ADE-11 Add GitHub Actions workflows

GuidoBR · GuidoBR · commit 9ef68cfb5ba1 · 2025-03-07T14:03:53.000-05:00
Add automated deployment pipelines for staging and production environments
using GitHub Actions. Set up AWS infrastructure with CDK and configure
secure role-based authentication.

Key Changes:
- Add GitHub Actions workflows for staging and production deployments
- Configure environment-specific CDK stack deployments
- Set up test jobs to run before deployments
- Use AWS IAM role for secure authentication
- Update Dockerfile with environment support
- Add environment variable handling for different stages

Infrastructure:
- Configure ECS Fargate service with environment-specific settings
- Set up API Gateway integration
- Configure environment-specific secrets paths
- Add CDK infrastructure tests

Testing:
- Add test jobs as deployment prerequisites
- Run unit tests with Vitest
- Run CDK infrastructure tests
- Ensure tests must pass before deployment

Security:
- Use role-based authentication with AWS
- Configure environment-specific permissions
- Remove hardcoded credentials
- Use environment-specific secret paths

This change enables automated deployments while maintaining security
and environment separation.
diff --git a/.github/workflows/deploy-production.yml b/.github/workflows/deploy-production.yml
@@ -0,0 +1,76 @@
+name: Deploy to Production
+
+on:
+  push:
+    branches:
+      - main
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          cd backend
+          npm ci
+
+      - name: Run unit tests
+        run: |
+          cd backend
+          npm test
+
+      - name: Run CDK tests
+        run: |
+          cd backend
+          npm run test:cdk
+
+  deploy:
+    needs: test
+    runs-on: ubuntu-latest
+    environment: production
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::841162674562:role/GitHubAction-AssumeRoleWithAction
+          aws-region: us-east-1
+          role-session-name: GithubActionsDeployment
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          cd backend
+          npm ci
+
+      - name: Build application
+        run: |
+          cd backend
+          npm run build
+
+      - name: Deploy to AWS
+        run: |
+          cd backend
+          npm run cdk deploy -- \
+            --require-approval never \
+            --context environment=production
+        env:
+          CDK_DEFAULT_ACCOUNT: ${{ secrets.AWS_ACCOUNT_ID }}
+          CDK_DEFAULT_REGION: us-east-1
diff --git a/.github/workflows/deploy-staging.yml b/.github/workflows/deploy-staging.yml
@@ -0,0 +1,76 @@
+name: Deploy to Staging
+
+on:
+  push:
+    branches:
+      - staging
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          cd backend
+          npm ci
+
+      - name: Run unit tests
+        run: |
+          cd backend
+          npm test
+
+      - name: Run CDK tests
+        run: |
+          cd backend
+          npm run test:cdk
+
+  deploy:
+    needs: test
+    runs-on: ubuntu-latest
+    environment: staging
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::841162674562:role/GitHubAction-AssumeRoleWithAction
+          aws-region: us-east-1
+          role-session-name: GithubActionsDeployment
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Install dependencies
+        run: |
+          cd backend
+          npm ci
+
+      - name: Build application
+        run: |
+          cd backend
+          npm run build
+
+      - name: Deploy to AWS
+        run: |
+          cd backend
+          npm run cdk deploy -- \
+            --require-approval never \
+            --context environment=staging
+        env:
+          CDK_DEFAULT_ACCOUNT: ${{ secrets.AWS_ACCOUNT_ID }}
+          CDK_DEFAULT_REGION: us-east-1
diff --git a/backend/Dockerfile.prod b/backend/Dockerfile.prod
@@ -1,5 +1,8 @@
 FROM node:20-slim as builder
 
+ARG NODE_ENV=production
+ENV NODE_ENV=${NODE_ENV}
+
 WORKDIR /usr/src/app
 
 COPY package*.json ./
@@ -10,6 +13,9 @@ RUN npm run build
 
 FROM node:20-slim
 
+ARG NODE_ENV=production
+ENV NODE_ENV=${NODE_ENV}
+
 WORKDIR /usr/src/app
 
 COPY package*.json ./
diff --git a/backend/src/iac/backend-stack.ts b/backend/src/iac/backend-stack.ts
@@ -6,10 +6,16 @@ import * as apigateway from 'aws-cdk-lib/aws-apigateway';
 import * as ecr from 'aws-cdk-lib/aws-ecr';
 import { Construct } from 'constructs';
 
+interface BackendStackProps extends cdk.StackProps {
+  environment: 'staging' | 'production';
+}
+
 export class BackendStack extends cdk.Stack {
-  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
+  constructor(scope: Construct, id: string, props: BackendStackProps) {
     super(scope, id, props);
 
+    const isProd = props.environment === 'production';
+
     // VPC
     const vpc = new ec2.Vpc(this, 'MedicalReportsVPC', {
       maxAzs: 2,
@@ -29,12 +35,15 @@ export class BackendStack extends cdk.Stack {
       desiredCount: 2,
       taskImageOptions: {
         image: ecs.ContainerImage.fromAsset('../backend/', {
-          file: 'Dockerfile.prod'
+          file: 'Dockerfile.prod',
+          buildArgs: {
+            NODE_ENV: props.environment,
+          },
         }),
         containerPort: 3000,
         environment: {
-          NODE_ENV: 'production',
-          PERPLEXITY_API_KEY_SECRET_NAME: 'medical-reports-explainer/perplexity-api-key',
+          NODE_ENV: props.environment,
+          PERPLEXITY_API_KEY_SECRET_NAME: `medical-reports-explainer/${props.environment}/perplexity-api-key`,
           PERPLEXITY_MODEL: 'sonar',
           PERPLEXITY_MAX_TOKENS: '2048',
         },
