-
Notifications
You must be signed in to change notification settings - Fork 3
232 lines (206 loc) · 10 KB
/
hrm-lambda-deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# Copyright (C) 2021-2023 Technology Matters
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see https://www.gnu.org/licenses/.
name: 'Deploy HRM Lambda'
on:
workflow_dispatch:
inputs:
environment:
description: HRM environment to deploy.
default: development
required: true
type: choice
options:
- development
- staging
- production
lambda_path:
description: 'Lambda path'
required: true
type: choice
options:
- hrm-domain/lambdas/files-urls
- hrm-domain/lambdas/contact-retrieve-transcript
- hrm-domain/lambdas/search-index-consumer
- lambdas/job-complete
- resources-domain/lambdas/import-consumer
- resources-domain/lambdas/import-producer
- resources-domain/lambdas/search-index
workflow_call:
secrets:
AWS_ACCESS_KEY_ID:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
inputs:
environment:
description: HRM environment to deploy. E.G = development, staging, production (must match with the AWS environment value). Default value = development
type: string
default: development
required: true
lambda_path:
description: 'Lambda path'
required: true
type: string
send-slack-message:
description: 'Specifies if should send a Slack message at the end of successful run. Defaults to true'
required: false
default: 'true'
type: string
env:
# if anything is set as a secret, it can't be used in outputs. So we need to set it as an env var
PRIMARY_AWS_REGION: us-east-1
jobs:
build_lambda:
name: Build Lambda Image
runs-on: ubuntu-latest
outputs:
matrix_json: ${{ steps.generate-output.outputs.matrix_json }}
docker_image: ${{ steps.generate-output.outputs.docker_image}}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.PRIMARY_AWS_REGION }}
# this plugin sets the AWS account ID to a secret which is not allowed in outputs
# we have to disable that so repo output will work
mask-aws-account-id: 'no'
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Set Build Args
run: |
lambda_full_path=${{ inputs.lambda_path }}
# Extracting directory and lambda name from the lambda path
build_lambda_dir=$(dirname $lambda_full_path)
build_lambda_name=$(basename $lambda_full_path)
repo_name="${lambda_full_path//-domain\/lambdas\//-}"
repo_name="${repo_name#hrm-}"
repo_name="${repo_name//lambdas\//}"
repo_name="${repo_name//\//-}"
echo "ecr_repository=${{ inputs.environment }}/hrm-$repo_name" >> $GITHUB_ENV
echo "build_lambda_name=$build_lambda_name" >> $GITHUB_ENV
echo "build_lambda_dir=$build_lambda_dir" >> $GITHUB_ENV
- name: Build and Push Docker Image
uses: docker/build-push-action@v6
with:
context: ./
file: ./lambdas/Dockerfile
build-args: |
lambda_name=${{ env.build_lambda_name }}
lambda_dir=${{ env.build_lambda_dir }}
push: true
tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ecr_repository }}:live,${{ steps.login-ecr.outputs.registry }}/${{ env.ecr_repository }}:${{ github.sha }}
# The matrix build supports `lambda-groups` defined in the environment-region-map.json file
# This allows us to deploy multiple lambdas to specific env/region combos that use a common docker image
# That is some pretty intense JQ, but it works.
# The current behavior is: If a key that matches the lambda name is found in the lambda-groups object, then
# created separate entries for each region/lambda combo. Otherwise, just use the lambda name and deploy to all
# regions that exist for that environment.
# matrices don't support complex object structures, so we generate a flat array of objects that contain the
# region and lambda name. If there are multiple lambdas, the region will be repeated for each lambda.
- name: Generate output
id: generate-output
run: |
# output to logs
matrix_json=$(jq -c --arg env "${{ inputs.environment }}" '[.[$env][] | {region: .}]' ./.github/workflows/config/environment-region-map.json)
echo "matrix_json=$matrix_json" >> $GITHUB_OUTPUT
echo "docker_image=${{ steps.login-ecr.outputs.registry }}/${{ env.ecr_repository }}:${{ github.sha }}" >> $GITHUB_OUTPUT
deploy_lambdas:
needs: build_lambda
name: Deploy to Amazon ECS
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include: ${{ fromJson(needs.build_lambda.outputs.matrix_json) }}
env:
DOCKER_IMAGE: ${{ needs.build_lambda.outputs.docker_image }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ matrix.region }}
# this plugin sets the AWS account ID to a secret which is not allowed in outputs
# we have to disable that so repo output will work
mask-aws-account-id: 'no'
# The search and replace is kinda ugly but works. We need to replace the primary region with the region we're deploying to.
