K8s Apply #53
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: K8s Apply | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: 'Environment' | |
| required: true | |
| type: environment | |
| force_restart: | |
| description: 'Force Deployment Rollout Restart' | |
| required: true | |
| default: false | |
| type: boolean | |
| run_k8s_workflow: | |
| description: 'Run K8s workflow' | |
| required: true | |
| default: true | |
| type: boolean | |
| run_tf_workflow: | |
| description: 'Run TF workflow' | |
| required: true | |
| default: true | |
| type: boolean | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| print_inputs: | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| - name: Print Inputs | |
| id: print_inputs | |
| run: | | |
| echo "- environment: \`${{ inputs.environment }}\`" >> $GITHUB_STEP_SUMMARY | |
| echo "- ref: \`${{ github.ref }}\`" >> $GITHUB_STEP_SUMMARY | |
| echo "- force_restart: \`${{ inputs.force_restart }}\`" >> $GITHUB_STEP_SUMMARY | |
| echo "- run_k8s_workflow: \`${{ inputs.run_k8s_workflow }}\`" >> $GITHUB_STEP_SUMMARY | |
| echo "- run_tf_workflow: \`${{ inputs.run_tf_workflow }}\`" >> $GITHUB_STEP_SUMMARY | |
| initChecks: | |
| runs-on: ubuntu-22.04 | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Check user is a ${{ vars.ALLOWED_DEPLOY_GH_TEAMS }} team member | |
| id: checkUserPermissions | |
| if: ${{ inputs.environment != 'dev' }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.BOT_TEAMS_RO_PAT }} | |
| ORG: ${{ github.repository_owner }} | |
| TEAMS: ${{ vars.ALLOWED_DEPLOY_GH_TEAMS }} | |
| USER: ${{ github.triggering_actor }} | |
| run: | | |
| set -euo pipefail | |
| TEAMS_LIST=$(echo $TEAMS | tr "," "\n") | |
| CHECK_SUCCESS=0 | |
| for TEAM in $TEAMS_LIST; do | |
| set +e | |
| # Check current user membership with gh api | |
| echo "Check if user is member of $TEAM" | |
| GH_TEAM_MEMBERSHIP_RESPONSE=$(gh api -i --method GET -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" \/orgs/$ORG/teams/$TEAM/memberships/$USER) | |
| set -e | |
| # Extract the HTTP status code | |
| HTTP_CODE=$(echo $GH_TEAM_MEMBERSHIP_RESPONSE | head -n 1 | cut -d' ' -f 2) | |
| if [[ $HTTP_CODE -eq 200 ]]; then | |
| echo "User is member of $TEAM" | |
| CHECK_SUCCESS=1 | |
| break | |
| else | |
| echo "User is NOT member of $TEAM" | |
| fi | |
| done | |
| if [[ $CHECK_SUCCESS -eq 0 ]]; then | |
| echo "::error:: Resource not found. Please check the organization ($ORG), team ($TEAMS), and username ($USER). $USER is not memeber of specified teams." | |
| exit 1 | |
| fi | |
| echo "$USER has the correct permissions to execute the workflow." | |
| create_runner: | |
| name: Create Self-Hosted Runner | |
| runs-on: ubuntu-22.04 | |
| if: ${{ inputs.run_k8s_workflow }} | |
| environment: ${{ inputs.environment }} | |
| needs: [ initChecks ] | |
| outputs: | |
| ecs_task_id: ${{ steps.start_runner.outputs.ecs_task_id }} | |
| strategy: | |
| matrix: | |
| index: [1,2,3,4,5,6,7,8,9,10] | |
| fail-fast: false | |
| steps: | |
| - name: Start GitHub Runner | |
| id: start_runner | |
| uses: pagopa/interop-github-runner-aws-create-action@main | |
| with: | |
| aws_region: ${{ secrets.AWS_REGION }} | |
| iam_role_arn: ${{ secrets.ECS_IAM_ROLE_ARN }} | |
| ecs_cluster_name: ${{ secrets.ECS_CLUSTER_NAME }} | |
| ecs_task_definition: ${{ secrets.ECS_TASK_DEFINITION }} | |
| ecs_task_cpu: ${{ vars.ECS_TASK_CPU }} | |
| ecs_task_memory: ${{ vars.ECS_TASK_MEMORY }} | |
| ecs_container_name: ${{ vars.ECS_TASK_CONTAINER_NAME }} | |
| ecs_task_subnet_id: ${{ secrets.SUBNET_ID }} | |
| ecs_task_sec_group: ${{ secrets.SEC_GROUP_ID }} | |
| ecs_task_max_duration_seconds: ${{ vars.ECS_TASK_MAX_DURATION_SECONDS }} | |
| pat_token: ${{ secrets.BOT_TOKEN }} | |
| environment: ${{ inputs.environment }} | |
| deploy: | |
| needs: [ create_runner ] | |
| secrets: inherit | |
| if: ${{ inputs.run_k8s_workflow }} | |
| uses: ./.github/workflows/k8s-apply-sub.yaml | |
| with: | |
| environment: ${{ inputs.environment }} | |
| timeout_seconds: 180 | |
| delete_runner: | |
| name: Delete Self-Hosted Runner | |
| needs: [create_runner, deploy] | |
| if: ${{ always() && inputs.run_k8s_workflow }} | |
| runs-on: ubuntu-22.04 | |
| environment: ${{ inputs.environment }} | |
| strategy: | |
| matrix: | |
| index: [1,2,3,4,5,6,7,8,9,10] | |
| fail-fast: false | |
| steps: | |
| - name: Stop Github Runner | |
| id: stop_runner | |
| uses: pagopa/interop-github-runner-aws-cleanup-action@main | |
| with: | |
| aws_region: ${{ secrets.AWS_REGION }} | |
| iam_role_arn: ${{ secrets.ECS_IAM_ROLE_ARN }} | |
| ecs_cluster_name: ${{ secrets.ECS_CLUSTER_NAME }} | |
| pat_token: ${{ secrets.BOT_TOKEN }} | |
| environment: ${{ inputs.environment }} | |
| tf_apply: | |
| needs: [ initChecks ] | |
| secrets: inherit | |
| if: ${{ inputs.run_tf_workflow }} | |
| uses: ./.github/workflows/tf-apply.yaml | |
| with: | |
| environment: ${{ inputs.environment }} | |
| timeout_seconds: 300 |