bump aws sdks #605
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: [dev, stg, prd] | |
| paths-ignore: | |
| - 'README.md' | |
| - 'LICENSE' | |
| - '.gitignore' | |
| env: | |
| node_version: "18.x" | |
| tf_version: "1.7.0" # must match value in terraform-iac/*/app/main.tf | |
| FORCE_COLOR: 3 | |
| concurrency: ${{ github.ref }} | |
| jobs: | |
| env: | |
| name: Set Env Vars | |
| timeout-minutes: 1 | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set up DEV Environment Variables | |
| if: github.ref == 'refs/heads/dev' | |
| run: | | |
| matrix='{ | |
| "env":[ | |
| { | |
| "environment_name":"dev", | |
| "tf_working_dir":"./terraform-iac/dev/app", | |
| "aws_account":"977306314792", | |
| "aws_gha_role":"hw-lambda-api-dev-gha", | |
| "rfc_key_name":"standard_change_sandbox_client_key", | |
| "rfc_secret_name":"standard_change_sandbox_client_secret", | |
| "rfc_template_id":"Codepipeline-Standard-Change" | |
| } | |
| ] | |
| }' | |
| echo matrix=`echo $matrix | jq -c .` >> $GITHUB_ENV | |
| - name: Set up STG Environment Variables | |
| if: github.ref == 'refs/heads/stg' | |
| run: | | |
| matrix='{ | |
| "env":[ | |
| { | |
| "environment_name":"stg", | |
| "tf_working_dir":"./terraform-iac/stg/app", | |
| "aws_account":"977306314792", | |
| "aws_gha_role":"hw-lambda-api-stg-gha", | |
| "rfc_key_name":"standard_change_sandbox_client_key", | |
| "rfc_secret_name":"standard_change_sandbox_client_secret", | |
| "rfc_template_id":"Codepipeline-Standard-Change" | |
| } | |
| ] | |
| }' | |
| echo matrix=`echo $matrix | jq -c .` >> $GITHUB_ENV | |
| - name: Set up PRD/CPY Environment Variables | |
| if: github.ref == 'refs/heads/prd' | |
| # TODO: When prd really is production, in prd environment (first block below): | |
| # * Change standard_change_sandbox_client_key to standard_change_production_client_key | |
| # * Change standard_change_sandbox_client_secret to standard_change_production_client_secret | |
| # You probably don't want to do this in cpy (second block), or you will get two RFCs everytime you push to prd | |
| run: | | |
| matrix='{ | |
| "env":[ | |
| { | |
| "environment_name":"prd", | |
| "tf_working_dir":"./terraform-iac/prd/app", | |
| "aws_account":"539738229445", | |
| "aws_gha_role":"hw-lambda-api-prd-gha", | |
| "rfc_key_name":"standard_change_sandbox_client_key", | |
| "rfc_secret_name":"standard_change_sandbox_client_secret", | |
| "rfc_template_id":"Codepipeline-Standard-Change" | |
| }, | |
| { | |
| "environment_name":"cpy", | |
| "tf_working_dir":"./terraform-iac/cpy/app", | |
| "aws_account":"539738229445", | |
| "aws_gha_role":"hw-lambda-api-cpy-gha", | |
| "rfc_key_name":"standard_change_sandbox_client_key", | |
| "rfc_secret_name":"standard_change_sandbox_client_secret", | |
| "rfc_template_id":"Codepipeline-Standard-Change" | |
| } | |
| ] | |
| }' | |
| echo matrix=`echo $matrix | jq -c .` >> $GITHUB_ENV | |
| outputs: | |
| matrix: ${{ env.matrix }} | |
| build_and_deploy: | |
| name: Build and Deploy | |
| timeout-minutes: 60 | |
| runs-on: ubuntu-latest | |
| needs: env | |
| strategy: | |
| matrix: ${{ fromJson(needs.env.outputs.matrix) }} | |
| fail-fast: false | |
| environment: | |
| name: ${{ matrix.env.environment_name }} | |
| url: https://${{ steps.url.outputs.stdout }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Check out | |
| uses: actions/checkout@v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ env.node_version }} | |
| cache: npm | |
| cache-dependency-path: '**/package-lock.json' | |
| - name: Audit | |
| working-directory: src | |
| run: npm audit --audit-level=critical | |
