first_ideas

Author: TheOneFromNorway

.github/workflows/deploy-mavis.yml

@@ -0,0 +1,243 @@
+name: Deploy Mavis
+run-name: Deploy Mavis to ${{ inputs.environment }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Deployment environment
+        required: true
+        type: choice
+        options:
+          - qa
+          - test
+          - preview
+          - training
+          - production
+          - sandbox-alpha
+          - sandbox-beta
+      server_types:
+        description: Server types to deploy
+        required: true
+        type: choice
+        options:
+          - all
+          - web
+          - good-job
+        default: all
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+      server_types:
+        required: true
+        type: string
+      git_sha_to_deploy:
+        description: The git commit SHA to deploy.
+        required: true
+        type: string
+
+permissions: { }
+
+concurrency:
+  group: deploy-mavis-${{ inputs.environment }}
+
+env:
+  aws-role: ${{ inputs.environment == 'production'
+    && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
+    || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
+  web_codedeploy_application: mavis-${{ inputs.environment }}
+  web_codedeploy_group: blue-green-group-${{ inputs.environment }}
+  web_task_definition: mavis-web-task-definition-${{ inputs.environment }}
+  cluster_name: mavis-${{ inputs.environment }}
+  good_job_service: mavis-${{ inputs.environment }}-good-job
+  good_job_task_definition: mavis-good-job-task-definition-${{ inputs.environment }}
+
+jobs:
+  prepare-web-deployment:
+    name: Prepare web service deployment
+    runs-on: ubuntu-latest
+    if: inputs.server_types == 'web' || inputs.server_types == 'all'
+    environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+    outputs:
+      task-definition-arn: ${{ steps.update-task-definition.outputs.task-definition-arn }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.git_sha_to_deploy || github.sha }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws-role }}
+          aws-region: eu-west-2
+      - name: Get image digest from ECR
+        id: get-image-digest
+        run: |
+          # Get AWS account ID and construct repository URI
+          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          REPOSITORY_URI="${AWS_ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/mavis"
+
+          # Get the image digest for the git SHA
+          IMAGE_DIGEST=$(aws ecr describe-images \
+            --repository-name mavis \
+            --image-ids imageTag=${{ inputs.git_sha_to_deploy || github.sha }} \
+            --query 'imageDetails[0].imageDigest' \
+            --output text)
+
+          NEW_IMAGE_URI="${REPOSITORY_URI}@${IMAGE_DIGEST}"
+          echo "new-image-uri=${NEW_IMAGE_URI}" >> $GITHUB_OUTPUT
+          echo "New image URI: ${NEW_IMAGE_URI}"
+      - name: Update task definition with new image
+        id: update-task-definition
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: config/task-definitions/web-task-definition.json
+          container-name: web
+          image: ${{ steps.get-image-digest.outputs.new-image-uri }}
+      - name: Create appspec.yml from template
+        run: |
+          # Read the template and substitute variables
+          TASK_DEFINITION_ARN="${{ steps.update-task-definition.outputs.task-definition-arn }}"
+          CONTAINER_NAME="web"
+          CONTAINER_PORT="4000"
+
+          # Create appspec.yml by substituting template variables
+          sed -e "s|\${task_definition_arn}|${TASK_DEFINITION_ARN}|g" \
+              -e "s|\${container_name}|${CONTAINER_NAME}|g" \
+              -e "s|\${container_port}|${CONTAINER_PORT}|g" \
+              terraform/app/templates/appspec.yaml.tpl > appspec.yml
+
+          echo "Generated appspec.yml:"
+          cat appspec.yml
+      - name: Upload deployment artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: web-deployment-artifacts-${{ inputs.environment }}
+          path: |
+            task-definition.json
+            appspec.yml
+
+
+  deploy-web:
+    name: Deploy web service via CodeDeploy
+    runs-on: ubuntu-latest
+    needs: prepare-web-deployment
+    if: inputs.server_types == 'web' || inputs.server_types == 'all'
+    environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+    steps:
+      - name: Download deployment artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: web-deployment-artifacts-${{ inputs.environment }}
+          path: ${{ runner.temp }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws-role }}
+          aws-region: eu-west-2
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.11.4
+      - name: Get terraform output for S3 bucket
+        id: terraform-output
+        working-directory: terraform/app
+        run: |
+          set -e
+          terraform init -backend-config=env/${{ inputs.environment }}-backend.hcl -reconfigure
+          S3_BUCKET=$(terraform output -raw s3_bucket)
+          echo "s3-bucket=${S3_BUCKET}" >> $GITHUB_OUTPUT
+          echo "S3 bucket: ${S3_BUCKET}"
+      - name: Register new task definition
+        run: |
+          aws ecs register-task-definition \
+            --cli-input-json file://${{ runner.temp }}/task-definition.json
+      - name: Create CodeDeploy deployment
+        id: create-deployment
+        run: |
+          # Create a deployment bundle with appspec.yml
+          cd ${{ runner.temp }}
+          zip -r deployment-bundle.zip appspec.yml
+
+          # Upload to S3 using bucket from Terraform outputs
+          TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+          S3_KEY="deployments/mavis-${{ inputs.environment }}-${TIMESTAMP}.zip"
+          S3_BUCKET="${{ steps.terraform-output.outputs.s3-bucket }}"
+
+          aws s3 cp deployment-bundle.zip s3://${S3_BUCKET}/${S3_KEY}
+
+          # Create CodeDeploy deployment
+          DEPLOYMENT_ID=$(aws deploy create-deployment \
+            --application-name ${{ env.web_codedeploy_application }} \
+            --deployment-group-name ${{ env.web_codedeploy_group }} \
+            --s3-location bucket=${S3_BUCKET},key=${S3_KEY},bundleType=zip \
+            --query 'deploymentId' \
+            --output text)
+
+          echo "deployment-id=${DEPLOYMENT_ID}" >> $GITHUB_OUTPUT
+          echo "CodeDeploy deployment started: ${DEPLOYMENT_ID}"
+      - name: Wait for deployment to complete
+        run: |
+          echo "Waiting for deployment ${{ steps.create-deployment.outputs.deployment-id }} to complete..."
+          aws deploy wait deployment-successful \
+            --deployment-id ${{ steps.create-deployment.outputs.deployment-id }}
+          echo "Deployment completed successfully!"
+
+
+  deploy-good-job-service:
+    name: Deploy good-job service via ECS
+    runs-on: ubuntu-latest
+    if: inputs.server_types == 'good-job' || inputs.server_types == 'all'
+    environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.git_sha_to_deploy || github.sha }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws-role }}
+          aws-region: eu-west-2
+      - name: Load task definition template
+        run: |
+          cp config/task-definitions/good-job-task-definition.json current-task-definition.json
+      - name: Get image digest from ECR
+        id: get-image-digest
+        run: |
+          # Get AWS account ID and construct repository URI
+          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          REPOSITORY_URI="${AWS_ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/mavis"
+
+          # Get the image digest for the git SHA
+          IMAGE_DIGEST=$(aws ecr describe-images \
+            --repository-name mavis \
+            --image-ids imageTag=${{ inputs.git_sha_to_deploy || github.sha }} \
+            --query 'imageDetails[0].imageDigest' \
+            --output text)
+
+          NEW_IMAGE_URI="${REPOSITORY_URI}@${IMAGE_DIGEST}"
+          echo "new-image-uri=${NEW_IMAGE_URI}" >> $GITHUB_OUTPUT
+          echo "New image URI: ${NEW_IMAGE_URI}"
+      - name: Update task definition with new image
+        id: update-task-definition
+        uses: aws-actions/amazon-ecs-render-task-definition@v1
+        with:
+          task-definition: current-task-definition.json
+          container-name: good-job
+          image: ${{ steps.get-image-digest.outputs.new-image-uri }}
+      - name: Deploy to ECS
+        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
+        with:
+          task-definition: ${{ steps.update-task-definition.outputs.task-definition }}
+          service: ${{ env.good_job_service }}
+          cluster: ${{ env.cluster_name }}
+          wait-for-service-stability: true

