New GHA Templates

Why these changes are being introduced:
The new option to pick a CPU architecture for a container requires new
caller workflow templates and new Makefile commands for building and
deploying a container.

How this addresses that need:
* Create new template files for dev, stage, and prod GHA caller
workflows
* Create new Makefile commands (and remove the almost-never-used make
commands to build and push a container directly to Stage-Workloads)
* Update the outputs for the testing repository

Side effects of this change:
None.

Relevant ticket(s):
* https://mitlibraries.atlassian.net/browse/IN-1448

Author: cabutlermit

ect_workflow_text_ecr.tf renamed to ecr_workflow_test_ecr.tf

@@ -22,7 +22,7 @@ module "ecr_workflowtest" {
 ## For workflowtest application repo and ECR repository
 # Outputs in dev
 output "workflowtest_dev_build_workflow" {
-  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build.tpl", {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/dev-build-cpu-arch.tpl", {
     region   = var.aws_region
     role     = module.ecr_workflowtest.gha_role
     ecr      = module.ecr_workflowtest.repository_name
@@ -32,7 +32,7 @@ output "workflowtest_dev_build_workflow" {
   description = "Full contents of the dev-build.yml for the ecr-workflow-test repo"
 }
 output "workflowtest_makefile" {
-  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile.tpl", {
+  value = var.environment == "prod" || var.environment == "stage" ? null : templatefile("${path.module}/files/makefile-cpu-arch.tpl", {
     ecr_name = module.ecr_workflowtest.repository_name
     ecr_url  = module.ecr_workflowtest.repository_url
     function = ""
@@ -43,7 +43,7 @@ output "workflowtest_makefile" {
 
 # Outputs in stage
 output "workflowtest_stage_build_workflow" {
-  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build.tpl", {
+  value = var.environment == "prod" || var.environment == "dev" ? null : templatefile("${path.module}/files/stage-build-cpu-arch.tpl", {
     region   = var.aws_region
     role     = module.ecr_workflowtest.gha_role
     ecr      = module.ecr_workflowtest.repository_name
@@ -55,7 +55,7 @@ output "workflowtest_stage_build_workflow" {
 
 # Outputs after promotion to prod
 output "workflowtest_prod_promote_workflow" {
-  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote.tpl", {
+  value = var.environment == "stage" || var.environment == "dev" ? null : templatefile("${path.module}/files/prod-promote-cpu-arch.tpl", {
     region     = var.aws_region
     role_stage = "${module.ecr_workflowtest.repo_name}-gha-stage"
     role_prod  = "${module.ecr_workflowtest.repo_name}-gha-prod"

files/dev-build-cpu-arch-extra-region.tpl

@@ -0,0 +1,17 @@
+### This is the Terraform-generated extra workflow job for the             ###
+### ${ecr} app repository.                                                 ###
+### This should be added to jobs section of the dev-build.yml. If this is  ### 
+### a Lambda function, uncomment the FUNCTION: line                        ###
+
+  deploy-${region}:
+    needs: prep
+    name: Dev Deploy ${region}
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main
+    secrets: inherit
+    with:
+      AWS_REGION: "${region}"
+      GHA_ROLE: "${role}"
+      ECR: "${ecr}"
+      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # FUNCTION: "${function}"
+      # PREBUILD: 

files/dev-build-cpu-arch.tpl

@@ -0,0 +1,60 @@
+### This is the Terraform-generated dev-build.yml workflow for the         ### 
+### ${ecr} app repository.                                                 ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of    ### 
+### the document. If the container requires any additional pre-build       ### 
+### commands, uncomment and edit the PREBUILD line at the end of the       ###
+### document.                                                              ###
+
+name: Dev Container Build and Deploy
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+    paths-ignore:
+      - '.github/**'
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  prep:
+    name: Prep for Build
+    runs-on: ubuntu-latest
+    outputs: 
+      cpuarch: $${{ steps.setarch.outputs.cpuarch }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set CPU Architecture
+        id: setarch
+        run: |
+          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
+          if [[ -f .aws-architecture ]]; then
+            ARCH=$(cat .aws-architecture)
+            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          else
+            ARCH="linux/amd64"
+            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          fi
+          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
+            echo "$ARCH is INVALID architecture!"
+            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
+
+  deploy:
+    needs: prep
+    name: Dev Deploy
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-dev.yml@main
+    secrets: inherit
+    with:
+      AWS_REGION: "${region}"
+      GHA_ROLE: "${role}"
+      ECR: "${ecr}"
+      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # FUNCTION: "${function}"
+      # PREBUILD: 

