GitHub Actions Runner, Dev Deploy Fixes (#128)

- Specify self-hosted runner infrastructure, policies, security groups
- Fix bugs with dev configuration

Co-authored-by: Blaine Price <william.price@cms.hhs.gov>

Author: wbprice

infrastructure/envs/dev/main.tf

@@ -98,10 +98,11 @@ module "ecs" {
 module "fhir-api" {
   source = "../../modules/fhir-api"
 
-  account_name             = local.account_name
-  fhir_api_migration_image = var.migration_image
-  fhir_api_image           = var.fhir_api_image
-  ecs_cluster_id           = module.ecs.cluster_id
+  account_name              = local.account_name
+  fhir_api_migration_image  = var.migration_image
+  fhir_api_image            = var.fhir_api_image
+  ecs_cluster_id            = module.ecs.cluster_id
+  redirect_to_strategy_page = false
   db = {
     db_instance_master_user_secret_arn = module.api-db.db_instance_master_user_secret_arn
     db_instance_address                = module.api-db.db_instance_address
@@ -130,3 +131,12 @@ module "frontend" {
   account_name = local.account_name
 }
 
+# CI/CD
+module "github-actions" {
+  source = "../../modules/github-actions-runner"
+
+  account_name = local.account_name
+  vpc_id       = module.networking.vpc_id
+  subnet_id    = module.networking.etl_subnet_ids[0]
+}
+

infrastructure/envs/dev/outputs.tf

@@ -8,4 +8,12 @@ output "api_db_instance_endpoint" {
 
 output "etl_db_instance_endpoint" {
   value = module.etl-db.db_instance_endpoint
-}
+}
+
+output "api_ecr_repository_name" {
+  value = module.fhir-api.api_ecr_repository_name
+}
+
+output "api_migrations_ecr_repository_name" {
+  value = module.fhir-api.api_migrations_ecr_repository_name
+}

infrastructure/envs/prod/outputs.tf

@@ -9,3 +9,11 @@ output "api_db_instance_endpoint" {
 output "etl_db_instance_endpoint" {
   value = module.etl-db.db_instance_endpoint
 }
+
+output "api_ecr_repository_name" {
+  value = module.fhir-api.api_ecr_repository_name
+}
+
+output "api_migrations_ecr_repository_name" {
+  value = module.fhir-api.api_migrations_ecr_repository_name
+}

infrastructure/modules/fhir-api/main.tf

@@ -291,7 +291,7 @@ resource "aws_lb_listener" "forward_to_task_group" {
 
   default_action {
     type             = "forward"
-    target_group_arn = aws_lb_target_group.fhir_api_tg[1].arn
+    target_group_arn = aws_lb_target_group.fhir_api_tg[0].arn
   }
 }
 

infrastructure/modules/fhir-api/outputs.tf

@@ -1,3 +1,11 @@
 output "api_alb_dns_name" {
   value = aws_lb.fhir_api_alb.dns_name
-}
+}
+
+output "api_ecr_repository_name" {
+  value = aws_ecr_repository.fhir_api.name
+}
+
+output "api_migrations_ecr_repository_name" {
+  value = aws_ecr_repository.fhir_api_migrations.name
+}

infrastructure/modules/github-actions-runner/README.md

@@ -0,0 +1,56 @@
+# GitHub Action Runner
+
+## Manual Work After Deploy
+
+1. Get GitHub self-hosted runner script from GitHub
+2. Install on instance
+3. cp to /opt/actions-runner
+4. give ec2-user ownership of /opt/actions-runner
+
+```bash
+sudo chown -R ec2-user:ec2-user /opt/github-runner
+```
+
+5. Create a github action service using this template:
+
+```bash
+sudo tee /etc/systemd/system/github-runner.service > /dev/null <<'EOF'
+[Unit]
+Description=GitHub Actions Runner
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+User=ec2-user
+WorkingDirectory=/opt/actions-runner
+ExecStart=/opt/actions-runner/run.sh
+Restart=always
+RestartSec=5s
+KillMode=process
+Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+
+[Install]
+WantedBy=multi-user.target
+EOF
+```
+
+6. enable service `systemctl start github-runner.service`
+7. Configure Docker
+
+```bash
+sudo yum update -y
+sudo yum install docker -y
+sudo service docker start
+sudo usermod -a -G docker ec2-user
+sudo systemctl start docker
+sudo systemctl enable docker
+```
+
+8. Install Git
+
+```bash
+sudo yum install git -y
+```
+
+9. Restart the instance
+10. Confirm GH Runner is available on GH

