Merged
10 commits
853ab90
[OT-14] [CHORE]: switch deploy-ai AWS authentication to OIDC role assume
arlen02-01 May 15, 2026
cb4d1e7
[OT-14] [FEAT]: improve deploy-ec2-docker to deploy based on infra parameter and DB secret lookups
arlen02-01 May 15, 2026
97608ad
[OT-14] [FEAT]: auto-resolve monitoring deploy targets and integrate Grafana with Secret Manager
arlen02-01 May 15, 2026
23aed85
[OT-14] [FEAT]: switch rabbitmq user configuration to Secrets Manager synchronization
arlen02-01 May 15, 2026
7061e4c
[OT-14] [CHORE]: improve deploy workflow consistency and security against the dev infra
arlen02-01 May 15, 2026
3e12138
[OT-14] [FIX]: restrict deploy-ai monitoring lookup to project/environment tags
arlen02-01 May 15, 2026
c456878
[OT-14] fix(ci): harden SSM deploys and align workflows with terrafor…
arlen02-01 May 15, 2026
b254580
[OT-14] fix(ci): align ai env parameter path with dev scoped ssm
arlen02-01 May 15, 2026
4abe536
[OT-14] [CHORE]: add deploy-ec2-docker OIDC debug validation step
arlen02-01 May 15, 2026
d6cd836
[OT-14] ci: wait for ec2 running and ssm online before send-command
arlen02-01 May 15, 2026
39 changes: 31 additions & 8 deletions .github/workflows/deploy-ai.yml
Expand Up @@ -11,6 +11,10 @@ on:
types:
- closed

permissions:
id-token: write
contents: read

env:
AWS_REGION: ap-northeast-2
SERVICE_NAME: machine
Expand All @@ -28,8 +32,7 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}

- name: Login to ECR
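Review bot: replacing `aws-access-key-id`/`aws-secret-access-key` with `role-to-assume` only removes the standing exposure once the long-lived IAM user keys behind `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` are deactivated and the two repository secrets are deleted; otherwise the static credentials still exist and still work. Also confirm the role's trust policy conditions on `token.actions.githubusercontent.com:sub` for this repository (and the branch or environment a deploy role should be limited to), since `id-token: write` is now granted at workflow level to every job.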
Expand Down Expand Up @@ -73,16 +76,16 @@ jobs:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}
Comment on lines 76 to 80

Potential issue | Major | Heavy lift

Analysis chain

๐Ÿ Script executed:

cat -n .github/workflows/deploy-ai.yml | head -100

Repository: OpenTheTaste/backend

Length of output: 4350


๐Ÿ Script executed:

cat -n .github/workflows/deploy-ai.yml | sed -n '200,280p'

Repository: OpenTheTaste/backend

Length of output: 4593


Web query:

aws-actions configure-aws-credentials@v4 default role-duration-seconds OIDC session

Result:

In the aws-actions/configure-aws-credentials action (including v4), the role-duration-seconds input controls the duration of the assumed role session in seconds [1][2]. Key details regarding this setting include: Default Value: The default duration is 1 hour (3600 seconds) [1][3]. Configurability: You can adjust this value by providing an integer to the role-duration-seconds input [1][3]. Constraints: The requested duration cannot exceed the MaxSessionDuration setting configured for the specific IAM Role in AWS [1][4]. Acceptable values generally range from 15 minutes (900 seconds) to 12 hours (43200 seconds), depending on the IAM role's configuration [3][5]. OIDC Context: When using OIDC to assume a role, the same 1-hour default applies [6][7]. If you require a session longer than 1 hour, you must explicitly set role-duration-seconds to your desired value (up to the role's maximum) [6]. If you encounter an error stating that the requested duration exceeds the maximum, ensure that the IAM Role's MaxSessionDuration in the AWS console or via CLI/API is set high enough to accommodate your requested duration [4][5].

Citations:


The OIDC session length must be set explicitly to match the maximum deployment time.

The configure-aws-credentials action's default OIDC session duration is currently 3,600 seconds (1 hour), but the SSM command timeout on line 235 is 7,200 seconds and the polling loop on lines 244-270 also runs for up to 7,200 seconds. In that case, if the deployment exceeds 1 hour, the AWS API calls on lines 245, 259 and 273 will fail with an ExpiredToken error. Set role-duration-seconds to 7,200 seconds or more, and verify that the IAM role's MaxSessionDuration is configured high enough.

Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-ai.yml around lines 76 - 80, The OIDC session
length is too short (default 3600s) for your deployment which can exceed that;
update the GitHub Action step that uses aws-actions/configure-aws-credentials@v4
(the "Configure AWS credentials" step) to set with: role-duration-seconds to at
least 7200 (or a bit higher to match your SSM/polling timeouts) and verify the
target IAM role's MaxSessionDuration is configured to the same or greater value
so AssumeRole tokens won't expire during the long-running SSM/polling
operations.


- name: Deploy AI service to EC2 via SSM
env:
ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com
IMAGE_TAG_INPUT: ${{ github.event.inputs.image_tag }}
PROJECT_NAME: oplust
SSM_MACHINE_ENV_PARAM: /oplust/machine/env
ENV_NAME: dev
SSM_MACHINE_ENV_PARAM: /oplust/dev/machine/env
SSM_MACHINE_NODE_EXPORTER_TARGET_PARAM: /oplust/monitoring/targets/machine-node-exporter
run: |
set -euo pipefail
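Review bot: the environment scoping in this env block is applied inconsistently: `SSM_MACHINE_ENV_PARAM` moves under `/oplust/dev/machine/env` together with the new `ENV_NAME: dev`, but `SSM_MACHINE_NODE_EXPORTER_TARGET_PARAM` stays at `/oplust/monitoring/targets/machine-node-exporter` with no environment segment, so a second environment deployed from this workflow would overwrite the same monitoring target parameter. Either give it an environment segment as was done for the machine env parameter, or add a comment stating that the monitoring target namespace is intentionally shared. `ENV_NAME` is also a hardcoded literal rather than derived from the trigger, which is acceptable for a dev-only workflow but should be said in a comment.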
Expand All @@ -96,12 +99,12 @@ jobs:

MONITORING_PRIVATE_IP=$(aws ec2 describe-instances \
--region "$AWS_REGION" \
--filters "Name=tag:Name,Values=${PROJECT_NAME}-monitoring-ec2" "Name=instance-state-name,Values=running" \
--filters "Name=tag:Name,Values=monitoring" "Name=tag:Project,Values=${PROJECT_NAME}" "Name=tag:Env,Values=${ENV_NAME}" "Name=instance-state-name,Values=running" \
--query "Reservations[0].Instances[0].PrivateIpAddress" \
--output text)
Comment on lines 100 to 104

Potential issue | Major | Quick win

Analysis chain

๐Ÿ Script executed:

cat -n .github/workflows/deploy-ai.yml | sed -n '95,160p'

Repository: OpenTheTaste/backend

Length of output: 3433


Resolve the monitoring instance by ID first, then reuse it.

Lines 100-104 and 148-152 call describe-instances twice with the same filters. If there is more than one monitoring instance with the same tags, each query may return a different instance at Reservations[0].Instances[0], so MONITORING_PRIVATE_IP and MONITORING_SG_ID could point to different instances.

Resolve the monitoring instance ID first with a single lookup, then read both the private IP and the SG using that ID. (See the MACHINE_INSTANCE pattern: lines 142-146 use instance-ids.)

Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/deploy-ai.yml around lines 100 - 104, Currently you call
aws ec2 describe-instances twice with the same filters which can return
different instances; instead, first query and store the monitoring instance ID
(e.g., MONITORING_INSTANCE_ID using the same filters and --query
"Reservations[0].Instances[0].InstanceId"), then reuse that ID with
--instance-ids to fetch MONITORING_PRIVATE_IP and MONITORING_SG_ID (querying
PrivateIpAddress and SecurityGroups[*].GroupId) so both values come from the
same instance (follow the MACHINE_INSTANCE pattern that uses instance-ids).


if [ -z "$MONITORING_PRIVATE_IP" ] || [ "$MONITORING_PRIVATE_IP" = "None" ]; then
echo "No running monitoring instance found for tag: ${PROJECT_NAME}-monitoring-ec2" >&2
echo "No running monitoring instance found for Name=monitoring, Project=${PROJECT_NAME}, Env=${ENV_NAME}" >&2
exit 1
fi
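Review bot: the added `tag:Project`/`tag:Env` filters narrow the match, but `Reservations[0].Instances[0]` still silently takes the first instance if more than one running instance carries all three tags, and the `MONITORING_SG_ID` lookup later in this file repeats the same filter and may land on a different one. Resolve the instance ID once with this filter, fail the step unless the match count is exactly one (for example query `Reservations[].Instances[].InstanceId` and check it yields a single entry), and then read the private IP and security group with `--instance-ids`, as the machine instance already does.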

Expand All @@ -116,6 +119,26 @@ jobs:
exit 1
fi

wait_for_ssm_online() {
local iid="$1"
for _ in $(seq 1 30); do
ping_status=$(aws ssm describe-instance-information \
--region "$AWS_REGION" \
--filters "Key=InstanceIds,Values=${iid}" \
--query 'InstanceInformationList[0].PingStatus' \
--output text 2>/dev/null || true)
if [ "$ping_status" = "Online" ]; then
return 0
fi
sleep 5
done
return 1
}

if ! wait_for_ssm_online "$INSTANCE_ID"; then
echo "Instance is running but not SSM Online: $INSTANCE_ID" >&2
exit 1
fi
MACHINE_PRIVATE_IP=$(aws ec2 describe-instances \
--region "$AWS_REGION" \
--instance-ids "$INSTANCE_ID" \
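Review bot: `wait_for_ssm_online` gives up after 30 × 5 s = 150 s, and the `2>/dev/null || true` on `describe-instance-information` discards the reason for every non-`Online` result, so an `AccessDenied` on `ssm:DescribeInstanceInformation` for the newly assumed OIDC role is indistinguishable from an agent that is merely slow to register; both end in the generic "Instance is running but not SSM Online" message. Keep the stderr of the last attempt (or dump `describe-instance-information` on failure, as the deploy-ec2-docker variant in this PR does), and declare `ping_status` with `local` so it does not leak into the enclosing shell.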
Expand All @@ -124,7 +147,7 @@ jobs:

MONITORING_SG_ID=$(aws ec2 describe-instances \
--region "$AWS_REGION" \
--filters "Name=tag:Name,Values=${PROJECT_NAME}-monitoring-ec2" "Name=instance-state-name,Values=running" \
--filters "Name=tag:Name,Values=monitoring" "Name=tag:Project,Values=${PROJECT_NAME}" "Name=tag:Env,Values=${ENV_NAME}" "Name=instance-state-name,Values=running" \
--query "Reservations[0].Instances[0].SecurityGroups[0].GroupId" \
--output text)
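Review bot: `SecurityGroups[0].GroupId` takes only the first security group attached to the monitoring instance; if the instance carries more than one group, whatever downstream uses `MONITORING_SG_ID` may be applied to a group that does not front the monitoring ports. Select the group by name or tag, or assert that the instance has exactly one group. The duplicated filter lookup itself is already raised in the comment above.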

138 changes: 119 additions & 19 deletions .github/workflows/deploy-ec2-docker.yml
@@ -1,4 +1,4 @@
name: Deploy Docker Apps To EC2
๏ปฟname: Deploy Docker Apps To EC2

on:
workflow_dispatch:
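Review bot: the only change in this hunk is a UTF-8 byte-order mark prepended to the first line (`name:` became `\uFEFFname:`), almost certainly inserted by an editor. YAML permits a leading BOM, so the workflow still parses, but it will appear as a spurious change in every future diff and trips some linters; strip it and save the file as plain UTF-8 without BOM.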
Expand All @@ -11,6 +11,10 @@ on:
types:
- closed

permissions:
id-token: write
contents: read

env:
AWS_REGION: ap-northeast-2

Expand All @@ -33,13 +37,32 @@ jobs:
- name: Checkout
uses: actions/checkout@v4

- name: Validate OIDC inputs
env:
ROLE_ARN: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
run: |
set -euo pipefail
if [ -z "${ROLE_ARN:-}" ]; then
echo "AWS_GITHUB_ACTIONS_ROLE_ARN is empty or not injected." >&2
exit 1
fi
if ! echo "$ROLE_ARN" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/.+'; then
echo "AWS_GITHUB_ACTIONS_ROLE_ARN format is invalid: expected role ARN." >&2
exit 1
fi
echo "GitHub ref: ${GITHUB_REF}"
echo "GitHub ref_name: ${GITHUB_REF_NAME}"
echo "Role ARN format check passed."

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}

- name: Verify assumed identity
run: aws sts get-caller-identity

- name: Login to ECR
uses: aws-actions/amazon-ecr-login@v2
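Review bot: the `Validate OIDC inputs` step is pasted verbatim into both jobs (here and again in the deploy job below), and the commit that introduced it (4abe536) describes it as a debug step; either remove it before merge or fold it into a composite action so the two copies cannot drift. The ARN check only accepts the `aws` partition (`^arn:aws:iam::[0-9]{12}:role/.+`), which is fine for ap-northeast-2 but deserves a comment, and `aws sts get-caller-identity` confirms the assumed role at the cost of printing the account ID and role ARN into the job log; if it stays, `--query Arn --output text` keeps the output to what is needed.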

Expand All @@ -55,6 +78,7 @@ jobs:
run: |
IMAGE_TAG="${IMAGE_TAG_INPUT:-${GITHUB_SHA}}"
IMAGE_URI="${ECR_REGISTRY}/${{ matrix.ecr_repo }}:${IMAGE_TAG}"

IMAGE_URI_LATEST="${ECR_REGISTRY}/${{ matrix.ecr_repo }}:latest"

docker build \
Expand All @@ -72,44 +96,92 @@ jobs:
needs: build-and-push

steps:
- name: Validate OIDC inputs
env:
ROLE_ARN: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
run: |
set -euo pipefail
if [ -z "${ROLE_ARN:-}" ]; then
echo "AWS_GITHUB_ACTIONS_ROLE_ARN is empty or not injected." >&2
exit 1
fi
if ! echo "$ROLE_ARN" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/.+'; then
echo "AWS_GITHUB_ACTIONS_ROLE_ARN format is invalid: expected role ARN." >&2
exit 1
fi
echo "GitHub ref: ${GITHUB_REF}"
echo "GitHub ref_name: ${GITHUB_REF_NAME}"
echo "Role ARN format check passed."

- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-to-assume: ${{ secrets.AWS_GITHUB_ACTIONS_ROLE_ARN }}
aws-region: ${{ env.AWS_REGION }}

- name: Verify assumed identity
run: aws sts get-caller-identity

- name: Deploy to EC2 instances via SSM
env:
ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ env.AWS_REGION }}.amazonaws.com
IMAGE_TAG_INPUT: ${{ github.event.inputs.image_tag }}
PROJECT_NAME: oplust
DB_NAME: oplust
SSM_RDS_ENDPOINT_PARAM: /oplust/common/rds-endpoint
SSM_DB_USERNAME_PARAM: /oplust/common/db-username
SSM_DB_PASSWORD_PARAM: /oplust/common/db-password
RDS_INSTANCE_IDENTIFIER: oplust-dev-db
MONITORING_INSTANCE_TAG: monitoring
NODE_EXPORTER_TARGET_SSM_PARAM: /oplust/monitoring/targets/node-exporter
ECS_CLUSTER_NAME: fluffy-flamingo-5ag1uq
ECS_SERVICE_NAME: oplust-transcoder-service
SSM_ECS_CLUSTER_NAME_PARAM: /oplust/dev/lambda/worker/ecs_cluster_name
SSM_ECS_SERVICE_NAME_PARAM: /oplust/dev/lambda/worker/ecs_service_name
TRANSCODER_REPOSITORY: oplust-transcoder
TRANSCODER_CONTAINER_NAME: oplust-transcoder
SCALER_LAMBDA_NAME: oplust-transcoder-scaler
ENV_NAME: dev
run: |
set -euo pipefail

IMAGE_TAG="${IMAGE_TAG_INPUT:-${GITHUB_SHA}}"

ECS_CLUSTER_NAME=$(aws ssm get-parameter --region "$AWS_REGION" --name "$SSM_ECS_CLUSTER_NAME_PARAM" --with-decryption --query 'Parameter.Value' --output text)
ECS_SERVICE_NAME=$(aws ssm get-parameter --region "$AWS_REGION" --name "$SSM_ECS_SERVICE_NAME_PARAM" --with-decryption --query 'Parameter.Value' --output text)
SCALER_LAMBDA_NAME="${PROJECT_NAME}-${ENV_NAME}-worker"

if [ -z "$ECS_CLUSTER_NAME" ] || [ "$ECS_CLUSTER_NAME" = "None" ] || [ -z "$ECS_SERVICE_NAME" ] || [ "$ECS_SERVICE_NAME" = "None" ]; then
echo "Failed to resolve ECS cluster/service from SSM parameters" >&2
exit 1
fi

DB_HOST=$(aws rds describe-db-instances --region "$AWS_REGION" --db-instance-identifier "$RDS_INSTANCE_IDENTIFIER" --query 'DBInstances[0].Endpoint.Address' --output text)
if [ -z "$DB_HOST" ] || [ "$DB_HOST" = "None" ]; then
echo "Failed to resolve DB host from RDS" >&2
exit 1
fi

MONITORING_PRIVATE_IP=$(aws ec2 describe-instances \
--region "$AWS_REGION" \
--filters "Name=tag:Name,Values=${PROJECT_NAME}-monitoring-ec2" "Name=instance-state-name,Values=running" \
--filters "Name=tag:Name,Values=${MONITORING_INSTANCE_TAG}" "Name=instance-state-name,Values=running" \
--query "Reservations[0].Instances[0].PrivateIpAddress" \
--output text)

if [ -z "$MONITORING_PRIVATE_IP" ] || [ "$MONITORING_PRIVATE_IP" = "None" ]; then
echo "No running monitoring instance found for tag: ${PROJECT_NAME}-monitoring-ec2" >&2
echo "No running monitoring instance found for tag: ${MONITORING_INSTANCE_TAG}" >&2
exit 1
fi

wait_for_ssm_online() {
local iid="$1"
for _ in $(seq 1 30); do
ping_status=$(aws ssm describe-instance-information \
--region "$AWS_REGION" \
--filters "Key=InstanceIds,Values=${iid}" \
--query 'InstanceInformationList[0].PingStatus' \
--output text 2>/dev/null || true)
if [ "$ping_status" = "Online" ]; then
return 0
fi
sleep 5
done
return 1
}
deploy_service() {
local target_tag="$1"
local image_uri="$2"
Expand All @@ -130,6 +202,26 @@ jobs:
echo "No running instance found for tag: ${target_tag}" >&2
exit 1
fi
local instance_state
instance_state=$(aws ec2 describe-instances \
--region "$AWS_REGION" \
--instance-ids "$instance_id" \
--query "Reservations[0].Instances[0].State.Name" \
--output text)

if [ "$instance_state" != "running" ]; then
echo "Instance is not running for tag ${target_tag}: ${instance_id} (${instance_state})" >&2
exit 1
fi

if ! wait_for_ssm_online "$instance_id"; then
echo "Instance is not SSM online for tag ${target_tag}: ${instance_id}" >&2
aws ssm describe-instance-information \
--region "$AWS_REGION" \
--filters "Key=InstanceIds,Values=${instance_id}" \
--output table || true
exit 1
fi

local private_ip
private_ip=$(aws ec2 describe-instances \
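Review bot: several env values at the top of this step are dead or contradicted by the shell that follows: `ECS_CLUSTER_NAME` (`fluffy-flamingo-5ag1uq`) and `ECS_SERVICE_NAME` are immediately overwritten by the SSM lookups, and `SCALER_LAMBDA_NAME: oplust-transcoder-scaler` is replaced by `"${PROJECT_NAME}-${ENV_NAME}-worker"`, which evaluates to `oplust-dev-worker`, a different function name. If the rename is intended, drop the env defaults so readers do not trust them; if not, the shell assignment is a bug. Separately, the monitoring lookup here filters on `Name=${MONITORING_INSTANCE_TAG}` alone, whereas deploy-ai.yml in the same PR also requires `tag:Project` and `tag:Env`; align them so an unrelated instance tagged `monitoring` in the same account and region cannot be selected.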
Expand Down Expand Up @@ -187,11 +279,14 @@ jobs:
commands=(
"set -e"
"sudo mkdir -p /etc/oplust"
"DB_HOST=\$(aws ssm get-parameter --region $AWS_REGION --name '$SSM_RDS_ENDPOINT_PARAM' --with-decryption --query 'Parameter.Value' --output text)"
"DB_USER=\$(aws ssm get-parameter --region $AWS_REGION --name '$SSM_DB_USERNAME_PARAM' --with-decryption --query 'Parameter.Value' --output text)"
"DB_PASS=\$(aws ssm get-parameter --region $AWS_REGION --name '$SSM_DB_PASSWORD_PARAM' --with-decryption --query 'Parameter.Value' --output text)"
"SERVICE_ENV=\$(aws ssm get-parameter --region $AWS_REGION --name '${service_env_param}' --with-decryption --query 'Parameter.Value' --output text)"
"echo \"SPRING_DATASOURCE_URL=jdbc:mysql://\$DB_HOST:3306/${DB_NAME}\" | sudo tee ${env_file} >/dev/null"
"if ! command -v jq >/dev/null 2>&1; then if command -v dnf >/dev/null 2>&1; then sudo dnf -y install jq; elif command -v yum >/dev/null 2>&1; then sudo yum -y install jq; elif command -v apt-get >/dev/null 2>&1; then sudo apt-get update -y && sudo apt-get install -y jq; else echo 'jq not found and no supported package manager to install it' >&2; exit 1; fi; fi"
"DB_SECRET_ARN=\$(aws rds describe-db-instances --region $AWS_REGION --db-instance-identifier '$RDS_INSTANCE_IDENTIFIER' --query 'DBInstances[0].MasterUserSecret.SecretArn' --output text)"
"DB_SECRET_JSON=\$(aws secretsmanager get-secret-value --region $AWS_REGION --secret-id \"\$DB_SECRET_ARN\" --query 'SecretString' --output text)"
"DB_USER=\$(echo \"\$DB_SECRET_JSON\" | jq -r '.username')"
"DB_PASS=\$(echo \"\$DB_SECRET_JSON\" | jq -r '.password')"
"if [ -z \"\$DB_USER\" ] || [ \"\$DB_USER\" = \"null\" ] || [ -z \"\$DB_PASS\" ] || [ \"\$DB_PASS\" = \"null\" ]; then echo 'Failed to resolve DB credentials from Secrets Manager' >&2; exit 1; fi"
"echo \"SPRING_DATASOURCE_URL=jdbc:mysql://${DB_HOST}:3306/${DB_NAME}\" | sudo tee ${env_file} >/dev/null"
"echo \"SPRING_DATASOURCE_USERNAME=\$DB_USER\" | sudo tee -a ${env_file} >/dev/null"
"echo \"SPRING_DATASOURCE_PASSWORD=\$DB_PASS\" | sudo tee -a ${env_file} >/dev/null"
"printf '%s\n' \"\$SERVICE_ENV\" | sudo tee -a ${env_file} >/dev/null"
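Review bot: the commands in this block write `SPRING_DATASOURCE_PASSWORD` into `${env_file}` with `sudo tee`, which creates the file under root's default umask (typically 0644) unless it already exists with a tighter mode, so the RDS master password becomes readable by every local user on the instance; create the file with restricted permissions first (for example `sudo install -m 600 /dev/null ${env_file}`) before the `tee` lines. Two further points: the credentials come from `MasterUserSecret.SecretArn`, so the Spring application runs as the RDS master user where a dedicated application user would be least privilege; and the instance role now needs `rds:DescribeDBInstances` and `secretsmanager:GetSecretValue` on that secret (plus `kms:Decrypt` if it is encrypted with a customer-managed key), while the grants for the removed `/oplust/common/*` parameters can be revoked.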
Expand Down Expand Up @@ -469,6 +564,11 @@ jobs:
rm -f "$td_file" "$new_td_file"
}

deploy_service "${PROJECT_NAME}-user-ec2" "${ECR_REGISTRY}/oplust-api-user:${IMAGE_TAG}" "oplust-api-user" "/etc/oplust/api-user.env" "8080" "/oplust/api-user/env" "user-api"
deploy_service "${PROJECT_NAME}-admin-ec2" "${ECR_REGISTRY}/oplust-api-admin:${IMAGE_TAG}" "oplust-api-admin" "/etc/oplust/api-admin.env" "8081" "/oplust/api-admin/env" "admin-api"
deploy_service "user" "${ECR_REGISTRY}/oplust-api-user:${IMAGE_TAG}" "oplust-api-user" "/etc/oplust/api-user.env" "8080" "/oplust/${ENV_NAME}/api-user/env" "user-api"
deploy_service "admin" "${ECR_REGISTRY}/oplust-api-admin:${IMAGE_TAG}" "oplust-api-admin" "/etc/oplust/api-admin.env" "8081" "/oplust/${ENV_NAME}/api-admin/env" "admin-api"
deploy_transcoder_ecs
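Review bot: the deploy targets change from `${PROJECT_NAME}-user-ec2`/`${PROJECT_NAME}-admin-ec2` to the bare values `user`/`admin`, so `deploy_service` now selects instances by that generic `${target_tag}` value alone; without a `tag:Project`/`tag:Env` constraint (as the monitoring lookup in deploy-ai.yml gained in this PR), any instance in the account and region carrying that Name tag is a candidate, and `send-command` would push the image to it. Pair the generic tag with the project and environment tags in the lookup inside `deploy_service`. The env parameter paths moving under `/oplust/${ENV_NAME}/...` are consistent with the deploy-ai change.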




