feat: Refactor to use a layered approach instead of full environment configs for easier deployment. (#38)

Author: jamesiarmes

.github/actions/changed-modules/action.yaml

@@ -0,0 +1,53 @@
+name: Discover changed OpenTofu modules
+description: |
+  Finds all OpenTofu modules that have changed in a pull request or push to a
+  branch.
+outputs:
+  modules:
+    description: A JSON array of all changed modules.
+    value: ${{ steps.modified.outputs.modules }}
+inputs:
+  working-directory:
+    description: The working directory to search for modules in.
+    required: false
+    default: tofu
+runs:
+  using: composite
+  steps:
+    - name: Find all OpenTofu modules
+      id: find
+      uses: bendrucker/find-terraform-modules@v1
+      with:
+        working-directory: ${{ inputs.working-directory }}
+    - name: Show all matching modules
+      shell: bash
+      run: |
+        mods=(${{ join(fromJSON(steps.find.outputs.modules), ' ') }})
+        printf "%s\n" "${mods[@]}"
+    - name: Find all changed files
+      id: diff
+      uses: technote-space/get-diff-action@v6
+      with:
+        FORMAT: json
+    - name: Show changed files
+      shell: bash
+      run: |
+        echo "${{ steps.diff.outputs.diff }}"
+    - name: Get the modified modules
+      id: modified
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const modules = ${{ steps.find.outputs.modules }}
+          const diff = ${{ steps.diff.outputs.diff }}
+          const modifiedModules = modules.filter(
+            (module) => {
+              return !!diff.find(file => new RegExp(`^${module}/.+`).test(file))
+            }
+          )
+
+          core.setOutput('modules', modifiedModules)
+    - name: Show modified modules
+      shell: bash
+      run: |
+        echo "${{ steps.modified.outputs.modules }}"

.github/actions/setup-opentofu/action.yaml

@@ -0,0 +1,32 @@
+name: Setup OpenTofu
+description: Sets up OpenTofu and related environment variables
+inputs:
+  config:
+    description: OpenTofu configuration to initialize.
+    required: true
+    default: service
+  cache-key:
+    description: Cache key for OpenTofu initialization.
+    required: false
+    default: ''
+runs:
+  using: composite
+  steps:
+    - name: Cache OpenTofu
+      uses: actions/cache@v4
+      with:
+        path: ./tofu/config/${{ inputs.config }}/.terraform
+        key: ${{ runner.os }}-tofu-${{ inputs.config }}-${{ inputs.cache-key }}-${{ hashFiles('./tofu/config/${{ inputs.config }}/.terraform.lock.hcl') }}
+        restore-keys: |
+          ${{ runner.os }}-tofu-${{ inputs.config }}-${{ inputs.cache-key }}-
+    - name: Setup OpenTofu
+      uses: opentofu/setup-opentofu@v1
+      with:
+        tofu_wrapper: false
+    - name: Display OpenTofu version
+      shell: bash
+      run: tofu version
+    - name: Initialize OpenTofu
+      shell: bash
+      working-directory: ./tofu/config/${{ inputs.config }}
+      run: tofu init

.github/workflows/branch.yaml

@@ -26,33 +26,39 @@ jobs:
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     env:
+      # Set required secrets and variables.
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       AWS_REGION: ${{ vars.AWS_REGION || 'us-east-1' }}
       DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
+
+      TF_VAR_application: ${{ inputs.application }}
+      TF_VAR_environment: ${{ vars.TF_VAR_ENVIRONMENT }}
+      TF_VAR_program: ${{ vars.TF_VAR_PROGRAM }}
+      TF_VAR_project: ${{ vars.TF_VAR_PROJECT }}
     steps:
       - name: distinct ID ${{ inputs.distinct_id || github.run_id }}
         uses: imesense/[email protected]
         with:
           input-string: ${{ inputs.distinct_id || github.run_id }}
       - name: Checkout code
         uses: actions/checkout@v4
+      - name: Verify the application exists
+        uses: andstor/file-existence-action@v3
+        with:
+          fail: true
+          files: "tofu/config/hosting/specs/${{ inputs.application }}.yaml"
       - name: Set up AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
       - name: Setup OpenTofu
-        uses: opentofu/setup-opentofu@v1
-      - name: Display OpenTofu version
-        run: tofu version
-      - name: Initialize OpenTofu
-        working-directory: ./tofu/config/${{ inputs.environment }}/infra
-        run: tofu init
-      - name: Verify the application exists
-        working-directory: ./tofu/config/${{ inputs.environment }}/infra
-        run: tofu state list module.app\[\"${{ inputs.application }}\"]
+        uses: ./.github/actions/setup-opentofu
+        with:
+          cache-key: ${{ inputs.application }}
+          config: hosting
       - name: Apply changes
-        working-directory: ./tofu/config/${{ inputs.environment }}/infra
-        run: tofu apply --target module.app\[\"${{ inputs.application }}\"] --auto-approve
+        working-directory: ./tofu/config/hosting
+        run: tofu apply --auto-approve

.github/workflows/deploy-app.yaml

@@ -3,6 +3,14 @@ name: Deploy infrastructure
 on:
   workflow_dispatch:
     inputs:
+      config:
+        description: Configuration to deploy.
+        required: true
+        type: choice
+        options:
+          - foundation
+          - networking
+          - docs
       environment:
         description: Environment to deploy to.
         default: development
@@ -14,14 +22,22 @@ permissions:
 
 jobs:
   deploy:
-    name: Deploy infrastrucure to ${{ inputs.environment }}
+    name: Deploy ${{ inputs.config }} to ${{ inputs.environment }}
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment }}
     env:
+      # Set required secrets and variables.
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
       AWS_REGION: ${{ vars.AWS_REGION || 'us-east-1' }}
       DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}
+      TF_VAR_public_subnet_cidrs: ${{ secrets.TF_VAR_PUBLIC_SUBNET_CIDRS }}
+      TF_VAR_private_subnet_cidrs: ${{ secrets.TF_VAR_PRIVATE_SUBNET_CIDRS }}
+
+      TF_VAR_vpc_cidr: ${{ secrets.TF_VAR_VPC_CIDR }}
+      TF_VAR_environment: ${{ vars.TF_VAR_ENVIRONMENT }}
+      TF_VAR_program: ${{ vars.TF_VAR_PROGRAM }}
+      TF_VAR_project: ${{ vars.TF_VAR_PROJECT }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -32,12 +48,9 @@ jobs:
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           aws-region: us-east-1
       - name: Setup OpenTofu
-        uses: opentofu/setup-opentofu@v1
-      - name: Display OpenTofu version
-        run: tofu version
-      - name: Initialize OpenTofu
-        working-directory: ./tofu/config/${{ inputs.environment }}/infra
-        run: tofu init
+        uses: ./.github/actions/setup-opentofu
+        with:
+          config: ${{ inputs.config }}
       - name: Apply changes
-        working-directory: ./tofu/config/${{ inputs.environment }}/infra
+        working-directory: ./tofu/config/${{ inputs.config }}
         run: tofu apply --auto-approve