From 1fe53ca359f105dbc6ca7be7c80497b553157c09 Mon Sep 17 00:00:00 2001
From: Greg Tyler
Date: Wed, 13 Dec 2023 10:53:16 +0000
Subject: [PATCH] Deploy preprod, prod and demo environments

Test deployments in the PR workflow, then deploy them in the main workflow. Includes access for related environments in MRLPA #major
---
 .github/workflows/env-deploy.yml | 9 ++++-
 .github/workflows/workflow-main.yml | 41 ++++++++++++++++++++-
 .github/workflows/workflow-pr.yml | 18 +++++++++
 terraform/environment/terraform.tfvars.json | 30 +++++++++++++++
 4 files changed, 96 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/env-deploy.yml b/.github/workflows/env-deploy.yml
index a5bab711..0123e06e 100644
--- a/.github/workflows/env-deploy.yml
+++ b/.github/workflows/env-deploy.yml
@@ -11,6 +11,11 @@ on:
 description: "The docker image tag to deploy in the environment"
 required: true
 type: string
+ apply:
+ description: "Whether to apply the deployment"
+ required: false
+ type: boolean
+ default: false
 secrets:
 aws_access_key_id:
 description: "AWS Access Key ID"
@@ -30,7 +35,7 @@ jobs:
 terraform_environment_workflow:
 runs-on: ubuntu-latest
 environment:
- name: ${{ inputs.workspace_name }}
+ name: ${{ inputs.apply && inputs.workspace_name || null }}
 url: ${{ steps.terraform_outputs.outputs.url }}
 outputs:
 url: ${{ steps.terraform_outputs.outputs.url }}
@@ -72,6 +77,7 @@ jobs:
 working-directory: ./terraform/environment
 
 - name: Terraform Apply
+ if: inputs.apply == true
 env:
 TF_WORKSPACE: ${{ inputs.workspace_name }}
 TF_VAR_app_version: ${{ inputs.version_tag }}
@@ -80,6 +86,7 @@ jobs:
 working-directory: ./terraform/environment
 
 - name: Terraform Outputs
+ if: inputs.apply == true
 id: terraform_outputs
 env:
 TF_WORKSPACE: ${{ inputs.workspace_name }}
diff --git a/.github/workflows/workflow-main.yml b/.github/workflows/workflow-main.yml
index ebba45d8..58dc4e05 100644
--- a/.github/workflows/workflow-main.yml
+++ b/.github/workflows/workflow-main.yml
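Review bot: With `name: ${{ inputs.apply && inputs.workspace_name || null }}` the plan-only path now runs outside any GitHub environment, so environment protection rules no longer gate it, yet the job still receives the caller's `aws_access_key_id`/`aws_secret_access_key` — the same static keys the apply path uses. `terraform plan` initialises providers and evaluates data sources from whatever Terraform code the triggering branch contains, so any branch that can reach this reusable workflow can exercise apply-capable credentials without the reviewer gate the `environment` block used to provide. Consider having callers supply plan-scoped (read-only) credentials when `apply` is false, and at minimum record the trade-off on the new input, e.g. `description: "Apply the plan; when false the job runs plan only and is NOT bound to a GitHub environment, so no protection rules apply"`. The Terraform Plan step and the rest of the job body lie outside these hunks.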
@@ -68,9 +68,22 @@ jobs:
 aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
+ deploy-preproduction-env:
+ name: Deploy Preproduction Environment
+ needs: [deploy-preproduction-account, generate-tag]
+ uses: ./.github/workflows/env-deploy.yml
+ with:
+ workspace_name: preproduction
+ version_tag: ${{ needs.generate-tag.outputs.tag }}
+ apply: true
+ secrets:
+ aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
 deploy-production-account:
 name: TF Deploy Production Account
- needs: [deploy-preproduction-account]
+ needs: [deploy-preproduction-env]
 uses: ./.github/workflows/account-deploy.yml
 with:
 workspace_name: production
@@ -78,3 +91,29 @@ jobs:
 secrets:
 aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+
+ deploy-production-env:
+ name: Deploy Production Environment
+ needs: [deploy-production-account, generate-tag]
+ uses: ./.github/workflows/env-deploy.yml
+ with:
+ workspace_name: production
+ version_tag: ${{ needs.generate-tag.outputs.tag }}
+ apply: true
+ secrets:
+ aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+ deploy-demo-env:
+ name: Deploy Demo Environment
+ needs: [deploy-production-env, generate-tag]
+ uses: ./.github/workflows/env-deploy.yml
+ with:
+ workspace_name: demo
+ version_tag: ${{ needs.generate-tag.outputs.tag }}
+ apply: true
+ secrets:
+ aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/workflow-pr.yml b/.github/workflows/workflow-pr.yml
index 0126ef1f..5e750f34 100644
--- a/.github/workflows/workflow-pr.yml
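Review bot: `deploy-production-env` is chained purely on `needs: [deploy-production-account, generate-tag]`, which in turn hangs off `deploy-preproduction-env`, so a production apply now follows a preproduction apply automatically on the main workflow; `needs:` only proves the preproduction job exited zero, not that the deployed environment works. The only remaining gate is whatever protection rules the `production` GitHub environment carries (bound via `environment.name` in env-deploy.yml), which this diff cannot show — confirm required reviewers are configured there, and consider a smoke-test job between `deploy-preproduction-env` and `deploy-production-account`. Placing `deploy-demo-env` after `deploy-production-env` also means a demo-only failure (for example a bad `demo` tfvars entry) surfaces only after production has already changed; if demo is meant to rehearse the release, it belongs before `deploy-production-account`. The `generate-tag` and account-deploy jobs these blocks depend on are outside the hunk.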
+++ b/.github/workflows/workflow-pr.yml
@@ -71,6 +71,23 @@ jobs:
 aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
+ plan-environment:
+ strategy:
+ matrix:
+ environment:
+ - preproduction
+ - production
+ name: "TF Plan Environment: ${{ matrix.environment }}"
+ needs: [generate-tag]
+ uses: ./.github/workflows/env-deploy.yml
+ with:
+ workspace_name: ${{ matrix.environment }}
+ version_tag: ${{ needs.generate-tag.outputs.tag }}
+ secrets:
+ aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
 deploy-pr-env:
 name: Deploy PR Environment
 needs:
@@ -84,6 +101,7 @@ jobs:
 with:
 workspace_name: ${{ needs.generate-environment-workspace-name.outputs.environment_workspace_name }}
 version_tag: ${{ needs.generate-tag.outputs.tag }}
+ apply: true
 secrets:
 aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
 aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/terraform/environment/terraform.tfvars.json b/terraform/environment/terraform.tfvars.json
index 93069607..521c3774 100644
--- a/terraform/environment/terraform.tfvars.json
+++ b/terraform/environment/terraform.tfvars.json
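Review bot: The `plan-environment` matrix lists only `preproduction` and `production`, while the main workflow in the same commit applies a `demo` workspace as well, so any demo-specific breakage is first seen on main after the production apply rather than on the PR; add `- demo` under `environment:`. These plan jobs also run on every pull request with the repository-level `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` and, because `apply` is left at its default of false, with no GitHub environment binding — the PR's own Terraform code is what `terraform plan` evaluates with those keys. That is tolerable only if the workflow's trigger (outside this hunk) is `pull_request` and not `pull_request_target`, and only if the keys are scoped to what plan needs; worth confirming both, since the same secrets drive apply in `deploy-pr-env`.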
@@ -20,6 +20,36 @@
 "arn:aws:iam::653761790766:role/breakglass",
 "arn:aws:iam::653761790766:root"
 ]
+ },
+ "demo": {
+ "account_id": "493907465011",
+ "account_name": "demo",
+ "is_production": false,
+ "allowed_arns": [
+ "arn:aws:iam::493907465011:role/operator",
+ "arn:aws:iam::493907465011:role/lpa-store-ci",
+ "arn:aws:iam::653761790766:role/demo-app-task-role"
+ ]
+ },
+ "preproduction": {
+ "account_id": "936779158973",
+ "account_name": "preproduction",
+ "is_production": false,
+ "allowed_arns": [
+ "arn:aws:iam::936779158973:role/operator",
+ "arn:aws:iam::936779158973:role/lpa-store-ci",
+ "arn:aws:iam::792093328875:role/preproduction-app-task-role"
+ ]
+ },
+ "production": {
+ "account_id": "764856231715",
+ "account_name": "production",
+ "is_production": true,
+ "allowed_arns": [
+ "arn:aws:iam::764856231715:role/operator",
+ "arn:aws:iam::764856231715:role/lpa-store-ci",
+ "arn:aws:iam::313879017102:role/production-app-task-role"
+ ]
 }
 }
 }
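Review bot: The `demo` entry's cross-account ARN `arn:aws:iam::653761790766:role/demo-app-task-role` trusts account 653761790766, which the context lines above show as the account behind the preceding environment's `breakglass` and `root` entries, whereas `preproduction` and `production` each trust a task role in a distinct account (792093328875 and 313879017102 respectively). If the demo MRLPA application genuinely runs in 653761790766 this is fine, but it reads like the previous block's account ID carried over, and an `allowed_arns` entry is an access grant, so it should be confirmed against the MRLPA account layout before merge. This file is strict JSON, so the account-to-environment mapping cannot be annotated here; consider recording it in the Terraform variable's description or the repository README. The enclosing `environments`-style object opens before this hunk.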