├── .gitignore
├── sample-templates
    └── sample-lambda-function-template
    │   └── v1
    │       └── .compatible-envs
├── wiki
    └── assets
    │   ├── flow_chart.png
    │   └── env_pr_created.png
├── env_config.json
├── my_first_tf_env_2
    ├── proton.auto.tfvars.json
    ├── .proton
    │   └── deployment-metadata.json
    ├── Fourth-attempt-tf-fourth-tf-instance
    │   ├── outputs.tf
    │   ├── .proton
    │   │   └── deployment-metadata.json
    │   ├── config.tf
    │   ├── proton.auto.tfvars.json
    │   ├── proton.service_instance.variables.tf
    │   └── lambda.tf
    ├── proton.environment.variables.tf
    ├── config.tf
    ├── outputs.tf
    └── vpc.tf
├── CODE_OF_CONDUCT.md
├── LICENSE
├── GitHubConfiguration.yaml
├── CONTRIBUTING.md
├── README.md
└── .github
    └── workflows
        └── proton_run.yml


/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 | 


--------------------------------------------------------------------------------
/sample-templates/sample-lambda-function-template/v1/.compatible-envs:
--------------------------------------------------------------------------------
1 | sample-vpc-environment-template:1
2 | 


--------------------------------------------------------------------------------
/wiki/assets/flow_chart.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-proton-terraform-github-actions-sample/HEAD/wiki/assets/flow_chart.png


--------------------------------------------------------------------------------
/wiki/assets/env_pr_created.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/aws-samples/aws-proton-terraform-github-actions-sample/HEAD/wiki/assets/env_pr_created.png


--------------------------------------------------------------------------------
/env_config.json:
--------------------------------------------------------------------------------
1 | {
2 |     "REPLACE_ME": {
3 |         "role": "arn:aws:iam::111111111111:role/REPLACE_ME",
4 |         "region": "us-west-2",
5 |         "state_bucket":"REPLACE_ME"
6 |     }
7 | }


--------------------------------------------------------------------------------
/my_first_tf_env_2/proton.auto.tfvars.json:
--------------------------------------------------------------------------------
1 | {
2 |   "environment" : {
3 |     "name" : "my_first_tf_env_2",
4 |     "inputs" : {
5 |       "vpc_name" : "my_tf_vpc"
6 |     }
7 |   },
8 |   "//" : "arn:aws:proton:us-east-1:987544922694:environment/my_first_tf_env_2"
9 | }


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | ## Code of Conduct
2 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
3 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
4 | opensource-codeofconduct@amazon.com with any additional questions or comments.
5 | 


--------------------------------------------------------------------------------
/my_first_tf_env_2/.proton/deployment-metadata.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "deploymentId" : "fcda9f18-f569-4079-8474-0832f45b97ea",
 3 |   "isResourceDeleted" : false,
 4 |   "resourceMetadata" : {
 5 |     "arn" : "arn:aws:proton:us-east-1:987544922694:environment/my_first_tf_env_2",
 6 |     "templateArn" : "arn:aws:proton:us-east-1:987544922694:environment-template/sample-vpc-environment-template",
 7 |     "templateMajorVersion" : "1",
 8 |     "templateMinorVersion" : "0"
 9 |   }
10 | }


--------------------------------------------------------------------------------
/my_first_tf_env_2/Fourth-attempt-tf-fourth-tf-instance/outputs.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 | This file is managed by AWS Proton. Any changes made directly to this file will be overwritten the next time AWS Proton performs an update.
 3 | 
 4 | To manage this resource, see AWS Proton Resource: arn:aws:proton:us-east-1:987544922694:service/Fourth-attempt-tf/service-instance/fourth-tf-instance
 5 | 
 6 | If the resource is no longer accessible within AWS Proton, it may have been deleted and may require manual cleanup.
 7 | */
 8 | 
 9 | output "lambda_arn" {
10 |   value = "whocares"
11 | }


--------------------------------------------------------------------------------
/my_first_tf_env_2/proton.environment.variables.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 | This file is managed by AWS Proton. Any changes made directly to this file will be overwritten the next time AWS Proton performs an update.
 3 | 
 4 | To manage this resource, see AWS Proton Resource: arn:aws:proton:us-east-1:987544922694:environment/my_first_tf_env_2
 5 | 
 6 | If the resource is no longer accessible within AWS Proton, it may have been deleted and may require manual cleanup.
 7 | */
 8 | 
 9 | variable "environment" {
10 |   type = object({
11 |     inputs = map(string)
12 |     name   = string
13 |   })
14 |   default = null
15 | }
16 | 
17 | 


