Release r-0353 #45
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: deploy-production | |
| concurrency: | |
| group: deploy-production | |
| cancel-in-progress: true | |
| on: | |
| release: | |
| types: [published] | |
| permissions: | |
| id-token: write # required for OIDC connectiong to AWS | |
| contents: read | |
| jobs: | |
| deploy-prod-iac: | |
| environment: production | |
| if: startsWith(github.ref_name, 'r-') # the prefix we have added to the tag | |
| runs-on: ubuntu-latest | |
| outputs: | |
| bucket: ${{ steps.output-bucket-name.outputs.bucket }} | |
| cloudfront_id: ${{ steps.output-cloudfront-distro.outputs.cloudfront_id }} | |
| env: | |
| TF_VAR_region: ${{ vars.AWS_REGION }} | |
| TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} | |
| TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" | |
| TF_VAR_app_env: ${{ vars.APP_ENV }} | |
| TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} | |
| TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} | |
| TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} | |
| TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} | |
| TF_VAR_log_level: ${{ vars.LOG_LEVEL }} | |
| TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} | |
| TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} | |
| TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} | |
| TF_VAR_zoom_secret: ${{ vars.zoom_secret }} | |
| TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} | |
| TF_VAR_ssl_cert_arn: ${{ vars.SSL_CERT_ARN }} | |
| steps: | |
| - name: Get Artifact from Release | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: iac.zip | |
| - name: Unzip Artifact | |
| run: unzip iac.zip | |
| - name: install opentofu | |
| uses: opentofu/setup-opentofu@v1 | |
| with: | |
| tofu_version: ${{ vars.TF_VERSION }} | |
| tofu_wrapper: false | |
| - name: install terragrunt | |
| run: | | |
| sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" | |
| sudo chmod +x /bin/terragrunt | |
| terragrunt -v | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.IAM_ROLE }} | |
| role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC | |
| aws-region: ${{ vars.AWS_REGION }} | |
| - name: vpc | |
| working-directory: ./tofu/environments/prod/network/vpc | |
| run: | | |
| terragrunt init -upgrade | |
| terragrunt validate | |
| terragrunt plan -out tfplan | |
| terragrunt apply tfplan | |
| - name: backend-infra | |
| working-directory: ./tofu/environments/prod/services/backend-infra | |
| run: | | |
| terragrunt init -upgrade | |
| terragrunt validate | |
| terragrunt plan -out tfplan | |
| terragrunt apply tfplan | |
| - name: cache | |
| working-directory: ./tofu/environments/prod/data-store/cache | |
| run: | | |
| terragrunt init -upgrade | |
| terragrunt validate | |
| terragrunt plan -out tfplan | |
| terragrunt apply tfplan | |
| - name: database | |
| working-directory: ./tofu/environments/prod/data-store/database | |
| run: | | |
| terragrunt init -upgrade | |
| terragrunt validate | |
| terragrunt plan -out tfplan | |
| terragrunt apply tfplan | |
| - name: frontend-infra | |
| working-directory: ./tofu/environments/prod/services/frontend-infra | |
| run: | | |
| terragrunt init -upgrade | |
| terragrunt validate | |
| terragrunt plan -out tfplan | |
| terragrunt apply tfplan | |
| - name: output-bucket-name | |
| id: output-bucket-name | |
| working-directory: ./tofu/environments/prod/services/frontend-infra | |
| run: | | |
| terragrunt init -upgrade | |
| output=$(terragrunt output bucket_name | tr -d '"') | |
| echo bucket=$output >> $GITHUB_OUTPUT | |
| - name: output-cloudfront-distro | |
| id: output-cloudfront-distro | |
