fix: terraform changes to go back to commit 36f6753131e372ca46ca732d3… #136
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy | |
| on: | |
| push: | |
| branches: [terraform] | |
| paths-ignore: | |
| - LICENSE | |
| - README.md | |
| concurrency: ${{ github.ref }} | |
| env: | |
| tf_version: "1.4.5" # must match value in terraform-iac/*/app/main.tf | |
| node_version: "16.x" # must match value in log-analyzer/sorter-lambda/package.json | |
| jobs: | |
| env: | |
| name: Set Env Vars | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set up DEV Environment Variables | |
| if: github.ref == 'refs/heads/terraform' | |
| run: | | |
| matrix='{ | |
| "env":[ | |
| { | |
| "aws_account":"637423550675", | |
| "aws_gha_role":"web-cdn-dev-gha", | |
| "rfc_key_name":"standard_change_sandbox_client_key", | |
| "rfc_secret_name":"standard_change_sandbox_client_secret", | |
| "rfc_template_id":"Codepipeline-Standard-Change", | |
| "assembler_ecr_repo_name" : "web-cdn-dev-assembler", | |
| "webhooks_ecr_repo_name" : "web-cdn-dev-webhooks", | |
| "log_sorter_ecr_repo_name" : "web-cdn-dev-log-sorter", | |
| "tf_working_dir":"./iac/dev/app" | |
| } | |
| ] | |
| }' | |
| echo matrix=`echo $matrix | jq -c .` >> $GITHUB_ENV | |
| # TODO: Update for prd | |
| - name: Set up PRD Environment Variables | |
| if: github.ref == 'refs/heads/master' | |
| run: | | |
| matrix='{ | |
| "env":[ | |
| { | |
| "aws_account":"204581410681", | |
| "aws_gha_role":"web-cdn-prd-gha", | |
| "rfc_key_name":"standard_change_production_client_key", | |
| "rfc_secret_name":"standard_change_production_client_secret", | |
| "rfc_template_id":"Codepipeline-Standard-Change", | |
| "assembler_ecr_repo_name" : "web-cdn-prd-assembler", | |
| "webhooks_ecr_repo_name" : "web-cdn-prd-webhooks", | |
| "log_sorter_ecr_repo_name" : "web-cdn-prd-log-sorter" | |
| "tf_working_dir":"./iac/prd/app" | |
| } | |
| ] | |
| }' | |
| echo matrix=`echo $matrix | jq -c .` >> $GITHUB_ENV | |
| outputs: | |
| matrix: ${{ env.matrix }} | |
| build_and_deploy: | |
| name: Build CDN pipeline | |
| runs-on: ubuntu-latest | |
| needs: env | |
| strategy: | |
| matrix: ${{ fromJson(needs.env.outputs.matrix) }} | |
| permissions: write-all | |
| steps: | |
| - name: Check out | |
| uses: actions/checkout@v3 | |
| - name: Disallow Concurrent Runs | |
| uses: byu-oit/github-action-disallow-concurrent-runs@v2 | |
| with: | |
| token: ${{ github.token }} | |
| - name: Configure AWS Credentials | |
| id: awscreds | |
| uses: aws-actions/configure-aws-credentials@v2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ matrix.env.aws_account }}:role/${{ matrix.env.aws_gha_role }}" | |
| role-session-name: ${{ github.sha }} | |
| aws-region: us-east-1 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: ${{ env.node_version }} | |
| # this is necessary because Lambda@Edge functions cannot be pulled from AWS ECR, so we cannot use a Dockerfile to deploy :( | |
| # this step installs the node_modules for the lambda, the terraform apply zips it up | |
| # see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-edge-function-restrictions.html | |
| - name: npm install in enhanced-headers | |
| working-directory: edge-lambdas/enhanced-headers | |
| run: npm ci --prefer-offline | |
| # this is necessary because Lambda@Edge functions cannot be pulled from AWS ECR, so we cannot use a Dockerfile to deploy :( | |
| # this step installs the node_modules for the lambda, the terraform apply zips it up | |
| # see https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-edge-function-restrictions.html | |
| - name: npm install in eager-redirect | |
| working-directory: edge-lambdas/eager-redirect | |
| run: npm ci --prefer-offline | |
| # both the webhook (assembler trigger) lambda and the assembler need this file, but in order to keep the context of our docker builds simple, we copy it into both places here | |
