-
Notifications
You must be signed in to change notification settings - Fork 0
100 lines (89 loc) · 3.23 KB
/
deploy-production.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
name: Deploy Production
on:
release:
types:
- published
workflow_dispatch:
inputs:
image_digest:
description: The sha256 digest of the docker image to use
required: true
type: string
permissions:
id-token: write
contents: read
jobs:
get_image_metadata:
runs-on: ubuntu-latest
environment: production
if: github.event != 'workflow_dispatch'
outputs:
image_digest: ${{ steps.set_image_digest.outputs.image_digest }}
steps:
- name: Get Image Metadata from Release
uses: dsaltares/fetch-gh-release-asset@master
with:
version: ${{ github.event.release.id || }}
file: metadata.json
- name: Set Image Digest from Metadata
id: set_image_digest
run: |
image_digest=$(cat metadata.json | jq -r '."containerimage.digest"')
echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
production_deploy:
runs-on: ubuntu-latest
environment: production
env:
tf_version: '1.5.7'
tg_version: '0.54.0'
tg_dir: './deploy/tg'
needs: [get_image_metadata]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
audience: sts.amazonaws.com
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
- name: Expose github environment as shell variables
env:
SECRETS_CONTEXT: ${{ toJson(secrets) }}
VARS_CONTEXT: ${{ toJson(vars) }}
run: |
EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; }
echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV
echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{ env.tf_version }}
- name: Setup Terragrunt
id: setup_terragrunt
run: |
wget https://github.com/gruntwork-io/terragrunt/releases/download/v${terragrunt_version}/terragrunt_linux_amd64 \
&& mv terragrunt_linux_amd64 terragrunt \
&& chmod +x terragrunt \
&& mv terragrunt /usr/local/bin/terragrunt
env:
terragrunt_version: ${{ env.tg_version }}
- name: Terragrunt Plan
id: terragrunt_plan
run: terragrunt plan -out=tf.plan
working-directory: ${{ env.tg_dir }}
env:
TF_INPUT: 0
TF_IN_AUTOMATION: true
# get the image digest from the build job with optional override from vars context
TF_VAR_image: ${{ vars.IMAGE || needs.get_image_metadata.outputs.image_digest || inputs.image_digest }}
- name: Terragrunt Apply
id: terragrunt_apply
run: terragrunt apply -auto-approve tf.plan
working-directory: ${{ env.tg_dir }}
env:
TF_INPUT: 0
TF_IN_AUTOMATION: true
# get the image digest from the build job with optional override from vars context
TF_VAR_image: ${{ vars.IMAGE || needs.get_image_metadata.outputs.image_digest || inputs.image_digest }}