deployment files

.blueprints

@@ -0,0 +1,17 @@
+BLUEPRINTS_VERSION=4.10.0
+TENANT_NAME=engagement
+TENANT_PREFIX=engagement
+APP_NAME=permify
+APP_TYPE=
+GITHUB_ORG=CondeNast
+GITHUB_REPO=permify-cn
+DEFAULT_BRANCH=main
+CODE_DIR=
+INFRA_DIR=infra
+DOCKERFILE=
+NODEJS_VERSION=
+PYTHON_VERSION=
+JAVA_VERSION=
+CUSTOMISE_HELM_VALUES=
+NONPROD_ACCOUNT_ID=
+PROD_ACCOUNT_ID=

.github/workflows/code.yml

@@ -0,0 +1,64 @@
+name: code
+
+on:
+  push:
+    paths:
+      - ".github/workflows/code.yml"
+      - "**"
+
+concurrency: code
+
+jobs:
+  # gp-nonprod - 1
+  build-push-gp-nonprod:
+    runs-on: ubuntu-latest
+    environment:
+      name: gp-nonprod
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Global Build Push
+        id: build_push
+        uses: CondeNast/[email protected]
+        with:
+          ecr_repository_url: 166755036155.dkr.ecr.us-east-1.amazonaws.com/engagement-permify
+          aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          context: .
+          target: production
+          push: true
+          build_args: |
+            NPM_TOKEN=${{ secrets.NPM_TOKEN }}
+    outputs:
+      tag: ${{ steps.build_push.outputs.tag }}
+      image: ${{ steps.build_push.outputs.image }}
+
+  deploy-gp-nonprod-eu-0:
+    needs: build-push-gp-nonprod
+    if: ${{ github.ref_name == 'main' || github.ref_name == 'staging'}}
+    runs-on: ubuntu-latest
+    environment:
+      name: gp-nonprod-protected
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Deploy
+        id: deploy
+        uses: CondeNast/[email protected]
+        with:
+          aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws_region: eu-central-1
+          eks_cluster_name: gp-nonprod-eu-0
+          eks_namespace: engagement
+          helm_release_name: permify
+          helm_chart_name: gp-app
+          helm_chart_version: 9.x
+          helm_values_inline: |
+            deployment.app.image="166755036155.dkr.ecr.eu-central-1.amazonaws.com/engagement-permify:${{ needs.build-push-gp-nonprod.outputs.tag }}"
+            serviceAccount.roleArn="arn:aws:iam::166755036155:role/kubernetes/engagement/engagement-gp-nonprod-eu-0-permify"
+            readinessProbe.httpGet.path="/ping"
+            livenessProbe.httpGet.path="/ping"
+          helm_description: "tag:${{ needs.build-push-gp-nonprod.outputs.tag }}"
+          helm_values_file: ./kubernetes/gp-nonprod-eu-0.yml
+          deploy: true

