-
Notifications
You must be signed in to change notification settings - Fork 0
244 lines (232 loc) · 10.3 KB
/
cloud-formation-stack-status.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
name: Fast Deploy and Secure Static Website
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
env:
FAST_JUST_COPY_FILES: ${{ secrets.FAST_JUST_COPY_FILES }}
jobs:
job_1:
name: IF the site is already deployed, update site content
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Load site .env
if: env.FAST_JUST_COPY_FILES == 'true'
shell: bash
run: |
while read line; do
echo "$line" >> $GITHUB_ENV
done < $GITHUB_WORKSPACE/site/.env
- name: Build content site locally and upload files
if: env.FAST_JUST_COPY_FILES == 'true'
shell: bash
run: |
git submodule update --init --recursive
echo "Content of $GITHUB_WORKSPACE/site/.env is:"
echo $GITHUB_WORKSPACE
cat $GITHUB_WORKSPACE/site/.env
echo "The current value of $AAD_SSO__REDIRECT_URI, from which bucket name will be derived, is:"
echo $AAD_SSO__REDIRECT_URI
echo "Building site."
chmod 777 localbuild.sh
./localbuild.sh
cd authenticated-cloud-docs/deployment/S3SyncUp
pwd
touch .env
echo "AWS_ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}" >> .env
echo "AWS_SECRET_ACCESS_KEY=${{ secrets.AWS_SECRET_ACCESS_KEY }}" >> .env
echo "AWS_REGION=us-east-1" >> .env
npm ci
node index.js $GITHUB_WORKSPACE/localhost/tmp/build
- name: Configure AWS Credentials to Invalidate Cache
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Invalidate Cloudfront cache
if: env.FAST_JUST_COPY_FILES == 'true'
run: |
cd .github
#echo 'DISTRIBUTION_ID=$(cat deployed_cloudfront_distribution_id.txt)' >> $GITHUB_ENV
#echo $DISTRIBUTION_ID
#echo 'INVALIDATION_ID=$(aws cloudfront create-invalidation --distribution-id $DISTRIBUTION_ID --paths "/*" | jq -r .Invalidation.Id' >> $GITHUB_ENV
#echo $INVALIDATION_ID
aws cloudfront create-invalidation --distribution-id `cat deployed_cloudfront_distribution_id.txt` --paths "/*"
job_2:
name: Check the current status of the cloud formation stack
runs-on: ubuntu-latest
needs: [job_1]
strategy:
matrix:
node-version: [12.x]
outputs:
envvalue: ${{ steps.setvar.outputs.envvar }}
steps:
- uses: actions/checkout@v2
- name: <-- Cancel CF Status check and site deployment
if: env.FAST_JUST_COPY_FILES == 'true'
uses: andymckay/[email protected]
# run: exit 1
- name: Import environment variables from .env
shell: bash
run: |
pwd && ls -la
git submodule update --init --recursive
cd authenticated-cloud-docs
pwd && ls -a
input="$GITHUB_WORKSPACE/site/.env"
SUB='AUTHENTICATED_CLOUD_DOCS__HOSTED_ZONE_SUBDOMAIN'
while read -r line
do
if [[ "$line" == *"$SUB"* ]]; then
echo "$line" >> $GITHUB_ENV
fi
done < "$input"
- name: Check the CF stack status
if: env.FAST_JUST_COPY_FILES == 'false' || env.FAST_JUST_COPY_FILES == ''
id: cfStatus
env:
ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_REGION: us-east-1
run: |
cd ./authenticated-cloud-docs/deployment/cfStatus
touch .env
echo "ACCESS_KEY_ID=${{ secrets.AWS_ACCESS_KEY_ID }}" >> .env
echo "SECRET_ACCESS_KEY=${{ secrets.SECRET_ACCESS_KEY }}" >> .env
echo "AWS_REGION=us-east-1" >> .env
echo "CF_STACK_NAME=${{ env.AUTHENTICATED_CLOUD_DOCS__HOSTED_ZONE_SUBDOMAIN }}-dev"
npm ci
npm start
echo "::set-output name=envvar::$(npm start)"
job_3:
name: Build and deploy the site dev.
needs: [job_2]
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./authenticated-cloud-docs/
container: jch254/docker-node-serverless
steps:
- name: <-- Cancel (red X) if deploy is already in progress (test3a)
if: ${{ contains(needs.job_1.outputs.envvar, 'IN_PROGRESS') }}
run: exit 1
- name: Obtain latest git for Alpine and other requirements (before checkout).
run: apk add git zip gettext jq openssh-keygen openssl curl --update-cache
working-directory: ./
- uses: actions/checkout@v2
- name: Install git and update/init submodules
run: git submodule update --init --recursive
working-directory: ./
- name: Import environment variables from .env
id: import-env
shell: bash
run: |
while read line; do
echo "$line" >> $GITHUB_ENV
done < $GITHUB_WORKSPACE/site/.env
echo 'PULL_NUMBER=$(jq --raw-output .pull_request.number "$GITHUB_EVENT_PATH")' >> $GITHUB_ENV
echo $AAD_SSO__REDIRECT_URI
- name: Install docusaurus
run: |
cd ./deployment
npx @docusaurus/init@latest init tmp classic
- name: Configure and build docusaurus site
run: |
cd ./deployment
cat $GITHUB_WORKSPACE/site/config/docusaurus/docusaurus.config.js.template | envsubst > ./tmp/docusaurus.config.js
cp -r ../dmgt-symlinks-plugin ./tmp
cd ./tmp
rm -rf docs src static # Remove default content including conflicting ./src/pages/index.js
cp -r $GITHUB_WORKSPACE/site/content/* . # Get docs, sidebars.js, src, and static from our content directory
npm run build
- name: "Configure AWS Credentials"
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-2
- name: Patch cloudfront-auth to allow non-interative (CLI) use
run: |
cd ./deployment/cloudfront-auth
sed -i"" "s/^prompt.start/prompt.override=require('minimist')(process.argv.slice(2), opts={boolean:true, string:['method', 'AUTHZ']});prompt.start/" build/build.js
- name: Check if private/public keys are set in secrets.
