Docker deploy Staging #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker deploy Staging | |
| on: | |
| workflow_run: | |
| workflows: ["Docker build and push Staging"] | |
| types: | |
| - completed | |
| env: | |
| AWS_REGION: ca-central-1 | |
| ECS_CLUSTER: superset | |
| REGISTRY: ${{ vars.STAGING_AWS_ACCOUNT_ID }}.dkr.ecr.ca-central-1.amazonaws.com/superset | |
| GITHUB_SHA: ${{ github.sha }} | |
| permissions: | |
| id-token: write | |
| jobs: | |
| docker-deploy: | |
| if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| service: | |
| - superset | |
| - celery-worker | |
| - celery-beat | |
| steps: | |
| - name: Audit DNS requests | |
| uses: cds-snc/dns-proxy-action@main | |
| env: | |
| DNS_PROXY_FORWARDTOSENTINEL: "true" | |
| DNS_PROXY_LOGANALYTICSWORKSPACEID: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }} | |
| DNS_PROXY_LOGANALYTICSSHAREDKEY: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }} | |
| # TODO: Replace with a locked down IAM role | |
| - name: configure aws credentials using OIDC | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ vars.STAGING_AWS_ACCOUNT_ID }}:role/cds-superset-apply | |
| role-session-name: DeployContainer | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Download ECS task definition | |
| run: | | |
| aws ecs describe-task-definition \ | |
| --task-definition ${{ matrix.service }} \ | |
| --query taskDefinition > task-definition.json | |
| - name: Update ECS task image | |
| id: task-def | |
| uses: aws-actions/amazon-ecs-render-task-definition@f87d1f66e0c6e10caeeb51f8344a0d25c899c533 # v1.6.2 | |
| with: | |
| task-definition: task-definition.json | |
| container-name: ${{ matrix.service }} | |
| image: ${{ env.REGISTRY }}:sha-${{ env.GITHUB_SHA }} | |
| - name: Deploy updated ECS task | |
| uses: aws-actions/amazon-ecs-deploy-task-definition@0e82244a9c6dac43d70151a94c67ebc4bab18fc5 # v2.2.0 | |
| with: | |
| task-definition: ${{ steps.task-def.outputs.task-definition }} | |
| service: ${{ matrix.service }} | |
| cluster: ${{ env.ECS_CLUSTER }} | |
| wait-for-service-stability: true | |
| - name: Run Superset database upgrade | |
| if: ${{ matrix.service == 'superset' }} | |
| run: | | |
| aws ecs run-task \ | |
| --cluster ${{ env.ECS_CLUSTER }} \ | |
| --task-definition superset-upgrade \ | |
| --launch-type FARGATE \ | |
| --count 1 \ | |
| --network-configuration "awsvpcConfiguration={subnets=[${{ secrets.STAGING_SUPERSET_PRIVATE_SUBNET_IDS }}],securityGroups=[${{ secrets.STAGING_SUPERSET_ECS_TASK_SECURITY_GROUP_ID }}],assignPublicIp=DISABLED}" |