-
Notifications
You must be signed in to change notification settings - Fork 3
219 lines (191 loc) · 8.87 KB
/
hrm-transcript-scrubber-ecs-deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
# Copyright (C) 2021-2023 Technology Matters
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see https://www.gnu.org/licenses/.
name: 'Deploy Transcript Scrubber to Amazon ECS'
on:
workflow_dispatch:
inputs:
environment:
description: HRM environment to deploy.
default: development
required: true
type: choice
options:
- development
- staging
- production
region:
description: AWS to deploy.
default: us-east-1
required: true
type: choice
options:
- us-east-1
- eu-west-1
- ca-central-1
workflow_call:
secrets:
AWS_ACCESS_KEY_ID:
required: true
AWS_SECRET_ACCESS_KEY:
required: true
inputs:
environment:
description: HRM environment to deploy. E.G = development, staging, production (must match with the AWS environment value). Default value = development
type: string
default: development
required: true
region:
description: AWS region to deploy. E.G = us-east-1, eu-west-1, ca-central-1. Default value = us-east-1
type: string
default: us-east-1
required: true
send-slack-message:
description: 'Specifies if should send a Slack message at the end of successful run. Defaults to true'
required: false
default: 'true'
type: string
env:
ECR_REPOSITORY: ${{ inputs.environment }}/hrm-transcript-scrubber
# if anything is set as a secret, it can't be used in outputs. So we need to set it as an env var
AWS_REGION: ${{ inputs.region }}
PRIMARY_AWS_REGION: us-east-1
jobs:
deploy_docker:
name: Build Docker Image and Set regions
runs-on: ubuntu-latest
outputs:
regions: ${{ steps.generate-output.outputs.regions }}
docker_image: ${{ steps.generate-output.outputs.docker_image}}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.PRIMARY_AWS_REGION }}
# this plugin sets the AWS account ID to a secret which is not allowed in outputs
# we have to disable that so repo output will work
mask-aws-account-id: 'no'
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Add licence
env:
PRODUCTION_PRIVATE_AI_LICENCE: ${{ secrets.PRODUCTION_PRIVATE_AI_LICENCE }}
run: |
touch ./hrm-domain/scheduled-tasks/transcript-scrubber/licence/license.json
echo "$PRODUCTION_PRIVATE_AI_LICENCE" >> ./hrm-domain/scheduled-tasks/transcript-scrubber/licence/license.json
shell: bash
- name: Log in to Private AI Registry
run: docker login -u ${{ secrets.PRODUCTION_PRIVATE_AI_DOCKER_USER }} -p ${{ secrets.PRODUCTION_PRIVATE_AI_DOCKER_PASSWORD }} crprivateaiprod.azurecr.io
- name: Build and Push Docker Image
uses: docker/build-push-action@v6
with:
context: ./
file: ./hrm-domain/scheduled-tasks/transcript-scrubber/Dockerfile
push: true
tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:live,${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:latest,${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ inputs.environment }}-hrm-transcript-scrubber-${{ github.sha }}
- id: generate-output
run: |
echo "docker_image=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${{ inputs.environment }}/hrm-transcript-scrubber-${{ github.sha }}" >> $GITHUB_OUTPUT
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: workflow-scripts-artifacts
path: .github/workflows/scripts
deploy_ecs:
needs: deploy_docker
name: Deploy to Amazon ECS
runs-on: ubuntu-latest
env:
DOCKER_IMAGE: ${{ needs.deploy_docker.outputs.docker_image }}
steps:
- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: workflow-scripts-artifacts
path: .github/workflows/scripts
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ inputs.region }}
# this plugin sets the AWS account ID to a secret which is not allowed in outputs
# we have to disable that so env.DOCKER_IMAGE will work
mask-aws-account-id: 'no'
- name: Download current ECS task definition
run: aws ecs describe-task-definition --task-definition ${{ inputs.environment }}-hrm-transcript-scrubber --query taskDefinition > task-definition-transcript-scrubber.json
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def-transcript-scrubber
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: task-definition-transcript-scrubber.json
# container-name: ${{ inputs.environment }}-hrm-transcript-scrubber
container-name: transcript-scrubber
image: ${{ env.DOCKER_IMAGE }}
- name: Deploy Amazon ECS task definition
id: transcript-scrubber-task-definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v2
with:
task-definition: ${{ steps.task-def-transcript-scrubber.outputs.task-definition }}
cluster: ${{ inputs.environment }}-ecs-cluster
- name: Update EventBridge target
run: |
chmod +x ./.github/workflows/scripts/update-event-bridge-target.sh
./.github/workflows/scripts/update-event-bridge-target.sh "${{ inputs.environment }}-hrm-transcript-scrubber" "${{ steps.transcript-scrubber-task-definition.outputs.task-definition-arn }}"
# reconfigure AWS credentials to use the default region for SSM Parameter Store.
# aws-actions/configure-aws-credentials@v4 overrides env.AWS_DEFAULT_REGION, so
# we name our env var PRIMARY_AWS_REGION to avoid that.
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.PRIMARY_AWS_REGION }}
# Set any env vars needed from Parameter Store here
- name: Set GITHUB_ACTIONS_SLACK_BOT_TOKEN
uses: 'marvinpinto/action-inject-ssm-secrets@latest'
with:
ssm_parameter: 'GITHUB_ACTIONS_SLACK_BOT_TOKEN'
env_variable_name: 'GITHUB_ACTIONS_SLACK_BOT_TOKEN'
- name: Set ASELO_DEPLOYS_CHANNEL_ID
uses: 'marvinpinto/action-inject-ssm-secrets@latest'
with:
ssm_parameter: 'ASELO_DEPLOYS_CHANNEL_ID'
env_variable_name: 'ASELO_DEPLOYS_CHANNEL_ID'
# Send Slack notifying success
- name: Slack Aselo channel
id: slack
uses: slackapi/slack-github-action@v1.26.0
with:
channel-id: ${{ env.ASELO_DEPLOYS_CHANNEL_ID }}
slack-message: '`[HRM Transcript Scrubber]` Deployment of ${{ github.ref_type }} `${{ github.ref_name }}` requested by `${{ github.triggering_actor }}` completed with SHA ${{ github.sha }} to region `${{ matrix.region }}`, environment `${{ inputs.environment }}` :rocket:.'
env:
SLACK_BOT_TOKEN: ${{ env.GITHUB_ACTIONS_SLACK_BOT_TOKEN }}
if: ${{ inputs.send-slack-message != 'false' }}
# # Update deployment matrix
# - name: Update deployment matrix
# id: update-deployment-matrix
# uses: techmatters/flex-plugins/.github/actions/deployment-matrix@master
# with:
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# aws-region: ${{ secrets.AWS_DEFAULT_REGION }}
# identifier: ${{ matrix.region }}
# environment: ${{ inputs.environment }}
# service_repo: 'hrm-transcript-scrubber'
# version_tag: ${{ github.ref_name }}