Build PR environments #6

Merged
merged 2 commits into from
Oct 2, 2023
Merged
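--- a/.github/workflows/build-push-images.yml
+++ b/.github/workflows/build-push-images.yml
@@ -0,0 +1,90 @@
+name: "[Job] Docker Build, Scan and Push to ECR"
+
+on:
+workflow_call:
+inputs:
+docker_tag:
+description: "Tag for docker image"
+required: true
+type: string
+checkout_tag:
+description: "Ref or tag to checkout"
+default: ${{ github.ref }}
+required: false
+type: string
+secrets:
+aws_access_key_id:
+description: 'AWS Access Key ID'
+required: true
+aws_secret_access_key:
+description: 'AWS Secret Access Key'
+required: true
+
+defaults:
+run:
+shell: bash
+
+permissions:
+id-token: write
+contents: write
+security-events: write
+pull-requests: read
+
+jobs:
+docker_build_scan_push:
+strategy:
+matrix:
+include:
+- ecr_repository: lpa-store/lambda/api-create
+dir: create
+runs-on: ubuntu-latest
+name: ${{ matrix.ecr_repository }}
+steps:
+- uses: actions/checkout@v4
+with:
+ref: ${{ inputs.checkout_tag }}
+- name: Build ${{ matrix.ecr_repository }} Image
+id: build_image
+run: |
+docker build -f ./lambda/Dockerfile -t ${{ matrix.ecr_repository }} --build-arg DIR=${{ matrix.dir }} .
+- name: Trivy Image Vulnerability Scanner for ${{ matrix.ecr_repository }}
+id: trivy_scan
+uses: aquasecurity/[email protected]
+with:
+image-ref: ${{ matrix.ecr_repository }}:latest
+severity: "HIGH,CRITICAL"
+format: "sarif"
+output: "trivy-results.sarif"
+- name: Upload Trivy scan results to GitHub Security tab for ${{ matrix.ecr_repository }}
+id: trivy_upload_sarif
+uses: github/codeql-action/upload-sarif@v2
+if: always()
+with:
+sarif_file: "trivy-results.sarif"
+- uses: unfor19/install-aws-cli-action@v1
+- name: Configure AWS Credentials
+uses: aws-actions/configure-aws-credentials@v4
+with:
+aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+aws-region: eu-west-1
+role-to-assume: arn:aws:iam::311462405659:role/lpa-store-ci
+role-duration-seconds: 3600
+role-session-name: GitHubActions
+- name: ECR Login
+id: login_ecr
+uses: aws-actions/[email protected]
+with:
+mask-password: true
+registries: 311462405659
+- name: Push ${{ matrix.ecr_repository }} Image to ECR
+env:
+ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
+ECR_REPOSITORY: ${{ matrix.ecr_repository }}
+run: |
+docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.docker_tag }}
+if ${{ github.workflow == 'Path To Live' }}; then
+docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest
+docker tag ${{ matrix.ecr_repository }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:main-${{ inputs.docker_tag }}
+fi
+docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY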
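Review bot: The Trivy scan step sets `severity`, `format` and `output` but no `exit-code`, and trivy-action's default exit code is 0, so HIGH/CRITICAL findings are uploaded to the Security tab yet never stop the later push step; adding `exit-code: "1"` under the scan's `with:` (with `ignore-unfixed: true` if only fixable findings should block) turns the scan into a gate instead of a report. The job requests `id-token: write` but then authenticates with long-lived keys via `secrets.AWS_ACCESS_KEY_ID` before `role-to-assume`; if the role's trust policy can be extended to the GitHub OIDC provider, the same step can run with `role-to-assume` alone and the static keys and the `secrets:` block can go. `contents: write` looks broader than this job needs — checkout and the SARIF upload need `contents: read` and `security-events: write`. The credentials step reads `secrets.AWS_ACCESS_KEY_ID` while the `workflow_call` secrets are declared as `aws_access_key_id`/`aws_secret_access_key` (env-deploy.yml uses the lower-case names); context lookups are case-insensitive so this works, but using the declared names makes it clear the value comes from the caller rather than from a repository secret.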
27 changes: 0 additions & 27 deletions .github/workflows/build.yml

This file was deleted.

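--- a/.github/workflows/env-deploy.yml
+++ b/.github/workflows/env-deploy.yml
@@ -0,0 +1,83 @@
+name: "[Job] Deploy to Environment"
+
+on:
+workflow_call:
+inputs:
+workspace_name:
+description: "The terraform workspace to target for environment actions"
+required: true
+type: string
+version_tag:
+description: "The docker image tag to deploy in the environment"
+required: true
+type: string
+secrets:
+aws_access_key_id:
+description: "AWS Access Key ID"
+required: true
+aws_secret_access_key:
+description: "AWS Secret Access Key"
+required: true
+github_access_token:
+description: 'Github Token'
+required: true
+
+jobs:
+terraform_environment_workflow:
+runs-on: ubuntu-latest
+# environment:
+# name: ${{ inputs.workspace_name }} popup environment
+# url: ${{ steps.terraform_outputs.outputs.url }}
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: "0"
+- uses: unfor19/install-aws-cli-action@v1
+- uses: hashicorp/setup-terraform@v2
+with:
+terraform_version: 1.4.6
+terraform_wrapper: false
+- name: Configure AWS Credentials For Terraform
+uses: aws-actions/configure-aws-credentials@v2
+with:
+aws-access-key-id: ${{ secrets.aws_access_key_id }}
+aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
+aws-region: eu-west-1
+role-duration-seconds: 3600
+role-session-name: OPGLpaStoreGithubAction
+
+- name: Lint Terraform
+run: terraform fmt -check -recursive
+working-directory: ./terraform/environment
+continue-on-error: true
+
+- name: Terraform Init
+run: terraform init -input=false
+working-directory: ./terraform/environment
+
+- name: Terraform Plan
+env:
+TF_WORKSPACE: ${{ inputs.workspace_name }}
+TF_VAR_app_version: ${{ inputs.version_tag }}
+run: |
+terraform workspace show
+echo "plan_summary=$(terraform plan -no-color -lock-timeout=300s -input=false -parallelism=30 | grep -ioE 'Plan: [[:digit:]]+ to add, [[:digit:]]+ to change, [[:digit:]]+ to destroy|No changes. Your infrastructure matches the configuration.')" >> $GITHUB_OUTPUT
+terraform plan -lock-timeout=300s -input=false -parallelism=30
+working-directory: ./terraform/environment
+
+- name: Terraform Apply
+env:
+TF_WORKSPACE: ${{ inputs.workspace_name }}
+TF_VAR_app_version: ${{ inputs.version_tag }}
+run: |
+terraform apply -lock-timeout=300s -input=false -auto-approve -parallelism=30
+working-directory: ./terraform/environment
+
+# - name: Terraform Outputs
+# id: terraform_outputs
+# env:
+# TF_WORKSPACE: ${{ inputs.workspace_name }}
+# TF_VAR_app_version: ${{ inputs.version_tag }}
+# run: |
+# echo "url=$(terraform output -raw app_fqdn)" >> $GITHUB_OUTPUT
+# working-directory: ./terraform/environment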
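Review bot: The `github_access_token` secret is declared `required: true` under `workflow_call` but no step in this workflow reads it, so callers (workflow-pr.yml passes `secrets.GITHUB_TOKEN` into it) must hand over a token that is never used; drop it from `secrets:` or change it to `required: false` until the commented-out outputs step needs it. The Terraform Apply step runs `-auto-approve` against a PR-derived workspace while the `environment:` block that would attach a protection rule and the deployed URL is commented out; if that is deliberate for popup environments, a comment saying so next to it would save the next reader from re-raising it. `terraform init` runs without `TF_WORKSPACE` while plan and apply set it, so a workspace that does not yet exist may need creating first — env-destroy.yml manages the workspace with explicit `terraform workspace select`/`delete`, and the two files should probably handle workspace lifecycle the same way (whether init creates it depends on the backend; worth checking). The first `terraform plan` writes `plan_summary` to `$GITHUB_OUTPUT`, but the step has no `id:` and the job declares no outputs, so that summary is unreachable and the plan is simply run twice. `configure-aws-credentials@v2` here and in env-destroy.yml versus `@v4` in build-push-images.yml is worth aligning.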
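--- a/.github/workflows/env-destroy.yml
+++ b/.github/workflows/env-destroy.yml
@@ -0,0 +1,54 @@
+name: "[Job] Destroy Environment"
+
+on:
+workflow_call:
+inputs:
+workspace_name:
+description: "The terraform workspace to target for environment actions"
+required: true
+type: string
+secrets:
+aws_access_key_id:
+description: "AWS Access Key ID"
+required: true
+aws_secret_access_key:
+description: "AWS Secret Access Key"
+required: true
+
+jobs:
+terraform_environment_workflow:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: "0"
+- uses: unfor19/install-aws-cli-action@v1
+- uses: hashicorp/setup-terraform@v2
+with:
+terraform_version: 1.4.6
+terraform_wrapper: false
+- name: Configure AWS Credentials For Terraform
+uses: aws-actions/configure-aws-credentials@v2
+with:
+aws-access-key-id: ${{ secrets.aws_access_key_id }}
+aws-secret-access-key: ${{ secrets.aws_secret_access_key }}
+aws-region: eu-west-1
+role-duration-seconds: 3600
+role-session-name: OPGLpaStoreGithubAction
+
+- name: Lint Terraform
+run: terraform fmt -check -recursive
+working-directory: ./terraform/environment
+continue-on-error: true
+
+- name: Terraform Init
+run: terraform init -input=false
+working-directory: ./terraform/environment
+
+- name: Terraform Destroy
+run: |
+terraform workspace select ${{ inputs.workspace_name }}
+terraform destroy -auto-approve
+terraform workspace select default
+terraform workspace delete ${{ inputs.workspace_name }}
+working-directory: ./terraform/environment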
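Review bot: The Terraform Destroy step splices `${{ inputs.workspace_name }}` straight into the shell script twice; that value is derived from `github.head_ref` in workflow-pr-close.yml, and the same inline pattern appears in the workspace-name steps of workflow-pr-close.yml and workflow-pr.yml and in the Extract branch name step of workflow-pr.yml. GitHub's hardening guidance for `run:` scripts is to pass such values through `env:` and reference them as quoted shell variables so the branch name stays data rather than script; the rewritten step is below and the three other steps should take the same shape. `terraform destroy` also runs without the `-input=false` and `-lock-timeout=300s` flags the deploy workflow uses, so a held state lock fails immediately instead of waiting. If a PR is closed before any successful deploy the workspace may not exist, in which case `terraform workspace select` fails and the job goes red; whether that should be an error or a no-op is a design choice worth stating in a comment on the step.
```yaml
- name: Terraform Destroy
  env:
    WORKSPACE_NAME: ${{ inputs.workspace_name }}
  run: |
    terraform workspace select "$WORKSPACE_NAME"
    terraform destroy -auto-approve -input=false -lock-timeout=300s
    terraform workspace select default
    terraform workspace delete "$WORKSPACE_NAME"
  working-directory: ./terraform/environment
```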
2 changes: 1 addition & 1 deletion .github/workflows/validate-api.yaml
Expand Up @@ -13,7 +13,7 @@ jobs:
name: Validate
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-node@v3
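--- a/.github/workflows/workflow-pr-close.yml
+++ b/.github/workflows/workflow-pr-close.yml
@@ -0,0 +1,41 @@
+name: PR Workflow
+
+on:
+pull_request:
+types:
+- closed
+branches:
+- main
+workflow_dispatch:
+
+defaults:
+run:
+shell: bash
+
+jobs:
+generate-environment-workspace-name:
+runs-on: ubuntu-latest
+steps:
+- name: Generate workspace name
+id: name_workspace
+run: |
+workspace=${{ github.event.number }}${{ github.head_ref }}
+workspace=${workspace//-}
+workspace=${workspace//_}
+workspace=${workspace//\/}
+workspace=${workspace:0:11}
+workspace=$(echo ${workspace} | tr '[:upper:]' '[:lower:]')
+echo "name=${workspace}" >> $GITHUB_OUTPUT
+echo ${workspace}
+outputs:
+environment_workspace_name: ${{ steps.name_workspace.outputs.name }}
+
+destroy-pr-env:
+name: Destroy PR Environment
+needs: [generate-environment-workspace-name]
+uses: ./.github/workflows/env-destroy.yml
+with:
+workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
+secrets:
+aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}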
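Review bot: With `workflow_dispatch` as a trigger, `github.event.number` and `github.head_ref` are both empty in the Generate workspace name step, so `environment_workspace_name` is an empty string and env-destroy.yml's `terraform workspace select` is called with nothing; either drop `workflow_dispatch` or declare a `workspace_name` input under it and use that when `github.event_name == 'workflow_dispatch'`. `name: PR Workflow` is the same display name as workflow-pr.yml, so the two runs are indistinguishable in the Actions list and in status checks; `name: PR Close Workflow` separates them. The workspace-name script is duplicated verbatim in workflow-pr.yml, and any drift between the copies (the `${workspace:0:11}` truncation or the lowercasing) would leave orphaned environments, so a composite action or a small reusable workflow that both files call is worth the extra file. The trailing `echo ${workspace}` is unquoted debug output; `echo "$workspace"` or dropping it is tidier.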
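--- a/.github/workflows/workflow-pr.yml
+++ b/.github/workflows/workflow-pr.yml
@@ -0,0 +1,84 @@
+name: PR Workflow
+
+on:
+pull_request:
+branches:
+- main
+workflow_dispatch:
+
+defaults:
+run:
+shell: bash
+
+jobs:
+generate-tags:
+name: Generate tags
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: "0"
+- name: Extract branch name
+id: extract_branch
+run: |
+if [ "$GITHUB_EVENT_NAME" == "push" ]; then
+echo BRANCH_NAME=main >> $GITHUB_ENV
+else
+branch=${{ github.head_ref }}
+branch=${branch//-}
+branch=${branch//_}
+branch=${branch//\/}
+echo BRANCH_NAME=${branch} >> $GITHUB_ENV
+fi
+- name: Bump version
+id: bump_version
+uses: anothrNick/[email protected]
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+INITIAL_VERSION: 0.0.0
+DEFAULT_BUMP: minor
+PRERELEASE: true
+PRERELEASE_SUFFIX: ${{ env.BRANCH_NAME }}
+RELEASE_BRANCHES: main
+WITH_V: true
+outputs:
+docker_tag: ${{ steps.bump_version.outputs.tag }}
+
+generate-environment-workspace-name:
+runs-on: ubuntu-latest
+steps:
+- name: Generate workspace name
+id: name_workspace
+run: |
+workspace=${{ github.event.number }}${{ github.head_ref }}
+workspace=${workspace//-}
+workspace=${workspace//_}
+workspace=${workspace//\/}
+workspace=${workspace:0:11}
+workspace=$(echo ${workspace} | tr '[:upper:]' '[:lower:]')
+echo "name=${workspace}" >> $GITHUB_OUTPUT
+echo ${workspace}
+outputs:
+environment_workspace_name: ${{ steps.name_workspace.outputs.name }}
+
+build:
+name: Build, Scan & Push Images
+needs: [generate-tags]
+uses: ./.github/workflows/build-push-images.yml
+with:
+docker_tag: ${{ needs.generate-tags.outputs.docker_tag }}
+secrets:
+aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+deploy-pr-env:
+name: Deploy PR Environment
+needs: [build, generate-environment-workspace-name]
+uses: ./.github/workflows/env-deploy.yml
+with:
+workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
+version_tag: ${{ needs.generate-tags.outputs.docker_tag }}
+secrets:
+aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+github_access_token: ${{ secrets.GITHUB_TOKEN }}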
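Review bot: This workflow declares no top-level `permissions:`, so the GITHUB_TOKEN handed to the called build-push-images.yml is whatever the repository default is, and a called workflow can only narrow, never widen, what its caller passes; the called job needs `security-events: write` for the SARIF upload and `id-token: write` if it moves to OIDC, so an explicit block in this file (below) makes the grant visible and keeps `contents` at the minimum the tag action needs. The Extract branch name step tests `$GITHUB_EVENT_NAME == "push"`, but this workflow only fires on `pull_request` and `workflow_dispatch`, so that branch is dead and a dispatch run leaves `BRANCH_NAME` empty, which in turn gives `PRERELEASE_SUFFIX` an empty value; either handle dispatch explicitly or remove the trigger. The `build` and `deploy-pr-env` jobs will also be scheduled for pull requests from forks, where repository secrets are not available, and fail only when the credentials step runs; gating them with `if: github.event.pull_request.head.repo.full_name == github.repository` fails fast and documents the same-repo-only design. Whether `anothrNick/github-tag-action` pushes the bumped pre-release tag on every PR run is worth confirming; if it does, `DRY_RUN: true` for PR builds avoids accumulating tags, provided the `tag` output still carries the computed value.
```yaml
defaults:
  run:
    shell: bash

permissions:
  contents: read  # raise to write only if the tag action must push tags
  security-events: write
  id-token: write

# … unchanged: jobs …
```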