Skip to content

Commit

Permalink
deploy github action testing
Browse files Browse the repository at this point in the history
  • Loading branch information
RMcVelia committed Nov 1, 2024
1 parent 77d56e7 commit 570892c
Show file tree
Hide file tree
Showing 6 changed files with 104 additions and 156 deletions.
3 changes: 0 additions & 3 deletions .github/actions/deploy/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,9 +16,6 @@ inputs:
slack-webhook:
required: false

outputs:
deploy-url:
value: ${{ steps.set_env_var.outputs.deploy_url }}

runs:
using: composite
Expand Down
211 changes: 67 additions & 144 deletions .github/workflows/build-and-deploy.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,177 +16,100 @@ permissions:
packages: write
pull-requests: write

env:
TF_PATH: terraform/aks

jobs:
build:
name: Build
env:
DOCKER_IMAGE: ghcr.io/dfe-digital/international-teacher-relocation-payment
outputs:
docker_image: ${{ env.DOCKER_IMAGE }}
image_tag: ${{ env.IMAGE_TAG }}
docker-image-tag: ${{ steps.build-image.outputs.tag }}
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v4
name: Checkout

- name: Set environment variables (push)
if: github.event_name == 'push'
run: |
GIT_BRANCH=${GITHUB_REF##*/}
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main
echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV
- name: Set environment variables (pull_request)
if: github.event_name == 'pull_request'
run: |
GIT_BRANCH=${GITHUB_HEAD_REF##*/}
echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV
echo "IMAGE_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
- name: Set KV environment variables
if: github.actor != 'dependabot[bot]'
run: |
# tag build to the review env for vars and secrets
tf_vars_file=terraform/aks/config/review.tfvars.json
echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV
echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}

- uses: azure/login@v2
if: github.actor != 'dependabot[bot]'
with:
creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}

- uses: DFE-Digital/keyvault-yaml-secret@v1
if: github.actor != 'dependabot[bot]'
id: get-secret
with:
keyvault: ${{ env.KEY_VAULT_NAME }}
secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }}
key: SNYK_TOKEN

- name: Build Docker Image
uses: docker/build-push-action@v6
- name: Build and push docker image
id: build-image
uses: DFE-Digital/github-actions/build-docker-image@2088-create-github-workflow-templates
with:
tags: |
${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
push: false
load: true
cache-to: type=inline
cache-from: |
type=registry,ref=${{env.DOCKER_IMAGE}}:main
type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
build-args: |
COMMIT_SHA=${{ env.IMAGE_TAG }}
GOVUK_NOTIFY_API_KEY=${{ secrets.GOVUK_NOTIFY_API_KEY }}
GOVUK_NOTIFY_GENERIC_EMAIL_TEMPLATE_ID=${{ secrets.GOVUK_NOTIFY_GENERIC_EMAIL_TEMPLATE_ID }}
- name: Push ${{ env.DOCKER_IMAGE }} images for review
if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }}
run: docker image push --all-tags ${{ env.DOCKER_IMAGE }}

- name: Run Snyk to check Docker image for vulnerabilities
if: github.actor != 'dependabot[bot]'
uses: snyk/actions/docker@master
env:
SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }}
with:
image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}
args: --file=Dockerfile --severity-threshold=high --exclude-app-vulns

- name: Push ${{ env.DOCKER_IMAGE }} images
if: ${{ success() && !contains(github.event.pull_request.labels.*.name, 'deploy') }}
run: docker image push --all-tags ${{ env.DOCKER_IMAGE }}
github-token: ${{ secrets.GITHUB_TOKEN }}
context: .
docker-repository: ${{ env.DOCKER_IMAGE }}
max-cache: true
reuse-cache: true
# snyk-token: ${{ secrets.SNYK_TOKEN }}

deploy-review-app:
name: Deployment To Review
concurrency: deploy_review_${{ github.event.pull_request.number }}
if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }}
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Start review-${{ github.event.pull_request.number }} Deployment
uses: bobheadxi/deployments@v1
id: deployment
with:
env: review-${{ github.event.pull_request.number }}
ref: ${{ github.head_ref }}
step: start
token: ${{ secrets.GITHUB_TOKEN }}
environment:
name: review
url: ${{ steps.deploy_review.outputs.environment_url }}

