name: AWS Deployment on: workflow_call: inputs: aws_account_id: required: true type: string aws_resource_prefix: required: true type: string environment: required: true type: string concurrency: group: deploy-${{ inputs.environment }} cancel-in-progress: true env: app_repo_role: arn:aws:iam::815624722760:role/core-application-repo aws_region: eu-west-2 repository: core REPO_URL: communitiesuk/submit-social-housing-lettings-and-sales-data jobs: push_docker_image: if: inputs.environment != 'production' name: Push docker image to AWS runs-on: ubuntu-latest permissions: id-token: write steps: - name: Checkout code uses: actions/checkout@v3 - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 with: aws-region: ${{ env.aws_region }} role-to-assume: ${{ env.app_repo_role }} - name: Login to Amazon ECR id: ecr-login uses: aws-actions/amazon-ecr-login@v1 with: mask-password: 'true' - name: Build, tag, and push docker image to ECR id: build-image env: registry: ${{ steps.ecr-login.outputs.registry }} commit_tag: ${{ github.sha }} run: | docker build -t $registry/$repository:$commit_tag . --target=production docker push $registry/$repository:$commit_tag deploy: name: Deploy image runs-on: ubuntu-latest environment: ${{ inputs.environment }} needs: push_docker_image if: | always() && (needs.push_docker_image.result == 'success' || needs.push_docker_image.result == 'skipped') steps: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v3 with: aws-region: ${{ env.aws_region }} role-to-assume: ${{ env.app_repo_role }} - name: Login to Amazon ECR id: ecr-login uses: aws-actions/amazon-ecr-login@v1 with: mask-password: 'true' - name: Get timestamp id: timestamp run: echo "timestamp=$(date +%Y%m%d%H%M%S)" >> $GITHUB_ENV - name: Get latest release with tag id: latestrelease if: inputs.environment == 'production' run: | echo "releasetag=$(curl -s https://api.github.com/repos/${REPO_URL}/releases/latest | jq '.tag_name' | sed 's/\"//g')" >> $GITHUB_OUTPUT - name: Confirm release tag if: inputs.environment == 'production' run: | echo ${{ steps.latestrelease.outputs.releasetag }} - name: Checkout tag uses: actions/checkout@v3 if: inputs.environment == 'production' with: ref: ${{ steps.latestrelease.outputs.releasetag }} - name: Get tags id: tags run: | echo "commit-tag=$(if [[ ${{ inputs.environment == 'production' }} ]]; then echo $(git log -1 '--format=format:%H'); else echo ${{ github.sha }}; fi)" >> $GITHUB_OUTPUT echo "additional-tag=$(if [[ ${{ inputs.environment == 'production' }} ]]; then echo ${{ steps.latestrelease.outputs.releasetag }}; else echo ${{ env.timestamp }}; fi)" >> $GITHUB_OUTPUT - name: Add environment tag to existing image env: registry: ${{ steps.ecr-login.outputs.registry }} commit_tag: ${{ steps.tags.outputs.commit-tag }} readable_tag: ${{ inputs.environment }}-${{ steps.tags.outputs.additional-tag }}-${{ env.timestamp }} run: | manifest=$(aws ecr batch-get-image --repository-name $repository --image-ids imageTag=$commit_tag --output text --query images[].imageManifest) aws ecr put-image --repository-name $repository --image-tag $readable_tag --image-manifest "$manifest" echo "image=$registry/$repository:$readable_tag" >> $GITHUB_ENV # manifest=$(aws ecr batch-get-image --repository-name $repository --image-ids imageTag=$commit_tag --output text --query images[].imageManifest) # aws ecr put-image --repository-name $repository --image-tag $readable_tag --image-manifest "$manifest" # echo "image=$registry/$repository:$readable_tag" >> $GITHUB_ENV - name: Configure AWS credentials for environment uses: aws-actions/configure-aws-credentials@v3 with: aws-region: ${{ env.aws_region }} role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/${{ inputs.aws_resource_prefix }}-deployment role-chaining: true - name: Download ad hoc task definition env: ad_hoc_task_definition: ${{ inputs.aws_resource_prefix }}-ad-hoc run: | aws ecs describe-task-definition --task-definition $ad_hoc_task_definition --query taskDefinition > ad-hoc-task-definition.json - name: Update image ID id: ad-hoc-task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: task-definition: ad-hoc-task-definition.json container-name: app image: ${{ env.image }} - name: Update ad hoc task definition uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: task-definition: ${{ steps.ad-hoc-task-def.outputs.task-definition }} - name: Run migrations task env: ad_hoc_task_definition: ${{ inputs.aws_resource_prefix }}-ad-hoc cluster: ${{ inputs.aws_resource_prefix }}-app service: ${{ inputs.aws_resource_prefix }}-app run: | network=$(aws ecs describe-services --cluster $cluster --services $service --query services[0].networkConfiguration) overrides='{ "containerOverrides" : [{ "name" : "app", "command" : ["bundle", "exec", "rake", "db:migrate"]}]}' arn=$(aws ecs run-task --cluster $cluster --task-definition $ad_hoc_task_definition --network-configuration "$network" --overrides "$overrides" --group migrations --launch-type FARGATE --query tasks[0].taskArn) echo "Waiting for migration task to complete" temp=${arn##*/} id=${temp%*\"} aws ecs wait tasks-stopped --cluster $cluster --tasks $id succeeded=$(aws ecs describe-tasks --cluster $cluster --tasks $id --query "tasks[0].stopCode == 'EssentialContainerExited' && to_string(tasks[0].containers[0].exitCode) == '0'") if [ $succeeded == true ]; then exit 0; else exit 1; fi - name: Download app service task definition env: app_task_definition: ${{ inputs.aws_resource_prefix }}-app run: | aws ecs describe-task-definition --task-definition $app_task_definition --query taskDefinition > app-task-definition.json - name: Update app image ID id: app-task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: task-definition: app-task-definition.json container-name: app image: ${{ env.image }} - name: Deploy updated application uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: cluster: ${{ inputs.aws_resource_prefix }}-app service: ${{ inputs.aws_resource_prefix }}-app task-definition: ${{ steps.app-task-def.outputs.task-definition }} wait-for-service-stability: true - name: Download sidekiq service task definition env: sidekiq_task_definition: ${{ inputs.aws_resource_prefix }}-sidekiq run: | aws ecs describe-task-definition --task-definition $sidekiq_task_definition --query taskDefinition > sidekiq-task-definition.json - name: Update sidekiq image ID id: sidekiq-task-def uses: aws-actions/amazon-ecs-render-task-definition@v1 with: task-definition: sidekiq-task-definition.json container-name: sidekiq image: ${{ env.image }} - name: Deploy updated sidekiq uses: aws-actions/amazon-ecs-deploy-task-definition@v1 with: cluster: ${{ inputs.aws_resource_prefix }}-app service: ${{ inputs.aws_resource_prefix }}-sidekiq task-definition: ${{ steps.sidekiq-task-def.outputs.task-definition }} wait-for-service-stability: true