Factor deploy.yaml out into a reusable workflow

ccao-data · Nov 7, 2023 · 8457d05 · 8457d05
1 parent f51c35b
commit 8457d05
Show file tree

Hide file tree

Showing 4 changed files with 45 additions and 17 deletions.
diff --git a/.github/actions/setup-terraform/action.yaml b/.github/actions/setup-terraform/action.yaml
@@ -10,6 +10,9 @@ inputs:
   batch-container-image-name:
     description: The name of the container image to use for the Batch job.
     required: true
+  repo:
+    description: The name of the repo, to use for namespacing Terraform configs.
+    required: true
   role-duration-seconds:
     description: How long the role specified by role-to-assume should be valid.
     required: false
@@ -38,9 +41,16 @@ runs:
       uses: hashicorp/setup-terraform@v2
 
     - name: Initialize Terraform
-      run: terraform init
+      run: |
+        terraform init \
+          -backend-config "bucket=ccao-terraform-state-us-east-1" \
+          -backend-config "key=terraform.tfstate" \
+          -backend-config "region=us-east-1" \
+          -backend-config "workspace_key_prefix=$REPO/workspaces"
       shell: bash
       working-directory: terraform
+      env:
+        REPO: ${{ inputs.repo }}
 
     - name: Set Terraform variables
       id: set-vars

diff --git a/.github/workflows/build-and-run-model.yaml b/.github/workflows/build-and-run-model.yaml
@@ -0,0 +1,21 @@
+name: build-and-run-model
+
+on:
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches: [master]
+
+jobs:
+  build-and-run-model:
+    permissions:
+      # These permissions are needed to interact with GitHub's OIDC Token endpoint
+      # so that we can authenticate with AWS
+      contents: read
+      id-token: write
+    uses: ./.github/workflows/deploy.yaml
+    with:
+      role-duration-seconds: 14400  # Worst-case time for a full model run
+    secrets:
+      AWS_IAM_ROLE_TO_ASSUME_ARN: ${{ secrets.AWS_IAM_ROLE_TO_ASSUME_ARN }}
+      AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -10,10 +10,16 @@
 name: deploy
 
 on:
-  pull_request:
-  workflow_dispatch:
-  push:
-    branches: [master]
+  workflow_call:
+    inputs:
+      role-duration-seconds:
+        required: false
+        default: 3600
+    secrets:
+      AWS_IAM_ROLE_TO_ASSUME_ARN:
+        required: true
+      AWS_ACCOUNT_ID:
+        required: true
 
 env:
   DOCKER_REGISTRY: ghcr.io
@@ -83,11 +89,6 @@ jobs:
     runs-on: ubuntu-latest
     # Require manual approval to run this job
     environment: deploy
-    # These permissions are needed to interact with GitHub's OIDC Token endpoint
-    # so that we can authenticate with AWS
-    permissions:
-      id-token: write
-      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -98,7 +99,8 @@ jobs:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE_TO_ASSUME_ARN }}
           aws-account-id: ${{ secrets.AWS_ACCOUNT_ID }}
           batch-container-image-name: ${{ needs.publish-docker-image.outputs.image-name }}
-          role-duration-seconds: 14400  # Worst-case time for a full model run
+          repo: ${{ github.event.repository.name }}
+          role-duration-seconds: ${{ inputs.role-duration-seconds}}
 
       - name: Validate Terraform config
         run: terraform validate

diff --git a/terraform/main.tf b/terraform/main.tf
@@ -20,12 +20,7 @@ terraform {
 
   required_version = ">= 1.5.7"
 
-  backend "s3" {
-    bucket = "ccao-terraform-state-us-east-1"
-    key    = "terraform.tfstate"
-    region = "us-east-1"
-    workspace_key_prefix = "model-res-avm/workspaces"
-  }
+  backend "s3" {}
 }
 
 provider "aws" {