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Deploy App to Review
id: deploy_review
uses: ./.github/actions/deploy/
uses: DFE-Digital/github-actions/deploy-to-aks@2088-create-github-workflow-templates
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
environment: review
github-token: ${{ secrets.GITHUB_TOKEN }}
pr-number: ${{ github.event.pull_request.number }}
sha: ${{ needs.build.outputs.IMAGE_TAG }}

- name: Update review-${{ github.event.pull_request.number }} status
if: always()
uses: bobheadxi/deployments@v1
with:
env: review-${{ github.event.pull_request.number }}
ref: ${{ github.head_ref }}
step: finish
token: ${{ secrets.GITHUB_TOKEN }}
status: ${{ job.status }}
deployment_id: ${{ steps.deployment.outputs.deployment_id }}
env_url: ${{ steps.deploy_review.outputs.deploy-url }}

deploy-before-production:
name: Parallel deployment before production
environment:
name: ${{ matrix.environment }}
url: ${{ steps.deploy_app_before_production.outputs.deploy-url }}
if: ${{ success() && github.ref == 'refs/heads/main' }}
needs: [build]
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
environment: [qa,staging]
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Deploy app to ${{ matrix.environment }}
id: deploy_app_before_production
uses: ./.github/actions/deploy/
with:
azure-credentials: ${{ secrets[format('AZURE_CREDENTIALS_{0}', matrix.environment)] }}
environment: ${{ matrix.environment }}
sha: ${{ github.sha }}

deploy-production:
name: Production deployment
environment:
name: production
url: ${{ steps.deploy_production.outputs.deploy-url }}
if: ${{ success() && github.ref == 'refs/heads/main' }}
needs: [deploy-before-production]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Deploy app to production
id: deploy_production
uses: ./.github/actions/deploy/
with:
azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION }}
environment: production
sha: ${{ github.sha }}
sha: ${{ needs.build.outputs.docker-image-tag }}
terraform-base: ${{ env.TF_PATH }}
healthcheck: 'healthcheck/all'
# db-seed: true

# deploy-before-production:
# name: Parallel deployment before production
# environment:
# name: ${{ matrix.environment }}
# url: ${{ steps.deploy_app_before_production.outputs.deploy-url }}
# if: ${{ success() && github.ref == 'refs/heads/main' }}
# needs: [build]
# runs-on: ubuntu-latest
# strategy:
# fail-fast: false
# matrix:
# environment: [qa,staging]
# steps:
# - name: Checkout
# uses: actions/checkout@v4

# - name: Deploy app to ${{ matrix.environment }}
# id: deploy_app_before_production
# uses: ./.github/actions/deploy/
# with:
# azure-credentials: ${{ secrets[format('AZURE_CREDENTIALS_{0}', matrix.environment)] }}
# environment: ${{ matrix.environment }}
# sha: ${{ github.sha }}

# deploy-production:
# name: Production deployment
# environment:
# name: production
# url: ${{ steps.deploy_production.outputs.deploy-url }}
# if: ${{ success() && github.ref == 'refs/heads/main' }}
# needs: [deploy-before-production]
# runs-on: ubuntu-latest
# steps:
# - name: Checkout
# uses: actions/checkout@v4

# - name: Deploy app to production
# id: deploy_production
# uses: ./.github/actions/deploy/
# with:
# azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION }}
# environment: production
# sha: ${{ github.sha }}
4 changes: 2 additions & 2 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,8 +63,8 @@ jobs:
ruby-version: 3.2.3
bundler-cache: true
# Add or replace any other lints here
- name: Security audit dependencies
run: bin/bundler-audit --update
# - name: Security audit dependencies
# run: bin/bundler-audit --update
- name: Security audit application code
run: bin/brakeman -q -w2
- name: Lint Ruby files
Expand Down
21 changes: 18 additions & 3 deletions Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,10 @@ install-fetch-config:
|| true

review:
$(if $(APP_NAME), , $(error Missing environment variable "APP_NAME", Please specify a pr number for your review app))
$(if $(PR_NUMBER), , $(error Missing environment variable "PR_NUMBER", Please specify a pr number for your review app))
$(eval include global_config/review.sh)
$(eval DEPLOY_ENV=review)
$(eval APP_NAME=pr-${PR_NUMBER})
$(eval export TF_VAR_app_name=$(APP_NAME))
echo https://teacher-relocation-payment-$(APP_NAME).test.teacherservices.cloud will be created in aks

