From 9ec879ab444eeb40b39075d3129f130c0080020c Mon Sep 17 00:00:00 2001 From: Peeter Tomberg Date: Tue, 15 Aug 2023 16:51:14 +0300 Subject: [PATCH] chore: working secrets being setup properly --- .github/workflows/deploy.yml | 46 +++- .github/workflows/initialize.yml | 4 +- .github/workflows/main.yml | 221 ------------------ .github/workflows/prod-deploy.yml | 182 --------------- apps/graphql-gateway/src/app.module.ts | 4 +- apps/web/app/_lib/apolloClient.tsx | 2 +- .../configure-terraform-bucket-locally.ts | 1 - .../infra/configure-terraform-vars-locally.ts | 1 - 8 files changed, 49 insertions(+), 412 deletions(-) delete mode 100644 .github/workflows/main.yml delete mode 100644 .github/workflows/prod-deploy.yml diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 50933680..2d8c281a 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -16,9 +16,9 @@ jobs: build-staging: needs: prebuild + if: ${{ github.ref == 'refs/heads/develop' }} runs-on: ubuntu-latest strategy: - fail-fast: false matrix: ${{ fromJSON(needs.prebuild.outputs.matrix) }} steps: - uses: "actions/checkout@v3" @@ -39,6 +39,7 @@ jobs: deploy-staging: needs: build-staging + if: ${{ github.ref == 'refs/heads/develop' }} runs-on: ubuntu-latest steps: - uses: "actions/checkout@v3" 
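Review bot: Dropping `fail-fast: false` from build-staging's strategy switches the matrix to the default fail-fast behaviour, so one service's failed build now cancels the sibling builds; the commit message (secrets setup) does not mention this, and the same removal appears in both initialize.yml hunks. If this is intended, state it in the description; otherwise keep `fail-fast: false` so every service's build result stays visible. The added `if: ${{ github.ref == 'refs/heads/develop' }}` on deploy-staging appears redundant with `needs: build-staging` (a skipped dependency already skips the dependent job), but it is harmless as an explicit guard; the workflow's `on:` trigger is outside the hunk, so whether non-push events can reach these jobs cannot be confirmed here.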
@@ -55,3 +56,46 @@ jobs: region: ${{ vars.FVST_PROJECT_REGION }} prefix: ${{ vars.FVST_PROJECT_PREFIX }} docker-tag: ${{ env.DOCKER_TAG }} + + build-production: + needs: prebuild + if: ${{ github.ref == 'refs/heads/main' }} + runs-on: ubuntu-latest + strategy: + matrix: ${{ fromJSON(needs.prebuild.outputs.matrix) }} + steps: + - uses: "actions/checkout@v3" + - name: "Configure env variables" + run: | + project="${{ vars.FVST_PROJECT_PREFIX }}-fvst-production" + registry="us-docker.pkg.dev/$project/registry" + echo "project=$project" >> $GITHUB_ENV + echo "registry=$registry" >> $GITHUB_ENV + - uses: ./.github/actions/build-docker-container + with: + google_cloud_token: ${{ secrets.GOOGLE_CLOUD_TOKEN_PRODUCTION }} + turborepo_cache_bucket: ${{ vars.FVST_PROJECT_TURBOREPO_BUCKET_PRODUCTION }} + registry: ${{ env.registry }} + service: ${{ matrix.service }} + dockerfile: ${{ matrix.dockerfile }} + tag: ${{ env.DOCKER_TAG }} + + deploy-production: + needs: build-production + if: ${{ github.ref == 'refs/heads/main' }} + runs-on: ubuntu-latest + steps: + - uses: "actions/checkout@v3" + + - uses: ./.github/actions/setup-google-cloud-auth + id: "auth" + with: + google_cloud_token: ${{ secrets.GOOGLE_CLOUD_TOKEN_PRODUCTION }} + + - uses: ./.github/actions/terraform-apply + with: + environment: "production" + terraform-bucket: ${{ vars.FVST_PROJECT_TF_STATE_BUCKET_PRODUCTION }} + region: ${{ vars.FVST_PROJECT_REGION }} + prefix: ${{ vars.FVST_PROJECT_PREFIX }} + docker-tag: ${{ env.DOCKER_TAG }} diff --git a/.github/workflows/initialize.yml b/.github/workflows/initialize.yml index acdafc3a..e839602a 100644 --- a/.github/workflows/initialize.yml +++ b/.github/workflows/initialize.yml @@ -1,4 +1,4 @@ -name: Initialize environment +name: Initialize environments on: [workflow_dispatch] env: DOCKER_TAG: initialize-run-${{ github.run_number }} 
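Review bot: deploy-production is gated only by `if: ${{ github.ref == 'refs/heads/main' }}` and reads `secrets.GOOGLE_CLOUD_TOKEN_PRODUCTION` as a repository-level secret, so any job that runs on main can use the production credential with no approval step; declaring `environment: production` on both build-production and deploy-production lets that secret be scoped to a GitHub environment, where required reviewers and branch restrictions are enforced by the platform rather than by the if-expression alone. Neither new job declares `permissions:`, so they inherit the repository default for GITHUB_TOKEN; a top-level `permissions:` with `contents: read` keeps the token to what checkout needs. In the "Configure env variables" step, quote the redirect target (`>> "$GITHUB_ENV"`) for consistency with the quoted assignments above it. Separately, the deleted prod-deploy.yml (history) carried an inline NEXTAUTH_SECRET value rather than a secrets reference; deleting the file does not remove that value from git history, so it should be treated as exposed and rotated.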
@@ -17,7 +17,6 @@ jobs: needs: prebuild runs-on: ubuntu-latest strategy: - fail-fast: false matrix: ${{ fromJSON(needs.prebuild.outputs.matrix) }} steps: - uses: "actions/checkout@v3" @@ -59,7 +58,6 @@ jobs: needs: prebuild runs-on: ubuntu-latest strategy: - fail-fast: false matrix: ${{ fromJSON(needs.prebuild.outputs.matrix) }} steps: - uses: "actions/checkout@v3" diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml deleted file mode 100644 index e6174aa3..00000000 --- a/.github/workflows/main.yml +++ /dev/null 
@@ -1,221 +0,0 @@ -name: Main branch deploy to stg - -on: - push: - branches: [main] - -env: - PROJECT: ${{ github.event.repository.name }}-stg-5 - DOCKER_TAG: v0.0.${{ github.run_number }} - DB_INSTANCE: fvst-primary-db - -jobs: - verify: - runs-on: ubuntu-latest - strategy: - matrix: - service: ["blog-graphql", "demo-worker", "user-graphql", "todo-graphql"] - steps: - - uses: "actions/checkout@v3" - - - name: "Unpack Key" - id: "google-key" - run: | - GOOGLE_CLOUD_TOKEN=$(echo ${{secrets.GOOGLE_CLOUD_TOKEN}} | base64 --decode) - echo "GOOGLE_CLOUD_TOKEN=$GOOGLE_CLOUD_TOKEN" >> $GITHUB_OUTPUT - - - name: "Authenticate to Google Cloud" - uses: "google-github-actions/auth@v1" - with: - credentials_json: ${{steps.google-key.outputs.GOOGLE_CLOUD_TOKEN}} - - - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v1" - with: - version: ">= 417.0.0" - - - name: Info - run: | - gcloud info - - - name: Login to artifact repository - run: gcloud --project $PROJECT auth configure-docker - - - name: Update OS - run: sudo apt-get -qy update && sudo apt-get -qy install openssl - - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - - name: Restore node_modules - uses: actions/cache@v3 - with: - path: | - **/node_modules - key: ${{ runner.os }}-node_modules-${{ hashFiles('**/package-lock.json') }} - - - name: Install dependencies - run: npm install - - - name: Lint - run: npm run lint - - - name: Test - run: npm test - - - name: Build - run: npm run build - env: - NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.CLERK_PUBLISHABLE_KEY }} - - - name: Build Docker - run: | - docker build -f apps/${{matrix.service}}/Dockerfile . 
-t gcr.io/$PROJECT/fvst-monorepo-${{matrix.service}}:$DOCKER_TAG - - - name: Push to repo - run: docker push gcr.io/$PROJECT/fvst-monorepo-${{matrix.service}}:$DOCKER_TAG - - - name: Deploy - run: | - gcloud --project $PROJECT run deploy ${{matrix.service}} --image gcr.io/$PROJECT/fvst-monorepo-${{matrix.service}}:$DOCKER_TAG --add-cloudsql-instances $DB_INSTANCE --region ${{secrets.GOOGLE_CLOUD_REGION}} --set-env-vars DATABASE_URL="postgresql://fvst:${{secrets.DATABASE_PASSWORD}}@localhost/fvst?host=/cloudsql/$PROJECT:${{secrets.GOOGLE_CLOUD_REGION}}:$DB_INSTANCE" --set-env-vars NODE_ENV=development --set-env-vars CLERK_JWSK_URL=${{secrets.CLERK_JWSK_URL}} --set-env-vars CLERK_ISSUER=${{secrets.CLERK_ISSUER}} --allow-unauthenticated - - deploy-web: - runs-on: ubuntu-latest - steps: - - uses: "actions/checkout@v3" - - - name: "Unpack Key" - id: "google-key" - run: | - GOOGLE_CLOUD_TOKEN=$(echo ${{secrets.GOOGLE_CLOUD_TOKEN}} | base64 --decode) - echo "GOOGLE_CLOUD_TOKEN=$GOOGLE_CLOUD_TOKEN" >> $GITHUB_OUTPUT - - - name: "Authenticate to Google Cloud" - uses: "google-github-actions/auth@v1" - with: - credentials_json: ${{steps.google-key.outputs.GOOGLE_CLOUD_TOKEN}} - - - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v1" - with: - version: ">= 417.0.0" - - - name: Info - run: | - gcloud info - - - name: Login to artifact repository - run: gcloud --project $PROJECT auth configure-docker - - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - - name: Restore node_modules - uses: actions/cache@v3 - with: - path: | - **/node_modules - key: ${{ runner.os }}-node_modules-${{ hashFiles('**/package-lock.json') }} - - - name: Install dependencies - run: npm install - - - name: Lint - run: npm run lint - - - name: Test - run: npm test - - - name: Build - run: npm run build - env: - NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.CLERK_PUBLISHABLE_KEY }} - - - name: Build Docker - run: | - docker build --build-arg 
NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=${{secrets.CLERK_PUBLISHABLE_KEY}} --build-arg NEXT_PUBLIC_GRAPHQL_API_URI=https://graphql-gateway-qng4lozp3a-lz.a.run.app/graphql -f apps/web/Dockerfile . -t gcr.io/$PROJECT/fvst-monorepo-web:$DOCKER_TAG - - name: Push to repo - run: docker push gcr.io/$PROJECT/fvst-monorepo-web:$DOCKER_TAG - - - name: Deploy - run: | - gcloud --project $PROJECT run deploy web --image gcr.io/$PROJECT/fvst-monorepo-web:$DOCKER_TAG --add-cloudsql-instances $DB_INSTANCE --region ${{secrets.GOOGLE_CLOUD_REGION}} --set-env-vars DATABASE_URL="postgresql://fvst:${{secrets.DATABASE_PASSWORD}}@localhost/fvst?host=/cloudsql/$PROJECT:${{secrets.GOOGLE_CLOUD_REGION}}:$DB_INSTANCE" --set-env-vars NODE_ENV=development --allow-unauthenticated --set-env-vars CLERK_PUBLISHABLE_KEY=${{secrets.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY}} - env: - CLERK_JWSK_URL: ${{ secrets.CLERK_JWSK_URL }} - CLERK_ISSUER: ${{ secrets.CLERK_ISSUER }} - - deploy-gateway: - runs-on: ubuntu-latest - needs: [verify, deploy-web] - steps: - - uses: "actions/checkout@v3" - - - name: "Unpack Key" - id: "google-key" - run: | - GOOGLE_CLOUD_TOKEN=$(echo ${{secrets.GOOGLE_CLOUD_TOKEN}} | base64 --decode) - echo "GOOGLE_CLOUD_TOKEN=$GOOGLE_CLOUD_TOKEN" >> $GITHUB_OUTPUT - - - name: "Authenticate to Google Cloud" - uses: "google-github-actions/auth@v1" - with: - credentials_json: ${{steps.google-key.outputs.GOOGLE_CLOUD_TOKEN}} - - - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v1" - with: - version: ">= 417.0.0" - - - name: Info - run: | - gcloud info - - - name: Login to artifact repository - run: gcloud --project $PROJECT auth configure-docker - - - name: Update OS - run: sudo apt-get -qy update && sudo apt-get -qy install openssl - - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - - name: Restore node_modules - uses: actions/cache@v3 - with: - path: | - **/node_modules - key: ${{ runner.os }}-node_modules-${{ 
hashFiles('**/package-lock.json') }} - - - name: Install dependencies - run: npm install - - - name: Lint - run: npm run lint - - - name: Test - run: npm test - - - name: Build - run: npm run build - env: - NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.CLERK_PUBLISHABLE_KEY }} - - - name: Build Docker - run: | - docker build -f apps/graphql-gateway/Dockerfile . -t gcr.io/$PROJECT/fvst-monorepo-graphql-gateway:$DOCKER_TAG - - - name: Push to repo - run: docker push gcr.io/$PROJECT/fvst-monorepo-graphql-gateway:$DOCKER_TAG - - - name: Deploy - run: | - gcloud --project $PROJECT run deploy graphql-gateway --image gcr.io/$PROJECT/fvst-monorepo-graphql-gateway:$DOCKER_TAG --region ${{secrets.GOOGLE_CLOUD_REGION}} --set-env-vars NODE_ENV=development --set-env-vars TODO_SERVICE_URL=https://todo-graphql-qng4lozp3a-lz.a.run.app/graphql --set-env-vars BLOG_SERVICE_URL=https://blog-graphql-qng4lozp3a-lz.a.run.app/graphql --set-env-vars USER_SERVICE_URL=https://user-graphql-qng4lozp3a-lz.a.run.app/graphql --allow-unauthenticated diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml deleted file mode 100644 index 2f0b97fe..00000000 --- a/.github/workflows/prod-deploy.yml +++ /dev/null 
@@ -1,182 +0,0 @@ -name: Google Branch - -on: - push: - branches: [prod] - -env: - PROJECT: ${{ github.event.repository.name }}-stg-5 - DOCKER_TAG: v0.0.${{ github.run_number }} - DB_INSTANCE: fvst-primary-db - -jobs: - verify: - runs-on: ubuntu-latest - strategy: - matrix: - service: ["blog-graphql", "demo-worker", "todo-graphql", "user-graphql"] - steps: - - uses: "actions/checkout@v3" - - - name: "Unpack Key" - id: "google-key" - run: | - GOOGLE_CLOUD_TOKEN=$(echo ${{secrets.GOOGLE_CLOUD_TOKEN}} | base64 --decode) - echo "GOOGLE_CLOUD_TOKEN=$GOOGLE_CLOUD_TOKEN" >> $GITHUB_OUTPUT - - - name: "Authenticate to Google Cloud" - uses: "google-github-actions/auth@v1" - with: - credentials_json: ${{steps.google-key.outputs.GOOGLE_CLOUD_TOKEN}} - - - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v1" - with: - version: ">= 417.0.0" - - - name: Info - run: | - gcloud info - - - name: Login to artifact repository - run: gcloud --project $PROJECT auth configure-docker - - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - - name: Restore node_modules - uses: actions/cache@v3 - with: - path: | - **/node_modules - key: ${{ runner.os }}-node_modules-${{ hashFiles('**/package-lock.json') }} - - - name: Install dependencies - run: npm install - - - name: Build - run: npm run build - - - name: Build Docker - run: | - docker build -f apps/${{matrix.service}}/Dockerfile . 
-t gcr.io/$PROJECT/fvst-monorepo-${{matrix.service}}:$DOCKER_TAG - - - name: Push to repo - run: docker push gcr.io/$PROJECT/fvst-monorepo-${{matrix.service}}:$DOCKER_TAG - - - name: Deploy - run: | - gcloud --project $PROJECT run deploy ${{matrix.service}} --image gcr.io/$PROJECT/fvst-monorepo-${{matrix.service}}:$DOCKER_TAG --add-cloudsql-instances $DB_INSTANCE --region ${{secrets.GOOGLE_CLOUD_REGION}} --set-env-vars DATABASE_URL="postgresql://fvst:${{secrets.DATABASE_PASSWORD}}@localhost/fvst?host=/cloudsql/$PROJECT:${{secrets.GOOGLE_CLOUD_REGION}}:$DB_INSTANCE" --set-env-vars NODE_ENV=development --allow-unauthenticated - - deploy-web: - runs-on: ubuntu-latest - steps: - - uses: "actions/checkout@v3" - - - name: "Unpack Key" - id: "google-key" - run: | - GOOGLE_CLOUD_TOKEN=$(echo ${{secrets.GOOGLE_CLOUD_TOKEN}} | base64 --decode) - echo "GOOGLE_CLOUD_TOKEN=$GOOGLE_CLOUD_TOKEN" >> $GITHUB_OUTPUT - - - name: "Authenticate to Google Cloud" - uses: "google-github-actions/auth@v1" - with: - credentials_json: ${{steps.google-key.outputs.GOOGLE_CLOUD_TOKEN}} - - - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v1" - with: - version: ">= 417.0.0" - - - name: Info - run: | - gcloud info - - - name: Login to artifact repository - run: gcloud --project $PROJECT auth configure-docker - - - name: Use Node.js - uses: actions/setup-node@v3 - with: - node-version: 18 - cache: npm - - - name: Restore node_modules - uses: actions/cache@v3 - with: - path: | - **/node_modules - key: ${{ runner.os }}-node_modules-${{ hashFiles('**/package-lock.json') }} - - - name: Install dependencies - run: npm install - - - name: Build - run: npm run build - env: - NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: ${{ secrets.CLERK_PUBLISHABLE_KEY }} - - name: Build Docker - run: | - docker build -f apps/web/Dockerfile . 
-t gcr.io/$PROJECT/fvst-monorepo-web:$DOCKER_TAG - - - name: Push to repo - run: docker push gcr.io/$PROJECT/fvst-monorepo-web:$DOCKER_TAG - - - name: Deploy - run: | - gcloud --project $PROJECT run deploy web --image gcr.io/$PROJECT/fvst-monorepo-web:$DOCKER_TAG --add-cloudsql-instances $DB_INSTANCE --region ${{secrets.GOOGLE_CLOUD_REGION}} --set-env-vars DATABASE_URL="postgresql://fvst:${{secrets.DATABASE_PASSWORD}}@localhost/fvst?host=/cloudsql/$PROJECT:${{secrets.GOOGLE_CLOUD_REGION}}:$DB_INSTANCE" --set-env-vars NODE_ENV=development --allow-unauthenticated --set-env-vars GRAPH_QL_GATEWAY_URL=https://auth-lcfoiwapda-lz.a.run.app --set-env-vars NEXTAUTH_SECRET=YdnqQ48QfA6xJ6ey4kQEYIr+ayf2jKnuqGSsNdITA6c --set-env-vars NEXTAUTH_URL=https://web-lcfoiwapda-lz.a.run.app --set-env-vars CLERK_PUBLISHABLE_KEY=${{secrets.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY}} - - deploy-gateway: - runs-on: ubuntu-latest - needs: [verify, deploy-web] - - steps: - - uses: "actions/checkout@v3" - - - name: "Unpack Key" - id: "google-key" - run: | - GOOGLE_CLOUD_TOKEN=$(echo ${{secrets.GOOGLE_CLOUD_TOKEN}} | base64 --decode) - echo "GOOGLE_CLOUD_TOKEN=$GOOGLE_CLOUD_TOKEN" >> $GITHUB_OUTPUT - - - name: "Authenticate to Google Cloud" - uses: "google-github-actions/auth@v1" - with: - credentials_json: ${{steps.google-key.outputs.GOOGLE_CLOUD_TOKEN}} - - - name: "Set up Cloud SDK" - uses: "google-github-actions/setup-gcloud@v1" - with: - version: ">= 417.0.0" - - - name: Info - run: | - gcloud info - - - name: Login to artifact repository - run: gcloud --project $PROJECT auth configure-docker - - # - name: Build gateway - # run: docker build -f apps/apollo-gateway/Dockerfile -t gcr.io/$PROJECT/fvst-monorepo-gateway:$DOCKER_TAG . 
- - - name: Push to repo - run: docker push gcr.io/$PROJECT/fvst-monorepo-gateway:$DOCKER_TAG - - - name: Install rover - run: curl -sSL https://rover.apollo.dev/nix/latest | sh - - # - name: Sync schema - # run: | - # chmod +x apps/apollo-gateway/publish_ci_schema_updates.sh - # export APOLLO_KEY=${{secrets.APOLLO_STUDIO_KEY}} - # export APOLLO_GRAPH_REF=${{secrets.APOLLO_STUDIO_GRAPH}}@${GITHUB_REF##*/} - # ./apps/apollo-gateway/publish_ci_schema_updates.sh - - # - name: Deploy - # run: | - # export APOLLO_GRAPH_REF="${{secrets.APOLLO_STUDIO_GRAPH}}@${GITHUB_REF##*/}" - # gcloud --project $PROJECT run deploy gateway --image gcr.io/$PROJECT/fvst-monorepo-gateway:$DOCKER_TAG --port 4000 --region ${{secrets.GOOGLE_CLOUD_REGION}} --set-env-vars APOLLO_KEY=${{secrets.APOLLO_STUDIO_KEY}} --set-env-vars APOLLO_GRAPH_REF=$APOLLO_GRAPH_REF --allow-unauthenticated diff --git a/apps/graphql-gateway/src/app.module.ts b/apps/graphql-gateway/src/app.module.ts index ca487f1f..ed111cfb 100644 --- a/apps/graphql-gateway/src/app.module.ts +++ b/apps/graphql-gateway/src/app.module.ts @@ -29,11 +29,11 @@ const getGoogleCloudToken = async (url: string) => { return null; } }; - +// eslint-disable-next-line @typescript-eslint/no-explicit-any const fetcher = async (url: string, init: FetcherRequestInit | undefined): Promise => { const token = await getGoogleCloudToken(url); if (token) { - console.log('Applying security token', token); + console.log('Applying security token'); const customInit = { ...init, headers: { diff --git a/apps/web/app/_lib/apolloClient.tsx b/apps/web/app/_lib/apolloClient.tsx index a46a2fe6..639d5244 100644 --- a/apps/web/app/_lib/apolloClient.tsx +++ b/apps/web/app/_lib/apolloClient.tsx @@ -26,7 +26,7 @@ export const ApolloProviderWrapper = ({ children, gateway }: PropsWithChildren<{ link: from([authMiddleware, httpLink]), cache: new InMemoryCache(), }); - }, [getToken]); + }, [getToken, httpLink]); return {children}; }; 
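Review bot: The added `// eslint-disable-next-line @typescript-eslint/no-explicit-any` above `const fetcher` gives no reason for the suppression, and the `any` it silences appears to be the return type, whose type argument is not legible in this hunk (presumably `Promise<any>`). Prefer a concrete return type — the gateway fetcher contract in `@apollo/utils.fetcher` exposes a response type alongside `FetcherRequestInit`, which would let the disable line go away — or, if the `any` must stay, append the reason: `// eslint-disable-next-line @typescript-eslint/no-explicit-any -- fetcher response type is not exported by the gateway`. Removing the token from the `console.log('Applying security token')` call is the right fix; consider whether this per-request log still needs to be at info level at all. fetcher's body continues outside the hunk.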
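Review bot: Adding `httpLink` to the useMemo dependency list is only correct if `httpLink` itself has a stable identity across renders; its definition is outside the hunk, and if it is created in the component body on every render (e.g. via `new HttpLink(...)`), this change makes the memo recompute each render, rebuilding the ApolloClient and its `new InMemoryCache()` and discarding cached data. If that is the case, construct the link inside this same useMemo and depend on `gateway` instead, or memoize `httpLink` separately keyed on `gateway`. The ApolloProviderWrapper body starts before the hunk.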
diff --git a/packages/cli/src/commands/infra/configure-terraform-bucket-locally.ts b/packages/cli/src/commands/infra/configure-terraform-bucket-locally.ts index 78f7cce8..4ea0b8f6 100644 --- a/packages/cli/src/commands/infra/configure-terraform-bucket-locally.ts +++ b/packages/cli/src/commands/infra/configure-terraform-bucket-locally.ts @@ -1,4 +1,3 @@ -import { safeExec } from '../../utils/safeExec'; import { createIamArgument } from './arguments/createIamArgument'; import { Argument, Command } from '@commander-js/extra-typings'; import fs from 'node:fs'; diff --git a/packages/cli/src/commands/infra/configure-terraform-vars-locally.ts b/packages/cli/src/commands/infra/configure-terraform-vars-locally.ts index 3c7cae21..38d5006a 100644 --- a/packages/cli/src/commands/infra/configure-terraform-vars-locally.ts +++ b/packages/cli/src/commands/infra/configure-terraform-vars-locally.ts @@ -1,4 +1,3 @@ -import { safeExec } from '../../utils/safeExec'; import { createIamArgument } from './arguments/createIamArgument'; import { Argument, Command } from '@commander-js/extra-typings'; import fs from 'node:fs';