| - name: Build | |
| working-directory: src | |
| run: npm ci --prefer-offline | |
| - name: Lint | |
| working-directory: src | |
| run: npm run lint | |
| - name: Test | |
| working-directory: src | |
| run: npm test | |
| - name: Report test coverage to Codecov | |
| uses: codecov/codecov-action@v4 | |
| if: env.CODECOV_TOKEN | |
| env: | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
| # We only want the production dependencies in the zip file | |
| - name: Package | |
| working-directory: src | |
| run: | | |
| npm prune --production | |
| zip -r lambda.zip * | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ matrix.env.aws_account }}:role/${{ matrix.env.aws_gha_role }}" | |
| role-session-name: ${{ github.sha }} | |
| aws-region: us-west-2 | |
| - name: Terraform Setup | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ env.tf_version }} | |
| terraform_wrapper: false | |
| - name: Terraform Init | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| run: terraform init | |
| - name: Terraform Format | |
| working-directory: "./" | |
| run: terraform fmt -check -recursive | |
| - name: Terraform Plan | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| run: terraform plan -input=false -out=plan | |
| - name: Analyze Terraform Plan | |
| uses: byu-oit/github-action-tf-plan-analyzer@v2 | |
| if: github.repository_owner == 'byu-oit' | |
| # If you're at BYU, but outside the byu-oit GitHub org, you may be able to obtain credentials by contacting cloudoffice@byu.edu | |
| with: | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| terraform-plan-file: plan | |
| divvycloud-username: ${{ secrets.DIVVYCLOUD_USERNAME }} | |
| divvycloud-password: ${{ secrets.DIVVYCLOUD_PASSWORD }} | |
| - name: Start Standard Change | |
| uses: byu-oit/github-action-start-standard-change@v1 | |
| id: start-standard-change | |
| with: | |
| client-key: ${{ secrets[matrix.env.rfc_key_name] }} | |
| client-secret: ${{ secrets[matrix.env.rfc_secret_name] }} | |
| template-id: ${{ matrix.env.rfc_template_id }} | |
| - name: Terraform Apply | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| run: terraform apply plan | |
| - name: Get Terraform Outputs | |
| id: terraform-outputs | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| run: | | |
| echo "codedeploy_app_name=$(terraform output -raw codedeploy_app_name)" >> $GITHUB_OUTPUT | |
| echo "codedeploy_deployment_group_name=$(terraform output -raw codedeploy_deployment_group_name)" >> $GITHUB_OUTPUT | |
| echo "codedeploy_appspec_json_file=$(terraform output -raw codedeploy_appspec_json_file)" >> $GITHUB_OUTPUT | |
| echo "url=$(terraform output -raw url)" >> $GITHUB_OUTPUT | |
| - name: CodeDeploy | |
| id: deploy | |
| uses: byu-oit/github-action-codedeploy@v2 | |
| with: | |
| application-name: ${{ steps.terraform-outputs.outputs.codedeploy_app_name }} | |
| deployment-group-name: ${{ steps.terraform-outputs.outputs.codedeploy_deployment_group_name }} | |
| appspec-file: ${{ steps.terraform-outputs.outputs.codedeploy_appspec_json_file }} | |
| - name: End Standard Change | |
| uses: byu-oit/github-action-end-standard-change@v1 | |
| if: always() && steps.start-standard-change.outcome == 'success' # Run if RFC started, even if the deploy failed | |
| with: | |
| client-key: ${{ secrets[matrix.env.rfc_key_name] }} | |
| client-secret: ${{ secrets[matrix.env.rfc_secret_name] }} | |
| change-sys-id: ${{ steps.start-standard-change.outputs.change-sys-id }} | |
| work-start: ${{ steps.start-standard-change.outputs.work-start }} | |
| success: ${{ job.status == 'success' }} | |