deploy-gf dev #49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy contracts GF | |
| run-name: deploy-gf ${{ inputs.environment }} | |
| on: | |
| workflow_call: | |
| inputs: | |
| environment: | |
| required: true | |
| type: string | |
| tag_suffix: | |
| required: true | |
| type: string | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: AB2D environment | |
| required: true | |
| type: choice | |
| options: | |
| - dev | |
| - test | |
| - sandbox | |
| - prod | |
| image_tag_suffix: | |
| description: Image tag suffix | |
| required: false | |
| type: string | |
| jobs: | |
| apply_tofu: | |
| permissions: | |
| contents: read | |
| id-token: write | |
| uses: cmsgov/ab2d/.github/workflows/terraform-microservices-gf.yml@more-workflows-gf # TODO set to main | |
| with: | |
| environment: ${{ inputs.environment }} | |
| contracts_service_image: contracts-service-${{ inputs.image_tag_suffix || github.ref }} | |
| apply: true | |
| ref: main | |
| runner: codebuild-ab2d-contracts-${{github.run_id}}-${{github.run_attempt}} | |
| secrets: | |
| aws_account: ${{contains(fromJSON('["dev", "test"]'), inputs.environment) && secrets.GF_NON_PROD_ACCOUNT || secrets.GF_PROD_ACCOUNT}} | |
| deploy: | |
| needs: apply_tofu | |
| permissions: | |
| contents: read | |
| id-token: write | |
| runs-on: codebuild-ab2d-contracts-${{github.run_id}}-${{github.run_attempt}} | |
| env: | |
| AWS_ACCOUNT: ${{contains(fromJSON('["dev", "test"]'), inputs.environment) && secrets.GF_NON_PROD_ACCOUNT || secrets.GF_PROD_ACCOUNT}} | |
| AB2D_ENV: ${{ inputs.environment }} | |
| steps: | |
| - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| aws-region: ${{ vars.AWS_REGION }} | |
| role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT }}:role/delegatedadmin/developer/ab2d-${{ env.AB2D_ENV }}-github-actions | |
| - name: Inspect task definition, extract image, deploy | |
| env: | |
| CLUSTER: ab2d-${{ env.AB2D_ENV }}-microservices | |
| ECS_FAMILY_PREFIX: ab2d-${{ env.AB2D_ENV }}-contracts | |
| ECS_SERVICE: ab2d-${{ env.AB2D_ENV }}-contracts | |
| ECR_REPO: ab2d-contracts | |
| IMAGE_TAG: contracts-service-${{ inputs.image_tag_suffix }} | |
| run: | | |
| set -e | |
| # Query the latest task definition (created by the tofu job above) and extract ECR image digest | |
| TASK_DEF=$(aws ecs list-task-definitions --status ACTIVE --family-prefix $ECS_FAMILY_PREFIX --query "taskDefinitionArns[0]" | tr -d '"') | |
| TASK_DEF_IMA`GE=$(aws ecs describe-task-definition --task-definition $TASK_DEF --query "taskDefinition.containerDefinitions[0].image") | |
| TASK_DEF_IMAGE_DIGEST=$(echo $TASK_DEF_IMAGE | cut -d "@" -f2 | tr -d '"') | |
| # Query ECR for image matching $IMAGE_TAG (there should be only one) and verify digests match | |
| ECR_IMAGE_DIGEST=$(aws ecr describe-images --repository-name $ECR_REPO --image-ids imageTag=$IMAGE_TAG | jq '.imageDetails[0].imageDigest' | tr -d '"') | |
| if [[ "$ECR_IMAGE_DIGEST" != "$TASK_DEF_IMAGE_DIGEST" ]]; then | |
| echo "Image digests do not match" | |
| echo "TASK_DEF_IMAGE_DIGEST=$TASK_DEF_IMAGE_DIGEST" | |
| echo "ECR_IMAGE_DIGEST=$ECR_IMAGE_DIGEST" | |
| exit 1 | |
| fi | |
| echo "Deploying $TASK_DEF" | |
| aws ecs update-service --cluster "$CLUSTER" --service $ECS_SERVICE --task-definition $TASK_DEF --force-new-deployment >/dev/null | |
| aws ecs wait services-stable --cluster "$CLUSTER" --services $ECS_SERVICE | |
| echo "Deployed `$TASK_DEF` to **$AB2D_ENV**" >> $GITHUB_STEP_SUMMARY |