Skip to content

env vars updated

env vars updated #147

# This is a basic workflow to help you get started with Actions
name: Connect to an AWS role from a GitHub repository
# Controls when the action will run. Invokes the workflow on push events but only for the main branch
on:
push:
branches: [5165-cicd]
pull_request:
branches: [main]
env:
ENVIRONMENT: development
ECR_REPOSITORY: test # set this to your Amazon ECR repository name
ECS_SERVICE: ogcapi-java-service # set this to your Amazon ECS service name
ECS_CLUSTER: aodn-imos-v2 # set this to your Amazon ECS cluster name
ECS_TASK_DEFINITION: ./ogcapi-java-dev-td.json #MY_ECS_TASK_DEFINITION # set this to the path to your Amazon ECS task definition
CONTAINER_NAME: aodn-dev-container # set this to the name of the container in the
CA_DOMAIN: test
CA_DOMAIN_OWNER: test
CA_REPO: test
CA_PACKAGE: test
CA_NAMESPACE: test
# Permission can be added at job level or workflow level
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
AWS-ECR-ECS-Deploy:
runs-on: ubuntu-latest
environment: development
steps:
- name: Git clone the repository
uses: actions/checkout@v3
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.ROLE_ARN }}
role-session-name: GitHub_to_AWS_via_FederatedOIDC
aws-region: ${{ vars.AWS_REGION }}
# Hello from AWS: WhoAmI
- name: Sts GetCallerIdentity
run: |
aws sts get-caller-identity
- name: Install jq
run: sudo apt-get update && sudo apt-get install -y jq
- name: Retrieve Parameters - ssm parameter store
id: getParameters
run: |
# Replace '--path' with your specific path from Parameter Store
parameters=$(aws ssm get-parameters-by-path --path "/core/ogcapi/dev_ecr_ecs_config/" --recursive --query 'Parameters[*].[Name,Value]' --output json)
echo "$parameters" > parameters.json
echo "::set-output name=parameters_json::$parameters"
- name: Process Parameters - ssm parameter store
run: |
parameters=$(cat parameters.json)
# Loop through the JSON array of parameters using jq
for row in $(echo "${parameters}" | jq -r '.[] | @base64'); do
_jq() {
echo "${row}" | base64 --decode | jq -r "${1}"
}
name=$(_jq '.[0]')
value=$(_jq '.[1]')
echo "Name: $name, Value: $value"
# Perform actions using parameter values here
# For example, set environment variables
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/ecr_repo" ]; then
echo "ECR_REPOSITORY=$value" >> "$GITHUB_ENV"
fi
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/ecs_cluster" ]; then
echo "ECS_CLUSTER=$value" >> "$GITHUB_ENV"
fi
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/ecs_service" ]; then
echo "ECS_SERVICE=$value" >> "$GITHUB_ENV"
fi
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/container_name" ]; then
echo "CONTAINER_NAME=$value" >> "$GITHUB_ENV"
fi
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/ca_domain" ]; then
echo "CA_DOMAIN=$value" >> "$GITHUB_ENV"
fi
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/ca_domain_owner" ]; then
echo "CA_DOMAIN_OWNER=$value" >> "$GITHUB_ENV"
fi
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/ca_repo" ]; then
echo "CA_REPO=$value" >> "$GITHUB_ENV"
fi
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/ca_package" ]; then
echo "CA_PACKAGE=$value" >> "$GITHUB_ENV"
fi
if [ "$name" = "/core/ogcapi/dev_ecr_ecs_config/ca_namespace" ]; then
echo "CA_NAMESPACE=$value" >> "$GITHUB_ENV"
fi
done
- name: Prepare Build-ID
id: prep
run: |
BRANCH=${GITHUB_REF##*/}
TS=$(date +%s)
REVISION=${GITHUB_SHA::8}
BUILD_ID="${BRANCH}-${REVISION}-${TS}"
LATEST_ID=canary
if [[ $GITHUB_REF == refs/tags/* ]]; then
BUILD_ID=${GITHUB_REF/refs\/tags\//}
LATEST_ID=latest
fi
echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')"
echo "LATEST_ID=$LATEST_ID"
echo "BUILD_ID=$BUILD_ID" >> $GITHUB_OUTPUT
- name: Checkout
uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'
cache: 'maven'
- name: Build with Maven
run: |
