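---
# terraform-serverless-deploy.yml
#
# Two independent jobs run on every pull request against main that touches
# one of the listed paths, and on every tag push:
#   * terraform-matrix — runs the Terraform action against the "dev"
#     workspace for PRs and the "prod" workspace otherwise.
#   * linting (display name "Deploy Lambda") — runs the test suite and
#     deploys the Serverless stack for the matching stage.
#
# Changes from the previous revision: the Discord webhook URL is read from
# a repository secret instead of being committed here, the step that dumped
# AWS_* environment variables into the job log is reduced to the
# get-caller-identity check, and all-digit / version-looking scalars are
# quoted so YAML parsers keep them as strings.
name: Terraform and Serverless Deployment

# https://github.com/hashicorp/setup-terraform#setup-terraform
# yamllint disable-line rule:truthy
on:
  pull_request:
    branches: [main]
    # only if we've changed terraform/ or botcpdf/ (or the other listed)
    # directories
    paths:
      - botcpdf/**
      - data/**
      - icons/**
      - templates/**
      - terraform/**
      - www/**
  push:
    tags:
      - '*'

# only allow one workflow to run at a time
concurrency:
  group: terraform-matrix
  cancel-in-progress: false

# id-token: write is granted but both jobs still authenticate to AWS with
# static access keys from secrets; the configure-aws-credentials action can
# use OIDC (role-to-assume without access keys) once the role's trust policy
# allows it — NOTE(review): worth confirming with the account owner.
permissions:
  id-token: write
  contents: read
  issues: write
  pull-requests: write

# set default (empty) env vars (keeps linter happy in IDE)
env:
  WORKSPACE: ''
  DEPLOY_ENV: ''

jobs:
  terraform-matrix:
    name: Terraform Matrix
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # quoted so the account id stays a string rather than an integer
        aws-account-id:
          - '436158765452'
        session-tag:
          - botc-json2pdf
        # extends the single aws-account-id/session-tag combination above
        # with the remaining per-account settings
        include:
          - account-name-prefix: chizography
            aws-account-id: '436158765452'
            aws-deployment-role: botc/deploy_json2pdf
            aws-region: eu-west-2
            terraform-dir: terraform
    steps:
      - uses: actions/checkout@v4
        with:
          # PR head commit for pull_request events; empty (default ref) on
          # tag pushes
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Set Workspace Env
        # if we're a PR then we use 'dev', otherwise we use 'prod'
        # https://support.hashicorp.com/hc/en-us/articles/360043550953-Selecting-a-workspace-when-running-Terraform-in-automation
        run: |
          if [ -n "${{ github.event.pull_request.head.sha }}" ]; then
            echo "WORKSPACE=dev" >> "$GITHUB_ENV"
          else
            echo "WORKSPACE=prod" >> "$GITHUB_ENV"
          fi
      # because we know some of our terraform has an external poetry data
      # source, we need to install poetry
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Setup Poetry
        uses: abatilo/actions-poetry@v2
        with:
          poetry-version: '1.4.2'
      - name: Prerelease Version
        shell: bash
        if: github.event_name == 'pull_request'
        run: |
          # for convenience we bump the version number (prerelease) if we're a
          # PR; we don't care about keeping this, we just _never_ want to have
          # a PR with a normal release version number
          poetry version prerelease
      - name: Run terraform actions
        id: run-terraform-actions
        # NOTE(review): the action reference below appears mangled in this
        # copy of the file — verify it is a real owner/repo@ref. Third-party
        # actions that receive AWS credentials are best pinned to a
        # full-length commit SHA rather than a mutable tag.
        # yamllint disable-line rule:line-length
        uses: chizmw/[email protected]
        with:
          # yamllint disable rule:line-length
          use-workspaces: true
          workspace: ${{ env.WORKSPACE }}
          terraform-dir: ${{ matrix.terraform-dir }}
          # state-key: ${{ github.repository }}-${{ matrix.aws-account-id }}-${{ matrix.session-tag }}.tfstate
          aws-account-id: ${{ matrix.aws-account-id }}
          aws-account-name-prefix: ${{ matrix.account-name-prefix }}
          aws-session-tag: ${{ matrix.session-tag }}
          aws-access-key-id: ${{ secrets.CHIZOGRAPHY_GITHUB_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.CHIZOGRAPHY_GITHUB_AWS_SECRET_ACCESS_KEY }}
          aws-deployment-role: ${{ matrix.aws-deployment-role }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
          aws-region: ${{ matrix.aws-region }}
          # if we're in a PR or a tag push, set auto-apply to true
          # (parenthesised to make the && / || precedence explicit; with the
          # triggers above this is true for every run)
          auto-apply: ${{ github.event_name == 'pull_request' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) }}
          # yamllint enable rule:line-length

  # job id kept as "linting" so nothing referencing it breaks; the display
  # name is what appears in checks
  linting:
    name: Deploy Lambda
    runs-on: ubuntu-latest
    strategy:
      matrix:
        include:
          - aws-account-name: chizography
            aws-account-id: '436158765452'
            aws-deployment-role: botc/deploy_json2pdf
    steps:
      - uses: actions/checkout@v4
      # do this early so it can fail fast
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # yamllint disable rule:line-length
          aws-access-key-id: ${{ secrets.CHIZOGRAPHY_GITHUB_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.CHIZOGRAPHY_GITHUB_AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-2
          role-to-assume: arn:aws:iam::${{ matrix.aws-account-id }}:role/${{ matrix.aws-deployment-role }}
          role-skip-session-tagging: true
          role-duration-seconds: 1800  # 30 minute session
          mask-aws-account-id: false
          # yamllint enable rule:line-length
      - name: Show AWS Credentials
        shell: bash
        # only the assumed identity is printed; the previous `env | grep AWS`
        # wrote every AWS_* variable (including the session credentials) into
        # the job log and relied solely on log masking to hide them
        run: |
          aws sts get-caller-identity
      - uses: actions/setup-node@v3
        with:
          node-version: '16'
      - name: Set Environment Env
        # if we're a PR then we use 'dev', otherwise we use 'prod'
        # yamllint disable rule:line-length
        run: |
          # debug pesky sls
          echo "SLS_DEBUG=*" >> "$GITHUB_ENV"
          # pull request
          if [ -n "${{ github.event.pull_request.head.sha }}" ]; then
            echo "DEPLOY_ENV=dev" >> "$GITHUB_ENV"
          # push to default branch (with the triggers above, push events only
          # arrive for tags, so this branch is a safety net)
          elif [ "${{ github.event_name }}" == "push" ] && [ "${{ github.ref }}" == "refs/heads/main" ]; then
            echo "DEPLOY_ENV=prod" >> "$GITHUB_ENV"
          # it's a tag event
          elif [ "${{ github.event_name }}" == "push" ] && [[ "${{ github.ref }}" == refs/tags/* ]]; then
            echo "DEPLOY_ENV=prod" >> "$GITHUB_ENV"
          # no idea what's going on
          else
            # ::error
            echo "::error::Unknown event type: ${{ github.event_name }} ${{ github.ref }}"
            exit 66
          fi
        # yamllint enable rule:line-length
      - name: SLS Prep
        shell: bash
        run: |
          npm --version
          npm install -g serverless@3
          serverless plugin install -n serverless-docker
      - name: Debug Matrix
        shell: bash
        run: |
          echo "::notice::aws-account-name: ${{matrix.aws-account-name}}"
          echo "::notice::aws-account-id: ${{matrix.aws-account-id}}"
          echo "::notice::aws-deployment-role: ${{matrix.aws-deployment-role}}"
          echo "::notice::DEPLOY_ENV: ${{env.DEPLOY_ENV}}"
      # install python and poetry so we can run the tests
      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.11'
      - name: Setup Poetry
        uses: abatilo/actions-poetry@v2
        with:
          poetry-version: '1.4.2'
      - name: Prerelease Version
        shell: bash
        if: github.event_name == 'pull_request'
        run: |
          # for convenience we bump the version number (prerelease) if we're a
          # PR; we don't care about keeping this, we just _never_ want to have
          # a PR with a normal release version number
          poetry version prerelease
      - name: Run Tests
        shell: bash
        run: |
          make test
      - name: SLS List Deploy
        shell: bash
        run: |
          sls deploy list
      - name: Install AWS RIE
        shell: bash
        # this fetches whatever "latest" resolves to and runs it without any
        # checksum or signature check — pinning a release and verifying the
        # download would make the build reproducible and harder to tamper with
        # yamllint disable rule:line-length
        run: |
          mkdir -p ~/.aws-lambda-rie \
            && curl -Lo ~/.aws-lambda-rie/aws-lambda-rie https://github.com/aws/aws-lambda-runtime-interface-emulator/releases/latest/download/aws-lambda-rie \
            && chmod +x ~/.aws-lambda-rie/aws-lambda-rie
        # yamllint enable rule:line-length
      - name: SLS Deploy (by env)
        shell: bash
        # yamllint disable-line rule:line-length
        if: github.event_name == 'pull_request' || (github.event_name == 'push' && startsWith(github.ref, 'refs/tags/'))
        run: |
          sls deploy --stage ${{ env.DEPLOY_ENV }}
      - name: Notify Discord
        # NOTE(review): action reference appears mangled in this copy — verify
        # owner/repo@ref and prefer a full-length commit SHA pin
        uses: th0th/[email protected]
        if: ${{ always() }}
        env:
          # the webhook URL is a credential: anyone holding it can post to the
          # channel. It is read from a repository secret (the secret name is a
          # placeholder — create it under the repository's Actions secrets),
          # and the URL that was previously committed here should be
          # regenerated in Discord since it is in the git history.
          DISCORD_WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}
          GITHUB_ACTOR: ${{ github.actor }}
          GITHUB_JOB_NAME: Deploy Serverless (${{ env.DEPLOY_ENV }})
          GITHUB_JOB_STATUS: ${{ job.status }}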