--------------------------------------------------------------------------------
/my_first_tf_env_2/Fourth-attempt-tf-fourth-tf-instance/.proton/deployment-metadata.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "deploymentId" : "cd9a940c-7d24-40bd-8d75-186387284867",
 3 |   "isResourceDeleted" : false,
 4 |   "resourceMetadata" : {
 5 |     "arn" : "arn:aws:proton:us-east-1:987544922694:service/Fourth-attempt-tf/service-instance/fourth-tf-instance",
 6 |     "templateArn" : "arn:aws:proton:us-east-1:987544922694:service-template/sample-lambda-function-template",
 7 |     "templateMajorVersion" : "1",
 8 |     "templateMinorVersion" : "0",
 9 |     "environmentArn" : "arn:aws:proton:us-east-1:987544922694:environment/my_first_tf_env_2"
10 |   }
11 | }


--------------------------------------------------------------------------------
/my_first_tf_env_2/config.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 | This file is managed by AWS Proton. Any changes made directly to this file will be overwritten the next time AWS Proton performs an update.
 3 | 
 4 | To manage this resource, see AWS Proton Resource: arn:aws:proton:us-east-1:987544922694:environment/my_first_tf_env_2
 5 | 
 6 | If the resource is no longer accessible within AWS Proton, it may have been deleted and may require manual cleanup.
 7 | */
 8 | 
 9 | terraform {
10 |   required_providers {
11 |     aws = {
12 |       source  = "hashicorp/aws"
13 |       version = "~> 3.0"
14 |     }
15 |   }
16 | 
17 |   backend "s3" {}
18 | }
19 | 
20 | # Configure the AWS Provider
21 | provider "aws" {}
22 | 
23 | variable "aws_region" {
24 |   type = string
25 | }
26 | 


--------------------------------------------------------------------------------
/my_first_tf_env_2/outputs.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 | This file is managed by AWS Proton. Any changes made directly to this file will be overwritten the next time AWS Proton performs an update.
 3 | 
 4 | To manage this resource, see AWS Proton Resource: arn:aws:proton:us-east-1:987544922694:environment/my_first_tf_env_2
 5 | 
 6 | If the resource is no longer accessible within AWS Proton, it may have been deleted and may require manual cleanup.
 7 | */
 8 | 
 9 | output "vpc_arn" {
10 |   value = module.vpc.vpc_arn
11 | }
12 | 
13 | output "subnet_id" {
14 |   value = one(module.vpc.private_subnets) # there is a known issue with terraform lists as outputs for proton
15 | }
16 | 
17 | output "security_group_id" {
18 |   value = module.vpc.default_security_group_id
19 | }


--------------------------------------------------------------------------------
/my_first_tf_env_2/Fourth-attempt-tf-fourth-tf-instance/config.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 | This file is managed by AWS Proton. Any changes made directly to this file will be overwritten the next time AWS Proton performs an update.
 3 | 
 4 | To manage this resource, see AWS Proton Resource: arn:aws:proton:us-east-1:987544922694:service/Fourth-attempt-tf/service-instance/fourth-tf-instance
 5 | 
 6 | If the resource is no longer accessible within AWS Proton, it may have been deleted and may require manual cleanup.
 7 | */
 8 | 
 9 | terraform {
10 |   required_providers {
11 |     aws = {
12 |       source  = "hashicorp/aws"
13 |       version = "~> 3.0"
14 |     }
15 |   }
16 | 
17 |   backend "s3" {}
18 | }
19 | 
20 | # Configure the AWS Provider
21 | provider "aws" {}
22 | 
23 | variable "aws_region" {
24 |   type = string
25 | }
26 | 


--------------------------------------------------------------------------------
/my_first_tf_env_2/vpc.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 | This file is managed by AWS Proton. Any changes made directly to this file will be overwritten the next time AWS Proton performs an update.
 3 | 
 4 | To manage this resource, see AWS Proton Resource: arn:aws:proton:us-east-1:987544922694:environment/my_first_tf_env_2
 5 | 
 6 | If the resource is no longer accessible within AWS Proton, it may have been deleted and may require manual cleanup.
 7 | */
 8 | 
 9 | module "vpc" {
10 |   source = "terraform-aws-modules/vpc/aws"
11 | 
12 |   name = var.environment.inputs.vpc_name
13 |   cidr = "10.0.0.0/16"
14 | 
15 |   azs             = ["${var.aws_region}a"]
16 |   private_subnets = ["10.0.1.0/24"]
17 |   public_subnets  = ["10.0.101.0/24"]
18 | 
19 |   enable_nat_gateway = true
20 |   enable_vpn_gateway = true
21 | 
22 |   tags = {
23 |     Terraform   = "true"
24 |     Environment = var.environment.name
25 |   }
26 | }
27 | 
28 | 


