Merge pull request #87 from docwho2/dependabot/maven/org.junit.platfo… #135
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy CDK Stack | |
| on: | |
| schedule: | |
| # By scheduling the workflow you get an updated image with the latest virus definitions | |
| - cron: '0 10 * * 1' # Run Every Monday at 10:00 UTC | |
| push: | |
| branches: [ "main" ] | |
| paths-ignore: | |
| - '**.png' | |
| - '**.md' | |
| - '**.sh' | |
| - '**dependabot.yml' | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| concurrency: deploy | |
| jobs: | |
| deploy: | |
| strategy: | |
| matrix: | |
| # Define which environments you want to deploy | |
| # Environments are setup in GutHub | |
| environment: [ stage-us-east, prod-us-east ] | |
| runs-on: ubuntu-latest | |
| environment: ${{ matrix.environment }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| # Required to build arm64 images on x86 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| # Required to build arm64 images on x86 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| # Use AWS Java to build | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@v4 | |
| with: | |
| java-version: '21' | |
| distribution: 'corretto' | |
| cache: maven | |
| - name: Install the latest AWS CDK | |
| run: | | |
| npm install -g aws-cdk | |
| echo "Node Version: $(node -v)" | |
| echo "CDK Version: $(cdk version)" | |
| - name: Setup AWS Credentials | |
| id: aws-creds | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: ${{ vars.AWS_REGION || 'us-east-1' }} | |
| # The full role ARN if you are using OIDC | |
| # https://github.com/aws-actions/configure-aws-credentials#oidc | |
| role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} | |
| # Set up the below secrets if you are not using OIDC and want to use regular keys (best practive is to use just role above with OIDC provider) | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| mask-aws-account-id: true | |
| - name: Debug OIDC Token | |
| if: ${{ vars.DEBUG_OIDC == 'true' }} # Set DEBUG_OIDC=true as a GitHub Actions variable to enable this step | |
| shell: bash | |
| run: | | |
| echo "Fetching OIDC token..." | |
| token=$(curl -s -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL") | |
| echo "$token" | cut -d '.' -f2 | base64 -d | jq | |
| - name: Add AWS_ACCOUNT_ID to Environment | |
| run: echo "AWS_ACCOUNT_ID=${{ steps.aws-creds.outputs.aws-account-id }}" >> $GITHUB_ENV | |
| - name: Build top level project which will have lambda jar ready for CDK build | |
| run: > | |
| mvn install -DskipTests | |
| --no-transfer-progress --quiet | |
| - name: Construct bucketNames Context adding Validation Bucket for test if defined | |
| id: construct-buckets | |
| run: | | |
| BUCKETS="${{ vars.S3_BUCKET_NAMES }}" | |
| if [ -n "${{ vars.VALIDATION_BUCKET }}" ]; then | |
| BUCKETS="${BUCKETS},${{ vars.VALIDATION_BUCKET }}" | |
| fi | |
| echo "BUCKET_NAMES=$BUCKETS" >> $GITHUB_ENV | |
| echo "Final list of bucket names to deploy against: $BUCKETS" | |
| - name: Ensure CDK is bootstraped and up to date | |
| working-directory: ./cdk | |
| run: cdk bootstrap --ci=true aws://${AWS_ACCOUNT_ID}/${{ vars.AWS_REGION || 'us-east-1' }} | |
| - name: Deploy CDK Stack | |
| working-directory: ./cdk | |
| env: | |
| ONLY_TAG_INFECTED: ${{ vars.ONLY_TAG_INFECTED }} | |
| VALIDATION_BUCKET: ${{ vars.VALIDATION_BUCKET }} | |
| run: > | |
| cdk deploy --require-approval=never --ci=true | |
| --context bucketNames="${{ env.BUCKET_NAMES }}" | |
| --context addBucketPolicy="${{ vars.ADD_BUCKET_POLICY || 'false' }}" | |
| - name: Run Virus Scan Integration Tests (if VALIDATION_BUCKET is set) | |
| if: ${{ vars.VALIDATION_BUCKET != '' }} | |
| id: scan-tests | |
| working-directory: ./integration-test | |
| env: | |
| VALIDATION_BUCKET: ${{ vars.VALIDATION_BUCKET }} | |
| ONLY_TAG_INFECTED: ${{ vars.ONLY_TAG_INFECTED }} | |
| run: | | |
| echo "Waiting 30 seconds to allow Lambda to finish deploying..." | |
| sleep 30 | |
| echo "Running Virus Scan Validation Tests..." | |
| mvn --batch-mode --no-transfer-progress exec:java | |
| - name: Rollback Lambda Alias if Tests Fail | |
| if: failure() && steps.scan-tests.outcome == 'failure' | |
| run: | | |
| echo "Rolling back Lambda alias to previous version..." | |
| FUNCTION_NAME=$(cd shared-model; mvn --quiet exec:java -Dexec.args=LAMBDA_NAME) | |
| ALIAS_NAME=$(cd shared-model; mvn --quiet exec:java -Dexec.args=LAMBDA_ALIAS_NAME) | |
| # Get previous version (second to last version) | |
| PREV_VERSION=$(aws lambda list-versions-by-function \ | |
| --function-name "$FUNCTION_NAME" \ | |
| --query 'Versions[-2].Version' \ | |
| --output text) | |
| echo "Repointing alias $ALIAS_NAME to version $PREV_VERSION" | |
| aws lambda update-alias \ | |
| --function-name "$FUNCTION_NAME" \ | |
| --name "$ALIAS_NAME" \ | |
| --function-version "$PREV_VERSION" |