Ecr fixes + opentofu

.github/actions/push_on_ecr/action.yml

@@ -23,6 +23,10 @@ inputs:
   image_tag:
     description: Directory that must be run against the linters
     required: true
+  image_target:
+    description: Image target stage
+    required: true
+    default: BASE
 
   aws_region:
     description: Aws region
@@ -46,11 +50,12 @@ runs:
       uses: docker/setup-buildx-action@v3
 
     - name: Build and push
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
       with:
         context: ${{ inputs.working_directory }}
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
         tags: ${{inputs.aws_account_id}}.dkr.ecr.${{inputs.aws_region}}.amazonaws.com/${{ inputs.repository }}:${{ inputs.image_tag }}
         file: ${{ inputs.working_directory }}/${{ inputs.dockerfile }}
+        target: ${{ inputs.image_target }}

.github/workflows/_detect_changes.yml

@@ -16,12 +16,22 @@ on:
         description: Space separated list of frontend directories
         required: false
         type: string
-      
+
       frontend_exclusions:
         description: Space separated list of frontend directories or files to be excluded
         required: false
         type: string
 
+      infrastructure_directories:
+        description: Space separated list of infrastructure directories
+        required: false
+        type: string
+
+      infrastructure_exclusions:
+        description: Space separated list of infrastructure directories or files to be excluded
+        required: false
+        type: string
+
       ubuntu_version:
         description: Ubuntu version to use
         type: string
@@ -37,13 +47,19 @@ on:
         description: Number of files changed in frontend
         value: ${{ jobs.detect-changes.outputs.frontend }}
 
+      infrastructure:
+        description: Number of files changed in infrastructure
+        value: ${{ jobs.detect-changes.outputs.infrastructure }}
+
 jobs:
   detect-changes:
     name: Detect changes
     runs-on: ubuntu-${{ inputs.ubuntu_version }}
     outputs:
       backend: ${{steps.diff_check_backend.outputs.backend}}
       frontend: ${{steps.diff_check_frontend.outputs.frontend}}
+      infrastructure: ${{steps.diff_check_infrastructure.outputs.infrastructure}}
+
     steps:
     - name: Check out PR target branch
       uses: actions/checkout@v4
@@ -56,7 +72,7 @@ jobs:
         clean: false
 
     - name: Generate summary
-      if: ${{inputs.backend_directories != ''}} | ${{inputs.frontend_directories != ''}}
+      if: ${{inputs.backend_directories != ''}} | ${{inputs.frontend_directories != ''}} | ${{inputs.infrastructure_directories != ''}}
       run: |
         echo "### Detect Changes summary" >> $GITHUB_STEP_SUMMARY
         echo "" >> $GITHUB_STEP_SUMMARY
@@ -92,7 +108,23 @@ jobs:
         FRONTEND_CHANGES=$(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 | wc -l)
         echo "frontend=$FRONTEND_CHANGES" >> $GITHUB_OUTPUT
         echo "Frontend Changes: $FRONTEND_CHANGES" >> $GITHUB_STEP_SUMMARY
-        echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.backend_directories }} $FRONTEND_EXCLUSIONS"
-        echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.backend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 )"
+        echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS"
+        echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.frontend_directories }} $FRONTEND_EXCLUSIONS | head -n -1 )"
         echo "frontend $FRONTEND_CHANGES"
 
+    - name: Generate diffs for infrastructure
+      if: ${{inputs.infrastructure_directories != ''}}
+      id: diff_check_infrastructure
+      run: |
+        INFRASTRUCTURE_EXCLUSIONS=""
+        if ${{ inputs.infrastructure_exclusions != ''}}; then
+          for exclusion in ${{ inputs.infrastructure_exclusions }}; do
+            INFRASTRUCTURE_EXCLUSIONS+=":(glob,exclude)$exclusion "
+          done
+        fi
+        INFRASTRUCTURE_CHANGES=$(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS | head -n -1 | wc -l)
+        echo "infrastructure=$INFRASTRUCTURE_CHANGES" >> $GITHUB_OUTPUT
+        echo "Infrastructure Changes: $INFRASTRUCTURE_CHANGES" >> $GITHUB_STEP_SUMMARY
+        echo "::debug::diff command:git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS"
+        echo "::debug::diff command results: $(git diff --compact-summary origin/${{ github.base_ref }} -- ${{ inputs.infrastructure_directories }} $INFRASTRUCTURE_EXCLUSIONS | head -n -1 )"
+        echo "infrastructure $INFRASTRUCTURE_CHANGES"

