Initial commit

Author: BrianMMcClain

.github/scripts/bump_and_create_tag.sh

@@ -0,0 +1,25 @@
+#! /usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+set -eEuo pipefail
+
+git fetch --prune --prune-tags
+
+# Default tag if no tags exist
+TAG="1.0.0"
+
+echo "Checking if tags exists . . ."
+tags=$(git tag)
+if [ ! -z "$tags" ]; then
+    # Tag exists, bump minor semver
+    OLD_TAG=`git tag --sort=v:refname | tail -1`
+    echo "Existing tag $OLD_TAG found"
+    TAG=`echo $OLD_TAG | awk 'BEGIN{FS="."; OFS="."} { print $1, ($2+1), $3 }'`
+fi
+
+echo "Creating tag $TAG . . ."
+git config --local user.name "github-actions[bot]"
+git config --local user.email "41898282+github-actions[bot]@users.noreply.github.com"
+git tag -a $TAG -m "Create tag $TAG"
+git push origin $TAG

.github/scripts/check_files_changed.sh

@@ -0,0 +1,27 @@
+#! /usr/bin/env bash
+
+set -eEuo pipefail
+
+PATHS="$1"
+EVENT="$2"
+HEAD_SHA="$3"
+COMMIT_SHA="$4"
+
+if [ $EVENT = "pull_request" ]; then
+    # Pull requests compares to the base commit of the compared branch
+    CHANGED_FILES=$(git diff --name-only $HEAD_SHA $COMMIT_SHA)
+else
+    # A commit to main compares one commit back
+    CHANGED_FILES=$(git diff --name-only HEAD^ HEAD)
+fi
+
+# Check if any changed files match our paths
+FILES_CHANGED=false
+for path in $PATHS; do
+    if echo "$CHANGED_FILES" | grep -q "^${path}"; then
+        FILES_CHANGED=true
+    break
+    fi
+done
+
+echo "changed=$FILES_CHANGED" >> $GITHUB_OUTPUT

.github/scripts/create_channel_version.sh

@@ -0,0 +1,88 @@
+#! /usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+
+set -eEuo pipefail
+
+usage() {
+  cat <<EOF
+This script is a helper for setting a channel version in HCP Packer
+Usage:
+   $(basename "$0") <bucket_slug> <sha> <channel_name>
+---
+Requires the following environment variables to be set:
+ - HCP_CLIENT_ID
+ - HCP_CLIENT_SECRET
+ - HCP_ORGANIZATION_ID
+ - HCP_PROJECT_ID
+EOF
+  exit 1
+}
+
+echo 
+
+# Entry point
+test "$#" -eq 3 || usage
+
+bucket_slug="$1"
+github_sha="$2"
+channel_name="$3"
+auth_url="${HCP_AUTH_URL:-https://auth.hashicorp.com}"
+api_host="${HCP_API_HOST:-https://api.cloud.hashicorp.com}"
+base_url="$api_host/packer/2023-01-01/organizations/$HCP_ORGANIZATION_ID/projects/$HCP_PROJECT_ID"
+
+# Authenticate
+echo "Authenticating . . ."
+response=$(curl --request POST --silent \
+  --url "$auth_url/oauth/token" \
+  --data grant_type=client_credentials \
+  --data client_id="$HCP_CLIENT_ID" \
+  --data client_secret="$HCP_CLIENT_SECRET" \
+  --data audience="https://api.hashicorp.cloud")
+api_error=$(echo "$response" | jq -r '.error')
+if [ "$api_error" != null ]; then
+  echo "Failed to get access token: $api_error"
+  exit 1
+fi
+bearer=$(echo "$response" | jq -r '.access_token')
+
+# Get the fingerprint of the build from this commit
+echo "Getting latest build fingerprint . . ."
+response=$(curl --request GET --silent \
+  --url "$base_url/buckets/$bucket_slug/versions" \
+  --header "authorization: Bearer $bearer")
+
+version_fingerprint=$( echo "$response" | jq -r ".versions[] | select(.builds[].metadata.vcs.details.commit == \"${github_sha}\") | .fingerprint")
+
+echo "Attempting to assign version ${version_fingerprint} in bucket ${bucket_slug} to channel ${channel_name}"
+
+# Get or create channel
+echo "Getting channel ${channel_name}"
+response=$(curl --request GET --silent \
+  --url "$base_url/buckets/$bucket_slug/channels/$channel_name" \
+  --header "authorization: Bearer $bearer")
+api_error=$(echo "$response" | jq -r '.message')
+if [ "$api_error" != null ]; then
+  echo "Channel ${channel_name} like doesn't exist, creating new channel"
+  # Channel likely doesn't exist, create it
+  api_error=$(curl --request POST --silent \
+    --url "$base_url/buckets/$bucket_slug/channels" \
+    --data-raw '{"name":"'"$channel_name"'"}' \
+    --header "authorization: Bearer $bearer" | jq -r '.error')
+  if [ "$api_error" != null ]; then
+    echo "Error creating channel: $api_error"
+    exit 1
+  fi
+fi
+
+# Update channel to point to version
+echo "Updating channel ${channel_name} to version fingerprint ${version_fingerprint}"
+api_error=$(curl --request PATCH --silent \
+  --url "$base_url/buckets/$bucket_slug/channels/$channel_name" \
+  --data-raw '{"version_fingerprint": "'$version_fingerprint'", "update_mask": "versionFingerprint"}' \
+  --header "authorization: Bearer $bearer" | jq -r '.message')
+if [ "$api_error" != null ]; then
+    echo "Error updating channel: $api_error"
+    exit 1
+fi

