Add production deployment workflow

harshavemula-ua · harshavemula-ua · commit 2dcafa85435f · 2025-12-03T14:19:07.000-06:00
- New deploy_datastream.yml workflow for deploying datastream infra
- Supports dev/prod environments with plan/apply/destroy actions
- Option to enable EventBridge schedules for daily runs
- Added backend-prod.hcl and variables-prod.tfvars
- Updated README with prod environment documentation
diff --git a/.github/workflows/deploy_datastream.yml b/.github/workflows/deploy_datastream.yml
@@ -0,0 +1,162 @@
+name: Deploy Datastream Infrastructure
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'Environment to deploy'
+        required: true
+        type: choice
+        options:
+          - dev
+          - prod
+        default: 'dev'
+      action:
+        description: 'Action to perform'
+        required: true
+        type: choice
+        options:
+          - plan
+          - apply
+          - destroy
+        default: 'plan'
+      enable_schedules:
+        description: 'Enable EventBridge schedules for daily runs'
+        type: boolean
+        default: false
+
+env:
+  AWS_REGION: us-east-1
+  TERRAFORM_VERSION: 1.10.0
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  deploy:
+    name: ${{ inputs.action }} - ${{ inputs.environment }}
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: infra/aws/terraform
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get update && sudo apt-get install -y jq
+          pip install --upgrade pip boto3 pandas
+
+      - name: Configure AWS Credentials (OIDC)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
+          aws-region: ${{ env.AWS_REGION }}
+          role-session-name: GitHubActions-Deploy-${{ inputs.environment }}
+
+      - name: Set environment variables
+        id: env
+        run: |
+          ENV="${{ inputs.environment }}"
+
+          if [ "$ENV" = "prod" ]; then
+            echo "tf_backend=backend-prod.hcl" >> $GITHUB_OUTPUT
+            echo "tf_vars=variables-prod.tfvars" >> $GITHUB_OUTPUT
+            echo "sm_name=nrds_prod_sm" >> $GITHUB_OUTPUT
+          else
+            echo "tf_backend=backend-dev.hcl" >> $GITHUB_OUTPUT
+            echo "tf_vars=variables.tfvars" >> $GITHUB_OUTPUT
+            echo "sm_name=nrds_dev_sm" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Generate execution files
+        working-directory: infra/aws
+        run: |
+          echo "Generating VPU execution files..."
+          python python/src/research_datastream/gen_vpu_execs.py \
+            --arch arm \
+            --inputs terraform/modules/schedules/config/execution_forecast_inputs.json \
+            --ami_file terraform/modules/schedules/config/community_ami.txt \
+            --exec_template_vpu terraform/modules/schedules/executions/templates/execution_datastream_VPU_template.json \
+            --exec_template_fp terraform/modules/schedules/executions/templates/execution_datastream_fp_template.json \
+            --out_dir terraform/modules/schedules/executions
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ env.TERRAFORM_VERSION }}
+          terraform_wrapper: false
+
+      - name: Terraform Init
+        run: |
+          terraform init -backend-config=${{ steps.env.outputs.tf_backend }}
+
+      - name: Terraform Plan
+        if: inputs.action == 'plan' || inputs.action == 'apply'
+        run: |
+          terraform plan \
+            -var-file=${{ steps.env.outputs.tf_vars }} \
+            -var="enable_schedules=${{ inputs.enable_schedules }}" \
+            -out=tfplan
+
+          echo "## Terraform Plan Summary" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          terraform show -no-color tfplan >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+
+      - name: Terraform Apply
+        if: inputs.action == 'apply'
+        run: |
+          terraform apply -auto-approve tfplan
+
+          echo "## Deployment Complete" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "- **Environment:** ${{ inputs.environment }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **State Machine:** ${{ steps.env.outputs.sm_name }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Schedules Enabled:** ${{ inputs.enable_schedules }}" >> $GITHUB_STEP_SUMMARY
+
+      - name: Terraform Destroy
+        if: inputs.action == 'destroy'
+        run: |
+          terraform destroy \
+            -var-file=${{ steps.env.outputs.tf_vars }} \
+            -var="enable_schedules=${{ inputs.enable_schedules }}" \
+            -auto-approve
+
+          echo "## Infrastructure Destroyed" >> $GITHUB_STEP_SUMMARY
+          echo "Environment: ${{ inputs.environment }}" >> $GITHUB_STEP_SUMMARY
+
+      - name: Get State Machine ARN
+        if: inputs.action == 'apply'
+        run: |
+          SM_NAME="${{ steps.env.outputs.sm_name }}"
+          ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
+          ARN="arn:aws:states:${{ env.AWS_REGION }}:${ACCOUNT_ID}:stateMachine:${SM_NAME}"
+
+          echo "## State Machine Details" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**ARN:** \`${ARN}\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Execute manually:" >> $GITHUB_STEP_SUMMARY
+          echo '```bash' >> $GITHUB_STEP_SUMMARY
+          echo "aws stepfunctions start-execution \\" >> $GITHUB_STEP_SUMMARY
+          echo "  --state-machine-arn \"${ARN}\" \\" >> $GITHUB_STEP_SUMMARY
+          echo "  --name \"manual-run-\$(date +%Y%m%d%H%M%S)\" \\" >> $GITHUB_STEP_SUMMARY
+          echo "  --input 'file://execution.json'" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+
+      - name: List deployed resources
+        if: inputs.action == 'apply'
+        run: |
+          echo "### Deployed Resources" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          terraform state list >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
diff --git a/infra/aws/terraform/README.md b/infra/aws/terraform/README.md
@@ -61,8 +61,9 @@ Multiple environments are supported via separate backend and variable files:
 | Environment | Backend Config | Variables | State Machine | Purpose |
 |-------------|----------------|-----------|---------------|---------|
 | dev | `backend-dev.hcl` | `variables.tfvars` | `nrds_dev_sm` | Local development |
-| test | `backend-test.hcl` | `variables-test.tfvars` | `nrds_test_sm` | CI/CD testing (`infra_deploy.yml`) |
+| test | `backend-test.hcl` | `variables-test.tfvars` | `nrds_test_sm` | CI/CD testing (`infra_deploy_val.yaml`) |
 | healthcheck | `backend-healthcheck.hcl` | `variables-healthcheck.tfvars` | `nrds_healthcheck_sm` | Auto-rerun failures (`health_check.yml`) |
+| prod | `backend-prod.hcl` | `variables-prod.tfvars` | `nrds_prod_sm` | Production deployment (`deploy_datastream.yml`) |
 
