feat: add cd deployment of aws-site

.github/workflows/cd.yaml

@@ -0,0 +1,115 @@
+---
+# Prerequisites:
+#
+# * terraform/aws/aws-github-oidc - to provide ability to assume AWS role via GitHub Action OIDC provider
+name: CD
+
+on:
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+    branches: [main]
+
+  workflow_dispatch:
+    inputs:
+      runner:
+        description: 'Runner type'
+        required: true
+        default: 'ubuntu-24.04'
+        type: choice
+        options:
+        - ubuntu-24.04
+        - matihost
+      env:
+        description: 'Target environment'
+        required: true
+        default: 'dev'
+        type: environment
+      mode:
+        description: 'Deployment mode'
+        required: true
+        default: 'plan'
+        type: choice
+        options:
+        - plan
+        - apply
+        - destroy
+      module:
+        description: 'Module to deploy'
+        required: true
+        default: 'aws/aws-site'
+permissions:
+  contents: read
+  id-token: write
+concurrency:
+  group: aws-${{ github.ref }}-${{ inputs.env || 'dev' }}
+  cancel-in-progress: false
+env:
+  DEPLOY_ENV: ${{ inputs.env || 'dev' }}
+  DEPLOY_MODE: ${{ inputs.mode || 'plan' }}
+jobs:
+  sources:
+    name: Checkout
+
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
+    timeout-minutes: 5
+    container:
+      image: quay.io/matihost/cd
+    outputs:
+      GIT_COMMIT_HASH: ${{ steps.git_hash.outputs.GIT_COMMIT_HASH }}
+    steps:
+    - name: Checkout sources
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    # Workaround for https://github.com/actions/runner/issues/2033
+    - name: Set ownership
+      run: |
+        chown -R $(id -u):$(id -g) $PWD
+    - name: Obtain git version
+      id: git_hash
+      run: |
+        echo "GIT_COMMIT_HASH=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+    - name: Cache workspace
+      uses: actions/cache/save@v4
+      with:
+        # avoid using github.workspace in caching?
+        # so how effectivelly share source code between jobs?
+        # https://github.com/actions/cache/blob/main/tips-and-workarounds.md#cross-os-cache
+        # artifacts?
+        # cleaning artifacts after workflow requires custom, non standard action:
+        # https://github.com/marketplace/actions/delete-artifact
+        path: ${{ github.workspace }}
+        key: sources-${{ github.run_id }}-${{ github.run_attempt }}
+        enableCrossOsArchive: true
+  aws:
+    name: AWS deployment mode ${{ inputs.mode || 'plan' }} of ${{ inputs.module || 'aws/aws-site'}} on  ${{ inputs.env || 'dev' }} environment
+    needs: sources
+    environment: ${{ inputs.env || 'dev' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
+    timeout-minutes: 30
+    container:
+      image: quay.io/matihost/cd
+    steps:
+    - name: Download sources
+      uses: actions/cache/restore@v4
+      with:
+        path: ${{ github.workspace }}
+        key: sources-${{ github.run_id }}-${{ github.run_attempt }}
+        fail-on-cache-miss: true
+        enableCrossOsArchive: true
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@v4
+      with:
+        aws-region: us-east-1
+        role-to-assume: ${{ secrets.AWS_OIDC_ASSUMED_ROLE }}
+        role-session-name: gh-${{ inputs.env || 'dev' }}-aws@monorepo@matihost-${{ github.run_id }}-${{ github.run_attempt }}
+    - name: Deployment
+      working-directory: "terraform/${{ inputs.module || 'aws/aws-site'}}"
+      # Copying all secrets hack as env variables so that
+      # it is not necessary to recall which module requires which secrets as env variables
+      # https://github.com/orgs/community/discussions/47165#discussioncomment-10885166
+      env: ${{ secrets }}
+      run: |-
+        make run ENV=${{env.DEPLOY_ENV}} MODE=${{ env.DEPLOY_MODE }}