--------------------------------------------------------------------------------
/my_first_tf_env_2/Fourth-attempt-tf-fourth-tf-instance/proton.auto.tfvars.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "environment" : {
 3 |     "account_id" : "987544922694",
 4 |     "name" : "my_first_tf_env_2",
 5 |     "outputs" : {
 6 |       "security_group_id" : "sg-070e9604b5be86bf9",
 7 |       "subnet_id" : "subnet-08a92ece5f555dcab",
 8 |       "vpc_arn" : "arn:aws:ec2:us-east-1:987544922694:vpc/vpc-0eebeefc7abf77b0b"
 9 |     }
10 |   },
11 |   "service" : {
12 |     "name" : "Fourth-attempt-tf"
13 |   },
14 |   "service_instance" : {
15 |     "name" : "fourth-tf-instance",
16 |     "inputs" : {
17 |       "function_name" : "one-function",
18 |       "handler" : "lamba_function.lambda_handler",
19 |       "lambda_runtime" : "python3.8",
20 |       "function_s3_bucket" : "my-lambda-bucket-for-tf",
21 |       "function_s3_key" : "deployment-package.zip"
22 |     }
23 |   },
24 |   "//" : "arn:aws:proton:us-east-1:987544922694:service/Fourth-attempt-tf/service-instance/fourth-tf-instance"
25 | }


--------------------------------------------------------------------------------
/my_first_tf_env_2/Fourth-attempt-tf-fourth-tf-instance/proton.service_instance.variables.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 | This file is managed by AWS Proton. Any changes made directly to this file will be overwritten the next time AWS Proton performs an update.
 3 | 
 4 | To manage this resource, see AWS Proton Resource: arn:aws:proton:us-east-1:987544922694:service/Fourth-attempt-tf/service-instance/fourth-tf-instance
 5 | 
 6 | If the resource is no longer accessible within AWS Proton, it may have been deleted and may require manual cleanup.
 7 | */
 8 | 
 9 | variable "environment" {
10 |   type = object({
11 |     account_id = string
12 |     name       = string
13 |     outputs    = map(string)
14 |   })
15 |   default = null
16 | }
17 | 
18 | variable "service" {
19 |   type = object({
20 |     name = string
21 |   })
22 | }
23 | 
24 | variable "service_instance" {
25 |   type = object({
26 |     name   = string
27 |     inputs = map(string)
28 |   })
29 |   default = null
30 | }
31 | 
32 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 | Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 2 | 
 3 | Permission is hereby granted, free of charge, to any person obtaining a copy of
 4 | this software and associated documentation files (the "Software"), to deal in
 5 | the Software without restriction, including without limitation the rights to
 6 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
 7 | the Software, and to permit persons to whom the Software is furnished to do so.
 8 | 
 9 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
10 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
11 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
12 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
13 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
14 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
15 | 
16 | 


--------------------------------------------------------------------------------
/my_first_tf_env_2/Fourth-attempt-tf-fourth-tf-instance/lambda.tf:
--------------------------------------------------------------------------------
 1 | /*
 2 | This file is managed by AWS Proton. Any changes made directly to this file will be overwritten the next time AWS Proton performs an update.
 3 | 
 4 | To manage this resource, see AWS Proton Resource: arn:aws:proton:us-east-1:987544922694:service/Fourth-attempt-tf/service-instance/fourth-tf-instance
 5 | 
 6 | If the resource is no longer accessible within AWS Proton, it may have been deleted and may require manual cleanup.
 7 | */
 8 | 
 9 | resource "aws_iam_role" "iam_for_lambda" {
10 |   name = "iam_for_lambda"
11 | 
12 |   managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]
13 | 
14 |   assume_role_policy = <<EOF
15 | {
16 |   "Version": "2012-10-17",
17 |   "Statement": [
18 |     {
19 |       "Action": "sts:AssumeRole",
20 |       "Principal": {
21 |         "Service": "lambda.amazonaws.com"
22 |       },
23 |       "Effect": "Allow",
24 |       "Sid": ""
25 |     }
26 |   ]
27 | }
28 | EOF
29 | }
30 | 
31 | resource "aws_lambda_function" "my_lambda" {
32 |   function_name = var.service_instance.inputs.function_name
33 |   role          = aws_iam_role.iam_for_lambda.arn
34 |   handler       = var.service_instance.inputs.handler
35 | 
36 |   s3_bucket = var.service_instance.inputs.function_s3_bucket
37 |   s3_key    = var.service_instance.inputs.function_s3_key
38 | 
39 |   runtime = var.service_instance.inputs.lambda_runtime
40 | 
41 |   vpc_config {
42 |     subnet_ids         = [var.environment.outputs.subnet_id]
43 |     security_group_ids = [var.environment.outputs.security_group_id]
44 |   }
45 | }