.github/workflows/eks-tenant-infra.yml

@@ -0,0 +1,112 @@
+name: eks-tenant-infra
+
+on:
+  push:
+    paths:
+      - ".github/workflows/eks-tenant-infra.yml"
+      - "infra/**"
+
+concurrency: eks-tenant-infra
+
+jobs:
+  # gp-nonprod
+  gp-nonprod-ap-northeast-1:
+    uses: CondeNast/global-workflows/.github/workflows/[email protected]
+    with:
+      version: 1-1.2.6
+      environment_plan: gp-nonprod-readonly
+      environment_apply: gp-nonprod-protected
+      infra_dir: gp-nonprod/ap-northeast-1
+      working_dir: infra
+      aws_default_region: ap-northeast-1
+      main_branch: main
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      ecr_aws_access_key_id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ecr_aws_secret_access_key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      terraform_modules_deploy_key: ${{ secrets.GLOBAL_TERRAFORM_MODULES_DEPLOY_KEY }}
+  gp-nonprod-eu-central-1:
+    uses: CondeNast/global-workflows/.github/workflows/[email protected]
+    with:
+      version: 1-1.2.6
+      environment_plan: gp-nonprod-readonly
+      environment_apply: gp-nonprod-protected
+      infra_dir: gp-nonprod/eu-central-1
+      working_dir: infra
+      aws_default_region: eu-central-1
+      main_branch: main
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      ecr_aws_access_key_id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ecr_aws_secret_access_key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      terraform_modules_deploy_key: ${{ secrets.GLOBAL_TERRAFORM_MODULES_DEPLOY_KEY }}
+  gp-nonprod-us-east-1:
+    uses: CondeNast/global-workflows/.github/workflows/[email protected]
+    with:
+      version: 1-1.2.6
+      environment_plan: gp-nonprod-readonly
+      environment_apply: gp-nonprod-protected
+      infra_dir: gp-nonprod/us-east-1
+      working_dir: infra
+      aws_default_region: us-east-1
+      main_branch: main
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      ecr_aws_access_key_id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ecr_aws_secret_access_key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      terraform_modules_deploy_key: ${{ secrets.GLOBAL_TERRAFORM_MODULES_DEPLOY_KEY }}
+  # gp-prod
+  gp-prod-ap-northeast-1:
+    needs: gp-nonprod-ap-northeast-1
+    uses: CondeNast/global-workflows/.github/workflows/[email protected]
+    with:
+      version: 1-1.2.6
+      environment_plan: gp-prod-readonly
+      environment_apply: gp-prod-protected
+      infra_dir: gp-prod/ap-northeast-1
+      working_dir: infra
+      aws_default_region: ap-northeast-1
+      main_branch: main
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      ecr_aws_access_key_id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ecr_aws_secret_access_key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      terraform_modules_deploy_key: ${{ secrets.GLOBAL_TERRAFORM_MODULES_DEPLOY_KEY }}
+  gp-prod-eu-central-1:
+    needs: gp-nonprod-eu-central-1
+    uses: CondeNast/global-workflows/.github/workflows/[email protected]
+    with:
+      version: 1-1.2.6
+      environment_plan: gp-prod-readonly
+      environment_apply: gp-prod-protected
+      infra_dir: gp-prod/eu-central-1
+      working_dir: infra
+      aws_default_region: eu-central-1
+      main_branch: main
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      ecr_aws_access_key_id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ecr_aws_secret_access_key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      terraform_modules_deploy_key: ${{ secrets.GLOBAL_TERRAFORM_MODULES_DEPLOY_KEY }}
+  gp-prod-us-east-1:
+    needs: gp-nonprod-us-east-1
+    uses: CondeNast/global-workflows/.github/workflows/[email protected]
+    with:
+      version: 1-1.2.6
+      environment_plan: gp-prod-readonly
+      environment_apply: gp-prod-protected
+      infra_dir: gp-prod/us-east-1
+      working_dir: infra
+      aws_default_region: us-east-1
+      main_branch: main
+    secrets:
+      aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      ecr_aws_access_key_id: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ecr_aws_secret_access_key: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      terraform_modules_deploy_key: ${{ secrets.GLOBAL_TERRAFORM_MODULES_DEPLOY_KEY }}

Dockerfile

@@ -1,12 +1,57 @@
-FROM golang:1.23.2-alpine3.20@sha256:9dd2625a1ff2859b8d8b01d8f7822c0f528942fe56cfe7a1e7c38d3b8d72d679 as permify-builder
-WORKDIR /go/src/app
-RUN apk update && apk add --no-cache git
+# FROM golang:1.23.2-alpine3.20@sha256:9dd2625a1ff2859b8d8b01d8f7822c0f528942fe56cfe7a1e7c38d3b8d72d679 as permify-builder
+# WORKDIR /go/src/app
+# RUN apk update && apk add --no-cache git
+# COPY . .
+# RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build -v ./cmd/permify/
+
+# FROM cgr.dev/chainguard/static:latest@sha256:d07036a3beff43183f49bce5b2a0bd945f2ffe6e76f734ebd040059a40d371bc
+# COPY --from=ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.28 /ko-app/grpc-health-probe /usr/local/bin/grpc_health_probe
+# COPY --from=permify-builder /go/src/app/permify /usr/local/bin/permify
+# ENV PATH="$PATH:/usr/local/bin"
+# ENTRYPOINT ["permify"]
+# CMD ["serve"]
+
+
+# Use the official Golang image for building the project
+FROM golang:1.20 AS builder
+
+# Set the working directory inside the container
+WORKDIR /app
+
+# Copy the go.mod and go.sum files to download dependencies
+COPY go.mod go.sum ./
+
+# Download dependencies
+RUN go mod download
+
+# Copy the rest of the source code into the container
 COPY . .
-RUN --mount=type=cache,target=/root/.cache/go-build --mount=type=cache,target=/go/pkg/mod CGO_ENABLED=0 go build -v ./cmd/permify/
-
-FROM cgr.dev/chainguard/static:latest@sha256:d07036a3beff43183f49bce5b2a0bd945f2ffe6e76f734ebd040059a40d371bc
-COPY --from=ghcr.io/grpc-ecosystem/grpc-health-probe:v0.4.28 /ko-app/grpc-health-probe /usr/local/bin/grpc_health_probe
-COPY --from=permify-builder /go/src/app/permify /usr/local/bin/permify
-ENV PATH="$PATH:/usr/local/bin"
-ENTRYPOINT ["permify"]
-CMD ["serve"]
+
+# Build the Permify binary
+RUN go build -o permify ./cmd/permify/main.go
+
+# Use a smaller base image for the final container
+FROM debian:buster-slim
+
+# Install necessary tools
+RUN apt-get update && apt-get install -y ca-certificates curl && rm -rf /var/lib/apt/lists/*
+
+# Set environment variables
+ENV PORT=8080
+ENV PING_PATH=/ping
+
+# Expose port 8080 for the service
+EXPOSE 8080
+
+# Set the working directory
+WORKDIR /app
+
+# Copy the built binary from the builder stage
+COPY --from=builder /app/permify /app/permify
+
+# Healthcheck to ping the /ping endpoint
+HEALTHCHECK --interval=30s --timeout=10s --start-period=5s \
+    CMD curl --fail http://localhost:8080/ping || exit 1
+
+# Run Permify with the appropriate configuration
+CMD ["/app/permify", "serve", "--http-port", "8080"]

