[CAI-252] Chatbot/deploy workflow (#1292)

* chore(chatbot): Define IAM Role to use on chatbot deploy

* chore(chatbot): deploy workflow pipeline

* fix(chatbot): dockerfile

* fix(chatbot): update lambda image

* chore: policy

* chore: terraform fmt

* chore(chatbot): remove unused terraform tasks

.github/workflows/deploy_chatbot.yaml

@@ -0,0 +1,138 @@
+name: Deploy Chatbot
+
+on:
+  push:
+    branches: ['main']
+    # Run only if there are at least one change matching the following paths
+    paths:
+      - 'apps/chatbot/**'
+      - '.github/workflows/deploy_chatbot.yaml'
+
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: 'The environment used as target'
+        type: choice
+        required: true
+        default: dev
+        options:
+          - dev
+          - prod
+      logLevel:
+        description: 'Log level'
+        required: true
+        default: 'warning'
+        type: choice
+        options:
+          - warning
+
+defaults:
+  run:
+    shell: bash
+    working-directory: apps/chatbot
+
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
+jobs:
+
+  cd_deploy_chatbot:
+    name: Build and push Chatbot API lambda image (on ${{ matrix.environment }})
+    if: github.event_name == 'push' && github.event.ref == 'refs/heads/main'
+    runs-on: ubuntu-latest
+    continue-on-error: false
+    strategy:
+      matrix:
+        environment: [ 'dev' ]
+    environment: ${{ matrix.environment }}
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.environment }}
+      cancel-in-progress: false
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Configure AWS Credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          aws_region: ${{ env.AWS_REGION || 'eu-south-1' }}
+          role_to_assume: ${{ secrets.IAM_ROLE_DEPLOY_CHATBOT }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build Push and Tag
+        # Enabling the "continue on error" option allows for a manual rollback
+        # to be performed in case of any issues. Without this option, the step
+        # will fail if the image already exists in the Elastic Container
+        # Registry (ECR). However, by activating this option, the deployment
+        # process will proceed to the next steps even if the ECR image already
+        # exists
+        continue-on-error: true
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: chatbot
+          IMAGE_TAG: ${{ github.sha }}
+        with:
+            context: apps/chatbot
+            file: docker/app.Dockerfile
+            push: true
+            tags: ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
+            provenance: false
+
+      - name: AWS set lambda function image
+        run: |
+            aws lambda update-function-code --function-name env.CHATBOT_LAMBDA_NAME --image-uri ${{ steps.login-ecr.outputs.registry }}/chatbot:${{ github.sha }}
+
+  manual_deploy:
+    name: Build and push Chatbot API lambda image (manual trigger) - (${{ inputs.environment }})
+    if: github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    continue-on-error: false
+    environment: ${{ inputs.environment }}
+
+    concurrency:
+      group: ${{ github.workflow }}-${{ inputs.environment }}
+      cancel-in-progress: false
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+
+      - name: Configure AWS Credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          aws_region: ${{ env.AWS_REGION || 'eu-south-1' }}
+          role_to_assume: ${{ secrets.IAM_ROLE_DEPLOY_CHATBOT }}
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
+
+      - name: Build Push and Tag
+        # Enabling the "continue on error" option allows for a manual rollback
+        # to be performed in case of any issues. Without this option, the step
+        # will fail if the image already exists in the Elastic Container
+        # Registry (ECR). However, by activating this option, the deployment
+        # process will proceed to the next steps even if the ECR image already
+        # exists
+        continue-on-error: true
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          ECR_REPOSITORY: chatbot
+          IMAGE_TAG: ${{ github.sha }}
+        with:
+            context: apps/chatbot
+            push: true
+            tags: ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPOSITORY }}:${{ env.IMAGE_TAG }}
+            provenance: false
+
+      - name: AWS set lambda function image
+        run: |
+            aws lambda update-function-code --function-name env.CHATBOT_LAMBDA_NAME --image-uri ${{ steps.login-ecr.outputs.registry }}/chatbot:${{ github.sha }}

