quickstart-aws-sql/.github/workflows/.deploy_stack.yml at main · bcgov/quickstart-aws-sql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
name: .Deploy Stack

on:
  workflow_call:
    inputs:
      ### Required
      environment_name:
        description: 'The name of the environment to deploy to'
        required: true
        default: 'dev'
        type: string
      command:
        description: 'The terragrunt command to run'
        required: true
        default: 'apply'
        type: string
      tag:
        description: 'The tag of the containers to deploy'
        default: 'latest'
        type: string
        required: false
      app_env:
        required: false
        type: string
        description: 'The APP env separates between AWS ENV and Actual APP, since AWS dev is where PR, and TEST is deployed'
    outputs:
      API_GW_URL:
        value: ${{ jobs.deploy.outputs.API_GW_URL }}
      S3_BUCKET_ARN:
        value: ${{ jobs.deploy.outputs.S3_BUCKET_ARN }}
      S3_BUCKET_NAME:
        value: ${{ jobs.deploy.outputs.S3_BUCKET_NAME }}
      CF_DOMAIN:
        value: ${{ jobs.deploy.outputs.CF_DOMAIN }}
      CF_DISTRIBUTION_ID:
        value: ${{ jobs.deploy.outputs.CF_DISTRIBUTION_ID }}
env:
    AWS_REGION: ca-central-1
permissions:
  id-token: write # This is required for requesting the JWT
  contents: write # This is required for actions/checkout
jobs:

  ecr:
    name:  ECR
    runs-on: ubuntu-24.04
    environment: ${{ inputs.environment_name }}
    strategy:
      matrix:
        package: [backend,migrations]
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
        with:
          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
          role-session-name: gha-ecr-push
          aws-region: ca-central-1

      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull, tag and push image to ECR
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          GHCR_IMAGE: ghcr.io/${{ github.repository }}/${{ matrix.package }}:${{ inputs.tag }}
        run: |
          # Check if command is apply and validate image exists
          if [ "${{ inputs.command }}" == "apply" ]; then
            docker manifest inspect $GHCR_IMAGE > /dev/null 2>&1 || { echo "Error: Image $GHCR_IMAGE does not exist and command is apply"; exit 1; }
            docker pull $GHCR_IMAGE || { echo "Error: Failed to pull image $GHCR_IMAGE"; exit 1; }

            # Tag for ECR
            ECR_IMAGE=$ECR_REGISTRY/${{ github.repository }}:${{ matrix.package }}-${{ inputs.tag }}
            docker tag $GHCR_IMAGE $ECR_IMAGE

            # Push to ECR
            docker push $ECR_IMAGE
          else
            echo "Command is not apply, continuing"
            exit 0;
          fi

  stack-prefix:
    name: Stack Prefix
    needs: ecr
    uses: ./.github/workflows/.stack-prefix.yml
  deploy:
    name: Deploys
    needs: [stack-prefix]
    uses: ./.github/workflows/.deployer.yml
    with:
      environment_name: ${{ inputs.environment_name }}
      command: ${{ inputs.command }}
      app_env: ${{ inputs.app_env }}
      stack_prefix: ${{ needs.stack-prefix.outputs.stack_prefix }}
      tag: ${{ inputs.tag }}
    secrets: inherit

  build-ui:
    name: Build And upload UI to s3 ${{ inputs.environment_name }}
    environment: ${{ inputs.environment_name }}
    if: (inputs.command == 'apply')
    needs: [deploy]
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: setup node
        uses: actions/setup-node@v6
        with:
          node-version: '24'
          cache: 'npm'
          cache-dependency-path: frontend/package-lock.json
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6
        with:
            role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
            aws-region: ${{ env.AWS_REGION }}
      - name: Build And Update UI (CF)
        working-directory: frontend
        env:
          VITE_API_BASE_URL: ${{ needs.deploy.outputs.API_GW_URL }}/api
          S3_BUCKET_ARN: ${{ needs.deploy.outputs.S3_BUCKET_ARN }}
          CF_DISTRIBUTION_ID: ${{ needs.deploy.outputs.CF_DISTRIBUTION_ID }}
        run: |
          BUCKET=$(echo "$S3_BUCKET_ARN" | cut -d: -f6)
          npm run deploy
          aws s3 cp ./dist/index.html s3://$BUCKET/index.html \
            --cache-control "no-cache, must-revalidate" \
            --content-type "text/html"
          aws s3 sync ./dist s3://$BUCKET \
            --exclude "index.html" \
            --cache-control "public, max-age=31536000, immutable" \
            --delete
          aws cloudfront create-invalidation --distribution-id $CF_DISTRIBUTION_ID --paths "/*"