Merge pull request #21 from liatrio/demo-oidc #2
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy | |
on: | |
push: | |
branches: | |
- demo | |
permissions: | |
id-token: write # Needed to modify JWT token for OIDC | |
contents: read # Needed for actions/checkout | |
jobs: | |
run: | |
name: run | |
runs-on: ubuntu-latest | |
environment: demo | |
steps: | |
# Checkout this repo to the ephemeral runner | |
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3 | |
# Install the terraform and terragrunt | |
- uses: alexellis/setup-arkade@fd34ea3b1f8fa1a6e7e3c1a3b015aa81b95ea9cb # v1 | |
- uses: alexellis/arkade-get@c53b95fac52d9a11069a76e1bc45e40a0b22d3e4 # tested sha off master | |
with: | |
terraform: latest | |
terragrunt: latest | |
# Authenticate with AWS and install AWS cli | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@50ac8dd1e1b10d09dac7b8727528b91bed831ac0 # v3 | |
with: | |
# aws-access-key-id: ${{ secrets.PERSONAL_ACCESS_KEY }} | |
# aws-secret-access-key: ${{ secrets.PERSONAL_SECRET_ACCESS_KEY }} | |
# role-to-assume: ${{ secrets.ROLE_TO_ASSUME }} | |
role-to-assume: ${{ vars.OIDC_ROLE }} | |
aws-region: ${{ vars.AWS_REGION }} | |
role-skip-session-tagging: true | |
# Display IAM Identity | |
- name: Display IAM Identity | |
run: | | |
aws sts get-caller-identity | |
# Install tool for parsing JSON on the command-line | |
- name: Install jq | |
run: | | |
sudo apt install jq tree | |
# Fetch output from terraform | |
- name: Pull Terraform output into GitHub Action ENV | |
run: | | |
terragrunt output --json > tmp_output.json | |
echo "ecr_repository_url=$(jq .ecr_repository_url.value -r < tmp_output.json)" >> $GITHUB_ENV | |
echo "ecs_task_arn=$(jq .ecs_task_arn.value -r < tmp_output.json)" >> $GITHUB_ENV | |
echo "ecs_service_arn=$(jq .ecs_service_arn.value -r < tmp_output.json)" >> $GITHUB_ENV | |
echo "ecs_cluster_arn=$(jq .ecs_cluster_arn.value -r < tmp_output.json)" >> $GITHUB_ENV | |
rm tmp_output.json | |
working-directory: terraform | |
# Build docker image | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2 | |
- name: Login to Amazon ECR | |
id: login-ecr | |
uses: aws-actions/amazon-ecr-login@2fc7aceee09e9e4a7105c0d060c656fad0b4f63d # v1 | |
- name: Build and push | |
uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 # v4 | |
with: | |
push: true | |
tags: ${{ env.ecr_repository_url }}:latest , ${{ env.ecr_repository_url }}:${{ github.sha }} | |
# Fetch ECS task definition to update the running container | |
- name: Pull task-definition.json to update ECS cluster | |
id: pull-ecs-task-definition | |
run: | | |
aws ecs describe-task-definition --task-definition ${{ env.ecs_task_arn }} --region ${{ env.AWS_REGION }} --output json | jq .taskDefinition >> task-definition.json | |
# Update the task definition to point to newly built image | |
- name: Render Amazon ECS task definition | |
id: render-web-container | |
uses: aws-actions/amazon-ecs-render-task-definition@61b0c00c3743b70987a73a1faf577f0d167d1574 # v1 | |
with: | |
task-definition: task-definition.json | |
container-name: knowledgeshare-ui | |
image: ${{ env.ecr_repository_url }}:${{ github.sha }} | |
environment-variables: "LOG_LEVEL=info" | |
# Deploy the updated task-definition | |
- name: Deploy to Amazon ECS service | |
uses: aws-actions/amazon-ecs-deploy-task-definition@df9643053eda01f169e64a0e60233aacca83799a # v1 | |
with: | |
task-definition: ${{ steps.render-web-container.outputs.task-definition }} | |
service: ${{ env.ecs_service_arn }} | |
cluster: ${{ env.ecs_cluster_arn }} | |
force-new-deployment: true # Forces ECS to only have a single running task |