| # a better implementation of the webhook lambda might not need the main-config.yml file if we authenticated the github repos calling the lambda in a better way, but that is beyond the scope of the current work | |
| - name: Copy main-config.yml to /webhooks and /assembler | |
| run: cp ./main-config.yml ./assembler/main-config.yml && cp ./main-config.yml ./webhooks/main-config.yml | |
| - name: Log into Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: Get Current Timestamp | |
| id: date | |
| run: echo "timestamp=$(date +'%Y-%m-%d_%H-%M-%S')" >> $GITHUB_OUTPUT | |
| - name: Setup Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Build and push the Assembler Docker image | |
| env: | |
| ASSEMBLER_ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ASSEMBLER_ECR_REPO: ${{ matrix.env.assembler_ecr_repo_name }} | |
| ASSEMBLER_IMAGE_TAG: ${{ steps.date.outputs.timestamp }} | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: assembler | |
| push: true | |
| tags: ${{ env.ASSEMBLER_ECR_REGISTRY }}/${{ env.ASSEMBLER_ECR_REPO }}:${{ env.ASSEMBLER_IMAGE_TAG }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push the Log Sorter Docker image | |
| env: | |
| ANALYZER_ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ANALYZER_ECR_REPO: ${{ matrix.env.log_sorter_ecr_repo_name }} | |
| ANALYZER_IMAGE_TAG: ${{ steps.date.outputs.timestamp }} | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: log-analyzer/sorter-lambda | |
| provenance: false # see https://github.com/orgs/byu-oit/discussions/56 | |
| push: true | |
| tags: ${{ env.ANALYZER_ECR_REGISTRY }}/${{ env.ANALYZER_ECR_REPO }}:${{ env.ANALYZER_IMAGE_TAG }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Build and push the Webhook Docker image | |
| env: | |
| WEBHOOKS_ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| WEBHOOKS_ECR_REPO: ${{ matrix.env.webhooks_ecr_repo_name }} | |
| WEBHOOKS_IMAGE_TAG: ${{ steps.date.outputs.timestamp }} | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: webhooks | |
| provenance: false # see https://github.com/orgs/byu-oit/discussions/56 | |
| push: true | |
| tags: ${{ env.WEBHOOKS_ECR_REGISTRY }}/${{ env.WEBHOOKS_ECR_REPO }}:${{ env.WEBHOOKS_IMAGE_TAG }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Terraform Setup | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: ${{ env.tf_version }} | |
| terraform_wrapper: false | |
| - name: Terraform Init | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| run: terraform init | |
| - name: Terraform Format | |
| working-directory: "./" | |
| run: terraform fmt -check -recursive | |
| - name: Terraform Plan | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| run: terraform plan -var 'image_tag=${{ steps.date.outputs.timestamp }}' -input=false -out=plan | |
| - name: Analyze Terraform Plan | |
| uses: byu-oit/github-action-tf-plan-analyzer@v2 | |
| with: | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| terraform-plan-file: plan | |
| divvycloud-username: ${{ secrets.DIVVYCLOUD_USERNAME }} | |
| divvycloud-password: ${{ secrets.DIVVYCLOUD_PASSWORD }} | |
| - name: Start Standard Change | |
| uses: byu-oit/github-action-start-standard-change@v1 | |
| id: start-standard-change | |
| with: | |
| client-key: ${{ secrets[matrix.env.rfc_key_name] }} | |
| client-secret: ${{ secrets[matrix.env.rfc_secret_name] }} | |
| template-id: ${{ matrix.env.rfc_template_id }} | |
| - name: Terraform Apply | |
| working-directory: ${{ matrix.env.tf_working_dir }} | |
| run: terraform apply plan | |
| - name: End Standard Change | |
| uses: byu-oit/github-action-end-standard-change@v1 | |
| if: always() && steps.start-standard-change.outcome == 'success' # Run if RFC started, even if the deploy failed | |
| with: | |
| client-key: ${{ secrets[matrix.env.rfc_key_name] }} | |
| client-secret: ${{ secrets[matrix.env.rfc_secret_name] }} | |
| change-sys-id: ${{ steps.start-standard-change.outputs.change-sys-id }} | |
| work-start: ${{ steps.start-standard-change.outputs.work-start }} | |
| success: ${{ job.status == 'success' }} |