[CAI-252] Chatbot/deploy workflow

.github/workflows/deploy_chatbot.yaml

@@ -0,0 +1,174 @@
+name: Deploy Chatbot
+
+on:
+  push:
+    branches: ['main']
+    # Run only if there are at least one change matching the following paths
+    paths:
+      - 'apps/chatbot/**'
+      - '.github/workflows/deploy_chatbot.yaml'
+
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'The environment used as target'
+        type: choice
+        required: true
+        default: dev
+        options:
+          - dev
+          - prod
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+        type: choice
+        options:
+          - warning
+
+defaults:
+  run:
+    shell: bash
+    working-directory: apps/chatbot
+
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
+jobs:
+
+  cd_deploy_chatbot:
+    name: Build and push Chatbot API lambda image (on ${{ matrix.environment }})
+    if: github.event_name == 'push' && github.event.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    continue-on-error: false
+    strategy:
+      matrix:
+        environment: [ 'dev' ]
+    environment: ${{ matrix.environment }}
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.environment }}
+      cancel-in-progress: false
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Configure AWS Credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          aws_region: ${{ env.AWS_REGION || 'eu-south-1' }}
+          role_to_assume: ${{ secrets.IAM_ROLE_DEPLOY_CHATBOT }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build Push and Tag
+        # Enabling the "continue on error" option allows for a manual rollback
+        # to be performed in case of any issues. Without this option, the step
+        # will fail if the image already exists in the Elastic Container
+        # Registry (ECR). However, by activating this option, the deployment
+        # process will proceed to the next steps even if the ECR image already
+        # exists
+        continue-on-error: true
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: chatbot
+          IMAGE_TAG: ${{ github.sha }}
+        with:
+            context: apps/chatbot
+            file: docker/app.Dockerfile
+            push: true
+            tags: ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
+            provenance: false
+
+      - name: Generate task-definition file
+        run: aws ecs describe-task-definition --task-definition chatbot-task-def --query taskDefinition > task-definition.json
+
+      - name: Update ImageTag in task-definition
+        id: task-def
+        uses: aws-actions/amazon-ecs-render-task-definition@4225e0b507142a2e432b018bc3ccb728559b437a # v1.2.0
+        with:
+           task-definition: apps/chatbot/task-definition.json
+           container-name: chatbot-docker
+           image: ${{ steps.login-ecr.outputs.registry }}/chatbot:${{ github.sha }}
+
+      - name: Deploy new ECS task definition
+        uses: aws-actions/amazon-ecs-deploy-task-definition@df9643053eda01f169e64a0e60233aacca83799a # v1.4.11
+        with:
+            task-definition: ${{ steps.task-def.outputs.task-definition }}
+            service: chatbot-ecs
+            cluster: chatbot-ecs-cluster
+
+      - name: AWS set lambda function image
+        run: |
+            aws lambda update-function-code --function-name env.CHATBOT_LAMBDA_NAME --image-uri ${{ steps.login-ecr.outputs.registry }}/chatbot:${{ github.sha }}
+
+  manual_deploy:
+    name: Build and push Chatbot API lambda image (manual trigger) - (${{ inputs.environment }})
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    continue-on-error: false
+    environment: ${{ inputs.environment }}
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ inputs.environment }}
+      cancel-in-progress: false
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Configure AWS Credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          aws_region: ${{ env.AWS_REGION || 'eu-south-1' }}
+          role_to_assume: ${{ secrets.IAM_ROLE_DEPLOY_CHATBOT }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build Push and Tag
+        # Enabling the "continue on error" option allows for a manual rollback
+        # to be performed in case of any issues. Without this option, the step
+        # will fail if the image already exists in the Elastic Container
+        # Registry (ECR). However, by activating this option, the deployment
+        # process will proceed to the next steps even if the ECR image already
+        # exists
+        continue-on-error: true
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: chatbot
+          IMAGE_TAG: ${{ github.sha }}
+        with:
+            context: apps/chatbot
+            push: true
+            tags: ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
+            provenance: false
+
+      - name: Generate task-definition file
+        run: aws ecs describe-task-definition --task-definition chatbot-task-def --query taskDefinition > task-definition.json
+
+      - name: Update ImageTag in task-definition
+        id: task-def
+        uses: aws-actions/amazon-ecs-render-task-definition@4225e0b507142a2e432b018bc3ccb728559b437a # v1.2.0
+        with:
+           task-definition: apps/chatbot/task-definition.json
+           container-name: chatbot-docker
+           image: ${{ steps.login-ecr.outputs.registry }}/chatbot:${{ github.sha }}
+
+      - name: Deploy new ECS task definition
+        uses: aws-actions/amazon-ecs-deploy-task-definition@df9643053eda01f169e64a0e60233aacca83799a # v1.4.11
+        with:
+            task-definition: ${{ steps.task-def.outputs.task-definition }}
+            service: chatbot-ecs
+            cluster: chatbot-ecs-cluster
+
+      - name: AWS set lambda function image
+        run: |
+            aws lambda update-function-code --function-name env.CHATBOT_LAMBDA_NAME --image-uri ${{ steps.login-ecr.outputs.registry }}/chatbot:${{ github.sha }}

