Merge pull request #26 from gregcube/main

Improve workflows and add AWS integration.
lfai · Oct 13, 2024 · 6cf4c8b · 6cf4c8b
2 parents 6ece587 + bb4b688
commit 6cf4c8b
Show file tree

Hide file tree

Showing 5 changed files with 193 additions and 75 deletions.
diff --git a/.github/actions/authorize-ip/action.yml b/.github/actions/authorize-ip/action.yml
@@ -0,0 +1,22 @@
+name: Authorize IP
+description: 'Add IP to AWS security group'
+
+inputs:
+  ip:
+    description: 'IP address to authorize'
+    required: true
+  sgid:
+    description: 'AWS security group id'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Authorize IP address
+      shell: bash
+      run: |
+        aws ec2 authorize-security-group-ingress \
+          --group-id ${{ inputs.sgid }} \
+          --protocol tcp \
+          --port 22 \
+          --cidr ${{ inputs.ip }}/32
diff --git a/.github/actions/revoke-ip/action.yml b/.github/actions/revoke-ip/action.yml
@@ -0,0 +1,22 @@
+name: Revoke IP
+description: 'Revoke IP from AWS security group'
+
+inputs:
+  ip:
+    description: 'IP address to revoke'
+    required: true
+  sgid:
+    description: 'AWS security group id'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Revoke IP address
+      shell: bash
+      run: |
+        aws ec2 revoke-security-group-ingress \
+          --group-id ${{ inputs.sgid }} \
+          --protocol tcp \
+          --port 22 \
+          --cidr ${{ inputs.ip }}/32
diff --git a/.github/actions/setup-check/action.yml b/.github/actions/setup-check/action.yml
@@ -0,0 +1,59 @@
+name: Setup check
+description: 'Check if required secrets and environments are configured'
+
+inputs:
+  deploy_host:
+    description: 'Deploy host'
+    required: true
+  deploy_user:
+    description: 'Deploy user'
+    required: true
+  deploy_path:
+    description: 'Deploy path'
+    required: true
+  deploy_key:
+    description: 'Deploy key'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Check DEPLOY_HOST
+      shell: bash
+      env:
+        INPUT_DEPLOY_HOST: ${{ inputs.deploy_host }}
+      run: |
+        if [ -z "${INPUT_DEPLOY_HOST}" ]; then
+          echo "DEPLOY_HOST is not set."
+          exit 1
+        fi
+
+    - name: Check DEPLOY_USER
+      shell: bash
+      env:
+        INPUT_DEPLOY_USER: ${{ inputs.deploy_user }}
+      run: |
+        if [ -z "${INPUT_DEPLOY_USER}" ]; then
+          echo "DEPLOY_USER is not set."
+          exit 1
+        fi
+
+    - name: Check DEPLOY_PATH
+      shell: bash
+      env:
+        INPUT_DEPLOY_PATH: ${{ inputs.DEPLOY_PATH }}
+      run: |
+        if [ -z "${INPUT_DEPLOY_PATH}" ]; then
+          echo "DEPLOY_PATH is not set."
+          exit 1
+        fi
+
+    - name: Check DEPLOY_KEY
+      shell: bash
+      env:
+        INPUT_DEPLOY_KEY: ${{ inputs.deploy_key }}
+      run: |
+        if [ -z "${INPUT_DEPLOY_KEY}" ]; then
+          echo "DEPLOY_KEY is not set."
+          exit 1
+        fi
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -15,62 +15,61 @@ on:
         default: 'Stage'
 
 jobs:
-  secrets-check:
+  setup-check:
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment || 'Production' }}
     steps:
-      - name: Check DEPLOY_HOST
-        env:
-          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
-        run: |
-          if [ -z "$DEPLOY_HOST" ]; then
-            echo "DEPLOY_HOST is not set."
-            exit 1
-          fi
-
-      - name: Check DEPLOY_USER
-        env:
-          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
-        run: |
-          if [ -z "$DEPLOY_USER" ]; then
-            echo "DEPLOY_USER is not set."
-            exit 1
-          fi
-
-      - name: Check DEPLOY_PATH
-        env:
-          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
-        run: |
-          if [ -z "$DEPLOY_PATH" ]; then
-            echo "DEPLOY_PATH is not set."
-            exit 1
-          fi
+      - name: Checkout code
+        uses: actions/checkout@v4
 
-      - name: Check DEPLOY_KEY
-        env:
-          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
-        run: |
-          if [ -z "$DEPLOY_KEY" ]; then
-            echo "DEPLOY_KEY is not set"
-            exit 1
-          fi
+      - name: Check environment variables
+        uses: ./.github/actions/setup-check
+        with:
+          deploy_host: ${{ secrets.DEPLOY_HOST }}
+          deploy_user: ${{ secrets.DEPLOY_USER }}
+          deploy_path: ${{ secrets.DEPLOY_PATH }}
+          deploy_key: ${{ secrets.DEPLOY_KEY }}
 
   deploy:
     runs-on: ubuntu-latest
-    needs: secrets-check
+    needs: setup-check
     environment: ${{ inputs.environment || 'Production' }}
-    if: ${{ github.event.workflow_run.conclusion == 'success' ||
-            github.event_name == 'workflow_dispatch' }}
+    if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+
+    permissions:
+      id-token: write
+      contents: read
 
