fix: remove shared secrets #177
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
################################################ | |
# GITHUB ACTION WORKFLOW NAME | |
################################################ | |
name: Deploy to p2-sandbox environment | |
################################################ | |
# GITHUB ACTION EVENT TRIGGER | |
################################################ | |
on: | |
workflow_dispatch: | |
push: | |
branches: [ 'develop' ] | |
################################################ | |
# GITHUB ACTION JOBS | |
################################################ | |
jobs: | |
deploy-p2-sandbox: | |
name: deploy-p2-sandbox | |
runs-on: ubuntu-latest | |
# environment: p2-sandbox | |
permissions: write-all | |
timeout-minutes: 15 | |
################################################ | |
# GITHUB ACTIONS GLOBAL ENV VARIABLES | |
################################################ | |
env: | |
REGION : ap-southeast-2 | |
ENV : dev # Valid values are dev,test,live only | |
STACK_NAME: p2-sandbox # Valid values are au,us,uk,p2,lf,nu,p1-sandbox,p1-stage,p2-sandbox,shared only | |
ROOTSTACK: cutie-app | |
CFNS3BucketName: devops-cfn-templates | |
PRIVATES3BucketName: devops-shared-private | |
PUBLICZONENAME: p2-sandbox.practera.com | |
BUILD_CONFIG: custom | |
STATUSREPORTS3Bucket: deployment-status.practera.com | |
STATUS: DEPLOYED | |
REQUESTOR: ${{ github.event.inputs.REQUESTOR }} | |
REASON: ${{ github.event.inputs.REASON }} | |
ENDPOINT: cutie-app.p2-sandbox.practera.com | |
BRANCH_TAG_NAME: develop | |
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
################################################ | |
# GITHUB REPO CHECKOUT | |
################################################ | |
steps: | |
- uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
################################################ | |
# NODE ENV | |
################################################ | |
- name: Setup Node.js environment | |
uses: actions/setup-node@v2 | |
with: | |
node-version: '14' | |
################################################ | |
# NODE MODULES CACHE | |
################################################ | |
- name: Cache node modules | |
uses: actions/cache@v2 | |
id: cache-node-modules | |
env: | |
cache-name: cache | |
with: | |
# npm cache files are stored in `~/.npm` on Linux/macOS | |
path: | | |
~/.npm | |
node_modules | |
*/*/node_modules | |
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package.json') }} | |
restore-keys: | | |
${{ runner.os }}-build-${{ env.cache-name }}- | |
${{ runner.os }}-build- | |
${{ runner.os }}- | |
################################################ | |
# NODE MODULES INSTALL | |
################################################ | |
- name: Install dependencies | |
if: steps.cache-node-modules.outputs.cache-hit != 'true' | |
run: npm install | |
################################################ | |
# SEGMENT ENV VARIABLE SUBSTITUION - INDEX.HTML | |
################################################ | |
- name: Segment env variable substitution for index.html file | |
run: | | |
LOCALSEGMENT_KEY=$(jq -r .localsegment package.json) | |
[[ ! -z "$LOCALSEGMENT_KEY" ]] && echo Local SEGMENT_KEY exist || SEGMENT_KEY=$SEGMENT_KEY | |
sed -i -e "s/<SEGMENT_KEY>/$SEGMENT_KEY/g" ./src/index.html | |
sed -i -e "s/$LOCALSEGMENT_KEY/$SEGMENT_KEY/g" ./src/index.html | |
cat ./src/index.html | |
env: | |
SEGMENT_KEY: AsLmvmyUc9LdCxFn0xqQhVz9CL2KCFc1 | |
################################################ | |
# GET P2 SANDBOX AWS ORGANIZATION NUMBER | |
################################################ | |
- name: Get AWS Organization Number | |
id: AWS_ORG | |
run: | | |
P2SANDBOX=$(echo $AWS_ACCOUNT_ID | jq -r .P2SANDBOX) | |
echo "::add-mask::$P2SANDBOX" | |
echo "P2SANDBOX=$P2SANDBOX" >> $GITHUB_OUTPUT | |
################################################ | |
