Deploy infrastructure changes #56
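# Manually triggered deploy of one OpenTofu configuration to one GitHub
# environment, in two stages: the reusable `plan` workflow produces a saved
# plan artifact, and the `deploy` job applies exactly that plan.
name: Deploy infrastructure changes

on:
  workflow_dispatch:
    inputs:
      config:
        description: OpenTofu configuration to deploy.
        default: service
        required: true
        type: choice
        options:
          - foundation
          - networking
          - service
      environment:
        description: Environment to deploy to.
        default: development
        required: true
        type: environment
      image_tag:
        description: (Optional) Image tag to use for the OpenTofu containers. Defaults to latest SHA.
        required: false
        type: string

# Least privilege for the default GITHUB_TOKEN: read-only checkout plus the
# OIDC token needed to assume the AWS role. Nothing in this workflow writes
# to the repository.
permissions:
  contents: read
  id-token: write

# Serialise runs per (config, environment) so two dispatches cannot run
# `tofu apply` against the same state at the same time. Queue rather than
# cancel: an interrupted apply can leave partially created infrastructure.
concurrency:
  group: deploy-${{ inputs.config }}-${{ inputs.environment }}
  cancel-in-progress: false

# TODO: Add an approval step between plan and deploy.
# NOTE(review): the `deploy` job below already binds to a GitHub environment,
# so configuring "required reviewers" on that environment gates the apply on a
# human approval after the plan has run, with no extra workflow step. Verify
# that rule is set for every non-development environment in repo settings.
jobs:
  plan:
    uses: ./.github/workflows/plan.yaml
    permissions:
      contents: read
      id-token: write
    with:
      environment: ${{ inputs.environment }}
      config: ${{ inputs.config }}
      # Same fallback as the deploy job, so plan and apply see one image tag.
      image_tag: ${{ inputs.image_tag || github.sha }}
    # NOTE(review): two things differ from the deploy job's inputs and are
    # worth reconciling — TF_VAR_ENVIRONMENT is a secret here but the
    # `environment` input in deploy, and TF_VAR_DATABASE_INSTANCE_COUNT is
    # passed to deploy but not to plan. Check plan.yaml's declared secrets
    # before adding or removing entries; undeclared ones fail validation.
    secrets:
      AWS_REGION: ${{ secrets.AWS_REGION }}
      AWS_ROLE_ARN: ${{ secrets.AWS_ROLE_ARN }}
      TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
      TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
      TF_VAR_CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
      TF_VAR_CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
      TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
      TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
      TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
      TF_VAR_ENVIRONMENT: ${{ secrets.TF_VAR_ENVIRONMENT }}
      TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
      TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
      TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
      TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
      TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
      TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
      TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
      TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
      TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
      TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}

  deploy:
    name: Deploy changes to ${{ inputs.environment || 'development' }}
    runs-on: ubuntu-latest
    needs: plan
    # Binding the job to the environment is what applies its protection rules
    # (required reviewers, deployment branches) and scopes its secrets.
    environment: ${{ inputs.environment || 'development' }}
    # Explicit and identical to the top-level grant, so the token scope of the
    # job that holds cloud credentials is visible where it matters.
    permissions:
      contents: read
      id-token: write
    env:
      TF_VAR_image_tag: ${{ inputs.image_tag || github.sha }}
      # Set required variables.
      # NOTE(review): OpenTofu variable names are case-sensitive, so these
      # lowercase TF_VAR_* names and the uppercase ones passed to
      # setup-opentofu below address different variables. Confirm which
      # spelling the configuration declares and drop the other.
      TF_VAR_repo_oidc_arn: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
      TF_VAR_vpc_cidr: ${{ secrets.TF_VAR_VPC_CIDR }}
      TF_VAR_vpc_private_subnet_cidrs: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
      TF_VAR_vpc_public_subnet_cidrs: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
    steps:
      - name: Checkout code
        # NOTE(review): this job assumes an AWS role, so pin third-party
        # actions to a full commit SHA rather than a mutable major tag (a
        # moved `v4` tag runs whatever it now points at with those creds).
        uses: actions/checkout@v4
      - name: Set up AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Region is not sensitive; a repository/environment variable would
          # avoid masking it in logs. Fallback differs from the plan job,
          # which passes the secret through unchanged.
          aws-region: ${{ secrets.AWS_REGION || 'us-west-1' }}
          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
          # Consider adding `${{ github.run_id }}` to the session name so
          # CloudTrail entries map back to a workflow run; first check that the
          # role's trust policy does not condition on this fixed name.
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
      - name: Download plan file
        # Fetches the plan produced by the `plan` job of this same run. A
        # saved plan records the state it was computed against, so `tofu
        # apply` fails on a stale plan instead of applying blind. The plan
        # file can contain sensitive values in clear; keep the artifact's
        # retention short in plan.yaml.
        uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.config }}-tfplan
          path: ./tofu/config/${{ inputs.config }}
      - name: Setup OpenTofu
        uses: ./.github/actions/setup-opentofu
        env:
          TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY: ${{ secrets.TF_VAR_APPLY_DATABASE_UPDATES_IMMEDIATELY }}
          TF_VAR_CONSUMER_CONTAINER_COUNT: ${{ secrets.TF_VAR_CONSUMER_CONTAINER_COUNT }}
          TF_VAR_CONSUMER_CPU: ${{ secrets.TF_VAR_CONSUMER_CPU }}
          TF_VAR_CONSUMER_MEMORY: ${{ secrets.TF_VAR_CONSUMER_MEMORY }}
          TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT: ${{ secrets.TF_VAR_DATABASE_SKIP_FINAL_SNAPSHOT }}
          TF_VAR_DATABASE_INSTANCE_COUNT: ${{ secrets.TF_VAR_DATABASE_INSTANCE_COUNT }}
          TF_VAR_DELETION_PROTECTION: ${{ secrets.TF_VAR_DELETION_PROTECTION }}
          TF_VAR_DEPLOYMENT_ENVIRONMENTS: ${{ secrets.TF_VAR_DEPLOYMENT_ENVIRONMENTS }}
          # Differs from the plan job, which passes secrets.TF_VAR_ENVIRONMENT.
          TF_VAR_ENVIRONMENT: ${{ inputs.environment }}
          TF_VAR_EXPORT_EXPIRATION: ${{ secrets.TF_VAR_EXPORT_EXPIRATION }}
          TF_VAR_IMAGE_TAGS_MUTABLE: ${{ secrets.TF_VAR_IMAGE_TAGS_MUTABLE }}
          TF_VAR_KEY_RECOVERY_PERIOD: ${{ secrets.TF_VAR_KEY_RECOVERY_PERIOD }}
          TF_VAR_PROJECT: ${{ secrets.TF_VAR_PROJECT }}
          TF_VAR_PROGRAM: ${{ secrets.TF_VAR_PROGRAM }}
          TF_VAR_REPO_OIDC_ARN: ${{ secrets.TF_VAR_REPO_OIDC_ARN }}
          TF_VAR_REPOSITORY: ${{ secrets.TF_VAR_REPOSITORY }}
          TF_VAR_VPC_CIDR: ${{ secrets.TF_VAR_VPC_CIDR }}
          TF_VAR_VPC_PRIVATE_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PRIVATE_SUBNET_CIDRS }}
          TF_VAR_VPC_PUBLIC_SUBNET_CIDRS: ${{ secrets.TF_VAR_VPC_PUBLIC_SUBNET_CIDRS }}
        with:
          config: ${{ inputs.config }}
      - name: Deploy changes
        working-directory: ./tofu/config/${{ inputs.config }}
        # Applies the saved plan only — no fresh plan is computed here, so what
        # was reviewed is what gets applied. Variable values were fixed when
        # the plan was written; the TF_VAR_* env above presumably serves the
        # init in setup-opentofu rather than this apply (confirm).
        run: tofu apply tfplan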