Merge pull request #20 from Bahmni/BAH-4126 #292
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Validate and Deploy to AWS | |
on: | |
push: | |
branches: [ main ] | |
paths-ignore: | |
- 'README.md' | |
- '.github/workflows/start_scheduler.yml' | |
- '.github/workflows/stop_scheduler.yml' | |
env: | |
TERRAFORM_VERSION: 1.3.0 | |
jobs: | |
terrascan: | |
name: Terrascan | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{env.TERRAFORM_VERSION}} | |
- name: Terrascan scan and validate | |
run: ./terrascan/terrascan.sh | |
tflint: | |
name: TFLint | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{env.TERRAFORM_VERSION}} | |
- name: Install TFLint | |
run: curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash | |
- name: TFLint | |
run: ./tflint/tflint.sh | |
tfsec: | |
name: TFSec | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{env.TERRAFORM_VERSION}} | |
- name: Install tfsec | |
run: curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash | |
- name: tfsec | |
run: ./tfsec/tfsec.sh | |
tfvalidate: | |
name: Terraform Validate | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{env.TERRAFORM_VERSION}} | |
- name: Terraform Validate | |
run: ./terraform/tf-validate.sh | |
provision-resources: | |
name: Provision Resources | |
needs: [ terrascan, tflint, tfsec, tfvalidate ] | |
if: ${{ (needs.terrascan.result == 'success') && (needs.tflint.result == 'success') && (needs.tfvalidate.result == 'success') && (needs.tfsec.result == 'success') }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
- uses: hashicorp/setup-terraform@v3 | |
with: | |
terraform_version: ${{env.TERRAFORM_VERSION}} | |
terraform_wrapper: false | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }} | |
aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }} | |
aws-region: ap-south-1 | |
role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }} | |
role-duration-seconds: 1200 # 20 mins | |
role-session-name: BahmniInfraAdminSession | |
- name: Provision resources for nonprod | |
env: | |
TF_VAR_hosted_zone_id: Z08282853KUE36WP4UDPI | |
TF_VAR_domain_name: mybahmni.in | |
run: | | |
cd terraform/ | |
terraform init -backend-config=config.s3.tfbackend -backend-config='key=nonprod/terraform.tfstate' | |
terraform apply -var-file=nonprod.tfvars -auto-approve | |
echo "CLUSTER_NAME=$(terraform output -raw eks_cluster_name)" >> $GITHUB_ENV | |
- name: Setup Amazon EFS driver and StorageClass | |
run: | | |
export fileSystemId=$(aws ssm get-parameter --with-decryption --name "/nonprod/efs/file_system_id" --query "Parameter.Value" --output text) | |
aws eks update-kubeconfig --name $CLUSTER_NAME | |
kubectl kustomize \ | |
"github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.5" > public-ecr-driver.yaml | |
curl -o storageclass.yaml \ | |
https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/v1.6.0/examples/kubernetes/dynamic_provisioning/specs/storageclass.yaml | |
kubectl delete deployment efs-csi-controller -n kube-system || echo "Creating the deployment..." | |
kubectl delete daemonset efs-csi-node -n kube-system || echo "Creating the daemonset..." | |
yq -i e '.metadata.name |= "bahmni-efs-sc"' storageclass.yaml | |
yq -i e '.parameters.fileSystemId |= env(fileSystemId)' storageclass.yaml | |
yq -i e '.parameters.directoryPerms |= "770"' storageclass.yaml | |
kubectl apply -f public-ecr-driver.yaml | |
kubectl apply -f storageclass.yaml | |
slack-workflow-status: | |
name: Notify on Slack | |
if: ${{ always() }} | |
needs: [ provision-resources ] | |
runs-on: ubuntu-latest | |
env: | |
STATUS: ${{ (needs.provision-resources.result == 'success') && 'success' || 'failure' }} | |
steps: | |
- name: Slack notification | |
uses: 8398a7/action-slack@v3 | |
with: | |
status: ${{ env.STATUS }} | |
fields: message,author,workflow,repo | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |