Setup CICD pipeline #100
Open
hamzajaved-csiro wants to merge 79 commits into develop from ci-cd
Changes from 13 commits
Commits (79)
d8b5e3b Create ci cd pipeline (hamzajaved-csiro)
21cf0a2 helm config fixes (brucehyslop)
e33b14d Update application.properties (joe-lipson)
1c1db3f refactored to externalise helm config parameters (brucehyslop)
5dd6161 removed Cognito client ID from config (brucehyslop)
251687d Merge branch 'ci-cd' of https://github.com/AtlasOfLivingAustralia/spe… (brucehyslop)
5d28179 added DB CF template config parameters (brucehyslop)
86430e4 adjusted db config and tag name of db resources (brucehyslop)
7f6791c fixed tag name substitution (brucehyslop)
de9c71d Merge branch 'develop' into ci-cd-2 (brucehyslop)
2aba7e0 added UI build environment (brucehyslop)
8fe31b7 added UI build Environment (brucehyslop)
c22d68a changed case of main entry point to match for case insensitive FS (brucehyslop)
090ba0d added testing environment config (brucehyslop)
5dda803 configuration of variables via helm (brucehyslop)
a3c16b6 remove unused dependencies (joe-lipson)
526287b export the full repo URI from the base stack (joe-lipson)
c64e8c4 only generate the secret on first launch (joe-lipson)
f30c755 remove pre-bedrock vars (joe-lipson)
057002a add ssl certificate vars (joe-lipson)
6c914d7 fix environment name (joe-lipson)
35a22c6 get the EKS cluster name from the regolith export (joe-lipson)
937b579 use the certificate ARN variable (joe-lipson)
a757306 add vars for image and tag (joe-lipson)
ad0ac55 move environment import to the pipeline (joe-lipson)
842ca47 need to prevent string key too (joe-lipson)
9031d23 revert to hard coded context (joe-lipson)
f4c594c add unset var script (joe-lipson)
7790df9 fix path (joe-lipson)
f9b05c0 add comment (joe-lipson)
464d272 add comment (joe-lipson)
aa2ac1f space (joe-lipson)
9a8d6a8 move debug print (joe-lipson)
aa28687 temporarily force secret regen (joe-lipson)
b3f1227 fix json (joe-lipson)
d25132f force true (joe-lipson)
915caf9 revert the first build condition (joe-lipson)
3376767 can't work out how to do this with a generated secret, reverting (joe-lipson)
e381e49 debug print (joe-lipson)
8f48828 Merge branch 'develop' into ci-cd (brucehyslop)
77e3d88 updated cognito client id for lists.test.ala.org.au (brucehyslop)
778a056 fixed auth redirect url (brucehyslop)
8c3407f changed oidc client id (brucehyslop)
9c06bcf updated truststore to include CA cert for ala.org.au domain (brucehyslop)
9d8df55 configuration of namematching service baseUrl (brucehyslop)
1668348 added config checksum annotations to trigger pod rotation on change (brucehyslop)
7e844db config for cognito auth and helm values (brucehyslop)
04e44fe passing through env config to deploy stage (brucehyslop)
98c5f20 change db resource naming to support feature env (brucehyslop)
5a930f4 fixed env variable names (brucehyslop)
3d5996d removed sourcing app.env (brucehyslop)
b5f2ee5 generate helm value override file (brucehyslop)
4b90f38 buildspec fix (brucehyslop)
b985ab9 config adjustments (brucehyslop)
888807a block style yaml config (brucehyslop)
4242b4f added extra quotes (brucehyslop)
fa5234d extra config mappings (brucehyslop)
067e07b added missing mongo user env (brucehyslop)
1c3dfe5 docdb config fixes (brucehyslop)
35c74db indentation of generated yaml config overrides (brucehyslop)
e7f0e06 add domain to deploy environment (joe-lipson)
12789a3 update certificate var name (joe-lipson)
1e327d3 remove leading $ (joe-lipson)
fae1147 remove leading $ (joe-lipson)
313e799 Fixed frontend crash with missing classification & updated pipeline t… (jack-brinkman)
7ae43c1 configurable helm release name (brucehyslop)
e1b6ee1 added configurable helm chart name (brucehyslop)
740e253 update cert config name (brucehyslop)
ec13f98 added uninstall action to remove resources deployed in deploy build spec (brucehyslop)
f535398 fixed helm release name env var (brucehyslop)
4204e76 removed unused code build environment (brucehyslop)
668bd2b removed config of namespace, defined by helm install (brucehyslop)
588ce76 fixed uninstall env config (brucehyslop)
f71064a removed unused secret for uninstall spec (brucehyslop)
7d4d4ac added missing EKS_CLUSTER_NAME env (brucehyslop)
de043eb removed setting of namespace config (brucehyslop)
27a082c fixes to uninstall action (brucehyslop)
e62f13f changed helm release name env var name (brucehyslop)
6a9af8f Merge branch 'ci-cd' into feature/cicd-pipeline (brucehyslop)
@@ -0,0 +1,85 @@ | ||
AWSTemplateFormatVersion: '2010-09-09' | ||
|
||
Description: Base resources for the Lists service | ||
|
||
Parameters: | ||
pBuild: | ||
Type: String | ||
Description: The build number | ||
pCleanBranch: | ||
Type: String | ||
Description: The clean branch, can be used in resource names | ||
pEnvironment: | ||
Type: String | ||
Description: The AWS environment this belongs to | ||
|
||
Conditions: | ||
|
||
IsDev: !Equals | ||
- !Ref pEnvironment | ||
- development | ||
NotProd: !Not | ||
- !Equals | ||
- !Ref pEnvironment | ||
- production | ||
|
||
Resources: | ||
|
||
ListsRepository: | ||
Type: AWS::ECR::Repository | ||
Properties: | ||
EmptyOnDelete: !If [ NotProd, true, false ] | ||
EncryptionConfiguration: | ||
EncryptionType: AES256 | ||
ImageScanningConfiguration: | ||
ScanOnPush: true | ||
RepositoryName: !Sub | ||
- lists-${ResourceName} | ||
- ResourceName: !If [ IsDev, !Ref pCleanBranch, !Ref pEnvironment ] | ||
RepositoryPolicyText: | ||
Version: 2012-10-17 | ||
Statement: | ||
- Sid: AllowPublicPull | ||
Effect: Allow | ||
Principal: '*' | ||
Action: | ||
- 'ecr:GetDownloadUrlForLayer' | ||
- 'ecr:BatchGetImage' | ||
- 'ecr:BatchCheckLayerAvailability' | ||
Tags: | ||
- Key: Environment | ||
Value: !Ref pEnvironment | ||
- Key: Branch | ||
Value: !Ref pCleanBranch | ||
|
||
ListsSecret: | ||
Type: 'AWS::SecretsManager::Secret' | ||
Properties: | ||
Name: !Sub | ||
- lists-${ResourceName} | ||
- ResourceName: !If [ IsDev, !Ref pCleanBranch, !Ref pEnvironment ] | ||
Description: !Sub Lists app ${pEnvironment} secrets | ||
GenerateSecretString: | ||
GenerateStringKey: db-password | ||
PasswordLength: 12 | ||
ExcludeCharacters: "/@\" " | ||
SecretStringTemplate: | | ||
{ | ||
"db-password": "" | ||
} | ||
|
||
|
||
|
||
Outputs: | ||
|
||
ListsRepositoryArn: | ||
Description: The ECR repository ARN for the Lists service | ||
Value: !GetAtt ListsRepository.Arn | ||
|
||
ListsRepositoryName: | ||
Description: The ECR repository ARN for the Lists service | ||
Value: !Ref ListsRepository | ||
|
||
ListsSecret: | ||
Description: The Secrets name for lists | ||
Value: !Ref ListsSecret |
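Review bot: the `RepositoryPolicyText` statement `AllowPublicPull` uses `Principal: '*'`, which lets any AWS principal pull images from this repository in every environment, production included. If the images are not meant to be publicly pullable, restrict the principal to this account or to the EKS node and pod roles that run the service. Two smaller points in the same hunk: the `ListsRepositoryName` output copies the description `The ECR repository ARN for the Lists service` although its value is the repository name returned by `!Ref`, and `PasswordLength: 12` is short for a generated `db-password` that nothing in this template rotates (the Secrets Manager default is 32).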
@@ -0,0 +1,25 @@ | ||
{ | ||
"Parameters" : { | ||
"pBuild" : "{{ codebuild_build_number }}", | ||
"pCleanBranch" : "{{ clean_branch }}", | ||
"pEnvironment" : "{{ environment }}" | ||
}, | ||
"Tags" : { | ||
"product" : "{{ product_name }}", | ||
"component" : "{{ product_component }}", | ||
"environment" : "{{ environment }}", | ||
"branch" : "{{ src_branch }}", | ||
"version" : "{{ commit_id }}", | ||
"build" : "{{ codebuild_build_number }}" | ||
}, | ||
"StackPolicy" : { | ||
"Statement" : [ | ||
{ | ||
"Effect" : "Allow", | ||
"Action" : "Update:*", | ||
"Principal": "*", | ||
"Resource" : "*" | ||
} | ||
] | ||
} | ||
} |
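Review bot: the `StackPolicy` allows `Update:*` for `Principal: "*"` on `Resource: "*"`, which protects nothing; it is equivalent to having no stack policy. Since this stack owns `ListsSecret` and the ECR repository, consider a `Deny` statement for `Update:Replace` and `Update:Delete` on those logical IDs, at least when `{{ environment }}` is production, so a later template change cannot replace the secret or remove the repository during an update.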
@@ -0,0 +1,22 @@ | ||
[DEFAULT] | ||
PRODUCT_COMPONENT = base | ||
PIPELINE_STACK_NAME = ala-${PRODUCT_NAME}-${PRODUCT_COMPONENT}-pipeline-${ENVIRONMENT} | ||
BASE_STACK_FILE_PFIX = base | ||
BASE_STACK_NAME = ala-${PRODUCT_NAME}-${PRODUCT_COMPONENT}-${ENVIRONMENT} | ||
AUTO_DEPLOY = false | ||
SLACK_DEPLOY_NOTIFICATION = false | ||
SLACK_ALERT_CHANNEL = deployments | ||
|
||
[development] | ||
# code pipeline | ||
PIPELINE_STACK_NAME = ala-${PRODUCT_NAME}-${PRODUCT_COMPONENT}-pipeline-${CLEAN_BRANCH} | ||
BASE_STACK_NAME = ala-${PRODUCT_NAME}-${PRODUCT_COMPONENT}-${CLEAN_BRANCH} | ||
SLACK_DEPLOY_NOTIFICATION = true | ||
SLACK_ALERT_CHANNEL = zabbix-lists | ||
AUTO_DEPLOY = true | ||
|
||
[develop] | ||
|
||
[staging] | ||
|
||
[production] | ||
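Review bot: `SLACK_DEPLOY_NOTIFICATION = false` in `[DEFAULT]` is inherited by the empty `[production]` section, so a production release sends no Slack notification while `[development]` feature branches do. Add `SLACK_DEPLOY_NOTIFICATION = true` and the intended `SLACK_ALERT_CHANNEL` under `[production]`; the empty `[develop]` and `[staging]` sections would also be clearer if they stated their values rather than relying on the defaults.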
We should always send a deploy notification for a production release
lists-service/cicd/base/pipeline/deploy_notification_buildspec.yaml (59 additions & 0 deletions)
@@ -0,0 +1,59 @@ | ||
version: 0.2 | ||
### | ||
# This build project sends out the various deploy notifications | ||
|
||
env: | ||
shell: bash | ||
variables: | ||
DEBIAN_FRONTEND: "noninteractive" | ||
exported-variables: | ||
- CODEBUILD_BUILD_NUMBER | ||
secrets-manager: | ||
DD_API_KEY: ala-secrets-production:datadog-api-key | ||
SLACK_OAUTH_TOKEN: ala-secrets-production:slack-oauth-token | ||
|
||
phases: | ||
|
||
install: | ||
commands: | ||
- echo Running on $(lsb_release -d | cut -f2) | ||
- echo aws-cli version $(aws --version) | ||
finally: | ||
- #echo This always runs even if the update or install command fails | ||
|
||
|
||
pre_build: | ||
commands: | ||
- echo Entered the pre_build phase... | ||
- # have to get the commit message here because passing it as an env var from | ||
- # the pipeline doesn't work when the commit message contains json breaking characters | ||
- export PIPELINE_NAME=$(echo $CODEBUILD_INITIATOR | cut -d'/' -f2) | ||
- export COMMIT_MSG=$(aws codepipeline list-pipeline-executions --pipeline-name $PIPELINE_NAME --max-items 1 --query 'pipelineExecutionSummaries[0].sourceRevisions[0].revisionSummary' | jq -r '. | fromjson | .CommitMessage') | ||
- echo source branch is $SRC_BRANCH | ||
- echo clean branch is $CLEAN_BRANCH | ||
- echo Environment is $ENVIRONMENT | ||
- echo commit msg is $COMMIT_MSG | ||
- echo commit id is $COMMIT_ID | ||
- echo Repo is $REPO | ||
- export DEPLOY_MSG="$AUTHOR has released a $ENVIRONMENT update to $PRODUCT_NAME $PRODUCT_COMPONENT." | ||
- echo $DEPLOY_MSG | ||
finally: | ||
- #echo This always runs | ||
|
||
build: | ||
commands: | ||
- echo Datadog deploy notification | ||
- lists-service/cicd/dd_notification.sh | ||
- echo Slack Deploy notification | ||
- | | ||
if [ "$SLACK_DEPLOY_NOTIFICATION" == "true" ] ; then | ||
lists-service/cicd/slack_notification.sh | ||
fi | ||
|
||
finally: | ||
- #echo This always runs | ||
|
||
|
||
post_build: | ||
commands: | ||
- #echo Entered the post_build phase... |
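Review bot: the `secrets-manager` block reads `DD_API_KEY` and `SLACK_OAUTH_TOKEN` from `ala-secrets-production` regardless of `$ENVIRONMENT`, so every development and feature-branch build project is granted the production Datadog and Slack credentials. Scope the secret name per environment, or grant `secretsmanager:GetSecretValue` on that secret only to the production pipeline's role. Also, items such as `- #echo This always runs` are not commented out: after `- `, the `#` begins a YAML comment and leaves a null entry in the `commands` list, so either delete them or put the comment on its own line. Finally, `$COMMIT_MSG` and `$DEPLOY_MSG` are expanded unquoted in the `echo` commands even though the comment above notes the commit message can contain awkward characters; quote them.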
@@ -0,0 +1,153 @@ | ||
#!/bin/bash | ||
set -ueo pipefail | ||
|
||
### | ||
# Deploy the codepipeline for the lists app | ||
# You must have AWS CLI authentication for this to run. | ||
|
||
usage() { | ||
echo "Usage: $0 [OPTIONS]" | ||
echo "Options:" | ||
echo " -e The environment. Optional but must be \"prod\" to launch in production" | ||
echo " -b Branch override. Used when we're not on a branch (detached head)" | ||
} | ||
|
||
ENV=nonprod | ||
BRANCH_OVERRIDE= | ||
SCRIPT_DIR=$(dirname "$(realpath "$0")") | ||
|
||
while getopts "e:b:" flag; do | ||
case $flag in | ||
e) # Handle the -e environment flag | ||
# must be "prod" to launch in production | ||
ENV=$OPTARG | ||
;; | ||
b) # Handle the -b branch override flag | ||
# branch override is used when we're not on a branch (detached head) | ||
BRANCH_OVERRIDE=$OPTARG | ||
;; | ||
\?) | ||
usage | ||
exit 1 | ||
;; | ||
esac | ||
done | ||
|
||
# get the branch | ||
branch=$(git branch --show-current) | ||
|
||
# confirm which environment we're deploying to if it wasnt explicitly set | ||
if [ "$branch" = "main" ] && [ "$ENV" = "nonprod" ]; then | ||
echo "Deploy to production or staging?" | ||
echo "1) production" | ||
echo "2) staging" | ||
read -p "Enter your choice (1 or 2): " choice | ||
|
||
case $choice in | ||
1) | ||
ENV="prod" | ||
;; | ||
esac | ||
fi | ||
|
||
# check if we're on a detached head | ||
if [[ -n $branch ]]; then | ||
real_branch=1 | ||
elif [[ -z $branch && -n $BRANCH_OVERRIDE ]]; then | ||
real_branch=0 | ||
branch=$BRANCH_OVERRIDE | ||
else | ||
echo "You must specify a branch override or run this script from a git branch" | ||
exit 1; | ||
fi | ||
|
||
echo branch: $branch | ||
|
||
# get the commit_ids | ||
COMMIT_ID=$(git rev-parse HEAD) | ||
echo commit id: $COMMIT_ID | ||
LATEST_COMMIT_ID=$(git log -n 1 --pretty=format:"%H" $branch) | ||
|
||
# check if we're rolling back to a previous commit | ||
if [[ "$COMMIT_ID" != "$LATEST_COMMIT_ID" ]]; then | ||
echo latest commit is $LATEST_COMMIT_ID | ||
echo but we are releasing $COMMIT_ID | ||
echo we are rolling back to a previous commit | ||
RESTART_PIPELINE_ON_UPDATE=false | ||
else | ||
RESTART_PIPELINE_ON_UPDATE=true | ||
fi | ||
|
||
# check that any changes are commited and pushed | ||
if [[ $real_branch -eq 1 && -n "$(git status --porcelain)" ]] ; then | ||
echo "changes must be committed and pushed before deploying" | ||
exit 1; | ||
fi | ||
|
||
# check the remote branch exists | ||
if [[ $real_branch -eq 1 ]] && ! git ls-remote --exit-code origin $branch > /dev/null 2>&1 ; then | ||
echo "changes must be committed and pushed before deploying" | ||
exit 1; | ||
fi | ||
|
||
# check there are no differences with remote | ||
if [[ $real_branch -eq 1 && -n "$(git diff $branch origin/$branch)" ]] ; then | ||
echo "changes must be committed and pushed before deploying" | ||
exit 1; | ||
fi | ||
|
||
# get the clean version of the branch | ||
clean_branch=$($SCRIPT_DIR/../../clean_branch.sh $branch) | ||
echo clean branch: $clean_branch | ||
|
||
# get the environment based on the branch | ||
environment=$($SCRIPT_DIR/../../branch_2_env.py --branch $branch --env $ENV) | ||
echo environment: $environment | ||
|
||
# load environment vars | ||
$SCRIPT_DIR/../../gen_env_vars.py --env $environment --clean-branch $clean_branch --conf $SCRIPT_DIR/../config.ini > env.txt | ||
source env.txt | ||
rm env.txt | ||
|
||
# Determine the operating system | ||
OS=$(uname) | ||
|
||
# Calculate pipeline MD5 based on the operating system | ||
case "$OS" in | ||
"Darwin") | ||
# macOS | ||
PIPELINE_MD5=$(md5 -q pipeline.yaml) | ||
;; | ||
"Linux") | ||
# Linux | ||
PIPELINE_MD5=$(md5sum pipeline.yaml | awk '{ print $1 }') | ||
;; | ||
*) | ||
echo "Unsupported OS: $OS" | ||
exit 1 | ||
;; | ||
esac | ||
|
||
# deploy/update the template | ||
echo "Deploying the pipeline template" | ||
aws cloudformation deploy \ | ||
--template-file pipeline.yaml \ | ||
--stack-name $PIPELINE_STACK_NAME \ | ||
--tags product=$PRODUCT_NAME component=cicd environment=$environment branch=$branch version=$COMMIT_ID \ | ||
--region $REGION \ | ||
--capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \ | ||
--parameter-overrides \ | ||
pAutoDeploy=$AUTO_DEPLOY \ | ||
pBootstrapStackName=$BOOTSTRAP_STACK_NAME \ | ||
pBucketsStackName=$BUCKETS_STACK_NAME \ | ||
pCleanBranch=$clean_branch \ | ||
pEksClusterName=$EKS_CLUSTER_NAME \ | ||
pEksClusterName can be removed, it's not in the CF template
pEnvironment=$environment \ | ||
pGitHubBranch=$branch \ | ||
pGitHubOwner=$GITHUB_OWNER \ | ||
pGitHubRepositoryName=$GITHUB_REPO_NAME \ | ||
pPipelineFingerprint=$PIPELINE_MD5 \ | ||
pProductComponent=$PRODUCT_COMPONENT \ | ||
pProductName=$PRODUCT_NAME \ | ||
pRestartExecutionOnUpdate=$RESTART_PIPELINE_ON_UPDATE \ | ||
|
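Review bot: the interactive prompt shown on `main` only handles `1)` in `case $choice`; answering `2` for staging or typing anything else leaves `ENV=nonprod` and the script silently continues with the default. Add a `2)` branch that sets `ENV` to the staging value `branch_2_env.py` expects, and a `*)` branch that exits. Two related points: the freshness checks (`git ls-remote`, `git diff $branch origin/$branch`) compare against the local remote-tracking ref without a `git fetch origin` first, so a stale clone passes them; and `pEksClusterName=$EKS_CLUSTER_NAME` was already flagged inline as absent from the template, which matters because CloudFormation rejects parameter overrides the template does not declare.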
An issue I've run into with this on other products is that if you update anything in the base config then it resets all the secrets, which you usually don't want to do. I just used this in userdetails to make it create the secrets on the first deploy; then for subsequent deploys or updates to the base component it leaves them alone.