Merge pull request #137 from communitiesuk/FS-3718

FS-3718 - Amend workflow to deploy automatically
communitiesuk · Nov 3, 2023 · 7dfe337 · 7dfe337
2 parents c3f754e + ba8155c
commit 7dfe337
Show file tree

Hide file tree

Showing 4 changed files with 166 additions and 71 deletions.
diff --git a/.github/workflows/copilot_deploy.yml b/.github/workflows/copilot_deploy.yml
@@ -0,0 +1,112 @@
+name: Deploy to AWS
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description:  Which AWS Account to use
+        type: choice
+        required: true
+        options:
+        - dev
+        - test
+        - uat
+        - production
+      run_performance_tests:
+        required: false
+        default: false
+        type: boolean
+        description: Run performance tests
+      run_e2e_tests:
+        required: false
+        default: true
+        type: boolean
+        description: Run e2e tests
+  push:
+    # Ignore README markdown
+    # Only automatically deploy when something in the app or tests folder has changed
+    paths:
+      - '!**/README.md'
+      - 'app/**'
+      - 'tests/**'
+
+jobs:
+  paketo_build:
+    permissions:
+      packages: write
+    uses: communitiesuk/funding-service-design-workflows/.github/workflows/package.yml@main
+    with:
+      version_to_build: $(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+      owner: ${{ github.repository_owner }}
+      application: funding-service-design-account-store
+  pre_deploy_tests:
+    secrets:
+      E2E_PAT: ${{secrets.E2E_PAT}}
+    uses: communitiesuk/funding-service-design-workflows/.github/workflows/pre-deploy.yml@main
+    with:
+      # Note - no db-name, so defaults to postgres_db
+      postgres_unit_testing: true
+
+  dev_copilot_deploy:
+    if: inputs.environment == 'dev' || inputs.environment == ''
+    needs: [pre_deploy_tests, paketo_build]
+    concurrency: deploy-dev
+    secrets:
+      AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+    uses: ./.github/workflows/environment.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+    with:
+      workspace: 'dev'
+
+  test_copilot_deploy:
+    if: inputs.environment == 'test' || inputs.environment == ''
+    needs: [pre_deploy_tests, paketo_build]
+    concurrency: deploy-test
+    secrets:
+      AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+    uses: ./.github/workflows/environment.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+    with:
+      workspace: 'test'
+
+  # Allow the capability to override UAT with another branch, but ideally uat and production should be in sync as much as possible
+  uat_copilot_deploy:
+    if: inputs.environment == 'uat' || inputs.environment == ''
+    needs: [pre_deploy_tests, paketo_build]
+    concurrency: deploy-uat
+    secrets:
+      AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+    uses: ./.github/workflows/environment.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+    with:
+      workspace: 'uat'
+
+  # Only run this if the branch being deployed is main
+  production_copilot_deploy:
+    if: (inputs.environment == 'production' || inputs.environment == '') && github.ref == 'refs/heads/main'
+    needs: [pre_deploy_tests, paketo_build]
+    concurrency: deploy-production
+    secrets:
+      AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+    uses: ./.github/workflows/environment.yml
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+    with:
+      workspace: 'production'
+
+  # Can we realistically run E2E at this stage, or just plump for application on the grounds it checks account-store is operational?
+  post_deploy_tests:
+      needs: test_copilot_deploy
+      secrets:
+        E2E_PAT: ${{secrets.E2E_PAT}}
+      uses: communitiesuk/funding-service-design-workflows/.github/workflows/post-deploy.yml@main
+      with:
+        run_performance_tests: ${{ inputs.run_performance_tests }}
+        run_e2e_tests: ${{ inputs.run_e2e_tests }}
+        app_name: application
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -3,18 +3,6 @@ name: Deploy to Gov PaaS
 on:
   workflow_dispatch:
     inputs:
-      environment:
-        description:  Which AWS Account to use
-        type: choice
-        required: true
-        options:
-        - test
-        - uat
-      copilot:
-        description: Whether to deploy to AWS?
-        type: boolean
-        required: false
-        default: false
       deploy_to_dev:
         required: false
         default: false
@@ -26,7 +14,7 @@ on:
 
