From d6b5004910605747ba877a6d4ccac00898e31134 Mon Sep 17 00:00:00 2001
From: Yusuke Nakamura
Date: Wed, 9 Oct 2024 01:28:55 +0900
Subject: [PATCH] staging env (worker)
---
 .github/workflows/staging_deploy.yml | 66 +++++++++
 deploy/staging/ecspresso.jsonnet | 8 +
 deploy/staging/runtask-db-migrate.jsonnet | 8 +
 deploy/staging/service_definition.jsonnet | 25 ++++
 deploy/staging/task_definition.jsonnet | 171 ++++++++++++++++++++++
 5 files changed, 278 insertions(+)
 create mode 100644 .github/workflows/staging_deploy.yml
 create mode 100644 deploy/staging/ecspresso.jsonnet
 create mode 100644 deploy/staging/runtask-db-migrate.jsonnet
 create mode 100644 deploy/staging/service_definition.jsonnet
 create mode 100644 deploy/staging/task_definition.jsonnet
diff --git a/.github/workflows/staging_deploy.yml b/.github/workflows/staging_deploy.yml
new file mode 100644
index 0000000..5974273
--- /dev/null
+++ b/.github/workflows/staging_deploy.yml
@@ -0,0 +1,66 @@
+on:
+ push:
+ branches:
+ # - kaigionrails
+ - "kaigionrails2024"
+ - "staging"
+ - "prepare-staging" # temp
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ if: "${{ github.repository == 'kaigionrails/sponsor-app' }}"
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - uses: actions/checkout@v4
+ - uses: docker/setup-buildx-action@v3
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-west-2
+ role-skip-session-tagging: false
+ role-to-assume: "arn:aws:iam::861452569180:role/GhaDockerPushToEcr"
+ - id: login-ecr
+ uses: aws-actions/amazon-ecr-login@v2
+ - id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: "${{ steps.login-ecr.outputs.registry }}/sponsor-app"
+ tags: |
+ type=sha,format=long,prefix=
+ type=raw,value=latest
+ - uses: docker/build-push-action@v5
+ with:
+ context: "."
+ platforms: linux/amd64
+ push: true
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
+ tags: ${{ steps.meta.outputs.tags }}
+
+ deploy:
+ runs-on: ubuntu-latest
+ concurrency:
+ group: "staging-deploy"
+ cancel-in-progress: false
+ needs: ["build"]
+ permissions:
+ id-token: write
+ contents: read
+ env:
+ AWS_REGION: us-west-2
+ steps:
+ - run: sudo apt-get update && sudo apt-get install jsonnet
+ - uses: actions/checkout@v4
+ - uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-west-2
+ role-skip-session-tagging: false
+ role-to-assume: "arn:aws:iam::861452569180:role/SponsorAppDeployer"
+ - uses: kayac/ecspresso@v2
+ with:
+ version: latest
+ - run: ecspresso run --config deploy/staging/ecspresso.jsonnet --ext-str IMAGE_SHA=${{ github.sha }} --overrides-file deploy/staging/runtask-db-migrate.jsonnet
+ - run: ecspresso deploy --config deploy/staging/ecspresso.jsonnet --ext-str IMAGE_SHA=${{ github.sha }}
+ - run: jsonnet deploy/staging/apprunner.jsonnet --ext-str IMAGE_SHA=${{ github.sha }} > deploy/staging/apprunner.json
+ - run: aws apprunner update-service --cli-input-json file://deploy/staging/apprunner.json
diff --git a/deploy/staging/ecspresso.jsonnet b/deploy/staging/ecspresso.jsonnet
new file mode 100644
index 0000000..922549e
--- /dev/null
+++ b/deploy/staging/ecspresso.jsonnet
@@ -0,0 +1,8 @@
+{
+ region: 'us-west-2',
+ cluster: 'kor-usw2-fargate',
+ service: 'sponsor-app-staging-worker',
+ service_definition: 'service_definition.jsonnet',
+ task_definition: 'task_definition.jsonnet',
+ timeout: '5m',
+}
diff --git a/deploy/staging/runtask-db-migrate.jsonnet b/deploy/staging/runtask-db-migrate.jsonnet
new file mode 100644
index 0000000..c8edfc9
--- /dev/null
+++ b/deploy/staging/runtask-db-migrate.jsonnet
@@ -0,0 +1,8 @@
+{
+ containerOverrides: [
+ {
+ name: 'app',
+ command: ['bundle', 'exec', 'rails', 'db:migrate'],
+ },
+ ],
+}
diff --git a/deploy/staging/service_definition.jsonnet b/deploy/staging/service_definition.jsonnet
new file mode 100644
index 0000000..6992b01
--- /dev/null
+++ b/deploy/staging/service_definition.jsonnet
@@ -0,0 +1,25 @@
+{
+ publicSubnets:: ['subnet-0a12bdf9fec833793', 'subnet-01c36fdbe2d472874'], // c, d
+
+ launchType: 'FARGATE',
+ platformFamily: 'LINUX',
+ platformVersion: 'LATEST',
+ serviceName: 'sponsor-app-staging-worker',
+ deploymentConfiguration: {
+ maximumPercent: 100,
+ minimumHealthyPercent: 0,
+ },
+ tags: [
+ { key: 'Project', value: 'kaigionrails' },
+ ],
+ enableECSManagedTags: true,
+ networkConfiguration: {
+ awsvpcConfiguration: {
+ subnets: $.publicSubnets,
+ securityGroups: [
+ 'sg-0a7b02c6f8ee18e6c',
+ ],
+ assignPublicIp: 'ENABLED',
+ },
+ },
+}
diff --git a/deploy/staging/task_definition.jsonnet b/deploy/staging/task_definition.jsonnet
new file mode 100644
index 0000000..9062ad0
--- /dev/null
+++ b/deploy/staging/task_definition.jsonnet
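Review bot: Every action in both jobs is referenced by a mutable major tag (`actions/checkout@v4`, `docker/build-push-action@v5`, `kayac/ecspresso@v2`), and the ecspresso step additionally requests `version: latest`; since both jobs hold `id-token: write` and assume `GhaDockerPushToEcr` and `SponsorAppDeployer` in account 861452569180, whichever commit those tags resolve to at run time can push images and deploy them. Pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment, and replacing `version: latest` with an explicit ecspresso release string, makes the deploy reproducible and reviewable. The last two steps also read `deploy/staging/apprunner.jsonnet`, which this patch does not create (the diffstat lists five files and none is apprunner.jsonnet); unless it already exists on these branches, the deploy job fails at the `jsonnet` step after the ECS service has already been updated by the preceding `ecspresso deploy`.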
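Review bot: `assignPublicIp: 'ENABLED'` places the Sidekiq worker task on the `publicSubnets::` subnets with a public address although a queue consumer needs no inbound traffic, so the task's reachability rests entirely on the ingress rules of `sg-0a7b02c6f8ee18e6c`, which are not visible in this patch. If the VPC has private subnets with a NAT gateway or the required VPC endpoints, moving the task there and setting `assignPublicIp: 'DISABLED'` removes that exposure. If the public placement is a deliberate cost choice, a comment next to `publicSubnets::` saying so, and confirming that the security group has no ingress rules, would save the next reader the question.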
@@ -0,0 +1,171 @@
+// IF YOU EDIT ENVITORONMENT VARIABLES OR SECRETS, YOU SHOULD ALSO EDIT kaigionrails/terraform/aws/sponsor-app/*.tf FILES.
+{
+ parameterStoreArn(name):: std.format('arn:aws:ssm:us-west-2:861452569180:parameter/sponsor-app-staging/%s', name),
+
+ family: 'sponsor-app-staging-worker',
+ runtimePlatform: { operatingSystemFamily: 'LINUX' },
+ taskRoleArn: 'arn:aws:iam::861452569180:role/SponsorApp',
+ executionRoleArn: 'arn:aws:iam::861452569180:role/EcsExecSponsorApp',
+ networkMode: 'awsvpc',
+ containerDefinitions: [
+ {
+ name: 'app',
+ image: '861452569180.dkr.ecr.us-west-2.amazonaws.com/sponsor-app:' + std.extVar('IMAGE_SHA'),
+ cpu: 0,
+ essential: true,
+ command: ['bundle', 'exec', 'sidekiq', '--queue', 'default', '--queue', 'mailers'],
+ environment: [
+ {
+ name: 'AWS_ACCESS_KEY_ID',
+ value: 'sample',
+ },
+ {
+ name: 'AWS_REGION',
+ value: 'ap-northeast-1',
+ },
+ {
+ name: 'AWS_SECRET_ACCESS_KEY',
+ value: 'sample',
+ },
+ {
+ name: 'DEFAULT_EMAIL_ADDRESS',
+ value: 'sponsorships-staging@kaigionrails.org',
+ },
+ {
+ name: 'DEFAULT_EMAIL_HOST',
+ value: 'sponsorships-staging.kaigionrails.org',
+ },
+ {
+ name: 'DEFAULT_URL_HOST',
+ value: 'sponsorships-staging.kaigionrails.org',
+ },
+ {
+ name: 'LANG',
+ value: 'en_US.UTF-8',
+ },
+ {
+ name: 'MAILGUN_SMTP_SERVER',
+ value: 'smtp.mailgun.org',
+ },
+ {
+ name: 'ORG_NAME',
+ value: 'Kaigi on Rails (staging)',
+ },
+ {
+ name: 'RACK_ENV',
+ value: 'production',
+ },
+ {
+ name: 'RAILS_ENV',
+ value: 'production',
+ },
+ {
+ name: 'RAILS_LOG_TO_STDOUT',
+ value: 'enabled',
+ },
+ {
+ name: 'RAILS_SERVE_STATIC_FILES',
+ value: 'enabled',
+ },
+ {
+ name: 'SENTRY_ENV',
+ value: 'staging',
+ },
+ ],
+ secrets: [
+ {
+ name: 'DATABASE_URL',
+ valueFrom: $.parameterStoreArn('DATABASE_URL'),
+ },
+ {
+ name: 'GITHUB_APP_ID',
+ valueFrom: $.parameterStoreArn('GITHUB_APP_ID'),
+ },
+ {
+ name: 'GITHUB_CLIENT_ID',
+ valueFrom: $.parameterStoreArn('GITHUB_CLIENT_ID'),
+ },
+ {
+ name: 'GITHUB_CLIENT_PRIVATE_KEY',
+ valueFrom: $.parameterStoreArn('GITHUB_CLIENT_PRIVATE_KEY'),
+ },
+ {
+ name: 'GITHUB_CLIENT_SECRET',
+ valueFrom: $.parameterStoreArn('GITHUB_CLIENT_SECRET'),
+ },
+ {
+ name: 'GITHUB_REPO',
+ valueFrom: $.parameterStoreArn('GITHUB_REPO'),
+ },
+ {
+ name: 'GOOGLE_CLOUD_CREDENTIALS',
+ valueFrom: $.parameterStoreArn('GOOGLE_CLOUD_CREDENTIALS'),
+ },
+ {
+ name: 'MAILGUN_API_KEY',
+ valueFrom: $.parameterStoreArn('MAILGUN_API_KEY'),
+ },
+ {
+ name: 'MAILGUN_SMTP_LOGIN',
+ valueFrom: $.parameterStoreArn('MAILGUN_SMTP_LOGIN'),
+ },
+ {
+ name: 'MAILGUN_SMTP_PASSWORD',
+ valueFrom: $.parameterStoreArn('MAILGUN_SMTP_PASSWORD'),
+ },
+ {
+ name: 'MAILGUN_SMTP_PORT',
+ valueFrom: $.parameterStoreArn('MAILGUN_SMTP_PORT'),
+ },
+ {
+ name: 'REDIS_TLS_URL',
+ valueFrom: $.parameterStoreArn('REDIS_TLS_URL'),
+ },
+ {
+ name: 'REDIS_URL',
+ valueFrom: $.parameterStoreArn('REDIS_URL'),
+ },
+ {
+ name: 'S3_FILES_BUCKET',
+ valueFrom: $.parameterStoreArn('S3_FILES_BUCKET'),
+ },
+ {
+ name: 'S3_FILES_PREFIX',
+ valueFrom: $.parameterStoreArn('S3_FILES_PREFIX'),
+ },
+ {
+ name: 'SECRET_KEY_BASE',
+ valueFrom: $.parameterStoreArn('SECRET_KEY_BASE'),
+ },
+ {
+ name: 'SLACK_WEBHOOK_URL',
+ valueFrom: $.parameterStoreArn('SLACK_WEBHOOK_URL'),
+ },
+ {
+ name: 'SENTRY_DSN',
+ valueFrom: $.parameterStoreArn('SENTRY_DSN'),
+ },
+ {
+ name: 'TITO_API_TOKEN',
+ valueFrom: $.parameterStoreArn('TITO_API_TOKEN'),
+ },
+ ],
+ logConfiguration: {
+ logDriver: 'awslogs',
+ options: {
+ 'awslogs-group': '/ecs/sponsor-app-staging-worker',
+ 'awslogs-region': 'us-west-2',
+ 'awslogs-stream-prefix': 'ecs',
+ },
+ },
+ },
+ ],
+ cpu: '256',
+ memory: '512',
+ tags: [
+ {
+ key: 'Project',
+ value: 'kaigionrails',
+ },
+ ],
+}
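Review bot: The `app` container's `environment` list sets `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` to the literal `'sample'` even though the task already carries `taskRoleArn: 'arn:aws:iam::861452569180:role/SponsorApp'`; the default AWS SDK credential chain reads static environment variables before the ECS container credentials, so any SDK call from the worker (for example against the bucket named by `S3_FILES_BUCKET`) would be signed with the placeholder keys and rejected instead of using the role. Unless the application reads these two names for some other purpose, dropping both entries lets the task role supply credentials. `AWS_REGION` is also `'ap-northeast-1'` while the task, the ECR image, the log group and the `parameterStoreArn` ARNs are all in `us-west-2`; if the S3 bucket genuinely lives in that region a comment on the entry would help, otherwise it should read `value: 'us-west-2'`. The header comment's `ENVITORONMENT` should read `ENVIRONMENT`.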