chore: update staging deployment workflow (#847)

* chore: update staging deploy with the required env vars

* chore: add deploy commands for various envs

* chore: add docs

* chore: add isomer migrators

* chore: add rds passwrod for dd

* chore: update role

Author: seaerchin

.github/workflows/aws_deploy.yml

@@ -206,6 +206,7 @@ jobs:
           sed -i 's/<CPU>/${{ inputs.environment == 'production' && 1024 || 512 }}/g' ${{ inputs.ecs-task-definition-path }}
           sed -i 's/<MEMORY>/${{ inputs.environment == 'production' && 2048 || 1024 }}/g' ${{ inputs.ecs-task-definition-path }}
           sed -i 's/<RDS_READER_ENDPOINT>/${{ secrets.RDS_READER_ENDPOINT }}/g' ${{ inputs.ecs-task-definition-path }}
+          sed -i 's/<RDS_DATADOG_PASSWORD>/${{ secrets.RDS_DATADOG_PASSWORD}}/g' ${{ inputs.ecs-task-definition-path }}
           sed -i 's/<DD_COMMIT_SHA>/${{ github.sha }}/g' ${{ inputs.ecs-task-definition-path }}
           sed -i 's/<ECS_TASK_ROLE>/${{ inputs.ecs-task-role }}/g' ${{ inputs.ecs-task-definition-path }}
           sed -i 's/<ECS_TASK_EXEC_ROLE>/${{ inputs.ecs-task-exec-role }}/g' ${{ inputs.ecs-task-definition-path }}

.github/workflows/deploy_staging.yml

@@ -18,20 +18,27 @@ jobs:
     with:
       aws-region: "ap-southeast-1"
       aws-account-id: "058264420411"
-      cicd-role: "arn:aws:iam::058264420411:role/isomer-next-infra-github-oidc-role-b58f3de"
+      cicd-role: "arn:aws:iam::058264420411:role/isomer-next-infra-github-oidc-role-aaefdfd"
       ecr-repository: "isomer-next-infra-stg-ecr"
-      ecs-cluster-name: "isomer-next-infra-ecs"
-      ecs-service-name: "isomer-next-infra-ecs-service"
+      ecs-cluster-name: "studio-staging-ecs"
+      ecs-service-name: "studio-staging-ecs-service"
       ecs-container-name: "studio"
       ecs-container-port: 3000
       environment: "staging"
       shortEnv: "stg"
       codedeploy-appspec-path: .aws/deploy/appspec.json
       ecs-task-definition-path: .aws/deploy/task-definition.json
-      codedeploy-application: "isomer-next-infra-ecs-app"
-      codedeploy-deployment-group: "isomer-next-infra-ecs-dg"
-      ecs-task-role: isomer-next-infra-ecs-task-role
-      ecs-task-exec-role: isomer-next-infra-ecs-task-exec-role
+      codedeploy-application: "studio-staging-ecs-app"
+      codedeploy-deployment-group: "studio-staging-ecs-dg"
+      ecs-task-role: studio-staging-ecs-task-role
+      ecs-task-exec-role: studio-staging-ecs-task-exec-role
+      app-url: "https://staging-studio.isomer.gov.sg"
+      app-name: "Isomer Studio (Staging)"
+      app-version: ${{ github.sha }}
+      app-enable-sgid: false
+      app-s3-region: "ap-southeast-1"
+      app-s3-assets-bucket-name: "isomer-next-infra-stg-assets-private-61710b8"
+      app-s3-assets-domain-name: "isomer-user-content-stg.by.gov.sg"
 
     secrets:
       DD_API_KEY: ${{ secrets.DD_API_KEY_GITHUB_ACTIONS }}

README.md

@@ -28,6 +28,32 @@ There are a few steps to getting started:
 4. Add the user to the `isomerpages` organisation by adding them to the file [here](https://github.com/opengovsg/isomer-infra/blob/main/src/github/constants.ts)
 5. Add the user to the relevant github teams [here](https://github.com/orgs/opengovsg/teams?query=isomer) by asking the maintainer
 
