FlipsideCrypto · jbdevprimary · May 4, 2022
diff --git a/.github/actions/application-deploy/action.yml b/.github/actions/application-deploy/action.yml
@@ -0,0 +1,57 @@
+name: 'application-deploy'
+description: 'Application deployment'
+inputs:
+  manifest-file:
+    description: 'Manifest file'
+    required: true
+  digest:
+    description: 'Repository image digest'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Application deployment
+      run: |
+        set -eo pipefail
+
+        MANIFEST_FILE="${{ inputs.manifest-file }}"
+
+        if [ -z "$MANIFEST_FILE" ]; then
+          echo "No manifest file provided"
+          exit 1
+        fi
+
+        DIGEST="${{ inputs.digest }}"
+
+        if [ -z "$DIGEST" ]; then
+          echo "No digest provided"
+          exit 1
+        fi
+
+        function export_json_to_env () {
+          service_name="$1"
+
+          while IFS=$'\t\n' read -r LINE; do
+              export "${LINE}"
+          done < <(
+              <"${MANIFEST_FILE}" jq \
+                  --compact-output \
+                  --raw-output \
+                  --monochrome-output \
+                  --from-file \
+                  <(echo ".[\"${service_name}\"] | to_entries | map(\"\(.key)=\(.value)\") | .[]")
+            )
+        }
+
+        echo "Deploying ${MANIFEST_FILE}"
+
+        mapfile -t services < <(jq -r 'keys[]' "$MANIFEST_FILE")
+
+        for service_name in "${services[@]}"; do
+          export_json_to_env "$service_name"
+          aws eks update-kubeconfig --name "$eks_cluster_name"
+          kubectl -n "$eks_cluster_namespace" set image "$k8s_deployment_name" "${k8s_container_name}=${repository_url}@${DIGEST}"
+          kubectl -n "$eks_cluster_namespace" rollout restart "$k8s_deployment_name"
+        done
+      shell: bash
diff --git a/.github/actions/branch-specific-config/action.yml b/.github/actions/branch-specific-config/action.yml
@@ -0,0 +1,75 @@
+name: 'branch-specific-config'
+description: 'Determine branch-specific configuration'
+outputs:
+  branch-name:
+    description: "Branch name"
+    value: ${{ steps.branch-specific-config.outputs.branch-name }}
+  image-rev:
+    description: "Docker image revision"
+    value: ${{ steps.branch-specific-config.outputs.image-rev }}
+  env:
+    description: "Environment"
+    value: ${{ steps.branch-specific-config.outputs.env }}
+  tf-workingdir:
+    description: "Terraform working directory"
+    value: ${{ steps.branch-specific-config.outputs.tf-workingdir }}
+  tf-lockfile:
+    description: "Terraform lockfile"
+    value: ${{ steps.branch-specific-config.outputs.tf-lockfile }}
+  docker-load:
+    description: "Docker load"
+    value: ${{ steps.branch-specific-config.outputs.docker-load }}
+  docker-push:
+    description: "Docker push"
+    value: ${{ steps.branch-specific-config.outputs.docker-push }}
+  manifests-dir:
+    description: "Manifests directory for the environment"
+    value: ${{ steps.branch-specific-config.outputs.manifests-dir }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Branch specific config
+      id: branch-specific-config
+      run: |
+        set -euxo pipefail
+
+        PREFIX="refs/heads/"
+        BRANCH_NAME="${GITHUB_REF#"$PREFIX"}"
+
+        ret=0
+        git ls-remote --exit-code origin staging || ret=$?
