-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathaction.yaml
309 lines (297 loc) · 13.8 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
name: 'Deploy Amazon RDS DB instance'
description: 'Deploys an AWS RDS database (Postgres, MySQL, MariaDB or MSSQL)'
branding:
icon: upload-cloud
color: red
inputs:
bitops_code_only:
description: 'Will run only the generation phase of BitOps, where the Terraform and Ansible code is built.'
required: false
bitops_code_store:
description: 'Store BitOps code as a GitHub artifact'
required: false
default: false
# AWS
aws_access_key_id:
description: 'AWS access key ID'
required: true
aws_secret_access_key:
description: 'AWS secret access key'
required: true
aws_session_token:
description: 'AWS session token'
required: false
aws_default_region:
description: 'AWS default region'
required: false
default: us-east-1
aws_resource_identifier:
description: 'Set to override the AWS resource identifier for the deployment. Defaults to `${org}-{repo}-{branch}`. Use with destroy to destroy specific resources.'
required: false
aws_additional_tags:
description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
required: false
# Terraform
tf_stack_destroy:
description: 'Set to "true" to Destroy the stack through Terraform.'
required: false
tf_state_file_name:
description: 'Change this to be anything you want to. Carefull to be consistent here. A missing file could trigger recreation, or stepping over destruction of non-defined objects.'
required: false
tf_state_file_name_append:
description: 'Append a string to the tf-state-file. Setting this to `unique` will generate `tf-state-aws-unique`. Can co-exist with the tf_state_file_name variable. '
required: false
tf_state_bucket:
description: 'AWS S3 bucket to use for Terraform state. Defaults to `${org}-${repo}-{branch}-tf-state`'
required: false
tf_state_bucket_destroy:
description: 'Force purge and deletion of S3 bucket defined. Any file contained there will be destroyed. `tf_stack_destroy` must also be `true`'
required: false
# AWS RDS
aws_rds_db_enable:
description: 'Set to true to enable an RDS DB.'
required: false
default: true
aws_rds_db_proxy:
description: 'Set to true to add a RDS DB Proxy'
required: false
aws_rds_db_identifier:
description: 'Database identifier that will appear in the AWS Console. Defaults to aws_resource_identifier if none set.'
required: false
aws_rds_db_name:
description: 'The name of the database to create when the DB instance is created.'
required: false
aws_rds_db_user:
description: 'Username for the db. Defaults to dbuser.'
required: false
aws_rds_db_engine:
description: 'Which Database engine to use. Default is postgres'
required: false
aws_rds_db_engine_version:
description: 'Which Database engine version to use.'
required: false
aws_rds_db_ca_cert_identifier:
description: 'Certificate to use with the database. Defaults to rds-ca-ecc384-g1'
required: false
aws_rds_db_security_group_name:
description: 'The name of the database security group. Defaults to SG for aws_resource_identifier - RDS.'
required: false
aws_rds_db_allowed_security_groups:
description: 'Comma separated list of security groups to add to the DB SG'
required: false
aws_rds_db_ingress_allow_all:
description: 'Allow incoming traffic from 0.0.0.0/0.'
required: false
aws_rds_db_publicly_accessible:
description: 'Allow the database to be publicly accessible.'
required: false
aws_rds_db_port:
description: ' Port where the DB listens to.'
required: false
aws_rds_db_subnets:
description: 'Specify which subnets to use as a list of strings. '
required: false
aws_rds_db_allocated_storage:
description: 'Storage size. Defaults to 10.'
required: false
aws_rds_db_max_allocated_storage:
description: 'Max storage size. Defaults to 0 to disable auto-scaling.'
required: false
aws_rds_db_storage_encrypted:
description: 'Toogle storage encryption. Defatuls to false.'
required: false
aws_rds_db_storage_type:
description: 'Storage type. Like gp2 / gp3. Defaults to gp2.'
required: false
aws_rds_db_kms_key_id:
description: 'The ARN for the KMS encryption key.'
required: false
aws_rds_db_instance_class:
description: 'DB instance server type. Defaults to db.t3.micro.'
required: false
aws_rds_db_final_snapshot:
description: 'Generates a snapshot of the database before deletion.'
required: false
aws_rds_db_restore_snapshot_identifier:
description: 'Name of the snapshot to restore the database from.'
required: false
aws_rds_db_cloudwatch_logs_exports:
description: 'Set of log types to enable for exporting to CloudWatch logs.'
