UCEAP · kurowski · Oct 24, 2025 · May 15, 2025 · May 21, 2025 · May 30, 2025
diff --git a/.devcontainer/onCreate.sh b/.devcontainer/onCreate.sh
@@ -1,26 +1,21 @@
 #!/bin/bash
 set -eo pipefail
 
-# Download and extract files
-if [ -z "$TERMINUS_TOKEN" ]; then
-  # Fallback to DEVOPS_TERMINUS_TOKEN if personal token is not set (intended for Codespaces).
-  if [ -z "$DEVOPS_TERMINUS_TOKEN" ]; then
-    echo "Please set the TERMINUS_TOKEN environment variable."
-    exit 1
-  fi
-  export TERMINUS_TOKEN=$DEVOPS_TERMINUS_TOKEN
-fi
-terminus auth:login --machine-token=$TERMINUS_TOKEN
-export TERMINUS_ENV="dev"
-terminus backup:get --element=files --to=files.tar.gz
-tar zx --no-same-permissions --strip-components 1 -C web/sites/default/files -f files.tar.gz
-rm files.tar.gz
+# Install Terraform
+# TODO move this into base image
 
-# no-same-permissions doesn't seem to work so we fix it here
-sudo find web/sites/default/files -type d -exec chmod g+ws {} +
-sudo find web/sites/default/files -type f -exec chmod g+w {} +
+sudo apt-get install -y gnupg
+wget -O- https://apt.releases.hashicorp.com/gpg | \
+  gpg --dearmor | \
+  sudo tee /usr/share/keyrings/hashicorp-archive-keyring.gpg > /dev/null
+gpg --no-default-keyring \
+  --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg \
+  --fingerprint
+echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | \
+  sudo tee /etc/apt/sources.list.d/hashicorp.list > /dev/null
+sudo apt update
+sudo apt-get install -y terraform
 
-# Set up infrastructure tooling
+# Install AWS CLI
 # TODO move this into base image
-build/install-terraform.sh
-build/install-azure-cli.sh
+sudo apt-get install -y awscli
diff --git a/.devcontainer/postCreate.sh b/.devcontainer/postCreate.sh
diff --git a/.github/workflows/build_deploy_and_test.yml b/.github/workflows/build_deploy_and_test.yml
@@ -69,76 +69,32 @@ jobs:
   build_for_aws:
     name: Build for AWS
     runs-on: ubuntu-latest
-    if: false
-    permissions:
-      contents: read
-      packages: write
-    steps:
-      - uses: actions/checkout@v4
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-      - name: Log in to GitHub container registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-      - name: Lowercase the repo name and username
-        run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-      - name: Build and push container image to registry
-        uses: docker/build-push-action@v6
-        with:
-          push: true
-          tags: |
-            ghcr.io/${{ env.REPO }}-aws:${{ github.sha }}
-            ghcr.io/${{ env.REPO }}-aws:latest
-          file: ./Dockerfile
-          build-args: |
-            MYSQL_HOST=${{ vars.AWS_MYSQL_HOST }}
-            MYSQL_TCP_PORT=${{ vars.AWS_MYSQL_TCP_PORT }}
-            MYSQL_USER=${{ vars.AWS_MYSQL_USER }}
-            MYSQL_PASSWORD=${{ secrets.AWS_MYSQL_PASSWORD }}
-            MYSQL_DATABASE=${{ vars.AWS_MYSQL_DATABASE }}
-            REDIS_HOST=${{ vars.AWS_REDIS_HOST }}
-            REDIS_AUTH=${{ secrets.AWS_REDIS_AUTH }}
-            HASH_SALT=${{ secrets.AWS_HASH_SALT }}
-
-  build_for_azure:
-    name: Build for Azure
-    runs-on: ubuntu-latest
     if: github.ref_name == 'main'
     permissions:
       contents: read
-      packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      - name: Log in to GitHub container registry
-        uses: docker/login-action@v3
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ github.token }}
-      - name: Lowercase the repo name and username
-        run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-      - name: Build and push container image to registry
+          aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - name: Log in to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          mask-password: 'true'
+      - name: Build and push container image to ECR
         uses: docker/build-push-action@v6
         with:
           push: true
           tags: |
-            ghcr.io/${{ env.REPO }}-azure:${{ github.sha }}
-            ghcr.io/${{ env.REPO }}-azure:latest
+            ${{ vars.ECR_REPOSITORY_URL }}:${{ github.sha }}
+            ${{ vars.ECR_REPOSITORY_URL }}:latest
           file: ./Dockerfile
-          build-args: |
-            MYSQL_HOST=${{ vars.AZURE_MYSQL_HOST }}
-            MYSQL_TCP_PORT=${{ vars.AZURE_MYSQL_TCP_PORT }}
-            MYSQL_USER=${{ vars.AZURE_MYSQL_USER }}
-            MYSQL_PASSWORD=${{ secrets.AZURE_MYSQL_PASSWORD }}
-            MYSQL_DATABASE=${{ vars.AZURE_MYSQL_DATABASE }}
-            REDIS_HOST=${{ vars.AZURE_REDIS_HOST }}
-            REDIS_AUTH=${{ secrets.AZURE_REDIS_AUTH }}
-            HASH_SALT=${{ secrets.AZURE_HASH_SALT }}
 
