Merge pull request #5 from segmentio/wdbetts/terracode-pr-automation

Add automated deployment pipeline with DRY design

Author: wdbetts

.buildkite/pipeline.yml

@@ -50,17 +50,6 @@ steps:
             - vendor/
             - data/
 
-  - label: ":golang: Go vet"
-    key: vet
-    depends_on: vendor
-    commands:
-      - make vet
-    plugins:
-      - ssh://[email protected]/segmentio/cache-buildkite-plugin#v3.0.1:
-          key: "kubeapply-deps-{{ checksum \"go.sum\" }}"
-          paths:
-            - vendor/
-            - data/
 
   # Step 3: Testing with coverage
   - label: ":golang::test_tube::coverage: Unit Tests and Coverage"
@@ -92,10 +81,9 @@ steps:
     key: build-cli
     depends_on: 
       - lint
-      - vet
+      - test
     commands:
       - make kubeapply
-      # Artifact not used
     plugins:
       - ssh://[email protected]/segmentio/cache-buildkite-plugin#v3.0.1:
           key: "kubeapply-deps-{{ checksum \"go.sum\" }}"
@@ -107,7 +95,7 @@ steps:
     key: build-server
     depends_on: 
       - lint
-      - vet
+      - test
     commands:
       - make kubeapply-server
     plugins:
@@ -121,7 +109,7 @@ steps:
     key: build-lambda
     depends_on: 
       - lint
-      - vet
+      - test
     commands:
       - make kubeapply-lambda
       - make kubeapply-lambda-kubeapply
@@ -194,4 +182,55 @@ steps:
         imager buildpush . -f Dockerfile.lambda -d all-${ENV} \
           --build-arg VERSION_REF=$(git describe --tags --always --dirty="-dev") \
           --destination-aliases regions.yaml \
-          --repository kubeapply-lambda
+          --repository kubeapply-lambda
+
+  # Step 8: Prepare stage deployment
+  - label: ":package: Prepare Stage Deployment"
+    key: prepare-stage
+    depends_on: docker-push
+    # Only run stage deployment on main branch
+    if: build.branch == pipeline.default_branch
+    commands:
+      - echo "Preparing stage deployment branch..."
+      - chmod +x scripts/deploy-to-env.sh
+      - ./scripts/deploy-to-env.sh stage false
+
+  # Manual step to create stage PR
+  - block: ":point_right: Create Stage PR"
+    key: create-stage-pr
+    # Only run stage deployment on main branch
+    if: build.branch == pipeline.default_branch
+    depends_on: prepare-stage
+    prompt: "Stage deployment branch is ready. Create PR?"
+    blocked_state: passed
+
+  # Step 9: Create stage deployment PR
+  - label: ":rocket: Create Stage PR" 
+    key: deploy-stage
+    depends_on: create-stage-pr
+    # Only run stage deployment on main branch
+    if: build.branch == pipeline.default_branch
+    commands:
+      - echo "Creating stage deployment PR..."
+      - chmod +x scripts/deploy-to-env.sh
+      - ./scripts/deploy-to-env.sh stage true
+
+  # Manual gate before production deployment
+  - block: ":warning: Deploy to Production?"
+    key: production-gate
+    depends_on: deploy-stage
+    # Only run on version tags for production
+    if: build.env("BUILDKITE_TAG") =~ /^v[0-9]+\.[0-9]+\.[0-9]+/
+    prompt: "Stage deployment completed. Deploy to production?"
+    blocked_state: passed
+
+  # Step 10: Create production deployment PR
+  - label: ":rocket: Deploy to Production"
+    key: deploy-production
+    depends_on: production-gate
+    # Only run on version tags for production
+    if: build.env("BUILDKITE_TAG") =~ /^v[0-9]+\.[0-9]+\.[0-9]+/
+    commands:
+      - echo "Creating production deployment PR..."
+      - chmod +x scripts/deploy-to-env.sh
+      - ./scripts/deploy-to-env.sh production true

scripts/breakglass_buildpush.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+set -e
+
+if [ -z "$1" ]; then
+  echo "Usage: ./buildpush.sh stage|prod"
+  exit
+fi
+
+if [ $1 != "stage" -a $1 != "prod" ]; then
+  echo "Usage: ./buildpush.sh stage|prod"
+  exit
+fi
+
+ENV=$1
+UPLOADER_ROLE="arn:aws:iam::752180062774:role/kubeapply-uploader"
+if [ $1 != "prod" ]; then
+  UPLOADER_ROLE="arn:aws:iam::355207333203:role/kubeapply-uploader"
+fi
+
+KUBEAPPLY_LAMBDA_SCRIPT_ROOT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+cd $GOPATH/src/github.com/segmentio/kubeapply
+
+aws-okta exec $ENV-write -- cloud-toolbox assume-roles $UPLOADER_ROLE -- imager buildpush . -f Dockerfile.lambda -d all-${ENV} \
+--build-arg VERSION_REF=`git describe --tags --always --dirty="-dev"` \
+--destination-aliases $KUBEAPPLY_LAMBDA_SCRIPT_ROOT/regions.yaml \
+--repository kubeapply-lambda --local