required: false
aws_rds_db_multi_az:
description: 'Specifies if the RDS instance is multi-AZ'
required: false
aws_rds_db_maintenance_window:
description: 'The window to perform maintenance in. Eg: Mon:00:00-Mon:03:00 '
required: false
aws_rds_db_apply_immediately:
description: 'Specifies whether any database modifications are applied immediately, or during the next maintenance window'
required: false
aws_rds_db_additional_tags:
description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
required: false
# RDS Proxy
aws_db_proxy_name:
description: 'DB Proxy name'
required: false
aws_db_proxy_client_password_auth_type:
description: 'Auth type to use, will use the following, depending on DB the family. MYSQL_NATIVE_PASSWORD, POSTGRES_SCRAM_SHA_256, and SQL_SERVER_AUTHENTICATION'
required: false
aws_db_proxy_tls:
description: 'Toogle TLS enforcement for connection'
required: false
aws_db_proxy_security_group_name:
description: 'Name for the proxy security group. Default to aws_resource_identifier if none.'
required: false
aws_db_proxy_database_security_group_allow:
description: 'Will add an incoming rule from every security group associated with the DB'
required: false
aws_db_proxy_allowed_security_group:
description: 'Comma separated list of SG Ids to add.'
required: false
aws_db_proxy_allow_all_incoming:
description: 'Allow all incoming traffic to the DB Proxy. Mind that the proxy is only available from the internal network except manually exposed.'
required: false
aws_db_proxy_cloudwatch_enable:
description: 'Toggle Cloudwatch logs. Will be stored in /aws/rds/proxy/rds_proxy.name'
required: false
aws_db_proxy_cloudwatch_retention_days:
description: 'Number of days to retain logs'
required: false
aws_db_proxy_additional_tags:
description: 'A list of strings that will be added to created resources'
required: false
# AWS VPC Inputs
aws_vpc_create:
description: 'Define if a VPC should be created'
required: false
aws_vpc_name:
description: 'Set a specific name for the VPC'
required: false
aws_vpc_cidr_block:
description: 'Define Base CIDR block which is divided into subnet CIDR blocks. Defaults to 10.0.0.0/16.'
required: false
aws_vpc_public_subnets:
description: 'Comma separated list of public subnets. Defaults to 10.10.110.0/24'
required: false
aws_vpc_private_subnets:
description: 'Comma separated list of private subnets. If none, none will be created.'
required: false
aws_vpc_availability_zones:
description: 'Comma separated list of availability zones. Defaults to `aws_default_region.'
required: false
aws_vpc_id:
description: 'AWS VPC ID. Accepts `vpc-###` values.'
required: false
aws_vpc_subnet_id:
description: 'Specify a Subnet to be used with the instance. If none provided, will pick one.'
required: false
aws_vpc_enable_nat_gateway:
description: 'Enables NAT gateway'
required: false
aws_vpc_single_nat_gateway:
description: 'Creates only one NAT gateway'
required: false
aws_vpc_external_nat_ip_ids:
description: 'Comma separated list of IP IDS to reuse in the NAT gateways'
required: false
aws_vpc_additional_tags:
description: 'A JSON object of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
required: false
outputs:
aws_vpc_id:
description: "The selected VPC ID used."
value: ${{ steps.deploy.outputs.aws_vpc_id }}
db_endpoint:
description: "RDS Endpoint"
value: ${{ steps.deploy.outputs.db_endpoint }}
db_secret_details_name:
description: "AWS Secret name containing db credentials"
value: ${{ steps.deploy.outputs.db_secret_details_name }}
db_sg_id:
description: "SG ID for the RDS instance"
value: ${{ steps.deploy.outputs.db_sg_id }}
db_proxy_rds_endpoint:
description: "Database proxy endpoint"
value: ${{ steps.deploy.outputs.db_proxy_rds_endpoint }}
db_proxy_secret_name_rds:
description: "AWS Secret name containing proxy credentials"
value: ${{ steps.deploy.outputs.db_proxy_secret_name_rds }}
db_proxy_sg_id_rds:
description: "SG ID for the RDS Proxy instance"
value: ${{ steps.deploy.outputs.db_proxy_sg_id_rds }}
runs:
using: 'composite'
steps:
- name: Deploy with BitOps
id: deploy
