
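name: 'Deploy'

# Trigger on CI workflow completion.
#
# SECURITY NOTE: `workflow_run` fires for *every* completed run of "CI", on any
# branch (including pull-request branches), and it always executes with the
# default-branch copy of this file and, by default, a default-branch checkout.
# The first job therefore gates on the CI conclusion, the triggering event and
# the branch, and every job checks out the exact commit CI tested (head_sha),
# so the artifact that ships is the one that passed CI.
on:
  workflow_run:
    workflows: ["CI"]
    types:
      - completed

env:
  AWS_REGION: us-east-1 # set this to your preferred AWS region, e.g. us-west-1
  ECR_REPOSITORY_ECS: ecs-repo # set this to your Amazon ECR repository name
  ECR_REPOSITORY_LAMBDA: lambda-repo
  ECS_SERVICE: bedrock-qa-rag-service-tf # set this to your Amazon ECS service name
  ECS_CLUSTER: bedrock-qa-rag-cluster-tf # set this to your Amazon ECS cluster name
  ECS_TASK_DEFINITION: .aws/task-definition-actions.json # set this to the path to your Amazon ECS task definition file, e.g. .aws/task-definition.json
  CONTAINER_NAME: bedrock-qa-rag-service-tf # set this to the name of the container in the containerDefinitions section of your task definition
  LOGS_GROUP_NAME: "/aws/ecs/question-answer-app"
  ECS_TASK_FAMILY_NAME: bedrock-qa-rag-task-tf
  ECS_EXECUTION_ROLE_NAME: bedrock-qa-rag-ecs-execution-role-tf
  ECS_TASK_ROLE_NAME: bedrock-qa-rag-ecs-task-role-tf
  # Do NOT put secrets in the workflow-level env: that exposes them to every
  # step of every job, including third-party actions that have no need for
  # them. QDRANT_URL / QDRANT_API_KEY are scoped to the single step that
  # writes them to Secrets Manager (see deploy-secrets).

# Least privilege for GITHUB_TOKEN: no job writes back to the repository.
# (If the AWS steps are migrated to OIDC, add `id-token: write` here.)
permissions:
  contents: read

jobs:
  deploy-lambda:
    name: Deploy (Amazon ECR - Lambda Functions)
    runs-on: ubuntu-latest
    environment: production
    # Deploy only when CI succeeded for a push to main. Every other job
    # `needs` this one, so they are skipped automatically when it is skipped.
    # Checking `event == 'push'` excludes CI runs triggered by pull_request
    # (a fork PR could carry a branch named "main").
    if: ${{ github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main' }}
    defaults:
      run:
        shell: bash
    steps:
      # Check out the commit CI actually tested, not the default-branch tip
      # (which may already have moved on by the time this workflow starts).
      - name: Checkout
        # TODO(security): pin third-party actions to a full commit SHA rather
        # than a mutable major-version tag (supply-chain hardening).
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - name: Configure AWS credentials
        # TODO(security): prefer OIDC (`role-to-assume` with a short-lived
        # session and `permissions: id-token: write`) over long-lived access
        # keys stored as repository secrets.
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      # Create the repository on first use, with scan-on-push enabled so every
      # pushed image is vulnerability-scanned by ECR.
      - name: Create ECR repository
        run: |
          if ! aws ecr describe-repositories --repository-names "$ECR_REPOSITORY_LAMBDA" > /dev/null 2>&1; then
            aws ecr create-repository \
              --repository-name "$ECR_REPOSITORY_LAMBDA" \
              --image-scanning-configuration scanOnPush=true
          fi
      - name: Build, tag, and push image to Amazon ECR (Lambda Functions)
        id: build-image
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./lambda_functions/docker/Dockerfile
          push: true
          tags: ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY_LAMBDA }}:${{ github.sha }}

  terraform:
    name: 'Terraform (IaC)'
    needs: deploy-lambda
    runs-on: ubuntu-latest
    environment: production
    defaults:
      run:
        shell: bash
    steps:
      # Checkout the repository (at the CI-tested commit) to the GitHub Actions runner
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      # Configure AWS credentials for the AWS CLI
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v1
        with:
          cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
      # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.
      # The state backend is reached through a dedicated role (terraform_state_role)
      # in the caller's own account; the account id is derived from the credentials
      # in use rather than hard-coded.
      - name: Terraform Init
        run: |
          AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
          cd terraform && terraform init \
            -backend-config="region=$AWS_REGION" \
            -backend-config='assume_role={"role_arn":"arn:aws:iam::'"$AWS_ACCOUNT_ID"':role/terraform_state_role"}'
      # Checks that all Terraform configuration files adhere to a canonical format
      - name: Terraform Format
        run: make tf-fmt
      # Generates an execution plan for Terraform
      - name: Terraform Plan
        run: make tf-plan
      # Build or change infrastructure according to Terraform configuration files.
      # This job only runs for successful CI runs of pushes to main (gated on
      # deploy-lambda via `needs`), and `environment: production` lets required
      # reviewers approve before apply.
      # NOTE(review): plan and apply are separate `make` targets; unless
      # `tf-deploy` applies the saved plan file from `tf-plan`, what is applied
      # can differ from what was planned — confirm in the Makefile.
      # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
      - name: Terraform Apply
        run: make tf-deploy

  deploy-secrets:
    name: Deploy (AWS Secrets Manager - Qdrant)
    needs: [terraform, deploy-lambda]
    runs-on: ubuntu-latest
    environment: production
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      # Secrets are injected into this step only. Values are quoted so a URL
      # or key containing shell metacharacters/whitespace cannot be split or
      # expanded. `put-secret-value` presumes the secrets already exist
      # (presumably created by the Terraform job above — verify).
      - name: Upload Qdrant secrets to AWS Secrets Manager
        env:
          QDRANT_URL: ${{ secrets.QDRANT_URL }}
          QDRANT_API_KEY: ${{ secrets.QDRANT_API_KEY }}
        run: |
          aws secretsmanager put-secret-value --secret-id prod/qdrant_url --secret-string "$QDRANT_URL"
          aws secretsmanager put-secret-value --secret-id prod/qdrant_api_key --secret-string "$QDRANT_API_KEY"

  deploy-ecs:
    name: Deploy (Amazon ECR - ECS)
    needs: [terraform, deploy-lambda, deploy-secrets]
    runs-on: ubuntu-latest
    environment: production
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.workflow_run.head_sha }}
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v1
      # Build a docker container and push it to ECR so that it can be deployed
      # to ECS. The repository name is taken from ECR_REPOSITORY_ECS; the
      # previous `$ECR_REPOSITORY` was never defined and produced an image
      # reference of the form `<registry>/:<sha>`.
      - name: Build, tag, and push image to Amazon ECR
        id: build-image
        env:
          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          ECR_REPOSITORY: ${{ env.ECR_REPOSITORY_ECS }}
          IMAGE_TAG: ${{ github.sha }}
        run: |
          docker build -t "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" .
          docker push "$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
          echo "image=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" >> "$GITHUB_OUTPUT"
      # Fill the template placeholders. Values are passed through environment
      # variables rather than inlined as `${{ }}` expressions inside the
      # script, so they are never re-parsed by the shell (the standard
      # defence against expression/script injection in `run:` steps).
      - name: Pass values to .aws/task-definition-actions.json placeholders
        env:
          IMAGE: ${{ steps.build-image.outputs.image }}
          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
        run: |
          TASK_DEF="$ECS_TASK_DEFINITION"
          sed -i "s|{tag}|$IMAGE|g" "$TASK_DEF"
          sed -i "s|{name}|$CONTAINER_NAME|g" "$TASK_DEF"
          sed -i "s|{region}|$AWS_REGION|g" "$TASK_DEF"
          sed -i "s|{ecr}|$ECR_REPOSITORY_ECS|g" "$TASK_DEF"
          sed -i "s|{account_id}|$AWS_ACCOUNT_ID|g" "$TASK_DEF"
          sed -i "s|{logs_group_name}|$LOGS_GROUP_NAME|g" "$TASK_DEF"
          sed -i "s|{ecs_task_family_name}|$ECS_TASK_FAMILY_NAME|g" "$TASK_DEF"
          sed -i "s|{ecs_execution_role_name}|$ECS_EXECUTION_ROLE_NAME|g" "$TASK_DEF"
          sed -i "s|{ecs_task_role_name}|$ECS_TASK_ROLE_NAME|g" "$TASK_DEF"
      - name: Fill in the new image ID in the Amazon ECS task definition
        id: task-def
        uses: aws-actions/amazon-ecs-render-task-definition@v1
        with:
          task-definition: ${{ env.ECS_TASK_DEFINITION }}
          container-name: ${{ env.CONTAINER_NAME }}
          image: ${{ steps.build-image.outputs.image }}
      - name: Deploy Amazon ECS task definition
        uses: aws-actions/amazon-ecs-deploy-task-definition@v1
        with:
          task-definition: ${{ steps.task-def.outputs.task-definition }}
          service: ${{ env.ECS_SERVICE }}
          cluster: ${{ env.ECS_CLUSTER }}
          wait-for-service-stability: true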