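---
# CI/CD for the REST API "users" service.
#
#   build  : install (lockfile-pinned), unit-test, build and scan the image on
#            every push / pull request to master; push to ECR only when the
#            event is not a pull request.
#   deploy : roll the scanned image out to the staging EKS cluster, refresh the
#            application Secret and the monitoring stack. Runs only for
#            push / workflow_dispatch on master.
#
# Secrets are handed to shell steps through `env:` and referenced as `$VAR`,
# never expanded with `${{ }}` inside a script, so a value containing quotes
# or shell metacharacters cannot break or rewrite the command line.
name: CI/CD Pipeline for REST API Users

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: nothing here writes to the repository, so
# read-only is sufficient regardless of the repository's default token policy.
permissions:
  contents: read

env:
  AWS_REGION: ap-southeast-2
  ECR_REPOSITORY: restapi-users
  EKS_CLUSTER_NAME: restapi-users-cluster
  K8S_DEPLOYMENT_NAME: restapi-users-deployment
  INGRESS_HOSTNAME: portproject.my.id

jobs:
  build:
    name: Build, Test and Push
    runs-on: ubuntu-latest
    timeout-minutes: 30
    outputs:
      # Fully-qualified ECR reference of the pushed image. Empty on
      # pull_request runs, where the push step is skipped (deploy never runs
      # for those events, so nothing consumes the empty value).
      image: ${{ steps.push-image.outputs.image }}
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "20"

      # `npm ci` installs exactly what package-lock.json records and fails on
      # drift, so a build cannot silently resolve a different dependency tree
      # than the one reviewed. Requires the lockfile to be committed.
      - name: Install Dependencies
        run: npm ci

      - name: Run Unit Tests
        run: npm test

      # Build under a registry-less local name; the ECR-qualified tag is only
      # applied at push time. Pull-request runs therefore need no AWS
      # credentials (fork PRs have none) and can never publish an image.
      - name: Build and tag the Docker image
        id: build-image
        run: |
          set -euo pipefail
          IMAGE_TAG="${GITHUB_SHA}-${GITHUB_RUN_NUMBER}"
          LOCAL_IMAGE="${ECR_REPOSITORY}:${IMAGE_TAG}"
          docker build -t "${LOCAL_IMAGE}" .
          echo "tag=${IMAGE_TAG}" >> "$GITHUB_OUTPUT"
          echo "local_image=${LOCAL_IMAGE}" >> "$GITHUB_OUTPUT"

      # Block on fixable CRITICAL findings before the image can leave the
      # runner. The action is pinned to a released tag instead of `master` so
      # the scanner that gates the pipeline cannot change underneath it;
      # pinning to a full commit SHA is stronger still.
      - name: Scan Docker Image with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ steps.build-image.outputs.local_image }}
          format: "table"
          exit-code: "1"
          # NOTE: CRITICALs without an upstream fix are reported but do not
          # fail the build; tighten (severity "CRITICAL,HIGH",
          # ignore-unfixed false) once the baseline image is clean.
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL"

      # Everything below publishes to ECR; skipped for pull requests.
      - name: Configure AWS Credentials
        if: github.event_name != 'pull_request'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # Static long-lived keys. Prefer OIDC (`role-to-assume` plus
          # `id-token: write`) so no AWS credential has to live in repository
          # secrets at all.
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Login to Amazon ECR
        if: github.event_name != 'pull_request'
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2

      - name: Push image to Amazon ECR
        if: github.event_name != 'pull_request'
        id: push-image
        env:
          REGISTRY: ${{ steps.login-ecr.outputs.registry }}
          LOCAL_IMAGE: ${{ steps.build-image.outputs.local_image }}
          IMAGE_TAG: ${{ steps.build-image.outputs.tag }}
        run: |
          set -euo pipefail
          IMAGE="${REGISTRY}/${ECR_REPOSITORY}:${IMAGE_TAG}"
          docker tag "${LOCAL_IMAGE}" "${IMAGE}"
          docker push "${IMAGE}"
          echo "image=${IMAGE}" >> "$GITHUB_OUTPUT"

  deploy:
    name: Deploy to Staging (EKS)
    needs: build
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Serialise rollouts to the single staging cluster. Queue rather than
    # cancel: an in-flight `kubectl set image` / rollout must not be
    # interrupted half-way by a newer run.
    concurrency:
      group: deploy-staging
      cancel-in-progress: false
    if: github.ref == 'refs/heads/master' && (github.event_name == 'push' || github.event_name == 'workflow_dispatch')
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.AWS_REGION }}

      - name: Set up Kubeconfig
        run: aws eks update-kubeconfig --name "$EKS_CLUSTER_NAME" --region "$AWS_REGION"

      # Workflow-level env keys are exported to the step's environment, so the
      # hostname is read as a shell variable instead of being spliced into the
      # script text.
      - name: Update Ingress manifest with correct hostname
        run: sed -i "s|__INGRESS_HOSTNAME__|${INGRESS_HOSTNAME}|g" k8s/ingress.yaml

      - name: Apply Kubernetes non-secret manifests
        run: |
          set -euo pipefail
          kubectl apply -f k8s/configmap.yaml
          kubectl apply -f k8s/deployment.yaml
          kubectl apply -f k8s/service.yaml
          kubectl apply -f k8s/ingress.yaml

      # Secret values come in through the environment; the client-side
      # dry-run + apply keeps the step idempotent (create or update).
      - name: Create or Update Kubernetes Secret
        env:
          CONNECTION_URL: ${{ secrets.CONNECTION_URL }}
          DB_NAME: ${{ secrets.DB_NAME }}
          REFRESH_TOKEN_SECRET: ${{ secrets.REFRESH_TOKEN_SECRET }}
          ACCESS_TOKEN_SECRET: ${{ secrets.ACCESS_TOKEN_SECRET }}
          ACTIVATION_TOKEN_SECRET: ${{ secrets.ACTIVATION_TOKEN_SECRET }}
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
          TUNNEL_NAME: ${{ secrets.TUNNEL_NAME }}
          EMAIL_USER: ${{ secrets.EMAIL_USER }}
          EMAIL_PASSWORD: ${{ secrets.EMAIL_PASSWORD }}
        run: |
          set -euo pipefail
          kubectl create secret generic restapi-users-secrets \
            --from-literal=CONNECTION_URL="$CONNECTION_URL" \
            --from-literal=DB_NAME="$DB_NAME" \
            --from-literal=REFRESH_TOKEN_SECRET="$REFRESH_TOKEN_SECRET" \
            --from-literal=ACCESS_TOKEN_SECRET="$ACCESS_TOKEN_SECRET" \
            --from-literal=ACTIVATION_TOKEN_SECRET="$ACTIVATION_TOKEN_SECRET" \
            --from-literal=DOCKER_USERNAME="$DOCKER_USERNAME" \
            --from-literal=DOCKER_PASSWORD="$DOCKER_PASSWORD" \
            --from-literal=TUNNEL_NAME="$TUNNEL_NAME" \
            --from-literal=EMAIL_USER="$EMAIL_USER" \
            --from-literal=EMAIL_PASSWORD="$EMAIL_PASSWORD" \
            --dry-run=client -o yaml | kubectl apply -f -

      # Refuse to roll out if the build job produced no image reference; an
      # empty value would otherwise pass `set image` a malformed spec.
      - name: Update deployment image
        env:
          IMAGE: ${{ needs.build.outputs.image }}
        run: |
          set -euo pipefail
          : "${IMAGE:?build job produced no image reference}"
          kubectl set image "deployment/${K8S_DEPLOYMENT_NAME}" "restapi-users-container=${IMAGE}"

      - name: Verify deployment rollout
        run: kubectl rollout status "deployment/${K8S_DEPLOYMENT_NAME}" --timeout=120s

      # `--create-namespace` makes the first run on a fresh cluster succeed.
      # SMTP credentials are read from the environment. Helm's `--set` splits
      # on unescaped commas, so a value containing a comma would need
      # backslash-escaping (Gmail app passwords and addresses do not).
      - name: Deploy Monitoring Stack
        env:
          SMTP_USERNAME: ${{ secrets.GMAIL_USERNAME_MONITORING }}
          SMTP_PASSWORD: ${{ secrets.GMAIL_APP_PASSWORD_MONITORING }}
        run: |
          set -euo pipefail
          helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
          helm repo update
          helm upgrade --install prometheus prometheus-community/kube-prometheus-stack \
            --namespace monitoring \
            --create-namespace \
            -f monitoring/alertmanager-values.yaml \
            --set alertmanager.config.global.resolve_timeout='5m' \
            --set alertmanager.config.global.smtp_from="${SMTP_USERNAME}" \
            --set alertmanager.config.global.smtp_smarthost='smtp.gmail.com:587' \
            --set alertmanager.config.global.smtp_auth_username="${SMTP_USERNAME}" \
            --set alertmanager.config.global.smtp_auth_password="${SMTP_PASSWORD}"
          kubectl apply -f monitoring/my-alert-rules.yaml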