uses: bitovi/github-actions-commons@v1
with:
# AWS
aws_access_key_id: ${{ inputs.aws_access_key_id }}
aws_secret_access_key: ${{ inputs.aws_secret_access_key }}
aws_session_token: ${{ inputs.aws_session_token }}
aws_default_region: ${{ inputs.aws_default_region }}
aws_resource_identifier: ${{ inputs.aws_resource_identifier }}
aws_additional_tags: ${{ inputs.aws_additional_tags }}
# Terraform
tf_stack_destroy: ${{ inputs.tf_stack_destroy }}
tf_state_file_name: ${{ inputs.tf_state_file_name }}
tf_state_file_name_append: ${{ inputs.tf_state_file_name_append }}
tf_state_bucket: ${{ inputs.tf_state_bucket }}
tf_state_bucket_destroy: ${{ inputs.tf_state_bucket_destroy }}
# Current repo vars
bitops_code_only: ${{ inputs.bitops_code_only }}
bitops_code_store: ${{ inputs.bitops_code_store }}
# AWS RDS
aws_rds_db_enable: ${{ inputs.aws_rds_db_enable }}
aws_rds_db_proxy: ${{ inputs.aws_rds_db_proxy }}
aws_rds_db_identifier: ${{ inputs.aws_rds_db_identifier }}
aws_rds_db_name: ${{ inputs.aws_rds_db_name }}
aws_rds_db_user: ${{ inputs.aws_rds_db_user }}
aws_rds_db_engine: ${{ inputs.aws_rds_db_engine }}
aws_rds_db_engine_version: ${{ inputs.aws_rds_db_engine_version }}
aws_rds_db_ca_cert_identifier: ${{ inputs.aws_rds_db_ca_cert_identifier }}
aws_rds_db_security_group_name: ${{ inputs.aws_rds_db_security_group_name }}
aws_rds_db_allowed_security_groups: ${{ inputs.aws_rds_db_allowed_security_groups }}
aws_rds_db_ingress_allow_all: ${{ inputs.aws_rds_db_ingress_allow_all }}
aws_rds_db_publicly_accessible: ${{ inputs.aws_rds_db_publicly_accessible }}
aws_rds_db_port: ${{ inputs.aws_rds_db_port }}
aws_rds_db_subnets: ${{ inputs.aws_rds_db_subnets }}
aws_rds_db_allocated_storage: ${{ inputs.aws_rds_db_allocated_storage }}
aws_rds_db_max_allocated_storage: ${{ inputs.aws_rds_db_max_allocated_storage }}
aws_rds_db_storage_encrypted: ${{ inputs.aws_rds_db_storage_encrypted }}
aws_rds_db_storage_type: ${{ inputs.aws_rds_db_storage_type }}
aws_rds_db_kms_key_id: ${{ inputs.aws_rds_db_kms_key_id }}
aws_rds_db_instance_class: ${{ inputs.aws_rds_db_instance_class }}
aws_rds_db_final_snapshot: ${{ inputs.aws_rds_db_final_snapshot }}
aws_rds_db_restore_snapshot_identifier: ${{ inputs.aws_rds_db_restore_snapshot_identifier }}
aws_rds_db_cloudwatch_logs_exports: ${{ inputs.aws_rds_db_cloudwatch_logs_exports }}
aws_rds_db_multi_az: ${{ inputs.aws_rds_db_multi_az }}
aws_rds_db_maintenance_window: ${{ inputs.aws_rds_db_maintenance_window }}
aws_rds_db_apply_immediately: ${{ inputs.aws_rds_db_apply_immediately }}
aws_rds_db_additional_tags: ${{ inputs.aws_rds_db_additional_tags }}
# DB Proxy
aws_db_proxy_name: ${{ inputs.aws_db_proxy_name }}
aws_db_proxy_client_password_auth_type: ${{ inputs.aws_db_proxy_client_password_auth_type }}
aws_db_proxy_tls: ${{ inputs.aws_db_proxy_tls }}
aws_db_proxy_security_group_name: ${{ inputs.aws_db_proxy_security_group_name }}
aws_db_proxy_database_security_group_allow: ${{ inputs.aws_db_proxy_database_security_group_allow }}
aws_db_proxy_allowed_security_group: ${{ inputs.aws_db_proxy_allowed_security_group }}
aws_db_proxy_allow_all_incoming: ${{ inputs.aws_db_proxy_allow_all_incoming }}
aws_db_proxy_cloudwatch_enable: ${{ inputs.aws_db_proxy_cloudwatch_enable }}
aws_db_proxy_cloudwatch_retention_days: ${{ inputs.aws_db_proxy_cloudwatch_retention_days }}
aws_db_proxy_additional_tags: ${{ inputs.aws_db_proxy_additional_tags }}
# AWS VPC Inputs
aws_vpc_create: ${{inputs.aws_vpc_create }}
aws_vpc_name: ${{inputs.aws_vpc_name }}
aws_vpc_cidr_block: ${{inputs.aws_vpc_cidr_block }}
aws_vpc_public_subnets: ${{inputs.aws_vpc_public_subnets }}
aws_vpc_private_subnets: ${{inputs.aws_vpc_private_subnets }}
aws_vpc_availability_zones: ${{inputs.aws_vpc_availability_zones }}
aws_vpc_id: ${{inputs.aws_vpc_id }}
aws_vpc_subnet_id: ${{inputs.aws_vpc_subnet_id }}
aws_vpc_enable_nat_gateway: ${{ inputs.aws_vpc_enable_nat_gateway }}
aws_vpc_single_nat_gateway: ${{ inputs.aws_vpc_single_nat_gateway }}
aws_vpc_external_nat_ip_ids: ${{ inputs.aws_vpc_external_nat_ip_ids }}
aws_vpc_additional_tags: ${{inputs.aws_vpc_additional_tags }}