Deploy coder #234
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Deploy coder | |
on: | |
workflow_dispatch: | |
pull_request: | |
schedule: | |
- cron: "0 0 * * *" | |
env: | |
PROJECT_ENV: digital-defiance-cloud-infrastructure-prod | |
jobs: | |
start-runner: | |
runs-on: ubuntu-latest | |
environment: production | |
container: | |
image: ghcr.io/digital-defiance/cloud-infrastructure:latest | |
outputs: | |
label: ${{ steps.start-ec2-runner.outputs.label }} | |
ec2-instance-id: ${{ steps.start-ec2-runner.outputs.ec2-instance-id }} | |
db_url: ${{ steps.get-aws-info.outputs.db_url }} | |
steps: | |
- | |
name: Checkout | |
id: checkout | |
uses: actions/checkout@v1 | |
- | |
id: get-aws-info | |
shell: bash | |
env: | |
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
TF_TOKEN_app_terraform_io: "op://${{ env.PROJECT_ENV }}/terraform_credentials/TF_TOKEN_app_terraform_io" | |
SECRET_ARN: ${{ secrets.SECRET_ARN }} | |
run: | | |
cd coder-deployment/terraform_info | |
op run -- terraform init | |
op run -- terraform apply -auto-approve -var="secret_arn=$SECRET_ARN" | |
TERRAFORM_OUTPUT=$( op run -- terraform output -json ) | |
extract_out() { | |
echo "$TERRAFORM_OUTPUT" | jq ".$1.value" | tr -d '"' | |
} | |
save_env(){ | |
echo "$1=$2" >> $GITHUB_ENV | |
} | |
save_env AMI $(extract_out ami) | |
save_env SECURITY_GROUP_ID $(extract_out security_group_id) | |
save_env SUBNET_ID $(extract_out subnet_ids) | |
- | |
name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: eu-south-1 | |
- | |
name: Start EC2 runner | |
id: start-ec2-runner | |
uses: digital-defiance/ec2-github-runner@feature/add-storage-option | |
with: | |
mode: start | |
root-volume-size: 80 | |
ec2-instance-type: t3.small | |
subnet-id: ${{ env.SUBNET_ID }} | |
github-token: ${{ secrets.GH_PAT }} | |
ec2-image-id: ${{ env.AMI }} | |
security-group-id: ${{ env.SECURITY_GROUP_ID }} | |
pre-runner-script: | | |
sudo apt update -y | |
sudo apt -y install docker.io | |
sudo service docker start | |
sudo usermod -a -G docker ubuntu | |
sudo chmod 666 /var/run/docker.sock | |
docker version | |
kubectl: | |
name: Execute kubectl commands | |
environment: production | |
container: | |
image: ghcr.io/digital-defiance/cloud-infrastructure:latest | |
needs: | |
- start-runner | |
runs-on: ${{ needs.start-runner.outputs.label }} | |
steps: | |
- | |
name: Checkout | |
id: checkout | |
uses: actions/checkout@v1 | |
- | |
shell: bash | |
env: | |
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
AWS_SECRET_ACCESS_KEY: "op://${{ env.PROJECT_ENV }}/aws_credentials/AWS_SECRET_ACCESS_KEY" | |
AWS_ACCESS_KEY_ID: "op://${{ env.PROJECT_ENV }}/aws_credentials/AWS_ACCESS_KEY_ID" | |
TF_TOKEN_app_terraform_io: "op://${{ env.PROJECT_ENV }}/terraform_credentials/TF_TOKEN_app_terraform_io" | |
SECRET_ARN: ${{ secrets.SECRET_ARN }} | |
run: | | |
extract_out() { | |
echo "$TERRAFORM_OUTPUT" | jq ".$1.value" | tr -d '"' | |
} | |
cd coder-deployment/terraform_info | |
op run -- terraform init | |
op run -- terraform apply -auto-approve -var="secret_arn=$SECRET_ARN" | |
TERRAFORM_OUTPUT=$( op run -- terraform output -json ) | |
DB_MASTER_USERNAME=$(extract_out db_instance_master_username ) | |
DB_INSTANCE_ENDPOINT=$(extract_out db_instance_endpoint ) | |
DB_PASSWORD=$( extract_out db_instance_password ) | |
DB_PASSWORD_URLENCODED=$(jq -rn --arg x "$DB_PASSWORD" '$x|@uri') | |
export DB_URL="postgresql://$DB_MASTER_USERNAME:$DB_PASSWORD_URLENCODED@$DB_INSTANCE_ENDPOINT/postgres" | |
cd ../../ | |
make kubectl_deploy | |
stop-runner: | |
if: ${{ always() }} | |
runs-on: ubuntu-latest | |
name: "Deprovision infrastructure" | |
environment: production | |
needs: | |
- start-runner | |
- kubectl | |
steps: | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v1 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: eu-south-1 | |
- name: Stop EC2 runner | |
uses: digital-defiance/ec2-github-runner@v2 | |
with: | |
mode: stop | |
github-token: ${{ secrets.GH_PAT }} | |
label: ${{ needs.start-runner.outputs.label }} | |
ec2-instance-id: ${{ needs.start-runner.outputs.ec2-instance-id }} |