Merge pull request #416 from NEU-DSG/enable-auto-db-backups #666
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Infrastructure Deployment | |
| # Controls when the action will run. Triggers the workflow on push or pull request | |
| # events but only for the main branch | |
| on: | |
| release: | |
| types: [released, prereleased] | |
| push: | |
| branches: [main] | |
| paths-ignore: | |
| - "**/README.md" | |
| - "**/readme.md" | |
| - "doc/**/*.md" | |
| concurrency: | |
| group: infra-${{ github.ref }} | |
| # Cancelling terraform deployments will screw up terraform's own locking mechanism | |
| cancel-in-progress: false | |
| # A workflow run is made up of one or more jobs that can run sequentially or in parallel | |
| jobs: | |
| build: | |
| runs-on: ubuntu-20.04 | |
| environment: ${{ github.event_name == 'release' && ( github.event.action == 'released' && 'Production' || 'Development') || 'Development' }} | |
| env: | |
| DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }} | |
| GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }} | |
| AWS_VPC_ID: ${{ secrets.AWS_VPC_ID }} | |
| AWS_SUBNET_PRIMARY: ${{ secrets.AWS_SUBNET_PRIMARY }} | |
| AWS_ZONE_PRIMARY: ${{ secrets.AWS_ZONE_PRIMARY }} | |
| AWS_SUBNET_SECONDARY0: ${{ secrets.AWS_SUBNET_SECONDARY0 }} | |
| AWS_ZONE_SECONDARY0: ${{ secrets.AWS_ZONE_SECONDARY0 }} | |
| AWS_SUBNET_SECONDARY1: ${{ secrets.AWS_SUBNET_SECONDARY1 }} | |
| AWS_ZONE_SECONDARY1: ${{ secrets.AWS_ZONE_SECONDARY1 }} | |
| AWS_SSH_KEY: ${{ secrets.AWS_SSH_KEY }} | |
| GIT_REPOSITORY_URL: https://github.com/neu-dsg/dailp-encoding | |
| OAUTH_TOKEN: ${{ secrets.OAUTH_TOKEN }} | |
| RUST_LOG: info | |
| # Stage is Development if not based on a release event, is Staging/UAT if event action is prereleased, is Production if event action is released | |
| TF_STAGE: ${{ github.event_name == 'release' && ( github.event.action == 'prereleased' && 'uat' || 'prod') || 'dev' }} | |
| # Steps represent a sequence of tasks that will be executed as part of the job | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Push to release branch | |
| if: ${{ github.event_name == 'release' }} | |
| uses: ad-m/github-push-action@master | |
| with: | |
| branch: ${{ github.event.action == 'prereleased' && 'uat' || 'release' }} | |
| force: true | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v2 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-1 | |
| - uses: dorny/paths-filter@v2 | |
| id: filter | |
| with: | |
| base: ${{ github.ref }} | |
| filters: | | |
| backend: | |
| - 'types/**' | |
| - 'graphql/**' | |
| - 'flake.nix' | |
| - 'flake.lock' | |
| - 'terraform/**' | |
| data: | |
| - 'types/**' | |
| - 'migration/**' | |
| - 'graphql/**' | |
| rust: | |
| - '**/*.rs' | |
| - 'Cargo.lock' | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@v20 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-21.11 | |
| - name: Use binary cache for nix store | |
| uses: cachix/cachix-action@v12 | |
| with: | |
| name: dailp | |
| # If you chose API tokens for write access OR if you have a private cache | |
| authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" | |
| pushFilter: "(-dailp$|-dailp-|-terraform-config$|-source$|\\.tar\\.gz$|-output$|-plan$|-apply-now$|-apply$)" | |
| - name: Build and test project | |
| # nix -L argument shows the full build log and --impure allows it to access environment variables. | |
| run: | | |
| nix build --impure -L | |
| - name: Deploy back-end to AWS via terraform | |
| run: | | |
| nix run --impure -L .#tf-apply-now | |
| SECURITY_GROUP_ID=$(nix run --impure .#tf-output access_security_group_id) | |
| echo "ACCESS_SECURITY_GROUP=$SECURITY_GROUP_ID" >> $GITHUB_ENV | |
| # - name: Validate spreadsheets | |
| # env: | |
| # RUST_LOG: warn | |
| # run: nix run --impure -L .#validate-data | |
| - name: Allow SSH access to bastion host | |
| uses: sohelamin/aws-security-group-add-ip-action@master | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-1 | |
| aws-security-group-id: ${{ env.ACCESS_SECURITY_GROUP }} | |
| port: 22 | |
| to-port: 22 | |
| protocol: tcp | |
| - name: Encode documents as TEI and database entries | |
| # Sets up port forwarding to remote database on port 5432 | |
| run: | | |
| echo "Creating SSH key file..." | |
| echo "${{secrets.AWS_BASTION_SSH_KEY}}" > dailp-deployment-key.pem | |
| chmod 400 ./dailp-deployment-key.pem | |
| echo "Retrieving terraform outputs..." | |
| BASTION_IP=$(nix run --impure .#tf-output bastion_ip) | |
| DATABASE_ENDPOINT=$(nix run --impure .#tf-output database_endpoint) | |
| echo "Configuring SSH client..." | |
| mkdir -p ~/.ssh | |
| echo "Still configuring SSH client..." | |
| ssh-keyscan -H $BASTION_IP >> ~/.ssh/known_hosts | |
| echo "Forwarding port 5432 to remote database $DATABASE_ENDPOINT through $BASTION_IP" | |
| ssh -i ./dailp-deployment-key.pem -f -N -L 5432:$DATABASE_ENDPOINT ec2-user@$BASTION_IP | |
| export DAILP_API_URL=$(nix run --impure .#tf-output functions_url) | |
| export DATABASE_URL=postgres://dailp:$DATABASE_PASSWORD@localhost:5432/dailp | |
| nix run --impure .#migrate-schema | |
| export CF_URL=$(nix run --impure .#tf-output cloudfront_distro_url) | |
| nix run --impure .#migrate-data | |
| - name: Publish website | |
| run: | | |
| curl -X POST -d {} "$(nix run --impure .#tf-output amplify_webhook)" -H "Content-Type:application/json" |