Add conditional approval for AWS environment destruction #22
| name: 'Deploy to AWS' | |
| on: | |
| push: | |
| branches: | |
| - create-terraform-configuration | |
| # - 'releases/**' | |
| workflow_dispatch: | |
| inputs: | |
| deploy-env: | |
| description: 'Environment to deploy' | |
| required: true | |
| type: choice | |
| options: | |
| - Development | |
| default: Development | |
| deploy-plan-only: | |
| description: 'Plan only' | |
| required: false | |
| type: boolean | |
| default: false | |
| # restore-db: | |
| # description: 'Restore database to original state (Reset database for Development and restore anon dump for Test and Pre-prod)' | |
| # required: false | |
| # type: boolean | |
| # default: false | |
| # clear-opensearch: | |
| # description: 'Clear the custom OpenSearch indexes and templates' | |
| # required: false | |
| # type: boolean | |
| # default: false | |
| jobs: | |
| init-and-plan: | |
| runs-on: ubuntu-latest | |
| environment: Development | |
| steps: | |
| - name: Get Environment Name for ${{ vars.ENV_NAME }} | |
| id: get_env_name | |
| uses: Entepotenz/change-string-case-action-min-dependencies@v1 | |
| with: | |
| string: ${{ vars.ENV_NAME }} | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: Checkout config repository | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: 'speedandfunction/website-ci-secret' | |
| path: 'terraform-config' | |
| token: ${{ secrets.PAT }} | |
| - name: Copy tfvars for ${{ vars.ENV_NAME }} | |
| run: | | |
| cat "terraform-config/${{ vars.ENV_NAME }}.tfvars" "deployment/environments/${{ vars.ENV_NAME }}.tfvars" > "deployment/terraform.tfvars" | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.12.0 | |
| terraform_wrapper: false | |
| - name: Terraform Plan for ${{ vars.ENV_NAME }} | |
| run: | | |
| cd deployment | |
| terraform init -backend-config="environments/backend-${{ vars.ENV_NAME }}.hcl" | |
| terraform plan -out="${{ vars.ENV_NAME }}.tfplan" | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TF_AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: "us-east-1" | |
| - name: Copy planfile to S3 bucket for ${{ vars.ENV_NAME }} | |
| run: aws s3 cp "deployment/${{ vars.ENV_NAME }}.tfplan" "s3://${{ env.SETTINGS_BUCKET }}/plans/${{ vars.ENV_NAME }}.tfplan" | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TF_AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_AWS_SECRET_ACCESS_KEY }} | |
| SETTINGS_BUCKET: sf-website-infrastructure | |
| AWS_DEFAULT_REGION: "us-east-1" | |
| - name: Copy lock file to S3 bucket for ${{ vars.ENV_NAME }} | |
| run: aws s3 cp "deployment/.terraform.lock.hcl" "s3://${{ env.SETTINGS_BUCKET }}/plans/${{ vars.ENV_NAME }}.terraform.lock.hcl" | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TF_AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_AWS_SECRET_ACCESS_KEY }} | |
| SETTINGS_BUCKET: sf-website-infrastructure | |
| AWS_DEFAULT_REGION: "us-east-1" | |
| apply: | |
| needs: [init-and-plan] | |
| runs-on: ubuntu-latest | |
| environment: Development | |
| if: ${{ inputs.deploy-plan-only == false }} | |
| steps: | |
| - name: Get Environment Name for ${{ vars.ENV_NAME }} | |
| id: get_env_name | |
| uses: Entepotenz/change-string-case-action-min-dependencies@v1 | |
| with: | |
| string: ${{ vars.ENV_NAME }} | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v2 | |
| with: | |
| terraform_version: 1.12.0 | |
| terraform_wrapper: false | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Get planfile from S3 bucket for ${{ vars.ENV_NAME }} | |
| run: aws s3 cp "s3://${{ env.SETTINGS_BUCKET }}/plans/${{ vars.ENV_NAME }}.tfplan" "deployment/${{ vars.ENV_NAME }}.tfplan" | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TF_AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_AWS_SECRET_ACCESS_KEY }} | |
| SETTINGS_BUCKET: sf-website-infrastructure | |
| AWS_DEFAULT_REGION: "us-east-1" | |
| - name: Get lock file from S3 bucket for ${{ vars.ENV_NAME }} | |
| run: aws s3 cp "s3://${{ env.SETTINGS_BUCKET }}/plans/${{ vars.ENV_NAME }}.terraform.lock.hcl" "deployment/.terraform.lock.hcl" | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TF_AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_AWS_SECRET_ACCESS_KEY }} | |
| SETTINGS_BUCKET: sf-website-infrastructure | |
| AWS_DEFAULT_REGION: "us-east-1" | |
| - name: Terraform Apply for ${{ vars.ENV_NAME }} | |
| run: | | |
| cd deployment | |
| terraform init -backend-config="environments/backend-${{ vars.ENV_NAME }}.hcl" | |
| terraform apply "${{ vars.ENV_NAME }}.tfplan" | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.TF_AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_AWS_SECRET_ACCESS_KEY }} | |
| AWS_DEFAULT_REGION: "us-east-1" | |
| build_and_push_docker_image: | |
| needs: [apply] | |
| runs-on: ubuntu-latest | |
| environment: Development | |
| if: ${{ inputs.deploy-plan-only == false }} | |
| steps: | |
| - name: Get Environment Name for ${{ vars.ENV_NAME }} | |
| id: get_env_name | |
| uses: Entepotenz/change-string-case-action-min-dependencies@v1 | |
| with: | |
| string: ${{ vars.ENV_NAME }} | |
| - name: Checkout repo | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS credentials for ${{ vars.ENV_NAME }} | |
| uses: aws-actions/configure-aws-credentials@v1 | |
| with: | |
| aws-access-key-id: ${{ secrets.TF_AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.TF_AWS_SECRET_ACCESS_KEY }} | |
| aws-region: "us-east-1" | |
| - name: Login to Amazon ECR | |
| uses: aws-actions/amazon-ecr-login@v1 | |
| - name: Build and push Apostrophe Docker image to ECR for ${{ vars.ENV_NAME }} | |
| run: | | |
| docker build --platform linux/amd64 -t $ECR_REPOSITORY:$IMAGE_TAG . | |
| docker push $ECR_REPOSITORY:$IMAGE_TAG | |
| env: | |
| IMAGE_TAG: latest | |
| ECR_REPOSITORY: 695912022152.dkr.ecr.us-east-1.amazonaws.com/sf-website-${{ vars.ENV_NAME }} | |
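Review bot: The apply job applies whatever object sits at the fixed key `s3://sf-website-infrastructure/plans/${{ vars.ENV_NAME }}.tfplan`, so two overlapping runs overwrite each other's plan and any principal able to write that prefix (the same static `TF_AWS_*` keys every step exports) can replace the plan that `terraform apply` executes; the plan-to-apply handoff is safer as a run-scoped workflow artifact, as below, or at minimum keyed by `${{ github.run_id }}` with a workflow-level `concurrency` group. The plan also embeds the tfvars merged from the private config repository, so a comment on the bucket's encryption and access policy would help the next maintainer judge that exposure. Separately, the `deploy-env` input is never read — all three jobs hard-code `environment: Development` — and `Entepotenz/change-string-case-action-min-dependencies@v1` is a third-party action pinned to a mutable tag whose `get_env_name` output no visible step consumes, so consider dropping those steps or pinning the action to a commit SHA. If the file continues past the `ECR_REPOSITORY` line, this note covers only the jobs visible here.
```yaml
      # … unchanged: init-and-plan steps through "Terraform Plan" …
      - name: Upload planfile for ${{ vars.ENV_NAME }}
        uses: actions/upload-artifact@v4
        with:
          name: tfplan-${{ vars.ENV_NAME }}
          path: |
            deployment/${{ vars.ENV_NAME }}.tfplan
            deployment/.terraform.lock.hcl
          include-hidden-files: true  # .terraform.lock.hcl is a dotfile
          if-no-files-found: error
          retention-days: 1
      # … unchanged: apply job header, "Setup Terraform" and "Checkout" steps …
      - name: Download planfile for ${{ vars.ENV_NAME }}
        uses: actions/download-artifact@v4
        with:
          name: tfplan-${{ vars.ENV_NAME }}
          path: deployment
      # … unchanged: "Terraform Apply" step …
```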