Stage-to-Main: Enable Multi-Region ECR Deploys

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,30 +1,30 @@
-#### Developer Checklist
+## Developer Checklist
 
 - [ ] The README contains any additional info needed outside of the terraform docs generated
 - [ ] Any special variables have values configured in AWS SSM
 - [ ] Stakeholder approval has been confirmed (or is not needed)
 
-#### What does this PR do?
+## What does this PR do?
 
 A few sentences describing the overall goals of the pull request's commits.
 Why are we making these changes? Is there more work to be done to fully
 achieve these goals?
 
-#### Helpful background context
+## Helpful background context
 
 Describe any additional context beyond what the PR accomplishes if it is likely
 to be useful to a reviewer.
 
 Delete this section if it isn't applicable to the PR.
 
-#### What are the relevant tickets?
+## What are the relevant tickets?
 
 Include links to Jira Software and/or Jira Service Management tickets here.
 
-#### Requires Database Migrations?
+## Requires Database Migrations?
 
 YES | NO
 
-#### Includes new or updated dependencies?
+## Includes new or updated dependencies?
 
 YES | NO

README.md

@@ -132,7 +132,7 @@ This is a core infrastructure repository that defines infrastructure related to
 
 * Owner: See [CODEOWNERS](./.github/CODEOWNERS)
 * Team: See [CODEOWNERS](./.github/CODEOWNERS)
-* Last Maintenance: 2025-03
+* Last Maintenance: 2025-05
 
 ## TF markdown is automatically inserted at the bottom of this file, nothing should be written beyond this point
 
@@ -161,6 +161,7 @@ This is a core infrastructure repository that defines infrastructure related to
 | ecr\_carbon | ./modules/ecr | n/a |
 | ecr\_cdps\_curt | ./modules/ecr | n/a |
 | ecr\_cdps\_s3\_bagit\_validator | ./modules/ecr | n/a |
+| ecr\_cdps\_s3\_bagit\_validator\_west | ./modules/ecr | n/a |
 | ecr\_creditcardslips | ./modules/ecr | n/a |
 | ecr\_dsc | ./modules/ecr | n/a |
 | ecr\_dss | ./modules/ecr | n/a |
@@ -269,9 +270,13 @@ This is a core infrastructure repository that defines infrastructure related to
 | ppod\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the ppod repo |
 | ppod\_stage\_build\_workflow | Full contents of the stage-build.yml for the ppod repo |
 | s3\_bagit\_validator\_dev\_build\_workflow | Full contents of the dev-build.yml for the s3-bagit-validator repo |
+| s3\_bagit\_validator\_dev\_build\_workflow\_west | Additional job for the dev-build.yml for the s3-bagit-validator repo to deploy in us-west-2 |
 | s3\_bagit\_validator\_makefile | Full contents of the Makefile for the s3-bagit-validator repo (allows devs to push to Dev account only) |
+| s3\_bagit\_validator\_makefile\_west | Full contents of the Makefile for the s3-bagit-validator repo (allows devs to push to Dev account only) |
 | s3\_bagit\_validator\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the s3-bagit-validator repo |
+| s3\_bagit\_validator\_prod\_promote\_workflow\_west | Additional job for the prod-promote.yml for the s3-bagit-validator repo to deploy in us-west-2 |
 | s3\_bagit\_validator\_stage\_build\_workflow | Full contents of the stage-build.yml for the s3-bagit-validator repo |
+| s3\_bagit\_validator\_stage\_build\_workflow\_west | Additional job for the stage-build.yml for the s3-bagit-validator repo to deploy in us-west-2 |
 | sapinvoices\_dev\_build\_workflow | Full contents of the dev-build.yml for the alma-sapinvoices repo |
 | sapinvoices\_makefile | Full contents of the Makefile for the alma-sapinvoices repo (allows devs to push to Dev account only) |
 | sapinvoices\_prod\_promote\_workflow | Full contents of the prod-promote.yml for the alma-sapinvoices repo |

