feat: add CodeBuild GitHub Runner for status checks (#284)

Add Terraform to manage a CodeBuild project.  This project will provide a
serverless GitHub runner for the Upptime status check workflow.

The goal is to have the runner executing in AWS infrastructure as it is less
likely that it will be blocked by the AWS WAF managed IP reputation rule group.

.devcontainer/devcontainer.json

@@ -0,0 +1,27 @@
+{
+  "name": "status-statut",
+  "image": "mcr.microsoft.com/devcontainers/base:bullseye@sha256:f485b76ec2971017849252b494e61f4b7d97cd75d094db8161c34343edc026e9",
+  "containerEnv": {
+    "SHELL": "/bin/zsh"
+  },
+  "features": {
+    "ghcr.io/devcontainers/features/aws-cli:1": {
+      "version": "latest"
+    },
+    "ghcr.io/devcontainers/features/terraform:1": {
+      "version": "1.10.5",
+      "terragrunt": "0.72.9"
+    }
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "hashicorp.terraform",
+        "github.copilot",
+        "github.vscode-github-actions",
+        "hashicorp.hcl"
+      ]
+    }
+  },
+  "remoteUser": "vscode"
+}

.github/workflows/terraform-apply.yml

@@ -0,0 +1,42 @@
+name: "Terraform apply"
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-apply.yml"
+
+env:
+  AWS_REGION: ca-central-1
+  CONFTEST_VERSION: 0.27.0
+  TERRAFORM_VERSION: 1.10.5
+  TERRAGRUNT_VERSION: 0.72.9
+  TF_INPUT: false
+  TF_VAR_github_personal_access_token: ${{ secrets.CODEBUILD_RUNNER_PERSONAL_ACCESS_TOKEN }}
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  terraform-apply:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup terraform tools
+        uses: cds-snc/terraform-tools-setup@v1
+
+      - name: Configure AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::283582579564:role/status-statut-apply
+          role-session-name: TFApply
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Terragrunt apply
+        working-directory: "terraform"
+        run: terragrunt apply --terragrunt-non-interactive -auto-approve

.github/workflows/terraform-plan.yml

@@ -0,0 +1,48 @@
+name: "Terraform plan"
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "terraform/**"
+      - ".github/workflows/terraform-plan.yml"
+
+env:
+  AWS_REGION: ca-central-1
+  CONFTEST_VERSION: 0.27.0
+  TERRAFORM_VERSION: 1.10.5
+  TERRAGRUNT_VERSION: 0.72.9
+  TF_INPUT: false
+  TF_VAR_github_personal_access_token: ${{ secrets.CODEBUILD_RUNNER_PERSONAL_ACCESS_TOKEN }}
+
+permissions:
+  id-token: write
+  contents: read
+  pull-requests: write
+
+jobs:
+  terraform-plan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Setup terraform tools
+        uses: cds-snc/terraform-tools-setup@v1
+
+      - name: Configure AWS credentials using OIDC
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          role-to-assume: arn:aws:iam::283582579564:role/status-statut-plan
+          role-session-name: TFPlan
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Terragrunt plan
+        uses: cds-snc/terraform-plan@d79bcf0eccf632a0ad9e9193072b42c970766c5b # v3.3.1
+        with:
+          directory: "terraform"
+          comment-delete: "true"
+          comment-title: "Terraform: GitHub Runner :octocat:"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          terragrunt: "true"

.gitignore

@@ -0,0 +1,5 @@
+# Terraform
+.terragrunt-cache
+.terraform
+*.tfstate
+*.tfvars

terraform/codebuild.tf

@@ -0,0 +1,9 @@
+module "github_runner" {
+  source = "github.com/cds-snc/terraform-modules//codebuild_github_runner?ref=v10.3.0"
+
+  project_name                 = "cds-snc-status-statut"
+  github_repository_url        = "https://github.com/cds-snc/status-statut.git"
+  github_personal_access_token = var.github_personal_access_token
+
+  billing_tag_value = "SRE"
+}

terraform/provider.tf

@@ -0,0 +1,12 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.0"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.region
+}

terraform/terragrunt.hcl

@@ -0,0 +1,26 @@
+locals {
+  region = "ca-central-1"
+}
+
+terraform {
+  source = "."
+}
+
+inputs = {
+  region = local.region
+}
+
+remote_state {
+  backend = "s3"
+  generate = {
+    path      = "backend.tf"
+    if_exists = "overwrite_terragrunt"
+  }
+  config = {
+    encrypt             = true
+    bucket              = "status-statut-tf"
+    use_lockfile        = true
+    region              = local.region
+    key                 = "./terraform.tfstate"
+  }
+}

terraform/variables.tf

@@ -0,0 +1,10 @@
+variable "github_personal_access_token" {
+  description = "The GitHub personal access token to use for the CodeBuild project"
+  type        = string
+  sensitive   = true
+}
+
+variable "region" {
+  description = "The AWS region to deploy to"
+  type        = string
+}