Skip to content

fix: remove shared secrets #177

fix: remove shared secrets

fix: remove shared secrets #177

Workflow file for this run

################################################
# GITHUB ACTION WORKFLOW NAME
################################################
name: Deploy to p2-sandbox environment
################################################
# GITHUB ACTION EVENT TRIGGER
################################################
on:
workflow_dispatch:
push:
branches: [ 'develop' ]
################################################
# GITHUB ACTION JOBS
################################################
jobs:
deploy-p2-sandbox:
name: deploy-p2-sandbox
runs-on: ubuntu-latest
# environment: p2-sandbox
permissions: write-all
timeout-minutes: 15
################################################
# GITHUB ACTIONS GLOBAL ENV VARIABLES
################################################
env:
REGION : ap-southeast-2
ENV : dev # Valid values are dev,test,live only
STACK_NAME: p2-sandbox # Valid values are au,us,uk,p2,lf,nu,p1-sandbox,p1-stage,p2-sandbox,shared only
ROOTSTACK: cutie-app
CFNS3BucketName: devops-cfn-templates
PRIVATES3BucketName: devops-shared-private
PUBLICZONENAME: p2-sandbox.practera.com
BUILD_CONFIG: custom
STATUSREPORTS3Bucket: deployment-status.practera.com
STATUS: DEPLOYED
REQUESTOR: ${{ github.event.inputs.REQUESTOR }}
REASON: ${{ github.event.inputs.REASON }}
ENDPOINT: cutie-app.p2-sandbox.practera.com
BRANCH_TAG_NAME: develop
AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
################################################
# GITHUB REPO CHECKOUT
################################################
steps:
- uses: actions/checkout@v2
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
################################################
# NODE ENV
################################################
- name: Setup Node.js environment
uses: actions/setup-node@v2
with:
node-version: '14'
################################################
# NODE MODULES CACHE
################################################
- name: Cache node modules
uses: actions/cache@v2
id: cache-node-modules
env:
cache-name: cache
with:
# npm cache files are stored in `~/.npm` on Linux/macOS
path: |
~/.npm
node_modules
*/*/node_modules
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package.json') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-
${{ runner.os }}-build-
${{ runner.os }}-
################################################
# NODE MODULES INSTALL
################################################
- name: Install dependencies
if: steps.cache-node-modules.outputs.cache-hit != 'true'
run: npm install
################################################
# SEGMENT ENV VARIABLE SUBSTITUION - INDEX.HTML
################################################
- name: Segment env variable substitution for index.html file
run: |
LOCALSEGMENT_KEY=$(jq -r .localsegment package.json)
[[ ! -z "$LOCALSEGMENT_KEY" ]] && echo Local SEGMENT_KEY exist || SEGMENT_KEY=$SEGMENT_KEY
sed -i -e "s/<SEGMENT_KEY>/$SEGMENT_KEY/g" ./src/index.html
sed -i -e "s/$LOCALSEGMENT_KEY/$SEGMENT_KEY/g" ./src/index.html
cat ./src/index.html
env:
SEGMENT_KEY: AsLmvmyUc9LdCxFn0xqQhVz9CL2KCFc1
################################################
# GET P2 SANDBOX AWS ORGANIZATION NUMBER
################################################
- name: Get AWS Organization Number
id: AWS_ORG
run: |
P2SANDBOX=$(echo $AWS_ACCOUNT_ID | jq -r .P2SANDBOX)
echo "::add-mask::$P2SANDBOX"
echo "P2SANDBOX=$P2SANDBOX" >> $GITHUB_OUTPUT
################################################
# AWS CLI CONFIGURATION - P2SANDBOX ACCOUNT
################################################
