nginx.org deploy with az-sync (#61)

nginx.org deploy

Author: eepifanova

.github/workflows/nginx.org-make-aws.yml

@@ -3,11 +3,13 @@ name: nginx.org build
 on:
   workflow_call:
     secrets:
-      AWS_ACCOUNT_ID:
+      AZURE_VAULT_CLIENT_ID:
         required: true
-      AWS_ROLE_NAME:
+      AZURE_VAULT_SUBSCRIPTION_ID:
         required: true
-      ALLOWED_USERS:
+      AZURE_VAULT_TENANT_ID:
+        required: true
+      DOCS_VAULTNAME:
         required: true
     inputs:
       deployment_env:
@@ -40,12 +42,26 @@ defaults:
     shell: 'bash -Eeo pipefail -x {0}'
 
 jobs:
-  check-if-allowed:
-    if: ${{ ( github.repository_owner == 'nginx' || github.repository_owner == 'nginxinc' ) }}
+  build-staging:
+    name: build-staging
     runs-on: ubuntu-latest
+    environment: preview
+    if: ${{ inputs.deployment_env == 'staging' }}
 
     steps:
+      - name: Get Secrets from Azure Key Vault
+        uses: nginxinc/docs-actions/.github/actions/az-sync@129ceed709adf17d9bfad75bd31a6ec0dbf1cd01 #v1.0.14
+        with:
+          az_client_id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+          az_tenant_id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+          az_subscription_id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+          keyvault: ${{ secrets.DOCS_VAULTNAME }}
+          secrets-filter: 'NginxOrgAwsAccountID,NginxOrgAwsRoleName,NginxOrgAllowedUsers'
+
       - name: Check if we're in the allowed environment
+        env:
+          ALLOWED_USERS: ${{ env.NginxOrgAllowedUsers }}
+          DEPLOYMENT_ENV: ${{ inputs.deployment_env }}
         run: |
           org_found=0
           event_found=0
@@ -54,22 +70,22 @@ jobs:
           ALLOWED_ORGS="nginx nginxinc"
           ALLOWED_EVENTS="push workflow_dispatch"
           ALLOWED_REFS="refs/heads/main"
-          ALLOWED_USERS="${{ secrets.ALLOWED_USERS }}"
+          USER_LIST="$(printf '%s' "$ALLOWED_USERS" | tr ',\n' '  ')"
           for org in $ALLOWED_ORGS; do
             if [ "$org" == "$GITHUB_REPOSITORY_OWNER" ]; then org_found=1; fi
           done
           for event in $ALLOWED_EVENTS; do
             if [ "$event" == "$GITHUB_EVENT_NAME" ]; then event_found=1; fi
           done
           for ref in $ALLOWED_REFS; do
-            if [ ${{ inputs.deployment_env }} == 'prod' ]; then
+            if [ "$DEPLOYMENT_ENV" = "prod" ]; then
               if [ "$ref" == "$GITHUB_REF" ]; then ref_found=1; fi
             else
               ref_found=1
             fi
           done
-          for user in $ALLOWED_USERS; do
-            if [ ${{ inputs.deployment_env }} == 'prod' ]; then
+          for user in $USER_LIST; do
+            if [ "$DEPLOYMENT_ENV" = "prod" ]; then
               if [ "$user" == "$GITHUB_ACTOR" ]; then user_found=1; fi
             else
               user_found=1
@@ -80,14 +96,7 @@ jobs:
             exit 1
           fi
           exit 0
-          
-  build-staging:
-    name: build-staging
-    runs-on: ubuntu-latest
-    needs: check-if-allowed
-    if: ${{ inputs.deployment_env == 'staging' }}
 
-    steps:        
       - name: Install dependencies
         run: |
           sudo apt-get update
@@ -96,10 +105,10 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Configure AWS credentials
+      - name: Configure AWS credentials via OIDC (assume role)
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+          role-to-assume: arn:aws:iam::${{ env.NginxOrgAwsAccountID }}:role/${{ env.NginxOrgAwsRoleName }}
           aws-region: ${{ inputs.aws_region }}
 
       - name: Build
@@ -149,13 +158,15 @@ jobs:
             s3://${{ inputs.s3_bucket }}/${{ steps.vars.outputs.safe_repo }}/staging/.deployed.txt
 
