Add Ansible CD using github action to deploy project on staging vm

.github/workflows/cd.yml

@@ -0,0 +1,39 @@
+name: CD
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'master'
+
+jobs:
+ cd:
+ if: |
+ github.event_name == 'push' || (
+ github.event_name == 'workflow_dispatch' &&
+ contains(fromJSON(vars.PROJECT_ADMINS), github.actor)
+ )
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Generate .env for staging vm from github secrets
+ run: |
+ echo "${{secrets.PRODUCTION_DOT_ENV_FILE}}" > .env
+ - name: Decode private key file for OpenSSH access over Ansible
+ run: |
+ echo "${{secrets.SSH_PRIVATE_KEY}}" | base64 --decode > "private.pem"
+ chmod 400 private.pem
+ - name: Run playbook for deployment
+ uses: dawidd6/action-ansible-playbook@v2
+ with:
+ playbook: deploy.yml
+ inventory: |
+ pycontw:
+ hosts:
+ staging:
+ ansible_host: "${{secrets.VM_DOMAIN_IP}}"
+ ansible_user: "${{secrets.VM_USERNAME}}"
+ # secret file generated from previous step
+ ansible_ssh_private_key_file: private.pem
+ ansible_python_interpreter: "${{secrets.VM_PYTHON_INTERPRETER}}"

README.md

@@ -54,3 +54,6 @@ We strongly recommend you configure your editor to match our coding styles. You
 ## Deployment
 
 For site administrators, please refer to [document/deploy_docker_prod.md](/document/deploy_docker_prod.md).
+
+### Continuous Deployment
+Currently this is only for continuous deployment on staging server, please refer to [document/continuous_deployment.md](/document/continuous_deployment.md).

deploy.yml

@@ -0,0 +1,40 @@
+---
+- name: Deploy project to staging machine
+ hosts: staging
+ # escalate privilege
+ become: true
+ become_user: dev
+ vars:
+ project_dir: /home/dev/web-projects/pycontw-2023-ansible
+
+ tasks:
+ - name: Dependencies check dor docker and docker-compose in remote server
+ community.general.python_requirements_info:
+ dependencies:
+ - docker
+ - docker-compose
+
+ - name: Create project directory (if not exist)
+ ansible.builtin.file:
+ path: "{{ project_dir }}"
+ state: directory
+
+ # Copy project files to remote server (.env is included)
+ - name: Copy project files to remote server
+ ansible.posix.synchronize:
+ src: ./
+ dest: "{{ project_dir }}"
+ delete: true
+
+ - name: Ensure docker network network-2023 exists
+ community.docker.docker_network:
+ name: network-2023
+
+ - name: Build and start service
+ community.docker.docker_compose:
+ project_src: "{{ project_dir }}"
+ files:
+ # use ansible-specific compose file
+ - docker-compose-ansible.yml
+ build: true
+ state: present

docker-compose-ansible.yml

@@ -0,0 +1,47 @@
+version: "3.5"
+services:
+ web:
+ build: .
+ container_name: pycontw-2023-ansible
+ image: pycontw-2023_web-ansible
+ hostname: pycontw-2023
+ entrypoint: ""
+ command:
+ # Hacky script for quick demonstration purpose
+ - bash
+ - -c
+ - |
+ set -o errexit -o nounset -o pipefail
+ python3 manage.py compilemessages
+ python3 manage.py migrate
+ python3 manage.py collectstatic --no-input
+
+ exec uwsgi --http-socket :8000 \
+ --master \
+ --hook-master-start "unix_signal:15 gracefully_kill_them_all" \
+ --static-map /static=assets \
+ --static-map /media=media \
+ --mount /prs=pycontw2016/wsgi.py \
+ --manage-script-name \
+ --offload-threads 2
+ restart: always
+ environment:
+ # Save us from having to type `--setting=pycontw2016.settings.production`
+ DJANGO_SETTINGS_MODULE: pycontw2016.settings.production.pycontw2023
+ SCRIPT_NAME: /prs
+ SECRET_KEY: ${SECRET_KEY}
+ DATABASE_URL: ${DATABASE_URL}
+ EMAIL_URL: ${EMAIL_URL}
+ DSN_URL: ${DSN_URL}
+ GTM_TRACK_ID: ${GTM_TRACK_ID}
+ SLACK_WEBHOOK_URL: ${SLACK_WEBHOOK_URL}
+
+ volumes:
+ - ${MEDIA_ROOT}:/usr/local/app/src/media
+ networks:
+ - network
+
+networks:
+ network:
+ external: true
+ name: network-2023

document/continuous_deployment.md

@@ -0,0 +1,51 @@
+# Continuous Deployment on Staging Server
+
+The following describes how to setup continuous deployment for staging server. This setup presumes the site administrators have site deployment practices based on the docker production deployment [document/deploy_docker_prod.md](/document/deploy_docker_prod.md).
+
+## Requirements for Staging Server
+The staging server should have the following installed:
+- Docker 17.09+ (since we use `--chown` flag in the COPY directive)
+- Docker Compose
+- python3.6+
+- [docker](https://pypi.org/project/docker/) SDK for python
+- [docker-compose](https://pypi.org/project/docker-compose/) SDK for python
+
+
+## Prerequisite for Site Administrators
+- Gather Container Environment Variables as mention in [document/deploy_docker_prod.md](/document/deploy_docker_prod.md).
+- Have a ssh user and secret file for accessing GCE instance (staging machine)
+ - Secret file will be further encoded by base64
+- Administrators github Ids
+ - For CD workflow authorization
+
+## Settings for Github Actions Workflow
+After aboves steps, we have to add collected information to Github actions setting.
+
+Under the hood, we github action and [Ansible](https://www.ansible.com/overview/how-ansible-works) for continuous deployment. Github action will hold necessary variables and secrets that allows Ansible to access the staging VM on your behalf.
+
+So kindly configure project's action setting as the following:
+
+| Level | Type | Name | Value (example) | Remarks |
+|-----------|------------|---------------|----------|------------|
+| Repository | secrets | PRODUCTION_DOT_ENV_FILE | `DATABASE_URL=...` | multiline support |
+| Repository | secrets | VM_USERNAME | cd_user | user name for ssh {user_name}@{vm_domain} |
+| Repository | secrets | VM_DOMAIN_IP | staging.pycon.tw | IP address or Domain that points to the staging server |
+| Repository | secrets | VM_PYTHON_INTERPRETER | `/home/dev/.pyenv/shims/python` | path to your python environment that has docker/docker-compose packages installed |
+| Repository | secrets | SSH_PRIVATE_KEY | `21xa312....` | base64 encoded of key-pair (`.pem` file) |
+| Repository | variables | PROJECT_ADMINS | `["github_user_1", "github_user_2"]` | For example `["josix"]` |
+
+Reference
+- [Create a secret for a repository](https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository)
+- [Create a variable for a repository](https://docs.github.com/en/actions/learn-github-actions/variables#creating-configuration-variables-for-a-repository)
+- Create base64 encoded string for `key.pem`
+ - `base64 -i key.pem` (mac)
+ - `cat key.pem | base64` (linux)
+
+## Review
+### Events that triggers the pipeline
+1. When the PR merges to `master`
+ - no authorization needed, as PRs normally reviewed before merge
+2. Manually [trigger](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow#running-a-workflow) the CD workflow (By admins)
+ - only for Administrator specify in repository's variable called *PROJECTS_ADMINS*
+
+Why? CD workflow will directly access to the GCE instance, should prevent unwanted deployments from PRs or push. (As a deployment guardian)