   lint:
     name: Check lint
@@ -252,10 +208,16 @@ jobs:
           fi
           echo TERMINUS_ENV=$TERMINUS_ENV >> $GITHUB_ENV
           echo terminus_env=$TERMINUS_ENV >> $GITHUB_OUTPUT
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v2
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          TERMINUS_TOKEN: op://secrets-example/pantheon-terminus/credential
       - name: Create Pantheon environment
         env:
           TERMINUS_SITE: ${{ vars.TERMINUS_SITE }}
-          TERMINUS_TOKEN: ${{ secrets.TERMINUS_TOKEN }}
         run: |
           terminus -n auth:login --machine-token="$TERMINUS_TOKEN"
           set +e
@@ -278,12 +240,18 @@ jobs:
           name: deployment-build
       - name: Fix file modes
         run: find vendor/bin -type f | xargs chmod +x
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v2
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          TERMINUS_TOKEN: op://secrets-example/pantheon-terminus/credential
+          SSH_PRIVATE_KEY: op://secrets-example/pantheon-ssh/private key
       - name: deploy to Pantheon
         env:
-          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
           TERMINUS_SITE: ${{ vars.TERMINUS_SITE }}
-          TERMINUS_ENV: ${{needs.prepare_pantheon.outputs.terminus_env}}
-          TERMINUS_TOKEN: ${{ secrets.TERMINUS_TOKEN }}
+          TERMINUS_ENV: ${{ needs.prepare_pantheon.outputs.terminus_env }}
         run: |
           echo "$SSH_PRIVATE_KEY" > ../private.key
           chmod 600 ../private.key
@@ -300,36 +268,43 @@ jobs:
     if: github.ref_name == 'main'
     runs-on: ubuntu-latest
     needs: [build_for_aws]
+    permissions:
+      contents: read
     steps:
-      - name: Deploy to AWS
-        run: echo "Hello, world!"
-
-  deploy_to_azure:
-    name: Deploy to Azure
-    if: github.ref_name == 'main'
-    runs-on: ubuntu-latest
-    needs: [build_for_azure]
-    environment:
-      name: 'Development'
-      url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
-    steps:
-      - name: Lowercase the repo name and username
-        run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
-      - name: Deploy to Azure Web App
-        id: deploy-to-webapp
-        uses: azure/webapps-deploy@v2
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          app-name: ${{ env.AZURE_WEBAPP_NAME }}
-          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
-          images: 'ghcr.io/${{ env.REPO }}-azure:${{ github.sha }}'
-      - name: Drush deploy
+          aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: ${{ vars.AWS_REGION }}
+      - name: Update ECS service with new image
         run: |
-          az webapp create-remote-connection \
-            --resource-group drupal-example-stirred-dove \
-            --name drupal-example-precious-seasnail \
-            --port 16385 &
-          sleep 30
-          sshpass -pDocker\! ssh root@127.0.0.1 -m hmac-sha1 -p 16385 -o "StrictHostKeyChecking no" /var/www/vendor/bin/drush deploy
+          # Get the current task definition
+          TASK_DEF=$(aws ecs describe-task-definition \
+            --task-definition ${{ vars.AWS_ECS_TASK_DEFINITION }} \
+            --region ${{ vars.AWS_REGION }} \
+            --query 'taskDefinition' --output json)
+
+          # Update the image in the task definition
+          NEW_TASK_DEF=$(echo "$TASK_DEF" | jq \
+            --arg IMAGE "${{ vars.ECR_REPOSITORY_URL }}:${{ github.sha }}" \
+            '.containerDefinitions[0].image = $IMAGE |
+             del(.taskDefinitionArn, .revision, .status, .requiresAttributes, .compatibilities, .registeredAt, .registeredBy)')
+
+          # Register the new task definition
+          NEW_TASK_DEF_ARN=$(aws ecs register-task-definition \
+            --region ${{ vars.AWS_REGION }} \
+            --cli-input-json "$(echo "$NEW_TASK_DEF" | jq -c .)" \
+            --query 'taskDefinition.taskDefinitionArn' \
+            --output text)
+
+          # Update the ECS service to use the new task definition
+          aws ecs update-service \
+            --cluster ${{ vars.AWS_ECS_CLUSTER }} \
+            --service ${{ vars.AWS_ECS_SERVICE }} \
+            --task-definition "$NEW_TASK_DEF_ARN" \
+            --region ${{ vars.AWS_REGION }} \
+            --force-new-deployment
 