infra/gp-nonprod/ap-northeast-1/ecr/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-6f01bce1"
+dynamodb_table = "tenant-engagement-lock-table-6f01bce1"
+key            = "permify/ap-northeast-1/ecr.tfstate"
+region         = "ap-northeast-1"

infra/gp-nonprod/ap-northeast-1/ecr/terraform.tfvars

@@ -0,0 +1,2 @@
+account_id = "166755036155"
+region     = "ap-northeast-1"

infra/gp-nonprod/ap-northeast-1/eks-role/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-6f01bce1"
+dynamodb_table = "tenant-engagement-lock-table-6f01bce1"
+key            = "permify/ap-northeast-1/eks-role.tfstate"
+region         = "ap-northeast-1"

infra/gp-nonprod/ap-northeast-1/eks-role/terraform.tfvars

@@ -0,0 +1,3 @@
+account_id       = "166755036155"
+region           = "ap-northeast-1"
+eks_cluster_name = "gp-nonprod-ap-0"

infra/gp-nonprod/eu-central-1/ecr/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-6f01bce1"
+dynamodb_table = "tenant-engagement-lock-table-6f01bce1"
+key            = "permify/eu-central-1/ecr.tfstate"
+region         = "ap-northeast-1"

infra/gp-nonprod/eu-central-1/ecr/terraform.tfvars

@@ -0,0 +1,2 @@
+account_id = "166755036155"
+region     = "eu-central-1"

infra/gp-nonprod/eu-central-1/eks-role/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-6f01bce1"
+dynamodb_table = "tenant-engagement-lock-table-6f01bce1"
+key            = "permify/eu-central-1/eks-role.tfstate"
+region         = "ap-northeast-1"

infra/gp-nonprod/eu-central-1/eks-role/terraform.tfvars

@@ -0,0 +1,3 @@
+account_id       = "166755036155"
+region           = "eu-central-1"
+eks_cluster_name = "gp-nonprod-eu-0"

infra/gp-nonprod/us-east-1/ecr/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-6f01bce1"
+dynamodb_table = "tenant-engagement-lock-table-6f01bce1"
+key            = "permify/us-east-1/ecr.tfstate"
+region         = "ap-northeast-1"

infra/gp-nonprod/us-east-1/ecr/terraform.tfvars

@@ -0,0 +1,2 @@
+account_id = "166755036155"
+region     = "us-east-1"

infra/gp-nonprod/us-east-1/eks-role/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-6f01bce1"
+dynamodb_table = "tenant-engagement-lock-table-6f01bce1"
+key            = "permify/us-east-1/eks-role.tfstate"
+region         = "ap-northeast-1"

infra/gp-nonprod/us-east-1/eks-role/terraform.tfvars

@@ -0,0 +1,3 @@
+account_id       = "166755036155"
+region           = "us-east-1"
+eks_cluster_name = "gp-nonprod-na-0"

