ci: Added new input variables.

Author: jamesiarmes

.github/workflows/branch.yaml

@@ -95,14 +95,6 @@ jobs:
     steps:
       - name: Checkout source code
         uses: actions/checkout@v4
-      - name: GHAS not enabled warning
-        if: ${{ !github.event.repository.security_and_analysis.advanced_security_enabled && github.event.repository.private }}
-        run: |
-          echo "Warning: GitHub Advanced Security is not enabled. Please enable it to upload SARIF results."
-      - name: GHAS enabled notice
-        if: ${{ github.event.repository.security_and_analysis.advanced_security_enabled || !github.event.repository.private }}
-        run: |
-          echo "GitHub Advanced Security is enabled. SARIF results will be uploaded to the Security tab on the main branch."
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/[email protected]
         with:

.github/workflows/deploy.yaml

@@ -36,10 +36,12 @@ jobs:
       AWS_REGION: ${{ secrets.AWS_REGION }}
       AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
       TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+      TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
       TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
       TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
       TF_VAR_ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
       TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+      TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
       TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
       TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
       TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
@@ -80,19 +82,22 @@ jobs:
           # For any of these that have a value, the corresponding TF_VAR_*
           # environment variable will be set.
           APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+          CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
           DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
           DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
           ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
           EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
           KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
           PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
           PROJECT: ${{ secrets.TF_VAR_PROJECT }}
           REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
         run: |
           variables=(
-            "apply_database_updates_immediately" "database_skip_final_snapshot"
-            "deletion_protection" "environment" "export_expiration"
-            "key_recovery_period" "program" "project" "repository"
+            "apply_database_updates_immediately" "consumer_container_count"
+            "database_skip_final_snapshot" "deletion_protection" "environment"
+            "export_expiration" "image_tags_mutable" "key_recovery_period"
+            "program" "project" "repository"
           )
           for var in ${variables[@]}; do
             name="$(echo $var | tr '[:lower:]' '[:upper:]')"

.github/workflows/plan.yaml

@@ -18,6 +18,8 @@ on:
       AWS_ROLE_ARN:
       TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY:
         required: false
+      TF_VAR_CONSUMER_CONTAINER_COUNT:
+        required: false
       TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT:
         required: false
       TF_VAR_DELETION_PROTECTION:
@@ -26,6 +28,8 @@ on:
         required: false
       TF_VAR_EXPORT_EXPIRATION:
         required: false
+      TF_VAR_IMAGE_TAGS_MUTABLE:
+        required: false
       TF_VAR_KEY_RECOVERY_PERIOD:
         required: false
       TF_VAR_PROGRAM:
@@ -90,19 +94,22 @@ jobs:
           # For any of these that have a value, the corresponding TF_VAR_*
           # environment variable will be set.
           APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
+          CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
           DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
           DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
           ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
           EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
+          IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
           KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
           PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
           PROJECT: ${{ secrets.TF_VAR_PROJECT }}
           REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
         run: |
           variables=(
-            "apply_database_updates_immediately" "database_skip_final_snapshot"
-            "deletion_protection" "environment" "export_expiration"
-            "key_recovery_period" "program" "project" "repository"
+            "apply_database_updates_immediately" "consumer_container_count"
+            "database_skip_final_snapshot" "deletion_protection" "environment"
+            "export_expiration" "image_tags_mutable" "key_recovery_period"
+            "program" "project" "repository"
           )
           for var in ${variables[@]}; do
             name="$(echo $var | tr '[:lower:]' '[:upper:]')"

tofu/config/service/main.tf

@@ -18,16 +18,18 @@ module "inputs" {
 module "system" {
   source = "../../modules/system"
 