   e2e_test:
     name: Feature tests

diff --git a/.github/workflows/cleanup_multidevs.yml b/.github/workflows/cleanup_multidevs.yml
@@ -0,0 +1,28 @@
+name: Cleanup multidevs
+on:
+  pull_request:
+    types: [closed]
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  cleanup_multidevs:
+    name: Cleanup multidevs
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/uceap/devcontainer-drupal:main
+    steps:
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v2
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          TERMINUS_TOKEN: op://secrets-example/pantheon-terminus/credential
+      - name: Prune stale multidev environments
+        env:
+          TERMINUS_SITE: ${{ vars.TERMINUS_SITE }}
+          GH_TOKEN: ${{ github.token }}
+          GH_REPO: ${{ github.repository }}
+        run: uceap cleanup-multidevs
diff --git a/.github/workflows/deploy_to_live.yml b/.github/workflows/deploy_to_live.yml
@@ -6,10 +6,16 @@ jobs:
     container:
       image: ghcr.io/uceap/devcontainer-drupal:main
     env:
-      TERMINUS_TOKEN: ${{ secrets.TERMINUS_TOKEN }}
       TERMINUS_SITE: ${{ vars.TERMINUS_SITE }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
     steps:
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v2
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          TERMINUS_TOKEN: op://secrets-example/pantheon-terminus/credential
+          SSH_PRIVATE_KEY: op://secrets-example/pantheon-ssh/private key
       - name: Deploy to LIVE
         run: |
           echo "$SSH_PRIVATE_KEY" > ../private.key

diff --git a/.github/workflows/deploy_to_test.yml b/.github/workflows/deploy_to_test.yml
@@ -16,11 +16,16 @@ jobs:
     container:
       image: ghcr.io/uceap/devcontainer-drupal:main
     env:
-      TERMINUS_TOKEN: ${{ secrets.TERMINUS_TOKEN }}
       TERMINUS_SITE: ${{ vars.TERMINUS_SITE }}
-      SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
-      DRUSH_TASK: ${{ vars.DRUSH_TASK }}
     steps:
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v2
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          TERMINUS_TOKEN: op://secrets-example/pantheon-terminus/credential
+          SSH_PRIVATE_KEY: op://secrets-example/pantheon-ssh/private key
       - name: Sync content and deploy to TEST
         if: ${{ github.event.inputs.deployment_type == 'normal' }}
         run: |

diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,3 @@
-# check=skip=SecretsUsedInArgOrEnv
-
 FROM ghcr.io/uceap/devcontainer-drupal:v2.3.0
 
 # Install SSH server
@@ -12,23 +10,13 @@ RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
 COPY docker-uceap-entrypoint /usr/local/bin/docker-uceap-entrypoint
 ENTRYPOINT ["docker-uceap-entrypoint"]
 
-ARG MYSQL_HOST
-ARG MYSQL_TCP_PORT
-ARG MYSQL_USER
-ARG MYSQL_PASSWORD
-ARG MYSQL_DATABASE
-ARG REDIS_HOST
-ARG REDIS_AUTH
-ARG HASH_SALT
-
 COPY build /var/www/build
 COPY config /var/www/config
 COPY composer.json /var/www/
 COPY web /var/www/web
 
 WORKDIR /var/www
 
-RUN composer initialize-container && \
-  composer install --no-dev --no-interaction --no-progress --optimize-autoloader && \
+RUN composer install --no-dev --no-interaction --no-progress --optimize-autoloader && \
   sed -i 's-/var/www/html-/var/www/web-' /etc/apache2/sites-available/*.conf && \
   sed -i 's/# Listen\s*80$/Listen 80/' /etc/apache2/ports.conf