+### Cutting a release
+
+We run releases via the `publish` event. Hence, in order to cut a release, we have to go through the following steps:
+
+1. first, select the release commit
+2. generate a tag for the release commit from the previous tag as follows:
+   - if you're making a hotfix, add a 0.0.1 to the previous version
+   - if you're making a minor upgrade, add a 0.1 to the previous version.
+   - for all purposes, all our releases are minor upgrades so we will not be incrementing the major version number
+3. push the tag to the remote origin
+4. go to github and click on `Tags`
+5. next, click on releases and draft a new release
+6. choose the tag you have previously created
+7. generate release notes (this can be done automatically via the button)
+8. publish the release
+
+### Running database migrations
+
+1. first, add the relevant `.pem` file to the `apps/studio/ssh` folder
+   - this can be found by searching for `AWS Isomer Next <env> Bastion SSH Key` in your 1Password vault
+2. Next, duplicate the `.env.example` in `apps/studio` to `.ssh/.env.<env>`
+3. Fill in the relevant information by searching for `Isomer Next <env> Database` inside 1password
+4. Next, run `npm run jump:<env>` from within the `apps/studio` folder
+5. Next, run `npm run migrate:<env>` from within the `apps/studio` folder
+6. (Optional) If you need to run a seed, run `npm run db:seed`
+
 ### Extra tools
 
 1. Vercel

apps/studio/.env.example

@@ -0,0 +1,3 @@
+DB_HOST=
+SSH_USER=ec2-user
+SSH_HOST=

apps/studio/package.json

@@ -41,7 +41,9 @@
     "clean": "git clean -xdf .next .turbo node_modules build",
     "jump:vapt": "source .ssh/.env.vapt && ssh -L 5433:$DB_HOST:5432 $SSH_USER@$SSH_HOST -i .ssh/studio-vapt-bastion.pem",
     "migrate:vapt": "source .ssh/.env.vapt && npx prisma migrate deploy",
-    "jump": "source .ssh/.env.prod && ssh -L 5433:$DB_HOST:5432 $SSH_USER@$SSH_HOST -i .ssh/studio-prod-bastion.pem"
+    "jump": "source .ssh/.env.prod && ssh -L 5433:$DB_HOST:5432 $SSH_USER@$SSH_HOST -i .ssh/studio-prod-bastion.pem",
+    "jump:staging": "source .ssh/.env.staging && ssh -L 5433:$DB_HOST:5432 $SSH_USER@$SSH_HOST -i .ssh/studio-staging-bastion.pem",
+    "migrate:staging": "source .ssh/.env.staging && npx prisma migrate deploy"
   },
   "prisma": {
     "seed": "tsx prisma/seed.ts"

apps/studio/prisma/seed.ts

@@ -23,6 +23,18 @@ const ISOMER_ADMINS = [
   "adriangoh",
 ]
 
+const ISOMER_MIGRATORS = [
+  "tingshian",
+  "hakeem",
+  "elora",
+  "jinhui",
+  "junxiang",
+  "rayyan",
+  "yongteng",
+  "huaying",
+  "weiping",
+]
+
 const EDITOR_USER = "editor"
 const PUBLISHER_USER = "publisher"
 
@@ -248,37 +260,40 @@ async function main() {
     .executeTakeFirstOrThrow()
 
   await Promise.all(
-    [...ISOMER_ADMINS, EDITOR_USER, PUBLISHER_USER].map(async (name) => {
-      const user = await db
-        .insertInto("User")
-        .values({
-          id: cuid2.createId(),
-          name,
-          email: `${name}@open.gov.sg`,
-          phone: MOCK_PHONE_NUMBER,
-        })
-        .onConflict((oc) =>
-          oc
-            .column("email")
-            .doUpdateSet((eb) => ({ email: eb.ref("excluded.email") })),
-        )
-        .returning(["id", "name"])
-        .executeTakeFirstOrThrow()
-      const role = ISOMER_ADMINS.includes(user.name)
-        ? RoleType.Admin
-        : user.name === EDITOR_USER
-          ? RoleType.Editor
-          : RoleType.Publisher
+    [...ISOMER_ADMINS, ...ISOMER_MIGRATORS, EDITOR_USER, PUBLISHER_USER].map(
+      async (name) => {
+        const user = await db
+          .insertInto("User")
+          .values({
+            id: cuid2.createId(),
+            name,
+            email: `${name}@open.gov.sg`,
+            phone: MOCK_PHONE_NUMBER,
+          })
+          .onConflict((oc) =>
+            oc
+              .column("email")
+              .doUpdateSet((eb) => ({ email: eb.ref("excluded.email") })),
+          )
+          .returning(["id", "name"])
+          .executeTakeFirstOrThrow()
 
-      await db
-        .insertInto("ResourcePermission")
-        .values({
-          userId: user.id,
-          siteId,
-          role,
-        })
-        .execute()
-    }),
+        const role = [...ISOMER_ADMINS, ...ISOMER_MIGRATORS].includes(user.name)
+          ? RoleType.Admin
+          : user.name === EDITOR_USER
+            ? RoleType.Editor
+            : RoleType.Publisher
+
+        await db
+          .insertInto("ResourcePermission")
+          .values({
+            userId: user.id,
+            siteId,
+            role,
+          })
+          .execute()
+      },
+    ),
   )
 }