| working-directory: ./tofu/environments/prod/services/frontend-infra | |
| run: | | |
| terragrunt init -upgrade | |
| output=$(terragrunt output cloudfront_id) | |
| echo cloudfront_id=$output >> $GITHUB_OUTPUT | |
| deploy-prod-frontend: | |
| needs: deploy-prod-iac | |
| if: startsWith(github.ref_name, 'r-') # the prefix we have added to the tag | |
| environment: production | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Get Artifact from Release | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: frontend.zip | |
| - name: Unzip Artifact | |
| run: unzip frontend.zip | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.IAM_ROLE }} | |
| role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC | |
| aws-region: ${{ vars.AWS_REGION }} | |
| - name: Deploy frontend to S3 | |
| run: aws s3 sync ./dist "s3://${{ needs.deploy-prod-iac.outputs.bucket }}" | |
| - name: Invalidate Cloudfront cache | |
| run: aws cloudfront create-invalidation --distribution-id ${{ needs.deploy-prod-iac.outputs.cloudfront_id }} --paths "/*" | |
| deploy-prod-backend: | |
| needs: deploy-prod-iac | |
| if: startsWith(github.ref_name, 'r-') # the prefix we have added to the tag | |
| environment: production | |
| runs-on: ubuntu-latest | |
| env: | |
| TF_VAR_region: ${{ vars.AWS_REGION }} | |
| TF_VAR_environment: ${{ vars.ENV_SHORT_NAME }} | |
| TF_VAR_name_prefix: "tb-${{ vars.PROJECT_SHORT_NAME }}-${{ vars.ENV_SHORT_NAME }}" | |
| TF_VAR_app_env: ${{ vars.APP_ENV }} | |
| TF_VAR_db_enc_secret: ${{ vars.DB_ENCRYPTED_SECRET }} | |
| TF_VAR_frontend_url: ${{ vars.FRONTEND_URL }} | |
| TF_VAR_fxa_secret: ${{ vars.FXA_SECRET }} | |
| TF_VAR_google_oauth_secret: ${{ vars.GOOGLE_OAUTH_SECRET }} | |
| TF_VAR_log_level: ${{ vars.LOG_LEVEL }} | |
| TF_VAR_short_base_url: ${{ vars.SHORT_BASE_URL }} | |
| TF_VAR_smtp_secret: ${{ vars.SMTP_SECRET }} | |
| TF_VAR_zoom_callback: ${{ vars.ZOOM_CALLBACK }} | |
| TF_VAR_zoom_secret: ${{ vars.zoom_secret }} | |
| TF_VAR_sentry_dsn: ${{ vars.SENTRY_DSN }} | |
| TF_VAR_ssl_cert_arn: ${{ vars.SSL_CERT_ARN }} | |
| steps: | |
| - name: Get IaC from Release | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: iac.zip | |
| - name: Get ECR tag from Release | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: ecr_tag.zip | |
| - name: Unzip IaC | |
| run: unzip iac.zip | |
| - name: Unzip ECR tag | |
| id: get_ecr_tag | |
| run: | | |
| unzip ecr_tag.zip | |
| output=$(cat ecr_tag.txt) | |
| echo ecr_tag=$output >> $GITHUB_OUTPUT | |
| - name: install opentofu | |
| uses: opentofu/setup-opentofu@v1 | |
| with: | |
| tofu_version: ${{ vars.TF_VERSION }} | |
| tofu_wrapper: false | |
| - name: install terragrunt | |
| run: | | |
| sudo wget -q -O /bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${{ vars.TG_VERSION }}/terragrunt_linux_amd64" | |
| sudo chmod +x /bin/terragrunt | |
| terragrunt -v | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: ${{ secrets.IAM_ROLE }} | |
| role-session-name: Appointment_GitHub_to_AWS_via_FederatedOIDC | |
| aws-region: ${{ vars.AWS_REGION }} | |
| - name: Prepare backend dependencies | |
| run: | | |
| cd tofu/environments/prod/network/vpc | |
| terragrunt init -upgrade | |
| cd ../../data-store/database | |
| terragrunt init -upgrade | |
| cd ../../data-store/cache | |
| terragrunt init -upgrade | |
| cd ../../services/backend-infra | |
| terragrunt init -upgrade | |
| - name: Deploy Backend | |
| working-directory: ./tofu/environments/prod/services/backend-service | |
| run: | | |
| terragrunt init -upgrade | |
| terragrunt validate | |
| terragrunt plan -var "image=${{ steps.get_ecr_tag.outputs.ecr_tag }}" -out tfplan | |
| terragrunt apply tfplan |