name : AWS Deployment
on :
workflow_call :
inputs :
aws_account_id :
required : true
type : string
aws_role_prefix :
required : true
type : string
aws_task_prefix :
required : true
type : string
concurrency_tag :
required : false
type : string
default : ""
environment :
required : true
type : string
release_tag :
required : false
type : string
concurrency :
group : deploy-${{ inputs.environment }}${{ inputs.concurrency_tag }}
cancel-in-progress : true
env :
app_repo_role : arn:aws:iam::815624722760:role/core-application-repo
aws_region : eu-west-2
repository : core
jobs :
push_docker_image :
name : Push docker image to AWS
runs-on : ubuntu-latest
permissions :
id-token : write
steps :
- name : Checkout code
uses : actions/checkout@v4
- name : Configure AWS credentials
uses : aws-actions/configure-aws-credentials@v4
with :
aws-region : ${{ env.aws_region }}
role-to-assume : ${{ env.app_repo_role }}
- name : Login to Amazon ECR
id : ecr-login
uses : aws-actions/amazon-ecr-login@v2
- name : Check if image with tag already exists
run : |
echo "image-exists=$(if aws ecr list-images --repository-name=$repository --query "imageIds[*].imageTag" | grep -q ${{ github.sha }}; then echo true; else echo false; fi)" >> $GITHUB_ENV
- name : Build, tag, and push docker image to ECR if there is no image, failing for releases
id : build-image
if : ${{ env.image-exists == 'false' }}
env :
registry : ${{ steps.ecr-login.outputs.registry }}
commit_tag : ${{ github.sha }}
run : |
if [[ ${{ inputs.environment }} == 'production' ]]; then
echo "Error: Deployment to production environment is not allowed as there is no docker image (i.e. the AWS deploy on staging was unsuccessful for this commit)."
exit 1
fi
docker build -t $registry/$repository:$commit_tag . --target=production
docker push $registry/$repository:$commit_tag
deploy :
name : Deploy image
runs-on : ubuntu-latest
environment : ${{ inputs.environment }}
needs : push_docker_image
steps :
- name : Configure AWS credentials
uses : aws-actions/configure-aws-credentials@v4
with :
aws-region : ${{ env.aws_region }}
role-to-assume : ${{ env.app_repo_role }}
- name : Login to Amazon ECR
id : ecr-login
uses : aws-actions/amazon-ecr-login@v2
- name : Get timestamp
id : timestamp
run : echo "timestamp=$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV
- name : Get additional tag
run : |
echo "additional-tag=$(if [[ ${{ inputs.environment }} == 'production' ]]; then echo ${{ inputs.release_tag }}-${{ env.timestamp }}; else echo ${{ env.timestamp }}; fi)" >> $GITHUB_ENV
- name : Add environment tag to existing image
id : update-image-tags
env :
registry : ${{ steps.ecr-login.outputs.registry }}
commit_tag : ${{ github.sha }}
readable_tag : ${{ inputs.environment }}-${{ env.additional-tag }}
run : |
manifest=$(aws ecr batch-get-image --repository-name $repository --image-ids imageTag=$commit_tag --output text --query images[].imageManifest)
aws ecr put-image --repository-name $repository --image-tag $readable_tag --image-manifest "$manifest"
echo "image=$registry/$repository:$readable_tag" >> $GITHUB_ENV
- name : Configure AWS credentials for environment
uses : aws-actions/configure-aws-credentials@v4
with :
aws-region : ${{ env.aws_region }}
role-to-assume : arn:aws:iam::${{ inputs.aws_account_id }}:role/${{ inputs.aws_role_prefix }}-deployment
role-chaining : true
- name : Download ad hoc task definition
env :
ad_hoc_task_definition : ${{ inputs.aws_task_prefix }}-ad-hoc
run : |
aws ecs describe-task-definition --task-definition $ad_hoc_task_definition --query taskDefinition > ad-hoc-task-definition.json
- name : Update image ID
id : ad-hoc-task-def
uses : aws-actions/amazon-ecs-render-task-definition@v1
with :
task-definition : ad-hoc-task-definition.json
