diff --git a/.github/workflows/cicd.yml b/.github/workflows/cicd.yml index 6f87a837..d8e27982 100644 --- a/.github/workflows/cicd.yml +++ b/.github/workflows/cicd.yml @@ -34,15 +34,6 @@ jobs: uses: "./.github/workflows/deploy.yml" secrets: inherit # pass all secrets - with: - role-to-assume: "arn:aws:iam::854573354511:role/admg-ci-role" - role-session-name: "admg-backend-github-staging-deployment" - environment: "dev" - aws-region: "us-west-2" - vpc-id: "vpc-0caf6f6042c6f2b7c" - domain-name: "admgstaging.nasa-impact.net" - django-debug: false - alb-listener-arn: "arn:aws:elasticloadbalancing:us-west-2:854573354511:loadbalancer/app/admg-backend-loadbalancer/076ac577e623b5be" deploy-to-production: needs: run-linters @@ -51,15 +42,6 @@ jobs: uses: "./.github/workflows/deploy.yml" secrets: inherit # pass all secrets - with: - role-to-assume: "arn:aws:iam::854573354511:role/admg-ci-role" - role-session-name: "admg-backend-github-production-deployment" - environment: "prod" - aws-region: "us-west-2" - vpc-id: "vpc-0108360d661166fc3" - domain-name: "admg.nasa-impact.net" - django-debug: false - alb-listener-arn: "arn:aws:elasticloadbalancing:us-west-2:854573354511:loadbalancer/app/admg-production-loadbalancer/441052bf67cffa76" notify-slack-staging: needs: deploy-to-staging diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index ba93ec75..0a862f6d 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -4,51 +4,16 @@ permissions: id-token: write contents: read -on: - workflow_call: - inputs: - role-to-assume: - type: string - required: true - role-session-name: - type: string - required: false - default: github-actions-deployment - environment: - type: string - required: true - aws-region: - type: string - required: false - default: us-west-2 - vpc-id: - description: ID of AWS VPC. - type: string - required: true - domain-name: - description: Name of the domain from which the application is served. - type: string - required: true - alb-listener-arn: - description: ARN of Application Load Balancer listener. - type: string - required: true - django-debug: - description: Enable DEBUG mode in Django. - type: boolean - required: false - default: false - jobs: build-and-deploy: runs-on: ubuntu-latest - environment: ${{ inputs.environment }} + environment: ${{ vars.environment }} env: - VPC_ID: ${{ inputs.vpc-id }} - DOMAIN_NAME: ${{ inputs.domain-name }} - ALB_LISTENER_ARN: ${{ inputs.alb-listener-arn }} + VPC_ID: ${{ vars.VPCID }} + DOMAIN_NAME: ${{ vars.domain-name }} + ALB_LISTENER_ARN: ${{ vars.alb-listener-arn }} # Django Settings - DJANGO_DEBUG: ${{ inputs.django-debug }} + DJANGO_DEBUG: ${{ vars.django-debug }} DJANGO_ADMIN_URL: ${{ secrets.DJANGO_ADMIN_URL }} DJANGO_ALLOWED_HOSTS: ${{ secrets.DJANGO_ALLOWED_HOSTS }} DJANGO_SECRET_KEY: ${{ secrets.DJANGO_SECRET_KEY }} @@ -85,9 +50,9 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v1 with: - role-to-assume: ${{ inputs.role-to-assume }} + role-to-assume: ${{ vars.ROLETOASSUME }} role-session-name: ${{ github.actor }} - aws-region: ${{ inputs.aws-region }} + aws-region: ${{ vars.aws-region }} - name: Install dependencies run: | diff --git a/deploy/deploy_stacks/app_stack.py b/deploy/deploy_stacks/app_stack.py index 1a1fd1b5..496ce091 100644 --- a/deploy/deploy_stacks/app_stack.py +++ b/deploy/deploy_stacks/app_stack.py 
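Review bot: Removing the whole `on:` block rather than only its `inputs:` leaves deploy.yml without an `on: workflow_call` trigger, so the `uses: "./.github/workflows/deploy.yml"` calls in cicd.yml can no longer invoke it unless `on:` is declared in the three lines above this hunk; keep the trigger with an empty inputs list, `on:` / `  workflow_call: {}`. A job's `environment:` is resolved before any environment-scoped variable is available, so `environment: ${{ vars.environment }}` can only come from a repository- or organization-level variable, and with the `with:` blocks deleted from both callers in cicd.yml the staging and production jobs now run this workflow with identical settings (same environment, same `VPC_ID`, same role). Keep a required `environment` input, pass `"dev"`/`"prod"` from each caller and use `environment: ${{ inputs.environment }}`, after which the remaining `vars.*` lookups in the job's steps resolve against that environment. GitHub configuration variable names may contain only alphanumerics and underscores, so `vars.domain-name`, `vars.alb-listener-arn` and `vars.django-debug` here, and `vars.aws-region` in the @@ -85 hunk, can never match a defined variable and expand to empty strings; rename them in the `VPCID`/`ROLETOASSUME` style (e.g. `DOMAIN_NAME`, `ALB_LISTENER_ARN`, `AWS_REGION`), and ideally make all of them consistent with underscores.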
@@ -59,12 +59,12 @@ def __init__( # to be set when deploying other stacks. deployment_settings = DeploymentSettings( _env_file=( # pyright: ignore NOTE: https://github.com/blakeNaccarato/pydantic/blob/c5a29ef77374d4fda85e8f5eb2016951d23dac33/docs/visual_studio_code.md?plain=1#L260-L272 - {"dev": ".env.staging", "prod": ".env.production"}.get(stage, "development") + {"dev": ".env.staging", "prod": ".env.production"}.get(stage, ".env.development") ), ) app_env_settings = AppEnvSettings( _env_file=( # pyright: ignore NOTE: https://github.com/blakeNaccarato/pydantic/blob/c5a29ef77374d4fda85e8f5eb2016951d23dac33/docs/visual_studio_code.md?plain=1#L260-L272 - {"dev": ".env.staging", "prod": ".env.production"}.get(stage, "development") + {"dev": ".env.staging", "prod": ".env.production"}.get(stage, ".env.development") ), ) @@ -81,10 +81,7 @@ def __init__( app_service = patterns.ApplicationLoadBalancedFargateService( self, - { - "dev": "admg-backend-fargate-service", - "prod": "admg-production-fargate-service", - }.get(stage, "development"), + f"admg-{stage}-fargate-service", cluster=cluster, memory_limit_mib=1024, desired_count=1, @@ -96,9 +93,7 @@ def __init__( "AWS_S3_REGION_NAME": Stack.of(self).region, "AWS_STORAGE_BUCKET_NAME": assets_bucket.bucket_name, "DJANGO_SETTINGS_MODULE": "config.settings.production", - "SENTRY_ENV": {"dev": "staging", "prod": "production"}.get( - stage, "development" - ), + "SENTRY_ENV": stage, "CELERY_BROKER_URL": "sqs://", "CELERY_TASK_DEFAULT_QUEUE": queue.queue_name, "AWS_QUEUE_REGION_NAME": Stack.of(self).region, @@ -111,10 +106,7 @@ def __init__( }, ), task_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PRIVATE_WITH_EGRESS), - load_balancer_name={ - "dev": 'admg-backend-loadbalancer', - "prod": 'admg-production-loadbalancer', - }.get(stage, "development"), + load_balancer_name=f'admg-{stage}-loadbalancer', certificate=certmgr.Certificate( self, id="cert", 
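Review bot: `f"admg-{stage}-fargate-service"` changes the construct ID for the two stages already in use (`admg-backend-…` for dev, `admg-production-…` for prod), and CDK treats a changed construct ID as a new logical resource, so an already-deployed staging or production stack would delete and recreate its Fargate service on the next deploy. The same applies to `load_balancer_name=f'admg-{stage}-loadbalancer'` in the @@ -111 hunk, where the ALB is replaced and the listener ARN the workflow reads into `ALB_LISTENER_ARN` would stop existing; I cannot tell from the diff whether these stacks are live, so this may be intended. If it is, say so in the commit and update the stored listener ARN in the same rollout; otherwise keep a mapping for the names already deployed, e.g. `{"dev": "admg-backend", "prod": "admg-production"}.get(stage, f"admg-{stage}") + "-fargate-service"`. The @@ -111 hunk also uses single quotes where the surrounding keyword arguments use double quotes. `__init__` starts and ends outside this hunk.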
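Review bot: `"SENTRY_ENV": stage` changes the environment name reported to Sentry from `staging`/`production` to `dev`/`prod`, here and in the @@ -139 hunk on the next line, so events from an updated deployment appear under new environment names and any Sentry alert rules or filters keyed on the old names would stop matching. If the rename is intended, the Sentry project configuration needs the same change; otherwise keep the old mapping while still dropping the shared `"development"` fallback, `"SENTRY_ENV": {"dev": "staging", "prod": "production"}.get(stage, stage),`. `__init__` continues outside this hunk.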
@@ -139,7 +131,7 @@ def __init__( "AWS_S3_REGION_NAME": Stack.of(self).region, "AWS_STORAGE_BUCKET_NAME": assets_bucket.bucket_name, "DJANGO_SETTINGS_MODULE": "config.settings.production", - "SENTRY_ENV": {"dev": "staging", "prod": "production"}.get(stage, "development"), + "SENTRY_ENV": stage, "CELERY_BROKER_URL": "sqs://@", "AWS_QUEUE_REGION_NAME": Stack.of(self).region, "CELERY_TASK_DEFAULT_QUEUE": queue.queue_name, diff --git a/deploy/deploy_stacks/infra_stack.py b/deploy/deploy_stacks/infra_stack.py index 1db8a886..8fd2b0de 100644 --- a/deploy/deploy_stacks/infra_stack.py +++ b/deploy/deploy_stacks/infra_stack.py @@ -32,9 +32,7 @@ def __init__(self, app: App, stack_id: str, stage: str, **kwargs) -> None: } }, ), - role_name={"dev": "admg-ci-role", "prod": "admg-production-ci-role"}.get( - stage, "development" - ), + role_name={f"admg-ci-{stage}-role"}, inline_policies={ "cdk_permissions": iam.PolicyDocument( statements=[ @@ -48,7 +46,7 @@ def __init__(self, app: App, stack_id: str, stage: str, **kwargs) -> None: statements=[ iam.PolicyStatement( actions=["s3:PutObject"], - resources=["arn:aws:s3:::assets-bucket/*"], + resources=[f"arn:aws:s3:::admg-{stage}-assets/*"], ) ] ), @@ -57,6 +55,7 @@ def __init__(self, app: App, stack_id: str, stage: str, **kwargs) -> None: deployment_settings = DeploymentSettings( _env_file=( # pyright: ignore NOTE: https://github.com/blakeNaccarato/pydantic/blob/c5a29ef77374d4fda85e8f5eb2016951d23dac33/docs/visual_studio_code.md?plain=1#L260-L272 + # TODO get from env variable {"dev": ".env.staging", "prod": ".env.production"}.get(stage, "development") ), ) @@ -66,6 +65,7 @@ def __init__(self, app: App, stack_id: str, stage: str, **kwargs) -> None: self.bucket: s3.Bucket = s3.Bucket( self, "assets-bucket", + # TODO pull from env bucket_name=generate_name("assets", stage=stage).replace("_", "-"), access_control=s3.BucketAccessControl.BUCKET_OWNER_FULL_CONTROL, ) 
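Review bot: `role_name={f"admg-ci-{stage}-role"}` is a one-element set display, not a string; `iam.Role` takes `role_name` as a str, so this is either rejected by jsii's runtime type check at synth time or, on older CDK releases, ends up serialised as the set's repr in the role name — drop the braces: `role_name=f"admg-ci-{stage}-role",`. The new names also differ from the ones this line replaces (`admg-ci-role`, `admg-production-ci-role`), so IAM creates a second role rather than renaming the existing one, and the ARN the workflow now reads from `vars.ROLETOASSUME` has to point at the new role before the next CI run or `configure-aws-credentials` fails the assume-role call. `__init__` starts and ends outside this hunk.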
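Review bot: `resources=[f"arn:aws:s3:::admg-{stage}-assets/*"]` hardcodes a bucket-name pattern while the bucket itself is named by `generate_name("assets", stage=stage).replace("_", "-")` in the @@ -66 hunk; if the two ever diverge, the `s3:PutObject` grant points at a bucket that does not match the one created here and uploads fail with no synth-time error. Prefer deriving the resource from the bucket construct — `resources=[self.bucket.arn_for_objects("*")]`, or `self.bucket.grant_put(role)` once both exist — which requires creating the bucket before the role in this `__init__`; as far as I can tell from the diff the bucket is currently created after it. `__init__` starts and ends outside this hunk.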
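Review bot: `.get(stage, "development")` in the @@ -57 hunk still falls back to the bare name `"development"`, which is not an env file, while the same expression in app_stack.py (@@ -59 hunk) was corrected to `".env.development"` in this commit; apply the same fix here so an unknown stage behaves identically in both stacks, `{"dev": ".env.staging", "prod": ".env.production"}.get(stage, ".env.development")`. The added `# TODO get from env variable` comment would be more useful if it named the variable it intends to read and what applies until then. `__init__` starts and ends outside this hunk.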
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
deleted file mode 100644
index da6c2bdb..00000000
--- a/docker-compose.prod.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-version: "3.7"
-
-services:
- web:
- build:
- context: ./
- dockerfile: Dockerfile.prod
- command: gunicorn config.wsgi:application --bind 0.0.0.0:8000 -w 4 --timeout 300 --worker-tmp-dir /dev/shm
- volumes:
- - static_volume:/app/home/app/web/staticfiles
- - media_volume:/app/home/app/web/media
- expose:
- - 8000
- env_file:
- - .env.web
- - .env.production
- environment:
- - MIGRATE=true
-
- nginx-proxy:
- container_name: nginx-proxy
- build: nginx
- restart: always
- ports:
- - 443:443
- - 80:80
- environment:
- - RESOLVERS=127.0.0.11
- volumes:
- - static_volume:/app/home/app/web/staticfiles
- - media_volume:/app/home/app/web/media
- - morecerts:/etc/acme.sh
- - certs:/etc/nginx/certs
- - html:/usr/share/nginx/html
- - ./nginx/vhost.d:/etc/nginx/vhost.d
- - /var/run/docker.sock:/tmp/docker.sock:ro
- depends_on:
- - web
-
- nginx-proxy-letsencrypt:
- image: nginxproxy/acme-companion:latest
- env_file:
- - .env.production
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
- - morecerts:/etc/acme.sh
- - certs:/etc/nginx/certs
- - html:/usr/share/nginx/html
- - ./nginx/vhost.d:/etc/nginx/vhost.d
- depends_on:
- - nginx-proxy
-
-volumes:
- postgres_data:
- static_volume:
- media_volume:
- morecerts:
- certs:
- html:
diff --git a/docker-compose.staging.yml b/docker-compose.staging.yml
deleted file mode 100644
index cb989536..00000000
--- a/docker-compose.staging.yml
+++ /dev/null
@@ -1,59 +0,0 @@
-version: "3.7"
-
-services:
- web:
- build:
- context: ./
- dockerfile: Dockerfile.prod
- command: gunicorn config.wsgi:application --bind 0.0.0.0:8000 -w 4 --timeout 300 --worker-tmp-dir /dev/shm
- volumes:
- - static_volume:/app/home/app/web/staticfiles
- - media_volume:/app/home/app/web/media
- expose:
- - 8000
- env_file:
- - .env.web
- - .env.staging
- environment:
- - MIGRATE=true
-
- nginx-proxy:
- container_name: nginx-proxy
- build: nginx
- restart: always
- ports:
- - 443:443
- - 80:80
- environment:
- - RESOLVERS=127.0.0.11
- volumes:
- - static_volume:/app/home/app/web/staticfiles
- - media_volume:/app/home/app/web/media
- - morecerts:/etc/acme.sh
- - certs:/etc/nginx/certs
- - html:/usr/share/nginx/html
- - ./nginx/vhost.d:/etc/nginx/vhost.d
- - /var/run/docker.sock:/tmp/docker.sock:ro
- depends_on:
- - web
-
- nginx-proxy-letsencrypt:
- image: nginxproxy/acme-companion:latest
- env_file:
- - .env
- volumes:
- - /var/run/docker.sock:/var/run/docker.sock:ro
- - morecerts:/etc/acme.sh
- - certs:/etc/nginx/certs
- - html:/usr/share/nginx/html
- - ./nginx/vhost.d:/etc/nginx/vhost.d
- depends_on:
- - nginx-proxy
-
-volumes:
- postgres_data:
- static_volume:
- media_volume:
- morecerts:
- certs:
- html: