core-github-actions/.github/workflows/deploy_feature_branch.yml at main · OpenSesame/core-github-actions · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
name: "Deploy Feature Branch to Dev"

on:
  workflow_call:
    inputs:
      terraform_workspace:
        description: 'Terraform workspace'
        required: true
        type: string
      terraform-root:
        description: 'Root directory of terraform dev. When omitted, terraform/dev is used'
        required: false
        type: string
        default: 'terraform/dev'
      oidc-domain:
        description: 'OIDC Domain. Ex: "core" or "reveng"'
        required: true
        type: string
      role_session_name_suffix:
        description: 'Suffix for the role session name'
        required: true
        type: string
      deploy_fargate:
        description: 'Deploy Fargate'
        required: false
        default: false
        type: boolean
    secrets:
      ORG_READ_ONLY_SSH_KEY:
        required: true
      ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN:
        required: true

    outputs:
      name_prefix:
        value: ${{ jobs.build_and_apply.outputs.name_prefix }}
      api_endpoint:
        value: ${{ jobs.build_and_apply.outputs.api_endpoint }}
      deploy_fargate:
        value: ${{ inputs.deploy_fargate }}

permissions:
  id-token: write
  contents: read

jobs:
  build_and_apply:
    runs-on: ubuntu-latest
    environment: dev
    outputs:
      name_prefix: ${{ steps.build_apply.outputs.name_prefix }}
      api_endpoint: ${{ steps.build_apply.outputs.api_endpoint }}
      deploy_fargate: ${{ inputs.deploy_fargate }}

    steps:
      - id: get-role-arn
        uses: OpenSesame/gha-oidc-access/get-role-arn@v2
        with:
          domain: ${{ inputs.oidc-domain }}
          env: dev
          ORG_READ_ONLY_SSH_KEY: ${{ secrets.ORG_READ_ONLY_SSH_KEY }}

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ steps.get-role-arn.outputs.role-arn }}
          role-session-name: deployBranchDev-Run${{ inputs.role_session_name_suffix }}
          aws-region: ${{ steps.get-role-arn.outputs.region }}

      - name: Actions - Checkout Repo
        uses: actions/checkout@v4

      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: "20.x"
          registry-url: "https://npm.pkg.github.com"

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.6.3
          terraform_wrapper: false

      - name: Login to Amazon ECR
        if: ${{ inputs.deploy_fargate }}
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Install IUM App Packages & Build App
        if: ${{ inputs.deploy_fargate }}
        run: |
          cd lambdas/user-management-api
          npm ci
          npm run build

      - name: Build And Apply Feature Branch to Dev
        uses: opensesame/core-github-actions/build-apply@v1
        id: build_apply
        with:
          github_ssh_key: ${{ secrets.ORG_READ_ONLY_SSH_KEY }}
          terraform_root: ${{ inputs.terraform-root }}
          terraform_workspace: ${{ inputs.terraform_workspace }}
          node_auth_token: ${{ secrets.ORG_GITHUB_PACKAGES_READ_ONLY_TOKEN }}

      - name: Get Feature Branch Prefix
        if: ${{ inputs.deploy_fargate }}
        id: get_branch_prefix
        run: |
          FEATURE_BRANCH_ENV=$(echo "${{ github.ref }}" | awk -F'/' '{print tolower($NF)}' | tr '_' '-' | cut -c 1-15 | sed 's/-*$//')
          echo "FEATURE_BRANCH_ENV=$FEATURE_BRANCH_ENV" >> $GITHUB_ENV
          echo "::set-output name=feature_branch_env::$FEATURE_BRANCH_ENV"

      - name: Build, Tag, and Push IUM API Image to Dev ECR
        if: ${{ inputs.deploy_fargate }}
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          IMAGE_TAG: latest
          ECR_REPOSITORY: ${{ env.FEATURE_BRANCH_ENV }}-ium-ecr-repository
        run: |
          cd lambdas/user-management-api
          docker build -t $ECR_REPOSITORY:latest --platform linux/arm64 -f Dockerfile .
          docker tag $ECR_REPOSITORY:$IMAGE_TAG $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG
          docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG

      - name: Update IUM ECS Service to use new image
        if: ${{ inputs.deploy_fargate }}
        env:
          ECR_CLUSTER: ${{ env.FEATURE_BRANCH_ENV }}-ium-ecr-cluster
          ECS_SERVICE: ${{ env.FEATURE_BRANCH_ENV }}-ium-ecs-service
        run: |
          aws ecs update-service --cluster $ECR_CLUSTER --service $ECS_SERVICE --force-new-deployment

      - name: Deploy to Dev
        uses: opensesame/core-github-actions/deploy@v1
        with:
          github_ssh_key: ${{ secrets.ORG_READ_ONLY_SSH_KEY }}
          terraform_root: ${{ inputs.terraform-root }}
          terraform_workspace: ${{ inputs.terraform_workspace }}