Skip to content
deploy

Upload initial files (WIP) #1

Sign in to view logs

Upload initial files (WIP)

Upload initial files (WIP) #1

Workflow file for this run

.github/workflows/deploy.yml at 2cfda9d
name: deploy
on:
push:
branches: ["main", "feature/**"]
env:
AWS_DEFAULT_REGION: us-east-1
AWS_DEFAULT_OUTPUT: json
jobs:
code-quality:
name: Check coding standards
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: echo "Job triggered by ${{ github.event_name }} event."
- run: echo "Job running on a ${{ runner.os }} server hosted by GitHub."
- run: echo "Branch name is ${{ github.ref }} and repository is ${{ github.repository }}."
- uses: actions/setup-python@v4
with:
python-version: 3.11
- name: Install Poetry
uses: snok/install-poetry@v1
with:
virtualenvs-create: true
virtualenvs-in-project: true
installer-parallel: true
- name: Install Poetry dependencies
run: poetry install --no-interaction
- name: Check code formatting
run: poetry run poe black-check
cdk-synth:
name: CDK Synth
runs-on: ubuntu-latest
needs: code-quality
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: 3.11
- name: Install Poetry
uses: snok/install-poetry@v1
with:
virtualenvs-create: true
virtualenvs-in-project: true
installer-parallel: true
- name: Install Poetry dependencies
run: poetry install --no-interaction
- name: Set up NodeJs
uses: actions/setup-node@v3
with:
node-version: "20"
- name: Install CDK
run: |
npm install -g aws-cdk
# # MY OLD AUTH CONFIG (NOW WITH GITHUB OIDC TOKEN)
# - name: Configure AWS credentials
# uses: aws-actions/configure-aws-credentials@master
# with:
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
# aws-region: "us-east-1"
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_DEFAULT_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: myGitHubActions
- name: Synth CDK to CloudFormation Template
run: |
source .venv/bin/activate
cdk synth
- name: Archive CDK Synth results (no assets)
uses: actions/upload-artifact@v3
with:
name: cdk-synth-folder
path: |
./cdk.out
!./cdk.out/asset.*
retention-days: 1
iac-checkov:
name: IaC Checkov Validations
runs-on: ubuntu-latest
needs: cdk-synth
steps:
- uses: actions/checkout@v3
- name: Dowload CDK Synth results
uses: actions/download-artifact@v3
with:
name: cdk-synth-folder
path: ./cdk-synth-output-folder
- name: Display files in the output folder
run: ls -lrta
working-directory: ./cdk-synth-output-folder
- name: Run Checkov action
id: checkov
uses: bridgecrewio/checkov-action@v12
with:
directory: cdk-synth-output-folder/
framework: cloudformation
soft_fail: true # optional: do not return an error code if there are failed checks
skip_check: CKV_AWS_2 # optional: skip a specific check_id. can be comma separated list
quiet: true # optional: display only failed checks
log_level: WARNING # optional: set log level. Default WARNING
cdk-deploy:
name: Deploy CDK
runs-on: ubuntu-latest
needs: iac-checkov
if: github.ref == 'refs/heads/main'
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: 3.11
- name: Install Poetry
uses: snok/install-poetry@v1
with:
virtualenvs-create: true
virtualenvs-in-project: true
installer-parallel: true
- name: Install Poetry dependencies
run: poetry install --no-interaction
- name: Set up NodeJs
uses: actions/setup-node@v3
with:
node-version: "20"
- name: Install CDK
run: npm install -g aws-cdk
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_DEFAULT_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_DEPLOY_ROLE }}
role-session-name: myGitHubActions
# NOTE: for now no manual approvals are required
- name: Deploy to AWS
run: |
source .venv/bin/activate
cdk deploy --require-approval=never