deploy-gf dev #39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy contracts GF | |
| run-name: deploy-gf ${{ inputs.environment }} | |
| on: | |
| workflow_call: | |
| inputs: | |
| environment: | |
| required: true | |
| type: string | |
| tag_suffix: | |
| required: true | |
| type: string | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: AB2D environment | |
| required: true | |
| type: choice | |
| options: | |
| - dev | |
| - test | |
| - sandbox | |
| - prod | |
| image_tag_suffix: | |
| description: Image tag suffix | |
| required: true | |
| type: string | |
| jobs: | |
| apply_tofu: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| uses: cmsgov/ab2d/.github/workflows/terraform-microservices-gf.yml@gf-test--burling/ab2d-6692 # TODO use main | |
| with: | |
| environment: ${{ inputs.environment }} | |
| contracts_service_image: contracts-service-${{ inputs.image_tag_suffix }} | |
| apply: true | |
| ref: gf-test--burling/ab2d-6692 # TODO use main | |
| runner: codebuild-ab2d-contracts-${{github.run_id}}-${{github.run_attempt}} | |
| secrets: | |
| aws_account: ${{contains(fromJSON('["dev", "test"]'), inputs.environment) && secrets.GF_NON_PROD_ACCOUNT || secrets.GF_PROD_ACCOUNT}} | |
| deploy: | |
| needs: apply_tofu | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: codebuild-ab2d-contracts-${{github.run_id}}-${{github.run_attempt}} | |
| env: | |
| AWS_ACCOUNT: ${{contains(fromJSON('["dev", "test"]'), inputs.environment) && secrets.GF_NON_PROD_ACCOUNT || secrets.GF_PROD_ACCOUNT}} | |
| AB2D_ENV: ${{ inputs.environment }} | |
| steps: | |
| - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| aws-region: ${{ vars.AWS_REGION }} | |
| role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT }}:role/delegatedadmin/developer/ab2d-${{ env.AB2D_ENV }}-github-actions | |
| - name: Inspect task definition, extract image, deploy | |
| env: | |
| ECS_FAMILY_PREFIX: ab2d-${{ env.AB2D_ENV }}-contracts | |
| ECS_SERVICE: ab2d-${{ env.AB2D_ENV }}-contracts | |
| CLUSTER: ab2d-${{ env.AB2D_ENV }}-microservices | |
| ECR_REPO: ab2d-contracts | |
| IMAGE_TAG: contracts-service-${{ inputs.image_tag_suffix }} | |
| run: | | |
| TASK_DEF=$(aws ecs list-task-definitions --family-prefix $ECS_FAMILY_PREFIX --query "taskDefinitionArns[0]" | tr -d '"') | |
| echo "task definition=$TASK_DEF" | |
| ECR_IMAGE=$(aws ecs describe-task-definition --task-definition $TASK_DEF --query "taskDefinition.containerDefinitions[0].image") | |
| echo "ecr image=$ECR_IMAGE" | |
| ECR_IMAGE_DIGEST=$(echo $ECR_IMAGE | cut -d "@" -f2 | tr -d '"') | |
| echo "ECR_IMAGE_DIGEST=$ECR_IMAGE_DIGEST" | |
| DIGEST=$(aws ecr describe-images --repository-name $ECR_REPO --image-ids imageTag=$IMAGE_TAG | jq '.imageDetails[0]'.imageDigest | tr -d '"') | |
| echo "DIGEST=$DIGEST" | |
| if [[ "$ECR_IMAGE_DIGEST" != "$DIGEST" ]]; then | |
| echo "Image digests do not match" | |
| exit 1 | |
| fi | |
| aws ecs update-service --cluster "$CLUSTER" --service $ECS_SERVICE --task-definition $TASK_DEF --force-new-deployment >/dev/null | |
| aws ecs wait services-stable --cluster "$CLUSTER" --services $ECS_SERVICE | |