config/task-definitions/good-job-task-definition.json

@@ -0,0 +1,30 @@
+{
+  "family": "mavis-good-job-task-definition",
+  "networkMode": "awsvpc",
+  "requiresCompatibilities": ["FARGATE"],
+  "cpu": "256",
+  "memory": "512",
+  "executionRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole",
+  "taskRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskRole",
+  "containerDefinitions": [
+    {
+      "name": "good-job",
+      "image": "REPOSITORY_URI:latest",
+      "essential": true,
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "/ecs/mavis-good-job",
+          "awslogs-region": "eu-west-2",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "environment": [
+        {
+          "name": "RAILS_ENV",
+          "value": "production"
+        }
+      ]
+    }
+  ]
+}

config/task-definitions/web-task-definition.json

@@ -0,0 +1,50 @@
+{
+  "family": "mavis-web-task-definition",
+  "networkMode": "awsvpc",
+  "requiresCompatibilities": ["FARGATE"],
+  "cpu": "256",
+  "memory": "512",
+  "executionRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskExecutionRole",
+  "taskRoleArn": "arn:aws:iam::ACCOUNT_ID:role/ecsTaskRole",
+  "containerDefinitions": [
+    {
+      "name": "web",
+      "image": "REPOSITORY_URI",
+      "portMappings": [
+        {
+          "containerPort": 4000,
+          "protocol": "tcp"
+        }
+      ],
+      "essential": true,
+      "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-group": "/ecs/mavis-web",
+          "awslogs-region": "eu-west-2",
+          "awslogs-stream-prefix": "ecs"
+        }
+      },
+      "environment": [
+        {
+          "name": "RAILS_ENV",
+          "value": "production"
+        }
+      ],
+      "secrets": [
+        {
+          "name": "DATABASE_URL",
+          "valueFrom": "arn:aws:ssm:eu-west-2:ACCOUNT_ID:parameter/mavis/database_url"
+        },
+        {
+          "name": "REDIS_URL",
+          "valueFrom": "arn:aws:ssm:eu-west-2:ACCOUNT_ID:parameter/mavis/redis_url"
+        },
+        {
+          "name": "SECRET_KEY_BASE",
+          "valueFrom": "arn:aws:ssm:eu-west-2:ACCOUNT_ID:parameter/mavis/secret_key_base"
+        }
+      ]
+    }
+  ]
+}

terraform/app/codedeploy.tf

@@ -111,17 +111,17 @@ resource "aws_s3_bucket_public_access_block" "s3_bucket_access" {
   restrict_public_buckets = true
 }
 
-resource "aws_s3_object" "appspec_object" {
-  bucket = aws_s3_bucket.code_deploy_bucket.bucket
-  key    = "appspec.yaml"
-  acl    = "private"
-  content = templatefile("templates/appspec.yaml.tpl", {
-    task_definition_arn = module.web_service.task_definition.arn
-    container_name      = module.web_service.task_definition.container_name
-    container_port      = aws_lb_target_group.blue.port
-  })
-
-  tags = {
-    UseWithCodeDeploy = true
-  }
-}
+# resource "aws_s3_object" "appspec_object" {
+#   bucket = aws_s3_bucket.code_deploy_bucket.bucket
+#   key    = "appspec.yaml"
+#   acl    = "private"
+#   content = templatefile("templates/appspec.yaml.tpl", {
+#     task_definition_arn = module.web_service.task_definition.arn
+#     container_name      = module.web_service.task_definition.container_name
+#     container_port      = aws_lb_target_group.blue.port
+#   })
+#
+#   tags = {
+#     UseWithCodeDeploy = true
+#   }
+# }

terraform/app/outputs.tf

@@ -1,17 +1,17 @@
-output "s3_uri" {
-  description = "S3 uri for appspec.yaml needed for CodeDeploy"
-  value       = "s3://${aws_s3_bucket.code_deploy_bucket.bucket}/${aws_s3_object.appspec_object.key}"
-}
-
-output "s3_bucket" {
-  description = "The name of the S3 bucket that stores the appspec.yaml for CodeDeploy"
-  value       = aws_s3_bucket.code_deploy_bucket.bucket
-}
-
-output "s3_key" {
-  description = "The key of the S3 CodeDeploy appspec object"
-  value       = aws_s3_object.appspec_object.key
-}
+# output "s3_uri" {
+#   description = "S3 uri for appspec.yaml needed for CodeDeploy"
+#   value       = "s3://${aws_s3_bucket.code_deploy_bucket.bucket}/${aws_s3_object.appspec_object.key}"
+# }
+#
+# output "s3_bucket" {
+#   description = "The name of the S3 bucket that stores the appspec.yaml for CodeDeploy"
+#   value       = aws_s3_bucket.code_deploy_bucket.bucket
+# }
+#
+# output "s3_key" {
+#   description = "The key of the S3 CodeDeploy appspec object"
+#   value       = aws_s3_object.appspec_object.key
+# }
 
 output "codedeploy_application_name" {
   description = "The name of the CodeDeploy application"