.github/workflows/build_and_tag.yml

@@ -0,0 +1,175 @@
+name: Build and Tag
+
+on:
+  push:
+      branches: [main]
+  workflow_dispatch:
+
+env:
+    REGISTRY: ghcr.io
+    FRONTEND_IMAGE_NAME: terramino-frontend
+    BACKEND_IMAGE_NAME: terramino-backend
+    HCP_CLIENT_ID: ${{ secrets.HCP_CLIENT_ID }}
+    HCP_CLIENT_SECRET: ${{ secrets.HCP_CLIENT_SECRET }}
+    HCP_PROJECT_ID: ${{ secrets.HCP_PROJECT_ID }}
+    HCP_ORGANIZATION_ID: ${{ secrets.HCP_ORGANIZATION_ID }}
+    AWS_REGION: ${{ secrets.AWS_REGION }}
+
+jobs:
+    check-files-changed:
+        name : Check changed files
+        runs-on: ubuntu-latest
+        
+        outputs:
+            build-packer:  ${{ steps.check-packer.outputs.changed }}
+            build-container: ${{ steps.check-app.outputs.changed }}
+            update-terraform: ${{ steps.check-terraform.changed }}
+            manual-run: ${{ steps.manual-run.manual }}
+
+        steps:
+            - name: Checkout Repository
+              uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+              with:
+                fetch-depth: 2
+
+            - name: Check for Packer changes
+              id: check-packer
+              working-directory: .github/scripts
+              run: ./check_files_changed.sh "shared/** image.pkr.hcl" "${{ github.event_name }}" "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}"
+
+            - name: Check for application changes
+              id: check-app
+              working-directory: .github/scripts
+              run: ./check_files_changed.sh "app/**" "${{ github.event_name }}" "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}"
+
+            - name: Check for Terraform changes
+              id: check-terraform
+              working-directory: .github/scripts
+              run: ./check_files_changed.sh "*.tf" "${{ github.event_name }}" "${{ github.event.pull_request.base.sha }}" "${{ github.sha }}"
+
+            - name: Check for manual run
+              id: manual-run
+              #run: echo "manual=${{ github.event_name == 'workflow_dispatch' }}" >> $GITHUB_ENV
+              run: echo "manual=false" >> $GITHUB_ENV
+    
+    build-packer:
+        name: Build AMI
+        runs-on: ubuntu-latest
+        needs: check-files-changed
+        if: ${{ needs.check-files-changed.outputs.build-packer == 'true' || needs.check-files-changed.outputs.manual-run == 'true' }}
+        steps:
+            - name: Checkout Repository
+              uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+            - name: Configure AWS Credentials
+              uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
+              with:
+                aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+                aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+                aws-region: ${{ secrets.AWS_REGION }}
+
+            - name: Setup Packer
+              uses: hashicorp/setup-packer@main
+              id: setup-packer
+
+            - name: Packer Init
+              run: packer init .
+
+            - name: Packer Build
+              run: PKR_VAR_region="$AWS_REGION" packer build . 
+            
+            - name: Create and set channel
+              working-directory: .github/scripts
+              run: ./create_channel_version.sh nomad-consul-vault ${{ github.sha }} production
+
+    build-application:
+        name: Build Terramino images
