From 65a597331a5a527ee6afcda3a97c5b0f22c153fa Mon Sep 17 00:00:00 2001
From: freddieptf
Date: Thu, 14 Nov 2024 20:26:25 +0300
Subject: [PATCH 1/6] deploy.yml
---
.github/workflows/deploy.yml | 44 ++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
create mode 100644 .github/workflows/deploy.yml
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 00000000..4fefc1be
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,44 @@ +name: Deploy + +on: + # workflow_run: + # workflows: [Docker build and publish] + # types: + # - completed + workflow_dispatch: +env: + AWS_ACCESS_KEY_ID: ${{ secrets.DEPLOY_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.DEPLOY_ACCESS_KEY }} + +jobs: + deploy: + runs-on: ubuntu-latest + # if: ${{ github.event.workflow_run.conclusion == 'success' }} + steps: + - name: install oathtool + run: sudo apt-get install -y oathtool jq + + - name: Authenticate to STS + run: | + mfa_serial="arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:mfa/gh-action" + mfa_code=$(oathtool -b --totp ${{secrets.MFA_KEY}}) + + STS=$(aws sts get-session-token --region "eu-west-2" --serial-number "$mfa_serial" --token-code "$mfa_code") + aws configure set aws_access_key_id $(echo "$STS" | jq -r '.Credentials.AccessKeyId') --profile "${{vars.AWS_USER}}" + aws configure set aws_secret_access_key $(echo "$STS" | jq -r '.Credentials.SecretAccessKey') --profile "${{vars.AWS_USER}}" + aws configure set aws_session_token $(echo "$STS" | jq -r '.Credentials.SessionToken') --profile "${{vars.AWS_USER}}" + + - name: Assume role + run: | + EKS=$(aws sts assume-role --region "eu-west-2" --role-arn "arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:role/eks-${{vars.AWS_USER}}" --role-session-name="${{vars.AWS_USER}}-ghaction" --profile "${{vars.AWS_USER}}") + aws configure set aws_access_key_id $(echo "$EKS" | jq -r '.Credentials.AccessKeyId') --profile "${{vars.AWS_USER}}" + aws configure set aws_secret_access_key $(echo "$EKS" | jq -r '.Credentials.SecretAccessKey') --profile "${{vars.AWS_USER}}" + aws configure set aws_session_token $(echo "$EKS" | jq -r '.Credentials.SessionToken') --profile "${{vars.AWS_USER}}" + + - uses: actions/checkout@v2 + + - name: Helm upgrade + run: | + aws eks update-kubeconfig --name prod-cht-eks --region "eu-west-2" + helm repo add medic https://docs.communityhealthtoolkit.org/helm-charts + helm upgrade --namespace users-chis-prod --values 
scripts/deploy/values/users-chis-civ.yaml users-chis-civ medic/cht-user-management From 109ede418682b8eba45787f017f1589e1854822f Mon Sep 17 00:00:00 2001 From: freddieptf Date: Fri, 15 Nov 2024 20:42:26 +0300 Subject: [PATCH 2/6] wait --- .github/workflows/deploy.yml | 34 +++++++++++++++++++--------------- 1 file changed, 19 insertions(+), 15 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 4fefc1be..7e20f348 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -6,15 +6,19 @@ on: # types: # - completed workflow_dispatch: -env: - AWS_ACCESS_KEY_ID: ${{ secrets.DEPLOY_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.DEPLOY_ACCESS_KEY }} jobs: deploy: runs-on: ubuntu-latest # if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: + - name: "Configure" + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{vars.AWS_REGION}} + aws-access-key-id: ${{ secrets.DEPLOY_KEY_ID }} + aws-secret-access-key: ${{ secrets.DEPLOY_ACCESS_KEY }} + - name: install oathtool run: sudo apt-get install -y oathtool jq 
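Review bot: `mfa_code=$(oathtool -b --totp ${{secrets.MFA_KEY}})` in the Authenticate to STS step expands the TOTP seed straight into the generated shell script; pass it through the step's `env:` (`MFA_KEY: ${{ secrets.MFA_KEY }}`) and read `"$MFA_KEY"` so the secret never appears in the rendered script and the shell sees a quoted variable rather than a substituted expression — the same line survives unchanged through the later hunks that touch this step. The workflow-level `env:` hands `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` to every step in the job, including `actions/checkout@v2`, which has no need for them; step-level `env:` on the two AWS steps would scope them. `actions/checkout@v2` is two majors behind and runs on a deprecated Node runtime; `actions/checkout@v4` is the current line.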
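Review bot: The new `Configure` step still authenticates with a long-lived IAM user key pair (`secrets.DEPLOY_KEY_ID` / `secrets.DEPLOY_ACCESS_KEY`), and the workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` keeps the repository's default scopes; add `permissions:` with `contents: read` at the top of the file. A TOTP seed stored as a GitHub secret next to the access key it is meant to protect is no longer an independent factor — it presumably satisfies an MFA condition on the IAM policy mechanically, so GitHub OIDC federation (`id-token: write` plus `role-to-assume`) would let both the static key pair and the oathtool step be retired. `aws-actions/configure-aws-credentials@v4` is pinned to a floating major tag; pinning third-party actions to a full commit SHA (with the tag in a trailing comment) protects the deploy credentials from a retargeted tag.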
@@ -22,23 +26,23 @@ jobs: run: | mfa_serial="arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:mfa/gh-action" mfa_code=$(oathtool -b --totp ${{secrets.MFA_KEY}}) - - STS=$(aws sts get-session-token --region "eu-west-2" --serial-number "$mfa_serial" --token-code "$mfa_code") - aws configure set aws_access_key_id $(echo "$STS" | jq -r '.Credentials.AccessKeyId') --profile "${{vars.AWS_USER}}" - aws configure set aws_secret_access_key $(echo "$STS" | jq -r '.Credentials.SecretAccessKey') --profile "${{vars.AWS_USER}}" - aws configure set aws_session_token $(echo "$STS" | jq -r '.Credentials.SessionToken') --profile "${{vars.AWS_USER}}" + STS=$(aws sts get-session-token --region "${{vars.AWS_REGION}}" --serial-number "$mfa_serial" --token-code "$mfa_code") + eval `echo $STS | (jq -r '"AWS_ACCESS_KEY_ID="+.Credentials.AccessKeyId,"AWS_SECRET_ACCESS_KEY="+.Credentials.SecretAccessKey,"AWS_SESSION_TOKEN="+.Credentials.SessionToken' >> $GITHUB_ENV)` - name: Assume role - run: | - EKS=$(aws sts assume-role --region "eu-west-2" --role-arn "arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:role/eks-${{vars.AWS_USER}}" --role-session-name="${{vars.AWS_USER}}-ghaction" --profile "${{vars.AWS_USER}}") - aws configure set aws_access_key_id $(echo "$EKS" | jq -r '.Credentials.AccessKeyId') --profile "${{vars.AWS_USER}}" - aws configure set aws_secret_access_key $(echo "$EKS" | jq -r '.Credentials.SecretAccessKey') --profile "${{vars.AWS_USER}}" - aws configure set aws_session_token $(echo "$EKS" | jq -r '.Credentials.SessionToken') --profile "${{vars.AWS_USER}}" + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: ${{vars.AWS_REGION}} + aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }} + aws-session-token: ${{ env.AWS_SESSION_TOKEN }} + role-skip-session-tagging: true + role-to-assume: "arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:role/eks-${{vars.AWS_USER}}" - uses: actions/checkout@v2 - name: Helm upgrade run: | - aws eks 
update-kubeconfig --name prod-cht-eks --region "eu-west-2" + aws eks update-kubeconfig --name ${{vars.CLUSTER}} --region ${{vars.AWS_REGION}} helm repo add medic https://docs.communityhealthtoolkit.org/helm-charts - helm upgrade --namespace users-chis-prod --values scripts/deploy/values/users-chis-civ.yaml users-chis-civ medic/cht-user-management + helm upgrade --namespace ${{vars.NAMESPACE}} --values scripts/deploy/values/users-chis-civ.yaml users-chis-civ medic/cht-user-management From e6805295f930acae3dfa3be7126570c594c9ad47 Mon Sep 17 00:00:00 2001 From: freddieptf Date: Fri, 15 Nov 2024 22:03:34 +0300 Subject: [PATCH 3/6] hide --- .github/workflows/deploy.yml | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 7e20f348..b17e5289 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
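Review bot: The rewritten `Assume role` step drops the `--role-session-name="${{vars.AWS_USER}}-ghaction"` that the removed CLI call set, so the assumed-role session falls back to the action's default session name and the CloudTrail entries for these deploys lose the per-user, per-pipeline label that made them easy to attribute; add `role-session-name: "${{vars.AWS_USER}}-ghaction"` under `with:`. In the STS step the credentials line redirects jq's output into `$GITHUB_ENV`, so the surrounding `eval` receives an empty string and the line works only by side effect, with `$STS` and `$GITHUB_ENV` both unquoted. The new `update-kubeconfig` line also leaves `${{vars.CLUSTER}}` and `${{vars.AWS_REGION}}` unquoted while the STS line above quotes `"${{vars.AWS_REGION}}"`; `--name "${{vars.CLUSTER}}" --region "${{vars.AWS_REGION}}"` keeps the two consistent.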
@@ -22,20 +22,31 @@ jobs: - name: install oathtool run: sudo apt-get install -y oathtool jq - - name: Authenticate to STS + - id: auth + name: Authenticate to STS run: | mfa_serial="arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:mfa/gh-action" mfa_code=$(oathtool -b --totp ${{secrets.MFA_KEY}}) STS=$(aws sts get-session-token --region "${{vars.AWS_REGION}}" --serial-number "$mfa_serial" --token-code "$mfa_code") - eval `echo $STS | (jq -r '"AWS_ACCESS_KEY_ID="+.Credentials.AccessKeyId,"AWS_SECRET_ACCESS_KEY="+.Credentials.SecretAccessKey,"AWS_SESSION_TOKEN="+.Credentials.SessionToken' >> $GITHUB_ENV)` + + aws_access_key_id=$(echo "$STS" | jq -r '.Credentials.AccessKeyId') + echo "::add-mask::$aws_access_key_id" + aws_secret_access_key=$(echo "$STS" | jq -r '.Credentials.SecretAccessKey') + echo "::add-mask::$aws_secret_access_key" + aws_session_token=$(echo "$STS" | jq -r '.Credentials.SessionToken') + echo "::add-mask::$aws_session_token" + + echo "AWS_ACCESS_KEY_ID=$aws_access_key_id" >> "$GITHUB_OUTPUT" + echo "AWS_SECRET_ACCESS_KEY=$aws_secret_access_key" >> "$GITHUB_OUTPUT" + echo "AWS_SESSION_TOKEN=$aws_session_token" >> "$GITHUB_OUTPUT" - name: Assume role uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{vars.AWS_REGION}} - aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }} - aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }} - aws-session-token: ${{ env.AWS_SESSION_TOKEN }} + aws-access-key-id: ${{ steps.auth.outputs.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ steps.auth.outputs.AWS_SECRET_ACCESS_KEY }} + aws-session-token: ${{ steps.auth.outputs.AWS_SESSION_TOKEN }} role-skip-session-tagging: true role-to-assume: "arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:role/eks-${{vars.AWS_USER}}" From 2113830e60e94a35b3a330196bd12807efba84e4 Mon Sep 17 00:00:00 2001 
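Review bot: `STS` still holds the complete `get-session-token` JSON, including all three credential fields, and is never masked — only the three extracted values are — so any later `echo "$STS"` or `set -x` in this step would print them in clear; clear it with `unset STS` once the three `jq` extractions are done. Because these credentials are now handed to the next step as job outputs, shortening their lifetime narrows the exposure window: `aws sts get-session-token --duration-seconds 900 …` (the STS minimum) on the context line above, and `role-duration-seconds: 900` on the `Assume role` step, if the helm steps finish inside that. The `::add-mask::` calls are the right fix for the log-exposure the previous revision had; keep them before the `$GITHUB_OUTPUT` writes as done here.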
From: freddieptf Date: Mon, 18 Nov 2024 19:40:22 +0300 Subject: [PATCH 4/6] matrix --- .github/workflows/deploy.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index b17e5289..520ddbba 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -44,7 +44,7 @@ jobs: uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{vars.AWS_REGION}} - aws-access-key-id: ${{ steps.auth.outputs.AWS_ACCESS_KEY_ID }} + aws-access-key-id: ${{ steps.auth.outputs.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ steps.auth.outputs.AWS_SECRET_ACCESS_KEY }} aws-session-token: ${{ steps.auth.outputs.AWS_SESSION_TOKEN }} role-skip-session-tagging: true @@ -52,8 +52,19 @@ jobs: - uses: actions/checkout@v2 - - name: Helm upgrade + - name: Update kubeconfig run: | aws eks update-kubeconfig --name ${{vars.CLUSTER}} --region ${{vars.AWS_REGION}} helm repo add medic https://docs.communityhealthtoolkit.org/helm-charts - helm upgrade --namespace ${{vars.NAMESPACE}} --values scripts/deploy/values/users-chis-civ.yaml users-chis-civ medic/cht-user-management + + - name: Upgrade users-chis-civ + run: | + helm upgrade --namespace ${{vars.NAMESPACE}} --values scripts/deploy/values/users-chis-civ.yaml users-chis-civ medic/cht-user-management + + - name: Upgrade users-chis-tg + run: | + helm upgrade --namespace ${{vars.NAMESPACE}} --values scripts/deploy/values/users-chis-tg.yaml users-chis-tg medic/cht-user-management + + - name: Upgrade users-chis-ke + run: | + helm upgrade --namespace ${{vars.NAMESPACE}} --values scripts/deploy/values/users-chis-ke.yaml users-chis-ke medic/cht-user-management From 98dfde7c961d274556615b0a8f951ef8932d2c37 Mon Sep 17 00:00:00 2001 From: freddieptf Date: Mon, 18 Nov 2024 19:43:32 +0300 Subject: [PATCH 5/6] on image publish, deploy --- .github/workflows/deploy.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) 
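Review bot: The three new `Upgrade users-chis-*` steps differ only in the release name, and the renamed `Update kubeconfig` step still performs the `helm repo add` as well, so the step names no longer describe the steps; a single loop over the release names keeps the three invocations in sync (a `strategy.matrix` would also work, but it would repeat the MFA/STS handshake per job, and a TOTP code is single-use within its window). `helm upgrade` without `--wait` returns before the rollout completes, so a crash-looping release still leaves the job green — worth `--wait --timeout` if the job is meant to report deploy health. The enclosing job definition starts outside this hunk.
```yaml
      - name: Upgrade user-management releases
        run: |
          for release in users-chis-civ users-chis-tg users-chis-ke; do
            helm upgrade --namespace "${{vars.NAMESPACE}}" \
              --values "scripts/deploy/values/${release}.yaml" \
              "$release" medic/cht-user-management
          done
```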
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 520ddbba..4d205149 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -1,16 +1,15 @@ name: Deploy on: - # workflow_run: - # workflows: [Docker build and publish] - # types: - # - completed - workflow_dispatch: + workflow_run: + workflows: [Docker build and publish] + types: + - completed jobs: deploy: runs-on: ubuntu-latest - # if: ${{ github.event.workflow_run.conclusion == 'success' }} + if: ${{ github.event.workflow_run.conclusion == 'success' }} steps: - name: "Configure" uses: aws-actions/configure-aws-credentials@v4 From 9816b9271ae40a4215c1bf468f07a7eebd444d11 Mon Sep 17 00:00:00 2001 From: freddieptf Date: Wed, 18 Dec 2024 15:38:32 +0300 Subject: [PATCH 6/6] configurable MFA id --- .github/workflows/deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 4d205149..003d8b57 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -24,7 +24,7 @@ jobs: - id: auth name: Authenticate to STS run: | - mfa_serial="arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:mfa/gh-action" + mfa_serial="arn:aws:iam::${{vars.AWS_ACCOUNT_NUMBER}}:mfa/${{vars.MFA_ID}}" mfa_code=$(oathtool -b --totp ${{secrets.MFA_KEY}}) STS=$(aws sts get-session-token --region "${{vars.AWS_REGION}}" --serial-number "$mfa_serial" --token-code "$mfa_code")
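Review bot: The new `if:` only checks `github.event.workflow_run.conclusion == 'success'`, but `workflow_run` fires for the `Docker build and publish` run on any branch (and for pull-request runs, if that workflow has a `pull_request` trigger), and the triggered job always executes the default branch's workflow file with full access to repository secrets; as written, a successful build on a feature branch or a fork PR would start a production helm upgrade. Restrict it, for example `if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.head_branch == github.event.repository.default_branch }}`, or add `branches: [<default-branch>]` under `workflow_run:` with the repository's actual default branch name. The deploy also never reads the triggering run's image tag — the values files decide what is rolled out — so the coupling to the build is by time only (inferred; the values files are not in this diff).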