cdps_ecrs_west.tf

@@ -0,0 +1,68 @@
+##############################################################################
+# s3-bagit-validator for the CDPS project in the us-west-2 region
+# We use the same locals block as the _default
+
+module "ecr_cdps_s3_bagit_validator_west" {
+  source = "./modules/ecr"
+  providers = {
+    aws = aws.west-2
+  }
+  repo_name         = "s3-bagit-validator"
+  login_policy_arn  = aws_iam_policy.login.arn
+  oidc_arn          = data.aws_ssm_parameter.oidc_arn.value
+  environment       = var.environment
+  tfoutput_ssm_path = var.tfoutput_ssm_path
+  tags = {
+    app-repo = "s3-bagit-validator"
+  }
+}
+
+## For s3-bagit-validator application repo and ECR repository in us-west-2
+# Outputs in dev
+output "s3_bagit_validator_dev_build_workflow_west" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-extra-region.tpl", {
+    region   = "us-west-2"
+    role     = module.ecr_cdps_s3_bagit_validator.gha_role
+    ecr      = module.ecr_cdps_s3_bagit_validator_west.repository_name
+    function = local.ecr_cdps_s3_bagit_validator_function_name
+    }
+  )
+  description = "Additional job for the dev-build.yml for the s3-bagit-validator repo to deploy in us-west-2"
+}
+
+output "s3_bagit_validator_makefile_west" {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-extra-region.tpl", {
+    region   = "us-west-2"
+    ecr_name = module.ecr_cdps_s3_bagit_validator_west.repository_name
+    ecr_url  = module.ecr_cdps_s3_bagit_validator_west.repository_url
+    function = local.ecr_cdps_s3_bagit_validator_function_name
+    }
+  )
+  description = "Full contents of the Makefile for the s3-bagit-validator repo (allows devs to push to Dev account only)"
+}
+
+# Outputs in stage
+output "s3_bagit_validator_stage_build_workflow_west" {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-extra-region.tpl", {
+    region   = "us-west-2"
+    role     = module.ecr_cdps_s3_bagit_validator.gha_role
+    ecr      = module.ecr_cdps_s3_bagit_validator_west.repository_name
+    function = local.ecr_cdps_s3_bagit_validator_function_name
+    }
+  )
+  description = "Additional job for the stage-build.yml for the s3-bagit-validator repo to deploy in us-west-2"
+}
+
+# Outputs after promotion to prod
+output "s3_bagit_validator_prod_promote_workflow_west" {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-extra-region.tpl", {
+    region     = "us-west-2"
+    role_stage = "${module.ecr_cdps_s3_bagit_validator_west.repo_name}-gha-stage"
+    role_prod  = "${module.ecr_cdps_s3_bagit_validator_west.repo_name}-gha-prod"
+    ecr_stage  = "${module.ecr_cdps_s3_bagit_validator_west.repo_name}-stage"
+    ecr_prod   = "${module.ecr_cdps_s3_bagit_validator_west.repo_name}-prod"
+    function   = local.ecr_cdps_s3_bagit_validator_function_name
+    }
+  )
+  description = "Additional job for the prod-promote.yml for the s3-bagit-validator repo to deploy in us-west-2"
+}

docs/adrs/0004-make-repo-multi-region.md

@@ -0,0 +1,23 @@
+# 4. Make repository mulit-region capable
+
+Date: 2025-05-06
+
+## Status
+
+Proposed
+
+## Context
+
+We are now at the place in our infrastructure that we need to be able to deploy ECR repositories in  multiple AWS regions so that we can deploy containerized applications (Fargate & Lambda) in mulitple regions. This is primarly driven by the CDPS project, but will be available to any other project that expects containers in more than just `us-east-1`.
+
+As we extend this to multiple regions, it is **very import** that we do not modify any of the existing outputs from this repository, either to SSM Parameter Store or to Terraform Cloud outputs -- too many other repositories are already dependent on those values and would all need refactoring if any of the outputs change.
+
+## Decision
+
+1. Add additional provider blocks in the root of the repository, as needed.
+1. Update the embedded `ecr` module to handle ECR repository creation for containers that need to be deployed in multiple AWS regions.
+1. Update the generated GHA workflows and Makefile outputs to support multiple AWS regions.
+
+## Consequences
+
+If this is done correctly, there will be no consequences.

files/dev-build-extra-region.tpl

@@ -0,0 +1,15 @@
+### This is the Terraform-generated extra workflow job for the
+### ${ecr} app repository.
+### This should be added to jobs section of the dev-build.yml.
+### If this is a Lambda function, uncomment the FUNCTION: line
+
+  deploy-${region}:
+    name: Dev Container Deploy ${region}
+    uses: mitlibraries/.github/.github/workflows/ecr-shared-deploy-dev.yml@main
+    secrets: inherit
+    with:
+      AWS_REGION: "${region}"
+      GHA_ROLE: "${role}"
+      ECR: "${ecr}"
+      # FUNCTION: "${function}"
+      # PREBUILD: 

files/makefile-extra-region.tpl

@@ -0,0 +1,19 @@
+### Add the following lines to the Makefile header:
+ECR_URL_OTHER_DEV:=${ecr_url}
+### End of Terraform-generated header
+
+
+### Add the following lines to the docker build command in the dist-dev command
+	    -t $(ECR_URL_OTHER_DEV):latest \
+		-t $(ECR_URL_OTHER_DEV):`git describe --always` \
+
+
+### Add the following lines to the publish-dev command:
+publish-dev: dist-dev ## Build, tag and push (intended for developer-based manual publish)
+	docker login -u AWS -p $$(aws ecr get-login-password --region ${region}) $(ECR_URL_OTHER_DEV)
+	docker push $(ECR_URL_OTHER_DEV):latest
+	docker push $(ECR_URL_OTHER_DEV):`git describe --always`
+
+
+### Add the following line to the update-lambda-dev command if this is a Lambda Function
+#	aws lambda update-function-code --region ${region} --function-name $(FUNCTION_DEV) --image-uri $(ECR_URL_OTHER_DEV):latest