diff --git a/.github/workflows/copilot_deploy.yml b/.github/workflows/copilot_deploy.yml
new file mode 100644
index 0000000..c2e43fb
--- /dev/null
+++ b/.github/workflows/copilot_deploy.yml
@@ -0,0 +1,112 @@
+name: Deploy to AWS
+on:
+ workflow_dispatch:
+ inputs:
+ environment:
+ description: Which AWS Account to use
+ type: choice
+ required: true
+ options:
+ - dev
+ - test
+ - uat
+ - production
+ run_performance_tests:
+ required: false
+ default: false
+ type: boolean
+ description: Run performance tests
+ run_e2e_tests:
+ required: false
+ default: true
+ type: boolean
+ description: Run e2e tests
+ push:
+ # Ignore README markdown
+ # Only automatically deploy when something in the app or tests folder has changed
+ paths:
+ - '!**/README.md'
+ - 'app/**'
+ - 'tests/**'
+
+jobs:
+ paketo_build:
+ permissions:
+ packages: write
+ uses: communitiesuk/funding-service-design-workflows/.github/workflows/package.yml@main
+ with:
+ version_to_build: $(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+ owner: ${{ github.repository_owner }}
+ application: funding-service-design-account-store
+ pre_deploy_tests:
+ secrets:
+ E2E_PAT: ${{secrets.E2E_PAT}}
+ uses: communitiesuk/funding-service-design-workflows/.github/workflows/pre-deploy.yml@main
+ with:
+ # Note - no db-name, so defaults to postgres_db
+ postgres_unit_testing: true
+
+ dev_copilot_deploy:
+ if: inputs.environment == 'dev' || inputs.environment == ''
+ needs: [pre_deploy_tests, paketo_build]
+ concurrency: deploy-dev
+ secrets:
+ AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+ uses: ./.github/workflows/environment.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ with:
+ workspace: 'dev'
+
+ test_copilot_deploy:
+ if: inputs.environment == 'test' || inputs.environment == ''
+ needs: [pre_deploy_tests, paketo_build]
+ concurrency: deploy-test
+ secrets:
+ AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+ uses: ./.github/workflows/environment.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ with:
+ workspace: 'test'
+
+ # Allow the capability to override UAT with another branch, but ideally uat and production should be in sync as much as possible
+ uat_copilot_deploy:
+ if: inputs.environment == 'uat' || inputs.environment == ''
+ needs: [pre_deploy_tests, paketo_build]
+ concurrency: deploy-uat
+ secrets:
+ AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+ uses: ./.github/workflows/environment.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ with:
+ workspace: 'uat'
+
+ # Only run this if the branch being deployed is main
+ production_copilot_deploy:
+ if: (inputs.environment == 'production' || inputs.environment == '') && github.ref == 'refs/heads/main'
+ needs: [pre_deploy_tests, paketo_build]
+ concurrency: deploy-production
+ secrets:
+ AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
+ uses: ./.github/workflows/environment.yml
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ with:
+ workspace: 'production'
+
+ # Can we realistically run E2E at this stage, or just plump for application on the grounds it checks account-store is operational?
+ post_deploy_tests:
+ needs: test_copilot_deploy
+ secrets:
+ E2E_PAT: ${{secrets.E2E_PAT}}
+ uses: communitiesuk/funding-service-design-workflows/.github/workflows/post-deploy.yml@main
+ with:
+ run_performance_tests: ${{ inputs.run_performance_tests }}
+ run_e2e_tests: ${{ inputs.run_e2e_tests }}
+ app_name: application
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index f70f1fd..c2a2cfb 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
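Review bot: The three reusable workflows (`paketo_build`, `pre_deploy_tests`, `post_deploy_tests`) are pulled from `communitiesuk/funding-service-design-workflows` at the mutable `@main` ref, so whatever lands on that branch runs here with `packages: write` and the `E2E_PAT` secret; pin each `uses:` to a full commit SHA, e.g. `uses: communitiesuk/funding-service-design-workflows/.github/workflows/package.yml@<commit-sha>  # main`, and let Dependabot bump it. On a `push` event the `inputs` context is empty, so the `inputs.environment == ''` arm is true for every branch push touching `app/**` or `tests/**` and dev, test and uat all deploy from that branch — the comment above `uat_copilot_deploy` suggests this is intended, but it means any writer's branch reaches uat, so the `uat` GitHub environment needs protection rules (required reviewers or a deployment-branch policy) to be more than a label. Also, in `paths:` the negation `'!**/README.md'` precedes the positive patterns, and GitHub re-includes a path matched by a later positive pattern, so `app/README.md` still triggers a deploy despite the "Ignore README markdown" comment; move the `!` entry after `'app/**'` and `'tests/**'`.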
@@ -3,18 +3,6 @@ name: Deploy to Gov PaaS
 on:
 workflow_dispatch:
 inputs:
- environment:
- description: Which AWS Account to use
- type: choice
- required: true
- options:
- - test
- - uat
- copilot:
- description: Whether to deploy to AWS?
- type: boolean
- required: false
- default: false
 deploy_to_dev:
 required: false
 default: false
@@ -26,7 +14,7 @@ on:
 jobs:
 test_and_deploy:
- if: ${{ github.actor != 'dependabot[bot]' && !github.event.inputs.copilot }}
+ if: ${{ github.actor != 'dependabot[bot]' }}
 uses: communitiesuk/funding-service-design-workflows/.github/workflows/deploy.yml@main
 with:
 app_name: ${{ github.event.repository.name }}
@@ -43,61 +31,3 @@ jobs:
 CF_USER: ${{secrets.CF_USERNAME}}
 CF_PASSWORD: ${{secrets.CF_PASSWORD}}
 E2E_PAT: ${{secrets.E2E_PAT}}
- paketo_build:
- permissions:
- packages: write
- uses: communitiesuk/funding-service-design-workflows/.github/workflows/package.yml@main
- with:
- version_to_build: $(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
- owner: ${{ github.repository_owner }}
- application: funding-service-design-account-store
- pre_deploy_tests:
- if: ${{ github.event.inputs.copilot }}
- secrets:
- E2E_PAT: ${{secrets.E2E_PAT}}
- uses: communitiesuk/funding-service-design-workflows/.github/workflows/pre-deploy.yml@main
- with:
- db_name: fsd_account_store_test
- postgres_unit_testing: true
- copilot_build:
- if: ${{ github.event.inputs.copilot }}
- needs: [pre_deploy_tests, paketo_build]
- concurrency: deploy-${{ inputs.environment || 'test' }}
- permissions:
- id-token: write # This is required for requesting the JWT
- contents: read # This is required for actions/checkout
- runs-on: ubuntu-latest
- environment: ${{ inputs.environment || 'test' }}
- steps:
- - name: Git clone the repository
- uses: actions/checkout@v3
-
- - name: Get current date
- id: currentdatetime
- run: echo "datetime=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
-
- - name: configure aws credentials
- uses: aws-actions/configure-aws-credentials@v2
- with:
- role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/GithubCopilotDeploy
- role-session-name: ACCOUNT_STORE_COPILOT_${{ steps.currentdatetime.outputs.datetime }}
- aws-region: eu-west-2
-
- - name: Install AWS Copilot CLI
- run: |
- curl -Lo aws-copilot https://github.com/aws/copilot-cli/releases/latest/download/copilot-linux && chmod +x aws-copilot && sudo mv aws-copilot /usr/local/bin/copilot
-
- - name: Inject Git SHA into manifest
- run: |
- yq -i '.variables.GITHUB_SHA = "${{ github.sha }}"' copilot/fsd-account-store/manifest.yml
-
- - name: Inject replacement image into manifest
- run: |
- yq -i '.image.location = "ghcr.io/communitiesuk/funding-service-design-account-store:${{ github.ref_name == 'main' && 'latest' || github.ref_name }}"' copilot/fsd-account-store/manifest.yml
-
- - name: Run database migrations
- run: scripts/migration-task-script.py ${{ inputs.environment || 'test' }}
-
- - name: Copilot deploy
- run: |
- copilot deploy --env ${{ inputs.environment || 'test' }}
diff --git a/.github/workflows/environment.yml b/.github/workflows/environment.yml
new file mode 100644
index 0000000..b8f31c8
--- /dev/null
+++ b/.github/workflows/environment.yml
@@ -0,0 +1,49 @@
+name: Environment Deployment
+on:
+ workflow_call:
+ inputs:
+ workspace:
+ required: true
+ type: string
+ secrets:
+ AWS_ACCOUNT:
+ required: true
+
+jobs:
+ copilot_deploy:
+ permissions:
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+ runs-on: ubuntu-latest
+ environment: ${{ inputs.workspace }}
+ steps:
+ - name: Git clone the repository
+ uses: actions/checkout@v3
+
+ - name: Get current date
+ id: currentdatetime
+ run: echo "datetime=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
+
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/GithubCopilotDeploy
+ role-session-name: ACCOUNT_STORE_${{ inputs.workspace }}_COPILOT_${{ steps.currentdatetime.outputs.datetime }}
+ aws-region: eu-west-2
+
+ - name: Install AWS Copilot CLI
+ run: |
+ curl -Lo aws-copilot https://github.com/aws/copilot-cli/releases/latest/download/copilot-linux && chmod +x aws-copilot && sudo mv aws-copilot /usr/local/bin/copilot
+
+ - name: Inject Git SHA into manifest
+ run: |
+ yq -i '.variables.GITHUB_SHA = "${{ github.sha }}"' copilot/fsd-account-store/manifest.yml
+
+ - name: Inject replacement image into manifest
+ run: |
+ yq -i '.image.location = "ghcr.io/communitiesuk/funding-service-design-account-store:${{ github.ref_name == 'main' && 'latest' || github.ref_name }}"' copilot/fsd-account-store/manifest.yml
+
+ - name: Copilot ${{ inputs.workspace }} deploy
+ id: deploy_build
+ run: |
+ copilot svc deploy --env ${{ inputs.workspace }}
diff --git a/copilot/fsd-account-store/addons/fsd-account-store-cluster.yml b/copilot/fsd-account-store/addons/fsd-account-store-cluster.yml
index f9b2114..b5bf660 100644
--- a/copilot/fsd-account-store/addons/fsd-account-store-cluster.yml
+++ b/copilot/fsd-account-store/addons/fsd-account-store-cluster.yml
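Review bot: The `Install AWS Copilot CLI` step downloads `releases/latest/download/copilot-linux` with no version pin and no checksum or signature verification, then executes it in a job that has just assumed the `GithubCopilotDeploy` role for the target account (production included), so a compromised or merely changed upstream release runs with deploy credentials; pin the release, verify the published checksum, and use `curl -fsSL` so an HTTP error fails the step instead of being saved and `chmod +x`'d as the binary. The `Inject replacement image` step also splices `${{ github.ref_name }}` directly into a `run:` script inside single quotes — branch names may contain quotes and shell metacharacters and this workflow runs on pushes from any branch — so pass the value through `env:` and read it with yq's `strenv()` instead of string interpolation. `actions/checkout@v3` and `aws-actions/configure-aws-credentials@v2` are mutable tags and should be pinned to commit SHAs for the same reason. Separately, copilot_deploy.yml's `version_to_build` keeps only the last path segment of `github.ref` while the image tag here uses the full `github.ref_name`, so a `feature/x` branch is built as `x` but the manifest asks for `...:feature/x` (not a valid image tag); the two derivations should match, and for `main` deploying the mutable `latest` tag rather than a `github.sha`-tagged image means the `GITHUB_SHA` variable injected above can disagree with the image actually pulled.
```yaml
      - name: Install AWS Copilot CLI
        env:
          COPILOT_VERSION: "<pinned release tag>"
          COPILOT_SHA256: "<sha256 published for copilot-linux at that release>"
        run: |
          curl -fsSLo aws-copilot "https://github.com/aws/copilot-cli/releases/download/${COPILOT_VERSION}/copilot-linux"
          echo "${COPILOT_SHA256}  aws-copilot" | sha256sum -c -
          chmod +x aws-copilot && sudo mv aws-copilot /usr/local/bin/copilot

      # … unchanged: Inject Git SHA into manifest …

      - name: Inject replacement image into manifest
        env:
          # Handed over via the environment so shell metacharacters in a branch name
          # cannot break out of the yq expression.
          IMAGE_TAG: ${{ github.ref_name == 'main' && 'latest' || github.ref_name }}
        run: |
          yq -i '.image.location = "ghcr.io/communitiesuk/funding-service-design-account-store:" + strenv(IMAGE_TAG)' copilot/fsd-account-store/manifest.yml
```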
@@ -21,8 +21,12 @@ Mappings:
 "DBMinCapacity": 0.5 # AllowedValues: from 0.5 through 128
 "DBMaxCapacity": 8 # AllowedValues: from 0.5 through 128
 BastionMap:
+ dev:
+ "SecurityGroup": "sg-0b6c7aabb95bf14a9"
 test:
 "SecurityGroup": "sg-0cf75a004dbade7b8"
+ uat:
+ "SecurityGroup": "sg-04017abfef2079894"
 Resources:
 fsdaccountstoreclusterDBSubnetGroup:
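Review bot: `BastionMap` now has `dev`, `test` and `uat` entries but no `production`, while copilot_deploy.yml in this same commit adds a `production` workspace; if this map is resolved with `Fn::FindInMap` keyed on the environment name (the lookup is outside the hunk, so this is inferred), the first production deploy will fail at template validation rather than at a reviewable point. Either add the production entry alongside these or state the intent above the map, e.g. `# One bastion security group per environment; production deliberately has no entry — add one before enabling production deploys`. The security-group IDs are also account-specific, so a comment noting which AWS account each ID belongs to would make a mismatch between `AWS_ACCOUNT` and the mapped SG easier to catch in review.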