Improve new flow

- Replace complicated bash script with python script
  - Better tooling
  - Python chosen as the same script can be used for different services
    with only minor tweaks
    - Ruby is specific to this repository
- Handle any changes in environment variables without needing to modify
  script
  - Also use a version-controlled yml file to persist variables
  - This removes the use of parameter groups for changing variables
    wihtout code changes
  - Changing variables in a running system requires in any case a full
    approval flow
- Add singel approval step for all deployments

Author: TheOneFromNorway

.github/workflows/deploy-application.yml

@@ -61,7 +61,6 @@ jobs:
   prepare-deployment:
     name: Prepare deployment
     runs-on: ubuntu-latest
-    environment: ${{ inputs.environment }}
     permissions:
       id-token: write
     steps:
@@ -72,37 +71,27 @@ jobs:
         with:
           role-to-assume: ${{ env.aws-role }}
           aws-region: eu-west-2
-      - name: Get image digest from ECR
-        id: get-image-digest
+      - name: Setup python
+        uses: actions/setup-python@v4
+        with:
+          python-version-file: .tool-versions
+      - name: Install Python dependencies
         run: |
-          # Get AWS account ID and construct repository URI
-          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-          REPOSITORY_URI="${AWS_ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/mavis/webapp"
-
-          # Get the image digest for the git SHA
-          IMAGE_DIGEST=$(aws ecr describe-images \
-            --repository-name mavis/webapp \
-            --image-ids imageTag=${{ inputs.git_sha_to_deploy || github.sha }} \
-            --query 'imageDetails[0].imageDigest' \
-            --output text)
-
-          NEW_IMAGE_URI="${REPOSITORY_URI}@${IMAGE_DIGEST}"
-          echo "new-image-uri=${NEW_IMAGE_URI}" >> $GITHUB_OUTPUT
-          echo "New image URI: ${NEW_IMAGE_URI}"
+          python3 install scripts/requirements.txt
       - name: Populate web task definition
         if: inputs.server_types == 'web' || inputs.server_types == 'all'
         id: render-web-task-definition
         run: |
-          ./script/populate_task_definition.sh ${{ inputs.environment }} web \
-            -i "${{ steps.get-image-digest.outputs.new-image-uri }}" \
+          python3 script/populate_task_definition.py ${{ inputs.environment }} web \
+            -i "${{ inputs.git_sha_to_deploy || github.sha }}" \
             -o web-task-definition.json
           cat web-task-definition.json
       - name: Populate good-job task definition
         if: inputs.server_types == 'good-job' || inputs.server_types == 'all'
         id: render-good-job-task-definition
         run: |
-          ./script/populate_task_definition.sh ${{ inputs.environment }} good-job \
-            -i "${{ steps.get-image-digest.outputs.new-image-uri }}" \
+          python3 script/populate_task_definition.py ${{ inputs.environment }} good-job \
+            -i "${{ inputs.git_sha_to_deploy || github.sha }}" \
             -o good-job-task-definition.json
           cat good-job-task-definition.json
       - name: Make artifact for web task definition
@@ -118,12 +107,19 @@ jobs:
     outputs:
       new-image-uri: ${{ steps.get-image-digest.outputs.new-image-uri }}
 
+  approve-deployments:
+    name: Approve deployments
+    runs-on: ubuntu-latest
+    needs: prepare-deployment
+    environment: ${{ inputs.environment }}
+    steps:
+      - run: echo "Proceeding with deployment to ${{ inputs.environment }} environment"
+
   deploy-web:
     name: Deploy web service
     runs-on: ubuntu-latest
     if: inputs.server_types == 'web' || inputs.server_types == 'all'
-    needs: prepare-deployment
-    environment: ${{ inputs.environment }}
+    needs: [ prepare-deployment, approve-deployments ]
     permissions:
       id-token: write
     steps:
@@ -167,8 +163,7 @@ jobs:
     name: Deploy good-job service
     runs-on: ubuntu-latest
     if: inputs.server_types == 'good-job' || inputs.server_types == 'all'
-    needs: prepare-deployment
-    environment: ${{ inputs.environment }}
+    needs: [ prepare-deployment, approve-deployments ]
     permissions:
       id-token: write
     steps:

.tool-versions

@@ -6,3 +6,4 @@ terraform   1.11.4
 tflint      0.55.1
 pkl         0.28.1
 hk          1.1.2
+python      3.12.3