--------------------------------------------------------------------------------
/GitHubConfiguration.yaml:
--------------------------------------------------------------------------------
 1 | Parameters:
 2 |   FullRepoName:
 3 |     Type: String
 4 |     Description: "The organization and name of the repository within which you will be utilizing created IAM Role within GitHub Actions (e.g. org/repo_name)"
 5 | 
 6 | Resources:
 7 |   Role:
 8 |     Type: AWS::IAM::Role
 9 |     # Creates the role that will be passed to Terraform to be able to deploy
10 |     # infrastructure in your AWS account. You will enter this role in your
11 |     # env_config.json file
12 |     # Note that this role has administrator access to your account, so that
13 |     # it can be used to provision any infrastructure in your templates. We
14 |     # recommend you scope down the role permissions to the resources that will be used
15 |     # in your Proton templates
16 |     Properties:
17 |       RoleName: ExampleGithubRole
18 |       ManagedPolicyArns: [arn:aws:iam::aws:policy/AdministratorAccess]
19 |       AssumeRolePolicyDocument:
20 |         Statement:
21 |           - Effect: Allow
22 |             Action: sts:AssumeRoleWithWebIdentity
23 |             Principal:
24 |               Federated: !Ref GithubOidc
25 |             Condition:
26 |               StringLike:
27 |                 token.actions.githubusercontent.com:sub: !Sub repo:${FullRepoName}:*
28 | 
29 |   GithubOidc:
30 |     # This identity provider is required to accept OpenID Connect credentials
31 |     # from GitHub
32 |     Type: AWS::IAM::OIDCProvider
33 |     Properties:
34 |       Url: https://token.actions.githubusercontent.com
35 |       ThumbprintList: [6938fd4d98bab03faadb97b34396831e3780aea1]
36 |       ClientIdList:
37 |         - sts.amazonaws.com
38 | 
39 |   StateFileBucket:
40 |     # This bucket will be used to store your Terraform Open Source state files
41 |     Type: AWS::S3::Bucket
42 |     Properties:
43 |       BucketName: !Join
44 |        - ''
45 |        - - 'aws-proton-terraform-bucket-'
46 |          - !Ref AWS::AccountId
47 | Outputs:
48 |   Role:
49 |     Description: "The role that will be used to provision infrastructure. Configure it per environment in your env_config.json file"
50 |     Value: !GetAtt Role.Arn
51 | 
52 |   BucketName:
53 |     Description: "Name of the bucket for our state files. Configure it per environment in your env_config.json file"
54 |     Value: !Ref StateFileBucket
55 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Contributing Guidelines
 2 | 
 3 | Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional
 4 | documentation, we greatly value feedback and contributions from our community.
 5 | 
 6 | Please read through this document before submitting any issues or pull requests to ensure we have all the necessary
 7 | information to effectively respond to your bug report or contribution.
 8 | 
 9 | 
10 | ## Reporting Bugs/Feature Requests
11 | 
12 | We welcome you to use the GitHub issue tracker to report bugs or suggest features.
13 | 
14 | When filing an issue, please check existing open, or recently closed, issues to make sure somebody else hasn't already
15 | reported the issue. Please try to include as much information as you can. Details like these are incredibly useful:
16 | 
17 | * A reproducible test case or series of steps
18 | * The version of our code being used
19 | * Any modifications you've made relevant to the bug
20 | * Anything unusual about your environment or deployment
21 | 
22 | 
23 | ## Contributing via Pull Requests
24 | Contributions via pull requests are much appreciated. Before sending us a pull request, please ensure that:
25 | 
26 | 1. You are working against the latest source on the *main* branch.
27 | 2. You check existing open, and recently merged, pull requests to make sure someone else hasn't addressed the problem already.
28 | 3. You open an issue to discuss any significant work - we would hate for your time to be wasted.
29 | 
30 | To send us a pull request, please:
31 | 
32 | 1. Fork the repository.
33 | 2. Modify the source; please focus on the specific change you are contributing. If you also reformat all the code, it will be hard for us to focus on your change.
34 | 3. Ensure local tests pass.
35 | 4. Commit to your fork using clear commit messages.
36 | 5. Send us a pull request, answering any default questions in the pull request interface.
37 | 6. Pay attention to any automated CI failures reported in the pull request, and stay involved in the conversation.
38 | 
39 | GitHub provides additional document on [forking a repository](https://help.github.com/articles/fork-a-repo/) and
40 | [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
41 | 
42 | 
43 | ## Finding contributions to work on
44 | Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels (enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any 'help wanted' issues is a great place to start.
45 | 
46 | 
47 | ## Code of Conduct
48 | This project has adopted the [Amazon Open Source Code of Conduct](https://aws.github.io/code-of-conduct).
49 | For more information see the [Code of Conduct FAQ](https://aws.github.io/code-of-conduct-faq) or contact
50 | opensource-codeofconduct@amazon.com with any additional questions or comments.
51 | 
52 | 
53 | ## Security issue notifications
54 | If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our [vulnerability reporting page](http://aws.amazon.com/security/vulnerability-reporting/). Please do **not** create a public github issue.
55 | 
56 | 
57 | ## Licensing
58 | 
