Deploy

Deploy #59

Workflow file for this run

# AUTOMATICALLY GENERATED FILE, DO NOT EDIT MANUALLY.
# Generated by AWS CDK and [cdk-pipelines-github](https://github.com/cdklabs/cdk-pipelines-github)
# Display name of the workflow in the Actions UI.
name: 'Deploy'
on:
  # Reusable-workflow entry point. Both inputs are free-form strings, so the
  # calling workflow chooses the runner label and the text that the deploy
  # jobs' `contains(...)` filters are matched against; nothing here restricts
  # either value to a known list.
  workflow_call:
    inputs:
      runner:
        description: 'Runner to use.'
        type: string
        required: false
        default: 'ubuntu-latest'
      environments:
        description: 'Environments to deploy.'
        type: string
        required: false
        default: 'development,staging'
  # Manual entry point. `choice` inputs limit the operator to the values listed
  # below. Selecting `self-hosted` runs every job, including the ones that hold
  # AWS credentials, on a runner this file does not describe.
  workflow_dispatch:
    inputs:
      runner:
        description: 'Runner to use.'
        type: choice
        options:
          - 'ubuntu-latest'
          - 'self-hosted'
        default: 'ubuntu-latest'
      environments:
        description: 'Environments to deploy.'
        type: choice
        options:
          - 'development'
          - 'staging'
          - 'production'
          - 'development,staging'
          - 'development,staging,production'
        default: 'development,staging'
jobs:
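# Synthesize job: checks out CrisisCleanup/infrastructure at `main`, installs
# the toolchain, obtains pipeline-account credentials through GitHub OIDC, runs
# the CDK synth and uploads `cdk.out` to S3 for the publish and deploy jobs.
#
# Review notes (the workflow is generated by cdk-pipelines-github, so lasting
# changes belong in the pipeline definition rather than in this YAML):
#  - Every `uses:` below points at a tag or branch, which the action's owner
#    can move. This job holds an OIDC-derived AWS role plus two tokens, so each
#    action should be pinned to a reviewed full commit SHA
#    (`owner/repo@<PINNED_COMMIT_SHA>`).
#  - Secrets and step env values are passed to the shell as environment
#    variables instead of being expanded into the script text by `${{ }}`.
build-crisiscleanup-infra-pipeline-synth:
  name: Synthesize
  permissions:
    contents: read
    # Required to request the OIDC token that is exchanged for AWS credentials.
    id-token: write
  # Falls back to the hosted runner when no `runner` input is supplied.
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  needs: []
  env:
    CI: "true"
    NX_NON_NATIVE_HASHER: "true"
    NX_BRANCH: ${{github.event.number}}
    NX_RUN_GROUP: ${{github.run_id}}
    # Job-level env: both tokens are visible to every step below, including
    # third-party actions and the scripts run by `pnpm install`.
    NX_CLOUD_ACCESS_TOKEN: ${{secrets.NX_CLOUD_ACCESS_TOKEN}}
    GIGET_AUTH: ${{secrets.GH_CONFIGS_RO_PAT}}
  steps:
    - name: Mask values
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Checkout
      uses: actions/checkout@v3
      with:
        repository: CrisisCleanup/infrastructure
        ref: main
        # No later step pushes to the repository, so the checkout token is not
        # left in .git/config where install and build scripts could read it.
        persist-credentials: false
    - name: Install Helm
      uses: azure/setup-helm@v3
      with:
        version: 3.12.2
    - name: Install AWS CLI
      uses: unfor19/install-aws-cli-action@v1
      if: inputs.runner == 'self-hosted'
      with:
        arch: arm64
    - name: Install SOPs
      # `@main` follows a branch: whatever is pushed there runs in this job on
      # the next deploy. Pin to a commit SHA.
      uses: CrisisCleanup/mozilla-sops-action@main
      with:
        version: 3.7.3
    - name: Setup PNPM
      # NOTE(review): the ref after `pnpm/` was replaced by e-mail obfuscation
      # in this page capture; restore the real `owner/repo@ref` from the
      # generated workflow file.
      uses: pnpm/[email protected]
    - name: Setup Node
      uses: actions/setup-node@v3
      with:
        node-version: "18"
        cache: pnpm
    - name: Authenticate Via OIDC Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Pull cdk.context.json
      # Best effort: a failed download does not stop the job, so the synth then
      # runs without the cached context. The cached file is read from a shared
      # bucket; write access to that key influences what gets synthesized.
      continue-on-error: true
      env:
        S3_SOURCE: s3://crisiscleanup-pipeline-assets/cdk-assets/deploy/cdk.context.json
        S3_DESTINATION: packages/stacks/api/cdk.context.json
      run: aws s3 cp "$S3_SOURCE" "$S3_DESTINATION"
    - name: Install
      # Runs dependency install scripts with the AWS credentials and job-level
      # tokens already present in the environment.
      run: pnpm install
    - name: Build
      run: |-
        pnpm build
        pnpm -F 'stacks.api' run synth:silent
        cp -r packages/stacks/api/cdk.out ./cdk.out
    - name: Push cdk.context.json
      continue-on-error: true
      env:
        S3_SOURCE: packages/stacks/api/cdk.context.json
        S3_DESTINATION: s3://crisiscleanup-pipeline-assets/cdk-assets/deploy/cdk.context.json
      run: aws s3 cp "$S3_SOURCE" "$S3_DESTINATION"
    - name: Push cdk.out
      # The run id and attempt number make the prefix unique per run; the
      # publish job later executes scripts downloaded from this prefix.
      env:
        S3_SOURCE: cdk.out
        S3_DESTINATION: s3://crisiscleanup-pipeline-assets/cdk-assets/deploy/${{github.run_id}}-${{github.run_attempt}}/cdk.out
      run: aws s3 sync "$S3_SOURCE" "$S3_DESTINATION"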
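# Publish Assets job: one matrix leg per CDK file asset. Each leg downloads the
# synthesized `cdk.out` from S3, installs `cdk-assets` and runs the matching
# publish script; the script's `asset-hashN` output is re-exported as a job
# output for the deploy jobs' template URLs.
#
# Review notes:
#  - The publish script is downloaded from the S3 prefix written by the synth
#    job and executed under the pipeline role. Any principal that can write to
#    that prefix decides what runs here, so write access to it should be
#    limited to the synth job's role.
#  - Shell arguments come from environment variables rather than `${{ }}`
#    text expansion.
publish:
  name: Publish Assets
  permissions:
    contents: read
    id-token: write
  outputs:
    asset-hash1: ${{steps.publish.outputs.asset-hash1}}
    asset-hash10: ${{steps.publish.outputs.asset-hash10}}
    asset-hash11: ${{steps.publish.outputs.asset-hash11}}
    asset-hash12: ${{steps.publish.outputs.asset-hash12}}
    asset-hash13: ${{steps.publish.outputs.asset-hash13}}
    asset-hash14: ${{steps.publish.outputs.asset-hash14}}
    asset-hash15: ${{steps.publish.outputs.asset-hash15}}
    asset-hash16: ${{steps.publish.outputs.asset-hash16}}
    asset-hash17: ${{steps.publish.outputs.asset-hash17}}
    asset-hash18: ${{steps.publish.outputs.asset-hash18}}
    asset-hash19: ${{steps.publish.outputs.asset-hash19}}
    asset-hash2: ${{steps.publish.outputs.asset-hash2}}
    asset-hash20: ${{steps.publish.outputs.asset-hash20}}
    asset-hash21: ${{steps.publish.outputs.asset-hash21}}
    asset-hash22: ${{steps.publish.outputs.asset-hash22}}
    asset-hash23: ${{steps.publish.outputs.asset-hash23}}
    asset-hash24: ${{steps.publish.outputs.asset-hash24}}
    asset-hash25: ${{steps.publish.outputs.asset-hash25}}
    asset-hash26: ${{steps.publish.outputs.asset-hash26}}
    asset-hash27: ${{steps.publish.outputs.asset-hash27}}
    asset-hash28: ${{steps.publish.outputs.asset-hash28}}
    asset-hash3: ${{steps.publish.outputs.asset-hash3}}
    asset-hash4: ${{steps.publish.outputs.asset-hash4}}
    asset-hash5: ${{steps.publish.outputs.asset-hash5}}
    asset-hash6: ${{steps.publish.outputs.asset-hash6}}
    asset-hash7: ${{steps.publish.outputs.asset-hash7}}
    asset-hash8: ${{steps.publish.outputs.asset-hash8}}
    asset-hash9: ${{steps.publish.outputs.asset-hash9}}
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  # NOTE(review): this id differs in letter case from the synth job key as it
  # appears on this page; confirm against the generated file.
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
  strategy:
    fail-fast: true
    matrix:
      target:
        - Assets-FileAsset1
        - Assets-FileAsset10
        - Assets-FileAsset11
        - Assets-FileAsset12
        - Assets-FileAsset13
        - Assets-FileAsset14
        - Assets-FileAsset15
        - Assets-FileAsset16
        - Assets-FileAsset17
        - Assets-FileAsset18
        - Assets-FileAsset19
        - Assets-FileAsset2
        - Assets-FileAsset20
        - Assets-FileAsset21
        - Assets-FileAsset22
        - Assets-FileAsset23
        - Assets-FileAsset24
        - Assets-FileAsset25
        - Assets-FileAsset26
        - Assets-FileAsset27
        - Assets-FileAsset28
        - Assets-FileAsset3
        - Assets-FileAsset4
        - Assets-FileAsset5
        - Assets-FileAsset6
        - Assets-FileAsset7
        - Assets-FileAsset8
        - Assets-FileAsset9
  steps:
    - name: Mask values
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Pull cdk.out
      env:
        S3_SOURCE: s3://crisiscleanup-pipeline-assets/cdk-assets/deploy/${{github.run_id}}-${{github.run_attempt}}/cdk.out
        S3_DESTINATION: cdk.out
      run: aws s3 sync "$S3_SOURCE" "$S3_DESTINATION"
    - name: Install cdk-assets
      # Unversioned install: each run takes whatever release the registry
      # serves at that moment, while AWS credentials are in the environment.
      # Prefer an exact version (`cdk-assets@<PINNED_VERSION>`) in the
      # pipeline definition.
      run: npm install --no-save cdk-assets
    - name: Publish
      id: publish
      env:
        PUBLISH_TARGET: ${{matrix.target}}
      run: /bin/bash "./cdk.out/publish-${PUBLISH_TARGET}-step.sh"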
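# Deploys the `development-development-network` stack and records the run
# against the `development` GitHub environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (development account); CloudFormation itself acts as the
# cfn-exec role passed in `role-arn`.
deploy-development-development-network-deploy:
  name: Deploy crisiscleanupinfrapipelinestackdevelopmentdevelopmentnetwork9BE60577
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'development')
  permissions:
    contents: read
    id-token: write
  environment:
    name: development
    url: https://app.dev.crisiscleanup.io
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1
        # Fixed value readable in this file: it is not a secret, so the deploy
        # role's trust policy has to restrict the calling principal itself.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture (the inputs look like those of
      # aws-actions/aws-cloudformation-github-deploy); restore the real
      # `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: development-development-network
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash1 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1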
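# Deploys the `staging-staging-network` stack and records the run against the
# `staging` GitHub environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (staging account); CloudFormation itself acts as the cfn-exec
# role passed in `role-arn`.
deploy-staging-staging-network-deploy:
  name: Deploy crisiscleanupinfrapipelinestackstagingstagingnetworkF6BE5B3F
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'staging')
  permissions:
    contents: read
    id-token: write
  environment:
    name: staging
    url: https://app.staging.crisiscleanup.io
  # Only synth and publish are prerequisites: no development job gates staging.
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_STAGING}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: staging-staging-network
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash18 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_STAGING}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1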
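# Deploys the `production-production-network` stack and records the run
# against the `production` GitHub environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (production account); CloudFormation itself acts as the cfn-exec
# role passed in `role-arn`.
#
# Review notes:
#  - `needs` lists only synth and publish, so no staging job has to succeed
#    first. Any pause before production comes from the protection rules of the
#    `production` environment, which are configured outside this file.
#  - The first hop uses the same GitHubActionRole as the synth and publish
#    jobs, which declare no environment. If that role is allowed to assume the
#    production CDK roles, those jobs hold the same ability without an
#    environment approval; verify the role's permissions and the production
#    roles' trust policies.
deploy-production-production-network-deploy:
  name: Deploy crisiscleanupinfrapipelinestackproductionproductionnetworkACD050B9
  # Substring test: any `environments` value containing "production" matches,
  # and on `workflow_call` that value is a free-form string from the caller.
  if: contains((github.event.inputs.environments || inputs.environments), 'production')
  permissions:
    contents: read
    id-token: write
  environment:
    name: production
    url: https://crisiscleanup.org
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - publish
  # A `self-hosted` selection runs this production deploy on that runner.
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: production-production-network
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash23 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1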
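# Deploys the `development-development-data` stack after the development
# network stack, recording the run against the `development` environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (development account); CloudFormation itself acts as the
# cfn-exec role passed in `role-arn`.
deploy-development-development-data-deploy:
  name: Deploy crisiscleanupinfrapipelinestackdevelopmentdevelopmentdataE98C910D
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'development')
  permissions:
    contents: read
    id-token: write
  environment:
    name: development
    url: https://app.dev.crisiscleanup.io
  # NOTE(review): these ids differ in letter case from the job keys as they
  # appear on this page; confirm against the generated file.
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - deploy-development-development-network-Deploy
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: development-development-data
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash2 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1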
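# Deploys the `staging-staging-data` stack after the staging network stack,
# recording the run against the `staging` environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (staging account); CloudFormation itself acts as the cfn-exec
# role passed in `role-arn`.
deploy-staging-staging-data-deploy:
  name: Deploy crisiscleanupinfrapipelinestackstagingstagingdataE88954EF
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'staging')
  permissions:
    contents: read
    id-token: write
  environment:
    name: staging
    url: https://app.staging.crisiscleanup.io
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - deploy-staging-staging-network-Deploy
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_STAGING}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: staging-staging-data
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash19 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_STAGING}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1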
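# Deploys the `production-production-cache` stack after the production network
# stack, recording the run against the `production` environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (production account); CloudFormation itself acts as the cfn-exec
# role passed in `role-arn`.
# No staging job is listed in `needs`; a hold before production depends on the
# `production` environment's protection rules, which this file does not show.
deploy-production-production-cache-deploy:
  name: Deploy crisiscleanupinfrapipelinestackproductionproductioncacheE7EE3824
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'production')
  permissions:
    contents: read
    id-token: write
  environment:
    name: production
    url: https://crisiscleanup.org
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - deploy-production-production-network-Deploy
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: production-production-cache
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash24 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1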
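# Deploys the `production-production-data` stack after the production network
# stack, recording the run against the `production` environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (production account); CloudFormation itself acts as the cfn-exec
# role passed in `role-arn`.
# No staging job is listed in `needs`; a hold before production depends on the
# `production` environment's protection rules, which this file does not show.
deploy-production-production-data-deploy:
  name: Deploy crisiscleanupinfrapipelinestackproductionproductiondataFD607C3D
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'production')
  permissions:
    contents: read
    id-token: write
  environment:
    name: production
    url: https://crisiscleanup.org
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - deploy-production-production-network-Deploy
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: production-production-data
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash25 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1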
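# Deploys the `development-development-blueprint` stack once the development
# network and data stacks are done, recording the run against the
# `development` environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (development account); CloudFormation itself acts as the
# cfn-exec role passed in `role-arn`.
deploy-development-development-blueprint-deploy:
  name: Deploy crisiscleanupinfrapipelinestackdevelopmentdevelopmentblueprint44D37614
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'development')
  permissions:
    contents: read
    id-token: write
  environment:
    name: development
    url: https://app.dev.crisiscleanup.io
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - deploy-development-development-network-Deploy
    - deploy-development-development-data-Deploy
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: development-development-blueprint
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash5 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}-us-east-1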
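# Deploys the `staging-staging-blueprint` stack once the staging network and
# data stacks are done, recording the run against the `staging` environment.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (staging account); CloudFormation itself acts as the cfn-exec
# role passed in `role-arn`.
deploy-staging-staging-blueprint-deploy:
  name: Deploy crisiscleanupinfrapipelinestackstagingstagingblueprint5D1F778A
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'staging')
  permissions:
    contents: read
    id-token: write
  environment:
    name: staging
    url: https://app.staging.crisiscleanup.io
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - deploy-staging-staging-network-Deploy
    - deploy-staging-staging-data-Deploy
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_STAGING}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: staging-staging-blueprint
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash20 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_STAGING}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_STAGING}}-us-east-1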
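# Deploys the `production-production-blueprint` stack once the production
# network and data stacks are done, recording the run against the `production`
# environment. The production cache job is not among its prerequisites.
# Credential chain: OIDC token -> GitHubActionRole (pipeline account) -> CDK
# deploy role (production account); CloudFormation itself acts as the cfn-exec
# role passed in `role-arn`.
# No staging job is listed in `needs`; a hold before production depends on the
# `production` environment's protection rules, which this file does not show.
deploy-production-production-blueprint-deploy:
  name: Deploy crisiscleanupinfrapipelinestackproductionproductionblueprint6F97D85D
  # Substring test against the comma-separated `environments` input.
  if: contains((github.event.inputs.environments || inputs.environments), 'production')
  permissions:
    contents: read
    id-token: write
  environment:
    name: production
    url: https://crisiscleanup.org
  needs:
    - Build-crisiscleanup-infra-pipeline-synth
    - deploy-production-production-network-Deploy
    - deploy-production-production-data-Deploy
    - publish
  runs-on: ${{inputs.runner || 'ubuntu-latest'}}
  steps:
    - name: Mask values
      # Secrets reach the shell as environment variables instead of being
      # expanded into the script text by `${{ }}`.
      env:
        MASK_PIPELINE_ACCOUNT_ID: ${{secrets.AWS_PIPELINE_ACCOUNT_ID}}
        MASK_ACCOUNT_ID_PIPELINE: ${{secrets.AWS_ACCOUNT_ID_PIPELINE}}
        MASK_ACCOUNT_ID_DEVELOPMENT: ${{secrets.AWS_ACCOUNT_ID_DEVELOPMENT}}
        MASK_ACCOUNT_ID_STAGING: ${{secrets.AWS_ACCOUNT_ID_STAGING}}
        MASK_ACCOUNT_ID_PRODUCTION: ${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}
      run: |-
        echo "::add-mask::$MASK_PIPELINE_ACCOUNT_ID"
        echo "::add-mask::$MASK_ACCOUNT_ID_PIPELINE"
        echo "::add-mask::$MASK_ACCOUNT_ID_DEVELOPMENT"
        echo "::add-mask::$MASK_ACCOUNT_ID_STAGING"
        echo "::add-mask::$MASK_ACCOUNT_ID_PRODUCTION"
    - name: Authenticate Via OIDC Role
      # Mutable tag; pin to a reviewed full commit SHA (<PINNED_COMMIT_SHA>).
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        role-to-assume: arn:aws:iam::${{secrets.AWS_PIPELINE_ACCOUNT_ID}}:role/GitHubActionRole
        role-session-name: deploy
    - name: Assume CDK Deploy Role
      uses: aws-actions/configure-aws-credentials@v1-node16
      with:
        aws-region: us-east-1
        role-duration-seconds: 1800
        role-skip-session-tagging: true
        # Credentials exported by the previous step are reused for the second hop.
        aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
        aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
        aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
        role-to-assume: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}:role/cdk-hnb659fds-deploy-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1
        # Fixed value readable in this file, not a secret.
        role-external-id: Pipeline
    - id: Deploy
      # NOTE(review): the action ref was replaced by e-mail obfuscation in this
      # page capture; restore the real `owner/repo@ref` from the generated file.
      uses: aws-actions/[email protected]
      with:
        name: production-production-blueprint
        # Fetched from the CDK assets bucket by the hash the publish job emitted.
        template: https://cdk-hnb659fds-assets-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1.s3.us-east-1.amazonaws.com/${{ needs.publish.outputs.asset-hash26 }}.json
        no-fail-on-empty-changeset: "1"
        # Allows the stack to create or change IAM resources, named ones included.
        capabilities: CAPABILITY_IAM,CAPABILITY_NAMED_IAM
        role-arn: arn:aws:iam::${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}:role/cdk-hnb659fds-cfn-exec-role-${{secrets.AWS_ACCOUNT_ID_PRODUCTION}}-us-east-1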
# One concurrency group for the whole workflow: runs sharing the
# `deploy-infra` group are serialized instead of deploying at the same time.
# `cancel-in-progress` is not set, so a run that is already deploying is left
# to finish.
concurrency:
  group: 'deploy-infra'