       - name: Deployment summary
+        env:
+          DEPLOYMENT_ENV: ${{ inputs.deployment_env }}
         run: |
           {
             echo "### Deployment Summary"
             echo ""
             echo "| Key             | Value |"
             echo "|------------------|-------|"
-            echo "| deployment_env  | ${{ inputs.deployment_env }} |"
+            echo "| deployment_env  | $DEPLOYMENT_ENV |"
             echo "| repository      | $GITHUB_REPOSITORY |"
             echo "| actor           | $GITHUB_ACTOR |"
             echo "| commit          | $GITHUB_SHA |"
@@ -165,14 +176,63 @@ jobs:
   build-prod:
     name: build-prod
     runs-on: ubuntu-latest
-    needs: check-if-allowed
+    environment: preview
     if: ${{ inputs.deployment_env == 'prod' }}
 
+
     steps:
-      - name: Configure AWS credentials
+      - name: Get Secrets from Azure Key Vault
+        uses: nginxinc/docs-actions/.github/actions/az-sync@129ceed709adf17d9bfad75bd31a6ec0dbf1cd01 #v1.0.14
+        with:
+          az_client_id: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+          az_tenant_id: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+          az_subscription_id: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+          keyvault: ${{ secrets.DOCS_VAULTNAME }}
+          secrets-filter: 'NginxOrgAwsAccountID,NginxOrgAwsRoleName,NginxOrgAllowedUsers'
+
+      - name: Check if we're in the allowed environment
+        env:
+          ALLOWED_USERS: ${{ env.NginxOrgAllowedUsers }}
+          DEPLOYMENT_ENV: ${{ inputs.deployment_env }}
+        run: |
+          org_found=0
+          event_found=0
+          ref_found=0
+          user_found=0
+          ALLOWED_ORGS="nginx nginxinc"
+          ALLOWED_EVENTS="push workflow_dispatch"
+          ALLOWED_REFS="refs/heads/main"
+          USER_LIST="$(printf '%s' "$ALLOWED_USERS" | tr ',\n' '  ')"
+          for org in $ALLOWED_ORGS; do
+            if [ "$org" == "$GITHUB_REPOSITORY_OWNER" ]; then org_found=1; fi
+          done
+          for event in $ALLOWED_EVENTS; do
+            if [ "$event" == "$GITHUB_EVENT_NAME" ]; then event_found=1; fi
+          done
+          for ref in $ALLOWED_REFS; do
+            if [ "$DEPLOYMENT_ENV" = "prod" ]; then
+              if [ "$ref" == "$GITHUB_REF" ]; then ref_found=1; fi
+            else
+              ref_found=1
+            fi
+          done
+          for user in $USER_LIST; do
+            if [ "$DEPLOYMENT_ENV" = "prod" ]; then
+              if [ "$user" == "$GITHUB_ACTOR" ]; then user_found=1; fi
+            else
+              user_found=1
+            fi
+          done
+          if [ $org_found$event_found$ref_found$user_found -ne 1111 ]; then
+            echo "Repository owner, event, ref or actor are not explicitely allowed to use this workflow: $GITHUB_REPOSITORY_OWNER, $GITHUB_EVENT_NAME, $GITHUB_REF, $GITHUB_ACTOR"
+            exit 1
+          fi
+          exit 0
+
+      - name: Configure AWS credentials via OIDC (assume role)
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_ROLE_NAME }}
+          role-to-assume: arn:aws:iam::${{ env.NginxOrgAwsAccountID }}:role/${{ env.NginxOrgAwsRoleName }}
           aws-region: ${{ inputs.aws_region }}
 
       - name: Compute safe repo name
@@ -214,13 +274,15 @@ jobs:
             s3://${{ inputs.s3_bucket }}/${{ steps.vars.outputs.safe_repo }}/prod/.deployed.txt
 
       - name: Deployment summary
+        env:
+          DEPLOYMENT_ENV: ${{ inputs.deployment_env }}
         run: |
           {
             echo "### Deployment Summary"
             echo ""
             echo "| Key             | Value |"
             echo "|------------------|-------|"
-            echo "| deployment_env  | ${{ inputs.deployment_env }} |"
+            echo "| deployment_env  | $DEPLOYMENT_ENV |"
             echo "| repository      | $GITHUB_REPOSITORY |"
             echo "| actor           | $GITHUB_ACTOR |"
             echo "| commit          | $GITHUB_SHA |"

README.md

@@ -2,6 +2,7 @@
 1. [docs-actions](#docs-actions)
 1. [Hugo theme version](#hugo-theme-version)
 1. [az-sync-action](#az-sync-action)
+1. [nginx.org-make-aws workflow](nginxorg-make-aws-workflow)
 
 
 # docs-actions
@@ -194,4 +195,90 @@ A reusable composite action written by s.breen that logs into Azure, retrieves s
 Each matched secret is exported as an environment variable named after the secret (e.g. `MySecret1`). Multiline secret values are handled using the heredoc syntax supported by `$GITHUB_ENV`.
 
