Deploy to AWS #316
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
| name: Deploy to AWS | |
| on: | |
| push: | |
| branches: [ "main", "dev" ] | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| type: choice | |
| description: Environment | |
| required: true | |
| options: | |
| - staging | |
| - prod | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| determine_environment: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| env_name: ${{ steps.set_env.outputs.environment_name }} | |
| ssm_param: ${{ steps.set_env.outputs.ssm_parameter }} | |
| steps: | |
| - name: Set environment name | |
| id: set_env | |
| run: | | |
| # Set environment based on branch or workflow_dispatch selection. | |
| if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then | |
| env_name="${{ github.event.inputs.environment }}" | |
| elif [[ "${{ github.ref }}" == "refs/heads/main" ]]; then | |
| env_name="prod" | |
| elif [[ "${{ github.ref }}" == "refs/heads/dev" ]]; then | |
| env_name="staging" | |
| else | |
| echo "Unsupported branch for deployment: ${{ github.ref }}" | |
| exit 1 | |
| fi | |
| echo "environment_name=$env_name" >> "$GITHUB_OUTPUT" | |
| deploy: | |
| needs: [ determine_environment ] | |
| runs-on: ubuntu-latest | |
| environment: | |
| name: ${{ needs.determine_environment.outputs.env_name }} | |
| steps: | |
| - name: Deploy to environment | |
| run: echo "Deploying to ${{ needs.determine_environment.outputs.env_name }}" | |
| - name: Checkout | |
| uses: actions/checkout@v5 | |
| - name: Debug OIDC claims | |
| run: | | |
| echo "GitHub repository: ${{ github.repository }}" | |
| echo "GitHub ref: ${{ github.ref }}" | |
| echo "GitHub SHA: ${{ github.sha }}" | |
| echo "Actor: ${{ github.actor }}" | |
| echo "Event name: ${{ github.event_name }}" | |
| echo "Workflow ref: ${{ github.workflow_ref }}" | |
| echo "Environment: ${{ github.environment }}" | |
| echo "Job: ${{ github.job }}" | |
| - name: Debug AWS role | |
| run: | | |
| echo "Attempting to assume role with:" | |
| echo "Repository: repo:${{ github.repository }}:*" | |
| echo "Repository ref: repo:${{ github.repository }}:ref:${{ github.ref }}" | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-to-assume: ${{ vars.AWS_ROLE_ARN }} | |
| aws-region: ${{ vars.AWS_REGION }} | |
| audience: "sts.amazonaws.com" | |
| role-session-name: "GitHubActions-${{ github.run_id }}" | |
| mask-aws-account-id: false | |
| role-duration-seconds: 900 # 15 minutes | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| - name: Build, tag, and push Document Inference Lambda image to ECR | |
| id: build-document-inference-image | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY_LAMBDA_DOCUMENT_INFERENCE }} | |
| IMAGE_TAG: ${{ github.sha }} | |
| AWS_ENV: ${{ needs.determine_environment.outputs.env_name }} | |
| run: | | |
| docker build --build-arg AWS_ENV=$AWS_ENV -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG -t $ECR_REGISTRY/$ECR_REPOSITORY:latest python_components/document_inference/. | |
| docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
| docker push $ECR_REGISTRY/$ECR_REPOSITORY:latest | |
| echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT | |
| - name: Update Document Inference Lambda | |
| id: update-document-inference-lambda | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY_LAMBDA_DOCUMENT_INFERENCE }} | |
| IMAGE_TAG: ${{ github.sha }} | |
| FUNCTION_NAME: ${{ vars.FUNCTION_NAME_LAMBDA_DOCUMENT_INFERENCE }} | |
| run: | | |
| aws lambda update-function-code \ | |
| --function-name $FUNCTION_NAME \ | |
| --image-uri $ECR_REGISTRY/$ECR_REPOSITORY:latest | |
| - name: Build, tag, and push Rails App image to Amazon ECR | |
| id: build-image | |
| env: | |
| ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} | |
| ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY_RAILS_APP }} | |
| IMAGE_TAG: ${{ github.sha }} | |
| run: | | |
| docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG . | |
| docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG | |
| echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> $GITHUB_OUTPUT | |
| - name: Update SSM Version Parameter | |
| env: | |
| IMAGE_TAG: ${{ github.sha }} | |
| AWS_ENV: ${{ needs.determine_environment.outputs.env_name }} | |
| run: | | |
| echo "tag:$IMAGE_TAG" | |
| aws ssm put-parameter \ | |
| --name "/asap-pdf/$AWS_ENV/app/version" \ | |
| --value "$IMAGE_TAG" \ | |
| --overwrite | |
| - name: Setup OpenTofu | |
| uses: opentofu/setup-opentofu@v1 | |
| - name: Initialize OpenTofu | |
| working-directory: ./terraform/config/${{ needs.determine_environment.outputs.env_name }} | |
| run: tofu init | |
| - name: Apply changes | |
| working-directory: ./terraform/config/${{ needs.determine_environment.outputs.env_name }} | |
| run: tofu apply --auto-approve | |
| - name: Debug deployment failure | |
| if: failure() && steps.deploy.outcome == 'failure' | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-to-assume: ${{ vars.AWS_ROLE_ARN }} | |
| aws-region: ${{ vars.AWS_REGION }} | |
| audience: "sts.amazonaws.com" | |
| role-session-name: "GitHubActions-Debug-${{ github.run_id }}" | |
| mask-aws-account-id: false | |
| role-duration-seconds: 900 |