.github/workflows/_opentofu.yml

@@ -0,0 +1,51 @@
+name: Reusable opentofu workflow
+on:
+  workflow_call:
+    inputs:
+      working_directory:
+        description: Directory that must be run against the linters
+        type: string
+        required: true
+
+
+jobs:
+  python:
+    name: Run opentofu test suite
+    runs-on: ubuntu-latest
+    env:
+      STAGE: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' )  && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' )  && 'stag' || 'test' }}
+    strategy:
+      matrix:
+        directory: ["infrastructure", "application" ]
+      fail-fast: false
+    environment: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' )  && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' )  && 'stag' || 'test' }}
+    permissions: write-all
+    steps:
+      - name: Check out latest commit
+        uses: actions/checkout@v4
+
+      - name: tofu fmt ${{ matrix.directory }}
+        uses: dflook/tofu-fmt-check@v2
+        with:
+          path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }}
+
+      - name: tofu validate ${{ matrix.directory }}
+        uses: dflook/tofu-validate@v2
+        with:
+          path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }}
+
+      - name: tofu plan ${{ matrix.directory }}
+        uses: dflook/tofu-plan@v2
+        env:
+          GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
+          TF_VAR_github_token : ${{ secrets.GITHUB_TOKEN }}
+          TF_VAR_github_organization_name : certego
+          TF_VAR_aws_account_id : ${{ secrets.AWS_ACCOUNT_ID }}
+          TF_VAR_aws_access_key : ${{ secrets.AWS_ACCESS_KEY }}
+          TF_VAR_aws_secret_key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        with:
+          path: ${{inputs.working_directory}}/opentofu/${{ env.STAGE }}/${{ matrix.directory }}
+          label: ${{ matrix.path }}
+          # TODO per qualche ragione di permessi (credo del token github) non riesce a recuperarsi le chiavi
+          exclude: |
+            module.github_ecr_access_keys

.github/workflows/_release_and_tag.yml

@@ -36,16 +36,12 @@ on:
         type: boolean
         required: false
         default: false
-      repository:
-        description: Repository name
-        type: string
-        required: false
-        default: ${{ github.event.repository.name }}
 
-      dockerfiles:
-        description: Path for dockerfiles from working directory
+      docker_mapping:
+        description: List[Dict[dockerfile sep "dockerfile_path", repository sep "repository_name"]]
         type: string
         required: false
+
       working_directory:
         description: Docker build context
         type: string
@@ -148,39 +144,68 @@ jobs:
           access_token_secret: ${{ secrets.TWITTER_ACCESS_TOKEN_SECRET }}
 
 
-  push_on_ecr:
+  push_on_ecr_branch:
     runs-on: ubuntu-latest
-    needs: release_and_tag
-    if: github.event.pull_request.merged == true && inputs.publish_on_ecr == true
+    environment: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' )  && 'prod' || ( github.base_ref == 'develop' || github.base_ref == 'dev' )  && 'stag' || 'test' }}
+    if: inputs.publish_on_ecr == true
     strategy:
       matrix:
-        dockerfile: ${{ fromJson(inputs.dockerfiles) }}
+        docker_mapping: ${{ fromJson(inputs.docker_mapping) }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # otherwise, you do not retrieve the tags
-      - name: Push on ecr branch
+
+      - name: Push on ecr branch from merge
         uses: ./.github/actions/push_on_ecr
-        if: github.base_ref == 'master' || github.base_ref == 'main' || github.base_ref == 'develop' || github.base_ref == 'dev'
+        if: github.event.pull_request.merged == true && (github.base_ref == 'master' || github.base_ref == 'develop')
         with:
-          repository: ${{ inputs.repository }}
+          repository: ${{ matrix.docker_mapping.repository }}
           aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
           aws_access_key: ${{ secrets.AWS_ACCESS_KEY}}
           aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          dockerfile: ${{ matrix.dockerfile }}
+          dockerfile: ${{ matrix.docker_mapping.dockerfile }}
           image_tag: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' )  && 'prod' || 'stag' }}
           aws_region: ${{ inputs.aws_region }}
           working_directory: ${{ inputs.working_directory }}
+          image_target: ${{ ( github.base_ref == 'main' || github.base_ref == 'master' )  && 'prod' || 'stag' }}
+
+      - name: Push on ecr branch from push
+        uses: ./.github/actions/push_on_ecr
+        if: github.ref_name == 'test' || github.ref_name == 'opentofu'
+        with:
+          repository: ${{ matrix.docker_mapping.repository }}
+          aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
+          aws_access_key: ${{ secrets.AWS_ACCESS_KEY}}
+          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          dockerfile: ${{ matrix.docker_mapping.dockerfile }}
+          image_tag: 'test'
+          aws_region: ${{ inputs.aws_region }}
+          working_directory: ${{ inputs.working_directory }}
+          image_target: 'test'
+
+  push_on_ecr_tag:
+    runs-on: ubuntu-latest
+    needs: release_and_tag
+    environment: "prod"
+    if: github.event.pull_request.merged == true && inputs.publish_on_ecr == true
+    strategy:
+      matrix:
+        docker_mapping: ${{ fromJson(inputs.docker_mapping) }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # otherwise, you do not retrieve the tags
 
