Improve new flow

- Replace complicated bash script with python script
  - Better tooling
  - Python chosen as the same script can be used for different services
    with only minor tweaks
    - Ruby is specific to this repository
- Handle any changes in environment variables without needing to modify
  script
  - Also use a version-controlled yml file to persist variables
  - This removes the use of parameter groups for changing variables
    wihtout code changes
  - Changing variables in a running system requires in any case a full
    approval flow
- Add singel approval step for all deployments

Author: TheOneFromNorway

.github/workflows/deploy-application.yml

@@ -61,7 +61,6 @@ jobs:
   prepare-deployment:
     name: Prepare deployment
     runs-on: ubuntu-latest
-    environment: ${{ inputs.environment }}
     permissions:
       id-token: write
     steps:
@@ -72,37 +71,27 @@ jobs:
         with:
           role-to-assume: ${{ env.aws-role }}
           aws-region: eu-west-2
-      - name: Get image digest from ECR
-        id: get-image-digest
-        run: |
-          # Get AWS account ID and construct repository URI
-          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
-          REPOSITORY_URI="${AWS_ACCOUNT_ID}.dkr.ecr.eu-west-2.amazonaws.com/mavis/webapp"
-
-          # Get the image digest for the git SHA
-          IMAGE_DIGEST=$(aws ecr describe-images \
-            --repository-name mavis/webapp \
-            --image-ids imageTag=${{ inputs.git_sha_to_deploy || github.sha }} \
-            --query 'imageDetails[0].imageDigest' \
-            --output text)
-
-          NEW_IMAGE_URI="${REPOSITORY_URI}@${IMAGE_DIGEST}"
-          echo "new-image-uri=${NEW_IMAGE_URI}" >> $GITHUB_OUTPUT
-          echo "New image URI: ${NEW_IMAGE_URI}"
+      - name: Setup python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.12.3
+          cache: pip
+      - name: Install Python dependencies
+        run: python3 -m pip install -r script/requirements.txt
       - name: Populate web task definition
         if: inputs.server_types == 'web' || inputs.server_types == 'all'
         id: render-web-task-definition
         run: |
-          ./script/populate_task_definition.sh ${{ inputs.environment }} web \
-            -i "${{ steps.get-image-digest.outputs.new-image-uri }}" \
+          python3 script/populate_task_definition.py ${{ inputs.environment }} web \
+            -i "${{ inputs.git_sha_to_deploy || github.sha }}" \
             -o web-task-definition.json
           cat web-task-definition.json
       - name: Populate good-job task definition
         if: inputs.server_types == 'good-job' || inputs.server_types == 'all'
         id: render-good-job-task-definition
         run: |
-          ./script/populate_task_definition.sh ${{ inputs.environment }} good-job \
-            -i "${{ steps.get-image-digest.outputs.new-image-uri }}" \
+          python3 script/populate_task_definition.py ${{ inputs.environment }} good-job \
+            -i "${{ inputs.git_sha_to_deploy || github.sha }}" \
             -o good-job-task-definition.json
           cat good-job-task-definition.json
       - name: Make artifact for web task definition
@@ -118,12 +107,19 @@ jobs:
     outputs:
       new-image-uri: ${{ steps.get-image-digest.outputs.new-image-uri }}
 
+  approve-deployments:
+    name: Approve deployments
+    runs-on: ubuntu-latest
+    needs: prepare-deployment
+    environment: ${{ inputs.environment }}
+    steps:
+      - run: echo "Proceeding with deployment to ${{ inputs.environment }} environment"
+
   deploy-web:
     name: Deploy web service
     runs-on: ubuntu-latest
     if: inputs.server_types == 'web' || inputs.server_types == 'all'
-    needs: prepare-deployment
-    environment: ${{ inputs.environment }}
+    needs: [ prepare-deployment, approve-deployments ]
     permissions:
       id-token: write
     steps:
@@ -167,8 +163,7 @@ jobs:
     name: Deploy good-job service
     runs-on: ubuntu-latest
     if: inputs.server_types == 'good-job' || inputs.server_types == 'all'
-    needs: prepare-deployment
-    environment: ${{ inputs.environment }}
+    needs: [ prepare-deployment, approve-deployments ]
     permissions:
       id-token: write
     steps:

.github/workflows/deploy-mavis.yml

@@ -6,3 +6,4 @@ terraform   1.11.4
 tflint      0.55.1
 pkl         0.28.1
 hk          1.1.2
+python      3.12.3