apps/infrastructure/src/main.tf

@@ -128,6 +128,7 @@ module "chatbot" {
   security_groups         = module.cms.security_groups
   dns_domain_name         = var.dns_domain_name
   ecs_redis               = var.chatbot_ecs_redis
+  github_repository       = var.github_repository
 }
 
 module "cicd" {

apps/infrastructure/src/modules/chatbot/data.tf

@@ -130,4 +130,66 @@ data "aws_iam_policy_document" "bedrock_logging" {
       "${module.bedrock_log_group[0].cloudwatch_log_group_arn}:log-stream:aws/bedrock/modelinvocations"
     ]
   }
-}
+}
+
+data "aws_iam_policy_document" "deploy_github" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.github_repository}:*"]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:iss"
+      values   = ["https://token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "deploy_chatbot" {
+  name        = "DeployChatbot"
+  description = "Policy to allow to deploy the chatbot"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "lambda:*",
+          "ecr:GetAuthorizationToken",
+          "ecr:CompleteLayerUpload",
+          "ecr:GetAuthorizationToken",
+          "ecr:UploadLayerPart",
+          "ecr:InitiateLayerUpload",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:PutImage",
+          "ecr:BatchGetImage"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Action = [
+          "iam:PassRole"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      }
+    ]
+  })
+}

apps/infrastructure/src/modules/chatbot/ecr.tf

@@ -1,4 +1,4 @@
-## ECR Container Registry for CMS Strapi
+## ECR Container Registry for Chatbot
 module "ecr" {
   source = "git::https://github.com/terraform-aws-modules/terraform-aws-ecr.git?ref=9f4b587846551110b0db199ea5599f016570fefe" # v1.6.0
 
@@ -22,4 +22,4 @@ module "ecr" {
       }
     ]
   })
-}
+}

apps/infrastructure/src/modules/chatbot/iam.tf

@@ -90,4 +90,19 @@ module "iam_role_bedrock_logging" {
     "bedrock.amazonaws.com"
   ]
   role_requires_mfa = false
-}
+}
+
+###############################################################################
+#                Define IAM Role to use on chatbot deploy                     #
+###############################################################################
+resource "aws_iam_role" "deploy_chatbot" {
+  name               = "GitHubActionDeployChatbot"
+  description        = "Role to assume to deploy the chatbot"
+  assume_role_policy = data.aws_iam_policy_document.deploy_github.json
+}
+
+resource "aws_iam_role_policy_attachment" "deploy_chatbot" {
+  role       = aws_iam_role.deploy_chatbot.name
+  policy_arn = aws_iam_policy.deploy_chatbot.arn
+}
+

apps/infrastructure/src/modules/chatbot/variables.tf

@@ -80,6 +80,11 @@ variable "dns_domain_name" {
   type        = string
 }
 
+variable "github_repository" {
+  type        = string
+  description = "The repository where the IaC workflows will run"
+}
+
 ################################################################################
 # ECS - Redis
 ################################################################################
@@ -106,4 +111,4 @@ variable "api_gateway" {
   default = {
     integration_timeout_sec = 60
   }
-}
+}