@@ -144,19 +144,3 @@ updates:
directory: elixir/apps/web/assets/
schedule:
interval: monthly
- package-ecosystem: terraform
directory: terraform/environments/staging/
schedule:
interval: monthly
groups:
google:
patterns:
- hashicorp/google*
- package-ecosystem: terraform
directory: terraform/environments/production/
schedule:
interval: monthly
groups:
google:
patterns:
- hashicorp/google*

203
.github/workflows/_deploy_production.yml vendored
View File

@@ -1,203 +0,0 @@
name: Deploy Production
run-name: Triggered by ${{ github.actor }}
on:
workflow_call:
inputs:
tag:
description: "Image tag to deploy. Defaults to the last commit SHA in the branch."
type: string
default: ${{ github.sha }}
required: false
concurrency:
group: "production-deploy"
cancel-in-progress: false
jobs:
sanity-check:
runs-on: ubuntu-22.04
steps:
- name: Ensure CI passed for the given sha
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh api \
-H "Accept: application/vnd.github+json" \
-H "X-GitHub-Api-Version: 2022-11-28" \
"repos/firezone/firezone/actions/runs?head_sha=${{ inputs.tag }}&status=success" \
| jq -e '.workflow_runs | length > 0' || exit 1
push:
needs: sanity-check
runs-on: ubuntu-22.04
permissions:
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
image: [domain, api, web, gateway, relay, client]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Login to staging registry
uses: ./.github/actions/gcp-docker-login
id: login-staging
with:
project: firezone-staging
- name: Login to production registry
uses: ./.github/actions/gcp-docker-login
id: login-production
with:
project: firezone-prod
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Pull and push images
run: |
set -xe
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
docker buildx imagetools create \
-t ${{ steps.login-production.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }} \
$SOURCE_TAG
- name: Authenticate to Google Cloud
id: auth
uses: google-github-actions/auth@ba79af03959ebeac9769e648f473a284504d9193 # v2.1.10
with:
workload_identity_provider: "projects/397012414171/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions"
service_account: "github-actions@github-iam-387915.iam.gserviceaccount.com"
export_environment_variables: true
create_credentials_file: true
- name: Copy Google Cloud Storage binaries to "edge" version
# TODO: Add relay here when we deploy Relay from prod artifacts instead of Docker
# To do that properly we need to:
# - Update publish.yml to publish versioned Relays too (and start versioning Relay changes)
# - Add arm64 and armv7l architectures to the Relay builds (we only build for amd64 currently because that's all we need to)
if: ${{ matrix.image == 'gateway' || matrix.image == 'client' }}
run: |
set -xe
ARCHITECTURES=(x86_64 aarch64 armv7)
for arch in "${ARCHITECTURES[@]}"; do
# Copy sha256sum.txt
gcloud storage cp \
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}.sha256sum.txt
gcloud storage cp \
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt \
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}.sha256sum.txt
# Copy binaries
gcloud storage cp \
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/edge/${arch}
gcloud storage cp \
gs://firezone-staging-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch} \
gs://firezone-prod-artifacts/firezone-${{ matrix.image }}/${{ github.sha }}/${arch}
done
deploy-production:
needs: push
runs-on: ubuntu-22.04
environment: gcp_production
permissions:
contents: write
env:
TF_CLOUD_ORGANIZATION: "firezone"
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
TF_WORKSPACE: "production"
steps:
# First, checkout the main ref for setting up Terraform
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: true
ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
- name: Tool Versions
id: versions
uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: ${{ steps.versions.outputs.terraform }}
# Then, checkout the ref specified in the workflow run
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.workflow_run.head_branch }}
submodules: true
ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
- name: Upload Configuration
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
id: apply-upload
with:
workspace: ${{ env.TF_WORKSPACE }}
# Subdirectory is set in the project settings:
# https://app.terraform.io/app/firezone/workspaces/production/settings/general
directory: "./"
- name: Create Plan Run
uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
id: apply-run
env:
TF_VAR_image_tag: '"${{ inputs.tag }}"'
with:
workspace: ${{ env.TF_WORKSPACE }}
configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
- name: Apply
uses: hashicorp/tfc-workflows-github/actions/apply-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
id: apply
with:
run: ${{ steps.apply-run.outputs.run_id }}
comment: "Apply Run from GitHub Actions CI ${{ inputs.tag }}"
# Some intrepid users are self-hosting these, so support them as best we can by making our
# infrastructure images available to them.
publish-infra-images:
# Only publish if our own deploy was successful
needs: deploy-production
runs-on: ubuntu-22.04
permissions:
packages: write
id-token: write
strategy:
fail-fast: false
matrix:
image: [domain, api, web, relay]
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Login to staging registry
uses: ./.github/actions/gcp-docker-login
id: login-staging
with:
project: firezone-staging
- name: Login to GitHub Container Registry
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
- name: Pull and push
run: |
set -xe
SOURCE_TAG=${{ steps.login-staging.outputs.registry }}/firezone/${{ matrix.image }}:${{ inputs.tag }}
docker buildx imagetools create \
-t ghcr.io/firezone/${{ matrix.image }}:${{ inputs.tag }} \
-t ghcr.io/firezone/${{ matrix.image }}:latest \
$SOURCE_TAG
update-vercel:
needs: deploy-production
runs-on: ubuntu-22.04
env:
VERCEL_TEAM_ID: firezone
VERCEL_EDGE_CONFIG_ID: ecfg_hmorgeez26rwyncgsuj1yaibfx4p
steps:
- name: Update FIREZONE_DEPLOYED_SHA
run: |
curl --fail -X PATCH "https://api.vercel.com/v1/edge-config/${VERCEL_EDGE_CONFIG_ID}/items?teamId=${VERCEL_TEAM_ID}" \
-H "Authorization: Bearer ${{ secrets.VERCEL_TOKEN }}" \
-H "Content-Type: application/json" \
-d '{ "items": [ { "operation": "upsert", "key": "deployed_sha", "value": "${{ inputs.tag }}" } ] }'