+        if [ "${BRANCH_NAME}" = "main" ] || [ "${ret}" -eq 2 ]; then
+            echo "Running production build or running build in repo without a staging branch"
+            IMAGE_REV="latest"
+            ENV="prod"
+        else
+            echo "Running staging build"
+            IMAGE_REV="staging"
+            ENV="stg"
+        fi
+
+        TF_WD="terraform/workspaces/${ENV}"
+
+        TF_LF="${TF_WD}/.terraform.lock.hcl"
+
+        DOCKER_LOAD="false"
+        DOCKER_PUSH="true"
+
+        if [ "${GITHUB_EVENT_NAME}" = "pull_request" ]; then
+          echo "Running a pull request - Load Docker image only, no push"
+          DOCKER_LOAD="true"
+          DOCKER_PUSH="false"
+        fi
+
+        MANIFESTS_DIR="manifests/${ENV}"
+
+        echo "::set-output name=branch-name::$(echo $BRANCH_NAME)"
+        echo "::set-output name=image-rev::$(echo $IMAGE_REV)"
+        echo "::set-output name=env::$(echo $ENV)"
+        echo "::set-output name=tf-workingdir::$(echo $TF_WD)"
+        echo "::set-output name=tf-lockfile::$(echo $TF_LF)"
+        echo "::set-output name=docker-load::$(echo $DOCKER_LOAD)"
+        echo "::set-output name=docker-push::$(echo $DOCKER_PUSH)"
+        echo "::set-output name=manifests-dir::$(echo $MANIFESTS_DIR)"
+      shell: bash
diff --git a/.github/actions/commit-changes/action.yml b/.github/actions/commit-changes/action.yml
@@ -0,0 +1,30 @@
+name: 'commit-changes'
+description: 'Commit changes to the GitHub repository'
+inputs:
+  github-token:
+    description: 'GitHub token to commit with'
+    required: true
+  commit-message:
+    description: 'Commit message'
+    default: 'Committed automatically during workspace run'
+    required: false
+runs:
+  using: "composite"
+  steps:
+    - uses: nick-invision/retry@v2
+      with:
+        timeout_seconds: 15
+        max_attempts: 3
+        retry_on: error
+        command: |
+          echo "$GITHUB_CONTEXT"
+          git stash -u
+          git checkout "${GITHUB_REF:11}"
+          git pull
+          git stash apply ||:
+          git config --global user.name 'Devops Bot'
+          git config --global user.email 'devops-bot@flipsidecrypto.com'
+          git remote set-url origin https://x-access-token:${{ inputs.github-token }}@github.com/$GITHUB_REPOSITORY
+          git add -A
+          git commit -am "${{ inputs.commit-message }}"
+          git push ||:
diff --git a/.github/actions/docker-build-and-push/action.yml b/.github/actions/docker-build-and-push/action.yml
@@ -0,0 +1,86 @@
+name: 'docker-build-and-push'
+description: 'Docker build and push'
+inputs:
+  base-dir:
+    description: 'Base directory'
+    required: false
+    default: './services'
+  service-name:
+    description: 'Service name'
+    required: true
+  repository-name:
+    description: 'Override the repository name'
+    required: false
+    default: ''
+outputs:
+  registry:
+    description: "Registry"
+    value: ${{ steps.login-ecr.outputs.registry }}
+  service-name:
+    description: "Service name"
+    value: ${{ steps.docker-build-and-push-config.outputs.service-name }}
+  repository-name:
+    description: "Repository name"
+    value: ${{ steps.docker-build-and-push-config.outputs.repository-name }}
+  branch-name:
+    description: "Branch name"
+    value: ${{ steps.branch-specific-config.outputs.branch-name }}
+  image-rev:
+    description: "Docker image revision"
+    value: ${{ steps.branch-specific-config.outputs.image-rev }}
+  tf-workingdir:
+    description: "Terraform working directory"
+    value: ${{ steps.branch-specific-config.outputs.tf-workingdir }}
+  tf-lockfile:
+    description: "Terraform lockfile"
+    value: ${{ steps.branch-specific-config.outputs.tf-lockfile }}
+  docker-load:
+    description: "Docker load"
+    value: ${{ steps.branch-specific-config.outputs.docker-load }}
+  docker-push:
+    description: "Docker push"
+    value: ${{ steps.branch-specific-config.outputs.docker-push }}
+  manifests-dir:
+    description: "Manifests directory for the environment"
+    value: ${{ steps.branch-specific-config.outputs.manifests-dir }}
+  digest:
+    description: "Digest for the Docker repository image"
+    value: ${{ steps.docker-build-and-push.outputs.digest }}
+  repository-url:
