update terraform and monitoring #27
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI/CD Pipeline for REST API Users | |
| on: | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| branches: | |
| - master | |
| workflow_dispatch: | |
| env: | |
| AWS_REGION: ap-southeast-2 | |
| ECR_REPOSITORY: restapi-users | |
| EKS_CLUSTER_NAME: restapi-users-cluster | |
| K8S_DEPLOYMENT_NAME: restapi-users-deployment | |
| INGRESS_HOSTNAME: portproject.my.id | |
| jobs: | |
| build: | |
| name: Build, Test and Push | |
| runs-on: ubuntu-latest | |
| outputs: | |
| image: ${{ steps.build-image.outputs.image }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Login to Amazon ECR | |
| id: login-ecr | |
| uses: aws-actions/amazon-ecr-login@v2 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| - name: Install Dependencies | |
| run: npm install | |
| - name: Run Unit Tests | |
| run: npm test | |
| - name: Build and tag the Docker image | |
| id: build-image | |
| run: | | |
| IMAGE_TAG=${{ github.sha }}-${{ github.run_number }} | |
| docker build -t ${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${IMAGE_TAG} . | |
| echo "image=${{ steps.login-ecr.outputs.registry }}/${{ env.ECR_REPOSITORY }}:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
| - name: Scan Docker Image with Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ steps.build-image.outputs.image }} | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| vuln-type: "os,library" | |
| severity: "CRITICAL" | |
| - name: Push image to Amazon ECR | |
| run: docker push ${{ steps.build-image.outputs.image }} | |
| deploy: | |
| name: Deploy to Staging (EKS) | |
| needs: build | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/master' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Set up Kubeconfig | |
| run: aws eks update-kubeconfig --name ${{ env.EKS_CLUSTER_NAME }} --region ${{ env.AWS_REGION }} | |
| - name: Update Ingress manifest with correct hostname | |
| run: sed -i "s|__INGRESS_HOSTNAME__|${{ env.INGRESS_HOSTNAME }}|g" k8s/ingress.yaml | |
| - name: Apply Kubernetes non-secret manifests | |
| run: | | |
| kubectl apply -f k8s/configmap.yaml | |
| kubectl apply -f k8s/deployment.yaml | |
| kubectl apply -f k8s/service.yaml | |
| kubectl apply -f k8s/ingress.yaml | |
| - name: Create or Update Kubernetes Secret | |
| run: | | |
| kubectl create secret generic restapi-users-secrets \ | |
| --from-literal=CONNECTION_URL='${{ secrets.CONNECTION_URL }}' \ | |
| --from-literal=DB_NAME='${{ secrets.DB_NAME }}' \ | |
| --from-literal=REFRESH_TOKEN_SECRET='${{ secrets.REFRESH_TOKEN_SECRET }}' \ | |
| --from-literal=ACCESS_TOKEN_SECRET='${{ secrets.ACCESS_TOKEN_SECRET }}' \ | |
| --from-literal=ACTIVATION_TOKEN_SECRET='${{ secrets.ACTIVATION_TOKEN_SECRET }}' \ | |
| --from-literal=DOCKER_USERNAME='${{ secrets.DOCKER_USERNAME }}' \ | |
| --from-literal=DOCKER_PASSWORD='${{ secrets.DOCKER_PASSWORD }}' \ | |
| --from-literal=TUNNEL_NAME='${{ secrets.TUNNEL_NAME }}' \ | |
| --from-literal=EMAIL_USER='${{ secrets.EMAIL_USER }}' \ | |
| --from-literal=EMAIL_PASSWORD='${{ secrets.EMAIL_PASSWORD }}' \ | |
| --dry-run=client -o yaml | kubectl apply -f - | |
| - name: Update deployment image | |
| run: kubectl set image deployment/${{ env.K8S_DEPLOYMENT_NAME }} restapi-users-container=${{ needs.build.outputs.image }} | |
| - name: Verify deployment rollout | |
| run: kubectl rollout status deployment/${{ env.K8S_DEPLOYMENT_NAME }} --timeout=120s | |
| - name: Deploy Monitoring Stack | |
| run: | | |
| helm repo add prometheus-community https://prometheus-community.github.io/helm-charts | |
| helm repo update | |
| helm upgrade --install prometheus prometheus-community/kube-prometheus-stack \ | |
| --namespace monitoring \ | |
| -f monitoring/alertmanager-values.yaml \ | |
| --set alertmanager.config.global.resolve_timeout='5m' \ | |
| --set alertmanager.config.global.smtp_from='${{ secrets.GMAIL_USERNAME_MONITORING }}' \ | |
| --set alertmanager.config.global.smtp_smarthost='smtp.gmail.com:587' \ | |
| --set alertmanager.config.global.smtp_auth_username='${{ secrets.GMAIL_USERNAME_MONITORING }}' \ | |
| --set alertmanager.config.global.smtp_auth_password='${{ secrets.GMAIL_APP_PASSWORD_MONITORING }}' | |
| kubectl apply -f monitoring/my-alert-rules.yaml |