Use secrets from secret manager #158
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Workflow references https://stackoverflow.com/questions/59166099/github-action-aws-cli, | |
| # https://stackoverflow.com/questions/51028677/create-aws-ecr-repository-if-it-doesnt-exist, | |
| # https://github.com/aws-actions/amazon-ecr-login and | |
| # https://medium.com/@octavio/ecs-deployments-with-github-actions-dd34beed6528 | |
| # https://stackoverflow.com/questions/75546117/github-action-how-to-edit-a-json-objects-with-github-repository-secrets | |
| name: Run Tests and Deploy to AWS | |
| on: | |
| pull_request: # run the workflow on PRs to any branches | |
| push: # run the workflow on any push to any branches | |
| workflow_dispatch: # allow workflow to be executed manually on the GitHub UI | |
| fork: # run the workflow if forks are made | |
| env: | |
| PYTHON_VERSION: "3.12" | |
| AWS_REGION: "ap-southeast-1" | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| jobs: | |
| # automated testing will run on both prod and dev | |
| test: | |
| strategy: | |
| matrix: | |
| os: [ ubuntu-latest, windows-latest, macOS-latest ] | |
| name: Test on ${{ matrix.os }} | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Python ${{ env.PYTHON_VERSION }} | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: ${{ env.PYTHON_VERSION }} | |
| cache: "pip" | |
| - name: Install dependencies | |
| working-directory: ./SSG-API-Testing-Application-v2/app | |
| run: pip install -r requirements.txt | |
| - name: Run tests | |
| working-directory: ./SSG-API-Testing-Application-v2/app | |
| run: python test_runner.py | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@v4.0.1 | |
| with: | |
| files: ./SSG-API-Testing-Application-v2/app/coverage.xml | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: false | |
| # scanning should run on both prod and dev | |
| terrascan: | |
| runs-on: ubuntu-latest | |
| name: Scan Terraform Scripts | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: Scan Terraform Script | |
| id: terrascan | |
| uses: tenable/terrascan-action@main | |
| with: | |
| iac_type: "terraform" | |
| iac_version: "v14" | |
| policy_type: "aws" | |
| only_warn: true | |
| sarif_upload: true | |
| iac_dir: "./SSG-API-Testing-Application-v2/deploy" # this will discover and scan both dev and prod | |
| - name: Upload SARIF to CodeQL | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: terrascan.sarif | |
| setup: | |
| # prod setup should only occur on the prod repo | |
| if: github.repository == 'ssg-wsg/Sample-Codes' | |
| environment: production | |
| needs: | |
| - test | |
| runs-on: ubuntu-latest | |
| name: Setup Terraform Backend (prod) | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: Verify Terraform Script | |
| id: create-backend-verify | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-backend | |
| run: | | |
| terraform fmt | |
| terraform fmt -check | |
| - name: Initialise Backend | |
| id: init-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-backend | |
| run: terraform init | |
| - name: Validate Terraform Script | |
| id: create-backend-validate | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-backend | |
| run: terraform validate | |
| - name: View Backend Plan | |
| id: plan-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-backend | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform plan | |
| - name: Apply Terraform Plan | |
| id: apply-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-backend | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform apply -auto-approve | |
| continue-on-error: true # possible errors are to do with the presence of the bucket | |
| setup-dev: | |
| # dev setup should occur outside the prod repo | |
| if: github.repository != 'ssg-wsg/Sample-Codes' | |
| environment: dev | |
| needs: | |
| - test | |
| runs-on: ubuntu-latest | |
| name: Setup Terraform Backend (dev) | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: Verify Terraform Script | |
| id: create-backend-verify | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-backend | |
| run: | | |
| terraform fmt | |
| terraform fmt -check | |
| - name: Initialise Backend | |
| id: init-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-backend | |
| run: terraform init | |
| - name: Validate Terraform Script | |
| id: create-backend-validate | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-backend | |
| run: terraform validate | |
| - name: View Backend Plan | |
| id: plan-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-backend | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform plan | |
| - name: Apply Terraform Plan | |
| id: apply-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-backend | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform apply -auto-approve | |
| continue-on-error: true # possible errors are to do with the presence of the bucket | |
| ecr: | |
| # prod setup of ECR should occur within the prod repo | |
| if: github.repository == 'ssg-wsg/Sample-Codes' | |
| needs: | |
| - setup | |