- name: Configure AWS Credentials from P2SANDBOX Account
uses: ./.github/actions/aws-oidc
with:
role-to-assume: arn:aws:iam::${{ steps.AWS_ORG.outputs.P2SANDBOX }}:role/github-restricted-role-to-assume
region: ${{ env.REGION }}
##########################################################
# AWS S3 SYNC - SERVERLESS TEMPLATES
##########################################################
- name: AWS S3 Sync operation
run: |
aws s3 cp serverless.yml s3://$CFNS3BucketName/$STACK_NAME/$REGION/$ROOTSTACK/sls-templates/serverless.yml
##########################################################
# CLOUDFORMATION EXPORT VARIABLES
##########################################################
- name: Cloudformation Export variables
run: |
cat >> .env <<EOF
CDNSharedACMCertificateArn=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CDNSharedACMCertificateArn-$ENV\`].Value" --no-paginate --output text)
ChatBotSNSTopicARN=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-ChatBotSNSTopicARN-$ENV\`].Value" --no-paginate --output text)
EOF
###############################################################
# SERVERLESS DEPLOYMENT
##############################################################
- name: Serverless deployment
run: |
echo "Serverless Deploying"
node_modules/.bin/serverless deploy
rm serverless.yml
env:
CUTIES3BUCKET: cutie-app.${{ env.PUBLICZONENAME }}
S3VERSIONING: true
NONCURRENTVERSION_EXPIREINDAYS: 30
# DEFAULT_EXPIREINDAYS: 0 # Mandatory to disable
###############################################################
# ANGULAR ENVIRONMENT CREATION
##############################################################
- name: Angular Environment creation
run: |
printf "Creating required secret variables for angular environment variable creation\n\n"
export CUSTOM_APPKEY=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-AppKeySecret-$ENV| jq --raw-output '.SecretString' | jq -r .appkey)
export CUSTOM_FILESTACK_SIGNATURE=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-FilestackSecret-$ENV| jq --raw-output '.SecretString' | jq -r .signature)
export CUSTOM_FILESTACK_VIRUS_DETECTION=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-FilestackSecret-$ENV| jq --raw-output '.SecretString' | jq -r .virusdetection)
export CUSTOM_FILESTACK_KEY=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-FilestackSecret-$ENV| jq --raw-output '.SecretString' | jq -r .apikey)
export CUSTOM_FILESTACK_POLICY=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-FilestackSecret-$ENV| jq --raw-output '.SecretString' | jq -r .policy)
export CUSTOM_PUSHER_APPID=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-PusherSecret-$ENV| jq --raw-output '.SecretString' | jq -r .app_id)
export CUSTOM_PUSHERKEY=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-PusherSecret-$ENV| jq --raw-output '.SecretString' | jq -r .key)
export CUSTOM_PUSHER_SECRET=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-PusherSecret-$ENV| jq --raw-output '.SecretString' | jq -r .secret)
export CUSTOM_PUSHER_CLUSTER=$(aws secretsmanager get-secret-value --secret-id $STACK_NAME-PusherSecret-$ENV| jq --raw-output '.SecretString' | jq -r .cluster)
printf "Angular environment variable creation complete\n\n"
printf "Executing env.sh script\n\n"
chmod +x env.sh && ./env.sh
env:
CUSTOM_APPENV: ${{ env.ENV }}
CUSTOM_AWS_REGION_CHINA: ap-northeast-2 #TODO CHECK
CUSTOM_S3_BUCKET_CHINA: practera-seoul-1 #TODO CHECK
CUSTOM_CHATGEAPHQLENDPOINT: https://chat-api.${{ env.PUBLICZONENAME }}/
CUSTOM_PATH_IMAGE: /cutie/image/uploads/
CUSTOM_AWS_REGION: ${{ env.REGION }}
