Deploy Production #2
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| release: | |
| types: | |
| - published | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| jobs: | |
| production_deploy_plan: | |
| runs-on: ubuntu-latest | |
| environment: production | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| audience: sts.amazonaws.com | |
| aws-region: ${{ vars.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| - name: Get Image Metadata from Release | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: metadata.json | |
| - name: Set Image Digest from Metadata | |
| id: set_image_digest | |
| run: | | |
| image_digest=$(cat metadata.json | jq -r '."containerimage.digest"') | |
| echo "image_digest=$image_digest" >> $GITHUB_OUTPUT | |
| - name: Export shared infrastructure SSM parameter values to auto.tfvars.json files | |
| env: | |
| deploy_path: ./deploy/tg/ecs | |
| environment: ${{ vars.ENVIRONMENT }} | |
| run: | | |
| params=( apps/alb/${{ vars.ALB }} apps/ecr/${{ vars.ECR_REPOSITORY }} core rds/${{ vars.RDS_DB }} ) | |
| for param in ${params[@]}; do | |
| filename="$environment.${param//\//-}.auto.tfvars.json" | |
| aws ssm get-parameters-by-path \ | |
| --path "/$param/" \ | |
| --recursive \ | |
| --output json \ | |
| --query 'Parameters[*]' \ | |
| | jq '. |= map({ (.Name | split("/")[-1]): .Value }) | add' \ | |
| > "$deploy_path/$filename" | |
| done | |
| - name: Expose github environment as shell variables | |
| env: | |
| SECRETS_CONTEXT: ${{ toJson(secrets) }} | |
| VARS_CONTEXT: ${{ toJson(vars) }} | |
| run: | | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; } | |
| echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV | |
| echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV | |
| - name: Terragrunt Plan | |
| id: terragrunt_plan | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| tf_version: '1.5.7' | |
| tg_version: '0.51.0' | |
| tg_dir: './deploy/tg' | |
| tg_command: 'run-all plan' | |
| env: | |
| TF_INPUT: 0 | |
| TF_IN_AUTOMATION: true | |
| # get the image digest from the build job with optional override from vars context | |
| TF_VAR_image: ${{ vars.IMAGE || steps.set_image_digest.outputs.image_digest }} | |
| production_deploy_apply: | |
| runs-on: ubuntu-latest | |
| environment: staging | |
| needs: [production_deploy_plan] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| audience: sts.amazonaws.com | |
| aws-region: ${{ vars.AWS_REGION }} | |
| role-to-assume: ${{ secrets.AWS_ROLE_ARN }} | |
| - name: Get Image Metadata from Release | |
| uses: dsaltares/fetch-gh-release-asset@master | |
| with: | |
| version: ${{ github.event.release.id }} | |
| file: metadata.json | |
| - name: Set Image Digest from Metadata | |
| id: set_image_digest | |
| run: | | |
| image_digest=$(cat /tmp/metadata.json | jq -r '."containerimage.digest"') | |
| echo "image_digest=$image_digest" >> $GITHUB_OUTPUT | |
| - name: Export shared infrastructure SSM parameter values to auto.tfvars.json files | |
| env: | |
| deploy_path: ./deploy/tg/ecs | |
| environment: ${{ vars.ENVIRONMENT }} | |
| run: | | |
| params=( apps/alb/${{ vars.ALB }} apps/ecr/${{ vars.ECR_REPOSITORY }} core rds/${{ vars.RDS_DB }} ) | |
| for param in ${params[@]}; do | |
| filename="$environment.${param//\//-}.auto.tfvars.json" | |
| aws ssm get-parameters-by-path \ | |
| --path "/$param/" \ | |
| --recursive \ | |
| --output json \ | |
| --query 'Parameters[*]' \ | |
| | jq '. |= map({ (.Name | split("/")[-1]): .Value }) | add' \ | |
| > "$deploy_path/$filename" | |
| done | |
| - name: Expose github environment as shell variables | |
| env: | |
| SECRETS_CONTEXT: ${{ toJson(secrets) }} | |
| VARS_CONTEXT: ${{ toJson(vars) }} | |
| run: | | |
| EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) | |
| to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; } | |
| echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV | |
| echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV | |
| - name: Terragrunt Apply | |
| id: terragrunt_plan | |
| uses: gruntwork-io/[email protected] | |
| with: | |
| tf_version: '1.5.7' | |
| tg_version: '0.51.0' | |
| tg_dir: './deploy/tg' | |
| tg_command: 'run-all apply' | |
| env: | |
| TF_INPUT: 0 | |
| TF_IN_AUTOMATION: true | |
| # get the image digest from the build job with optional override from vars context | |
| TF_VAR_image: ${{ vars.IMAGE || steps.set_image_digest.outputs.image_digest }} |