 ---
+# nginx.org-make-aws workflow
 
+**Path:** `.github/workflows/nginx.org-make-aws.yml`
+
+A reusable (`workflow_call`) workflow that builds the nginx.org website using `make` and deploys it to AWS S3. It supports two separate jobs controlled by the `deployment_env` input:
+
+- **`build-staging`** — Builds the site from source and syncs the output to a versioned staging path in S3 (`staging/<sha>/`). Also uploads a `.deployed.txt` marker file used by the production job.
+- **`build-prod`** — Waits for the staging marker to be present for the current commit SHA, then promotes the staged build to the production S3 path (`prod/`).
+
+Both jobs use the [az-sync](#az-sync-action) action to retrieve AWS credentials from Azure Key Vault before assuming an AWS IAM role via OIDC.
+
+## How-to
+These instructions apply only to NGINX GitHub doc repositories.
+1. Navigate to the actions section
+1. On the left side of the page, select Deploy nginx.org
+1. Click a "Run workflow" button.
+1. Select select propper "Deployment environment" and press "Run workflow"
+The non-prod builds print an URL for the preview which is available in 3-5 minutes. 
+![Summary](/images/nginx.org.png "nginx.org deploy")
+
+## Secrets
+
+| Secret | Description | Required |
+|---|---|---|
+| `AZURE_VAULT_CLIENT_ID` | Azure Client ID for Key Vault access | Yes |
+| `AZURE_VAULT_SUBSCRIPTION_ID` | Azure Subscription ID | Yes |
+| `AZURE_VAULT_TENANT_ID` | Azure Tenant ID | Yes |
+| `DOCS_VAULTNAME` | Name of the Azure Key Vault containing AWS credentials | Yes |
+
+The Key Vault referenced by `DOCS_VAULTNAME` must contain the following secrets:
+
+| Key Vault secret | Description |
+|---|---|
+| `NginxOrgAwsAccountID` | AWS account ID used to construct the IAM role ARN |
+| `NginxOrgAwsRoleName` | AWS IAM role name to assume via OIDC |
+| `NginxOrgAllowedUsers` | Comma-separated list of GitHub usernames allowed to trigger production deployments |
+
+## Inputs
+
+| Input | Description | Required | Default |
+|---|---|---|---|
+| `deployment_env` | Target environment: `staging` or `prod` | No | `staging` |
+| `url_prod` | Public hostname for the production site | No | `nginx.org` |
+| `url_staging` | Public hostname for the staging site | No | `staging.nginx.org` |
+| `s3_bucket` | S3 bucket name for deployments | No | `nginx-org-staging` |
+| `aws_region` | AWS region for S3 operations | No | `eu-central-1` |
+
+## Access controls
+
+Both jobs verify that the workflow is triggered from an allowed context before proceeding:
+
+- **Organization**: `nginx` or `nginxinc`
+- **Event**: `push` or `workflow_dispatch`
+- **Ref** (prod only): `refs/heads/main`
+- **Actor** (prod only): must be listed in the `NginxOrgAllowedUsers` Key Vault secret
+
+## Caller example
+
+```yml
+name: nginx.org build and deploy
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+    inputs:
+      deployment_env:
+        description: 'Target environment'
+        required: false
+        default: staging
+        type: choice
+        options:
+          - staging
+          - prod
+
+jobs:
+  call-nginx-org-build:
+    uses: nginxinc/docs-actions/.github/workflows/nginx.org-make-aws.yml@main
+    with:
+      deployment_env: ${{ inputs.deployment_env || 'staging' }}
+    secrets:
+      AZURE_VAULT_CLIENT_ID: ${{ secrets.AZURE_VAULT_CLIENT_ID }}
+      AZURE_VAULT_SUBSCRIPTION_ID: ${{ secrets.AZURE_VAULT_SUBSCRIPTION_ID }}
+      AZURE_VAULT_TENANT_ID: ${{ secrets.AZURE_VAULT_TENANT_ID }}
+      DOCS_VAULTNAME: ${{ secrets.DOCS_VAULTNAME }}
+```