Add infra template -- rename infra/app -> infra/frontend, exclude PR …

…template overwrite because we've already made our own

.dockleconfig

@@ -0,0 +1,4 @@
+# This file is allows you to specify a list of files that is acceptable to Dockle
+# To allow multiple files, use a list of names, example below. Make sure to remove the leading #
+# DOCKLE_ACCEPT_FILES="file1,path/to/file2,file3/path,etc"
+# https://github.com/goodwithtech/dockle#accept-suspicious-environment-variables--files--file-extensions

.github/actions/configure-aws-credentials/action.yml

@@ -0,0 +1,58 @@
+name: 'Configure AWS Credentials'
+description: 'Configure AWS Credentials for a given application and |
+  environment so that the GitHub Actions workflow can access AWS resources. |
+  This is a wrapper around https://github.com/aws-actions/configure-aws-credentials |
+  that first determines the account, role, and region based on the |
+  account_names_by_environment configuration in app-config'
+inputs:
+  app_name:
+    description: 'Name of application folder under /infra'
+    required: true
+  environment:
+    description: 'Name of environment (dev, staging, prod) that AWS resources live in, or "shared" for resources that are shared across environments'
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Get AWS account authentication details (AWS account, IAM role, AWS region)
+      run: |
+        # Get AWS account authentication details (AWS account, IAM role, AWS region)
+        # associated with the application environment to figure out which AWS
+        # account to log into, which IAM role to assume, and which AWS region to use
+
+        echo "::group::AWS account authentication details"
+
+        terraform -chdir=infra/project-config init > /dev/null
+        terraform -chdir=infra/project-config refresh > /dev/null
+        AWS_REGION=$(terraform -chdir=infra/project-config output -raw default_region)
+        echo "AWS_REGION=$AWS_REGION"
+        GITHUB_ACTIONS_ROLE_NAME=$(terraform -chdir=infra/project-config output -raw github_actions_role_name)
+        echo "GITHUB_ACTIONS_ROLE_NAME=$GITHUB_ACTIONS_ROLE_NAME"
+
+        terraform -chdir=infra/${{ inputs.app_name }}/app-config init > /dev/null
+        terraform -chdir=infra/${{ inputs.app_name }}/app-config refresh > /dev/null
+        ACCOUNT_NAME=$(terraform -chdir=infra/${{ inputs.app_name }}/app-config output -json account_names_by_environment | jq -r .${{ inputs.environment }})
+        echo "ACCOUNT_NAME=$ACCOUNT_NAME"
+
+        # Get the account id associated with the account name extracting the
+        # ACCOUNT_ID part of the tfbackend file name which looks like
+        # <ACCOUNT_NAME>.<ACCOUNT_ID>.s3.tfbackend.
+        # The cut command splits the string with period as the delimeter and
+        # extracts the second field.
+        ACCOUNT_ID=$(ls infra/accounts/$ACCOUNT_NAME.*.s3.tfbackend | cut -d. -f2)
+        echo "ACCOUNT_ID=$ACCOUNT_ID"
+
+        AWS_ROLE_TO_ASSUME=arn:aws:iam::$ACCOUNT_ID:role/$GITHUB_ACTIONS_ROLE_NAME
+        echo "AWS_ROLE_TO_ASSUME=$AWS_ROLE_TO_ASSUME"
+
+        echo "::endgroup::"
+
+        echo "Setting env vars AWS_ROLE_TO_ASSUME and AWS_REGION..."
+        echo "AWS_ROLE_TO_ASSUME=$AWS_ROLE_TO_ASSUME" >> "$GITHUB_ENV"
+        echo "AWS_REGION=$AWS_REGION" >> "$GITHUB_ENV"
+      shell: bash
+    - name: Configure AWS credentials
+      uses: aws-actions/configure-aws-credentials@v1
+      with:
+        role-to-assume: ${{ env.AWS_ROLE_TO_ASSUME }}
+        aws-region: ${{ env.AWS_REGION }}

.github/workflows/build-and-publish.yml

@@ -0,0 +1,41 @@
+name: Build and Publish
+
+on:
+  workflow_call:
+    inputs:
+      ref:
+        description: The branch, tag or SHA to checkout. When checking out the repository that triggered a workflow, this defaults to the reference or SHA for that event. Otherwise, use branch or tag that triggered the workflow run.
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: The branch, tag or SHA to checkout. When checking out the repository that triggered a workflow, this defaults to the reference or SHA for that event. Otherwise, use branch or tag that triggered the workflow run.
+        required: true
+        type: string
+
+jobs:
+  build-and-publish:
+    name: Build and publish
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ inputs.ref }}
+
+      - name: Build release
+        run: make release-build
+
+      - name: Configure AWS credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          app_name: app
+          environment: shared
+
+      - name: Publish release
+        run: make release-publish

