fleet/.github/workflows/dogfood-deploy.yml

name: Deploy Dogfood Environment

on:
  workflow_dispatch:
    inputs:
      DOCKER_IMAGE:
        description: 'The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.30.0). Note: do not use fleetdm/fleet:main directly.  Use the short hash instead.  If pull-rate limited, try using the quay.io/fleetdm/fleet mirror.'
        required: true

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash
    working-directory: infrastructure/dogfood/terraform/aws-tf-module

env:
  AWS_REGION: us-east-2
  ECR_REPOSITORY: fleet-test
  AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role
  TF_ACTIONS_WORKING_DIR: infrastructure/dogfood/terraform/aws-tf-module
  TF_WORKSPACE: fleet
  TF_VAR_fleet_image: ${{ github.event.inputs.DOCKER_IMAGE || 'fleetdm/fleet:main' }}
  TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}
  TF_VAR_slack_webhook: ${{ secrets.SLACK_G_HELP_P1_WEBHOOK_URL }}
  TF_VAR_fleet_sentry_dsn: ${{ secrets.DOGFOOD_SENTRY_DSN }}
  TF_VAR_elastic_url: ${{ secrets.ELASTIC_APM_SERVER_URL }}
  TF_VAR_elastic_token: ${{ secrets.ELASTIC_APM_SECRET_TOKEN }}
  TF_VAR_geolite2_license: ${{ secrets.MAXMIND_LICENSE }}

permissions:
  id-token: write
  contents: read    # This is required for actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b

jobs:
  deploy:
    name: Deploy Fleet Dogfood Environment
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
      - id: fail-on-main
        run: "false"
        if: ${{ github.ref == 'main' }}
      - uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0
        with:
          role-to-assume: ${{env.AWS_IAM_ROLE}}
          aws-region: ${{ env.AWS_REGION }}
      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: ${{ vars.GO_VERSION }}
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: 1.6.3
          terraform_wrapper: false
      - name: Terraform Init
        id: init
        run: terraform init
      - name: Terraform fmt
        id: fmt
        run: terraform fmt -check
        continue-on-error: true
      - name: Terraform Validate
        id: validate
        run: terraform validate -no-color
      - name: Terraform Plan
        id: plan
        run: terraform plan -no-color
        continue-on-error: true
        # first we'll scale everything down and create the new task definitions
      - name: Terraform Apply
        id: apply
        run: terraform apply -auto-approve
add tf vars for cloudwatch log retention & rds snapshot backup retention (#6532) * add tf vars for cloudwatch log retention & rds snapshot backup retention, update github workflow to deploy new dogfood configurations for new tf vars * typo and tf fmt 2022-07-11 19:30:36 +00:00			`name: Deploy Dogfood Environment`
set default shell in workflows (#8108) * wait for mysql in workflows 2022-10-07 15:43:56 +00:00
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`on:`
			`workflow_dispatch:`
			`inputs:`
Fix confusion with tags on dogfood deploy workflow (#8964) * Fix confusion with tags on dogfood deploy workflow * Update .github/workflows/dogfood-deploy.yml Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> 2022-12-08 18:11:33 +00:00			`DOCKER_IMAGE:`
Warn against deploying fleetdm/fleet:main directly (#11316) Deploying `fleetdm/fleet:main` directly to dogfood has problems if migrations are needed and an image restarts. This causes crashloops in the containers and leads to being rate-limited for pulls on dockerhub. Warn against this and also suggest using quay.io as an alternative image location. 2023-04-25 18:22:59 +00:00			`description: 'The full name of the docker image to be deployed. (e.g. fleetdm/fleet:v4.30.0). Note: do not use fleetdm/fleet:main directly. Use the short hash instead. If pull-rate limited, try using the quay.io/fleetdm/fleet mirror.'`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`required: true`

add concurrency to ci (#8271) * add concurrency to ci * add readme for workflows 2022-10-24 20:01:00 +00:00			`# This allows a subsequently queued workflow run to interrupt previous runs`
			`concurrency:`
			`group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id}}`
			`cancel-in-progress: true`