CUSTOM_PATH_ANY: /cutie/any/uploads/
CUSTOM_S3_BUCKET: files.${{ env.PUBLICZONENAME }}
CUSTOM_APIENDPOINT: https://cutie-api.${{ env.PUBLICZONENAME }}/
CUSTOM_APIENDPOINTOLD: https://admin.${{ env.PUBLICZONENAME }}/
CUSTOM_PRACTERCORE: https://admin.${{ env.PUBLICZONENAME }}/
CUSTOM_PATH_VIDEO: /cutie/video/uploads/
CUSTOM_GEAPHQLENDPOINT: https://core-graphql-api.${{ env.PUBLICZONENAME }}/
CUSTOM_ONBOARDING_PORTAL_ID: 20987346
CUSTOM_ONBOARDING_FINAL_FORM_ID: 67a53834-ffac-4ebc-81cd-39f9e77167d8
CUSTOM_ONBOARDING_FINAL_FORM_HIDDEN_FIELD_NAME: TICKET.content
CUSTOM_ONBOARDING_FORM_IN_RAW_HTML: 0
CUSTOM_ONBOARDING_POPUP_FORM_ID: 67a53834-ffac-4ebc-81cd-39f9e77167d8
###############################################################
# BUILD WEB PACKAGES
##############################################################
- name: Build Web Packages
run: |
printf '' > src/environments/environment.ts
node_modules/.bin/ng build --configuration=${{ env.BUILD_CONFIG }}
##########################################################
# AWS S3 SYNC OPERATIONS
##########################################################
- name: AWS S3 Sync Operations
run: |
CUTIEAPPS3=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CUTIES3BUCKET-$ENV\`].Value" --no-paginate --output text)
aws s3 sync www/ s3://$CUTIEAPPS3 --delete
##########################################################
# AWS CDN CACHE INVALIDATION
##########################################################
- name: AWS Cloudfront Cache invalidation
run: |
CUTIEAPPCDN=$(aws cloudformation list-exports --query "Exports[?Name==\`$STACK_NAME-CutieCloudFrontDistributionID-$ENV\`].Value" --no-paginate --output text)
for i in $CUTIEAPPCDN;do aws cloudfront create-invalidation --distribution-id $i --paths "/*";done
##########################################################
# SLACK NOTIFICATION
##########################################################
- name: Slack Notification
if: always() # Pick up events even if the job fails or is canceled.
uses: 8398a7/action-slack@v3
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
MATRIX_CONTEXT: ${{ toJson(matrix) }} # required
with:
status: ${{ job.status }}
author_name: ${{ env.BRANCH_TAG_NAME }} - ${{ env.ROOTSTACK }} deployed to ${{ env.ENV }} environemnt in ${{ env.STACK_NAME }} AWS account
mention: 'here'
if_mention: failure,cancelled
job_name: deploy-p2-sandbox # Match the name above.
fields: repo,commit,eventName,ref,workflow,message,author,job,took
custom_payload: |
{
username: 'GitHub Action CI WorkFlow',
icon_emoji: ':github:',
attachments: [{
color: '${{ job.status }}' === 'success' ? 'good' : ${{ job.status }}' === 'failure' ? 'danger' : 'warning',
text:
`${process.env.AS_REPO}\n
${process.env.AS_COMMIT}\n
${process.env.AS_EVENT_NAME}\n
@${process.env.AS_REF}\n
@${process.env.AS_WORKFLOW}\n
${process.env.AS_MESSAGE}\n
${process.env.AS_AUTHOR}\n
${process.env.AS_JOB}\n
${process.env.AS_TOOK}`,
}]
}
# ################################################
# # STATUS VARIABLE UPDATE
# ################################################
- name: Deployment status variable update
if: ${{ failure() }}
run: |
echo "STATUS=FAILURE" >> $GITHUB_ENV
# ################################################
# # DEVOPS-DEPLOYMENT REPORT
# ################################################
- name: DevOps Deployment Reporting
if: always()
run: |
pip install --upgrade pip
pip install --upgrade csvtotable
aws s3 cp s3://$STATUSREPORTS3Bucket/deploy-reporting.sh deploy-reporting.sh
chmod +x deploy-reporting.sh && ./deploy-reporting.sh
echo "LINK="${GITHUB_REPOSITORY##*/}.html >> $GITHUB_ENV