files/makefile-cpu-arch.tpl

@@ -0,0 +1,57 @@
+### This is the Terraform-generated header for ${ecr_name}. If  ###
+###   this is a Lambda repo, uncomment the FUNCTION line below  ###
+###   and review the other commented lines in the document.     ###
+ECR_NAME_DEV := ${ecr_name}
+ECR_URL_DEV := ${ecr_url}
+CPU_ARCH ?= $(shell cat .aws-architecture 2>/dev/null || echo "linux/amd64")
+# FUNCTION_DEV := ${function}
+### End of Terraform-generated header                            ###
+
+
+### Terraform-generated Developer Deploy Commands for Dev environment ###
+check-arch:
+	@ARCH_FILE=".aws-architecture"; \
+	if [[ "$(CPU_ARCH)" != "linux/amd64" && "$(CPU_ARCH)" != "linux/arm64" ]]; then \
+        echo "Invalid CPU_ARCH: $(CPU_ARCH)"; exit 1; \
+    fi; \
+	if [[ -f $$ARCH_FILE ]]; then \
+		echo "latest-$(shell echo $(CPU_ARCH) | cut -d'/' -f2)" > .arch_tag; \
+	else \
+		echo "latest" > .arch_tag; \
+	fi
+
+dist-dev: check-arch ## Build docker container (intended for developer-based manual build)
+	@ARCH_TAG=$$(cat .arch_tag); \
+	docker buildx inspect $(ECR_NAME_DEV) >/dev/null 2>&1 || docker buildx create --name $(ECR_NAME_DEV) --use; \
+	docker buildx use $(ECR_NAME_DEV); \
+	docker buildx build --platform $(CPU_ARCH) \
+		--load \
+	    --tag $(ECR_URL_DEV):make-$$ARCH_TAG \
+		--tag $(ECR_URL_DEV):make-$(shell git describe --always) \
+		--tag $(ECR_NAME_DEV):$$ARCH_TAG \
+		.
+
+publish-dev: dist-dev ## Build, tag and push (intended for developer-based manual publish)
+	@ARCH_TAG=$$(cat .arch_tag); \
+	aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin $(ECR_URL_DEV); \
+	docker push $(ECR_URL_DEV):make-$$ARCH_TAG; \
+	docker push $(ECR_URL_DEV):make-$(shell git describe --always); \
+	docker push $(ECR_URL_DEV):make-$(shell echo $(CPU_ARCH) | cut -d'/' -f2)
+
+### If this is a Lambda repo, uncomment the two lines below     ###
+# update-lambda-dev: ## Updates the lambda with whatever is the most recent image in the ecr (intended for developer-based manual update)
+#	@ARCH_TAG=$$(cat .arch_tag); \
+#	aws lambda update-function-code \
+#		--region us-east-1 \
+#		--function-name $(FUNCTION_DEV) \
+#		--image-uri $(ECR_URL_DEV):make-$$ARCH_TAG
+
+docker-clean: ## Clean up Docker detritus
+	@ARCH_TAG=$$(cat .arch_tag); \
+	echo "Cleaning up Docker leftovers (containers, images, builders)"; \
+	docker rmi -f $(ECR_URL_DEV):make-$$ARCH_TAG; \
+	docker rmi -f $(ECR_URL_DEV):make-$(shell git describe --always) || true; \
+    docker rmi -f $(ECR_URL_DEV):make-$(shell echo $(CPU_ARCH) | cut -d'/' -f2) || true; \
+    docker rmi -f $(ECR_NAME_DEV):$$ARCH_TAG || true; \
+	docker buildx rm $(ECR_NAME_DEV) || true
+	@rm -rf .arch_tag

files/prod-promote-cpu-arch-extra-region.tpl

@@ -0,0 +1,17 @@
+### This should be added to jobs section of the prod-promote.yml.
+### If this is a Lambda function, uncomment the FUNCTION: line
+
+  deploy-${region}:
+    needs: prep
+    name: Deploy ${region}
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main
+    secrets: inherit
+    with:
+      AWS_REGION: "${region}"
+      GHA_ROLE_STAGE: ${role_stage}
+      GHA_ROLE_PROD: ${role_prod}
+      ECR_STAGE: "${ecr_stage}"
+      ECR_PROD: "${ecr_prod}"
+      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # FUNCTION: "${function}"
+ 