 jobs:
   test_and_deploy:
-    if: ${{ github.actor != 'dependabot[bot]' && !github.event.inputs.copilot }}
+    if: ${{ github.actor != 'dependabot[bot]' }}
     uses: communitiesuk/funding-service-design-workflows/.github/workflows/deploy.yml@main
     with:
       app_name: ${{ github.event.repository.name }}
@@ -43,61 +31,3 @@ jobs:
       CF_USER: ${{secrets.CF_USERNAME}}
       CF_PASSWORD: ${{secrets.CF_PASSWORD}}
       E2E_PAT: ${{secrets.E2E_PAT}}
-  paketo_build:
-    permissions:
-      packages: write
-    uses: communitiesuk/funding-service-design-workflows/.github/workflows/package.yml@main
-    with:
-      version_to_build: $(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
-      owner: ${{ github.repository_owner }}
-      application: funding-service-design-account-store
-  pre_deploy_tests:
-    if: ${{ github.event.inputs.copilot }}
-    secrets:
-      E2E_PAT: ${{secrets.E2E_PAT}}
-    uses: communitiesuk/funding-service-design-workflows/.github/workflows/pre-deploy.yml@main
-    with:
-      db_name: fsd_account_store_test
-      postgres_unit_testing: true
-  copilot_build:
-    if: ${{ github.event.inputs.copilot }}
-    needs: [pre_deploy_tests, paketo_build]
-    concurrency: deploy-${{ inputs.environment || 'test' }}
-    permissions:
-      id-token: write # This is required for requesting the JWT
-      contents: read  # This is required for actions/checkout
-    runs-on: ubuntu-latest
-    environment: ${{ inputs.environment || 'test' }}
-    steps:
-    - name: Git clone the repository
-      uses: actions/checkout@v3
-
-    - name: Get current date
-      id: currentdatetime
-      run: echo "datetime=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
-
-    - name: configure aws credentials
-      uses: aws-actions/configure-aws-credentials@v2
-      with:
-        role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/GithubCopilotDeploy
-        role-session-name: ACCOUNT_STORE_COPILOT_${{ steps.currentdatetime.outputs.datetime }}
-        aws-region: eu-west-2
-
-    - name: Install AWS Copilot CLI
-      run: |
-        curl -Lo aws-copilot https://github.com/aws/copilot-cli/releases/latest/download/copilot-linux && chmod +x aws-copilot && sudo mv aws-copilot /usr/local/bin/copilot
-
-    - name: Inject Git SHA into manifest
-      run: |
-        yq -i '.variables.GITHUB_SHA = "${{ github.sha }}"'  copilot/fsd-account-store/manifest.yml
-
-    - name: Inject replacement image into manifest
-      run: |
-        yq -i '.image.location = "ghcr.io/communitiesuk/funding-service-design-account-store:${{ github.ref_name == 'main' && 'latest' || github.ref_name }}"'  copilot/fsd-account-store/manifest.yml
-
-    - name: Run database migrations
-      run: scripts/migration-task-script.py ${{ inputs.environment || 'test' }}
-
-    - name: Copilot deploy
-      run: |
-        copilot deploy --env ${{ inputs.environment || 'test' }}
diff --git a/.github/workflows/environment.yml b/.github/workflows/environment.yml
@@ -0,0 +1,49 @@
+name: Environment Deployment
+on:
+  workflow_call:
+    inputs:
+      workspace:
+        required: true
+        type: string
+    secrets:
+      AWS_ACCOUNT:
+        required: true
+
+jobs:
+  copilot_deploy:
+    permissions:
+      id-token: write # This is required for requesting the JWT
+      contents: read  # This is required for actions/checkout
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.workspace }}
+    steps:
+    - name: Git clone the repository
+      uses: actions/checkout@v3
+
+    - name: Get current date
+      id: currentdatetime
+      run: echo "datetime=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
+
+    - name: configure aws credentials
+      uses: aws-actions/configure-aws-credentials@v2
+      with:
+        role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/GithubCopilotDeploy
+        role-session-name: ACCOUNT_STORE_${{ inputs.workspace }}_COPILOT_${{ steps.currentdatetime.outputs.datetime }}
+        aws-region: eu-west-2
+
+    - name: Install AWS Copilot CLI
+      run: |
+        curl -Lo aws-copilot https://github.com/aws/copilot-cli/releases/latest/download/copilot-linux && chmod +x aws-copilot && sudo mv aws-copilot /usr/local/bin/copilot
+
+    - name: Inject Git SHA into manifest
+      run: |
+        yq -i '.variables.GITHUB_SHA = "${{ github.sha }}"'  copilot/fsd-account-store/manifest.yml
+
+    - name: Inject replacement image into manifest
+      run: |
+        yq -i '.image.location = "ghcr.io/communitiesuk/funding-service-design-account-store:${{ github.ref_name == 'main' && 'latest' || github.ref_name }}"'  copilot/fsd-account-store/manifest.yml
+
+    - name: Copilot ${{ inputs.workspace }} deploy
+      id: deploy_build
+      run: |
+        copilot svc deploy --env ${{ inputs.workspace }}
diff --git a/copilot/fsd-account-store/addons/fsd-account-store-cluster.yml b/copilot/fsd-account-store/addons/fsd-account-store-cluster.yml
@@ -21,8 +21,12 @@ Mappings:
       "DBMinCapacity": 0.5 # AllowedValues: from 0.5 through 128
       "DBMaxCapacity": 8   # AllowedValues: from 0.5 through 128
   BastionMap:
+    dev:
+      "SecurityGroup": "sg-0b6c7aabb95bf14a9"
     test:
       "SecurityGroup": "sg-0cf75a004dbade7b8"
+    uat:
+      "SecurityGroup": "sg-04017abfef2079894"
 
 Resources:
   fsdaccountstoreclusterDBSubnetGroup: