Skip to content

Merge pull request #415 from NEU-DSG/enable-auto-db-backups #665

Merge pull request #415 from NEU-DSG/enable-auto-db-backups

Merge pull request #415 from NEU-DSG/enable-auto-db-backups #665

Workflow file for this run

name: Infrastructure Deployment
# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the main branch
on:
release:
types: [released, prereleased]
push:
branches: [main]
paths-ignore:
- "**/README.md"
- "**/readme.md"
- "doc/**/*.md"
concurrency:
group: infra-${{ github.ref }}
# Cancelling terraform deployments will screw up terraform's own locking mechanism
cancel-in-progress: false
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
build:
runs-on: ubuntu-20.04
environment: ${{ github.event_name == 'release' && ( github.event.action == 'released' && 'Production' || 'Development') || 'Development' }}
env:
DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
AWS_VPC_ID: ${{ secrets.AWS_VPC_ID }}
AWS_SUBNET_PRIMARY: ${{ secrets.AWS_SUBNET_PRIMARY }}
AWS_ZONE_PRIMARY: ${{ secrets.AWS_ZONE_PRIMARY }}
AWS_SUBNET_SECONDARY0: ${{ secrets.AWS_SUBNET_SECONDARY0 }}
AWS_ZONE_SECONDARY0: ${{ secrets.AWS_ZONE_SECONDARY0 }}
AWS_SUBNET_SECONDARY1: ${{ secrets.AWS_SUBNET_SECONDARY1 }}
AWS_ZONE_SECONDARY1: ${{ secrets.AWS_ZONE_SECONDARY1 }}
AWS_SSH_KEY: ${{ secrets.AWS_SSH_KEY }}
GIT_REPOSITORY_URL: https://github.com/neu-dsg/dailp-encoding
OAUTH_TOKEN: ${{ secrets.OAUTH_TOKEN }}
RUST_LOG: info
# Stage is Development if not based on a release event, is Staging/UAT if event action is prereleased, is Production if event action is released
TF_STAGE: ${{ github.event_name == 'release' && ( github.event.action == 'prereleased' && 'uat' || 'prod') || 'dev' }}
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Push to release branch
if: ${{ github.event_name == 'release' }}
uses: ad-m/github-push-action@master
with:
branch: ${{ github.event.action == 'prereleased' && 'uat' || 'release' }}
force: true
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: dorny/paths-filter@v2
id: filter
with:
base: ${{ github.ref }}
filters: |
backend:
- 'types/**'
- 'graphql/**'
- 'flake.nix'
- 'flake.lock'
- 'terraform/**'
data:
- 'types/**'
- 'migration/**'
- 'graphql/**'
rust:
- '**/*.rs'
- 'Cargo.lock'
- name: Install Nix
uses: cachix/install-nix-action@v20
with:
nix_path: nixpkgs=channel:nixos-21.11
- name: Use binary cache for nix store
uses: cachix/cachix-action@v12
with:
name: dailp
# If you chose API tokens for write access OR if you have a private cache
authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
pushFilter: "(-dailp$|-dailp-|-terraform-config$|-source$|\\.tar\\.gz$|-output$|-plan$|-apply-now$|-apply$)"
- name: Build and test project
# nix -L argument shows the full build log and --impure allows it to access environment variables.
run: |
nix build --impure -L
- name: Deploy back-end to AWS via terraform
run: |
nix run --impure -L .#tf-apply-now
SECURITY_GROUP_ID=$(nix run --impure .#tf-output access_security_group_id)
echo "ACCESS_SECURITY_GROUP=$SECURITY_GROUP_ID" >> $GITHUB_ENV
# - name: Validate spreadsheets
# env:
# RUST_LOG: warn
# run: nix run --impure -L .#validate-data
- name: Allow SSH access to bastion host
uses: sohelamin/aws-security-group-add-ip-action@master
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
aws-security-group-id: ${{ env.ACCESS_SECURITY_GROUP }}
port: 22
to-port: 22
protocol: tcp
- name: Encode documents as TEI and database entries
# Sets up port forwarding to remote database on port 5432
run: |
echo "Creating SSH key file..."
echo "${{secrets.AWS_BASTION_SSH_KEY}}" > dailp-deployment-key.pem
chmod 400 ./dailp-deployment-key.pem
echo "Retrieving terraform outputs..."
BASTION_IP=$(nix run --impure .#tf-output bastion_ip)
DATABASE_ENDPOINT=$(nix run --impure .#tf-output database_endpoint)
echo "Configuring SSH client..."
mkdir -p ~/.ssh
echo "Still configuring SSH client..."
ssh-keyscan -H $BASTION_IP >> ~/.ssh/known_hosts
echo "Forwarding port 5432 to remote database $DATABASE_ENDPOINT through $BASTION_IP"
ssh -i ./dailp-deployment-key.pem -f -N -L 5432:$DATABASE_ENDPOINT ec2-user@$BASTION_IP
export DAILP_API_URL=$(nix run --impure .#tf-output functions_url)
export DATABASE_URL=postgres://dailp:$DATABASE_PASSWORD@localhost:5432/dailp
nix run --impure .#migrate-schema
export CF_URL=$(nix run --impure .#tf-output cloudfront_distro_url)
nix run --impure .#migrate-data
- name: Publish website
run: |
curl -X POST -d {} "$(nix run --impure .#tf-output amplify_webhook)" -H "Content-Type:application/json"