infrastructure/modules/github-actions-runner/main.tf

@@ -0,0 +1,87 @@
+data "aws_caller_identity" "current" {}
+
+locals {
+  account_id = data.aws_caller_identity.current.account_id
+}
+
+data "aws_security_groups" "cms_cloud_sg" {
+  filter {
+    name   = "group-name"
+    values = ["cmscloud*"]
+  }
+
+  filter {
+    name   = "vpc-id"
+    values = [var.vpc_id]
+  }
+}
+
+resource "aws_iam_role" "github_runner_resource_creation_role" {
+  description = "Role to be assumed for resource creation"
+  name        = "${var.account_name}-github-actions-runner-creation-role"
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [{
+      Effect = "Allow"
+      Action = "sts:AssumeRoleWithWebIdentity"
+      Condition = {
+        StringEquals = {
+          "token.actions.githubusercontent.com:aud" = "sts.amazonaws.com"
+        }
+        StringLike = {
+          "token.actions.githubusercontent.com:sub" = "repo:CMS-Enterprise/NPD:*"
+        }
+      }
+      Principal = {
+        Federated = "arn:aws:iam::${local.account_id}:oidc-provider/token.actions.githubusercontent.com"
+      }
+    }]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "github_runner_has_admin" {
+  role       = aws_iam_role.github_runner_resource_creation_role.id
+  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
+}
+
+resource "aws_iam_role_policy_attachment" "github_runner_has_ado_restriction" {
+  role       = aws_iam_role.github_runner_resource_creation_role.id
+  policy_arn = "arn:aws:iam::${local.account_id}:policy/ADO-Restriction-Policy"
+}
+
+resource "aws_iam_role_policy_attachment" "github_runner_has_region_restriction" {
+  role       = aws_iam_role.github_runner_resource_creation_role.id
+  policy_arn = "arn:aws:iam::${local.account_id}:policy/CMSCloudApprovedRegions"
+}
+
+resource "aws_iam_role_policy_attachment" "github_runner_has_user_creation_restriction" {
+  role       = aws_iam_role.github_runner_resource_creation_role.id
+  policy_arn = "arn:aws:iam::${local.account_id}:policy/ct-iamCreateUserRestrictionPolicy"
+}
+
+resource "aws_security_group" "github_runner_security_group" {
+  description = "Defines traffic flows to/from the GitHub Action runner"
+  name        = "${var.account_name}-github-actions-runner-sg"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_vpc_security_group_egress_rule" "github_runner_can_make_outgoing_requests" {
+  description       = "Allows the GitHub Runner instance to make outgoing requests"
+  ip_protocol       = "-1"
+  cidr_ipv4         = "0.0.0.0/0"
+  security_group_id = aws_security_group.github_runner_security_group.id
+}
+
+resource "aws_instance" "github_actions_instance" {
+  ami           = "ami-04345af6ff8317b5e"
+  instance_type = "m5.xlarge"
+  vpc_security_group_ids = concat(
+    data.aws_security_groups.cms_cloud_sg.ids,
+    [aws_security_group.github_runner_security_group.id]
+  )
+  subnet_id            = var.subnet_id
+  iam_instance_profile = "cms-cloud-base-ec2-profile-v4"
+  tags = {
+    Name = "github-actions-runner-instance"
+  }
+}

infrastructure/modules/github-actions-runner/variables.tf

@@ -0,0 +1,3 @@
+variable "subnet_id" {}
+variable "vpc_id" {}
+variable "account_name" {}