59 | See the [LICENSE](LICENSE) file for our project's licensing. We will ask you to confirm the licensing of your contribution.
60 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | ## Terraform OpenSource GitHub Actions automation template for AWS Proton
 2 | 
 3 | Welcome! This repository should help you test how Proton works with Terraform Open Source to provision your infrastructure. In this repository you will find two things:
 4 | 
 5 | 1. A CloudFormation template (GitHubConfiguration.yaml) that will help you get the underlying roles and permissions set up
 6 | 2. A GitHub Actions task to run Terraform Open Source based on commits to this repo
 7 | 
 8 | If you are looking to find an example of what an AWS Proton Template looks like when authored for Terraform, head over to [aws-samples/aws-proton-terraform-sample-templates](https://github.com/aws-samples/aws-proton-terraform-sample-templates)
 9 | 
10 | ## How to:
11 | 
12 | You will need the following:
13 | - `$ENVIRONMENT_NAME`: the name of the environment you plan to create, this can be any name you would like
14 | - `$REGION`: the region into which you will be deploying this service
15 | - `$GITHUB_USER`: A GitHub account with which you can fork this repository
16 | 
17 | When you see these strings in the instructions below, you should replace them with the value you have chosen.
18 | 
19 | 1. Create a new repository from this repository
20 |    - If you plan on using this template as a starting point and making changes, this is a Repository Template, so you can just click "Use this template" and a new repository will get created in your account that is an exact copy of this one.
21 |    - If you don't plan on really making any changes, you can also fork this template, and then if/when it is updated you can get those updates.
22 | 2. We will be using Github Actions to deploy our Terraform template, and notify Proton of the deployment status. You can see the steps of our workflow in [proton_run.yml](https://github.com/aws-samples/aws-proton-terraform-github-actions-sample/blob/main/.github/workflows/proton_run.yml). Forked repositories do not have Actions enabled by default, see [this page](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository) for information on how to enable them.
23 | 3. Ensure you have a CodeStar Connection set up for the account into which you
24 |    forked the repo in the previous step. For information on how to set that up see [this documentation](https://docs.aws.amazon.com/dtconsole/latest/userguide/connections-create.html).
25 | 4. Run GitHubConfiguration.yaml through CloudFormation (https://aws.amazon.com/cloudformation/). This will create a role that GitHub Actions will use to provision resources into your account, as well as an S3 bucket to store Terraform Open Source state files. Make sure you use all lowercase names in the stack name, as we will use it to create an S3 bucket to save your state files.
26 | ```
27 | aws cloudformation create-stack --stack-name aws-proton-terraform-role-stack \
28 |    --template-body file:///$PWD/GitHubConfiguration.yaml \
29 |    --parameters ParameterKey=FullRepoName,ParameterValue=$GITHUB_USER/aws-proton-terraform-github-actions-sample \
30 |    --capabilities CAPABILITY_NAMED_IAM
31 | ```
32 | 5. Open the file `env_config.json`. Add a new object to the configuration dictionary where the key is `ENVIRONMENT_NAME`, `role` is the `Role` output from the stack created in (3), and the region with `REGION`. This will tell Terraform the role and region to use for deployments. You can use different roles for each environment by adding them to this file
33 | 6. In the same file update `state_bucket` with the `BucketName` output from (3). This will tell Terraform where to store the state file.
34 | 7. Commit your changes and push them to your forked repository.
35 | 8. At this point, you should register an Environment Template that you wish to deploy. If you need an example, head on over to [aws-samples/aws-proton-terraform-sample-templates](https://github.com/aws-samples/aws-proton-terraform-sample-templates) where there are some options to try out.
36 | 9. Register your repository with Proton by following the instructions [here](https://docs.aws.amazon.com/proton/latest/adminguide/ag-create-repo.html)
37 | 10. Deploy your environment in Proton by following the instructions using the following commands. Change `GITHUB_USER` to be name of the GitHub account with the forked repository. For more information see the documentation [here](https://docs.aws.amazon.com/proton/latest/adminguide/ag-create-env.html#ag-create-env-pull-request)
38 | ```
39 |  aws proton create-environment \
40 |         --name $ENVIRONMENT_NAME \
41 |         --template-name "ENVIRONMENT_TEMPLATE_NAME" \
42 |         --template-major-version "1" \
43 |         --provisioning-repository="branch=main,name=$GITHUB_USER/aws-proton-terraform-github-actions-sample,provider=GITHUB" \
44 |         --spec file:///$PWD/specs/env-spec.yml
45 | ```
46 | 11. Shortly after you trigger the deployment, come back to your repository to see the Pull Request. Once you merge it, you can go back to Proton and see the updated status of your newly created environment
47 | 
48 | Feel free to reach out with questions or open a ticket with suggestions in our public roadmap at https://github.com/aws/aws-proton-public-roadmap
49 | 
50 | Thank you!
51 | 
52 | 
53 | ## Security
54 | 
55 | See [CONTRIBUTING](CONTRIBUTING.md#security-issue-notifications) for more information.
56 | 
57 | ## License
58 | 
59 | This library is licensed under the MIT-0 License. See the LICENSE file.
60 | 
61 | 