Expand All @@ -36,7 +37,10 @@ production:
$(eval DEPLOY_ENV=production)

ci: ## Run in automation environment
$(eval export AUTO_APPROVE=-auto-approve)
$(eval DISABLE_PASSCODE=true)
$(eval AUTO_APPROVE=-auto-approve)
$(eval SP_AUTH=true)
$(eval SKIP_AZURE_LOGIN=true)

install-terrafile: ## Install terrafile to manage terraform modules
[ ! -f bin/terrafile ] \
Expand All @@ -45,7 +49,7 @@ install-terrafile: ## Install terrafile to manage terraform modules
|| true

set-azure-account:
az account set -s ${AZ_SUBSCRIPTION}
[ "${SKIP_AZURE_LOGIN}" != "true" ] && az account set -s ${AZ_SUBSCRIPTION} || true

terraform-init: install-terrafile set-azure-account
$(if $(IMAGE_TAG), , $(eval export IMAGE_TAG=main))
Expand Down Expand Up @@ -163,3 +167,14 @@ domain-azure-resources: set-azure-account
az deployment sub create -l "UK South" --template-uri "https://raw.githubusercontent.com/DFE-Digital/tra-shared-services/${ARM_TEMPLATE_TAG}/azure/resourcedeploy.json" \
--name "${DNS_ZONE}domains-$(shell date +%Y%m%d%H%M%S)" --parameters "resourceGroupName=${RESOURCE_NAME_PREFIX}-${DNS_ZONE}domains-rg" 'tags=${RG_TAGS}' \
"tfStorageAccountName=${RESOURCE_NAME_PREFIX}${DNS_ZONE}domainstf" "tfStorageContainerName=${DNS_ZONE}domains-tf" "keyVaultName=${RESOURCE_NAME_PREFIX}-${DNS_ZONE}domains-kv" ${WHAT_IF}

db-seed: get-cluster-credentials
$(if $(APP_NAME), , $(error can only run with PR_NUMBER))
kubectl -n ${NAMESPACE} exec deployment/teacher-relocation-payment-${APP_NAME} -- /bin/sh -c "cd /app && bundle exec rake db:version"

smoke-test: get-cluster-credentials
$(if $(APP_NAME), $(eval export APP_ID=$(APP_NAME)) , $(eval export APP_ID=$(CONFIG_LONG)))
# kubectl -n ${NAMESPACE} exec deployment/teacher-relocation-payment-${APP_ID} -- /bin/sh -c "RAILS_ENV=${CONFIG} bundle exec rspec spec/smoke"
RAILS_ENV=${CONFIG} bin/rspec spec/requests/healthchecks_spec.rb"

printvar-%: ; @echo $($*)
13 changes: 13 additions & 0 deletions terraform/aks/output.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
output "url" {
value = [
module.web_application.url,
module.web_application.url
]
}

output "external_urls" {
value = [
module.web_application.url,
module.web_application.url
]
}
8 changes: 4 additions & 4 deletions terraform/aks/terraform.tf
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,10 @@ provider "azurerm" {
features {}

skip_provider_registration = true
subscription_id = try(local.azure_credentials.subscriptionId, null)
client_id = try(local.azure_credentials.clientId, null)
client_secret = try(local.azure_credentials.clientSecret, null)
tenant_id = try(local.azure_credentials.tenantId, null)
# subscription_id = try(local.azure_credentials.subscriptionId, null)
# client_id = try(local.azure_credentials.clientId, null)
# client_secret = try(local.azure_credentials.clientSecret, null)
# tenant_id = try(local.azure_credentials.tenantId, null)
}

provider "kubernetes" {
Expand Down

0 comments on commit 570892c

Please sign in to comment.