# AWS CLI CONFIGURATION - P2SANDBOX ACCOUNT | |
################################################ | |
- name: Configure AWS Credentials from P2SANDBOX Account | |
uses: ./.github/actions/aws-oidc | |
with: | |
role-to-assume: arn:aws:iam::${{ steps.AWS_ORG.outputs.P2SANDBOX }}:role/github-restricted-role-to-assume | |
region: ${{ env.REGION }} | |
########################################################## | |
# AWS S3 SYNC - SERVERLESS TEMPLATES | |
########################################################## | |
- name: AWS S3 Sync operation | |
run: | | |
aws s3 cp serverless.yml s3://$CFNS3BucketName/$STACK_NAME/$REGION/$ROOTSTACK/sls-templates/serverless.yml | |
########################################################## | |
# CLOUDFORMATION EXPORT VARIABLES | |
########################################################## | |
- name: Cloudformation Export variables | |
run: | | |
cat >> .env <<EOF | |
CDNSharedACMCertificateArn=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CDNSharedACMCertificateArn-$ENV\`].Value" --no-paginate --output text) | |
ChatBotSNSTopicARN=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-ChatBotSNSTopicARN-$ENV\`].Value" --no-paginate --output text) | |
EOF | |
############################################################### | |
# SERVERLESS DEPLOYMENT | |
############################################################## | |
- name: Serverless deployment | |
run: | | |
echo "Serverless Deploying" | |
node_modules/.bin/serverless deploy | |
rm serverless.yml | |
env: | |
CUTIES3BUCKET: cutie-app.${{ env.PUBLICZONENAME }} | |
S3VERSIONING: true | |
NONCURRENTVERSION_EXPIREINDAYS: 30 | |
# DEFAULT_EXPIREINDAYS: 0 # Mandatory to disable | |
############################################################### | |
# ANGULAR ENVIRONMENT CREATION | |
############################################################## | |
- name: Angular Environment creation | |
run: | | |
printf "Creating required secret variables for angular environment variable creation\n\n" | |
export CUSTOM_APPKEY=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-AppKeySecret-$ENV| jq --raw-output '.SecretString' | jq -r .appkey) | |
export CUSTOM_FILESTACK_SIGNATURE=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-FilestackSecret-$ENV| jq --raw-output '.SecretString' | jq -r .signature) | |
export CUSTOM_FILESTACK_VIRUS_DETECTION=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-FilestackSecret-$ENV| jq --raw-output '.SecretString' | jq -r .virusdetection) | |
export CUSTOM_FILESTACK_KEY=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-FilestackSecret-$ENV| jq --raw-output '.SecretString' | jq -r .apikey) | |
export CUSTOM_FILESTACK_POLICY=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-FilestackSecret-$ENV| jq --raw-output '.SecretString' | jq -r .policy) | |
export CUSTOM_PUSHER_APPID=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-PusherSecret-$ENV| jq --raw-output '.SecretString' | jq -r .app_id) | |
export CUSTOM_PUSHERKEY=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-PusherSecret-$ENV| jq --raw-output '.SecretString' | jq -r .key) | |
export CUSTOM_PUSHER_SECRET=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-PusherSecret-$ENV| jq --raw-output '.SecretString' | jq -r .secret) | |
export CUSTOM_PUSHER_CLUSTER=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-PusherSecret-$ENV| jq --raw-output '.SecretString' | jq -r .cluster) | |
printf "Angular environment variable creation complete\n\n" | |
printf "Executing env.sh script\n\n" | |
chmod +x env.sh && ./env.sh | |
env: | |
CUSTOM_APPENV: ${{ env.ENV }} | |
CUSTOM_AWS_REGION_CHINA: ap-northeast-2 #TODO CHECK | |
CUSTOM_S3_BUCKET_CHINA: practera-seoul-1 #TODO CHECK | |
CUSTOM_CHATGEAPHQLENDPOINT: https://chat-api.${{ env.PUBLICZONENAME }}/ | |
CUSTOM_PATH_IMAGE: /cutie/image/uploads/ | |
CUSTOM_AWS_REGION: ${{ env.REGION }} | |