--------------------------------------------------------------------------------
/.github/workflows/proton_run.yml:
--------------------------------------------------------------------------------
  1 | # This is a workflow created to run based on a commit made by AWS Proton
  2 | # It only works if there is only one resource modified as part of the commit.
  3 | 
  4 | name: 'proton-run'
  5 | 
  6 | on:
  7 |   pull_request:
  8 |     types:
  9 |       - opened
 10 |       - reopened
 11 |     paths:
 12 |       - '**/.proton/deployment-metadata.json'
 13 |   push:
 14 |     branches:
 15 |       - main
 16 |     paths:
 17 |       - '**/.proton/deployment-metadata.json'
 18 | 
 19 | jobs:
 20 |   get-deployment-data:
 21 |     name: Get Deployment Data
 22 |     runs-on: ubuntu-latest
 23 |     
 24 |     outputs:
 25 |       role_arn: ${{ steps.get-data.outputs.role_arn }}
 26 |       environment: ${{ steps.get-data.outputs.environment }}
 27 |       resource_arn: ${{ steps.get-data.outputs.resource_arn }}
 28 |       working_directory: ${{ steps.get-data.outputs.working_directory }}
 29 |       deployment_id: ${{ steps.get-data.outputs.deployment_id }}
 30 |       target_region: ${{ steps.get-data.outputs.target_region }}
 31 |       proton_region: ${{ steps.get-data.outputs.proton_region }}
 32 |       state_bucket: ${{ steps.get-data.outputs.state_bucket }}
 33 |       is_deleted: ${{ steps.get-data.outputs.is_deleted }}
 34 |     
 35 |     permissions:
 36 |       id-token: write
 37 |       contents: read
 38 | 
 39 |     continue-on-error: true
 40 |     
 41 |     steps:
 42 |     # Checkout the repository to the GitHub Actions runner
 43 |     - name: Checkout
 44 |       uses: actions/checkout@v2
 45 | 
 46 |     - name: Verify env_config updated
 47 |       run: |
 48 |         if grep -q REPLACE_ME env_config.json; then
 49 |           echo "You must update env_config.json or update this workflow to not require it."
 50 |           exit 1
 51 |         fi
 52 |       
 53 |     - name: Get changed files
 54 |       id: files
 55 |       uses: jitterbit/get-changed-files@v1
 56 |       
 57 |     - name: Find modified resource
 58 |       id: find-modified
 59 |       run: |
 60 |         found=false
 61 |         for changed_file in ${{ steps.files.outputs.all }}; do
 62 |           if [[ "$changed_file" == *".proton/deployment-metadata.json" ]]; then
 63 |             echo "found file"
 64 |             if [[ "$found" == true ]]; then
 65 |               echo "More than one resource found to have a new deployment, I'm not sure which one to update, exiting."
 66 |               exit 1
 67 |             fi
 68 |             echo "setting found to true"
 69 |             found=true
 70 |             echo "setting outputs"
 71 |             echo "::set-output name=deployment-metadata-path::$changed_file"
 72 |           fi
 73 |         done
 74 |         if [[ "$found" == false ]]; then
 75 |           echo "No change made to deployment-metadata.json, exiting"
 76 |           exit 1
 77 |         fi
 78 |     
 79 |     - name: Get data
 80 |       id: get-data
 81 |       run: |
 82 |         modified_resource_arn=$(jq -r '(.resourceMetadata.arn // .componentMetadata.arn)' ${{ steps.find-modified.outputs.deployment-metadata-path }})
 83 |         echo "::set-output name=resource_arn::$modified_resource_arn"
 84 |         
 85 |         IFS=':'
 86 |         read -a split_arn <<< "$modified_resource_arn"
 87 |         proton_region=${split_arn[3]}
 88 |         echo "::set-output name=proton_region::$proton_region"
 89 | 
 90 |         deployment_id=$(jq -r '.deploymentId' ${{ steps.find-modified.outputs.deployment-metadata-path }})
 91 |         echo "::set-output name=deployment_id::$deployment_id"
 92 | 
 93 |         is_deleted=$(jq -r '.isResourceDeleted' ${{ steps.find-modified.outputs.deployment-metadata-path }})
 94 |         echo "::set-output name=is_deleted::$is_deleted"
 95 | 
 96 | 
 97 |         if [[ "$modified_resource_arn" == *":environment/"* ]]; then
 98 |           environment_name=${modified_resource_arn##*/}
 99 |           working_directory="$environment_name/"
100 |         elif [[ "$modified_resource_arn" == *"/service-instance/"* ]]; then
101 |           environment_arn=$(jq -r '.resourceMetadata.environmentArn' ${{ steps.find-modified.outputs.deployment-metadata-path }})
102 |           environment_name=${environment_arn##*/}
103 | 
104 |           resource_portion=${modified_resource_arn##*:}
105 |           IFS='/'
106 |           read -a split_resources <<< "$resource_portion"
107 | 
108 |           service_name=${split_resources[1]}
109 |           instance_name=${split_resources[3]}
110 | 
111 |           working_directory=$environment_name/$service_name-$instance_name/
112 |         elif [[ "$modified_resource_arn" == *"/pipeline"* ]]; then
113 |           environment_name="pipeline"
114 | 
115 |           resource_portion=${modified_resource_arn##*:}
116 |           IFS='/'
117 |           read -a split_resources <<< "$resource_portion"
118 | 
