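name: Infrastructure Deployment
# Runs on every push to main (deploys the "dev" stage) and on GitHub release
# events: a prerelease deploys "uat", a full release deploys "prod".
# Documentation-only changes do not trigger a deployment.
on:
  release:
    types: [released, prereleased]
  push:
    branches: [main]
    paths-ignore:
      - "**/README.md"
      - "**/readme.md"
      - "doc/**/*.md"

# Least privilege for the automatic GITHUB_TOKEN. The only step that writes
# back to this repository is the push to the release/uat branch, which needs
# `contents: write`; every other scope is dropped.
permissions:
  contents: write

# Serialise deployments per target stage rather than per git ref. A release
# event runs from a tag ref, so keying on github.ref would let two releases
# (or two prereleases) run terraform against the same remote state at once;
# keying on the stage queues them instead. Keep this expression identical to
# TF_STAGE below.
concurrency:
  group: infra-${{ github.event_name == 'release' && (github.event.action == 'prereleased' && 'uat' || 'prod') || 'dev' }}
  # Never cancel a running terraform apply: an interrupted run leaves the
  # remote state lock held and the next run fails until it is cleared by hand.
  cancel-in-progress: false

jobs:
  build:
    # NOTE(review): ubuntu-20.04 is an old, pinned hosted image that GitHub has
    # retired from its runner fleet; check the label is still served.
    runs-on: ubuntu-20.04
    # A full release uses the Production environment (its protection rules and
    # secrets); everything else, including prereleases, uses Development.
    # NOTE(review): a prerelease therefore deploys the "uat" stage with
    # Development's secrets and approvals -- confirm this is intended.
    environment: ${{ github.event_name == 'release' && ( github.event.action == 'released' && 'Production' || 'Development') || 'Development' }}
    # Job-level env is visible to every step, including the third-party
    # actions below. Secrets that only one step needs (e.g. DATABASE_PASSWORD,
    # used by the migration step) could be scoped to that step to limit exposure.
    env:
      DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}
      GOOGLE_API_KEY: ${{ secrets.GOOGLE_API_KEY }}
      AWS_VPC_ID: ${{ secrets.AWS_VPC_ID }}
      AWS_SUBNET_PRIMARY: ${{ secrets.AWS_SUBNET_PRIMARY }}
      AWS_ZONE_PRIMARY: ${{ secrets.AWS_ZONE_PRIMARY }}
      AWS_SUBNET_SECONDARY0: ${{ secrets.AWS_SUBNET_SECONDARY0 }}
      AWS_ZONE_SECONDARY0: ${{ secrets.AWS_ZONE_SECONDARY0 }}
      AWS_SUBNET_SECONDARY1: ${{ secrets.AWS_SUBNET_SECONDARY1 }}
      AWS_ZONE_SECONDARY1: ${{ secrets.AWS_ZONE_SECONDARY1 }}
      AWS_SSH_KEY: ${{ secrets.AWS_SSH_KEY }}
      GIT_REPOSITORY_URL: https://github.com/neu-dsg/dailp-encoding
      OAUTH_TOKEN: ${{ secrets.OAUTH_TOKEN }}
      RUST_LOG: info
      # Stage is "dev" unless triggered by a release event; "uat" for a
      # prerelease, "prod" for a full release. Must match the concurrency
      # group expression above.
      TF_STAGE: ${{ github.event_name == 'release' && (github.event.action == 'prereleased' && 'uat' || 'prod') || 'dev' }}

    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          # Full history, presumably so the branch push below is not made from
          # a shallow clone.
          fetch-depth: 0

      - name: Push to release branch
        if: ${{ github.event_name == 'release' }}
        # NOTE(review): a mutable `@master` ref on a third-party action is a
        # supply-chain risk -- the action's code can change underneath this
        # workflow without review. Pin to a full commit SHA.
        uses: ad-m/github-push-action@master
        with:
          branch: ${{ github.event.action == 'prereleased' && 'uat' || 'release' }}
          # The branch is overwritten on every release, and this happens before
          # the deploy below has succeeded.
          force: true

      - name: Configure AWS credentials
        # NOTE(review): long-lived access keys stored as repository secrets.
        # This action also supports OIDC (`role-to-assume` plus the
        # `id-token: write` permission), which removes the static credential.
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      # Classifies the changed paths. Its outputs (steps.filter.outputs.*) are
      # not referenced by any step in this workflow; every push deploys.
      - uses: dorny/paths-filter@v2
        id: filter
        with:
          base: ${{ github.ref }}
          filters: |
            backend:
              - 'types/**'
              - 'graphql/**'
              - 'flake.nix'
              - 'flake.lock'
              - 'terraform/**'
            data:
              - 'types/**'
              - 'migration/**'
              - 'graphql/**'
            rust:
              - '**/*.rs'
              - 'Cargo.lock'

      - name: Install Nix
        uses: cachix/install-nix-action@v20
        with:
          # NOTE(review): nixos-21.11 is an end-of-life channel; it no longer
          # receives security updates.
          nix_path: nixpkgs=channel:nixos-21.11

      - name: Use binary cache for nix store
        uses: cachix/cachix-action@v12
        with:
          name: dailp
          # Write token for the cache (required for pushing, or for a private cache).
          authToken: "${{ secrets.CACHIX_AUTH_TOKEN }}"
          # Store paths whose name matches this regex are NOT pushed to the
          # cache. NOTE(review): presumably to keep derivations that may embed
          # the deployment secrets read via --impure (terraform config, plan /
          # apply wrappers, sources) out of a shared cache -- verify the list
          # covers every such derivation whenever the flake changes.
          pushFilter: "(-dailp$|-dailp-|-terraform-config$|-source$|\\.tar\\.gz$|-output$|-plan$|-apply-now$|-apply$)"

      - name: Build and test project
        # -L shows the full build log. --impure lets the build read the job env
        # above, so secret values can end up inside store paths on the runner;
        # keep pushFilter above in sync with whatever embeds them.
        run: |
          nix build --impure -L

      - name: Deploy back-end to AWS via terraform
        # Applies terraform for TF_STAGE, then records the security group that
        # gates bastion access for the steps below.
        run: |
          nix run --impure -L .#tf-apply-now
          SECURITY_GROUP_ID=$(nix run --impure .#tf-output access_security_group_id)
          echo "ACCESS_SECURITY_GROUP=$SECURITY_GROUP_ID" >> "$GITHUB_ENV"
      # - name: Validate spreadsheets
      #   env:
      #     RUST_LOG: warn
      #   run: nix run --impure -L .#validate-data

      - name: Allow SSH access to bastion host
        # Opens tcp/22 on the access security group for this runner's public
        # IP. The rule is removed again by the "Revoke" step below.
        # NOTE(review): unpinned `@master` third-party action that receives the
        # AWS credentials -- pin to a full commit SHA.
        uses: sohelamin/aws-security-group-add-ip-action@master
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1
          aws-security-group-id: ${{ env.ACCESS_SECURITY_GROUP }}
          port: 22
          to-port: 22
          protocol: tcp

      - name: Encode documents as TEI and database entries
        # Tunnels localhost:5432 to the database through the bastion, then runs
        # the schema and data migrations against it.
        env:
          # Handed to the script through the environment instead of being
          # interpolated with ${{ }}: a key containing quotes or backslashes
          # would otherwise corrupt the generated shell script, and the
          # expression form is the pattern GitHub warns against for injection.
          BASTION_SSH_KEY: ${{ secrets.AWS_BASTION_SSH_KEY }}
        run: |
          # The private key lives in the runner temp dir, is created without
          # group/world access from the start (umask, not a chmod after the
          # fact), and is deleted when the step ends however it ends.
          KEY_FILE="$RUNNER_TEMP/dailp-deployment-key.pem"
          trap 'rm -f "$KEY_FILE"' EXIT
          echo "Creating SSH key file..."
          (umask 077; printf '%s\n' "$BASTION_SSH_KEY" > "$KEY_FILE")
          echo "Retrieving terraform outputs..."
          BASTION_IP=$(nix run --impure .#tf-output bastion_ip)
          # Assumed to be host:port, as -L below requires -- TODO confirm.
          DATABASE_ENDPOINT=$(nix run --impure .#tf-output database_endpoint)
          echo "Configuring SSH client..."
          mkdir -p ~/.ssh
          # Trust-on-first-use: the host key is whatever answers at this IP at
          # this moment. NOTE(review): exporting the bastion's host key as a
          # terraform output (or a secret) and writing that instead would
          # close the on-path substitution window.
          ssh-keyscan -H "$BASTION_IP" >> ~/.ssh/known_hosts
          echo "Forwarding port 5432 to remote database $DATABASE_ENDPOINT through $BASTION_IP"
          # ExitOnForwardFailure makes ssh exit non-zero here if the tunnel
          # cannot be established, instead of leaving the migrations to fail
          # later against a dead localhost:5432.
          ssh -i "$KEY_FILE" -f -N \
            -o StrictHostKeyChecking=yes \
            -o ExitOnForwardFailure=yes \
            -L "5432:$DATABASE_ENDPOINT" "ec2-user@$BASTION_IP"
          export DAILP_API_URL=$(nix run --impure .#tf-output functions_url)
          # NOTE(review): the password is not URL-encoded; this breaks if it
          # ever contains characters such as '@', ':' or '/'.
          export DATABASE_URL=postgres://dailp:$DATABASE_PASSWORD@localhost:5432/dailp
          nix run --impure .#migrate-schema
          export CF_URL=$(nix run --impure .#tf-output cloudfront_distro_url)
          nix run --impure .#migrate-data

      - name: Revoke SSH access to bastion host
        # GitHub-hosted runner addresses are shared with other tenants, so the
        # tcp/22 rule added for this runner is removed even when an earlier
        # step failed. Best effort: a failure here must not mask the deploy
        # result. NOTE(review): assumes the add-ip action authorised exactly
        # <runner-ip>/32 on tcp/22 and that this lookup yields the same
        # address -- verify against that action's implementation.
        if: ${{ always() && env.ACCESS_SECURITY_GROUP != '' }}
        continue-on-error: true
        run: |
          RUNNER_IP=$(curl -fsS https://checkip.amazonaws.com)
          aws ec2 revoke-security-group-ingress \
            --group-id "$ACCESS_SECURITY_GROUP" \
            --protocol tcp --port 22 --cidr "${RUNNER_IP}/32"

      - name: Publish website
        # -f turns a non-2xx response from the webhook into a failed step
        # instead of a silent "success"; -sS keeps curl quiet except for
        # errors, so the webhook URL (which presumably carries its own token)
        # stays out of the log.
        run: |
          curl -fsS -X POST -H "Content-Type:application/json" -d '{}' "$(nix run --impure .#tf-output amplify_webhook)"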