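# Plans and applies the ECS Terraform stack for a chosen workspace (dev/demo).
# Runs after the "CD" and "Build Keycloak" workflows finish, on merge-queue
# checks, or manually via workflow_dispatch.
name: Terraform Plan & Terraform Apply
run-name: Terraform plan & apply ${{ inputs.workspace }} by @${{ github.actor }}
on:
  workflow_run:
    workflows: ["CD", "Build Keycloak"]
    types:
      - completed
  merge_group:
    types:
      - checks_requested
  workflow_dispatch:
    inputs:
      workspace:
        description: "Choose terraform workspace for deployment"
        required: true
        type: choice
        options:
          - dev
          - demo
        default: dev

# One apply per workspace at a time. The dispatch input is empty for the
# workflow_run and merge_group triggers, which the set-workspace step below
# treats as "dev"; the group falls back the same way instead of collapsing
# to "-terraform".
concurrency:
  group: ${{ github.event.inputs.workspace || 'dev' }}-terraform
  cancel-in-progress: false

# Least privilege for GITHUB_TOKEN: id-token for the OIDC role assumption in
# configure-aws-credentials, contents to check out, and actions: read so that
# `gh run list` in check-dependencies is allowed to list runs (with an explicit
# permissions block, unlisted scopes are none and the listing would be denied,
# leaving the dependency checks to pass vacuously).
permissions:
  id-token: write
  contents: read
  actions: read

jobs:
  # Gate: refuse to deploy if the most recent CD or Build Keycloak run on this
  # branch ended in failure or cancellation. Each step exports its result as a
  # `status` step output so the job outputs below are actually populated.
  check-dependencies:
    runs-on: ubuntu-latest
    outputs:
      source_a_status: ${{ steps.check_a_status.outputs.status }}
      source_b_status: ${{ steps.check_b_status.outputs.status }}
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4
      - name: Check CD Status
        id: check_a_status
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          echo "Checking if CD has ran."
          # `conclusion` is the field that carries failure/cancelled; `status`
          # only reports completed/in_progress/queued, and selecting `.[0]`
          # without a field yields a JSON object that never equals "failure".
          response=$(gh run list --workflow "CD" --branch "$GITHUB_REF_NAME" --limit 1 --json conclusion --jq '.[0].conclusion')
          echo "status=$response" >> "$GITHUB_OUTPUT"
          if [ "$response" = "failure" ] || [ "$response" = "cancelled" ]; then
            echo "CD workflow failed or was cancelled."
            exit 1
          fi
          echo "CD workflow completed successfully."
      - name: Check Keycloak Status
        id: check_b_status
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          echo "Checking if Keycloak has ran."
          # Same field fix as the CD check above.
          response=$(gh run list --workflow "Build Keycloak" --branch "$GITHUB_REF_NAME" --limit 1 --json conclusion --jq '.[0].conclusion')
          echo "status=$response" >> "$GITHUB_OUTPUT"
          if [ "$response" = "failure" ] || [ "$response" = "cancelled" ]; then
            echo "Building Keycloak workflow failed or was cancelled."
            exit 1
          fi
          echo "Building Keycloak workflow status is $response."

  terraform:
    needs: check-dependencies
    runs-on: ubuntu-latest
    outputs:
      workspace: ${{ steps.set-workspace.outputs.workspace }}
    defaults:
      run:
        shell: bash
        working-directory: ./terraform/implementation/ecs
    if: needs.check-dependencies.outputs.source_a_status != 'failure' && needs.check-dependencies.outputs.source_b_status != 'failure'
    steps:
      - name: Check Out Changes
        uses: actions/checkout@v4
      - name: Setup Terraform
        # NOTE(review): the action ref below is garbled in this copy
        # ("[email protected]"); confirm the intended hashicorp/setup-terraform
        # version pin, and prefer pinning to a full commit SHA so the action
        # cannot change underneath the workflow.
        uses: hashicorp/[email protected]
        with:
          terraform_version: "1.9.8"
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          aws-region: ${{ secrets.AWS_REGION }}
      # Resolve the target workspace: the dispatch input when present, else dev.
      # Expression values are handed to the script through env rather than
      # interpolated into the script text, so the shell never parses them.
      - name: Set workspace
        id: set-workspace
        env:
          INPUT_WORKSPACE: ${{ github.event.inputs.workspace }}
        run: |-
          echo "workspace=${INPUT_WORKSPACE:-dev}" >> "$GITHUB_OUTPUT"
      - name: Set URL format
        id: set-url-format
        env:
          WORKSPACE: ${{ steps.set-workspace.outputs.workspace }}
          ECS_HOSTNAME: ${{ secrets.ECS_HOSTNAME }}
        run: |
          # dev is served from the bare hostname; every other workspace gets a
          # workspace-named subdomain.
          if [[ "$WORKSPACE" == "dev" ]]; then
            echo "base_url=https://$ECS_HOSTNAME" >> "$GITHUB_OUTPUT"
          else
            echo "base_url=https://$WORKSPACE.$ECS_HOSTNAME" >> "$GITHUB_OUTPUT"
          fi
      - name: Terraform
        env:
          BUCKET: ${{ secrets.TFSTATE_BUCKET }}
          DYNAMODB_TABLE: ${{ secrets.TFSTATE_DYNAMODB_TABLE }}
          REGION: ${{ vars.region }}
          WORKSPACE: ${{ steps.set-workspace.outputs.workspace }}
          TF_VAR_umls_api_key: ${{ secrets.UMLS_API_KEY }}
          TF_VAR_ersd_api_key: ${{ secrets.ERSD_API_KEY}}
          TF_VAR_qc_tls_cert: ${{ secrets.TLS_CERT}}
          TF_VAR_qc_tls_key: ${{ secrets.TLS_KEY}}
          TF_VAR_auth_secret: ${{ secrets.AUTH_SECRET }}
          TF_VAR_keycloak_client_id: ${{ secrets.KEYCLOAK_CLIENT_ID }}
          TF_VAR_keycloak_client_secret: ${{ secrets.KEYCLOAK_CLIENT_SECRET }}
          TF_VAR_auth_keycloak_issuer: ${{ steps.set-url-format.outputs.base_url }}/keycloak
          TF_VAR_auth_url: ${{ steps.set-url-format.outputs.base_url }}
          TF_VAR_aidbox_base_url: ${{ steps.set-url-format.outputs.base_url }}/aidboxone
          TF_VAR_aidbox_client_secret: ${{ secrets.AIDBOX_CLIENT_SECRET }}
          TF_VAR_aidbox_admin_password: ${{ secrets.AIDBOX_ADMIN_PASSWORD }}
          TF_VAR_aidbox_license: ${{ secrets.AIDBOX_LICENSE }}
          TF_VAR_bastion_public_key: ${{ secrets.BASTION_PUBLIC_KEY }}
          # NOTE(review): a private key supplied as a Terraform variable is
          # written into remote state by whichever resource consumes it —
          # confirm the state bucket is encrypted and access-restricted.
          TF_VAR_bastion_private_key: ${{ secrets.BASTION_PRIVATE_KEY }}
          TF_VAR_bastion_allowed_ips: ${{ secrets.BASTION_ALLOWED_IPS }}
        shell: bash
        run: |
          # NOTE(review): deleting .terraform.lock.hcl discards the provider
          # version and checksum pins, so every run re-resolves providers from
          # the registry; committing the lock file and dropping the rm would
          # keep provider resolution reproducible.
          rm -rf .terraform .terraform.lock.hcl
          terraform init \
            -var-file="$WORKSPACE.tfvars" \
            -backend-config "bucket=$BUCKET" \
            -backend-config "dynamodb_table=$DYNAMODB_TABLE" \
            -backend-config "region=$REGION" \
            || (echo "terraform init failed, exiting..." && exit 1)
          terraform workspace select "$WORKSPACE"
          # The ACM certificate is applied first with -target, presumably so
          # the full plan can reference it — confirm against the module.
          terraform apply -auto-approve -target=aws_acm_certificate.cloudflare_cert \
            -var-file="$WORKSPACE.tfvars"
          # Save the plan and apply exactly that plan so what is shown in the
          # log is what gets applied; the -replace flags are baked into it.
          # The tfplan file embeds variable values and stays on the ephemeral
          # runner — it must not be uploaded as an artifact.
          terraform plan -out=tfplan \
            -replace="module.ecs.dockerless_remote_image.dibbs[\"query-connector\"]" \
            -replace="module.ecs.dockerless_remote_image.dibbs[\"keycloak\"]" \
            -var-file="$WORKSPACE.tfvars"
          terraform apply tfplan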