# because lambdas don't support ECR images in different regions. We use cross region replication in ECR to make the image
# that is pushed in the primary region available in all other regions.
- name: Update Lambda and Publish
run: |
DOCKER_IMAGE=$(echo "${{ env.DOCKER_IMAGE }}" | sed -r 's/${{ env.PRIMARY_AWS_REGION }}/${{ matrix.region }}/g')
DOCKER_IMAGE_BASE=$(echo "$DOCKER_IMAGE" | cut -d':' -f1)
LAMBDA_FUNCTIONS=$(aws lambda list-functions --query "Functions[?contains(Description, 'ecr_image:${DOCKER_IMAGE_BASE}')].FunctionName" --output text)
if [ -z "$LAMBDA_FUNCTIONS" ]; then
echo "Warning: No Lambda functions found for image $DOCKER_IMAGE_BASE"
exit 0
fi
for LAMBDA in $LAMBDA_FUNCTIONS; do
OUTPUT=$(aws lambda update-function-code --function-name $LAMBDA --image-uri "$DOCKER_IMAGE" --publish)
NEW_VERSION=$(echo "$OUTPUT" | jq -r '.Version')
ALIAS_EXISTS=$(aws lambda get-alias --function-name $LAMBDA --name live || echo "not_exists")
if [ "$ALIAS_EXISTS" == "not_exists" ]; then
aws lambda create-alias --function-name $LAMBDA --name live --function-version $NEW_VERSION
else
aws lambda update-alias --function-name $LAMBDA --name live --function-version $NEW_VERSION
fi
done
# reconfigure AWS credentials to use the default region for SSM Parameter Store.
# aws-actions/configure-aws-credentials@v4 overrides env.AWS_DEFAULT_REGION, so
# we name our env var PRIMARY_AWS_REGION to avoid that.
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.PRIMARY_AWS_REGION }}
# Set any env vars needed from Parameter Store here
- name: Set GITHUB_ACTIONS_SLACK_BOT_TOKEN
uses: 'marvinpinto/action-inject-ssm-secrets@latest'
with:
ssm_parameter: 'GITHUB_ACTIONS_SLACK_BOT_TOKEN'
env_variable_name: 'GITHUB_ACTIONS_SLACK_BOT_TOKEN'
- name: Set ASELO_DEPLOYS_CHANNEL_ID
uses: 'marvinpinto/action-inject-ssm-secrets@latest'
with:
ssm_parameter: 'ASELO_DEPLOYS_CHANNEL_ID'
env_variable_name: 'ASELO_DEPLOYS_CHANNEL_ID'
# Send Slack notifying success
- name: Slack Aselo channel
id: slack
uses: slackapi/[email protected]
with:
channel-id: ${{ env.ASELO_DEPLOYS_CHANNEL_ID }}
slack-message: '`[HRM lambdas - ${{ inputs.lambda_path }}]` Deployment of ${{ github.ref_type }} `${{ github.ref_name }}` requested by `${{ github.triggering_actor }}` completed with SHA ${{ github.sha }} to region `${{ matrix.region }}`, environment `${{ inputs.environment }}` :rocket:.'
env:
SLACK_BOT_TOKEN: ${{ env.GITHUB_ACTIONS_SLACK_BOT_TOKEN }}
if: ${{ inputs.send-slack-message != 'false' }}
# Update deployment matrix with region as identifier and lambda path as service repo
- name: Update deployment matrix
id: update-deployment-matrix
uses: techmatters/flex-plugins/.github/actions/deployment-matrix@master
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.PRIMARY_AWS_REGION }}
identifier: ${{ matrix.region }}
environment: ${{ inputs.environment }}
service_repo: ${{ inputs.lambda_path }}
version_tag: ${{ github.ref_name }}