-
Notifications
You must be signed in to change notification settings - Fork 2
177 lines (147 loc) · 6.32 KB
/
merge_to_main_production.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
name: "Merge to main (Production)"
on:
push:
branches:
- main
paths:
- "VERSION"
env:
PRIVATE_ECR: ${{ secrets.PRODUCTION_AWS_ACCOUNT }}.dkr.ecr.ca-central-1.amazonaws.com/notify
API_LAMBDA_IMAGE: api-lambda:b175bed
HEARTBEAT_IMAGE: heartbeat:5c8da95
SYSTEM_STATUS_IMAGE: system_status:078cf82
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.PRODUCTION_OP_SERVICE_ACCOUNT_TOKEN }}
defaults:
run:
shell: bash
jobs:
kubectl-apply:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Set Prod Version
run: |
TARGET_VERSION=`cat VERSION`
echo "TARGET_VERSION=$TARGET_VERSION" >> $GITHUB_ENV
- name: Checkout target Prod version
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
with:
ref: ${{ env.TARGET_VERSION }}
- name: Inject token authentication
run: |
git config --global url."https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
with:
aws-access-key-id: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
aws-region: ca-central-1
- name: Install OpenVPN
run: |
sudo apt update
sudo apt install -y openvpn openvpn-systemd-resolved
- name: Setup Terraform tools
uses: cds-snc/terraform-tools-setup@v1
env: # In case you want to override default versions
CONFTEST_VERSION: 0.30.0
TERRAFORM_VERSION: 1.9.5
TERRAGRUNT_VERSION: 0.66.9
TF_SUMMARIZE_VERSION: 0.2.3
- name: Install 1Pass CLI
run: |
curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
sudo dpkg -i 1pass.deb
- name: Retrieve VPN Config
run: |
scripts/createVPNConfig.sh production 2> /dev/null
- name: Connect to VPN
uses: "kota65535/github-openvpn-connect-action@cd2ed8a90cc7b060dc4e001143e811b5f7ea0af5" # v3.1.0
with:
config_file: /var/tmp/production.ovpn
echo_config: false
# We are using this to install kubectl in this case
- name: Setup helmfile
uses: mamezou-tech/setup-helmfile@03233e1cd9b19b2ba320e431f7bcc0618db4248d # v2.0.0
with:
install-kubectl: yes
install-helm: yes
- name: Run manifest build
run: |
cp env.example env/production/.env
make production-debug > /dev/null 2>&1
- name: Decrypt production env
run: |
make decrypt-production
- name: Configure kubeconfig
run: |
aws eks update-kubeconfig --name notification-canada-ca-production-eks-cluster
- name: Apply changes
run: |
./scripts/applyKube.sh env/production --kubeconfig=/home/runner/.kube/config
- name: Check for env changes
working-directory: env/production
run: |
aws ssm get-parameters --region ca-central-1 --with-decryption --names ENVIRONMENT_VARIABLES --query 'Parameters[*].Value' --output text > .previous.env
DIFF="$(set +o pipefail && diff -B .env .previous.env | wc -l)"
echo "::add-mask::$DIFF"
echo "ENV_DIFF=$DIFF" >> $GITHUB_ENV
- name: Update parameter store environment variable
if: env.ENV_DIFF != '0' # Only update secrets when changes detected
working-directory: env/production
run: |
aws ssm put-parameter --region ca-central-1 --name ENVIRONMENT_VARIABLES --type SecureString --key-id alias/aws/ssm --value file://.env --tier "Intelligent-Tiering" --overwrite
- name: Deploy lambda
uses: ./.github/actions/update-lambda-function
with:
alias-name: latest
function-name: api-lambda
image-uri: $PRIVATE_ECR/$API_LAMBDA_IMAGE
- name: Deploy Heartbeat lambda
uses: ./.github/actions/update-lambda-function
with:
alias-name: latest
function-name: heartbeat
image-uri: $PRIVATE_ECR/$HEARTBEAT_IMAGE
- name: Deploy System Status lambda
uses: ./.github/actions/update-lambda-function
with:
alias-name: latest
function-name: system_status
image-uri: $PRIVATE_ECR/$SYSTEM_STATUS_IMAGE
- name: Add deployment to New Relic
run: |
for application_id in 283469061 283468826 283468685; do
curl -X POST "https://api.newrelic.com/v2/applications/$application_id/deployments.json" \
-H "X-Api-Key:$NEW_RELIC_API_KEY" -i \
-H 'Content-Type: application/json' \
-d \
'{
"deployment": {
"revision": "'$GITHUB_SHA'"
}
}'
done
env:
NEW_RELIC_API_KEY: ${{ secrets.PRODUCTION_NEW_RELIC_API_KEY }}
- name: Report deployment to Sentinel
uses: cds-snc/sentinel-forward-data-action@main
with:
input_data: '{"product": "notify", "sha": "${{ github.sha }}", "version": "${{ env.TARGET_VERSION }}", "repository": "${{ github.repository }}", "environment": "production"}'
log_type: CDS_Product_Deployment_Data
log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
- name: Notify Slack channel if this job failed
if: ${{ failure() }}
run: |
json="{'text':'<!here> CI is failing in <https://github.com/cds-snc/notification-manifests/|notification-manifests> !'}"
curl -X POST -H 'Content-type: application/json' --data "$json" ${{ secrets.SLACK_WEBHOOK }}
clear-cache:
needs: kubectl-apply
uses: ./.github/workflows/clear-notify-cache.yaml
with:
environment: production
secrets:
CACHE_CLEAR_USER_NAME: ${{ secrets.PRODUCTION_CACHE_CLEAR_USER_NAME }}
CACHE_CLEAR_CLIENT_SECRET: ${{ secrets.PRODUCTION_CACHE_CLEAR_CLIENT_SECRET }}
API_URL: ${{ secrets.PRODUCTION_API_URL }}