+    description: "Repository URL for the Docker repository image"
+    value: ${{ steps.login-ecr.outputs.registry }}/${{ steps.docker-build-and-push-config.outputs.repository-name }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Docker Build and Push Config
+      id: docker-build-and-push-config
+      run: |
+        set -euxo pipefail
+
+        SERVICE_NAME="${{ inputs.service-name }}"
+        SERVICE_NAME_SANITIZED="${SERVICE_NAME//_/-}"
+
+        REPOSITORY_NAME="${{ inputs.repository-name }}"
+        if [ -z "$REPOSITORY_NAME" ]; then
+          REPOSITORY_NAME="${SERVICE_NAME_SANITIZED}"
+        fi
+
+        echo "::set-output name=service-name::$(echo $SERVICE_NAME_SANITIZED)"
+        echo "::set-output name=repository-name::$(echo $REPOSITORY_NAME)"
+      shell: bash
+    - name: Login to Amazon ECR
+      id: login-ecr
+      uses: aws-actions/amazon-ecr-login@v1
+    - name: Branch specific config
+      uses: ./.github/actions/branch-specific-config
+      id: branch-specific-config
+    - uses: docker/setup-buildx-action@v1
+    - name: Build and push image
+      id: docker-build-and-push
+      uses: docker/build-push-action@v2
+      with:
+        context: ${{ inputs.base-dir }}/${{ inputs.service-name }}
+        load: ${{ steps.branch-specific-config.outputs.docker-load }}
+        push: ${{ steps.branch-specific-config.outputs.docker-push }}
+        tags: ${{ steps.login-ecr.outputs.registry }}/${{ steps.docker-build-and-push-config.outputs.repository-name }}:${{ steps.branch-specific-config.outputs.image-rev }}
diff --git a/.github/actions/openvpn-connect/action.yml b/.github/actions/openvpn-connect/action.yml
@@ -0,0 +1,46 @@
+name: 'openvpn-connect'
+description: 'Connect to an OpenVPN server using a config file'
+inputs:
+  openvpn-profile:
+    description: 'OpenVPN profile (Must be base64-encoded)'
+    required: true
+  openvpn-version:
+    description: 'OpenVPN version to install'
+    required: false
+    default: ''
+  cache-key:
+    description: 'Cache key'
+    required: false
+    default: ''
+outputs:
+  openvpn-config:
+    description: 'OpenVPN config file'
+    value: ${{ steps.setup-openvpn.outputs.openvpn-config }}
+  openvpn-log-dir:
+    description: 'OpenVPN log directory'
+    value: ${{ steps.run-openvpn.outputs.openvpn-log-dir }}
+  openvpn-version:
+    description: 'OpenVPN version'
+    value: ${{ steps.setup-openvpn.outputs.openvpn-version }}
+  cache-key:
+    description: 'Cache key'
+    value: ${{ steps.setup-openvpn.outputs.cache-key }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Setup OpenVPN
+      uses: ./.github/actions/openvpn-setup
+      id: setup-openvpn
+      with:
+        openvpn-profile: ${{ inputs.openvpn-profile }}
+        openvpn-version: ${{ inputs.openvpn-version }}
+        cache-key: ${{ inputs.cache-key }}
+    - name: Connect to VPN Server
+      shell: bash
+      id: run-openvpn
+      run: |
+        OPENVPN_LOG_DIR="${RUNNER_TEMP}/logs"
+        mkdir -p "$OPENVPN_LOG_DIR"
+        sudo openvpn --config ${{ steps.setup-openvpn.outputs.openvpn-config }} --log "$(pwd)/vpn.log" --daemon
+        echo "::set-output name=openvpn-log-dir::${OPENVPN_LOG_DIR}"
diff --git a/.github/actions/openvpn-kill/action.yml b/.github/actions/openvpn-kill/action.yml
@@ -0,0 +1,35 @@
+name: 'openvpn-kill'
+description: 'Kill a running connection to an OpenVPN server'
+inputs:
+  openvpn-log-dir:
+    description: 'OpenVPN log directory'
+    required: false
+    default: ""
+outputs:
+  openvpn-log-dir:
+    description: 'OpenVPN log directory'
+    value: ${{ steps.kill-openvpn.outputs.openvpn-log-dir }}
+
+runs:
+  using: 'composite'
+  steps:
+    - name: Kill VPN connection
+      id: kill-openvpn
+      shell: bash
+      run: |
+        OPENVPN_LOG_DIR="${{ inputs.openvpn-log-dir }}"
+
+        if [[ ! -z "$OPENVPN_LOG_DIR" ]]; then
+          OPENVPN_LOG_DIR="${RUNNER_TEMP}/logs"
+          mkdir -p "$OPENVPN_LOG_DIR"
+        fi
+
+        sudo chmod -Rv 777 "$OPENVPN_LOG_DIR"
+        echo "::set-output name=openvpn-log-dir::${OPENVPN_LOG_DIR}"
+
+        sudo killall openvpn
+    - name: Upload VPN logs
+      uses: actions/upload-artifact@v2
+      with:
+        name: VPN logs
+        path: ${{ steps.kill-openvpn.outputs.openvpn-log-dir }}