-  environment         = var.environment
-  project             = var.project
-  export_expiration   = var.export_expiration
-  key_recovery_period = var.key_recovery_period
-  logging_bucket      = module.inputs.values["logging/bucket"]
-  logging_key_arn     = module.inputs.values["logging/key"]
-  tags                = merge({ awsApplication : module.inputs.values["application/tag"] }, var.tags)
-  vpc_id              = module.inputs.values["vpc/id"]
-  database_subnets    = split(",", module.inputs.values["vpc/private_subnets"])
-  container_subnets   = split(",", module.inputs.values["vpc/private_subnets"])
+  environment              = var.environment
+  project                  = var.project
+  export_expiration        = var.export_expiration
+  key_recovery_period      = var.key_recovery_period
+  logging_bucket           = module.inputs.values["logging/bucket"]
+  logging_key_arn          = module.inputs.values["logging/key"]
+  tags                     = merge({ awsApplication : module.inputs.values["application/tag"] }, var.tags)
+  vpc_id                   = module.inputs.values["vpc/id"]
+  database_subnets         = split(",", module.inputs.values["vpc/private_subnets"])
+  container_subnets        = split(",", module.inputs.values["vpc/private_subnets"])
+  consumer_container_count = var.consumer_container_count
+  image_tags_mutable       = var.image_tags_mutable
 
   apply_database_updates_immediately = var.apply_database_updates_immediately
   database_skip_final_snapshot       = var.database_skip_final_snapshot

tofu/config/service/variables.tf

@@ -4,6 +4,12 @@ variable "apply_database_updates_immediately" {
   default     = false
 }
 
+variable "consumer_container_count" {
+  type        = number
+  description = "Number of containers to run persistently for the consumer service."
+  default     = 1
+}
+
 variable "database_skip_final_snapshot" {
   type        = bool
   description = "Whether to skip the final snapshot when the database cluster is deleted."
@@ -28,6 +34,12 @@ variable "export_expiration" {
   description = "Number of days before export files expire."
 }
 
+variable "image_tags_mutable" {
+  type        = bool
+  description = "Whether to allow image tags to be mutable."
+  default     = false
+}
+
 variable "key_recovery_period" {
   type        = number
   default     = 30

tofu/modules/system/ecs.tf

@@ -47,15 +47,14 @@ module "ecs" {
 }
 
 module "tools" {
-  source = "../ephemeral_service"
+  source     = "../ephemeral_service"
+  depends_on = [aws_iam_policy.secrets]
 
   environment        = var.environment
   project            = var.project
   service            = "tools"
   execution_policies = [aws_iam_policy.secrets.arn]
-
-  # Until we get the database initialized.
-  image_tags_mutable = true
+  image_tags_mutable = var.image_tags_mutable
 
   environment_variables = {
     PGHOST : module.database.cluster_endpoint
@@ -70,14 +69,15 @@ module "tools" {
     SENZING_ENGINE_CONFIGURATION_JSON = module.senzing_config.ssm_parameter_arn
   }
 
-  # TODO: Do we need these?
+  # TODO: Do we need this?
   logging_key_id = var.logging_key_arn
 
   tags = var.tags
 }
 
 module "consumer" {
-  source = "../fargate_service"
+  source     = "../fargate_service"
+  depends_on = [aws_iam_policy.queue, aws_iam_policy.secrets]
 
   environment        = var.environment
   project            = var.project
@@ -88,10 +88,8 @@ module "consumer" {
   logging_key_id     = var.logging_key_arn
   cluster_arn        = module.ecs.arn
   security_groups    = [module.task_security_group.security_group_id]
-
-  # TODO: Until we get the database initialized.
-  desired_containers = 1
-  image_tags_mutable = true
+  desired_containers = var.consumer_container_count
+  image_tags_mutable = var.image_tags_mutable
 
   environment_variables = {
     Q_URL : module.sqs.queue_url

tofu/modules/system/variables.tf

@@ -4,6 +4,12 @@ variable "apply_database_updates_immediately" {
   default     = false
 }
 
+variable "consumer_container_count" {
+  type        = number
+  description = "Number of containers to run persistently for the consumer service."
+  default     = 1
+}
+
 variable "container_subnets" {
   description = "The IDs of the subnets in which the container resources should be deployed."
   type        = list(string)
@@ -83,6 +89,12 @@ variable "export_lock_period" {
   }
 }
 
+variable "image_tags_mutable" {
+  type        = bool
+  description = "Whether to allow image tags to be mutable."
+  default     = false
+}
+
 variable "key_recovery_period" {
   type        = number
   default     = 30