.github/workflows/ci.yaml

@@ -16,10 +16,10 @@ on:
       runner:
         description: 'Runner type'
         required: true
-        default: 'ubuntu-22.04'
+        default: 'ubuntu-24.04'
         type: choice
         options:
-        - ubuntu-22.04
+        - ubuntu-24.04
         - matihost
   schedule:
   - cron: '27 20 * * 0'
@@ -37,7 +37,7 @@ env:
 jobs:
   sources:
     name: Checkout sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 5
     container:
       image: maven:3-eclipse-temurin-21
@@ -70,7 +70,7 @@ jobs:
         enableCrossOsArchive: true
   java:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
       image: maven:3-eclipse-temurin-21
@@ -116,10 +116,10 @@ jobs:
         enableCrossOsArchive: true
   java-image-mq-app:
     needs: java
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
-      image: quay.io/matihost/gh-gcp-java-kaniko
+      image: quay.io/matihost/java-ci
     steps:
     - name: Download java build sources
       uses: actions/cache/restore@v4
@@ -131,7 +131,7 @@ jobs:
     - name: Build Java mq client image
       working-directory: java/apps/mq/client
       env:
-        container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}"
+        container: "${{ inputs.runner == 'ubuntu-24.04' && 'docker' || 'kube' }}"
         REGISTRY: "${{ vars.REGISTRY || 'quay.io' }}"
         REGISTRY_USER: "${{ secrets.REGISTRY_USER }}"
         REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD }}"
@@ -144,10 +144,10 @@ jobs:
           --destination="${{ env.REGISTRY }}/matihost/mq/basic-client:${{ env.IMAGE_TAG }}"
   java-image-cmdline:
     needs: java
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
-      image: quay.io/matihost/gh-gcp-java-kaniko
+      image: quay.io/matihost/java-ci
     steps:
     - name: Download java build sources
       uses: actions/cache/restore@v4
@@ -159,7 +159,7 @@ jobs:
     - name: Build Java command-line image
       working-directory: java/apps/command-line
       env:
-        container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}"
+        container: "${{ inputs.runner == 'ubuntu-24.04' && 'docker' || 'kube' }}"
         REGISTRY: "${{ vars.REGISTRY || 'quay.io' }}"
         REGISTRY_USER: "${{ secrets.REGISTRY_USER }}"
         REGISTRY_PASSWORD: "${{ secrets.REGISTRY_PASSWORD }}"
@@ -173,7 +173,7 @@ jobs:
           --destination="${{ env.REGISTRY }}/matihost/commandline:${{ env.IMAGE_TAG }}"
   codeql-java:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
       image: maven:3-eclipse-temurin-21
@@ -206,7 +206,7 @@ jobs:
         category: "/language:java"
   codeql-go:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container: golang:1.22
     env:
@@ -241,7 +241,7 @@ jobs:
         category: "/language:go"
   codeql-python:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
       image: quay.io/matihost/ansible:root
@@ -275,7 +275,7 @@ jobs:
         category: "/language:python"
   ansible:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
       image: quay.io/matihost/ansible:root
@@ -292,7 +292,7 @@ jobs:
       working-directory: ansible/learning
   rust:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
       image: rust
@@ -308,11 +308,11 @@ jobs:
       working-directory: rust/guessing_game
   image-build-on-gcp-artifact-registry:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
-    if: ((inputs.runner || 'ubuntu-22.04') != 'ubuntu-22.04') && vars.GCP_PROJECT
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
+    if: ((inputs.runner || 'ubuntu-24.04') != 'ubuntu-24.04') && vars.GCP_PROJECT
     timeout-minutes: 30
     container:
-      image: quay.io/matihost/gh-gcp-java-kaniko
+      image: quay.io/matihost/java-ci
     steps:
     - name: Download sources
       uses: actions/cache/restore@v4
@@ -333,11 +333,11 @@ jobs:
           --destination="gcr.io/${{ env.GCP_PROJECT }}/ansible:${{ env.GIT_COMMIT_HASH }}"
   image-build-generic-registry:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     if: vars.REGISTRY
     timeout-minutes: 30
     container:
-      image: quay.io/matihost/gh-gcp-java-kaniko
+      image: quay.io/matihost/java-ci
     steps:
     - name: Download sources
       uses: actions/cache/restore@v4
@@ -360,10 +360,10 @@ jobs:
           --destination="${{ env.REGISTRY }}/matihost/ansible:${{ env.IMAGE_TAG }}"
   image-build-ghcr:
     needs: sources
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     timeout-minutes: 30
     container:
-      image: quay.io/matihost/gh-gcp-java-kaniko
+      image: quay.io/matihost/java-ci
     steps:
     - name: Download sources
       uses: actions/cache/restore@v4
@@ -375,7 +375,7 @@ jobs:
     - name: Build Ansible image on GH hosted runner with deployment to GH Packages
       working-directory: k8s/images/ansible
       env:
-        container: "${{ inputs.runner == 'ubuntu-22.04' && 'docker' || 'kube' }}"
+        container: "${{ inputs.runner == 'ubuntu-24.04' && 'docker' || 'kube' }}"
       run: |
         mkdir -p /kaniko/.docker
         AUTH=$(echo -n ${{ github.actor }}:${{ secrets.GITHUB_TOKEN }} | base64)

