generated from CDCgov/template
-
Notifications
You must be signed in to change notification settings - Fork 10
132 lines (116 loc) · 4.61 KB
/
terraform-deploy_reusable.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
name: Terraform Deploy
on:
workflow_call:
inputs:
ENVIRONMENT:
required: true
type: string
TERRAFORM_DIRECTORY:
type: string
required: true
TERRAFORM_INIT_PARAMETERS:
type: string
required: false
default: ""
secrets:
AZURE_CLIENT_ID:
required: true
AZURE_TENANT_ID:
required: true
AZURE_SUBSCRIPTION_ID:
required: true
VPN_TLS_KEY:
required: false
VPN_CA_CERTIFICATE:
required: false
VPN_GITHUB_CERTIFICATE:
required: false
VPN_GITHUB_SECRET_KEY:
required: false
TERRAFORM_APPLY_PARAMETERS:
required: false
outputs:
REGISTRY:
description: The container registry
value: ${{ jobs.terraform-deploy.outputs.REGISTRY }}
APP:
description: The web application's name
value: ${{ jobs.terraform-deploy.outputs.APP }}
jobs:
terraform-deploy:
name: Terraform Deploy
environment:
name: ${{ inputs.ENVIRONMENT }}
runs-on: ubuntu-latest
env:
ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
ARM_USE_OIDC: true
permissions:
id-token: write
contents: read
defaults:
run:
working-directory: ${{ inputs.TERRAFORM_DIRECTORY }}
outputs:
REGISTRY: ${{ steps.export-terraform-output.outputs.REGISTRY }}
APP: ${{ steps.export-terraform-output.outputs.APP }}
steps:
- uses: actions/checkout@v4
- name: Terraform Init
id: init
run: terraform init ${{ inputs.TERRAFORM_INIT_PARAMETERS }}
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform Apply
run: terraform apply -auto-approve -input=false ${{ secrets.TERRAFORM_APPLY_PARAMETERS }}
- name: Login via Azure CLI
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Extract database hostname and password into GitHub Env
run: |
DATABASE_HOSTNAME=$(terraform output -raw database_hostname)
DATABASE_PASSWORD=$(az account get-access-token --resource-type oss-rdbms --query "[accessToken]" -o tsv)
echo "::add-mask::$DATABASE_HOSTNAME"
echo "::add-mask::$DATABASE_PASSWORD"
echo "DATABASE_HOSTNAME=$DATABASE_HOSTNAME" >> "$GITHUB_ENV"
echo "DATABASE_PASSWORD=$DATABASE_PASSWORD" >> "$GITHUB_ENV"
- name: Connect to VPN
uses: josiahsiegel/[email protected]
id: connect_vpn
if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr'
with:
PING_URL: ${{ env.DATABASE_HOSTNAME }}
FILE_OVPN: ./operations/vpn/${{ inputs.ENVIRONMENT }}.ovpn
TLS_KEY: ${{ secrets.VPN_TLS_KEY }}
env:
CA_CRT: ${{ secrets.VPN_CA_CERTIFICATE }}
USER_CRT: ${{ secrets.VPN_GITHUB_CERTIFICATE }}
USER_KEY: ${{ secrets.VPN_GITHUB_SECRET_KEY }}
- name: Fail if VPN isn't Connected
if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr' && steps.connect_vpn.outputs.STATUS != 'true'
run: |
echo 'VPN connected: ${{ steps.connect_vpn.outputs.STATUS }}'
exit 1
- name: Install Liquibase
run: |
wget -O- https://repo.liquibase.com/liquibase.asc | gpg --dearmor > liquibase-keyring.gpg && \cat liquibase-keyring.gpg | sudo tee /usr/share/keyrings/liquibase-keyring.gpg > /dev/null && \echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/liquibase-keyring.gpg] https://repo.liquibase.com stable main' | sudo tee /etc/apt/sources.list.d/liquibase.list
sudo apt-get update
sudo apt-get install liquibase
liquibase -v
- name: Run Db migration
working-directory: ./
run: liquibase update --changelog-file ./etor/databaseMigrations/root.yml --url 'jdbc:postgresql://${{ env.DATABASE_HOSTNAME }}:5432/postgres' --username cdcti-github --password '${{ env.DATABASE_PASSWORD }}'
- name: Disconnect VPN
if: inputs.ENVIRONMENT != 'internal' && inputs.ENVIRONMENT != 'pr' && always()
run: sudo killall openvpn
- id: export-terraform-output
name: Export Terraform Output
run: |
echo "REGISTRY=$(terraform output -raw registry)" >> "$GITHUB_OUTPUT"
echo "APP=$(terraform output -raw publish_app)" >> "$GITHUB_OUTPUT"