id: secrets_check
run: echo '::set-output name=found_secret::${{secrets.AAD_SSO__ID_RSA}}'
- name: Install provided id_rsa key (from manual run of cloudfront-auth)
if: ${{ contains(steps.secrets_check.outputs.found_secret, 'KEY') }}
run: |
cd ./deployment/cloudfront-auth
mkdir -p distributions/$AAD_SSO__RESULT_NAME/
echo "${{ secrets.AAD_SSO__ID_RSA }}" > distributions/$AAD_SSO__RESULT_NAME/id_rsa
echo "${{ secrets.AAD_SSO__ID_RSA_PUB }}" > distributions/$AAD_SSO__RESULT_NAME/id_rsa.pub
- name: Did not find id_rsa keys in secret to install (cloudfront-auth will generate one)
if: ${{ !contains(steps.secrets_check.outputs.found_secret, 'KEY') }}
run: echo "Not creating id_rsa and id_rsa.pub from secrets, as they're not set"
- name: Run cloudfront-auth to generate AWS CloudFront Lambda@Edge function (Microsoft Azure AD)
run: |
cd ./deployment/cloudfront-auth
npm run-script build -- --SESSION_DURATION=$AAD_SSO__SESSION_DURATION --method=2 --AUTHZ=1 --distribution=$AAD_SSO__RESULT_NAME --trailing_slash_redirects_enabled --simple_urls_enabled --TENANT=$AAD_SSO__TENANT --CLIENT_ID=$AAD_SSO__CLIENT_ID --CLIENT_SECRET=${{ secrets.AAD_SSO__CLIENT_SECRET }} --REDIRECT_URI=$AAD_SSO__REDIRECT_URI
- name: Copy AAD SSO lambda function zip to deployment dir
run: |
cd ./deployment/
mkdir -p resources/lambda/
cp cloudfront-auth/distributions/$AAD_SSO__RESULT_NAME/$AAD_SSO__RESULT_NAME.zip resources/lambda/
- name: Prepare Lambda Edge function zip to deployment dir
run: |
cd ./deployment/src/
zip -j redirectLambda.zip redirectLambda/*
cd ..
cp src/redirectLambda.zip resources/lambda/
- name: Build the CDK App
run: cd deployment; npm ci && npm run build
- name: <-- Cancel (red X) if deploy is already in progress (test3a)
if: ${{ contains(needs.job_1.outputs.envvar, 'IN_PROGRESS') }}
run: exit 1
- name: Substitute .env vars into CDK configuration and deploy the CDK App
run: |
cd ./deployment
echo "Pull request number is $PULL_NUMBER"
echo "(Pull request should be visible above or 'null' if we're not in a pull request)"
cat cdk.json.template | envsubst > cdk.json
cat cdk.json
cat cdk.context.json.template | envsubst > cdk.context.json
cat cdk.context.json
npm run cdk deploy -- --require-approval never
echo "Published to: `cat published_domain_name.txt`"
echo "Cloudfront Distribution ID: `cat deployed_cloudfront_distribution_id.txt`"
- name: Commit files back to branch
run: |
pwd # Not from ./deployment subdir as that may belong to another repo (submodule)
aws cloudformation describe-stacks --region us-east-1 --stack-name ${AUTHENTICATED_CLOUD_DOCS__HOSTED_ZONE_SUBDOMAIN}-dev --query "Stacks[0].Outputs[?contains(OutputKey,'DistributionId')].OutputValue" | jq -r ".[]" > deployed_cloudfront_distribution_id.txt
mv deployed_cloudfront_distribution_id.txt $GITHUB_WORKSPACE/.github/
cd $GITHUB_WORKSPACE
git fetch
git branch -a
git stash
git checkout main
git config --local user.email "[email protected]"
git config --local user.name "GitHub Action"
git branch
git add $GITHUB_WORKSPACE/.github/deployed_cloudfront_distribution_id.txt
git commit -m "Committing result of Distribution Id" || true
git pull
git push || true # There may be no changes to the cloudfront ID, but that's not an error
- name: Comment on the PR with the full published domain
env:
URL: ${{ github.event.issue.comments_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
if: ${{ github.event_name == 'pull_request' }}
run: |
echo "print pr number"
echo ${{ github.event.number }}
cd ./deployment
curl \
-X POST \
${{ github.event.pull_request.comments_url }} \
-H "Content-Type: application/json" \
-H "Authorization: token $GITHUB_TOKEN" \
--data '{ "body": "The site has been deployed to https://'`cat published_domain_name.txt`'" }'