119 |           service_name=${split_resources[1]}
120 | 
121 |           working_directory=$service_name/pipeline
122 |         elif [[ "$modified_resource_arn" == *":component/"* ]]; then
123 |           environment_arn=$(jq -r '.componentMetadata.environmentArn' ${{ steps.find-modified.outputs.deployment-metadata-path }})
124 |           environment_name=${environment_arn##*/}
125 |           resource_portion=${modified_resource_arn##*:}
126 |           IFS='/'
127 |           read -a split_resources <<< "$resource_portion"
128 |           component_name=${split_resources[1]}
129 |           working_directory=$environment_name/$component_name/  
130 |         fi
131 | 
132 |         if [[ $(jq -r --arg env $environment_name 'has($env)' env_config.json) = "true" ]]; then
133 |           role_arn=$(jq -r --arg env $environment_name '.[$env]["role"]' env_config.json)
134 |           target_region=$(jq -r --arg env $environment_name '.[$env]["region"]' env_config.json)
135 |           state_bucket=$(jq -r --arg env $environment_name '.[$env]["state_bucket"]' env_config.json)   
136 |         else     
137 |           if [[ $(jq -r --arg env $environment_name 'has("*")' env_config.json) = "true" ]]; then
138 |             role_arn=$(jq -r --arg env $environment_name '.["*"]["role"]' env_config.json)
139 |             target_region=$(jq -r --arg env $environment_name '.["*"]["region"]' env_config.json)
140 |             state_bucket=$(jq -r --arg env $environment_name '.["*"]["state_bucket"]' env_config.json)
141 |           else
142 |             echo "Missing $environment_name or * from env_config.json, exiting"
143 |             exit 1
144 |           fi
145 |         fi
146 |         
147 |         echo "::set-output name=working_directory::$working_directory"
148 |         echo "::set-output name=environment::$environment_name"
149 |         
150 |         echo "::set-output name=role_arn::$role_arn"
151 |         echo "::set-output name=target_region::$target_region"
152 |         echo "::set-output name=state_bucket::$state_bucket"
153 | 
154 |   terraform:
155 |     name: 'Terraform'
156 |     needs: get-deployment-data
157 |     runs-on: ubuntu-latest
158 |     environment: ${{ needs.get-deployment-data.outputs.environment }}
159 | 
160 |     permissions:
161 |       id-token: write
162 |       contents: read
163 |     
164 |     defaults:
165 |       run:
166 |         working-directory: ${{ needs.get-deployment-data.outputs.working_directory }}
167 |         shell: bash # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
168 | 
169 |     if: needs.get-deployment-data.result == 'success' && needs.get-deployment-data.outputs.is_deleted == 'false'
170 |     
171 |     continue-on-error: true
172 | 
173 |     outputs:
174 |       success: ${{ steps.mark_success.outputs.success }}
175 | 
176 |     steps:
177 |     # Checkout the repository to the GitHub Actions runner
178 |     - name: Checkout
179 |       uses: actions/checkout@v2
180 |     
181 |     - name: Configure AWS Credentials
182 |       id: assume_role
183 |       uses: aws-actions/configure-aws-credentials@v1
184 |       with:
185 |         aws-region: ${{ needs.get-deployment-data.outputs.target_region }}
186 |         role-to-assume: ${{ needs.get-deployment-data.outputs.role_arn }}
187 |         role-session-name: TF-Github-Actions
188 |         mask-aws-account-id: 'no'
189 | 
190 |     # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
191 |     - name: Setup Terraform
192 |       id: tf_setup
193 |       uses: hashicorp/setup-terraform@v1
194 |       with:
195 |         terraform_version: 1.0.7
196 |         terraform_wrapper: false
197 | 
198 |     # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
199 |     - name: Terraform Init
200 |       id: tf_init
201 |       run: terraform init -backend-config="bucket=${{ needs.get-deployment-data.outputs.state_bucket }}" -backend-config="key=${{ needs.get-deployment-data.outputs.working_directory }}terraform.tfstate" -backend-config="region=${{ needs.get-deployment-data.outputs.target_region }}"
202 | 
203 |     # Checks that all Terraform configuration files adhere to a canonical format
204 |     - name: Terraform Format
205 |       id: tf_fmt
206 |       run: terraform fmt -diff -check
207 | 
208 |     # Generates an execution plan for Terraform
209 |     - name: Terraform Plan
210 |       id: tf_plan
211 |       run: terraform plan -var="aws_region=${{ needs.get-deployment-data.outputs.target_region }}"
212 | 
213 |     # On push to main, build or change infrastructure according to Terraform configuration files
214 |     # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
215 |     - name: Terraform Apply
216 |       id: tf_apply
217 |       if: github.ref == 'refs/heads/main' && github.event_name == 'push'
218 |       run: terraform apply -auto-approve -var="aws_region=${{ needs.get-deployment-data.outputs.target_region }}"
219 |     
220 |     # If this completes, then the entire workflow has successfully completed
221 |     - name: Mark Success
222 |       id: mark_success
223 |       run: echo "::set-output name=success::True"