 ### Using an Environment
 
@@ -83,6 +84,7 @@ Each environment has isolated Terraform state to prevent conflicts:
 - **dev**: `ciroh-terraform-state` bucket (us-east-2)
 - **test**: `ciroh-ngen-datastream-test-tfstate` bucket
 - **healthcheck**: `ciroh-ngen-datastream-test-tfstate` bucket (separate key)
+- **prod**: `ciroh-ngen-datastream-prod-tfstate` bucket
 
 ### Adding a New Environment
 
diff --git a/infra/aws/terraform/backend-prod.hcl b/infra/aws/terraform/backend-prod.hcl
@@ -0,0 +1,5 @@
+bucket       = "ciroh-ngen-datastream-prod-tfstate"
+key          = "terraform.tfstate"
+region       = "us-east-1"
+encrypt      = true
+use_lockfile = true
diff --git a/infra/aws/terraform/variables-prod.tfvars b/infra/aws/terraform/variables-prod.tfvars
@@ -0,0 +1,15 @@
+region                    = "us-east-1"
+sm_name                   = "nrds_prod_sm"
+sm_role_name              = "nrds_prod_sm_role"
+sm_parameter_name         = "/datastream/prod/state-machine-arn"
+starter_lambda_name       = "nrds_prod_start_ec2"
+commander_lambda_name     = "nrds_prod_ec2_commander"
+poller_lambda_name        = "nrds_prod_ec2_command_poller"
+checker_lambda_name       = "nrds_prod_s3_object_checker"
+stopper_lambda_name       = "nrds_prod_ec2_stopper"
+lambda_policy_name        = "nrds_prod_lambda_policy"
+lambda_role_name          = "nrds_prod_lambda_role"
+lambda_invoke_policy_name = "nrds_prod_lambda_invoke_policy"
+ec2_role                  = "nrds_prod_ec2_role"
+ec2_policy_name           = "nrds_prod_ec2_policy"
+profile_name              = "nrds_prod_ec2_profile"