     env:
       DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
       DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
       DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
+      AWS_ENABLED: ${{ secrets.AWS_ACCOUNT != '' && secrets.AWS_REGION != '' && secrets.AWS_SECURITY_GROUP != '' }}
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Configure AWS credentials
+        if: ${{ env.AWS_ENABLED == 'true' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/MOT-SSH
+
+      - name: Get runners public IP address
+        if: ${{ env.AWS_ENABLED == 'true' }}
+        id: ip
+        uses: haythem/[email protected]
+
+      - name: Authorize IP address
+        if: ${{ env.AWS_ENABLED == 'true' }}
+        id: auth-ip
+        uses: ./.github/actions/authorize-ip
+        with:
+          ip: ${{ steps.ip.outputs.ipv4 }}
+          sgid: ${{ secrets.AWS_SECURITY_GROUP }}
+
       - name: Start ssh-agent and add key
         uses: webfactory/[email protected]
         with:
@@ -88,6 +87,8 @@ jobs:
             --exclude 'tests' \
             --exclude 'config' \
             --exclude 'models/' \
+            --exclude 'web/sites/*/files' \
+            --exclude 'web/libraries' \
             ./ $DEPLOY_USER@$DEPLOY_HOST:$DEPLOY_PATH
 
       - name: Post-deploy tasks
@@ -99,3 +100,10 @@ jobs:
             ./vendor/bin/drush cr
             ./vendor/bin/drush updb -y
           EOF
+
+      - name: Revoke IP address
+        if: ${{ steps.auth-ip.outcome == 'success' }}
+        uses: ./.github/actions/revoke-ip
+        with:
+          ip: ${{ steps.ip.outputs.ipv4 }}
+          sgid: ${{ secrets.AWS_SECURITY_GROUP }}
diff --git a/.github/workflows/update_models.yml b/.github/workflows/update_models.yml
@@ -15,62 +15,62 @@ on:
         default: 'Stage'
 
 jobs:
-  secrets-check:
+  setup-check:
     runs-on: ubuntu-latest
     environment: ${{ inputs.environment || 'Production' }}
     steps:
-      - name: Check DEPLOY_HOST
-        env:
-          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
-        run: |
-          if [ -z "$DEPLOY_HOST" ]; then
-            echo "DEPLOY_HOST is not set."
-            exit 1
-          fi
-
-      - name: Check DEPLOY_USER
-        env:
-          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
-        run: |
-          if [ -z "$DEPLOY_USER" ]; then
-            echo "DEPLOY_USER is not set."
-            exit 1
-          fi
-
-      - name: Check DEPLOY_PATH
-        env:
-          DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
-        run: |
-          if [ -z "$DEPLOY_PATH" ]; then
-            echo "DEPLOY_PATH is not set."
-            exit 1
-          fi
-
-      - name: Check DEPLOY_KEY
-        env:
-          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
-        run: |
-          if [ -z "$DEPLOY_KEY" ]; then
-            echo "DEPLOY_KEY is not set"
-            exit 1
-          fi
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Check environment variables
+        uses: ./.github/actions/setup-check
+        with:
+          deploy_host: ${{ secrets.DEPLOY_HOST }}
+          deploy_user: ${{ secrets.DEPLOY_USER }}
+          deploy_path: ${{ secrets.DEPLOY_PATH }}
+          deploy_key: ${{ secrets.DEPLOY_KEY }}
 
   update-models:
     runs-on: ubuntu-latest
-    needs: secrets-check
+    needs: setup-check
     environment: ${{ inputs.environment || 'Production' }}
 
+    permissions:
+      id-token: write
+      contents: read
+
     env:
       DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
       DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
       DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
+      AWS_ENABLED: ${{ secrets.AWS_ACCOUNT != '' && secrets.AWS_REGION != '' && secrets.AWS_SECURITY_GROUP != '' }}
 
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Configure AWS credentials
+        if: ${{ env.AWS_ENABLED == 'true' }}
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ secrets.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT }}:role/MOT-SSH
+
+      - name: Get runners public IP address
+        if: ${{ env.AWS_ENABLED == 'true' }}
+        id: ip
+        uses: haythem/[email protected]
+
+      - name: Authorize IP address
+        if: ${{ env.AWS_ENABLED == 'true' }}
+        id: auth-ip
+        uses: ./.github/actions/authorize-ip
+        with:
+          ip: ${{ steps.ip.outputs.ipv4 }}
+          sgid: ${{ secrets.AWS_SECURITY_GROUP }}
+
       - name: Start ssh-agent and add key
         uses: webfactory/[email protected]
         with:
@@ -126,3 +126,10 @@ jobs:
       - name: No changes
         if: ${{ env.sync == 'false' }}
         run: echo "No model changes detected. Skipping"
+
+      - name: Revoke IP address
+        if: ${{ steps.auth-ip.outcome == 'success' }}
+        uses: ./.github/actions/revoke-ip
+        with:
+          ip: ${{ steps.ip.outputs.ipv4 }}
+          sgid: ${{ secrets.AWS_SECURITY_GROUP }}