-
Notifications
You must be signed in to change notification settings - Fork 3
187 lines (167 loc) · 8.5 KB
/
hrm-lambda-deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
# Copyright (C) 2021-2023 Technology Matters
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see https://www.gnu.org/licenses/.
name: 'Deploy HRM Lambda'
on:
workflow_dispatch:
inputs:
environment:
description: HRM environment to deploy.
default: development
required: true
type: choice
options:
- development
- staging
- production
lambda_name:
description: 'HRM lambda name'
required: true
default: contact-retrieve-transcript
type: choice
options:
- contact-retrieve-transcript
- resources-import-consumer
- resources-import-producer
- resources-search-index
- job-complete
workflow_call:
secrets:
AWS_ACCESS_KEY_ID:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
inputs:
environment:
description: HRM environment to deploy. E.G = development, staging, production (must match with the AWS environment value). Default value = development
type: string
default: development
required: true
lambda_name:
description: 'hrm lambda name'
required: true
type: string
send-slack-message:
description: 'Specifies if should send a Slack message at the end of successful run. Defaults to true'
required: false
default: 'true'
type: string
env:
ECR_REPOSITORY: ${{ inputs.environment }}/hrm-${{ inputs.lambda_name }}
# if anything is set as a secret, it can't be used in outputs. So we need to set it as an env var
PRIMARY_AWS_REGION: us-east-1
jobs:
build_lambda:
name: Build Lambda Image
runs-on: ubuntu-latest
outputs:
matrix_json: ${{ steps.generate-output.outputs.matrix_json }}
docker_image: ${{ steps.generate-output.outputs.docker_image}}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.PRIMARY_AWS_REGION }}
# this plugin sets the AWS account ID to a secret which is not allowed in outputs
# we have to disable that so repo output will work
mask-aws-account-id: 'no'
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build and Push Docker Image
uses: docker/build-push-action@v4
with:
context: ./
file: ./jobs/Dockerfile
build-args: |
lambda_name=${{ inputs.lambda_name }}
lambda_dir=${{ (startsWith(inputs.lambda_name, 'job') && 'jobs') || (startsWith(inputs.lambda_name, 'resources') && 'resources-domain') || 'hrm-domain' }}
push: true
tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:live,${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}
# The matrix build supports `lambda-groups` defined in the environment-region-map.json file
# This allows us to deploy multiple lambdas to specific env/region combos that use a common docker image
# That is some pretty intense JQ, but it works.
# The current behavior is: If a key that matches the lambda name is found in the lambda-groups object, then
# created separate entries for each region/lambda combo. Otherwise, just use the lambda name and deploy to all
# regions that exist for that environment.
# matrices don't support complex object structures, so we generate a flat array of objects that contain the
# region and lambda name. If there are multiple lambdas, the region will be repeated for each lambda.
- name: Generate output
id: generate-output
run: |
# output to logs
jq -c --arg lambda_name "${{ inputs.lambda_name }}" --arg env "${{ inputs.environment }}" '[.[$env] | to_entries[] | . as $region_entry | if $region_entry.value["lambda-groups"][$lambda_name] then $region_entry.value["lambda-groups"][$lambda_name][] else $lambda_name end | {region: $region_entry.key, lambda: .}]' ./.github/workflows/config/environment-region-map.json
matrix_json=$(jq -c --arg lambda_name "${{ inputs.lambda_name }}" --arg env "${{ inputs.environment }}" '[.[$env] | to_entries[] | . as $region_entry | if $region_entry.value["lambda-groups"][$lambda_name] then $region_entry.value["lambda-groups"][$lambda_name][] else $lambda_name end | {region: $region_entry.key, lambda: .}]' ./.github/workflows/config/environment-region-map.json)
echo "matrix_json=$matrix_json" >> $GITHUB_OUTPUT
echo "docker_image=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ github.sha }}" >> $GITHUB_OUTPUT
deploy_lambdas:
needs: build_lambda
name: Deploy to Amazon ECS
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
include: ${{ fromJson(needs.build_lambda.outputs.matrix_json) }}
env:
DOCKER_IMAGE: ${{ needs.build_lambda.outputs.docker_image }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ matrix.region }}
# this plugin sets the AWS account ID to a secret which is not allowed in outputs
# we have to disable that so repo output will work
mask-aws-account-id: 'no'
# The search and replace is kinda ugly but works. We need to replace the primary region with the region we're deploying to.
# because lambdas don't support ECR images in different regions. We use cross region replication in ECR to make the image
# that is pushed in the primary region available in all other regions.
- name: Update Lambda and Publish
run: |
DOCKER_IMAGE=$(echo "${{ env.DOCKER_IMAGE }}" | sed -r 's/${{ env.PRIMARY_AWS_REGION }}/${{ matrix.region }}/g')
aws lambda update-function-code --function-name ${{ inputs.environment }}-hrm-${{ matrix.lambda }} --image-uri "$DOCKER_IMAGE" --publish
# reconfigure AWS credentials to use the default region for SSM Parameter Store.
# aws-actions/configure-aws-credentials@v2 overrides env.AWS_DEFAULT_REGION, so
# we name our env var PRIMARY_AWS_REGION to avoid that.
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.PRIMARY_AWS_REGION }}
# Set any env vars needed from Parameter Store here
- name: Set GITHUB_ACTIONS_SLACK_BOT_TOKEN
uses: 'marvinpinto/action-inject-ssm-secrets@latest'
with:
ssm_parameter: 'GITHUB_ACTIONS_SLACK_BOT_TOKEN'
env_variable_name: 'GITHUB_ACTIONS_SLACK_BOT_TOKEN'
- name: Set ASELO_DEPLOYS_CHANNEL_ID
uses: 'marvinpinto/action-inject-ssm-secrets@latest'
with:
ssm_parameter: 'ASELO_DEPLOYS_CHANNEL_ID'
env_variable_name: 'ASELO_DEPLOYS_CHANNEL_ID'
# Send Slack notifying success
- name: Slack Aselo channel
id: slack
uses: slackapi/[email protected]
with:
channel-id: ${{ env.ASELO_DEPLOYS_CHANNEL_ID }}
slack-message: '`[HRM lambdas - ${{ matrix.lambda }}]` Deployment of ${{ github.ref_type }} `${{ github.ref_name }}` requested by `${{ github.triggering_actor }}` completed with SHA ${{ github.sha }} to region `${{ matrix.region }}`, environment `${{ inputs.environment }}` :rocket:.'
env:
SLACK_BOT_TOKEN: ${{ env.GITHUB_ACTIONS_SLACK_BOT_TOKEN }}
if: ${{ inputs.send-slack-message != 'false' }}