diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 93bdb74..534cafd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,12 +7,12 @@ repos: - --args=-recursive - id: terraform_validate - repo: https://github.com/terraform-docs/terraform-docs - rev: "v0.21.0" + rev: "v0.23.0" hooks: - id: terraform-docs-go args: ["markdown", "table", "--config", "./.terraform-docs.yaml", "--recursive", "--output-file", "README.md", "./"] - repo: https://github.com/bridgecrewio/checkov.git - rev: '3.2.500' + rev: '3.2.526' hooks: - id: checkov verbose: false diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 85c8ce9..e05347f 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -2,24 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "6.35.0" + version = "6.44.0" constraints = "~> 6.0" hashes = [ - "h1:1iT6jfU18fnDQCUzsWGsT0EUfLm//UcTh3QVN//gv7k=", - "zh:0ae4d5a1fc094b173e0d47649981b6cb8d4f5a24182f08aeb0f1812071d5bacc", - "zh:21acdf0d5671df0aee7e9c6a226b08ce40d637d3f6d44cb33bd89a532e58ac81", - "zh:2706f83d54ee74d0c3238ef451a10aae94c25c275fff945f24c81cc8c3185c6f", - "zh:336fc3be04864e2cb326df3ba03523a23e17efc978d95a5b3622bc2a2051d56c", - "zh:399a05362eaa2e6ff1446b42350d6bcdfbd13c48e7e5bceeaec987e7145743b8", - "zh:402a326a938120a0d6d2839d1eacd6862e3a51679f53cbb41e400c6deb36bd7e", - "zh:74497cc6185fb8f7a7c916f35006413fc5852e5d7414dca25d25efca527f3721", - "zh:8afd2759d9355270def8fa345c8880ab52d35ec4aa5bc463c392afe740a67863", + "h1:+xHWvYNFliL9ukFNIPBdqmOQ15Jtw41TN3Qv0CPxi+g=", + "zh:0462747d28f6dcd7b1b723bea9da1600526b7cdcf929ed4be54352d74b0746e6", + "zh:0c9b7e7b04050360f609ff5700d8a76227fb4ea84dac92b844d82a2013706705", + "zh:2877a6854edf237f9d6c66dc928294cbbcf29d3f52577fb8f232d0cfd11d5c0d", + "zh:3347b82e222bbfad326b79c408e53a9252b80c6c762f4dd4f4617583394f0a4e", + "zh:33997dbe611b5abf49c87a31f29d8f797c97421f67b71fec8aa688799511b758", + "zh:5d5c37375c5e776e6e8f95fb8cbd8009258618b9f51c55551a18adc09ef5814a", + "zh:67d6bd61c52ca5f4c37c96a76f6820c9f1902e4b83f89faddf9fd7f17ba0b160", + "zh:739588639fa30db7084d6939c2eb9b4dd2d7f58dbb5d5b3b2c4bda2a35dcf521", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a69117698044b5e6eb0f178790f1166059ea009a82e60922309117751b75d9f3", - "zh:e8c12582c93a977a3082ca640f1b9d6050f2153dd27e8f337c8e0f1c47abb322", - "zh:e944e74e08b22ce7c5601cded1caa090e209d2ad550f945afd059c7098cfc28b", - "zh:edefaf9dc0e3c2a08e80b2ce0f8544ea433cbce2382bcb4913250ba71f4267dc", - "zh:eedd5a91f263b92092d1d174bcd60d8e3e5fe3588972c397664d36d548a77551", - "zh:f42d1289f85b1bc76de8a6f51f36fded9d933a313c5a28f61e5df0191398f4d8", + 
"zh:a953797142df4245bd8f456b9e78690f501a0fff2f58552db4eb2da409cd99e9", + "zh:aeb8d616dd34a9f1c5048ed4cdd6d7692db93cd33a468872618d4cd38c4784aa", + "zh:dc8420556aca50658247b097de6734259fc3a6012ff1cf96612fca10b3982f9d", + "zh:f9083d6d9fb9cbdcd91e38c92f96e67223ecc7ce6d0986bd5eb8e6d52e9aa02b", + "zh:f9418aa1e4d29f9026aa6f521e97d085e000902ea929debbbef61135185e3ad4", + "zh:fb2494a6c92118055cfb2c114a4fe5c750946a1b0d6be6bf02ab3e37a091fb8b", ] } diff --git a/README.md b/README.md index 7049e80..0876eec 100644 --- a/README.md +++ b/README.md @@ -125,6 +125,7 @@ This is a core infrastructure repository that defines infrastructure related to * [TIMDEX](https://github.com/MITLibraries/mitlib-tf-workloads-timdex-infrastructure) * [TIMDEX Application](https://github.com/MITLibraries/timdex) * [TIMDEX Dataset API](https://github.com/MITLibraries/timdex-dataset-api) + * [TIMDES DSpace Fulltext Harvester](https://github.com/MITLibraries/dspace-fulltext-harvester) * [TIMDEX Embeddings](https://github.com/MITLibraries/timdex-embeddings) * [TIMDEX Index Manager](https://github.com/MITLibraries/timdex-index-manager) * [TIMDEX Pipeline Lambdas](https://github.com/MITLibraries/timdex-pipeline-lambdas) @@ -141,7 +142,7 @@ This is a core infrastructure repository that defines infrastructure related to * Owner: See [CODEOWNERS](./.github/CODEOWNERS) * Team: See [CODEOWNERS](./.github/CODEOWNERS) -* Last Maintenance: 2026-03 +* Last Maintenance: 2026-05 ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point 
@@ -149,20 +150,20 @@ This is a core infrastructure repository that defines infrastructure related to ## Requirements | Name | Version | -|------|---------| +| ---- | ------- | | terraform | ~> 1.14 | | aws | ~> 6.0 | ## Providers | Name | Version | -|------|---------| -| aws | 6.35.0 | +| ---- | ------- | +| aws | 6.44.0 | ## Modules | Name | Source | Version | -|------|--------|---------| +| ---- | ------ | ------- | | ecr\_alma\_webhook\_lambdas | ./modules/ecr | n/a | | ecr\_apt | ./modules/ecr | n/a | | ecr\_asati | ./modules/ecr | n/a | @@ -173,6 +174,7 @@ This is a core infrastructure repository that defines infrastructure related to | ecr\_cdps\_s3\_bagit\_validator\_west | ./modules/ecr | n/a | | ecr\_creditcardslips | ./modules/ecr | n/a | | ecr\_dsc | ./modules/ecr | n/a | +| ecr\_dspace\_fulltext\_harvester | ./modules/ecr | n/a | | ecr\_dss | ./modules/ecr | n/a | | ecr\_hrqb\_client | ./modules/ecr | n/a | | ecr\_marimo | ./modules/ecr | n/a | @@ -198,7 +200,7 @@ This is a core infrastructure repository that defines infrastructure related to ## Resources | Name | Type | -|------|------| +| ---- | ---- | | [aws_iam_policy.login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy_document.login](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | | [aws_ssm_parameter.oidc_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameter) | data source | 
@@ -206,7 +208,7 @@ This is a core infrastructure repository that defines infrastructure related to ## Inputs | Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| +| ---- | ----------- | ---- | ------- | :------: | | appinput\_ssm\_path | Standard prefix in Parameter Store for Terraform outputs specifically needed by | `string` | n/a | yes | | aws\_region | The AWS region where this infrastructure will be deployed. | `string` | `"us-east-1"` | no | | environment | The name of the environment/stage/workspace (e.g., `stage`, `prod`, `dev`) | `string` | n/a | yes | @@ -219,7 +221,7 @@ This is a core infrastructure repository that defines infrastructure related to ## Outputs | Name | Description | -|------|-------------| +| ---- | ----------- | | alma\_webhook\_lambdas\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-webhook-lambdas repo | | alma\_webhook\_lambdas\_makefile | Full contents of the Makefile for the alma-webhook-lambdas repo (allows devs to push to Dev account only) | | alma\_webhook\_lambdas\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-webhook-lambdas repo | 
@@ -256,6 +258,10 @@ This is a core infrastructure repository that defines infrastructure related to | dsc\_fargate\_makefile | Full contents of the Makefile for the dsc repo (allows devs to push to Dev account only) | | dsc\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the dsc repo | | dsc\_fargate\_stage\_build\_workflow | Full contents of the stage-build.yml for the dsc repo | +| dspace\_fulltext\_harvester\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the dspace-fulltext-harvester repo | +| dspace\_fulltext\_harvester\_fargate\_makefile | Full contents of the Makefile for the dspace-fulltext-harvester repo (allows devs to push to Dev account only) | +| dspace\_fulltext\_harvester\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the dspace-fulltext-harvester repo | +| dspace\_fulltext\_harvester\_fargate\_stage\_build\_workflow | Full contents of the stage-build.yml for the dspace-fulltext-harvester repo | | dss\_fargate\_dev\_build\_workflow | Full contents of the dev-build.yml for the dss repo | | dss\_fargate\_makefile | Full contents of the Makefile for the dss repo (allows devs to push to Dev account only) | | dss\_fargate\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the dss repo | diff --git a/files/dev-build-cpu-arch-extra-region.tpl b/files/dev-build-cpu-arch-extra-region.tpl index ce0284c..fe37e91 100644 --- a/files/dev-build-cpu-arch-extra-region.tpl +++ b/files/dev-build-cpu-arch-extra-region.tpl 
@@ -3,15 +3,14 @@ ### This should be added to jobs section of the dev-build.yml. If this is ### ### a Lambda function, uncomment the FUNCTION: line ### - deploy-${region}: - needs: prep - name: Dev Deploy ${region} + build-push-${region}: + name: Dev Build and Push ${region} uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main secrets: inherit with: AWS_REGION: "${region}" GHA_ROLE: "${role}" ECR: "${ecr}" - CPU_ARCH: $${{ needs.prep.outputs.cpuarch }} + # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"! # FUNCTION: "${function}" # PREBUILD: diff --git a/files/dev-build-cpu-arch.tpl b/files/dev-build-cpu-arch.tpl index 9d84932..a08cb4f 100644 --- a/files/dev-build-cpu-arch.tpl +++ b/files/dev-build-cpu-arch.tpl 
@@ -19,42 +19,14 @@ permissions: contents: read jobs: - prep: - name: Prep for Build - runs-on: ubuntu-latest - outputs: - cpuarch: $${{ steps.setarch.outputs.cpuarch }} - steps: - - name: Checkout - uses: actions/checkout@v5 - - - name: Set CPU Architecture - id: setarch - run: | - echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY - if [[ -f .aws-architecture ]]; then - ARCH=$(cat .aws-architecture) - echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY - else - ARCH="linux/amd64" - echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY - fi - if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then - echo "$ARCH is INVALID architecture!" - echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY - exit 1 - fi - echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT - - deploy: - needs: prep - name: Dev Deploy + build-push: + name: Dev Build and Push uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main secrets: inherit with: AWS_REGION: "${region}" GHA_ROLE: "${role}" ECR: "${ecr}" - CPU_ARCH: $${{ needs.prep.outputs.cpuarch }} + # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"! # FUNCTION: "${function}" # PREBUILD: diff --git a/files/prod-promote-cpu-arch-extra-region.tpl b/files/prod-promote-cpu-arch-extra-region.tpl index 556b1c7..f210d65 100644 --- a/files/prod-promote-cpu-arch-extra-region.tpl +++ b/files/prod-promote-cpu-arch-extra-region.tpl @@ -1,9 +1,8 @@ ### This should be added to jobs section of the prod-promote.yml. ### If this is a Lambda function, uncomment the FUNCTION: line - deploy-${region}: - needs: prep - name: Deploy ${region} + promote-${region}: + name: Prod promote ${region} uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main secrets: inherit with: 
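Review bot: The deleted `prep` job in files/dev-build-cpu-arch.tpl was the only place in this template that restricted the content of `.aws-architecture` to `linux/arm64` or `linux/amd64`, and the new `build-push` job passes no `CPU_ARCH`, so the hunk does not show where that value is now read or validated. Presumably the check moved into `ecr-multi-arch-deploy-dev.yml`; confirm the allowlist exists there, since the file is repository-controlled input that feeds an image build. The job still calls that workflow at `@main` with `secrets: inherit`, so more of the pipeline's behaviour now depends on a mutable ref; consider pinning it, e.g. `uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@<commit-sha>`. The same applies to the matching hunks in files/prod-promote-cpu-arch.tpl and files/stage-build-cpu-arch.tpl.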
@@ -12,6 +11,6 @@ GHA_ROLE_PROD: ${role_prod} ECR_STAGE: "${ecr_stage}" ECR_PROD: "${ecr_prod}" - CPU_ARCH: $${{ needs.prep.outputs.cpuarch }} + # DEFAULT_BRANCH: # Only if the default branch is not "main"! # FUNCTION: "${function}" \ No newline at end of file diff --git a/files/prod-promote-cpu-arch.tpl b/files/prod-promote-cpu-arch.tpl index d917497..7165d1c 100644 --- a/files/prod-promote-cpu-arch.tpl +++ b/files/prod-promote-cpu-arch.tpl @@ -14,36 +14,8 @@ permissions: contents: read jobs: - prep: - name: Prep for Promote - runs-on: ubuntu-latest - outputs: - cpuarch: $${{ steps.setarch.outputs.cpuarch }} - steps: - - name: Checkout - uses: actions/checkout@v5 - - - name: Set CPU Architecture - id: setarch - run: | - echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY - if [[ -f .aws-architecture ]]; then - ARCH=$(cat .aws-architecture) - echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY - else - ARCH="linux/amd64" - echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY - fi - if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then - echo "$ARCH is INVALID architecture!" - echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY - exit 1 - fi - echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT - deploy: - needs: prep - name: Deploy + name: Prod promote uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main secrets: inherit with: @@ -52,6 +24,6 @@ jobs: GHA_ROLE_PROD: ${role_prod} ECR_STAGE: "${ecr_stage}" ECR_PROD: "${ecr_prod}" - CPU_ARCH: $${{ needs.prep.outputs.cpuarch }} + # DEFAULT_BRANCH: # Only if the default branch is not "main"! # FUNCTION: "${function}" \ No newline at end of file diff --git a/files/stage-build-cpu-arch-extra-region.tpl b/files/stage-build-cpu-arch-extra-region.tpl index 610d9cd..3e805cb 100644 --- a/files/stage-build-cpu-arch-extra-region.tpl 
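Review bot: In files/prod-promote-cpu-arch.tpl the job key appears to stay `deploy:` while only its display name changes to `Prod promote`, whereas the extra-region fragment is renamed to `promote-${region}:` and the dev and stage templates move to `build-push:`. Renaming the key to `promote:` would keep the job ids consistent across the generated workflows. If any required status check or `needs:` elsewhere refers to the old job id, it has to be updated in the same step; nothing in this hunk shows whether one exists.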
+++ b/files/stage-build-cpu-arch-extra-region.tpl @@ -3,15 +3,14 @@ ### This should be added to jobs section of the stage-build.yml. If this ### ### is a Lambda function, uncomment the FUNCTION: line ### - deploy-${region}: - needs: prep - name: Stage Deploy ${region} + build-push-${region}: + name: Stage Build and Push ${region} uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main secrets: inherit with: AWS_REGION: "${region}" GHA_ROLE: "${role}" ECR: "${ecr}" - CPU_ARCH: $${{ needs.prep.outputs.cpuarch }} + # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"! # FUNCTION: "${function}" # PREBUILD: diff --git a/files/stage-build-cpu-arch.tpl b/files/stage-build-cpu-arch.tpl index 74446d8..cf59521 100644 --- a/files/stage-build-cpu-arch.tpl +++ b/files/stage-build-cpu-arch.tpl 
@@ -19,42 +19,14 @@ permissions: contents: read jobs: - prep: - name: Prep for Build - runs-on: ubuntu-latest - outputs: - cpuarch: $${{ steps.setarch.outputs.cpuarch }} - steps: - - name: Checkout - uses: actions/checkout@v5 - - - name: Set CPU Architecture - id: setarch - run: | - echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY - if [[ -f .aws-architecture ]]; then - ARCH=$(cat .aws-architecture) - echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY - else - ARCH="linux/amd64" - echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY - fi - if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then - echo "$ARCH is INVALID architecture!" - echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY - exit 1 - fi - echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT - - deploy: - needs: prep - name: Stage Deploy + build-push: + name: Stage Build and Push uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main secrets: inherit with: AWS_REGION: "${region}" GHA_ROLE: "${role}" ECR: "${ecr}" - CPU_ARCH: $${{ needs.prep.outputs.cpuarch }} + # DOCKERFILE: # only if the name of the Dockerfile is not "Dockerfile"! # FUNCTION: "${function}" # PREBUILD: diff --git a/matomo_ecr.tf b/matomo_ecr.tf index ced365c..fd9627c 100644 --- a/matomo_ecr.tf +++ b/matomo_ecr.tf @@ -21,7 +21,7 @@ module "ecr_matomo" { ## For matomo application repo and ECR repository # Outputs in dev output "matomo_fargate_dev_build_workflow" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch-extra-region.tpl", { region = var.aws_region role = module.ecr_matomo.gha_role ecr = module.ecr_matomo.repository_name 
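Review bot: `matomo_fargate_dev_build_workflow` in matomo_ecr.tf now renders `dev-build-cpu-arch-extra-region.tpl`, which by its own header is a fragment "to be added to jobs section of the dev-build.yml", while the output's description still promises the full contents of dev-build.yml. Every other app in this commit switches to the full template, so this looks like it should be `templatefile("${path.module}/files/dev-build-cpu-arch.tpl", {`. The stage and prod matomo outputs in the following hunks use the `-extra-region` variants in the same way. If the fragment is rendered as the whole file, the result would presumably lack the top-level `permissions: contents: read` block that the full template carries; the fragment's complete content is not visible here, so verify.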
@@ -31,7 +31,7 @@ output "matomo_fargate_dev_build_workflow" { description = "Full contents of the dev-build.yml for the matomo repo" } output "matomo_fargate_makefile" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", { ecr_name = module.ecr_matomo.repository_name ecr_url = module.ecr_matomo.repository_url function = "" @@ -42,7 +42,7 @@ output "matomo_fargate_makefile" { # Outputs in stage output "matomo_fargate_stage_build_workflow" { - value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", { + value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch-extra-region.tpl", { region = var.aws_region role = module.ecr_matomo.gha_role ecr = module.ecr_matomo.repository_name @@ -54,7 +54,7 @@ output "matomo_fargate_stage_build_workflow" { # Outputs after promotion to prod output "matomo_fargate_prod_promote_workflow" { - value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", { + value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch-extra-region.tpl", { region = var.aws_region role_stage = "${module.ecr_matomo.repo_name}-gha-stage" role_prod = "${module.ecr_matomo.repo_name}-gha-prod" diff --git a/modules/ecr/.terraform.lock.hcl b/modules/ecr/.terraform.lock.hcl index 44626cf..e05347f 100644 --- a/modules/ecr/.terraform.lock.hcl +++ b/modules/ecr/.terraform.lock.hcl 
@@ -2,25 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "5.62.0" - constraints = "~> 5.0" + version = "6.44.0" + constraints = "~> 6.0" hashes = [ - "h1:8tevkFG+ea/sNZYiQ2GQ02hknPcWBukxkrpjRCodQC0=", - "h1:X3LAZdkVhb/77gTlhPwKYCA9oblBCSu866fZDDOojPY=", - "zh:1f366cbcda72fb123015439a42ab19f96e10ce4edb404273f4e1b7e06da20b73", - "zh:25f098454a34b483279e0382b24b4f42e51c067222c6e797eda5d3ec33b9beb1", - "zh:4b59d48b527e3cefd73f196853bfc265b3e1e57b55c1c8a2d12ff6e3534b4f07", - "zh:7bb88c1ca95e2b3f0f1fe8636925133b9813fc5b137cc467ba6a233ddf4b360e", - "zh:8a93dece40e816c92647e762839d0370e9cad2aa21dc4ca95baee9385f116459", - "zh:8dfe82c55ab8f633c1e2a39c687e9ca8c892d1c2005bf5166ac396ce868ecd05", + "h1:+xHWvYNFliL9ukFNIPBdqmOQ15Jtw41TN3Qv0CPxi+g=", + "zh:0462747d28f6dcd7b1b723bea9da1600526b7cdcf929ed4be54352d74b0746e6", + "zh:0c9b7e7b04050360f609ff5700d8a76227fb4ea84dac92b844d82a2013706705", + "zh:2877a6854edf237f9d6c66dc928294cbbcf29d3f52577fb8f232d0cfd11d5c0d", + "zh:3347b82e222bbfad326b79c408e53a9252b80c6c762f4dd4f4617583394f0a4e", + "zh:33997dbe611b5abf49c87a31f29d8f797c97421f67b71fec8aa688799511b758", + "zh:5d5c37375c5e776e6e8f95fb8cbd8009258618b9f51c55551a18adc09ef5814a", + "zh:67d6bd61c52ca5f4c37c96a76f6820c9f1902e4b83f89faddf9fd7f17ba0b160", + "zh:739588639fa30db7084d6939c2eb9b4dd2d7f58dbb5d5b3b2c4bda2a35dcf521", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a754952d69b4860480d5207390e3ab42350c964dbca9a5ac0c6912dd24b4c11d", - "zh:b2a4dbf4abee0e9ec18c5d323b99defdcd3c681f8c4306fb6e02cff7de038f85", - "zh:b57d84be258b571c04271015f03858ab215768b82e47c11ecd86e789d577030a", - "zh:be811b03289407c8d59e6b199bf16e6071165565ffe502148172d0886cf849c4", - "zh:d4144c7366c840eff1ac15ba13d96063f798f0983d24053a832362033624fe6f", - "zh:d88612856d453c4e10c49c76e4ef522b7d068b4f7c3e2e0b03dd74540986eecd", - "zh:e8bd231a5d0786cc4aab8471bb6dabd5a5df1c598afda077a9f27987ada57b67", - 
"zh:ffb40a66b4d000a8ee4c54227eeb998f887ad867419c3af7d3981587788de074", + "zh:a953797142df4245bd8f456b9e78690f501a0fff2f58552db4eb2da409cd99e9", + "zh:aeb8d616dd34a9f1c5048ed4cdd6d7692db93cd33a468872618d4cd38c4784aa", + "zh:dc8420556aca50658247b097de6734259fc3a6012ff1cf96612fca10b3982f9d", + "zh:f9083d6d9fb9cbdcd91e38c92f96e67223ecc7ce6d0986bd5eb8e6d52e9aa02b", + "zh:f9418aa1e4d29f9026aa6f521e97d085e000902ea929debbbef61135185e3ad4", + "zh:fb2494a6c92118055cfb2c114a4fe5c750946a1b0d6be6bf02ab3e37a091fb8b", ] } diff --git a/modules/ecr/README.md b/modules/ecr/README.md index 24cc56e..8e84bc1 100644 --- a/modules/ecr/README.md +++ b/modules/ecr/README.md @@ -15,15 +15,15 @@ The following resources are generated when this module is called ## Requirements | Name | Version | -|------|---------| +| ---- | ------- | | terraform | ~> 1.14 | | aws | ~> 6.0 | ## Providers | Name | Version | -|------|---------| -| aws | 5.62.0 | +| ---- | ------- | +| aws | 6.44.0 | ## Modules @@ -32,7 +32,7 @@ No modules. ## Resources | Name | Type | -|------|------| +| ---- | ---- | | [aws_ecr_lifecycle_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_lifecycle_policy) | resource | | [aws_ecr_repository.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_repository) | resource | | [aws_iam_policy.rw_this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | @@ -50,7 +50,7 @@ No modules. ## Inputs | Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| +| ---- | ----------- | ---- | ------- | :------: | | environment | The environment (dev, stage, or prod) | `string` | n/a | yes | | gh\_organization | The name of the GitHub Organization. | `string` | `"MITLibraries"` | no | | login\_policy\_arn | The ARN of the shared ECR login policy | `string` | n/a | yes | 
@@ -62,7 +62,7 @@ No modules. ## Outputs | Name | Description | -|------|-------------| +| ---- | ----------- | | gha\_role | Github action role used to update the ECR repository | | repo\_name | The repo\_name that was passed in to the module for naming purposes | | repository\_name | The name of the ECR repository | diff --git a/timdex_ecrs.tf b/timdex_ecrs.tf index c447414..879f16a 100644 --- a/timdex_ecrs.tf +++ b/timdex_ecrs.tf @@ -2,7 +2,6 @@ ### Timdex related ECR's ### - ############################################################################## ## oaiharvester # oaiharvester ECR repo @@ -19,7 +18,7 @@ module "ecr_oaiharvester" { } # Outputs in dev output "oaiharvester_dev_build_workflow" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_oaiharvester.gha_role ecr = module.ecr_oaiharvester.repository_name @@ -29,7 +28,7 @@ output "oaiharvester_dev_build_workflow" { description = "Full contents of the dev-build.yml for the oaiharvester repo" } output "oaiharvester_makefile" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", { ecr_name = module.ecr_oaiharvester.repository_name ecr_url = module.ecr_oaiharvester.repository_url function = "" 
@@ -40,7 +39,7 @@ output "oaiharvester_makefile" { # Outputs in stage output "oaiharvester_stage_build_workflow" { - value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", { + value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_oaiharvester.gha_role ecr = module.ecr_oaiharvester.repository_name @@ -52,7 +51,7 @@ output "oaiharvester_stage_build_workflow" { # Outputs after promotion to prod output "oaiharvester_prod_promote_workflow" { - value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", { + value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", { region = var.aws_region role_stage = "${module.ecr_oaiharvester.repo_name}-gha-stage" role_prod = "${module.ecr_oaiharvester.repo_name}-gha-prod" @@ -81,7 +80,7 @@ module "ecr_timdex_transmogrifier" { } # Outputs in dev output "transmogrifier_dev_build_workflow" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_timdex_transmogrifier.gha_role ecr = module.ecr_timdex_transmogrifier.repository_name 
@@ -91,7 +90,7 @@ output "transmogrifier_dev_build_workflow" { description = "Full contents of the dev-build.yml for the transmogrifier repo" } output "transmogrifier_makefile" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", { ecr_name = module.ecr_timdex_transmogrifier.repository_name ecr_url = module.ecr_timdex_transmogrifier.repository_url function = "" @@ -101,7 +100,7 @@ output "transmogrifier_makefile" { } # Outputs in stage output "transmogrifier_stage_build_workflow" { - value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", { + value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_timdex_transmogrifier.gha_role ecr = module.ecr_timdex_transmogrifier.repository_name @@ -112,7 +111,7 @@ output "transmogrifier_stage_build_workflow" { } # Outputs after promotion to prod output "transmogrifier_prod_promote_workflow" { - value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", { + value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", { region = var.aws_region role_stage = "${module.ecr_timdex_transmogrifier.repo_name}-gha-stage" role_prod = "${module.ecr_timdex_transmogrifier.repo_name}-gha-prod" 
@@ -143,7 +142,7 @@ module "ecr_timdex_lambdas" { } # Outputs in dev output "timdex_lambdas_dev_build_workflow" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_timdex_lambdas.gha_role ecr = module.ecr_timdex_lambdas.repository_name @@ -153,7 +152,7 @@ output "timdex_lambdas_dev_build_workflow" { description = "Full contents of the dev-build.yml for the timdex-pipeline-lambdas repo" } output "timdex_lambdas_makefile" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", { ecr_name = module.ecr_timdex_lambdas.repository_name ecr_url = module.ecr_timdex_lambdas.repository_url function = local.ecr_timdex_lambdas_function_name @@ -164,7 +163,7 @@ output "timdex_lambdas_makefile" { # Outputs in stage output "timdex_lambdas_stage_build_workflow" { - value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", { + value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_timdex_lambdas.gha_role ecr = module.ecr_timdex_lambdas.repository_name 
@@ -176,7 +175,7 @@ output "timdex_lambdas_stage_build_workflow" { # Outputs after promotion to prod output "timdex_lambdas_prod_promote_workflow" { - value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", { + value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", { region = var.aws_region role_stage = "${module.ecr_timdex_lambdas.repo_name}-gha-stage" role_prod = "${module.ecr_timdex_lambdas.repo_name}-gha-prod" @@ -205,7 +204,7 @@ module "ecr_timdex_tim" { } # Outputs in dev output "tim_dev_build_workflow" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_timdex_tim.gha_role ecr = module.ecr_timdex_tim.repository_name @@ -215,7 +214,7 @@ output "tim_dev_build_workflow" { description = "Full contents of the dev-build.yml for the timdex-index-manager repo" } output "tim_makefile" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", { ecr_name = module.ecr_timdex_tim.repository_name ecr_url = module.ecr_timdex_tim.repository_url function = "" 
@@ -225,7 +224,7 @@ output "tim_makefile" { } # Outputs in stage output "tim_stage_build_workflow" { - value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", { + value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_timdex_tim.gha_role ecr = module.ecr_timdex_tim.repository_name @@ -236,7 +235,7 @@ output "tim_stage_build_workflow" { } # Outputs after promotion to prod output "tim_prod_promote_workflow" { - value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", { + value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", { region = var.aws_region role_stage = "${module.ecr_timdex_tim.repo_name}-gha-stage" role_prod = "${module.ecr_timdex_tim.repo_name}-gha-prod" @@ -329,7 +328,7 @@ module "ecr_timdex_geo" { } # Outputs in dev output "geo_dev_build_workflow" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_timdex_geo.gha_role ecr = module.ecr_timdex_geo.repository_name 
@@ -339,7 +338,7 @@ output "geo_dev_build_workflow" { description = "Full contents of the dev-build.yml for the geo-harvester repo" } output "geo_makefile" { - value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", { ecr_name = module.ecr_timdex_geo.repository_name ecr_url = module.ecr_timdex_geo.repository_url function = "" @@ -349,7 +348,7 @@ output "geo_makefile" { } # Outputs in stage output "geo_stage_build_workflow" { - value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", { + value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch.tpl", { region = var.aws_region role = module.ecr_timdex_geo.gha_role ecr = module.ecr_timdex_geo.repository_name @@ -360,7 +359,7 @@ output "geo_stage_build_workflow" { } # Outputs after promotion to prod output "geo_prod_promote_workflow" { - value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", { + value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", { region = var.aws_region role_stage = "${module.ecr_timdex_geo.repo_name}-gha-stage" role_prod = "${module.ecr_timdex_geo.repo_name}-gha-prod" 
@@ -502,3 +501,69 @@ output "timdex_semantic_builder_lambda_prod_promote_workflow" { ) description = "Full contents of the prod-promote.yml for the timdex-semantic-builder repo" } + + +############################################################################## +# dspace-fulltext-harvester containers +# This is a standard ECR for an ECS with a Fargate launch type +module "ecr_dspace_fulltext_harvester" { + source = "./modules/ecr" + repo_name = "dspace-fulltext-harvester" + login_policy_arn = aws_iam_policy.login.arn + oidc_arn = data.aws_ssm_parameter.oidc_arn.value + environment = var.environment + tfoutput_ssm_path = var.tfoutput_ssm_path + tags = { + app-repo = "timdex-infrastructure-dspace-fulltext-harvester" + } +} + +## Outputs to Terraform Cloud for devs ## + +## For timdex-embeddings application repo and ECR repository +# Outputs in dev +output "dspace_fulltext_harvester_fargate_dev_build_workflow" { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch.tpl", { + region = var.aws_region + role = module.ecr_dspace_fulltext_harvester.gha_role + ecr = module.ecr_dspace_fulltext_harvester.repository_name + function = "" + } + ) + description = "Full contents of the dev-build.yml for the dspace-fulltext-harvester repo" +} +output "dspace_fulltext_harvester_fargate_makefile" { + value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", { + ecr_name = module.ecr_dspace_fulltext_harvester.repository_name + ecr_url = module.ecr_dspace_fulltext_harvester.repository_url + function = "" + } + ) + description = "Full contents of the Makefile for the dspace-fulltext-harvester repo (allows devs to push to Dev account only)" +} + +# Outputs in stage +output "dspace_fulltext_harvester_fargate_stage_build_workflow" { + value = var.environment == "prod" || var.environment == "dev" ? 
null : templatefile("${path.module}/files/stage-build-cpu-arch.tpl", { + region = var.aws_region + role = module.ecr_dspace_fulltext_harvester.gha_role + ecr = module.ecr_dspace_fulltext_harvester.repository_name + function = "" + } + ) + description = "Full contents of the stage-build.yml for the dspace-fulltext-harvester repo" +} + +# Outputs after promotion to prod +output "dspace_fulltext_harvester_fargate_prod_promote_workflow" { + value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", { + region = var.aws_region + role_stage = "${module.ecr_dspace_fulltext_harvester.repo_name}-gha-stage" + role_prod = "${module.ecr_dspace_fulltext_harvester.repo_name}-gha-prod" + ecr_stage = "${module.ecr_dspace_fulltext_harvester.repo_name}-stage" + ecr_prod = "${module.ecr_dspace_fulltext_harvester.repo_name}-prod" + function = "" + } + ) + description = "Full contents of the prod-promote.yml for the dspace-fulltext-harvester repo" +}
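Review bot: The comment above the new outputs in timdex_ecrs.tf, `## For timdex-embeddings application repo and ECR repository`, is left over from the block this was copied from and should read `## For dspace-fulltext-harvester application repo and ECR repository`. The `app-repo` tag is set to `timdex-infrastructure-dspace-fulltext-harvester` while `repo_name` is `dspace-fulltext-harvester`; confirm that this is the intended value, since an incorrect tag makes the repository harder to attribute to its owner. The prod-promote output builds the role and ECR names by string interpolation on `repo_name`, as the neighbouring blocks do, so those names must keep matching what `./modules/ecr` actually creates.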