-
Notifications
You must be signed in to change notification settings - Fork 16
124 lines (117 loc) · 4.67 KB
/
validate-deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
name: Validate and Deploy to AWS
on:
push:
branches: [ main ]
paths-ignore:
- 'README.md'
env:
TERRAFORM_VERSION: 1.3.0
jobs:
terrascan:
name: Terrascan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{env.TERRAFORM_VERSION}}
- name: Terrascan scan and validate
run: ./terrascan/terrascan.sh
tflint:
name: TFLint
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{env.TERRAFORM_VERSION}}
- name: Install TFLint
run: curl -s https://raw.githubusercontent.com/terraform-linters/tflint/master/install_linux.sh | bash
- name: TFLint
run: ./tflint/tflint.sh
tfsec:
name: TFSec
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{env.TERRAFORM_VERSION}}
- name: Install tfsec
run: curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
- name: tfsec
run: ./tfsec/tfsec.sh
tfvalidate:
name: Terraform Validate
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{env.TERRAFORM_VERSION}}
- name: Terraform Validate
run: ./terraform/tf-validate.sh
provision-resources:
name: Provision Resources
needs: [ terrascan, tflint, tfsec, tfvalidate ]
if: ${{ (needs.terrascan.result == 'success') && (needs.tflint.result == 'success') && (needs.tfvalidate.result == 'success') && (needs.tfsec.result == 'success') }}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: ${{env.TERRAFORM_VERSION}}
terraform_wrapper: false
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.BAHMNI_AWS_ID }}
aws-secret-access-key: ${{ secrets.BAHMNI_AWS_SECRET }}
aws-region: ap-south-1
role-to-assume: ${{ secrets.BAHMNI_INFRA_ADMIN_ROLE }}
role-duration-seconds: 1200 # 20 mins
role-session-name: BahmniInfraAdminSession
- name: Provision resources for nonprod
env:
TF_VAR_hosted_zone_id: Z08282853KUE36WP4UDPI
TF_VAR_domain_name: mybahmni.in
run: |
cd terraform/
terraform init -backend-config=config.s3.tfbackend -backend-config='key=nonprod/terraform.tfstate'
terraform apply -var-file=nonprod.tfvars -auto-approve
echo "CLUSTER_NAME=$(terraform output -raw eks_cluster_name)" >> $GITHUB_ENV
- name: Setup Amazon EFS driver and StorageClass
run: |
export fileSystemId=$(aws ssm get-parameter --with-decryption --name "/nonprod/efs/file_system_id" --query "Parameter.Value" --output text)
aws eks update-kubeconfig --name $CLUSTER_NAME
kubectl kustomize \
"github.com/kubernetes-sigs/aws-efs-csi-driver/deploy/kubernetes/overlays/stable/?ref=release-1.5" > public-ecr-driver.yaml
curl -o storageclass.yaml \
https://raw.githubusercontent.com/kubernetes-sigs/aws-efs-csi-driver/v1.6.0/examples/kubernetes/dynamic_provisioning/specs/storageclass.yaml
kubectl delete deployment efs-csi-controller -n kube-system || echo "Creating the deployment..."
kubectl delete daemonset efs-csi-node -n kube-system || echo "Creating the daemonset..."
yq -i e '.metadata.name |= "bahmni-efs-sc"' storageclass.yaml
yq -i e '.parameters.fileSystemId |= env(fileSystemId)' storageclass.yaml
yq -i e '.parameters.directoryPerms |= "770"' storageclass.yaml
kubectl apply -f public-ecr-driver.yaml
kubectl apply -f storageclass.yaml
slack-workflow-status:
name: Notify on Slack
if: ${{ always() }}
needs: [ provision-resources ]
runs-on: ubuntu-latest
env:
STATUS: ${{ (needs.provision-resources.result == 'success') && 'success' || 'failure' }}
steps:
- name: Slack notification
uses: 8398a7/action-slack@v3
with:
status: ${{ env.STATUS }}
fields: message,author,workflow,repo
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}