Add Deployment workflows #519
Conversation
Signed-off-by: Divya Madala <divyaasm@amazon.com>
Divyaasm
requested review from
peterzhuamazon,
gaiksaya,
rishabh6788,
zelinh and
prudhvigodithi
as code owners
.github/workflows/prod-deploy.yml
Outdated
| github.event.issue.pull_request && | ||
| contains(github.event.comment.body, 'Approve Prod Deployment') |
There was a problem hiding this comment.
Can anyone write this line and approve prod?
There was a problem hiding this comment.
Yes Peter, we can control who can approve just by adding their gh alias in the above condition. For example github.actor == 'Divyaasm'.
.github/workflows/prod-deploy.yml
Outdated
| if: >- | ||
| github.event.issue.pull_request && | ||
| contains(github.event.comment.body, 'Approve Prod Deployment') | ||
| name: Get approval for deployment |
There was a problem hiding this comment.
Name should be beta deployment workflow?
There was a problem hiding this comment.
Sure, Will Change to avoid confusion.
.github/workflows/beta-deploy.yml
Outdated
| if: >- | ||
| github.event.issue.pull_request && | ||
| contains(github.event.comment.body, 'Approve Beta Deployment') | ||
| name: Get approval for deployment |
There was a problem hiding this comment.
It would be helpful to see this is action. Maybe you can share something you tried in your fork?
I highly recommend using GitHub environments for deployments https://docs.github.com/en/actions/managing-workflow-runs-and-deployments/managing-deployments/managing-environments-for-deployment
This would also help to keep secrets to different env separate from each other so that blast radius is minimum. Each env can also have approvers that need to approve the workflow before proceeding.
The prod deployment workflow can be an after action and only runs when beta is succeeded.
Another approach to consider: For beta as well as prod deployment, we can get approvals using something like opensearch-project/opensearch-java#1354 with change-set added in the issue body showing what all changes are gonna happen.
.github/workflows/changeset.yml
Outdated
| - name: Create Change Set for Beta | ||
| run: | | ||
| npm run cdk diff -- OpenSearch-CI-Config-Beta -c useSsl=true -c serverAccessType=prefixList -c restrictServerAccessTo=${{ secrets.PREFIX_LIST }} | ||
| npm run cdk diff -- OpenSearch-CI-Beta -c useSsl=true -c authType=github -c dataRetention=true -c macAgent=true -c useProdAgents=true -c enableViews=true -c ignoreResourcesFailures=false -c serverAccessType=prefixList -c restrictServerAccessTo=${{secrets.PREFIX_LIST}} | ||
|
|
||
| - name: Assume IAM Role for Prod | ||
| uses: aws-actions/configure-aws-credentials@v4.0.2 | ||
| with: | ||
| role-to-assume: ${{ secrets.PROD_DEPLOYMENT_ROLE }} | ||
| aws-region: us-east-1 | ||
|
|
||
| - name: Create Change Set for Prod | ||
| run: | | ||
| npm run cdk diff -- OpenSearch-CI-Config-Prod -c useSsl=true -c serverAccessType=prefixList -c restrictServerAccessTo=${{ secrets.INTERNET_ACCESS }} | ||
| npm run cdk diff -- OpenSearch-CI-Prod -c useSsl=true -c authType=github -c dataRetention=true -c macAgent=true -c useProdAgents=true -c enableViews=true -c ignoreResourcesFailures=false -c serverAccessType=prefixList -c restrictServerAccessTo=${{secrets.PREFIX_LIST}} |
There was a problem hiding this comment.
What is the point of change sets here?
Just to see the diff? IF yes, maybe we should comment on the PR causing the workflow to run?
There was a problem hiding this comment.
Yes just to see the changesets involved. It's triggered when a PR is raised. Should it be only trigerred if required through comment action?
.github/workflows/beta-deploy.yml
Outdated
| on: | ||
| issue_comment: | ||
| types: [created] |
There was a problem hiding this comment.
We want to deploy on merge from main or dispatch action. Can you please elaborate on this trigger?
There was a problem hiding this comment.
The point of approval workflow is to add a manual step between PR merge and Deployment of the changes from the PR to Beta followed by Prod.
The changes in the current PR will
- Trigger a changeset workflow to review the resources that changed/added/deleted in both beta and prod environments.
- After the PR is merged, folks from the team would again confirm the changeset and comment "Approve ...." sequentially to proceed beta and prod deployment.
.github/workflows/beta-deploy.yml
Outdated
| COMMAND_OUTPUT=$(npm run cdk diff -- OpenSearch-CI-Config-Beta -c useSsl=true -c serverAccessType=prefixList -c restrictServerAccessTo=${{secrets.PREFIX_LIST}}) | ||
| echo "$COMMAND_OUTPUT" | grep -q "Number of stacks with differences: 0" | ||
| if [ $? -eq 0 ]; then | ||
| echo "No stack changes involved" | ||
| else | ||
| npm run cdk deploy -- OpenSearch-CI-Config-Beta -c useSsl=true -c serverAccessType=prefixList -c restrictServerAccessTo=${{secrets.PREFIX_LIST}} | ||
| npm run cdk deploy -- OpenSearch-CI-Beta -c useSsl=true -c authType=github -c dataRetention=true -c macAgent=true -c useProdAgents=true -c enableViews=true -c ignoreResourcesFailures=false -c serverAccessType=prefixList -c restrictServerAccessTo=${{secrets.PREFIX_LIST}} |
There was a problem hiding this comment.
Can we create a deployment folder in this repo that would have cdk.context.json for these values?
I believe we would have more values coming up. For easy readability and maintenance as well as review we having a context.json file should help for each env. Both BETA and PROD.
There was a problem hiding this comment.
Yeah Sayali, that's on my to-do list. Can we take this as further enhancement?
You can check sample action runs here Sayali |
Signed-off-by: Divya Madala <divyaasm@amazon.com>
| echo "## CI-Config Stack Changeset" >> $GITHUB_OUTPUT | ||
| npm run cdk diff -- OpenSearch-CI-Config-${{ matrix.environment }} -c useSsl=true -c serverAccessType=prefixList -c restrictServerAccessTo=${{ secrets.PREFIX_LIST }} | sed -E 's/[0-9]{12}/[MASKED]/g' >> $GITHUB_OUTPUT | ||
|
|
||
| echo "" >> $GITHUB_OUTPUT | ||
| echo "## CI Stack ChangeSet ${{ matrix.environment }}" >> $GITHUB_OUTPUT | ||
| npm run cdk diff -- OpenSearch-CI-${{ matrix.environment }} -c useSsl=true -c authType=github -c dataRetention=true -c macAgent=true -c useProdAgents=true -c enableViews=true -c ignoreResourcesFailures=false -c serverAccessType=prefixList -c restrictServerAccessTo=${{secrets.PREFIX_LIST}} | sed -E 's/[0-9]{12}/[MASKED]/g' >> $GITHUB_OUTPUT |
There was a problem hiding this comment.
Lets not use context variables. Maybe create a new PR with properties set as desired?
Lets get that PR in first which will simply the deployment and diff commands significantly.
| role-to-assume: ${{ secrets.CHANGESET_ROLE }} | ||
| aws-region: us-east-1 | ||
|
|
||
| - name: Create Change Set for Beta |
There was a problem hiding this comment.
| - name: Create Change Set for Beta | |
| - name: Create Change Set for ${{matrix.environment}} |
Description
Adds changeset and deployment workflows to deploy infra stacks changes with every Pull request
Issues Resolved
#517
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.