-
Notifications
You must be signed in to change notification settings - Fork 46
138 lines (125 loc) · 6.06 KB
/
deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
# The aws security group ssh enable/revoke comes from https://stackoverflow.com/questions/63642807/how-can-i -find-the-right-inbound-rule-for-my-github-action-to-deploy-on-my-aws-e
# Deploy the latest version of the code to all our Elastic Beanstalk environments
name: Deploy
on:
push:
branches:
- main
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- environment: PROD_DEPLOYMENT
aws_access_key_id: PROD_AWS_ACCESS_KEY_ID
# trunk-ignore(checkov/CKV_SECRET_6)
aws_secret_access_key: PROD_AWS_SECRET_ACCESS_KEY
aws_region: PROD_AWS_REGION
application_name: PROD_APPLICATION_NAME
environment_name: PROD_ENVIRONMENT_NAME
worker_hostname: PROD_WORKER_HOSTNAME
worker_security_group: PROD_WORKER_SECURITY_GROUP
ssh_key: PROD_SSH_KEY
- environment: NHS_DEPLOYMENT
aws_access_key_id: NHS_AWS_ACCESS_KEY_ID
# trunk-ignore(checkov/CKV_SECRET_6)
aws_secret_access_key: NHS_AWS_SECRET_ACCESS_KEY
aws_region: NHS_AWS_REGION
application_name: NHS_APPLICATION_NAME
environment_name: NHS_ENVIRONMENT_NAME
worker_hostname: NHS_WORKER_HOSTNAME
worker_security_group: NHS_WORKER_SECURITY_GROUP
ssh_key: NHS_SSH_KEY
- environment: EU_DEPLOYMENT
aws_access_key_id: EU_AWS_ACCESS_KEY_ID
# trunk-ignore(checkov/CKV_SECRET_6)
aws_secret_access_key: EU_AWS_SECRET_ACCESS_KEY
aws_region: EU_AWS_REGION
application_name: EU_APPLICATION_NAME
environment_name: EU_ENVIRONMENT_NAME
worker_hostname: EU_WORKER_HOSTNAME
worker_security_group: EU_WORKER_SECURITY_GROUP
ssh_key: EU_SSH_KEY
env:
AWS_ACCESS_KEY_ID: ${{ secrets[matrix.aws_access_key_id] }}
AWS_SECRET_ACCESS_KEY: ${{ secrets[matrix.aws_secret_access_key] }}
AWS_REGION: ${{ secrets[matrix.aws_region] }}
APPLICATION_NAME: ${{ secrets[matrix.application_name] }}
ENVIRONMENT_NAME: ${{ secrets[matrix.environment_name] }}
WORKER_HOSTNAME: ${{ secrets[matrix.worker_hostname] }}
WORKER_SECURITY_GROUP: ${{ secrets[matrix.worker_security_group] }}
SSH_KEY: ${{ secrets[matrix.ssh_key] }}
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- name: Do The GitHub Git Operation Thing
uses: actions/checkout@v2
- name: get runner ip address
id: ip
uses: haythem/[email protected]
- name: setup aws security group
uses: aws-actions/configure-aws-credentials@v1
with:
# these variable names differ from the second with block - sure hope you can have two of those
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
- name: whitelist runner ip address
run: |
aws ec2 authorize-security-group-ingress \
--group-id $WORKER_SECURITY_GROUP \
--protocol tcp \
--port 22 \
--cidr ${{ steps.ip.outputs.ipv4 }}/32
- name: Create the deployment package
run: zip -r deploy.zip . -x '*.git*'
- name: Get version label and description
run: |
echo "VERSION_LABEL=$(git rev-parse --short HEAD)_$(date '+%Y-%m-%dT%H:%M:%S')" >> $GITHUB_ENV
echo "VERSION_DESCRIPTION=$(git log -1 --pretty=format:%h\ %as\ %cn\:\ %s HEAD)" >> $GITHUB_ENV
- name: Deploy to Elastic Beanstalk
uses: einaregilsson/beanstalk-deploy@v18
with:
aws_access_key: ${{ env.AWS_ACCESS_KEY_ID }}
aws_secret_key: ${{ env.AWS_SECRET_ACCESS_KEY }}
application_name: ${{ env.APPLICATION_NAME }}
environment_name: ${{ env.ENVIRONMENT_NAME }}
version_label: ${{ env.VERSION_LABEL }}
version_description: ${{ env.VERSION_DESCRIPTION }}
region: ${{ env.AWS_REGION }}
deployment_package: deploy.zip
- name: Deploy to worker server a.k.a. data processing server
run: |
echo ${{ matrix.node }}
mkdir -p ~/.ssh/
echo "$SSH_KEY" > ~/.ssh/staging.key
chmod 600 ~/.ssh/staging.key
# SSH into the remote server, cd into beiwe-backend, run git pull, then restart supervisord.
# If `git pull` fails, exit the SSH session, and percolate that up into killing this script.
if ! ssh -i ~/.ssh/staging.key -o StrictHostKeyChecking=no ubuntu@"$WORKER_HOSTNAME" \
'cd beiwe-backend; \
if ! git pull; \
then exit 1; \
fi; \
# update the profile for any future ssh sessions updates: \
cp /home/ubuntu/beiwe-backend/cluster_management/pushed_files/bash_profile.sh /home/ubuntu/.profile \
# need to install forest, update existing requirements, update data processing requirements \
# (we have to uninstall forest because pointing at a new commit will not force updated \
# subrequirements, for some reason.). Also update pip and friends.
/home/ubuntu/.pyenv/versions/beiwe/bin/python -m pip uninstall forest -y; \
/home/ubuntu/.pyenv/versions/beiwe/bin/python -m pip install --upgrade pip setuptools wheel; \
/home/ubuntu/.pyenv/versions/beiwe/bin/python -m pip install -r requirements.txt; \
sudo pkill -HUP supervisord;'; \
then \
exit 1; \
fi
- name: revoke runner ip address from the security group
run: |
aws ec2 revoke-security-group-ingress \
--group-id $WORKER_SECURITY_GROUP \
--protocol tcp \
--port 22 \
--cidr ${{ steps.ip.outputs.ipv4 }}/32