set default shell in workflows (#8108) * wait for mysql in workflows 2022-10-07 15:43:56 +00:00			`defaults:`
			`run:`
			`# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference`
			`shell: bash`
Dogfood returns (#10345) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-03-08 21:38:53 +00:00			`working-directory: infrastructure/dogfood/terraform/aws-tf-module`
set default shell in workflows (#8108) * wait for mysql in workflows 2022-10-07 15:43:56 +00:00
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`env:`
			`AWS_REGION: us-east-2`
			`ECR_REPOSITORY: fleet-test`
			`AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role`
Dogfood returns (#10345) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-03-08 21:38:53 +00:00			`TF_ACTIONS_WORKING_DIR: infrastructure/dogfood/terraform/aws-tf-module`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`TF_WORKSPACE: fleet`
Fix confusion with tags on dogfood deploy workflow (#8964) * Fix confusion with tags on dogfood deploy workflow * Update .github/workflows/dogfood-deploy.yml Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> Co-authored-by: Michal Nicpon <39177923+michalnicp@users.noreply.github.com> 2022-12-08 18:11:33 +00:00			`TF_VAR_fleet_image: ${{ github.event.inputs.DOCKER_IMAGE \|\| 'fleetdm/fleet:main' }}`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`TF_VAR_fleet_license: ${{ secrets.DOGFOOD_LICENSE_KEY }}`
Update dogfood deploy help_p1 webhook secret name (#10537) 2023-03-16 21:56:46 +00:00			`TF_VAR_slack_webhook: ${{ secrets.SLACK_G_HELP_P1_WEBHOOK_URL }}`
Update the sentry environment variable name (#10943) 2023-04-03 19:12:16 +00:00			`TF_VAR_fleet_sentry_dsn: ${{ secrets.DOGFOOD_SENTRY_DSN }}`
Add elastic apm to dogfood (#11287) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-04-24 15:25:57 +00:00			`TF_VAR_elastic_url: ${{ secrets.ELASTIC_APM_SERVER_URL }}`
			`TF_VAR_elastic_token: ${{ secrets.ELASTIC_APM_SECRET_TOKEN }}`
GeoLite2 addon for Dogfood and Cloud (#15643) 2023-12-14 19:22:11 +00:00			`TF_VAR_geolite2_license: ${{ secrets.MAXMIND_LICENSE }}`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00
			`permissions:`
			`id-token: write`
Bump actions/checkout from 2 to 3.0.2 (#7301) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...2541b1294d2704b0964813337f33b291d3f8596b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-08-31 10:44:22 +00:00			`contents: read # This is required for actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00
			`jobs:`
			`deploy:`
			`name: Deploy Fleet Dogfood Environment`
			`runs-on: ubuntu-latest`
			`steps:`
Bump actions/checkout from 2 to 3.0.2 (#7301) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...2541b1294d2704b0964813337f33b291d3f8596b) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-08-31 10:44:22 +00:00			`- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b`
Make the github action fail if used on the main branch (#7967) 2022-09-29 17:30:47 +00:00			`- id: fail-on-main`
			`run: "false"`
			`if: ${{ github.ref == 'main' }}`
Pin actions to commit SHA (#10204) ## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-03-01 01:55:38 +00:00			`- uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`with:`
			`role-to-assume: ${{env.AWS_IAM_ROLE}}`
			`aws-region: ${{ env.AWS_REGION }}`
Dogfood github actions and monitoring module fixes (#14875) These items fix the github action for use with the updates to the monitoring module. Additionally there were some changes needed to the monitoring module to make it behave inside the GH action. Once this is approved/merged, the new tag for them monitoring module will be created as `tf-mod-addon-monitoring-v1.1.1` 2023-11-01 21:34:13 +00:00			`- name: Set up Go`
			`uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0`
			`with:`
update Go to 1.21.5 (#15592) for https://github.com/fleetdm/fleet/issues/15584 # Checklist for submitter If some of the following don't apply, delete the relevant line. <!-- Note that API documentation changes are now addressed by the product design team. --> - [x] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [x] Manual QA for all new/changed functionality 2023-12-13 16:57:12 +00:00			`go-version: ${{ vars.GO_VERSION }}`
Pin actions to commit SHA (#10204) ## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> 2023-03-01 01:55:38 +00:00			`- uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`with:`
Dogfood github actions and monitoring module fixes (#14875) These items fix the github action for use with the updates to the monitoring module. Additionally there were some changes needed to the monitoring module to make it behave inside the GH action. Once this is approved/merged, the new tag for them monitoring module will be created as `tf-mod-addon-monitoring-v1.1.1` 2023-11-01 21:34:13 +00:00			`terraform_version: 1.6.3`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`terraform_wrapper: false`
			`- name: Terraform Init`
			`id: init`
			`run: terraform init`
			`- name: Terraform fmt`
			`id: fmt`
			`run: terraform fmt -check`
			`continue-on-error: true`
			`- name: Terraform Validate`
			`id: validate`
			`run: terraform validate -no-color`
			`- name: Terraform Plan`
			`id: plan`
			`run: terraform plan -no-color`
			`continue-on-error: true`
			`# first we'll scale everything down and create the new task definitions`
Terraform version bump (#10513) # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information. - [ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md) - [ ] Documented any permissions changes - [ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements) - [ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features. - [ ] Added/updated tests - [ ] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [ ] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - [ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)). 2023-03-15 16:41:25 +00:00			`- name: Terraform Apply`
			`id: apply`
add github action deploy via OIDC credentials (#5339) * remove unused iam poilcy attributes and remove github action on pull request, only workflow dispatch will be required * update github.tf, commenting out all resources, but leaving in place in case someone else wants to use ODIC providers & Github actions 2022-05-25 18:03:29 +00:00			`run: terraform apply -auto-approve`