Merge pull request #463 from NEU-DSG/update-configure-aws-credentials
#767
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Infrastructure Deployment | |
| # Controls when the action will run. Triggers the workflow on push or pull request | |
| # events but only for the main branch | |
| on: | |
| release: | |
| types: [released, prereleased] | |
| push: | |
| branches: [main] | |
| paths-ignore: | |
| - "**/README.md" | |
| - "**/readme.md" | |
| - "doc/**/*.md" | |
| concurrency: | |
| group: infra-${{ github.ref }} | |
| # Cancelling terraform deployments will screw up terraform's own locking mechanism | |
| cancel-in-progress: false | |
| # A workflow run is made up of one or more jobs that can run sequentially or in parallel | |
| jobs: | |
| build: | |
| runs-on: ubuntu-22.04 | |
| environment: ${{ github.event_name == 'release' && ( github.event.action == 'released' && 'Production' || 'Development') || 'Development' }} | |
| env: | |
| DATABASE_PASSWORD: ${{ github.event.action == 'prereleased' && secrets.UAT_DATABASE_PASSWORD || secrets.DATABASE_PASSWORD }} | |
| GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }} | |
| AWS_VPC_ID: ${{ secrets.AWS_VPC_ID }} | |
| AWS_SUBNET_PRIMARY: ${{ secrets.AWS_SUBNET_PRIMARY }} | |
| AWS_ZONE_PRIMARY: ${{ secrets.AWS_ZONE_PRIMARY }} | |
| AWS_SUBNET_SECONDARY0: ${{ secrets.AWS_SUBNET_SECONDARY0 }} | |
| AWS_ZONE_SECONDARY0: ${{ secrets.AWS_ZONE_SECONDARY0 }} | |
| AWS_SUBNET_SECONDARY1: ${{ secrets.AWS_SUBNET_SECONDARY1 }} | |
| AWS_ZONE_SECONDARY1: ${{ secrets.AWS_ZONE_SECONDARY1 }} | |
| AWS_SSH_KEY: ${{ secrets.AWS_SSH_KEY }} | |
| GIT_REPOSITORY_URL: https://github.com/neu-dsg/dailp-encoding | |
| OAUTH_TOKEN: ${{ secrets.OAUTH_TOKEN }} | |
| RUST_LOG: info | |
| # Stage is Development if not based on a release event, is Staging/UAT if event action is prereleased, is Production if event action is released | |
| TF_STAGE: ${{ github.event_name == 'release' && ( github.event.action == 'prereleased' && 'uat' || 'prod') || 'dev' }} | |
| # Steps represent a sequence of tasks that will be executed as part of the job | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 0 | |
| - name: Push to release branch | |
| if: ${{ github.event_name == 'release' }} | |
| uses: ad-m/github-push-action@master | |
| with: | |
| branch: ${{ github.event.action == 'prereleased' && 'uat' || 'release' }} | |
| force: true | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-1 | |
| - uses: dorny/paths-filter@v2 | |
| id: filter | |
| with: | |
| base: ${{ github.ref }} | |
| filters: | | |
| backend: | |
| - 'types/**' | |
| - 'graphql/**' | |
| - 'flake.nix' | |
| - 'flake.lock' | |
| - 'terraform/**' | |
| data: | |
| - 'types/**' | |
| - 'migration/**' | |
| - 'graphql/**' | |
| rust: | |
| - '**/*.rs' | |
| - 'Cargo.lock' | |
| - name: Install Nix | |
| uses: cachix/install-nix-action@v20 | |
| with: | |
| nix_path: nixpkgs=channel:nixos-21.11 | |
| - name: Use binary cache for nix store | |
| uses: cachix/cachix-action@v12 | |
| with: | |
| name: dailp | |
| # If you chose API tokens for write access OR if you have a private cache | |
| authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}" | |
| pushFilter: "(-dailp$|-dailp-|-terraform-config$|-source$|\\.tar\\.gz$|-output$|-plan$|-apply-now$|-apply$)" | |
| - name: Build and test project | |
| # nix -L argument shows the full build log and --impure allows it to access environment variables. | |
| env: | |
| BASTION_ID: ${{ (env.TF_STAGE == 'prod' && secrets.EC2_INSTANCE ) || (env.TF_STAGE == 'uat' && secrets.UAT_EC2_INSTANCE) || secrets.DEV_EC2_INSTANCE }} | |
| run: | | |
| nix build --impure -L | |
| - name: Deploy back-end to AWS via terraform | |
| env: | |
| BASTION_ID: ${{ (env.TF_STAGE == 'prod' && secrets.EC2_INSTANCE ) || (env.TF_STAGE == 'uat' && secrets.UAT_EC2_INSTANCE) || secrets.DEV_EC2_INSTANCE }} | |
| run: | | |
| nix run --impure -L .#tf-apply-now | |
| SECURITY_GROUP_ID=$(nix run --impure .#tf-output access_security_group_id) | |
| echo "ACCESS_SECURITY_GROUP=$SECURITY_GROUP_ID" >> $GITHUB_ENV | |
| - name: Update database schema | |
| env: | |
| BASTION_IP: ${{ (env.TF_STAGE == 'prod' && secrets.PROD_BASTION_IP ) || (env.TF_STAGE == 'uat' && secrets.UAT_BASTION_IP) || secrets.DEV_BASTION_IP }} | |
| BASTION_ID: ${{ (env.TF_STAGE == 'prod' && secrets.EC2_INSTANCE ) || (env.TF_STAGE == 'uat' && secrets.UAT_EC2_INSTANCE) || secrets.DEV_EC2_INSTANCE }} | |
| run: | | |
| echo "Retrieving terraform outputs..." | |
| DATABASE_ADDRESS=$(nix run --impure .#tf-output database_address) | |
| echo "Connecting to bastion via SSM..." | |
| aws ssm start-session \ | |
| --target ${{ env.BASTION_ID }} \ | |
| --document-name AWS-StartPortForwardingSessionToRemoteHost \ | |
| --parameters '{"host":[ '"\"$DATABASE_ADDRESS\""' ],"portNumber":["5432"], "localPortNumber":["5432"]}' & | |
| echo "Updating shell variables..." | |
| export DAILP_API_URL=$(nix run --impure .#tf-output functions_url) | |
| export DATABASE_URL=postgres://dailp:$DATABASE_PASSWORD@localhost:5432/dailp | |
| echo "Migrating schema..." | |
| nix run --impure .#migrate-schema | |
| - name: Publish website | |
| run: | | |
| curl -X POST -d {} "$(nix run --impure .#tf-output amplify_webhook)" -H "Content-Type:application/json" |