fix: attach bucket access policy to content bucket instead of assembler #46

Workflow file for this run

.github/workflows/deploy-terraform.yml at 710346e

	name: Deploy

	on:
	push:
	branches: [terraform]
	paths-ignore:
	- LICENSE
	- README.md
	concurrency: ${{ github.ref }}
	env:
	tf_version: "1.4.5" # must match value in terraform-iac/*/app/main.tf
	node_version: "16.x"

	jobs:
	env:
	name: Set Env Vars
	runs-on: ubuntu-latest
	steps:
	- name: Set up DEV Environment Variables
	if: github.ref == 'refs/heads/terraform'
	run: \|
	matrix='{
	"env":[
	{
	"aws_account":"863362256468",
	"aws_gha_role":"web-cdn-dev-gha",
	"rfc_key_name":"standard_change_sandbox_client_key",
	"rfc_secret_name":"standard_change_sandbox_client_secret",
	"rfc_template_id":"Codepipeline-Standard-Change",
	"cdn_name": "web-community-cdn",
	"account_stack_name": "web-community-cdn-account",
	"config_repo": "byu-oit/web-cdn",
	"extra_tags": "data-sensitivity=public repo=https://github.com/byu-oit/web-cdn",
	"env" : "dev",
	"root_dns" : "cdn-dev.byu.edu",
	"config_branch": "terraform",
	"certificate_arn" : "arn:aws:acm:us-east-1:632558792265:certificate/1bc2f81c-2f79-46b3-9d3b-54ce672ba8be",
	"assembler_ecr_repo_name" : "cdn-terraform-assembler",
	"tf_working_dir":"./iac/dev/app"
	}
	]
	}'
	echo matrix=`echo $matrix \| jq -c .` >> $GITHUB_ENV

	# TODO: Update for prd
	- name: Set up PRD Environment Variables
	if: github.ref == 'refs/heads/master'
	run: \|
	matrix='{
	"env":[
	{
	"aws_account":"204581410681",
	"aws_gha_role":"web-cdn-prd-gha",
	"rfc_key_name":"standard_change_production_client_key",
	"rfc_secret_name":"standard_change_production_client_secret",
	"rfc_template_id":"Codepipeline-Standard-Change",
	"cdn_name": "web-community-cdn",
	"account_stack_name": "web-community-cdn-account",
	"config_repo": "byu-oit/web-cdn",
	"extra_tags": "data-sensitivity=public repo=https://github.com/byu-oit/web-cdn",
	"env" : "prd",
	"root_dns" : "cdn.byu.edu",
	"config_branch": "master",
	"certificate_arn" : "arn:aws:acm:us-east-1:204581410681:certificate/18c1b547-de51-43d3-afa5-2bd05493c41c"
	"assembler_ecr_repo_name": "web-cdn-prd-assembler",
	"tf_working_dir":"./iac/prd/app"
	}
	]
	}'
	echo matrix=`echo $matrix \| jq -c .` >> $GITHUB_ENV

	outputs:
	matrix: ${{ env.matrix }}

	build_and_deploy:
	name: Build CDN pipeline
	runs-on: ubuntu-latest
	needs: env
	strategy:
	matrix: ${{ fromJson(needs.env.outputs.matrix) }}
	permissions: write-all
	steps:
	- name: Check out
	uses: actions/checkout@v3

	- name: Disallow Concurrent Runs
	uses: byu-oit/github-action-disallow-concurrent-runs@v2
	with:
	token: ${{ github.token }}

	- name: Configure AWS Credentials
	id: awscreds
	uses: aws-actions/configure-aws-credentials@v2
	with:
	role-to-assume: "arn:aws:iam::${{ matrix.env.aws_account }}:role/${{ matrix.env.aws_gha_role }}"
	role-session-name: ${{ github.sha }}
	aws-region: us-east-1

	- name: Set up Node.js
	uses: actions/setup-node@v2
	with:
	node-version: ${{ env.node_version }}

	- name: Setup
	run: .codebuild/setup.sh

	- name: Install AWSCLI
	run: pip install awscli --upgrade --user

	- name: Lerna Boostrap
	run: lerna bootstrap

	- name: Echo ROOT_DNS
	env:
	root_dns: ${{ matrix.env.root_dns }}
	run: echo $root_dns