+        runs-on: ubuntu-latest
+        needs: check-files-changed
+        if: ${{ needs.check-files-changed.outputs.build-container == 'true' || needs.check-files-changed.outputs.manual-run == 'true' }}
+
+        permissions:
+            contents: write
+            packages: write
+            
+        steps:
+        - name: Set Timestamp
+          id: timestamp
+          run: echo "TIMESTAMP=$(date +%s)" >> $GITHUB_ENV
+
+        - name: Set repository name
+          id: set-repo
+          run: echo "REPO=${GITHUB_REPOSITORY@L}" >> "${GITHUB_ENV}"
+
+        - name: Checkout repo
+          uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+        - name: Log in to GHCR
+          uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+          with:
+            registry: ${{ env.REGISTRY }}
+            username: ${{ github.actor }}
+            password: ${{ secrets.GITHUB_TOKEN }}
+
+        # Frontend image build and push
+        - name: Build and push frontend image
+          id: frontend-push
+          uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+          with:
+            context: app/
+            file: app/Dockerfile.frontend
+            push: true
+            tags: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.FRONTEND_IMAGE_NAME }}:${{ env.TIMESTAMP }}
+
+        - id: get-frontend-build-name
+          name: Save frontend image path to file
+          env:
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          run: |
+            imageName=${{ fromJSON(steps.frontend-push.outputs.metadata)['image.name'] }}
+            echo "$imageName" > latest-frontend.version
+
+        # Backend image build and push
+        - name: Build and push backend image
+          id: backend-push
+          uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+          with:
+            context: app/
+            file: app/Dockerfile.backend
+            push: true
+            tags: ${{ env.REGISTRY }}/${{ env.REPO }}/${{ env.BACKEND_IMAGE_NAME }}:${{ env.TIMESTAMP }}
+
+        - id: get-backend-build-name
+          name: Save backend image path to file
+          run: |
+            imageName=${{ fromJSON(steps.backend-push.outputs.metadata)['image.name'] }}
+            echo "$imageName" > latest-backend.version
+
+        - name: Commit image files to repo
+          env:
+            GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          run: |
+            git config user.name "github-actions"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git add latest-frontend.version latest-backend.version
+            git commit -m "Updated frontend and backend image URIs."
+            git push
+    
+    tag-release:
+        name: Create tag
+        runs-on: ubuntu-latest
+        needs: [check-files-changed, build-packer, build-application]
+        if: ${{ always() && (needs.build-packer.result == 'success' || needs.build-application.result == 'success' || needs.check-files-changed.outputs.update-terraform == 'true' ||  needs.check-files-changed.outputs.manual-run == 'true' ) }}
+        
+        permissions:
+            contents: write
+            packages: write
+        
+        steps:
+        - name: Checkout Repository
+          uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+        - name: Bump version and create tag
+          working-directory: .github/scripts
+          run: ./bump_and_create_tag.sh
+