files/prod-promote-cpu-arch.tpl

@@ -0,0 +1,57 @@
+### This is the Terraform-generated prod-promote.yml workflow for the      ###
+### ${ecr_prod} repository.                                                ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of    ###
+### the document.                                                          ###
+
+name: Prod Container Promote
+on:
+  workflow_dispatch:
+  release:
+    types: [published]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  prep:
+    name: Prep for Promote
+    runs-on: ubuntu-latest
+    outputs: 
+      cpuarch: $${{ steps.setarch.outputs.cpuarch }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set CPU Architecture
+        id: setarch
+        run: |
+          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
+          if [[ -f .aws-architecture ]]; then
+            ARCH=$(cat .aws-architecture)
+            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          else
+            ARCH="linux/amd64"
+            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          fi
+          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
+            echo "$ARCH is INVALID architecture!"
+            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
+
+  deploy:
+    needs: prep
+    name: Deploy
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-promote-prod.yml@main
+    secrets: inherit
+    with:
+      AWS_REGION: "${region}"
+      GHA_ROLE_STAGE: ${role_stage}
+      GHA_ROLE_PROD: ${role_prod}
+      ECR_STAGE: "${ecr_stage}"
+      ECR_PROD: "${ecr_prod}"
+      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # FUNCTION: "${function}"
+ 

files/stage-build-cpu-arch-extra-region.tpl

@@ -0,0 +1,17 @@
+### This is the Terraform-generated extra workflow job for the             ###
+### ${ecr} app repository.                                                 ###
+### This should be added to jobs section of the stage-build.yml. If this   ### 
+### is a Lambda function, uncomment the FUNCTION: line                     ###
+
+  deploy-${region}:
+    needs: prep
+    name: Stage Deploy ${region}
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main
+    secrets: inherit
+    with:
+      AWS_REGION: "${region}"
+      GHA_ROLE: "${role}"
+      ECR: "${ecr}"
+      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # FUNCTION: "${function}"
+      # PREBUILD: 

files/stage-build-cpu-arch.tpl

@@ -0,0 +1,60 @@
+### This is the Terraform-generated dev-build.yml workflow for the         ###
+### ${ecr} app repository.                                                 ###
+### If this is a Lambda repo, uncomment the FUNCTION line at the end of    ###
+### the document. If the container requires any additional pre-build       ###
+### commands, uncomment and edit the PREBUILD line at the end of the       ###
+### document.                                                              ###
+
+name: Stage Container Build and Deploy
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '.github/**'
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  prep:
+    name: Prep for Build
+    runs-on: ubuntu-latest
+    outputs: 
+      cpuarch: $${{ steps.setarch.outputs.cpuarch }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Set CPU Architecture
+        id: setarch
+        run: |
+          echo "### :abacus: Architecture Selection" >> $GITHUB_STEP_SUMMARY
+          if [[ -f .aws-architecture ]]; then
+            ARCH=$(cat .aws-architecture)
+            echo "\`$ARCH\` was read from \`.aws-architecture\` and passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          else
+            ARCH="linux/amd64"
+            echo "No \`.aws-architecture\` file, so default \`$ARCH\` was passed to the deploy job." >> $GITHUB_STEP_SUMMARY
+          fi
+          if [[ "$ARCH" != "linux/arm64" && "$ARCH" != "linux/amd64" ]]; then
+            echo "$ARCH is INVALID architecture!"
+            echo "$ARCH is INVALID architecture!" >> $GITHUB_STEP_SUMMARY
+            exit 1
+          fi
+          echo "cpuarch=$ARCH" >> $GITHUB_OUTPUT
+
+  deploy:
+    needs: prep
+    name: Stage Deploy
+    uses: mitlibraries/.github/.github/workflows/ecr-multi-arch-deploy-stage.yml@main
+    secrets: inherit
+    with:
+      AWS_REGION: "${region}"
+      GHA_ROLE: "${role}"
+      ECR: "${ecr}"
+      CPU_ARCH: $${{ needs.prep.outputs.cpuarch }}
+      # FUNCTION: "${function}"
+      # PREBUILD: