
Commit ae513e7

author
Colby Swandale
committed
update Github actions with new steps to deploy to AWS
1 parent d25e689 commit ae513e7


1 file changed

+208
-69
lines changed


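--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,99 +1,238 @@
-name: AWS SAM
+name: Pipeline
 
 on:
   push:
-    paths-ignore:
-      - '**.md'
-  pull_request:
-    types:
-      - opened
-      - synchronize
-    paths-ignore:
-      - '**.md'
+    branches:
+      - 'main'
+      - 'feature**'
+  delete:
+    branches:
+      - 'feature**'
 
 env:
-  SAM_CLI_TELEMETRY: 0
+  PIPELINE_USER_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+  PIPELINE_USER_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  SAM_TEMPLATE: template.yaml
+  TESTING_STACK_NAME: rubyapi-repl
+  TESTING_PIPELINE_EXECUTION_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}}:role/aws-sam-cli-managed-producti-PipelineExecutionRole-19EJVKIEN2Z43
+  TESTING_CLOUDFORMATION_EXECUTION_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}}:role/aws-sam-cli-managed-produ-CloudFormationExecutionR-H2PJX1UFBDQM
+  TESTING_ARTIFACTS_BUCKET: aws-sam-cli-managed-production-pi-artifactsbucket-1l0386xhkl01
+  TESTING_IMAGE_REPOSITORY: ${{ secrets.AWS_ACCOUNT_ID }}}.dkr.ecr.us-east-1.amazonaws.com/aws-sam-cli-managed-production-pipeline-resources-imagerepository-s94pcktcq5pm
+  TESTING_REGION: us-east-1
+  PROD_STACK_NAME: rubyapi-repl
+  PROD_PIPELINE_EXECUTION_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}}:role/aws-sam-cli-managed-testing-PipelineExecutionRole-1WOSCFHR2FWS0
+  PROD_CLOUDFORMATION_EXECUTION_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}}:role/aws-sam-cli-managed-testi-CloudFormationExecutionR-11JVO15KUR9H2
+  PROD_ARTIFACTS_BUCKET: aws-sam-cli-managed-testing-pipel-artifactsbucket-dlg2plvboj3d
+  PROD_IMAGE_REPOSITORY: ${{ secrets.AWS_ACCOUNT_ID }}}.dkr.ecr.us-east-1.amazonaws.com/aws-sam-cli-managed-testing-pipeline-resources-imagerepository-0wc1uydygpow
+  PROD_REGION: us-east-1
 
 jobs:
-  build:
-    name: Build
+  test:
+    if: github.event_name == 'push'
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
-      - name: Configure AWS credentials
-        id: creds
+      - run: |
+          # trigger the tests here
+
+  delete-feature:
+    if: startsWith(github.event.ref, 'feature') && github.event_name == 'delete'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+      - uses: aws-actions/setup-sam@v1
+
+      - name: Assume the testing pipeline user role
         uses: aws-actions/configure-aws-credentials@v1
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.AWS_REGION }}
-      - name: Setup Ruby
-        uses: ruby/setup-ruby@v1
-        with:
-          bundler-cache: true
-      - name: SAM Validate
-        run: |
-          sam validate
-      - name: Run Tests
-        run: |
-          bundle exec rake test
-      - name: SAM Build
-        run: |
-          sam build
-      - name: Package SAM Build
+          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.TESTING_REGION }}
+          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: testing-packaging
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Delete feature branch stack
+        env:
+          FEATURE_BRANCH_NAME: ${{ github.event.ref }}
         run: |
-          tar -cvf sam-build.tar .aws-sam
-      - name: Upload SAM Build
-        uses: actions/upload-artifact@v2
+          sam delete \
+            --stack-name $(echo ${FEATURE_BRANCH_NAME##*/} | tr -cd '[a-zA-Z0-9-]') \
+            --region ${TESTING_REGION} \
+            --no-prompts
+
+  build-and-deploy-feature:
+    # this stage is triggered only for feature branches (feature*),
+    # which will build the stack and deploy to a stack named with branch name.
+    if: startsWith(github.ref, 'refs/heads/feature')
+    needs: [test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+      - uses: aws-actions/setup-sam@v1
+      - run: sam build --template ${SAM_TEMPLATE} --use-container
+
+      - name: Assume the testing pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1
         with:
-          name: sam-build
-          retention-days: 7
-          path: sam-build.tar
-
-  deployStaging:
-    name: Deploy to Staging
+          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.TESTING_REGION }}
+          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: feature-deployment
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Deploy to feature stack in the testing account
+        shell: bash
+        run: |
+          sam deploy --stack-name $(echo ${GITHUB_REF##*/} | tr -cd '[a-zA-Z0-9-]') \
+            --capabilities CAPABILITY_IAM \
+            --region ${TESTING_REGION} \
+            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
+            --image-repository ${TESTING_IMAGE_REPOSITORY} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}
+
+  build-and-package:
+    if: github.ref == 'refs/heads/main'
+    needs: [test]
     runs-on: ubuntu-latest
-    needs: build
-    environment:
-      name: Staging
     steps:
       - uses: actions/checkout@v2
-      - name: Configure AWS credentials
-        id: creds
+      - uses: actions/setup-python@v2
+      - uses: aws-actions/setup-sam@v1
+
+      - name: Build resources
+        run: sam build --template ${SAM_TEMPLATE} --use-container
+
+      - name: Assume the testing pipeline user role
         uses: aws-actions/configure-aws-credentials@v1
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.AWS_REGION }}
-      - uses: actions/download-artifact@v2
+          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.TESTING_REGION }}
+          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: testing-packaging
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Upload artifacts to testing artifact buckets
+        run: |
+          sam package \
+            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
+            --image-repository ${TESTING_IMAGE_REPOSITORY} \
+            --region ${TESTING_REGION} \
+            --output-template-file packaged-testing.yaml
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: packaged-testing.yaml
+          path: packaged-testing.yaml
+
+      - name: Assume the prod pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1
         with:
-          name: sam-build
-      - name: Unpack SAM Build
-        run: tar -xvf sam-build.tar
-      - name: SAM Deploy
+          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.PROD_REGION }}
+          role-to-assume: ${{ env.PROD_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: prod-packaging
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Upload artifacts to production artifact buckets
         run: |
-          sam deploy --region ${{ secrets.AWS_REGION }} --stack-name ${{ secrets.AWS_STACK_NAME }} --capabilities CAPABILITY_NAMED_IAM --s3-bucket ${{ secrets.AWS_S3_BUCKET }} --role-arn ${{ secrets.AWS_ROLE_ARN }} --s3-prefix ${{ secrets.AWS_S3_PREFIX }} --no-confirm-changeset --tags "environment=staging"
+          sam package \
+            --s3-bucket ${PROD_ARTIFACTS_BUCKET} \
+            --image-repository ${PROD_IMAGE_REPOSITORY} \
+            --region ${PROD_REGION} \
+            --output-template-file packaged-prod.yaml
+
+      - uses: actions/upload-artifact@v2
+        with:
+          name: packaged-prod.yaml
+          path: packaged-prod.yaml
 
-  deployProduction:
-    name: Deploy to Production
+  deploy-testing:
+    if: github.ref == 'refs/heads/main'
+    needs: [build-and-package]
     runs-on: ubuntu-latest
-    needs: deployStaging
-    environment:
-      name: Production
     steps:
       - uses: actions/checkout@v2
-      - name: Configure AWS credentials
-        id: creds
+      - uses: actions/setup-python@v2
+      - uses: aws-actions/setup-sam@v1
+      - uses: actions/download-artifact@v2
+        with:
+          name: packaged-testing.yaml
+
+      - name: Assume the testing pipeline user role
         uses: aws-actions/configure-aws-credentials@v1
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.AWS_REGION }}
+          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.TESTING_REGION }}
+          role-to-assume: ${{ env.TESTING_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: testing-deployment
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Deploy to testing account
+        run: |
+          sam deploy --stack-name ${TESTING_STACK_NAME} \
+            --template packaged-testing.yaml \
+            --capabilities CAPABILITY_IAM \
+            --region ${TESTING_REGION} \
+            --s3-bucket ${TESTING_ARTIFACTS_BUCKET} \
+            --image-repository ${TESTING_IMAGE_REPOSITORY} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${TESTING_CLOUDFORMATION_EXECUTION_ROLE}
+
+  integration-test:
+    if: github.ref == 'refs/heads/main'
+    needs: [deploy-testing]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - run: |
+          # trigger the integration tests here
+
+  deploy-prod:
+    if: github.ref == 'refs/heads/main'
+    needs: [integration-test]
+    runs-on: ubuntu-latest
+    # Configure GitHub Action Environment to have a manual approval step before deployment to production
+    # https://docs.github.com/en/actions/reference/environments
+    # environment: <configured-environment>
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+      - uses: aws-actions/setup-sam@v1
       - uses: actions/download-artifact@v2
         with:
-          name: sam-build
-      - name: Unpack SAM Build
-        run: tar -xvf sam-build.tar
-      - name: SAM Deploy
+          name: packaged-prod.yaml
+
+      - name: Assume the prod pipeline user role
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ env.PIPELINE_USER_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.PIPELINE_USER_SECRET_ACCESS_KEY }}
+          aws-region: ${{ env.PROD_REGION }}
+          role-to-assume: ${{ env.PROD_PIPELINE_EXECUTION_ROLE }}
+          role-session-name: prod-deployment
+          role-duration-seconds: 3600
+          role-skip-session-tagging: true
+
+      - name: Deploy to production account
         run: |
-          sam deploy --region ${{ secrets.AWS_REGION }} --stack-name ${{ secrets.AWS_STACK_NAME }} --capabilities CAPABILITY_NAMED_IAM --s3-bucket ${{ secrets.AWS_S3_BUCKET }} --role-arn ${{ secrets.AWS_ROLE_ARN }} --s3-prefix ${{ secrets.AWS_S3_PREFIX }} --no-confirm-changeset --tags "environment=production"
+          sam deploy --stack-name ${PROD_STACK_NAME} \
+            --template packaged-prod.yaml \
+            --capabilities CAPABILITY_IAM \
+            --region ${PROD_REGION} \
+            --s3-bucket ${PROD_ARTIFACTS_BUCKET} \
+            --image-repository ${PROD_IMAGE_REPOSITORY} \
+            --no-fail-on-empty-changeset \
+            --role-arn ${PROD_CLOUDFORMATION_EXECUTION_ROLE}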
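Review bot: The six role and repository values in the new `env:` block (TESTING_PIPELINE_EXECUTION_ROLE, TESTING_CLOUDFORMATION_EXECUTION_ROLE, TESTING_IMAGE_REPOSITORY and their PROD_ counterparts) close the expression with `}}}`, so the third brace is emitted as literal text and every `role-to-assume`, `--role-arn` and `--image-repository` argument downstream receives an ARN or registry host with a stray `}` in it; drop the extra brace so each reads `${{ secrets.AWS_ACCOUNT_ID }}` followed directly by `:role/...` or `.dkr.ecr...`. TESTING_STACK_NAME and PROD_STACK_NAME are both `rubyapi-repl`, both regions are us-east-1 and both role sets use the same AWS_ACCOUNT_ID secret, while the TESTING_ roles and bucket are named `aws-sam-cli-managed-producti…`/`production` and the PROD_ ones `…testing…`, so deploy-testing and deploy-prod appear to update a single CloudFormation stack with the two environments' resources swapped; worth checking against the SAM pipeline bootstrap output before this runs against main. The removed deployStaging/deployProduction jobs carried `environment: Staging`/`Production`, and the new deploy-prod keeps only the `# environment: <configured-environment>` placeholder, so a push to main now reaches the production stack with no approval gate, and the `test` job it depends on runs only the `# trigger the tests here` comment where the old build job ran `sam validate` and `bundle exec rake test`. Finally, the long-lived pipeline user keys are exported at workflow-level `env:`, which makes them available in the process environment of every job and every third-party action step, including the feature-branch and delete jobs; referencing `secrets.*` directly in the `with:` of each configure-aws-credentials step, or moving to the OIDC `role-to-assume` flow with `permissions: id-token: write` on a version of that action that supports it, would keep them out of the shared environment.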
