CI: add step to deploy to aws-beta #56

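# Reusable GitHub Actions workflow for the "saver" service: build the image,
# scan it with Snyk, record the artifact and scan evidence in Kosli, gate on
# that evidence, then push the image to the beta ECR and deploy it with
# Terraform. The aws-prod deployment steps are kept below but commented out.
#
# Indentation is meaningful in this file; run yamllint before committing.
name: Main (Work in Progress)

on:  # yamllint disable-line rule:truthy
  workflow_call:
    secrets:
      DOCKER_PASS:
        required: true
      DOCKER_USER:
        required: true
      KOSLI_API_TOKEN:
        required: true
      SNYK_TOKEN:
        required: true
    inputs:
      KOSLI_HOST:
        required: true
        type: string

env:
  KOSLI_ORG: cyber-dojo
  KOSLI_FLOW: saver
  # NOTE(review): a workflow-level env makes these two tokens visible to every
  # step, including the third-party setup/login actions that do not need them.
  # Scoping them to the kosli/snyk steps (step-level env) would narrow exposure.
  KOSLI_API_TOKEN: ${{ secrets.KOSLI_API_TOKEN }}
  KOSLI_HOST: ${{ inputs.KOSLI_HOST }}  # https://app.kosli.com
  KOSLI_CLI_VERSION: "2.6.11"
  SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
  # Account ids are quoted so YAML keeps them as strings; a bare 12-digit value
  # is otherwise parsed as an integer and can be re-typed by tooling.
  AWS_ACCOUNT_ID_BETA: "244531986313"
  ECR_REGISTRY_BETA: 244531986313.dkr.ecr.eu-central-1.amazonaws.com
  AWS_ACCOUNT_ID_PROD: "274425519734"
  ECR_REGISTRY_PROD: 274425519734.dkr.ecr.eu-central-1.amazonaws.com
  AWS_REGION: eu-central-1
  GH_ACTIONS_IAM_ROLE_NAME: gh_actions_services
  # KOSLI_DRY_RUN: "True"

jobs:
  build-test-deploy:
    runs-on: ubuntu-latest
    permissions:
      # id-token is required for the OIDC role assumption in the
      # configure-aws-credentials step below.
      id-token: write
      # NOTE(review): nothing visible in this job writes to the repository;
      # confirm whether `contents: read` is sufficient (least privilege).
      contents: write
    env:
      DOCKER_PASS: ${{ secrets.DOCKER_PASS }}
      DOCKER_USER: ${{ secrets.DOCKER_USER }}
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0  # Get full history for Kosli commit-interval harvesting

      - name: Prepare
        id: prep
        # IMAGE_TAG is the first 7 characters of the commit sha; every later
        # step addresses the image as cyberdojo/saver:${{ env.IMAGE_TAG }}.
        run: echo "IMAGE_TAG=$(echo $GITHUB_SHA | head -c7)" >> ${GITHUB_ENV}

      - name: Build
        run: ./sh/build.sh

      - name: Setup Kosli CLI
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: ${{ env.KOSLI_CLI_VERSION }}

      # Multi-line commands use folded block scalars (>-) so the joining into a
      # single command line is explicit rather than relying on plain-scalar
      # folding, which breaks if a continuation line ever contains ": " or " #".
      - name: Create Kosli flow
        run: >-
          kosli create flow ${{ env.KOSLI_FLOW }}
          --description="Group/Kata model+persistence"
          --template=artifact,snyk-scan

      - name: Push image to public registry (dockerhub)
        run: |
          echo "${DOCKER_PASS}" | docker login --username "${DOCKER_USER}" --password-stdin
          docker push cyberdojo/saver:${{ env.IMAGE_TAG }}
          docker logout

      - name: Report image to Kosli
        run: >-
          kosli report artifact cyberdojo/saver:${{ env.IMAGE_TAG }}
          --artifact-type=docker

      # Snyk image scan ------------------
      - name: Setup Snyk
        # NOTE(review): @master is a moving ref; pinning to a release tag or a
        # commit sha keeps the action you run immutable.
        uses: snyk/actions/setup@master

      - name: Run Snyk to check Docker image for vulnerabilities
        # A finding must not abort the job here: the results are reported to
        # Kosli in the next step and the "Kosli SDLC gate" step presumably
        # decides pass/fail from that evidence — confirm against the flow
        # template (artifact,snyk-scan). If snyk itself fails before writing
        # snyk.json, the report step below will fail on the missing file.
        continue-on-error: true
        run: >-
          snyk container test cyberdojo/saver:${{ env.IMAGE_TAG }}
          --file=Dockerfile
          --json-file-output=snyk.json
          --policy-path=.snyk

      - name: Report Snyk scan results evidence to Kosli
        run: >-
          kosli report evidence artifact snyk cyberdojo/saver:${{ env.IMAGE_TAG }}
          --artifact-type=docker
          --name=snyk-scan
          --scan-results=snyk.json

      - name: Kosli SDLC gate
        # Fails the job (and so blocks the deployment steps below) when the
        # artifact's evidence does not satisfy the flow's requirements.
        run: >-
          kosli assert artifact cyberdojo/saver:${{ env.IMAGE_TAG }}
          --artifact-type=docker

      # Deploy to aws-beta ------------------
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1-node16
        with:
          aws-region: ${{ env.AWS_REGION }}
          role-duration-seconds: 2400
          role-session-name: ${{ github.event.repository.name }}
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID_BETA }}:role/${{ env.GH_ACTIONS_IAM_ROLE_NAME }}

      - name: Login to Amazon ECR (Elastic Container Registry)
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1

      - name: Push image to private ECR for beta
        run: |
          docker tag cyberdojo/saver:${{ env.IMAGE_TAG }} ${{ env.ECR_REGISTRY_BETA }}/saver:${{ env.IMAGE_TAG }}
          docker push ${{ env.ECR_REGISTRY_BETA }}/saver:${{ env.IMAGE_TAG }}
          docker logout

      - name: Report expected aws-beta deployment to Kosli
        run: >-
          kosli expect deployment cyberdojo/saver:${{ env.IMAGE_TAG }}
          --artifact-type=docker
          --description="Deployed to aws-beta in Github Actions pipeline"
          --environment=aws-beta

      - name: Deploy to aws-beta
        # NOTE(review): the ref on the next line is rendered as
        # "[email protected]" on this page and looks garbled; confirm the real
        # <file>@<ref> in the repository. Also, a path under .github/workflows/
        # is a reusable workflow, which can only be called from jobs.<id>.uses,
        # not from a step — verify this target is actually a composite action.
        uses: fivexl/gh-workflow-tf-plan-apply/.github/workflows/[email protected]
        with:
          aws_region: ${{ env.AWS_REGION }}
          aws_role_arn: arn:aws:iam::${{ env.AWS_ACCOUNT_ID_BETA }}:role/${{ env.GH_ACTIONS_IAM_ROLE_NAME }}
          aws_default_region: ${{ env.AWS_REGION }}
          aws_role_duration: 900
          working_directory: deployment/terraform/
          tf_apply: 'true'
          tf_version: v1.4.5
          tf_additional_env_vars: '{"TF_VAR_TAGGED_IMAGE": "${{ env.ECR_REGISTRY_BETA }}/saver:${{ env.IMAGE_TAG }}"}'

      # aws-prod deployment: not yet enabled.
      # - name: Report expected aws-prod deployment to Kosli
      #   run: >-
      #     kosli expect deployment cyberdojo/saver:${{ env.IMAGE_TAG }}
      #     --artifact-type=docker
      #     --description="Deployed to aws-prod in Github Actions pipeline"
      #     --environment=aws-prod
      # - name: Deploy to aws-prod
      #   uses: fivexl/gh-workflow-tf-plan-apply/.github/workflows/[email protected]
      #   with:
      #     aws_region: ${{ env.AWS_REGION }}
      #     aws_role_arn: arn:aws:iam::${{ env.AWS_ACCOUNT_ID_PROD }}:role/${{ env.GH_ACTIONS_IAM_ROLE_NAME }}
      #     aws_default_region: ${{ env.AWS_REGION }}
      #     aws_role_duration: 900
      #     working_directory: deployment/terraform/
      #     tf_apply: 'true'
      #     tf_version: v1.4.5
      #     tf_additional_env_vars: '{"TF_VAR_TAGGED_IMAGE": "${{ env.ECR_REGISTRY_PROD }}/saver:${{ env.IMAGE_TAG }}"}'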