109
.github/workflows/_terraform.yml vendored
View File

@@ -1,109 +0,0 @@
name: Terraform
on:
workflow_call:
jobs:
plan-deploy:
runs-on: ubuntu-22.04
permissions:
contents: read
pull-requests: write
env:
TF_CLOUD_ORGANIZATION: "firezone"
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
TF_WORKSPACE: "staging"
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: true
ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
- run: ls -alR terraform/environments
- name: Tool Versions
id: versions
uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: ${{ steps.versions.outputs.terraform }}
- name: Validate cloud-init
run: |
sudo apt-get update
sudo apt-get install -y cloud-init
cloud-init schema --config-file terraform/modules/google-cloud/apps/relay/templates/cloud-init.yaml
# This doesn't work if the file contains interpolated variables
# cloud-init schema --config-file terraform/modules/google-cloud/apps/elixir/templates/cloud-init.yaml
- name: Check Formatting
working-directory: terraform
run: |
terraform fmt --check --recursive
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
id: changes
with:
filters: |
terraform:
- 'terraform/**'
- if: steps.changes.outputs.terraform == 'true'
name: Upload Configuration
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
id: plan-upload
with:
workspace: ${{ env.TF_WORKSPACE }}
# Subdirectory is set in the project settings:
# https://app.terraform.io/app/firezone/workspaces/staging/settings/general
directory: "./"
speculative: true
- if: steps.changes.outputs.terraform == 'true'
name: Create Plan Run
uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
id: plan-run
env:
TF_VAR_image_tag: '"${{ github.sha }}"'
with:
workspace: ${{ env.TF_WORKSPACE }}
configuration_version: ${{ steps.plan-upload.outputs.configuration_version_id }}
plan_only: true
- if: steps.changes.outputs.terraform == 'true'
name: Get Plan Output
uses: hashicorp/tfc-workflows-github/actions/plan-output@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
id: plan-output
with:
plan: ${{ fromJSON(steps.plan-run.outputs.payload).data.relationships.plan.data.id }}
- name: Update PR
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
id: plan-comment
if: ${{ github.event_name == 'pull_request' && steps.changes.outputs.terraform == 'true' }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
});
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Terraform Cloud Plan Output')
});
const output = `#### Terraform Cloud Plan Output
\`\`\`
Plan: ${{ steps.plan-output.outputs.add }} to add, ${{ steps.plan-output.outputs.change }} to change, ${{ steps.plan-output.outputs.destroy }} to destroy.
\`\`\`
[Terraform Cloud Plan](${{ steps.plan-run.outputs.run_link }})
`;
// 3. Update previous comment or create new one
if (botComment) {
github.rest.issues.updateComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
});
} else {
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
});
}

