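---
# Deploys the Text-to-Code AWS demo with Terraform.
#
# Triggers:
#   - push to main: plan, build/push the three Lambda images, then apply.
#   - workflow_dispatch: always plans; applies only when `apply` is set,
#     destroys everything when `destroy` is set (destroy wins over apply).
name: Deploy Text-to-Code AWS demo
run-name: Deploy Text-to-Code AWS demo by @${{ github.actor }}

on:
  workflow_dispatch:
    inputs:
      apply:
        description: "Apply changes (if false, only runs plan)"
        type: boolean
        default: false
      destroy:
        description: "Destroy all resources (WARNING: irreversible)"
        type: boolean
        default: false
  push:
    branches:
      - main

# Serialise runs against the shared Terraform state; never cancel a run that
# may be mid-apply.
concurrency:
  group: deploy-text-to-code-aws-demo
  cancel-in-progress: false

# Least privilege: `id-token: write` is only needed for the OIDC token that
# configure-aws-credentials exchanges for the deployment role below.
permissions:
  id-token: write
  contents: read

jobs:
  deploy_text_to_code:
    name: Terraform
    runs-on: ubuntu-latest
    # NOTE(review): job-level env is visible to every step, including the
    # third-party actions; consider moving these to the Terraform steps that
    # read them if the secrets are sensitive.
    env:
      # Temporary debug access to the public OpenSearch endpoint.
      # Secrets should contain HCL list literals, e.g. ["203.0.113.42/32"].
      # Unset/empty secrets fall back to the [] default in _variables.tf.
      TF_VAR_debug_allowed_ips: ${{ secrets.DEBUG_ALLOWED_IPS }}
      TF_VAR_debug_iam_principals: ${{ secrets.DEBUG_IAM_PRINCIPALS }}
    steps:
      - name: Checkout
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@dfe3c3f87815947d99a8997f908cb6525fc44e9e # v4.0.1
        with:
          terraform_version: "1.14.7"
          # The wrapper rewrites terraform's stdout; keep it off so the
          # `terraform output -raw` calls below capture the plain value.
          terraform_wrapper: false

      # OIDC role assumption; no long-lived AWS keys are stored in the repo.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6.2.0
        with:
          role-to-assume: ${{ secrets.TERRAFORM_ROLE_ARN }}
          role-session-name: githubDeploymentWorkflow
          aws-region: ${{ vars.AWS_REGION }}

      # `-input=false` on every Terraform command: a non-interactive runner must
      # fail fast on a missing value instead of blocking on a prompt.
      - name: Terraform Init
        working-directory: terraform
        run: terraform init -input=false

      - name: Terraform Format Check
        working-directory: terraform
        run: terraform fmt -check -recursive

      - name: Terraform Validate
        working-directory: terraform
        run: terraform validate

      # Bootstrap only the ECR repositories first so the images below can be
      # pushed before the full apply wires them into the Lambdas.
      - name: Create ECR repositories
        if: ${{ inputs.apply && !inputs.destroy || (github.event_name == 'push' && github.ref_name == 'main') }}
        working-directory: terraform
        run: terraform apply -input=false -auto-approve -target=aws_ecr_repository.index_lambda -target=aws_ecr_repository.ttc_lambda -target=aws_ecr_repository.augmentation_lambda

      - name: Login to Amazon ECR
        if: ${{ inputs.apply && !inputs.destroy || (github.event_name == 'push' && github.ref_name == 'main') }}
        id: ecr-login
        uses: aws-actions/amazon-ecr-login@d539f0932e70871a027e9d5a9d8fc38589180a64 # v2.1.6

      - name: Get ECR repository URLs
        if: ${{ inputs.apply && !inputs.destroy || (github.event_name == 'push' && github.ref_name == 'main') }}
        id: ecr-url
        working-directory: terraform
        run: |
          INDEX_ECR_URL=$(terraform output -raw index_ecr_repository_url)
          echo "index_ecr_url=$INDEX_ECR_URL" >> "$GITHUB_OUTPUT"
          ECR_URL=$(terraform output -raw ecr_repository_url)
          echo "ecr_url=$ECR_URL" >> "$GITHUB_OUTPUT"
          AUG_ECR_URL=$(terraform output -raw augmentation_ecr_repository_url)
          echo "aug_ecr_url=$AUG_ECR_URL" >> "$GITHUB_OUTPUT"

      - name: Set up Buildx
        if: ${{ inputs.apply && !inputs.destroy || (github.event_name == 'push' && github.ref_name == 'main') }}
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

      # Each image is tagged with the commit SHA (what Terraform deploys) plus a
      # moving `latest`. `provenance: false` turns off the BuildKit attestation
      # manifest; presumably the Lambda consumer needs a single-manifest image —
      # confirm before re-enabling. The build secret is only mounted at build
      # time and is not baked into image layers.
      - name: Build and push Index Docker image
        if: ${{ inputs.apply && !inputs.destroy || (github.event_name == 'push' && github.ref_name == 'main') }}
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          file: Dockerfile.index
          pull: true
          push: true
          platforms: linux/amd64
          provenance: false
          tags: |
            ${{ steps.ecr-url.outputs.index_ecr_url }}:${{ github.sha }}
            ${{ steps.ecr-url.outputs.index_ecr_url }}:latest
          cache-from: type=gha,scope=index
          cache-to: type=gha,mode=max,scope=index
          secrets: |
            "huggingface_token=${{ secrets.HF_TOKEN }}"

      - name: Build and push TTC Docker image
        if: ${{ inputs.apply && !inputs.destroy || (github.event_name == 'push' && github.ref_name == 'main') }}
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          file: Dockerfile.ttc
          pull: true
          push: true
          platforms: linux/amd64
          provenance: false
          tags: |
            ${{ steps.ecr-url.outputs.ecr_url }}:${{ github.sha }}
            ${{ steps.ecr-url.outputs.ecr_url }}:latest
          cache-from: type=gha,scope=ttc
          cache-to: type=gha,mode=max,scope=ttc
          secrets: |
            "huggingface_token=${{ secrets.HF_TOKEN }}"

      # No build secret is passed here; presumably Dockerfile.augmentation does
      # not need the Hugging Face token — confirm.
      - name: Build and push Augmentation Docker image
        if: ${{ inputs.apply && !inputs.destroy || (github.event_name == 'push' && github.ref_name == 'main') }}
        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
        with:
          context: .
          file: Dockerfile.augmentation
          pull: true
          push: true
          platforms: linux/amd64
          provenance: false
          tags: |
            ${{ steps.ecr-url.outputs.aug_ecr_url }}:${{ github.sha }}
            ${{ steps.ecr-url.outputs.aug_ecr_url }}:latest
          cache-from: type=gha,scope=augmentation
          cache-to: type=gha,mode=max,scope=augmentation

      # NOTE(review): this condition is true for both triggers (the first clause
      # holds on push, the second on workflow_dispatch), so the plan always runs;
      # drop the `if` if that is the intent.
      - name: Terraform Plan
        if: ${{ !inputs.apply && !inputs.destroy || !(github.event_name == 'push' && github.ref_name == 'main') }}
        working-directory: terraform
        run: terraform plan -input=false

      # Image tags are the commit SHA so the deployed code matches the build.
      - name: Terraform Apply
        if: ${{ inputs.apply && !inputs.destroy || (github.event_name == 'push' && github.ref_name == 'main') }}
        working-directory: terraform
        run: terraform apply -input=false -auto-approve -var="index_lambda_image_tag=${{ github.sha }}" -var="ttc_lambda_image_tag=${{ github.sha }}" -var="augmentation_lambda_image_tag=${{ github.sha }}"

      # NOTE(review): destroy is gated only by the dispatch input; a deployment
      # environment with required reviewers would add an approval step before
      # this irreversible action.
      - name: Terraform Destroy
        if: ${{ inputs.destroy }}
        working-directory: terraform
        run: terraform destroy -input=false -auto-approve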