mvn -B package --file pom.xml
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: Build and tag image
id: build-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ steps.prep.outputs.BUILD_ID }}
run: |
# build a docker container to be deployed to ecr-ecs.
docker build -t $ECR_REPOSITORY:$IMAGE_TAG .
echo "image=$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Run Trivy vulnerability scanner in docker mode
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.build-image.outputs.image }}
format: 'table'
severity: 'HIGH,CRITICAL'
vuln-type: 'os,library'
exit-code: 1
ignore-unfixed: true
continue-on-error: true
- name: Push image to Amazon ECR
id: push-image
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
IMAGE_TAG: ${{ steps.prep.outputs.BUILD_ID }}
run: |
# push image to aws ecr
docker push $ECR_REPOSITORY:$IMAGE_TAG
echo "image=$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Fill in the new image ID in the Amazon ECS task definition
id: task-def
uses: aws-actions/amazon-ecs-render-task-definition@v1
with:
task-definition: ${{ env.ECS_TASK_DEFINITION }}
container-name: ${{ env.CONTAINER_NAME }}
image: ${{ steps.push-image.outputs.image }}
environment-variables: |
ENVIRONMENT=${{ env.ENVIRONMENT }}
HOST=${{ vars.HOST }}
PORT=${{ vars.PORT }}
ELASTIC_URL=${{ vars.ELASTIC_URL }}
ELASTIC_KEY=${{ secrets.ELASTIC_KEY }}
IMAGE=${{ steps.push-image.outputs.image }}
- name: Deploy Amazon ECS task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@v1
id: ecs-deploy
with:
task-definition: ${{ steps.task-def.outputs.task-definition }}
service: ${{ env.ECS_SERVICE }}
cluster: ${{ env.ECS_CLUSTER }}
wait-for-service-stability: true
- name: Check if deployment was successful
id: check-deployment
run: |
CURRENT_TASK_DEF_ARN=$(aws ecs describe-services --cluster ${{ env.ECS_CLUSTER }} --services ${{ env.ECS_SERVICE }} --query services[0].deployments[0].taskDefinition | jq -r ".")
NEW_TASK_DEF_ARN=${{ steps.ecs-deploy.outputs.task-definition-arn }}
REVISION=${GITHUB_SHA::8}
echo "Current task arn: $CURRENT_TASK_DEF_ARN"
echo "New task arn: $NEW_TASK_DEF_ARN"
echo "Latest revision: $REVISION"
if [ "$CURRENT_TASK_DEF_ARN" != "$NEW_TASK_DEF_ARN" ]; then
echo "Deployment failed with latest code revision."
exit 1
else
echo "Deployment successfull."
fi
- name: Get and calculate latest package version - AWS CodeArtifact
id: ca-getversion
env:
BUILD_ID: ${{ steps.prep.outputs.BUILD_ID }}
run: |
FLAG_INITIAL=false
CURRENT_VERSION=$(aws codeartifact list-package-versions --domain $CA_DOMAIN --repository $CA_REPO --format generic --package $CA_PACKAGE --namespace $CA_NAMESPACE --query defaultDisplayVersion | jq -r ".")
echo "current version: $CURRENT_VERSION"
if [ -z "$CURRENT_VERSION" ]; then
CURRENT_VERSION="1.0.0"
FLAG_INITIAL=true
fi
IFS='.' read -ra version_parts <<< "$CURRENT_VERSION"
MAJOR=${version_parts[0]}
MINOR=${version_parts[1]}
NEW_MINOR=$((MINOR + 1))
if [ "$FLAG_INITIAL" == "true" ]; then
NEW_MINOR="0"
fi
#version format[major.minor.build_number]
#build_number format{BRANCH}-${REVISION}-${TS}
echo "latest_version=$MAJOR.$NEW_MINOR.${{ env.BUILD_ID }}" >> $GITHUB_OUTPUT
- name: Publish JAR file - AWS CodeArtifact
id: ca-deploy
env:
CA_VERSION: ${{ steps.ca-getversion.outputs.latest_version }}
run: |
export ASSET_SHA256=$(sha256sum ${{ vars.CA_SOURCE_PATH }} | awk '{print $1;}')
#ASSET_SHA256:- This value is used as an integrity check to verify that the assetContent has not changed after it was originally sent or published.
aws codeartifact publish-package-version \
--repository $CA_REPO \
--domain $CA_DOMAIN \
--domain-owner $CA_DOMAIN_OWNER \
--format generic \
--package $CA_PACKAGE \
--asset-content ${{ vars.CA_SOURCE_PATH }} \
--package-version ${{ env.CA_VERSION }} \
--asset-name $CA_PACKAGE \
--asset-sha256 $ASSET_SHA256 \
--namespace $CA_NAMESPACE \
--output text