Forcing RDS master password secret destruction by default #154

Workflow file for this run

	name: Build & Deploy

	on:
	push:
	branches:
	- dev
	- main
	- prod

	env:
	COMMIT_DEPLOYMENT: "false"

	jobs:
	PrepareEnvironment:
	if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
	name: Prepare Environment
	runs-on: ubuntu-latest
	outputs:
	environment: ${{ steps.set_env.outputs.environment }}
	environment_json: ${{ steps.set_env.outputs.environment_json }}
	branch_promoting_to: ${{ steps.set_env.outputs.branch_promoting_to }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Set Environment Name
	id: set_env
	working-directory: ./iac/scripts
	run: \|
	# Install jq
	sudo apt-get install -y jq
	chmod +x get-branch-environment.sh

	# Call the script and save the output to a variable
	environment_name=$(./get-branch-environment.sh \
	../../.github/branch-environment-map.json \
	)

	# Check if environment name exists for this branch, otherwise fail the pipeline
	if [ -z "$environment_name" ]; then
	echo "Environment not found for this branch" >> $GITHUB_STEP_SUMMARY
	exit 1
	fi

	environment_json="[\"$environment_name\"]"

	# Set the output
	echo "environment=$environment_name" >> $GITHUB_OUTPUT
	echo "environment_json=$environment_json" >> $GITHUB_OUTPUT

	echo "Getting promotion path..."
	chmod +x get-branch-promotions.sh
	branch_promoting_to=$(
	./get-branch-promotions.sh \
	../../.github/branch-promotion-map.json \
	)

	echo "branch_promoting_to=$branch_promoting_to" >> $GITHUB_OUTPUT

	- name: Print environment output
	run: \|
	echo "Environment: ${{ steps.set_env.outputs.environment }}" >> $GITHUB_STEP_SUMMARY
	echo "Environment JSON: ${{ steps.set_env.outputs.environment_json }}" >> $GITHUB_STEP_SUMMARY
	echo "Branch promoting to: ${{ steps.set_env.outputs.branch_promoting_to }}" >> $GITHUB_STEP_SUMMARY

	BuildAndPush:
	# Debugging
	name: Build and Push Docker Image
	needs:
	- PrepareEnvironment
	runs-on: ubuntu-latest
	strategy:
	matrix:
	environment: ${{fromJson(needs.PrepareEnvironment.outputs.environment_json)}}
	environment: ${{ matrix.environment }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Build and Push Docker Image
	uses: ./.github/actions/container-build
	with:
	aws_region: ${{ vars.AWS_REGION }}
	aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	ecr_url: ${{ vars.ECR_URL }}

	- name: Print environment output
	run: \|
	echo "Environment: ${{ needs.PrepareEnvironment.outputs.environment }}"
	echo "Environment JSON: ${{ needs.PrepareEnvironment.outputs.environment_json }}"
	echo "Branch promoting to: ${{ needs.PrepareEnvironment.outputs.branch_promoting_to }}"

	RunTerraform:
	name: Run Terraform
	needs:
	- PrepareEnvironment
	- BuildAndPush
	runs-on: ubuntu-latest
	strategy:
	matrix:
	environment: ${{fromJson(needs.PrepareEnvironment.outputs.environment_json)}}
	environment: ${{ matrix.environment }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	#TODO: Add dynamic action outputs to be able
	# to get values from terraform output so that we can present
	# them in the summary
	- name: Run Terraform Action
	id: terraform_action
	uses: ./.github/actions/run-terraform
	with:
	# AWS
	aws_region: ${{ vars.AWS_REGION }}
	aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

	# Terraform
	terraform_dir: ./iac/terraform/app

	init_options: \|
	-backend-config="backend-${{ matrix.environment }}.hcl"

	# TODO: Add reusable input for plan_and_apply_options
	plan_options: \|
	-var="environment=${{ matrix.environment }}" \
	-var="app_version=${{ github.sha }}" \
	-var="container_image=${{ vars.ECR_URL }}:${{ github.sha }}" \
	-var="database_password=${{ secrets.RDS_MASTER_PASSWORD }}"

	apply_options: \|
	-var="environment=${{ matrix.environment }}" \
	-var="app_version=${{ github.sha }}" \
	-var="container_image=${{ vars.ECR_URL }}:${{ github.sha }}" \
	-var="database_password=${{ secrets.RDS_MASTER_PASSWORD }}" \
	-auto-approve

	# Artifact
	artifact_name: environment-tfvars-json
	artifact_relative_path: "terraform-${{ matrix.environment }}.tfvars.json"

	- name: Tag the deployment
	working-directory: ./iac/scripts
	run: \|
	# Tag deployed commit
	chmod +x ./deployment-tagger.sh
	./deployment-tagger.sh tag \
	--current \
	--date

	- name: Deployment summary
	shell: bash
	run: \|
	terraform_output='${{ steps.terraform_action.outputs.terraform_output }}'
	lb_url=$(echo "$terraform_output" \| jq -r '.lb_url.value')

	echo "LB URL: $lb_url"
	echo "🌐 [Application URL]($lb_url/metadata)" >> $GITHUB_STEP_SUMMARY

	if [ -z "${{ needs.PrepareEnvironment.outputs.branch_promoting_to }}" ]; then
	echo "🏁🔚 This is the final stage of the pipeline 🎉" >> $GITHUB_STEP_SUMMARY
	fi



	PromotionPR:
	if: ${{ needs.PrepareEnvironment.outputs.branch_promoting_to != '' }}
	name: Create promotion PR
	needs:
	- PrepareEnvironment
	- RunTerraform
	runs-on: ubuntu-latest
	strategy:
	matrix:
	environment: ${{fromJson(needs.PrepareEnvironment.outputs.environment_json)}}
	environment: ${{ matrix.environment }}

	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Download environment tfvars
	uses: actions/download-artifact@v4
	with:
	name: environment-tfvars-json
	path: "./iac/terraform/app"

	- name: Create promotion PR
	working-directory: ./iac/scripts
	env:
	GH_TOKEN: ${{ github.token }}
	run: \|
	# Configuring git author
	git config --global user.email "[email protected]"
	git config --global user.name "GitHub Actions"

	if [ "${{env.COMMIT_DEPLOYMENT}}" == "true" ]; then
	echo "Commiting environment tfvars" >> $GITHUB_STEP_SUMMARY

	# Forcefully add the file to git's staging area
	# for the merge commit from the PR but
	# keep ignoring changes to the file
	environment_tfvars_json="terraform-${{ matrix.environment }}.tfvars.json"

	git add --force "../terraform/app/$environment_tfvars_json"
	git commit -m "[skip ci] Committing $environment_tfvars_json@${{ github.sha }}"
	git push
	fi


	chmod +x get-branch-promotions.sh

	# Check if the command was successful
	echo "Getting promotion path..."
	branch_promoting_to=$(
	./get-branch-promotions.sh \
	../../.github/branch-promotion-map.json \
	)
	# Check if the command was successful
	if [ $? -ne 0 ]; then
	echo "No branch to promote. Exiting gracefully."
	exit 0
	fi

	current_branch=$(git rev-parse --abbrev-ref HEAD)
	echo "Current branch: $current_branch"

	echo "Checking if the PR already exists for branch: ${branch_promoting_to}"
	pr_number=$(gh pr list --base "$branch_promoting_to" --json number --jq '.[0].number')
	echo "PR number: $pr_number"

	if [ -n "$pr_number" ]; then
	# Checkout the PR branch and update it if the PR already exists
	echo "Updating the existing PR ($pr_number)"

	gh pr checkout "$pr_number"
	git merge "$current_branch" --no-edit
	git push
	else
	# Create a new PR if it doesn't exist
	echo "Creating a new PR..."

	echo "Creating PR..."
	gh pr \
	create \
	--title "Merge $current_branch into $branch_promoting_to" \
	--body "Changes bellow:" \
	--head "$current_branch" \
	--base "$branch_promoting_to"

	echo "PR created"
	fi

	pr_number=$(gh pr list --base "$branch_promoting_to" --json number --jq '.[0].number')
	pr_url="https://github.com/${{ github.repository }}/pull/${pr_number}"
	pr_md_link="[Promote these changes to $branch_promoting_to]($pr_url)"

	echo "🚀 $pr_md_link" >> $GITHUB_STEP_SUMMARY

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Forcing RDS master password secret destruction by default #154

Workflow file

Forcing RDS master password secret destruction by default #154

Jobs

Run details

Workflow file for this run