18F / newrelic-terraform

New Relic Automation for TTS
https://docs.google.com/document/d/13Cf_3iMBBzmFPYyryKhRgNiC6upayeBvzEOn47Owh_c/edit

TTS New Relic Automation

Requirements

Getting Started

Copy env.sample to .env and edit it so that each environment variable is populated from your password or secret manager rather than a hard-coded value. Keep .env out of version control; it holds credentials.

Source your secrets.

$ source .env

Initialize Terraform.

$ terraform init

Apply changes.

$ terraform apply

Development

Format your Terraform code before pushing.

$ terraform fmt

Update the list of sites

TODO: provide a script that replaces the manual steps below with 1) download the inventory and 2) run the script.

Follow these steps to update sites.csv.

  1. Download the GSA Website Inventory as a CSV.
  2. Filter the rows to those whose Production Status is not "Decommissioned" and whose Sub-Office starts with "TTS".
  3. Copy the first column (the list of domains) of the remaining rows into sites.csv.
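The filtering above can be done by a script rather than by hand in a spreadsheet. The following is an added example and is not code from the 18F/newrelic-terraform repository; it assumes the inventory export has a header row with columns named "Production Status" and "Sub-Office" (the field names used in the manual steps), that the first column is the domain, and that sites.csv is a bare list of one domain per line. The sample inventory embedded at the bottom is constructed for a stand-alone run.

```python
"""Filter the GSA Website Inventory CSV down to the TTS sites for sites.csv.

Added example (not part of 18F/newrelic-terraform). Assumed: the export has a
header row with "Production Status" and "Sub-Office" columns and the domain is
the first column. Adjust the constants below if the export differs.
"""
import csv
import io
from typing import Iterable, List

PRODUCTION_STATUS_COLUMN = "Production Status"  # assumed header name
SUB_OFFICE_COLUMN = "Sub-Office"                # assumed header name
DECOMMISSIONED = "Decommissioned"
TTS_PREFIX = "TTS"


def filter_sites(rows: Iterable[List[str]]) -> List[str]:
    """Return the domains (first column) of rows that are not decommissioned
    and whose Sub-Office starts with TTS, de-duplicated, in input order."""
    rows = iter(rows)
    header = next(rows, None)
    if header is None:
        return []
    # Look the filter columns up by name so a reordered export still works;
    # fail loudly if the export no longer has them rather than writing an empty list.
    try:
        status_idx = header.index(PRODUCTION_STATUS_COLUMN)
        office_idx = header.index(SUB_OFFICE_COLUMN)
    except ValueError as exc:
        raise ValueError(f"inventory CSV is missing an expected column: {exc}") from exc

    domains: List[str] = []
    seen = set()
    for row in rows:
        if len(row) <= max(status_idx, office_idx):
            continue  # blank or truncated row
        domain = row[0].strip()
        status = row[status_idx].strip()
        office = row[office_idx].strip()
        if not domain or status.casefold() == DECOMMISSIONED.casefold():
            continue
        # Spreadsheet "starts with" filters are case-insensitive; match that.
        if not office.upper().startswith(TTS_PREFIX):
            continue
        if domain in seen:
            continue
        seen.add(domain)
        domains.append(domain)
    return domains


def filter_sites_text(inventory_text: str) -> List[str]:
    """Convenience wrapper over filter_sites for CSV already held in memory."""
    return filter_sites(csv.reader(io.StringIO(inventory_text)))


def update_sites_csv(inventory_path: str, sites_path: str = "sites.csv") -> int:
    """Read the downloaded inventory and write one domain per line to sites.csv.
    Returns the number of domains written. utf-8-sig drops the BOM that
    spreadsheet exports often prepend to the first header name."""
    with open(inventory_path, newline="", encoding="utf-8-sig") as fh:
        domains = filter_sites(csv.reader(fh))
    with open(sites_path, "w", newline="", encoding="utf-8") as out:
        for domain in domains:
            out.write(domain + "\n")
    return len(domains)


# Constructed sample export for a stand-alone run; the real file is the inventory download.
SAMPLE_INVENTORY = """Domain,Production Status,Sub-Office
cloud.gov,Production,TTS/18F
login.gov,Production,TTS Solutions
cloud.gov,Production,TTS/18F
old.example.gov,Decommissioned,TTS/18F
other.example.gov,Production,FAS
"""

if __name__ == "__main__":
    for d in filter_sites_text(SAMPLE_INVENTORY):
        print(d)
```

Run it as `python filter_sites.py` to see the sample result, or call `update_sites_csv("inventory.csv")` on the downloaded export to rewrite sites.csv in place. Looking the filter columns up by header name, and raising when they are absent, avoids silently emptying the site list when the inventory's column order changes.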

Initial setup

The first time you set up this project, you'll need to create the Terraform backend and set up CI.

Terraform backend

This assumes you'll be using an S3 bucket for state storage with a DynamoDB table for locking. The bucket and table names used below (tts-newrelic-terraform and newrelic-terraform-state-lock) are the ones referenced in the IAM policy and must match your backend configuration.

Create the bucket in S3 and ensure "Block all public access" is checked. Enabling bucket versioning is recommended so that an overwritten or corrupted state file can be recovered.

Create the DynamoDB table for state locking. The Terraform S3 backend expects the lock table to have a string partition key named LockID.

Create an IAM user for CI with only the following permissions, scoped to the state bucket, the production/ state prefix, and the lock table:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::tts-newrelic-terraform"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject"],
      "Resource": "arn:aws:s3:::tts-newrelic-terraform/production/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/newrelic-terraform-state-lock"
    }
  ]
}

GitHub Actions

Add these secrets for use in GitHub Actions.

Secret                  Description
AWS_ACCESS_KEY_ID       AWS access key ID for accessing the S3+DynamoDB Terraform state.
AWS_SECRET_ACCESS_KEY   AWS secret key for accessing the S3+DynamoDB Terraform state.
NEW_RELIC_API_KEY       New Relic API key.
NEW_RELIC_ACCOUNT_ID    New Relic account ID.

To enforce the workflow, you should enable protected branches for the main branch configured with these options:

Public domain

This project is in the worldwide public domain. As stated in CONTRIBUTING:

This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.

All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.