apps/infrastructure/src/main.tf

@@ -131,6 +131,7 @@ module "chatbot" {
   security_groups         = module.cms.security_groups
   dns_domain_name         = var.dns_domain_name
   ecs_redis               = var.chatbot_ecs_redis
+  github_repository       = var.github_repository
   ecs_monitoring          = var.chatbot_ecs_monitoring
 }
 

apps/infrastructure/src/modules/chatbot/data.tf

@@ -134,6 +134,68 @@ data "aws_iam_policy_document" "bedrock_logging" {
   }
 }
 
+data "aws_iam_policy_document" "deploy_github" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "StringLike"
+      variable = "token.actions.githubusercontent.com:sub"
+      values   = ["repo:${var.github_repository}:*"]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:iss"
+      values   = ["https://token.actions.githubusercontent.com"]
+    }
+
+    condition {
+      test     = "ForAllValues:StringEquals"
+      variable = "token.actions.githubusercontent.com:aud"
+      values   = ["sts.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "deploy_chatbot" {
+  name        = "DeployChatbot"
+  description = "Policy to allow to deploy the chatbot"
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = [
+          "lambda:*",
+          "ecr:GetAuthorizationToken",
+          "ecr:CompleteLayerUpload",
+          "ecr:GetAuthorizationToken",
+          "ecr:UploadLayerPart",
+          "ecr:InitiateLayerUpload",
+          "ecr:BatchCheckLayerAvailability",
+          "ecr:PutImage",
+          "ecr:BatchGetImage"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+      {
+        Action = [
+          "iam:PassRole"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      }
+    ]
+  })
+}
+
 data "aws_iam_policy_document" "ecs_monitoring_ssm_policy" {
   statement {
     sid    = "AllowSSMOperations"
@@ -144,4 +206,4 @@ data "aws_iam_policy_document" "ecs_monitoring_ssm_policy" {
     ]
     resources = ["arn:aws:ssm:${var.aws_region}:${data.aws_caller_identity.current.account_id}:parameter/chatbot/monitoring/*"]
   }
-}
+}

apps/infrastructure/src/modules/chatbot/ecr.tf

@@ -22,4 +22,4 @@ module "ecr" {
       }
     ]
   })
-}
+}

apps/infrastructure/src/modules/chatbot/iam.tf

@@ -92,6 +92,20 @@ module "iam_role_bedrock_logging" {
   role_requires_mfa = false
 }
 
+###############################################################################
+#                Define IAM Role to use on chatbot deploy                     #
+###############################################################################
+resource "aws_iam_role" "deploy_chatbot" {
+  name               = "GitHubActionDeployChatbot"
+  description        = "Role to assume to deploy the chatbot"
+  assume_role_policy = data.aws_iam_policy_document.deploy_github.json
+}
+
+resource "aws_iam_role_policy_attachment" "deploy_chatbot" {
+  role       = aws_iam_role.deploy_chatbot.name
+  policy_arn = aws_iam_policy.deploy_chatbot.arn
+}
+
 ###############################################################################
 #                      IAM Role used by Monitoring ECS                        #
 ###############################################################################
@@ -136,4 +150,4 @@ module "iam_policy_ecs_monitoring_task_role_ssm" {
   name   = "ECSMonitoringTaskRolePoliciesSSM"
   path   = "/"
   policy = data.aws_iam_policy_document.ecs_monitoring_ssm_policy.json
-}
+}

apps/infrastructure/src/modules/chatbot/variables.tf

@@ -81,6 +81,11 @@ variable "dns_domain_name" {
   type        = string
 }
 
+variable "github_repository" {
+  type        = string
+  description = "The repository where the IaC workflows will run"
+}
+
 ################################################################################
 # ECS - Redis
 ################################################################################
@@ -121,4 +126,4 @@ variable "ecs_monitoring" {
     port      = number
   })
   description = "Langfuse configuration for the AI chatbot"
-}
+}