config/container_variables.yml

@@ -0,0 +1,67 @@
+# Container Variables Configuration
+# This file specifies environment-specific variables that will be added to or override
+# the environment variables extracted from terraform configuration
+
+environments:
+  production:
+    RAILS_ENV: production
+    SENTRY_ENVIRONMENT: production
+    MAVIS__SPLUNK__ENABLED: true
+    MAVIS__CIS2__ENABLED: true
+    MAVIS__PDS__ENQUEUE_BULK_UPDATES: true
+    MAVIS__PDS__WAIT_BETWEEN_JOBS: 0.5
+    GOOD_JOB_MAX_THREADS: 5
+
+  qa:
+    RAILS_ENV: staging
+    SENTRY_ENVIRONMENT: qa
+    MAVIS__SPLUNK__ENABLED: true
+    MAVIS__CIS2__ENABLED: false
+    MAVIS__PDS__ENQUEUE_BULK_UPDATES: false
+    MAVIS__PDS__WAIT_BETWEEN_JOBS: 0.5
+    GOOD_JOB_MAX_THREADS: 5
+
+  test:
+    RAILS_ENV: staging
+    SENTRY_ENVIRONMENT: test
+    MAVIS__SPLUNK__ENABLED: true
+    MAVIS__CIS2__ENABLED: true
+    MAVIS__PDS__ENQUEUE_BULK_UPDATES: false
+    MAVIS__PDS__WAIT_BETWEEN_JOBS: 0.5
+    GOOD_JOB_MAX_THREADS: 5
+
+  preview:
+    RAILS_ENV: staging
+    SENTRY_ENVIRONMENT: preview
+    MAVIS__SPLUNK__ENABLED: false
+    MAVIS__CIS2__ENABLED: false
+    MAVIS__PDS__ENQUEUE_BULK_UPDATES: false
+    MAVIS__PDS__WAIT_BETWEEN_JOBS: 0.5
+    GOOD_JOB_MAX_THREADS: 5
+
+  training:
+    RAILS_ENV: staging
+    SENTRY_ENVIRONMENT: training
+    MAVIS__SPLUNK__ENABLED: false
+    MAVIS__CIS2__ENABLED: false
+    MAVIS__PDS__ENQUEUE_BULK_UPDATES: false
+    MAVIS__PDS__WAIT_BETWEEN_JOBS: 0.5
+    GOOD_JOB_MAX_THREADS: 5
+
+  sandbox-alpha:
+    RAILS_ENV: staging
+    SENTRY_ENVIRONMENT: sandbox-alpha
+    MAVIS__SPLUNK__ENABLED: false
+    MAVIS__CIS2__ENABLED: false
+    MAVIS__PDS__ENQUEUE_BULK_UPDATES: false
+    MAVIS__PDS__WAIT_BETWEEN_JOBS: 0.5
+    GOOD_JOB_MAX_THREADS: 5
+
+  sandbox-beta:
+    RAILS_ENV: staging
+    SENTRY_ENVIRONMENT: sandbox-beta
+    MAVIS__SPLUNK__ENABLED: false
+    MAVIS__CIS2__ENABLED: false
+    MAVIS__PDS__ENQUEUE_BULK_UPDATES: false
+    MAVIS__PDS__WAIT_BETWEEN_JOBS: 0.5
+    GOOD_JOB_MAX_THREADS: 5

config/templates/task-definition.json.tpl

@@ -1,9 +1,9 @@
 {
-  "family": "mavis-<SERVER_TYPE>-task-definition-<ENV>",
+  "family": "mavis-<SERVER_TYPE_NAME>-task-definition-<ENV>",
   "containerDefinitions": [
     {
       "name": "application",
-      "image": "REPOSITORY_URI",
+      "image": "<IMAGE_URI>",
       "portMappings": [
         {
           "containerPort": 4000,
@@ -16,83 +16,18 @@
         "options": {
           "awslogs-group": "mavis-<ENV>-ecs",
           "awslogs-region": "eu-west-2",
-          "awslogs-stream-prefix": "<ENV>-<SERVER_TYPE>-logs"
+          "awslogs-stream-prefix": "<SERVER_TYPE_NAME>-logs"
         }
       },
       "healthCheck": {
-        "command": [
-          "CMD-SHELL",
-          "./bin/internal_healthcheck http://localhost:4000<HEALTH_CHECK_PATH>"
-        ],
+        "command": ["CMD-SHELL", "<HEALTH_CHECK>"],
         "interval": 30,
         "timeout": 5,
         "retries": 3,
         "startPeriod": 10
       },
-      "environment": [
-        {
-          "name": "MAVIS__GIVE_OR_REFUSE_CONSENT_HOST",
-          "value": "<MAVIS__GIVE_OR_REFUSE_CONSENT_HOST>"
-        },
-        {
-          "name": "RAILS_ENV",
-          "value": "<RAILS_ENV>"
-        },
-        {
-          "name": "MAVIS__SPLUNK__ENABLED",
-          "value": "<SPLUNK__ENABLED>"
-        },
-        {
-          "name": "MAVIS__HOST",
-          "value": "<MAVIS__HOST>"
-        },
-        {
-          "name": "MAVIS__CIS2__ENABLED",
-          "value": "<CIS2__ENABLED>"
-        },
-        {
-          "name": "SERVER_TYPE",
-          "value": "<SERVER_TYPE>"
-        },
-        {
-          "name": "DB_NAME",
-          "value": "<DB_NAME>"
-        },
-        {
-          "name": "DB_HOST",
-          "value": "<DB_HOST>"
-        },
-        {
-          "name": "SENTRY_ENVIRONMENT",
-          "value": "<ENV>"
-        },
-        {
-          "name": "APP_VERSION",
-          "value": "<APP_VERSION>"
-        }
-      ],
-      "secrets": [
-        {
-          "name": "DB_CREDENTIALS",
-          "valueFrom": "<DB_SECRET_ARN>"
-        },
-        {
-          "name": "RAILS_MASTER_KEY",
-          "valueFrom": "<RAILS_MASTER_KEY_ARN>"
-        },
-        {
-          "name": "GOOD_JOB_MAX_THREADS",
-          "valueFrom": "<GOOD_JOB_MAX_THREADS_ARN>"
-        },
-        {
-          "name": "MAVIS__PDS__ENQUEUE_BULK_UPDATES",
-          "valueFrom": "<MAVIS__PDS__ENQUEUE_BULK_UPDATES_ARN>"
-        },
-        {
-          "name": "MAVIS__PDS__WAIT_BETWEEN_JOBS",
-          "valueFrom": "<MAVIS__PDS__WAIT_BETWEEN_JOBS_ARN>"
-        }
-      ]
+      "environment": <ENVIRONMENT_VARIABLES>,
+      "secrets": <SECRETS>
     }
   ],
   "taskRoleArn": "<TASK_ROLE_ARN>",