| runs-on: ubuntu-latest | |
| name: Setup ECR Repository | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: Verify Terraform Script | |
| id: create-backend-verify | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-ecr | |
| run: | | |
| terraform fmt | |
| terraform fmt -check | |
| - name: Initialise Backend | |
| id: init-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-ecr | |
| run: terraform init | |
| - name: Validate Terraform Script | |
| id: create-backend-validate | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-ecr | |
| run: terraform validate | |
| - name: View Backend Plan | |
| id: plan-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-ecr | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform plan | |
| - name: Apply Terraform Plan | |
| id: apply-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/create-ecr | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform apply -auto-approve | |
| continue-on-error: true # possible errors are to do with the presence of the repo | |
| ecr-dev: | |
| # dev setup of ECR should occur outside the prod repo | |
| if: github.repository != 'ssg-wsg/Sample-Codes' | |
| needs: | |
| - setup-dev | |
| runs-on: ubuntu-latest | |
| name: Setup ECR Repository | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: Verify Terraform Script | |
| id: create-backend-verify | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-ecr | |
| run: | | |
| terraform fmt | |
| terraform fmt -check | |
| - name: Initialise Backend | |
| id: init-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-ecr | |
| run: terraform init | |
| - name: Validate Terraform Script | |
| id: create-backend-validate | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-ecr | |
| run: terraform validate | |
| - name: View Backend Plan | |
| id: plan-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-ecr | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform plan | |
| - name: Apply Terraform Plan | |
| id: apply-backend | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/create-ecr | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform apply -auto-approve | |
| continue-on-error: true # possible errors are to do with the presence of the repo | |
| main-infra: | |
| # setting up prod infrastructure should be done on prod only | |
| if: github.repository == 'ssg-wsg/Sample-Codes' | |
| environment: production | |
| needs: | |
| - ecr | |
| runs-on: ubuntu-latest | |
| name: Create/Maintain Main Infrastructure | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: Verify Terraform Script | |
| id: create-main-verify | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/main-infrastructure | |
| run: | | |
| terraform fmt | |
| terraform fmt -check | |
| - name: Initialise Main Infrastructure | |
| id: init-main | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/main-infrastructure | |
| run: | | |
| terraform init -backend-config="access_key=$AWS_ACCESS_KEY_ID" -backend-config="secret_key=$AWS_SECRET_ACCESS_KEY" | |
| - name: Validate Terraform Script | |
| id: create-main-validate | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/main-infrastructure | |
| run: terraform validate | |
| - name: View Main Infrastructure Plan | |
| id: plan-main | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/main-infrastructure | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform plan | |
| - name: Apply Terraform Plan | |
| id: apply-main | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/prod/main-infrastructure | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform apply -auto-approve | |
| main-infra-dev: | |
| # setting up prod infrastructure should be done on prod only | |
| if: github.repository != 'ssg-wsg/Sample-Codes' | |
| environment: dev | |
| needs: | |
| - ecr-dev | |
| runs-on: ubuntu-latest | |
| name: Create/Maintain Main Infrastructure | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: Verify Terraform Script | |
| id: create-main-verify | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/main-infrastructure | |
| run: | | |
| terraform fmt | |
| terraform fmt -check | |
| - name: Initialise Main Infrastructure | |
| id: init-main | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/main-infrastructure | |
| run: | | |
| terraform init -backend-config="access_key=$AWS_ACCESS_KEY_ID" -backend-config="secret_key=$AWS_SECRET_ACCESS_KEY" | |
| - name: Validate Terraform Script | |
| id: create-main-validate | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/main-infrastructure | |
| run: terraform validate | |
| - name: View Main Infrastructure Plan | |
| id: plan-main | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/main-infrastructure | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform plan | |
| - name: Apply Terraform Plan | |
| id: apply-main | |
| working-directory: ./SSG-API-Testing-Application-v2/deploy/dev/main-infrastructure | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| AWS_REGION: ${{ env.AWS_REGION }} | |
| run: terraform apply -auto-approve |