.github/workflows/cd.yml

@@ -0,0 +1,62 @@
+name: Deploy
+# Need to set a default value for when the workflow is triggered from a git push,
+# which bypasses the default configuration for inputs and cannot use env.ENVIRONMENT
+# since env context is not accessible in this context
+run-name: Deploy ${{ github.ref_name }} to ${{ inputs.environment || 'dev' }}
+
+on:
+  # !! Uncomment the following lines once you've set up the dev environment and ready to turn on continuous deployment
+  # push:
+  #   branches:
+  #     - 'main'
+  #   paths:
+  #     - 'app/**'
+  #     - 'bin/**'
+  #     - 'infra/**'
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "target environment"
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
+
+env:
+  APP_NAME: app
+  # Need to set a default value for when the workflow is triggered from a git push,
+  # which bypasses the default configuration for inputs
+  ENVIRONMENT: ${{ inputs.environment || 'dev' }}
+
+# Need to repeat the expression since env.ENVIRONMENT is not accessible in this context
+concurrency: cd-${{ inputs.environment || 'dev' }}
+
+jobs:
+  # Don't need to call the build-and-publish workflow since the database-migrations
+  # workflow already calls it
+  database-migrations:
+    name: Database migrations
+    uses: ./.github/workflows/database-migrations.yml
+    with:
+      environment: ${{ inputs.environment || 'dev' }}
+  deploy:
+    name: Deploy
+    runs-on: ubuntu-latest
+    needs: [database-migrations]
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Configure AWS credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          app_name: ${{ env.APP_NAME }}
+          environment: ${{ env.ENVIRONMENT }}
+
+      - name: Deploy release
+        run: make release-deploy APP_NAME=$APP_NAME ENVIRONMENT="$ENVIRONMENT"

.github/workflows/check-infra-auth.yml

@@ -0,0 +1,30 @@
+name: Check GitHub Actions AWS Authentication
+
+on:
+  workflow_dispatch:
+    inputs:
+      aws_region:
+        description: AWS region
+        default: us-east-1
+        required: false
+      role_to_assume:
+        description: ARN of IAM role to assume
+        required: true
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  caller-identity:
+    name: Check caller identity
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-region: ${{ inputs.aws_region }}
+          role-to-assume: ${{ inputs.role_to_assume }}
+      - run: aws sts get-caller-identity

.github/workflows/ci-infra.yml

@@ -0,0 +1,103 @@
+name: CI Infra Checks
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - infra/**
+      - .github/workflows/ci-infra.yml
+  pull_request:
+    paths:
+      - infra/**
+      - test/**
+      - .github/workflows/ci-infra.yml
+
+jobs:
+  check-terraform-format:
+    name: Check Terraform format
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.4.6
+          terraform_wrapper: false
+      - name: Run infra-lint
+        run: |
+          echo "If this fails, run 'make infra-format'"
+          make infra-lint
+  validate-terraform:
+    name: Validate Terraform modules
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.4.6
+          terraform_wrapper: false
+      - name: Run infra-validate
+        run: make infra-validate
+  check-compliance-with-checkov:
+    name: Check compliance with checkov
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-python@v4
+        with:
+          python-version: "3.10"
+      - name: Run Checkov check
+        # Pin to specific checkov version rather than running from checkov@master
+        # since checkov frequently adds new checks that can cause CI checks to fail unpredictably.
+        # There is currently no way to specify the checkov version to pin to (See https://github.com/bridgecrewio/checkov-action/issues/41)
+        # so we need to pin the version of the checkov-action, which indirectly pins the checkov version.
+        # In this case, checkov-action v12.2296.0 is mapped to checkov v2.3.194.
+        uses: bridgecrewio/[email protected]
+        with:
+          directory: infra
+          framework: terraform
+          quiet: true # only displays failed checks
+  check-compliance-with-tfsec:
+    name: Check compliance with tfsec
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      pull-requests: write
+
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run tfsec check
+        uses: aquasecurity/[email protected]
+        with:
+          github_token: ${{ github.token }}
+  # !! Uncomment to trigger automated infra tests once dev environment is set up
+  # infra-test-e2e:
+  #   name: End-to-end tests
+  #   runs-on: ubuntu-latest
+  #
+  #   permissions:
+  #     contents: read
+  #     id-token: write
+  #
+  #   steps:
+  #     - uses: actions/checkout@v3
+
+  #     - uses: hashicorp/setup-terraform@v2
+  #       with:
+  #         terraform_version: 1.2.1
+  #         terraform_wrapper: false
+
+  #     - uses: actions/setup-go@v3
+  #       with:
+  #         go-version: ">=1.19.0"
+
+  #     - name: Configure AWS credentials
+  #       uses: ./.github/actions/configure-aws-credentials
+  #       with:
+  #         app_name: app
+  #         # Run infra CI on dev environment
+  #         environment: dev
+
+  #     - name: Run Terratest
+  #       run: make infra-test