container-name : app
image : ${{ env.image }}
- name : Update ad hoc task definition
uses : aws-actions/amazon-ecs-deploy-task-definition@v2
with :
task-definition : ${{ steps.ad-hoc-task-def.outputs.task-definition }}
- name : Setup Database
if : ${{ inputs.environment == 'review' }}
env :
ad_hoc_task_definition : ${{ inputs.aws_task_prefix }}-ad-hoc
cluster : ${{ inputs.aws_task_prefix }}-app
service : ${{ inputs.aws_task_prefix }}-app
run : |
network=$(aws ecs describe-services --cluster $cluster --services $service --query services[0].networkConfiguration)
overrides='{ "containerOverrides" : [{ "name" : "app", "command" : ["bundle", "exec", "rake", "db:prepare"]}]}'
arn=$(aws ecs run-task --cluster $cluster --task-definition $ad_hoc_task_definition --network-configuration "$network" --overrides "$overrides" --group migrations --launch-type FARGATE --query tasks[0].taskArn)
echo "Waiting for db prepare task to complete"
temp=${arn##*/}
id=${temp%*\"}
aws ecs wait tasks-stopped --cluster $cluster --tasks $id
succeeded=$(aws ecs describe-tasks --cluster $cluster --tasks $id --query "tasks[0].stopCode == 'EssentialContainerExited' && to_string(tasks[0].containers[0].exitCode) == '0'")
if [ $succeeded == true ]; then exit 0; else exit 1; fi
- name : Run migrations task
env :
ad_hoc_task_definition : ${{ inputs.aws_task_prefix }}-ad-hoc
cluster : ${{ inputs.aws_task_prefix }}-app
service : ${{ inputs.aws_task_prefix }}-app
run : |
network=$(aws ecs describe-services --cluster $cluster --services $service --query services[0].networkConfiguration)
overrides='{ "containerOverrides" : [{ "name" : "app", "command" : ["bundle", "exec", "rake", "db:migrate"]}]}'
arn=$(aws ecs run-task --cluster $cluster --task-definition $ad_hoc_task_definition --network-configuration "$network" --overrides "$overrides" --group migrations --launch-type FARGATE --query tasks[0].taskArn)
echo "Waiting for migration task to complete"
temp=${arn##*/}
id=${temp%*\"}
aws ecs wait tasks-stopped --cluster $cluster --tasks $id
succeeded=$(aws ecs describe-tasks --cluster $cluster --tasks $id --query "tasks[0].stopCode == 'EssentialContainerExited' && to_string(tasks[0].containers[0].exitCode) == '0'")
if [ $succeeded == true ]; then exit 0; else exit 1; fi
- name : Download app service task definition
env :
app_task_definition : ${{ inputs.aws_task_prefix }}-app
run : |
aws ecs describe-task-definition --task-definition $app_task_definition --query taskDefinition > app-task-definition.json
- name : Update app image ID
id : app-task-def
uses : aws-actions/amazon-ecs-render-task-definition@v1
with :
task-definition : app-task-definition.json
container-name : app
image : ${{ env.image }}
- name : Deploy updated application
uses : aws-actions/amazon-ecs-deploy-task-definition@v2
with :
cluster : ${{ inputs.aws_task_prefix }}-app
service : ${{ inputs.aws_task_prefix }}-app
task-definition : ${{ steps.app-task-def.outputs.task-definition }}
wait-for-service-stability : true
- name : Download sidekiq service task definition
env :
sidekiq_task_definition : ${{ inputs.aws_task_prefix }}-sidekiq
run : |
aws ecs describe-task-definition --task-definition $sidekiq_task_definition --query taskDefinition > sidekiq-task-definition.json
- name : Update sidekiq image ID
id : sidekiq-task-def
uses : aws-actions/amazon-ecs-render-task-definition@v1
with :
task-definition : sidekiq-task-definition.json
container-name : sidekiq
image : ${{ env.image }}
- name : Deploy updated sidekiq
uses : aws-actions/amazon-ecs-deploy-task-definition@v2
with :
cluster : ${{ inputs.aws_task_prefix }}-app
service : ${{ inputs.aws_task_prefix }}-sidekiq
task-definition : ${{ steps.sidekiq-task-def.outputs.task-definition }}
wait-for-service-stability : true