scripts/deploy-to-env.sh

@@ -0,0 +1,117 @@
+#!/bin/bash
+set -euo pipefail
+
+# Deploy kubeapply to specified environment via terraform PR
+# Usage: deploy-to-env.sh <environment> [create-pr]
+#   environment: "stage" or "production" 
+#   create-pr: if "true", creates PR automatically; if "false", just prepares branch
+
+ENVIRONMENT=${1:-}
+CREATE_PR=${2:-true}
+
+if [[ -z "$ENVIRONMENT" ]]; then
+    echo "❌ Error: Environment required (stage or production)"
+    exit 1
+fi
+
+if [[ "$ENVIRONMENT" != "stage" && "$ENVIRONMENT" != "production" ]]; then
+    echo "❌ Error: Environment must be 'stage' or 'production'"
+    exit 1
+fi
+
+# Get the image tag from git
+IMAGE_TAG=$(git describe --tags --always --dirty="-dev")
+echo "🏷️  Deploying image tag: $IMAGE_TAG to $ENVIRONMENT"
+
+# Clone terracode-infra repository 
+WORK_DIR="/tmp/terracode-infra-$ENVIRONMENT-$$"
+git clone https://github.com/segmentio/terracode-infra.git "$WORK_DIR"
+cd "$WORK_DIR"
+
+# Configure git user for commits
+git config user.email "[email protected]"
+git config user.name "buildkite-kubeapply-pipeline"
+
+# Create a new branch for the deployment
+BRANCH_NAME="kubeapply-$ENVIRONMENT-deploy-$IMAGE_TAG-$(date +%s)"
+git checkout -b "$BRANCH_NAME"
+
+# Update terraform configs based on environment
+if [[ "$ENVIRONMENT" == "stage" ]]; then
+    echo "📝 Updating stage terraform configs..."
+    sed -i "s/lambda_image_tag.*=.*\".*\"/lambda_image_tag  = \"$IMAGE_TAG\"/" stage/eu-west-1/common-kubeapply/config.tf
+    sed -i "s/lambda_image_tag.*=.*\".*\"/lambda_image_tag  = \"$IMAGE_TAG\"/" stage/us-west-2/core/kubeapply/config.tf
+    git add stage/*/*/kubeapply/config.tf stage/*/common-kubeapply/config.tf
+    REGIONS="eu-west-1, us-west-2"
+elif [[ "$ENVIRONMENT" == "production" ]]; then
+    echo "📝 Updating production terraform config..."
+    sed -i "s/lambda_image_tag.*=.*\".*\"/lambda_image_tag  = \"$IMAGE_TAG\"/" production/us-west-2/core/kubeapply/config.tf
+    git add production/*/*/kubeapply/config.tf
+    REGIONS="us-west-2"
+fi
+
+# Commit and push changes
+if git diff --cached --quiet; then
+    echo "📝 No changes to commit - terraform configs already up to date with $IMAGE_TAG"
+else
+    git commit -m "Deploy kubeapply $IMAGE_TAG to $ENVIRONMENT"
+fi
+git push origin "$BRANCH_NAME"
+
+echo "✅ Branch created and pushed: $BRANCH_NAME"
+
+# Create PR if requested
+if [[ "$CREATE_PR" == "true" ]]; then
+    echo "🔄 Creating pull request..."
+    
+    if [[ "$ENVIRONMENT" == "stage" ]]; then
+        PR_BODY="Automated deployment of kubeapply image tag \`$IMAGE_TAG\` to stage environment.
+
+**Instructions:**
+1. Review the changes in this PR
+2. Comment \`atlantis apply\` to deploy to stage environment  
+3. Merge this PR after successful deployment
+
+**Image tag:** \`$IMAGE_TAG\`
+**Environment:** Stage
+**Regions:** $REGIONS"
+    else
+        PR_BODY="Automated deployment of kubeapply image tag \`$IMAGE_TAG\` to production environment.
+
+**Instructions:**
+1. Review the changes in this PR carefully
+2. Comment \`atlantis apply\` to deploy to production environment
+3. Merge this PR after successful deployment
+
+**Image tag:** \`$IMAGE_TAG\`
+**Environment:** Production  
+**Region:** $REGIONS"
+    fi
+
+    PR_URL=$(gh pr create \
+        --title "Deploy kubeapply $IMAGE_TAG to $ENVIRONMENT" \
+        --body "$PR_BODY" \
+        --head "$BRANCH_NAME" \
+        --base master)
+    
+    echo "✅ Pull request created!"
+    echo "🔗 PR URL: $PR_URL"
+    echo "📋 Instructions: Go to the PR and comment 'atlantis apply' to deploy to $ENVIRONMENT."
+    
+    # Add Buildkite annotation with deployment information
+    buildkite-agent annotate --style info "🚀 **Deployment PR Created**
+
+📦 **Image tag:** \`$IMAGE_TAG\`  
+🌍 **Environment:** $ENVIRONMENT  
+🗺️ **Regions:** $REGIONS
+
+🔗 **[View Deployment PR]($PR_URL)**
+
+**Next Steps:**
+1. Review the changes in the deployment PR
+2. Comment \`atlantis apply\` on the PR to deploy to $ENVIRONMENT
+3. Merge the PR after successful deployment"
+else
+    echo "📋 Branch ready for manual PR creation: $BRANCH_NAME"
+    echo "🔗 Create PR at: https://github.com/segmentio/terracode-infra/compare/master...$BRANCH_NAME"
+fi