63
.github/workflows/cd.yml vendored
View File

@@ -2,12 +2,6 @@ name: Continuous Delivery
on:
# Used for debugging the workflow by manually calling it
workflow_dispatch:
inputs:
deploy-staging:
description: "Also deploy to staging. By default the deploy is not executed when triggering this workflow manually."
type: boolean
default: false
required: false
push:
branches:
- main
@@ -40,60 +34,3 @@ jobs:
with:
profile: "release"
stage: "release"
deploy-staging:
if: ${{ github.event_name != 'workflow_dispatch' || inputs.deploy-staging }}
runs-on: ubuntu-22.04
environment: gcp_staging
permissions:
contents: write
# Cancel old workflow runs if new code is pushed
concurrency:
group: "staging-deploy-${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: false
needs: ci
env:
TF_CLOUD_ORGANIZATION: "firezone"
TF_API_TOKEN: "${{ secrets.TF_API_TOKEN }}"
TF_WORKSPACE: "staging"
steps:
# First, checkout the main ref for setting up Terraform
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
submodules: true
ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
- name: Tool Versions
id: versions
uses: marocchino/tool-versions-action@18a164fa2b0db1cc1edf7305fcb17ace36d1c306 # v1.2.0
- uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
with:
terraform_version: ${{ steps.versions.outputs.terraform }}
# Then, checkout the ref specified in the workflow run
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
ref: ${{ github.event.workflow_run.head_branch }}
submodules: true
ssh-key: ${{ secrets.ENVIRONMENTS_REPO_DEPLOY_KEY }}
- name: Upload Configuration
uses: hashicorp/tfc-workflows-github/actions/upload-configuration@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
id: apply-upload
with:
workspace: ${{ env.TF_WORKSPACE }}
# Subdirectory is set in the project settings:
# https://app.terraform.io/app/firezone/workspaces/staging/settings/general
directory: "./"
- name: Create Plan Run
uses: hashicorp/tfc-workflows-github/actions/create-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
id: apply-run
env:
TF_VAR_image_tag: '"${{ github.sha }}"'
with:
workspace: ${{ env.TF_WORKSPACE }}
configuration_version: ${{ steps.apply-upload.outputs.configuration_version_id }}
- name: Apply
uses: hashicorp/tfc-workflows-github/actions/apply-run@8e08d1ba957673f5fbf971a22b3219639dc45661 # v1.3.2
if: fromJSON(steps.apply-run.outputs.payload).data.attributes.actions.IsConfirmable
id: apply
with:
run: ${{ steps.apply-run.outputs.run_id }}
comment: "Apply Run from GitHub Actions CI ${{ github.sha }}"

3
.github/workflows/ci.yml vendored
View File

@@ -32,9 +32,6 @@ jobs:
secrets: inherit
static-analysis:
uses: ./.github/workflows/_static-analysis.yml
terraform:
uses: ./.github/workflows/_terraform.yml
secrets: inherit
codeql:
uses: ./.github/workflows/_codeql.yml
secrets: inherit

39
.github/workflows/deploy.yml vendored
View File

@@ -1,39 +0,0 @@
name: Deploy Production
run-name: Triggered by ${{ github.actor }} on ${{ github.event_name }}
on:
workflow_dispatch:
inputs:
confirmation:
description: "Are you SURE you want to deploy all changes from the selected commit to production?"
type: boolean
tag:
description: "Image tag to deploy. Defaults to the last commit SHA in the branch."
type: string
required: false
concurrency:
group: "deploy-production-${{ github.event_name }}-${{ github.workflow }}-${{ github.ref }}"
cancel-in-progress: false
jobs:
# This is *not* run in CI on main in order to allow
# breaking changes to be merged as administrator and have the
# resulting CI green on main.
# So run them here.
compatibility-tests:
uses: ./.github/workflows/_integration_tests.yml
secrets: inherit
with:
relay_image: "us-east1-docker.pkg.dev/firezone-staging/firezone/relay"
gateway_image: "ghcr.io/firezone/gateway"
gateway_tag: "latest"
client_image: "ghcr.io/firezone/client"
client_tag: "latest"
deploy-production:
if: ${{ inputs.confirmation }}
needs: compatibility-tests
secrets: inherit
uses: ./.github/workflows/_deploy_production.yml
with:
tag: ${{ inputs.tag || github.sha }}