infra/gp-nonprod/us-east-1/secret/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-6f01bce1"
+dynamodb_table = "tenant-engagement-lock-table-6f01bce1"
+key            = "permify/us-east-1/secret.tfstate"
+region         = "ap-northeast-1"

infra/gp-nonprod/us-east-1/secret/terraform.tfvars

@@ -0,0 +1,3 @@
+account_id      = "166755036155"
+region          = "us-east-1"
+replica_regions = ["eu-central-1", "ap-northeast-1"]

infra/gp-prod/ap-northeast-1/ecr/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-3f4c9e9d"
+dynamodb_table = "tenant-engagement-lock-table-3f4c9e9d"
+key            = "permify/ap-northeast-1/ecr.tfstate"
+region         = "us-east-1"

infra/gp-prod/ap-northeast-1/ecr/terraform.tfvars

@@ -0,0 +1,2 @@
+account_id = "262764850394"
+region     = "ap-northeast-1"

infra/gp-prod/ap-northeast-1/eks-role/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-3f4c9e9d"
+dynamodb_table = "tenant-engagement-lock-table-3f4c9e9d"
+key            = "permify/ap-northeast-1/eks-role.tfstate"
+region         = "us-east-1"

infra/gp-prod/ap-northeast-1/eks-role/terraform.tfvars

@@ -0,0 +1,3 @@
+account_id       = "262764850394"
+region           = "ap-northeast-1"
+eks_cluster_name = "gp-prod-ap-0"

infra/gp-prod/eu-central-1/ecr/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-3f4c9e9d"
+dynamodb_table = "tenant-engagement-lock-table-3f4c9e9d"
+key            = "permify/eu-central-1/ecr.tfstate"
+region         = "us-east-1"

infra/gp-prod/eu-central-1/ecr/terraform.tfvars

@@ -0,0 +1,2 @@
+account_id = "262764850394"
+region     = "eu-central-1"

infra/gp-prod/eu-central-1/eks-role/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-3f4c9e9d"
+dynamodb_table = "tenant-engagement-lock-table-3f4c9e9d"
+key            = "permify/eu-central-1/eks-role.tfstate"
+region         = "us-east-1"

infra/gp-prod/eu-central-1/eks-role/terraform.tfvars

@@ -0,0 +1,3 @@
+account_id       = "262764850394"
+region           = "eu-central-1"
+eks_cluster_name = "gp-prod-eu-0"

infra/gp-prod/us-east-1/ecr/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-3f4c9e9d"
+dynamodb_table = "tenant-engagement-lock-table-3f4c9e9d"
+key            = "permify/us-east-1/ecr.tfstate"
+region         = "us-east-1"

infra/gp-prod/us-east-1/ecr/terraform.tfvars

@@ -0,0 +1,2 @@
+account_id = "262764850394"
+region     = "us-east-1"

infra/gp-prod/us-east-1/eks-role/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-3f4c9e9d"
+dynamodb_table = "tenant-engagement-lock-table-3f4c9e9d"
+key            = "permify/us-east-1/eks-role.tfstate"
+region         = "us-east-1"

infra/gp-prod/us-east-1/eks-role/terraform.tfvars

@@ -0,0 +1,3 @@
+account_id       = "262764850394"
+region           = "us-east-1"
+eks_cluster_name = "gp-prod-na-0"

infra/gp-prod/us-east-1/secret/backend.tfvars

@@ -0,0 +1,4 @@
+bucket         = "tenant-engagement-state-bucket-3f4c9e9d"
+dynamodb_table = "tenant-engagement-lock-table-3f4c9e9d"
+key            = "permify/us-east-1/secret.tfstate"
+region         = "us-east-1"

infra/gp-prod/us-east-1/secret/terraform.tfvars

@@ -0,0 +1,3 @@
+account_id      = "262764850394"
+region          = "us-east-1"
+replica_regions = ["eu-central-1", "ap-northeast-1"]

infra/terraform/ecr/main.tf

@@ -0,0 +1,6 @@
+module "ecr" {
+  source                 = "[email protected]:CondeNast/global-terraform-modules.git//modules/ecr?ref=ecr/1.2.0"
+  tenant_prefix          = var.tenant_prefix
+  name                   = var.name
+  lifecycle_policy_rules = var.lifecycle_policy_rules
+}