224 | 
225 |   notify-proton:
226 |     name: 'Notify Proton'
227 |     needs: 
228 |     - get-deployment-data
229 |     - terraform
230 |     runs-on: ubuntu-latest
231 |     environment: ${{ needs.get-deployment-data.outputs.environment }}
232 | 
233 |     if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.get-deployment-data.outputs.is_deleted == 'false'
234 |     
235 |     permissions:
236 |       id-token: write
237 |       contents: read
238 |       
239 |     defaults:
240 |       run:
241 |         working-directory: ${{ needs.get-deployment-data.outputs.working_directory }}
242 |         shell: bash # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
243 | 
244 |     steps:
245 |     # Checkout the repository to the GitHub Actions runner
246 |     - name: Checkout
247 |       uses: actions/checkout@v2
248 |       
249 |     - name: Configure AWS Credentials
250 |       id: assume_role
251 |       uses: aws-actions/configure-aws-credentials@v1
252 |       with:
253 |         aws-region: ${{ needs.get-deployment-data.outputs.target_region }}
254 |         role-to-assume: ${{ needs.get-deployment-data.outputs.role_arn }}
255 |         role-session-name: TF-Github-Actions-Notify-Proton
256 |         mask-aws-account-id: 'no'
257 |         
258 |     # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
259 |     - name: Terraform Init
260 |       id: tf_init
261 |       continue-on-error: true
262 |       run: terraform init -backend-config="bucket=${{ needs.get-deployment-data.outputs.state_bucket }}" -backend-config="key=${{ needs.get-deployment-data.outputs.working_directory }}terraform.tfstate" -backend-config="region=${{ needs.get-deployment-data.outputs.target_region }}"
263 | 
264 |     - name: Notify Proton Success
265 |       id: notify_success
266 |       if: needs.terraform.outputs.success == 'True' && steps.tf_init.outcome == 'success'
267 |       run: |
268 |         # Get outputs as json
269 |         outputs_json=$(terraform output -json)
270 | 
271 |         # Map Terraform output JSON to Proton outputs JSON
272 |         formatted_outputs=( $(echo $outputs_json | jq "to_entries|map({key: .key, valueString: .value.value})") )
273 |       
274 |         # Notify proton
275 |         aws proton notify-resource-deployment-status-change --region ${{ needs.get-deployment-data.outputs.proton_region }} --resource-arn ${{ needs.get-deployment-data.outputs.resource_arn }} --status SUCCEEDED --deployment-id ${{ needs.get-deployment-data.outputs.deployment_id }} --outputs "${formatted_outputs[*]}"
276 |         echo "Notify success!"   
277 |         
278 |     - name: Notify Proton Failure
279 |       if: needs.terraform.outputs.success != 'True' || steps.tf_init.outcome != 'success'
280 |       run: |
281 |         aws proton notify-resource-deployment-status-change --region ${{ needs.get-deployment-data.outputs.proton_region }} --resource-arn ${{ needs.get-deployment-data.outputs.resource_arn }} --status FAILED --deployment-id ${{ needs.get-deployment-data.outputs.deployment_id }}
282 |         echo "Notify failure!"
283 | 
284 |   terraform-destroy:
285 |     name: 'Run terraform destroy'
286 |     needs: 
287 |     - get-deployment-data
288 |     runs-on: ubuntu-latest
289 |     environment: ${{ needs.get-deployment-data.outputs.environment }}
290 | 
291 |     if: github.event_name == 'push' && github.ref == 'refs/heads/main' && needs.get-deployment-data.outputs.is_deleted == 'true'
292 |     
293 |     permissions:
294 |       id-token: write
295 |       contents: read
296 |       
297 |     defaults:
298 |       run:
299 |         working-directory: ${{ needs.get-deployment-data.outputs.working_directory }}
300 |         shell: bash # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
301 | 
302 |     steps:
303 |     # Checkout the repository to the GitHub Actions runner
304 |     - name: Checkout
305 |       uses: actions/checkout@v2
306 |       
307 |     - name: Configure AWS Credentials
308 |       id: assume_role
309 |       uses: aws-actions/configure-aws-credentials@v1
310 |       with:
311 |         aws-region: ${{ needs.get-deployment-data.outputs.target_region }}
312 |         role-to-assume: ${{ needs.get-deployment-data.outputs.role_arn }}
313 |         role-session-name: TF-Github-Actions-Notify-Proton
314 |         mask-aws-account-id: 'no'
315 |         
316 |     # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
317 |     - name: Terraform Init
318 |       id: tf_init
319 |       run: terraform init -backend-config="bucket=${{ needs.get-deployment-data.outputs.state_bucket }}" -backend-config="key=${{ needs.get-deployment-data.outputs.working_directory }}terraform.tfstate" -backend-config="region=${{ needs.get-deployment-data.outputs.target_region }}"
320 |     
321 |     - name: Terraform Destroy
322 |       id: tf_destroy
323 |       run: terraform apply -auto-approve -destroy -var="aws_region=${{ needs.get-deployment-data.outputs.target_region }}"
324 | 


--------------------------------------------------------------------------------