       - name: Push on ecr new release
         if: needs.release_and_tag.outputs.match == 'true' && (github.base_ref == 'master' || github.base_ref == 'main' )
         uses: ./.github/actions/push_on_ecr
         with:
-          repository: ${{ inputs.repository }}
+          repository: ${{ matrix.docker_mapping.repository }}
           aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
           aws_access_key: ${{ secrets.AWS_ACCESS_KEY}}
           aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          dockerfile: ${{ inputs.dockerfile }}
+          dockerfile: ${{ matrix.docker_mapping.dockerfile }}
           image_tag: ${{ github.event.pull_request.title }}
           aws_region: ${{ inputs.aws_region }}
           working_directory: ${{ inputs.working_directory }}

.github/workflows/pull_request_automation.yml

@@ -106,3 +106,11 @@ jobs:
         ["3.12"]
       max_timeout: 15
       ubuntu_version: latest
+
+  opentofu_test:
+    needs: detect-changes
+    if: ${{ needs.detect-changes.outputs.infrastructure > 0 }}
+    uses: ./.github/workflows/_opentofu.yml
+    secrets: inherit
+    with:
+      working_directory: .

.github/workflows/release.yml

@@ -4,6 +4,15 @@ on:
   pull_request:
     types:
       - closed
+    branches:
+      - 'master'
+      - 'main'
+      - 'develop'
+      - 'test'
+  push:
+    branches:
+      - 'test'
+      - 'opentofu'
 
 # discard previous execution if you commit to a branch that is already running
 concurrency:
@@ -23,6 +32,5 @@ jobs:
       publish_on_ecr: false
       repository: certego-test
       working_directory: .github/test/python_test
-      dockerfiles: >-
-        ["Dockerfile"]
+      docker_mapping: '[{ dockerfile: "docker/Dockerfile", repository: "test"}]'
       aws_region: eu-central-1

.pre-commit-config.yaml

@@ -52,3 +52,9 @@ repos:
       - id: ruff
         name: ruff-lint
         args: ["--config", "./.github/configurations/python_linters/.ruff.toml"]
+
+-   repo: https://github.com/tofuutils/pre-commit-opentofu
+    rev: v2.2.1
+    hooks:
+      - id: tofu_fmt
+      - id: tofu_validate

actions/push_on_ecr/action.yml

@@ -23,6 +23,10 @@ inputs:
   image_tag:
     description: Directory that must be run against the linters
     required: true
+  image_target:
+    description: Image target stage
+    required: true
+    default: BASE
 
   aws_region:
     description: Aws region
@@ -46,11 +50,12 @@ runs:
       uses: docker/setup-buildx-action@v3
 
     - name: Build and push
-      uses: docker/build-push-action@v5
+      uses: docker/build-push-action@v6
       with:
         context: ${{ inputs.working_directory }}
         push: true
         cache-from: type=gha
         cache-to: type=gha,mode=max
         tags: ${{inputs.aws_account_id}}.dkr.ecr.${{inputs.aws_region}}.amazonaws.com/${{ inputs.repository }}:${{ inputs.image_tag }}
         file: ${{ inputs.working_directory }}/${{ inputs.dockerfile }}
+        target: ${{ inputs.image_target }}