	# - name: Lerna Exec
	# env:
	# ENV: ${{ matrix.env.env }}
	# AWS_ACCOUNT_ID: ${{ steps.awscreds.outputs.aws-account-id }}
	# ROOT_DNS: ${{ matrix.env.root_dns }}
	# run: lerna exec -- ./codebuild.sh

	- name: find
	run: find ./* -mtime +10950 -exec touch {} \;

	- name: Log into Amazon ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@v1

	- name: Get Current Timestamp
	id: date
	run: echo "timestamp=$(date +'%Y-%m-%d_%H-%M-%S')" >> $GITHUB_OUTPUT

	- name: Setup Docker Buildx
	uses: docker/setup-buildx-action@v2

	- name: Build and push the Assembler Docker image
	env:
	ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
	ECR_REPO: ${{ matrix.env.assembler_ecr_repo_name }}
	IMAGE_TAG: ${{ steps.date.outputs.timestamp }}
	uses: docker/build-push-action@v3
	with:
	context: assembler
	push: true
	tags: ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPO}}:${{ env.IMAGE_TAG }}
	cache-from: type=gha
	cache-to: type=gha,mode=max

	- name: Terraform Setup
	uses: hashicorp/setup-terraform@v2
	with:
	terraform_version: ${{ env.tf_version }}
	terraform_wrapper: false

	- name: Terraform Init
	working-directory: ${{ matrix.env.tf_working_dir }}
	run: terraform init

	- name: Terraform Format
	working-directory: "./"
	run: terraform fmt -check -recursive

	- name: Terraform Plan
	working-directory: ${{ matrix.env.tf_working_dir }}
	run: terraform plan -var 'image_tag=${{ steps.date.outputs.timestamp }}' -input=false -out=plan

	- name: Analyze Terraform Plan
	uses: byu-oit/github-action-tf-plan-analyzer@v2
	with:
	working-directory: ${{ matrix.env.tf_working_dir }}
	terraform-plan-file: plan
	divvycloud-username: ${{ secrets.DIVVYCLOUD_USERNAME }}
	divvycloud-password: ${{ secrets.DIVVYCLOUD_PASSWORD }}

	- name: Start Standard Change
	uses: byu-oit/github-action-start-standard-change@v1
	id: start-standard-change
	with:
	client-key: ${{ secrets[matrix.env.rfc_key_name] }}
	client-secret: ${{ secrets[matrix.env.rfc_secret_name] }}
	template-id: ${{ matrix.env.rfc_template_id }}

	- name: Terraform Apply
	working-directory: ${{ matrix.env.tf_working_dir }}
	run: terraform apply plan

	# - name: deploy
	# env:
	# cdn_name: ${{ matrix.env.cdn_name }}
	# env: ${{ matrix.env.env }}
	# root_dns: ${{ matrix.env.root_dns }}
	# account_stack_name: ${{ matrix.env.account_stack_name }}
	# certificate_arn: ${{ matrix.env.certificate_arn }}
	# config_repo: ${{ matrix.env.config_repo }}
	# config_branch: ${{ matrix.env.config_branch }}
	# extra_tags: ${{ matrix.env.extra_tags }}
	# run: .aws-infrastructure/deploy-environment.sh $cdn_name $env $root_dns $account_stack_name $certificate_arn $config_repo $config_branch "$extra_tags"

	- name: End Standard Change
	uses: byu-oit/github-action-end-standard-change@v1
	if: always() && steps.start-standard-change.outcome == 'success' # Run if RFC started, even if the deploy failed
	with:
	client-key: ${{ secrets[matrix.env.rfc_key_name] }}
	client-secret: ${{ secrets[matrix.env.rfc_secret_name] }}
	change-sys-id: ${{ steps.start-standard-change.outputs.change-sys-id }}
	work-start: ${{ steps.start-standard-change.outputs.work-start }}
	success: ${{ job.status == 'success' }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: attach bucket access policy to content bucket instead of assembler #46

Workflow file

fix: attach bucket access policy to content bucket instead of assembler #46

Jobs

Run details

Workflow file for this run