CUSTOM_PATH_ANY: /cutie/any/uploads/ | |
CUSTOM_S3_BUCKET: files.${{ env.PUBLICZONENAME }} | |
CUSTOM_APIENDPOINT: https://cutie-api.${{ env.PUBLICZONENAME }}/ | |
CUSTOM_APIENDPOINTOLD: https://admin.${{ env.PUBLICZONENAME }}/ | |
CUSTOM_PRACTERCORE: https://admin.${{ env.PUBLICZONENAME }}/ | |
CUSTOM_PATH_VIDEO: /cutie/video/uploads/ | |
CUSTOM_GEAPHQLENDPOINT: https://core-graphql-api.${{ env.PUBLICZONENAME }}/ | |
CUSTOM_ONBOARDING_PORTAL_ID: 20987346 | |
CUSTOM_ONBOARDING_FINAL_FORM_ID: 67a53834-ffac-4ebc-81cd-39f9e77167d8 | |
CUSTOM_ONBOARDING_FINAL_FORM_HIDDEN_FIELD_NAME: TICKET.content | |
CUSTOM_ONBOARDING_FORM_IN_RAW_HTML: 0 | |
CUSTOM_ONBOARDING_POPUP_FORM_ID: 67a53834-ffac-4ebc-81cd-39f9e77167d8 | |
############################################################### | |
# BUILD WEB PACKAGES | |
############################################################## | |
- name: Build Web Packages | |
run: | | |
printf '' > src/environments/environment.ts | |
node_modules/.bin/ng build --configuration=${{ env.BUILD_CONFIG }} | |
########################################################## | |
# AWS S3 SYNC OPERATIONS | |
########################################################## | |
- name: AWS S3 Sync Operations | |
run: | | |
CUTIEAPPS3=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CUTIES3BUCKET-$ENV\`].Value" --no-paginate --output text) | |
aws s3 sync www/ s3://$CUTIEAPPS3 --delete | |
########################################################## | |
# AWS CDN CACHE INVALIDATION | |
########################################################## | |
- name: AWS Cloudfront Cache invalidation | |
run: | | |
CUTIEAPPCDN=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CutieCloudFrontDistributionID-$ENV\`].Value" --no-paginate --output text) | |
for i in $CUTIEAPPCDN;do aws cloudfront create-invalidation --distribution-id $i --paths "/*";done | |
########################################################## | |
# SLACK NOTIFICATION | |
########################################################## | |
- name: Slack Notification | |
if: always() # Pick up events even if the job fails or is canceled. | |
uses: 8398a7/action-slack@v3 | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
MATRIX_CONTEXT: ${{ toJson(matrix) }} # required | |
with: | |
status: ${{ job.status }} | |
author_name: ${{ env.BRANCH_TAG_NAME }} - ${{ env.ROOTSTACK }} deployed to ${{ env.ENV }} environemnt in ${{ env.STACK_NAME }} AWS account | |
mention: 'here' | |
if_mention: failure,cancelled | |
job_name: deploy-p2-sandbox # Match the name above. | |
fields: repo,commit,eventName,ref,workflow,message,author,job,took | |
custom_payload: | | |
{ | |
username: 'GitHub Action CI WorkFlow', | |
icon_emoji: ':github:', | |
attachments: [{ | |
color: '${{ job.status }}' === 'success' ? 'good' : ${{ job.status }}' === 'failure' ? 'danger' : 'warning', | |
text: | |
`${process.env.AS_REPO}\n | |
${process.env.AS_COMMIT}\n | |
${process.env.AS_EVENT_NAME}\n | |
@${process.env.AS_REF}\n | |
@${process.env.AS_WORKFLOW}\n | |
${process.env.AS_MESSAGE}\n | |
${process.env.AS_AUTHOR}\n | |
${process.env.AS_JOB}\n | |
${process.env.AS_TOOK}`, | |
}] | |
} | |
# ################################################ | |
# # STATUS VARIABLE UPDATE | |
# ################################################ | |
- name: Deployment status variable update | |
if: ${{ failure() }} | |
run: | | |
echo "STATUS=FAILURE" >> $GITHUB_ENV | |
# ################################################ | |
# # DEVOPS-DEPLOYMENT REPORT | |
# ################################################ | |
- name: DevOps Deployment Reporting | |
if: always() | |
run: | | |
pip install --upgrade pip | |
pip install --upgrade csvtotable | |
aws s3 cp s3://$STATUSREPORTS3Bucket/deploy-reporting.sh deploy-reporting.sh | |
chmod +x deploy-reporting.sh && ./deploy-reporting.sh | |
echo "LINK="${GITHUB_REPOSITORY##*/}.html >> $GITHUB_ENV |