#
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
#
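name: Unit Tests, Deploy, Integration Test

# Trigger: direct pushes to `develop` only. There is no pull_request /
# pull_request_target trigger, so nothing in this workflow is reachable from a
# fork, and the only `${{ }}` values interpolated into `run:` scripts below are
# workflow-defined matrix literals and repository secrets -- never event data
# supplied by a user. Keep it that way: adding a PR trigger would turn the
# inline `${{ matrix.* }}` substitutions into a script-injection surface.
on:
  push:
    branches:
      - develop

# NOTE(review) -- standing security notes for maintainers:
# - Every third-party action is referenced by a mutable tag (`@v1`, `@v2`,
#   `@v2.x`). Tags can be moved after the fact; pin each `uses:` to a full
#   commit SHA (version in a trailing comment) and let Dependabot bump it.
#   SHAs are deliberately not guessed here -- resolve them from upstream.
# - The deploy/test jobs obtain AWS credentials via OIDC (`id-token: write`).
#   The credential steps are ordered *after* third-party dependency
#   installation (yarn / maven / bundler all run package lifecycle scripts), so
#   install-time code never has the role credentials in its environment.
# - `role-duration-seconds: 7200` is a long session for one job. Shrink it once
#   real deploy times are known, and consider `timeout-minutes` on the
#   deploy/test jobs so a hung run does not hold live credentials for hours.
jobs:
  build-validate:
    name: Build and validate
    runs-on: ubuntu-latest
    # This job never touches AWS or pushes; the GITHUB_TOKEN only needs to read
    # the repository. Declared explicitly so the org/repo default (which may be
    # write-all) does not apply.
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # No later step pushes, so do not leave the GITHUB_TOKEN in
          # .git/config where yarn/maven lifecycle scripts could read it.
          persist-credentials: false
      - name: Use Node.js
        uses: actions/setup-node@v1
        with:
          # Node 14 is end-of-life; upgrade together with the lockfile.
          node-version: '14'
      - uses: actions/setup-java@v1
        with:
          java-version: '1.8'
      - name: Install dependencies
        run: |
          cd auditLogMover
          yarn install
          cd ..
          yarn install
        env:
          # Read token for the private npm registry; scoped to this step only.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Build, lint, and run unit tests
        run: |
          cd auditLogMover
          yarn release
          cd ..
          yarn release
      - name: Build Hapi validator
        run: |
          cd javaHapiValidatorLambda
          mvn --batch-mode --update-snapshots --no-transfer-progress clean install
          cd ..

  pre-deployment-check:
    needs: build-validate
    runs-on: ubuntu-latest
    # Bounded wait: if an earlier run is still deploying we poll for at most
    # 10 minutes and then fail, rather than queueing indefinitely.
    timeout-minutes: 10
    # turnstyle lists this workflow's runs through the GITHUB_TOKEN; that read
    # access is the only API permission the job needs.
    permissions:
      actions: read
      contents: read
    steps:
      # Serialises deployments so two pushes to `develop` cannot run
      # `serverless deploy` / `cdk deploy` against the dev accounts at once.
      # The built-in `concurrency:` key would remove this third-party
      # dependency, but it cancels queued runs instead of waiting for them, so
      # it is not a drop-in replacement.
      - name: 'Block Concurrent Deployments'
        uses: softprops/turnstyle@v1
        with:
          poll-interval-seconds: 10
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  deploy:
    needs: pre-deployment-check
    name: Deploy to Dev - enableMultiTenancy=${{ matrix.enableMultiTenancy }}
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - enableMultiTenancy: false
            region: us-west-2
          - enableMultiTenancy: true
            region: us-west-1
    # `id-token: write` is what lets configure-aws-credentials request an OIDC
    # token to assume the AWS role; nothing in this job writes to the repo.
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false
      - name: Use Node.js
        uses: actions/setup-node@v1
        with:
          node-version: '14'
      - uses: actions/setup-java@v1
        with:
          java-version: '1.8'
      - name: Setup config file
        env:
          DEV_AWS_USER_ACCOUNT_ARN: ${{ secrets.DEV_AWS_USER_ACCOUNT_ARN }}
        # `#` is used as the sed delimiter because the ARN contains `/` and `:`.
        run: sed "s#<dev-arn>#$DEV_AWS_USER_ACCOUNT_ARN#g" serverless_config.template.json > serverless_config.json
      # All dependency installation happens before any AWS credentials exist in
      # the job environment, so install/postinstall scripts cannot use them.
      - name: Install npm dependencies
        run: |
          yarn install
          cd auditLogMover
          yarn install
      - name: Download US Core IG
        # NOTE if updating the IG version. Please see update implementationGuides.test.ts test too.
        # This package is compiled into the deployed server, so it is fetched
        # over TLS and the job fails on a non-2xx or truncated download instead
        # of extracting whatever came back. `shell: bash` enables `pipefail`
        # so a curl failure is not masked by tar's exit status.
        # TODO(review): verify a pinned checksum of package.tgz before extracting.
        shell: bash
        run: |
          mkdir -p implementationGuides
          curl --fail --silent --show-error --location \
            https://hl7.org/fhir/us/core/STU3.1.1/package.tgz | tar xz -C implementationGuides
      - name: Compile IGs
        run: yarn run compile-igs
      - name: Setup allowList for Subscriptions integ tests
        # Dev-only allow list for subscription notification endpoints; this
        # must never be copied into a production deployment.
        run: cp integration-tests/infrastructure/allowList-integTests.ts src/subscriptions/allowList.ts
      - name: Install serverless
        run: npm install -g serverless@2.64.1
      - name: Build Hapi validator
        run: |
          cd javaHapiValidatorLambda
          mvn --batch-mode --update-snapshots --no-transfer-progress clean install
      # Credentials are minted only now, immediately before the first step that
      # needs them. They are job-scoped environment variables from here on.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ matrix.region }}
          role-to-assume: ${{ secrets.AWS_ACCESS_ROLE_ARN }}
          role-duration-seconds: 7200
      - name: Deploy Hapi validator
        run: |
          cd javaHapiValidatorLambda
          serverless deploy --stage dev --region ${{ matrix.region }} --conceal
      - name: Deploy FHIR Server and ddbToEs
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        # --conceal keeps stack outputs (endpoints, API keys) out of the job log.
        run: |
          serverless deploy --stage dev --region ${{ matrix.region }} --useHapiValidator true --enableMultiTenancy ${{ matrix.enableMultiTenancy }} --enableSubscriptions true --conceal
      - name: Deploy auditLogMover
        run: |
          cd auditLogMover
          serverless deploy --stage dev --region ${{ matrix.region }} --conceal
      # Get credentials for CDK Account. This replaces the previous role's
      # credentials in the job environment for all remaining steps.
      - name: Configure AWS Credentials CDK
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ matrix.region }}
          role-to-assume: ${{ secrets.CDK_AWS_ACCESS_ROLE_ARN }}
          role-duration-seconds: 7200
      - name: Deploy FHIR Server and Hapi Validator with CDK
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        # --require-approval never: IAM and security-group changes are applied
        # without a prompt, as CI requires; review them in the PR diff instead.
        run: |
          yarn deploy -c region=${{ matrix.region }} -c useHapiValidator=true -c enableMultiTenancy=${{ matrix.enableMultiTenancy }} -c enableSubscriptions=true --all --require-approval never

  crucible-test:
    needs: deploy
    name: Run Crucible Tests - enableMultiTenancy=${{ matrix.enableMultiTenancy }}
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        include:
          - enableMultiTenancy: false
            region: us-west-2
            serviceUrlSuffix: ''
            serviceUrlSecretName: SERVICE_URL
            cognitoClientIdSecretName: COGNITO_CLIENT_ID
            apiKeySecretName: API_KEY
          - enableMultiTenancy: true
            region: us-west-1
            serviceUrlSuffix: /tenant/tenant1
            serviceUrlSecretName: MULTITENANCY_SERVICE_URL
            cognitoClientIdSecretName: MULTITENANCY_COGNITO_CLIENT_ID
            apiKeySecretName: MULTITENANCY_API_KEY
    permissions:
      id-token: write
      contents: read
    steps:
      # The Crucible harness is pulled from a personal fork at a *branch* ref.
      # Anyone who can push to that branch can run arbitrary Ruby in this job,
      # which later holds AWS role credentials and the Cognito test password.
      # Pin `ref` to a reviewed commit SHA (or vendor the harness) instead.
      - uses: actions/checkout@v2
        with:
          repository: nguyen102/plan_executor
          ref: r4-aws-fhir-solution
          persist-credentials: false
      # actions/setup-ruby is archived; ruby/setup-ruby is the maintained
      # replacement and can also run `bundle install` with caching.
      - uses: actions/setup-ruby@v1
        with:
          ruby-version: '2.6'
      - name: Install dependency
        run: |
          gem install bundler
          bundle install
      # Assume the AWS role only after gems are installed: native-extension
      # builds and post-install hooks execute arbitrary code.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ matrix.region }}
          role-to-assume: ${{ secrets.AWS_ACCESS_ROLE_ARN }}
          role-duration-seconds: 7200
      - name: Execute tests
        env:
          # Secret *names* come from the matrix; the values are looked up with
          # `secrets[...]` so one job definition serves both deployments.
          SERVICE_URL: ${{ secrets[matrix.serviceUrlSecretName] }}${{ matrix.serviceUrlSuffix }}
          API_KEY: ${{ secrets[matrix.apiKeySecretName] }}
          COGNITO_CLIENT_ID: ${{ secrets[matrix.cognitoClientIdSecretName] }}
          COGNITO_USERNAME: ${{ secrets.COGNITO_USERNAME_PRACTITIONER }}
          COGNITO_PASSWORD: ${{ secrets.COGNITO_PASSWORD }}
        # `shell: bash` enables pipefail so a failed initiate-auth cannot be
        # masked by the JSON-parsing step. The username/password are passed on
        # the aws CLI command line; tolerable on an ephemeral runner (logs are
        # secret-masked), but these test credentials must not be reused
        # anywhere non-ephemeral.
        shell: bash
        run: |
          ACCESS_TOKEN=$(aws cognito-idp initiate-auth --region ${{ matrix.region }} --client-id $COGNITO_CLIENT_ID \
            --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=$COGNITO_USERNAME,PASSWORD=$COGNITO_PASSWORD | \
            python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["AuthenticationResult"]["IdToken"])')
          bundle exec rake crucible:execute_hearth_tests[$SERVICE_URL,$API_KEY,$ACCESS_TOKEN]
      - name: Configure AWS Credentials CDK
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ matrix.region }}
          role-to-assume: ${{ secrets.CDK_AWS_ACCESS_ROLE_ARN }}
          role-duration-seconds: 7200
      - name: Execute tests on CDK
        env:
          SERVICE_URL: ${{ secrets.CDK_SERVICE_URL }}
          API_KEY: ${{ secrets.CDK_API_KEY }}
          COGNITO_CLIENT_ID: ${{ secrets.CDK_COGNITO_CLIENT_ID }}
          COGNITO_USERNAME: ${{ secrets.CDK_COGNITO_USERNAME_PRACTITIONER }}
          COGNITO_PASSWORD: ${{ secrets.CDK_COGNITO_PASSWORD }}
        # NOTE(review): this step hard-codes us-west-2 and the non-MT CDK_*
        # secrets for both matrix rows, so the multi-tenant CDK deployment in
        # us-west-1 is apparently not exercised here (custom-integration-tests
        # below does distinguish CDK_MT_*). Confirm whether that is intended.
        shell: bash
        run: |
          ACCESS_TOKEN=$(aws cognito-idp initiate-auth --region us-west-2 --client-id $COGNITO_CLIENT_ID \
            --auth-flow USER_PASSWORD_AUTH --auth-parameters USERNAME=$COGNITO_USERNAME,PASSWORD=$COGNITO_PASSWORD | \
            python -c 'import json,sys;obj=json.load(sys.stdin);print(obj["AuthenticationResult"]["IdToken"])')
          bundle exec rake crucible:execute_hearth_tests[$SERVICE_URL,$API_KEY,$ACCESS_TOKEN]

  custom-integration-tests:
    needs: crucible-test
    name: Run custom integration tests - enableMultiTenancy=${{ matrix.enableMultiTenancy }}
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        include:
          - enableMultiTenancy: false
            region: us-west-2
            serviceUrlSecretName: SERVICE_URL
            cognitoClientIdSecretName: COGNITO_CLIENT_ID
            apiKeySecretName: API_KEY
            subscriptionsNotificationsTableSecretName: SUBSCRIPTIONS_NOTIFICATIONS_TABLE
            subscriptionsEndpointSecretName: SUBSCRIPTIONS_ENDPOINT
            subscriptionsApiKeySecretName: SUBSCRIPTIONS_API_KEY
            cdk_serviceUrlSecretName: CDK_SERVICE_URL
            cdk_cognitoClientIdSecretName: CDK_COGNITO_CLIENT_ID
            cdk_apiKeySecretName: CDK_API_KEY
            cdk_subscriptionsNotificationsTableSecretName: CDK_SUBSCRIPTIONS_NOTIFICATIONS_TABLE
            cdk_subscriptionsEndpointSecretName: CDK_SUBSCRIPTIONS_ENDPOINT
            cdk_subscriptionsApiKeySecretName: CDK_SUBSCRIPTIONS_API_KEY
          - enableMultiTenancy: true
            region: us-west-1
            serviceUrlSecretName: MULTITENANCY_SERVICE_URL
            cognitoClientIdSecretName: MULTITENANCY_COGNITO_CLIENT_ID
            apiKeySecretName: MULTITENANCY_API_KEY
            subscriptionsNotificationsTableSecretName: MULTITENANCY_SUBSCRIPTIONS_NOTIFICATIONS_TABLE
            subscriptionsEndpointSecretName: MULTITENANCY_SUBSCRIPTIONS_ENDPOINT
            subscriptionsApiKeySecretName: MULTITENANCY_SUBSCRIPTIONS_API_KEY
            cdk_serviceUrlSecretName: CDK_MT_SERVICE_URL
            cdk_cognitoClientIdSecretName: CDK_MT_COGNITO_CLIENT_ID
            cdk_apiKeySecretName: CDK_MT_API_KEY
            cdk_subscriptionsNotificationsTableSecretName: CDK_MT_SUBSCRIPTIONS_NOTIFICATIONS_TABLE
            cdk_subscriptionsEndpointSecretName: CDK_MT_SUBSCRIPTIONS_ENDPOINT
            cdk_subscriptionsApiKeySecretName: CDK_MT_SUBSCRIPTIONS_API_KEY
    permissions:
      id-token: write
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          persist-credentials: false
      - name: Use Node.js
        uses: actions/setup-node@v1
        with:
          node-version: '14'
      - name: Install dependencies
        run: |
          yarn install
      # Role credentials are assumed only after `yarn install` has run, so npm
      # lifecycle scripts never execute with AWS credentials in scope.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ matrix.region }}
          role-to-assume: ${{ secrets.AWS_ACCESS_ROLE_ARN }}
          role-duration-seconds: 7200
      - name: Execute tests
        env:
          API_URL: ${{ secrets[matrix.serviceUrlSecretName] }}
          API_KEY: ${{ secrets[matrix.apiKeySecretName] }}
          API_AWS_REGION: ${{ matrix.region }}
          COGNITO_CLIENT_ID: ${{ secrets[matrix.cognitoClientIdSecretName] }}
          COGNITO_USERNAME_PRACTITIONER: ${{ secrets.COGNITO_USERNAME_PRACTITIONER }}
          COGNITO_USERNAME_AUDITOR: ${{ secrets.COGNITO_USERNAME_AUDITOR }}
          COGNITO_USERNAME_PRACTITIONER_ANOTHER_TENANT: ${{ secrets.COGNITO_USERNAME_PRACTITIONER_ANOTHER_TENANT }}
          COGNITO_PASSWORD: ${{ secrets.COGNITO_PASSWORD }}
          MULTI_TENANCY_ENABLED: ${{ matrix.enableMultiTenancy }}
          SUBSCRIPTIONS_ENABLED: 'true'
          SUBSCRIPTIONS_NOTIFICATIONS_TABLE: ${{ secrets[matrix.subscriptionsNotificationsTableSecretName] }}
          SUBSCRIPTIONS_ENDPOINT: ${{ secrets[matrix.subscriptionsEndpointSecretName] }}
          SUBSCRIPTIONS_API_KEY: ${{ secrets[matrix.subscriptionsApiKeySecretName] }}
          AWS_REGION: ${{ matrix.region }}
        run: yarn int-test
      - name: Configure AWS Credentials CDK
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: ${{ matrix.region }}
          role-to-assume: ${{ secrets.CDK_AWS_ACCESS_ROLE_ARN }}
          role-duration-seconds: 7200
      - name: Execute tests on CDK
        env:
          API_URL: ${{ secrets[matrix.cdk_serviceUrlSecretName] }}
          API_KEY: ${{ secrets[matrix.cdk_apiKeySecretName] }}
          API_AWS_REGION: ${{ matrix.region }}
          COGNITO_CLIENT_ID: ${{ secrets[matrix.cdk_cognitoClientIdSecretName] }}
          COGNITO_USERNAME_PRACTITIONER: ${{ secrets.CDK_COGNITO_USERNAME_PRACTITIONER }}
          COGNITO_USERNAME_AUDITOR: ${{ secrets.CDK_COGNITO_USERNAME_AUDITOR }}
          COGNITO_USERNAME_PRACTITIONER_ANOTHER_TENANT: ${{ secrets.CDK_COGNITO_USERNAME_PRACTITIONER_ANOTHER_TENANT }}
          COGNITO_PASSWORD: ${{ secrets.CDK_COGNITO_PASSWORD }}
          MULTI_TENANCY_ENABLED: ${{ matrix.enableMultiTenancy }}
          SUBSCRIPTIONS_ENABLED: 'true'
          SUBSCRIPTIONS_NOTIFICATIONS_TABLE: ${{ secrets[matrix.cdk_subscriptionsNotificationsTableSecretName] }}
          SUBSCRIPTIONS_ENDPOINT: ${{ secrets[matrix.cdk_subscriptionsEndpointSecretName] }}
          SUBSCRIPTIONS_API_KEY: ${{ secrets[matrix.cdk_subscriptionsApiKeySecretName] }}
          AWS_REGION: ${{ matrix.region }}
        run: yarn int-test

  merge-develop-to-mainline:
    needs: custom-integration-tests
    name: Merge develop to mainline
    runs-on: ubuntu-latest
    # Every API call and the push below use MERGE_TOKEN, a long-lived PAT that
    # must have admin rights on this repo to toggle branch protection. That
    # makes it the most sensitive secret in the workflow: keep it scoped to this
    # repository only, rotate it, and never expose it to an earlier job. The
    # GITHUB_TOKEN itself is unused here, so it gets read-only scope.
    permissions:
      contents: read
    steps:
      # `persist-credentials` stays at its default (true) here on purpose: the
      # PAT stored by checkout is what authenticates `git push` below.
      - uses: actions/checkout@v2
        with:
          token: ${{secrets.MERGE_TOKEN}}
          # Full history is required so both `develop` and `mainline` resolve
          # and the fast-forward check is meaningful.
          fetch-depth: 0
      # There's no way for github actions to push to a protected branch. This is a workaround
      # See https://github.community/t/how-to-push-to-protected-branches-in-a-github-action/16101/30
      # Between this step and "Enable branch protection" admins can push to
      # mainline unchecked; keep the window short and do not add steps here.
      - name: Temporarily disable branch protection
        uses: octokit/request-action@v2.x
        with:
          route: DELETE /repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins
          owner: awslabs
          repo: fhir-works-on-aws-deployment
          branch: mainline
        env:
          GITHUB_TOKEN: ${{ secrets.MERGE_TOKEN }}
      # --ff-only guarantees mainline only ever receives commits that already
      # passed the jobs above; a diverged mainline fails the job instead of
      # producing an untested merge commit.
      - name: Merge to mainline
        run: |
          git checkout mainline
          echo
          echo " Attempting to merge the 'develop' branch ($(git log -1 --pretty=%H develop))"
          echo " into the 'mainline' branch ($(git log -1 --pretty=%H mainline))"
          echo
          git merge --ff-only --no-edit develop
          git push origin mainline
      - name: Enable branch protection
        uses: octokit/request-action@v2.x
        # always() also runs when the job is cancelled, so protection is
        # restored even if the merge step is interrupted.
        if: always() # Make sure to enable branch protection even if other steps fail
        with:
          route: POST /repos/{owner}/{repo}/branches/{branch}/protection/enforce_admins
          owner: awslabs
          repo: fhir-works-on-aws-deployment
          branch: mainline
        env:
          GITHUB_TOKEN: ${{ secrets.MERGE_TOKEN }}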