.github/workflows/gcp.yaml

@@ -14,10 +14,10 @@ on:
       runner:
         description: 'Runner type'
         required: true
-        default: 'ubuntu-22.04'
+        default: 'ubuntu-24.04'
         type: choice
         options:
-        - ubuntu-22.04
+        - ubuntu-24.04
         - matihost
       env:
         description: 'Target environment'
@@ -38,11 +38,11 @@ env:
 jobs:
   gcp:
     name: Run GCP related tasks
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
     environment: ${{ inputs.env || 'dev' }}
     timeout-minutes: 30
     container:
-      image: quay.io/matihost/gh-gcp-java-kaniko
+      image: quay.io/matihost/cd
     permissions:
       contents: 'read'
       id-token: 'write'
@@ -97,14 +97,14 @@ jobs:
           --destination="${GAR_LOCATION}-docker.pkg.dev/${GCP_PROJECT}/${GAR_REPOSITORY}/ansible:${{ env.IMAGE_TAG }}"
     - name: Set up GKE credentials
       uses: google-github-actions/get-gke-credentials@v2
-      if: ((inputs.runner || 'ubuntu-22.04') != 'ubuntu-22.04')
+      if: ((inputs.runner || 'ubuntu-24.04') != 'ubuntu-24.04')
       with:
         cluster_name: ${{ env.GKE_CLUSTER }}
         location: ${{ env.GKE_LOCATION }}
         use_internal_ip: true
     - name: Run kubectl
       # when run on self-hosted runner within GCP network, otherwise cluster is not accessible from internet
       # TODO consider add https://api.github.com/meta actions servers to authz GKE networks...
-      if: ((inputs.runner || 'ubuntu-22.04') != 'ubuntu-22.04')
+      if: ((inputs.runner || 'ubuntu-24.04') != 'ubuntu-24.04')
       run: |-
         kubectl get svc -A

.github/workflows/images-wo-checkout.yaml

@@ -18,10 +18,10 @@ on:
       runner:
         description: 'Runner type'
         required: true
-        default: 'ubuntu-22.04'
+        default: 'ubuntu-24.04'
         type: choice
         options:
-        - ubuntu-22.04
+        - ubuntu-24.04
         - matihost
 # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
 permissions:
@@ -34,8 +34,8 @@ env:
   IMAGE_TAG: "${{ github.ref == 'refs/heads/main' && 'latest' || github.sha }}"
 jobs:
   image-build-on-gcp-artifact-registry:
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
-    if: ${{ (inputs.runner || 'ubuntu-22.04') != 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
+    if: ${{ (inputs.runner || 'ubuntu-24.04') != 'ubuntu-24.04' }}
     container:
       image: gcr.io/kaniko-project/executor:debug
     steps:
@@ -55,8 +55,8 @@ jobs:
           --push-retry 2 --image-name-with-digest-file /workspace/image-digest.txt
 
   image-build-generic-registry:
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
-    if: ${{ (inputs.runner || 'ubuntu-22.04') == 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
+    if: ${{ (inputs.runner || 'ubuntu-24.04') == 'ubuntu-24.04' }}
     container:
       image: gcr.io/kaniko-project/executor:debug
     steps:
@@ -81,8 +81,8 @@ jobs:
   # kaniko does not allow to build second image - hence it has to run as separated job
   # https://github.com/GoogleContainerTools/kaniko/issues/1118
   image-build-ghcr:
-    runs-on: ${{ inputs.runner || 'ubuntu-22.04' }}
-    if: ${{ (inputs.runner || 'ubuntu-22.04') == 'ubuntu-22.04' }}
+    runs-on: ${{ inputs.runner || 'ubuntu-24.04' }}
+    if: ${{ (inputs.runner || 'ubuntu-24.04') == 'ubuntu-24.04' }}
     container:
       image: gcr.io/kaniko-project/executor:debug
     steps:

.github/workflows/kaniko.yaml

@@ -16,10 +16,10 @@ on:
       runner:
         description: 'Runner type'
         required: true
-        default: 'ubuntu-22.04'
+        default: 'ubuntu-24.04'
         type: choice
         options:
-        - ubuntu-22.04
+        - ubuntu-24.04
         - matihost
 # https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token
 permissions:
@@ -33,7 +33,7 @@ env:
   ROOT_IMAGE_TAG: "${{ github.ref == 'refs/heads/main' && 'root' || format('root-{0}', github.sha) }}"
 jobs:
   images:
-    runs-on: 'ubuntu-22.04'
+    runs-on: 'ubuntu-24.04'
     container:
       image: maven:3-eclipse-temurin-21
     steps: