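---
# CI pipeline: lint with pre-commit, build a Python Lambda layer, run Terraform
# (plan + apply), build and push a Docker image to ECR, then sync test data
# into S3 in a dependent job.
name: Deploy Terraform

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
  push:
    paths-ignore:
      # '**.md' matches Markdown files only; the earlier '**md' glob also
      # ignored any path that merely ends in "md".
      - '**.md'
  pull_request:
    branches:
      - main
    paths-ignore:
      - '**.md'

# Least privilege for GITHUB_TOKEN: no step below needs more than read access
# (the image push goes to ECR with AWS credentials, not to GitHub).
permissions:
  contents: read

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  AWS_DEFAULT_REGION: eu-west-1
  # NOTE(review): long-lived access keys are exposed to every step of both
  # jobs; aws-actions/configure-aws-credentials also supports OIDC
  # (role-to-assume), which removes the need to store static keys at all.
  AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  S3_BUCKET_NAME: simple-test-versioned-bucket
  ECR_REPO_NAME: db-data-import-ecr
  CI_VERSION: snapshot.${{github.sha}}

jobs:
  Deploy:
    name: Deploy
    runs-on: ubuntu-latest
    if: ${{ github.actor != 'dependabot[bot]' }}
    # NOTE(review): `terraform apply` below runs on every push to any branch
    # and on every pull request targeting main, so a branch push and its PR
    # can apply concurrently against the same state; consider gating apply on
    # refs/heads/main and adding a `concurrency:` group for the Terraform state.
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3

      - uses: actions/setup-python@v4
        id: setup-python
        with:
          python-version: '3.10'

      # NOTE(review): the third-party actions in this workflow are pinned to
      # mutable major tags (v1/v2/v4); pinning each to a full commit SHA
      # protects the pipeline if a tag is moved to a compromised release.
      - name: Install Poetry
        uses: snok/install-poetry@v1
        with:
          virtualenvs-create: true
          virtualenvs-in-project: true
          installer-parallel: true

      - name: Load cached venv
        id: cached-dependencies
        uses: actions/cache@v3
        with:
          path: |
            .venv
            ~/.cache/pre-commit
            ci/cache/docker/python-image
          # A single key covering the venv, the pre-commit hook cache and the
          # saved Docker image tar. The folded scalar joins the two lines with
          # one space inside the expression, exactly as the original plain
          # multi-line scalar did.
          # NOTE(review): env.PY is not defined anywhere in this workflow and
          # expands to an empty string.
          key: >-
            venv-${{ runner.os }}-${{ steps.setup-python.outputs.python-version }}-${{ hashFiles('**/poetry.lock') }}pre-commit|${{ env.PY }}|${{
            hashFiles('.pre-commit-config.yaml') }}cache-docker-python

      - name: Install dependencies
        if: steps.cached-dependencies.outputs.cache-hit != 'true'
        run: poetry install --no-interaction --no-root

      - name: Install pre-commit hooks
        if: steps.cached-dependencies.outputs.cache-hit != 'true'
        run: |
          source .venv/bin/activate
          pre-commit install-hooks

      - name: Run pre-commit
        run: |
          source .venv/bin/activate
          SKIP=terraform_tflint pre-commit run --all-files

      - name: Create lambda layer
        run: |
          poetry export -f requirements.txt --output requirements.txt --only lambda
          # -p: the parent directories do not exist on a fresh checkout, and a
          # bare mkdir fails on a missing parent.
          mkdir -p python/lib/python3.9/site-packages

      # The tar is written into a cached path, so pulling is only needed when
      # the cache missed; the pinned tag makes a re-pull reproduce the same image.
      - name: Pull Docker image for layer zip creation
        if: steps.cached-dependencies.outputs.cache-hit != 'true'
        run: |
          docker pull public.ecr.aws/sam/build-python3.9:1.81.0
          mkdir -p ci/cache/docker/python-image
          docker image save public.ecr.aws/sam/build-python3.9:1.81.0 --output ./ci/cache/docker/python-image/build-python3.9-1.81.0.tar

      - name: Populate dependencies
        # NOTE(review): on a cache hit this whole step is skipped, so
        # terraform/src/mypythonlibs.zip is not rebuilt; confirm Terraform can
        # still find the archive in that case.
        if: steps.cached-dependencies.outputs.cache-hit != 'true'
        run: |
          docker image load --input ./ci/cache/docker/python-image/build-python3.9-1.81.0.tar
          # Run the same pinned tag that was just loaded: an untagged reference
          # means :latest, which is not in the tar and would be pulled from the
          # registry instead, drifting from the cached version.
          docker run -v "$PWD":/var/task "public.ecr.aws/sam/build-python3.9:1.81.0" /bin/sh -c "pip install -r requirements.txt -t python/lib/python3.9/site-packages/; exit"
          zip -r terraform/src/mypythonlibs.zip python > /dev/null

      - name: Initialize Terraform
        working-directory: terraform/src
        run: terraform init -backend-config=backend.hcl

      - name: Terraform Plan
        working-directory: terraform/src
        # Secrets reach Terraform through TF_VAR_* environment variables instead
        # of being spliced into the shell command line, so a quote or space in
        # a secret value cannot break the -var argument.
        env:
          TF_VAR_db_username: ${{ secrets.DB_USERNAME }}
          TF_VAR_db_password: ${{ secrets.DB_PASSWORD }}
          TF_VAR_my_ip_addresses: ${{ secrets.IP_ADDRESSES }}
        run: terraform plan -out=terraform.plan

      - name: Terraform Apply
        working-directory: terraform/src
        run: terraform apply terraform.plan

      # Expose useful environment variables to the action such as env.CI_ACTION_REF_NAME_SLUG and env.CI_SHA_SHORT
      - uses: FranzDiebold/github-env-vars-action@v2

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_DEFAULT_REGION }}

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Build docker
        uses: docker/build-push-action@v4
        with:
          context: .
          file: Dockerfile
          push: true
          # NOTE(review): build args are persisted in image metadata (they show
          # up in `docker history`), so USER and PASSWORD ship inside every
          # image pushed to ECR. The fix is BuildKit secrets (this action's
          # `secrets:` input plus `RUN --mount=type=secret` in the Dockerfile);
          # that requires a Dockerfile change outside this file, so the values
          # are left in place here.
          build-args: |
            USER=${{ secrets.DB_USERNAME }}
            PASSWORD=${{ secrets.DB_PASSWORD }}
            DATABASE=mydb
            HOST=my-sql-demo-db.cbppkiwouxgk.eu-west-1.rds.amazonaws.com
            PORT=3306
            FILE=hero_attribute.csv
            TABLE=hero_attribute
          tags: |
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPO_NAME }}:${{ env.CI_ACTION_REF_NAME_SLUG }}.${{ env.CI_SHA_SHORT }}
            ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPO_NAME }}:latest
          labels: repository=${{ github.repository }} gh_job=${{ github.job }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

  s3_sync:
    name: Sync Data in S3
    runs-on: ubuntu-latest
    needs: [Deploy]
    if: ${{ github.actor != 'dependabot[bot]' }}
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v3

      - name: Set up Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.10'

      - name: Install AWS CLI
        run: |
          python -m pip install --upgrade pip setuptools wheel
          pip install awscli

      # S3_BUCKET_NAME is already a workflow-level env var, so the shell reads
      # it directly; the former round-trip through $GITHUB_ENV fed no later
      # step. --delete removes bucket objects that are absent from
      # test-bucket-data.
      - name: Sync Data in S3
        run: |
          echo "s3://${S3_BUCKET_NAME}"
          aws s3 sync test-bucket-data "s3://${S3_BUCKET_NAME}" --delete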