feat: 🎸 deploy from github actions

isucon · Oct 5, 2024 · ca72891 · ca72891
1 parent 6c1d0e4
commit ca72891
Show file tree

Hide file tree

Showing 6 changed files with 112 additions and 13 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -0,0 +1,28 @@
+name: deploy benchmarker
+on:
+  push:
+    branches:
+      - feat/deploy.bench 
+  workflow_dispatch:
+    inputs:
+      TAG:
+        description: 'tag'
+        required: true
+jobs:
+  bench:
+    - uses: actions/checkout@v4
+    - name: Configure AWS credentials from IAM Role
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        role-to-assume: ${{ vars.AWS_DEPLOY_ROLE_ARN }}
+        aws-region: ap-northeast-1
+    - uses: kayac/ecspresso@v2
+      with:
+        version: latest 
+    - name: deploy
+      working-directory: ecs
+      run: |
+        ecspresso deploy --config benchmarker.yml
+      env:
+        TAG: ${{ github.event.inputs.TAG || 'latest' }}
+        ENV: stg
diff --git a/.github/workflows/nop.yaml b/.github/workflows/nop.yaml
diff --git a/terraform/modules/github/main.tf b/terraform/modules/github/main.tf
@@ -12,8 +12,8 @@ resource "aws_iam_openid_connect_provider" "github_actions" {
   thumbprint_list = data.tls_certificate.github_actions.certificates[*].sha1_fingerprint
 }
 
-resource "aws_iam_role" "main" {
-  name               = "github-actions-ecr-push-example-role"
+resource "aws_iam_role" "push_image" {
+  name               = "github-actions-ecr-push-role"
   assume_role_policy = data.aws_iam_policy_document.main_assume_role_policy.json
 }
 
@@ -46,7 +46,7 @@ data "aws_iam_policy_document" "main_assume_role_policy" {
 
 resource "aws_iam_role_policy" "main" {
   name   = "allow-ecr-push-image"
-  role   = aws_iam_role.main.name
+  role   = aws_iam_role.push_image.name
   policy = data.aws_iam_policy_document.main_policy.json
 }
 
@@ -73,3 +73,61 @@ data "aws_iam_policy_document" "main_policy" {
     resources = var.ecr_repositories
   }
 }
+
+resource "aws_iam_role" "update_taskdef" {
+  name               = "github-actions-ecs-update-taskdef-role"
+  assume_role_policy = data.aws_iam_policy_document.update_taskdef_assume_role_policy.json
+}
+
+data "aws_iam_policy_document" "update_taskdef_assume_role_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.github_actions.arn]
+    }
+
+    condition {
+      test     = "StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+
+    dynamic "condition" {
+      for_each = var.github_repos
+      content {
+        test     = "StringLike"
+        variable = "token.actions.githubusercontent.com:sub"
+        values   = ["repo:isucon/${condition.value}:*"]
+      }
+    }
+  }
+}
+
+resource "aws_iam_role_policy" "update_taskdef" {
+  name   = "allow-ecs-update-taskdef"
+  role   = aws_iam_role.update_taskdef.name
+  policy = data.aws_iam_policy_document.update_taskdef_policy.json
+}
+
+data "aws_iam_policy_document" "update_taskdef_policy" {
+  statement {
+    effect    = "Allow"
+    actions   = ["ecs:RegisterTaskDefinition"]
+    resources = ["*"]
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["iam:PassRole"]
+    resources = var.task_role_arns
+  }
+
+  statement {
+    effect    = "Allow"
+    actions   = ["ecs:UpdateService", "ecs:DescribeServices"]
+    resources = var.service_arns
+  }
+}
diff --git a/terraform/modules/github/variables.tf b/terraform/modules/github/variables.tf
@@ -5,3 +5,11 @@ variable "github_repos" {
 variable "ecr_repositories" {
   type = list(string)
 }
+
+variable "task_role_arns" {
+  type = list(string)
+}
+
+variable "service_arns" {
+  type = list(string)
+}
diff --git a/terraform/modules/isuxportal/output.tf b/terraform/modules/isuxportal/output.tf
@@ -5,3 +5,16 @@ output "ecr_repositories" {
     aws_ecr_repository.benchmarker.arn,
   ]
 }
+
+output "task_role_arns" {
+  value = [
+    aws_iam_role.ecs-task.arn,
+  ]
+}
+
+output "service_arns" {
+  value = [
+    "${aws_ecs_cluster.main.arn}/*",
+    "${aws_ecs_cluster.benchmarker.arn}/*",
+  ]
+}
diff --git a/terraform/stg/main.tf b/terraform/stg/main.tf
@@ -46,6 +46,8 @@ module "github" {
   source           = "../modules/github"
   github_repos     = ["isucon14", "isucon14-portal"]
   ecr_repositories = module.isuxportal.ecr_repositories
+  service_arns     = module.isuxportal.service_arns
+  task_role_arns   = module.isuxportal.task_role_arns
 }
 
 module "ami" {