[LW-9879] Move deployment code from lace-ops to here

.envrc.local.example

@@ -0,0 +1,8 @@
+
+export K8S_USER=eks-devs
+export AWS_ACCESS_KEY_ID=xxxxxxxxxxxxxxxxxxxx
+export AWS_SECRET_ACCESS_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+
+export NIX_CONFIG='
+allow-import-from-derivation = true
+'

.github/workflows/std.yml

@@ -13,21 +13,18 @@ on:
     branches:
       - master
       - conway-era
+      - dev-preview
   push:
     branches:
       - master
       - conway-era
+      - dev-preview
     tags:
       - '@cardano-sdk/cardano-services**'
 env:
-  AWS_REGION: us-east-1
-  AWS_ROLE_ARN: arn:aws:iam::926093910549:role/lace-ci
   # NIX_UPLOAD_CACHE: s3://lace-nix-cache?region=us-east-1
   DISCOVERY_USER_NAME: gha-runner
   DISCOVERY_KNOWN_HOSTS_ENTRY: "65.109.126.156 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOVVDZydvD+diYa6A3EtA3WGw5NfN0wv7ckQxa/fX1O"
-permissions:
-  id-token: write
-  contents: read
 concurrency:
   group: std-${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -36,6 +33,12 @@ jobs:
     outputs:
       hits: ${{ steps.discovery.outputs.hits }}
     runs-on: [self-hosted, discovery]
+    env:
+      AWS_REGION: us-east-1
+      AWS_ROLE_ARN: arn:aws:iam::926093910549:role/lace-ci
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Configure AWS Credentials
         uses: aws-actions/[email protected]
@@ -67,25 +70,36 @@ jobs:
     name: ${{ matrix.target.jobName }}
     runs-on: ubuntu-latest
     needs: discover
-    if: fromJSON(needs.discover.outputs.hits).oci-images.publish != '{}'
+    env:
+      AWS_REGION: us-east-1
+      AWS_ROLE_ARN: arn:aws:iam::926093910549:role/lace-ci
+      # NIX_UPLOAD_CACHE: s3://lace-nix-cache?region=us-east-1
+    permissions:
+      id-token: write
+      contents: read
     strategy:
       matrix:
-        target: ${{ fromJSON(needs.discover.outputs.hits).oci-images.publish }}
+        target: ${{ contains(fromJSON(needs.discover.outputs.hits), 'oci-images') && fromJSON(needs.discover.outputs.hits).oci-images.publish || fromJSON('["dummy-target"]') }}
     steps:
       - name: Configure AWS Credentials
+        if: matrix.target != 'dummy-target'
         uses: aws-actions/[email protected]
         with:
           role-to-assume: ${{ env.AWS_ROLE_ARN }}
           aws-region: ${{ env.AWS_REGION }}
       - name: Login to Amazon ECR
+        if: matrix.target != 'dummy-target'
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v1
       - uses: nixbuild/nix-quick-install-action@v25
+        if: matrix.target != 'dummy-target'
       - uses: nixbuild/nixbuild-action@v17
+        if: matrix.target != 'dummy-target'
         with:
           nixbuild_ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
           generate_summary_for: job
       - uses: divnix/std-action/setup-discovery-ssh@main
+        if: matrix.target != 'dummy-target'
         with:
           ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
           user_name: ${{ env.DISCOVERY_USER_NAME }}
@@ -95,100 +109,124 @@ jobs:
         run: |
           echo commit: ${{ github.sha }}
       - uses: divnix/std-action/run@main
+        if: matrix.target != 'dummy-target'
         with: {ffBuildInstructions: true, remoteStore: "ssh-ng://eu.nixbuild.net"}
 
 
-  diff-to-eu:
-    runs-on: ubuntu-latest
-    needs: [discover, images]
-    name: ${{ matrix.target.jobName }} (us-east-1)
-    env:
-      AWS_REGION: us-east-1
+  # TODO: remove all hardcoded instances of `dev-preview` in the next iteration
+  diff-to-us:
+    needs: images
+    name: Diff & Comment (dev-preview)
+    if: github.event_name == 'pull_request' && (github.base_ref == 'master')
     permissions:
-      id-token: write
       contents: read
       pull-requests: write
-    if: fromJSON(needs.discover.outputs.hits).deployments.diff != '{}' && github.event_name == 'pull_request'
-    strategy:
-      matrix:
-        target: ${{ fromJSON(needs.discover.outputs.hits).deployments.diff }}
+    runs-on: ubuntu-22.04
     steps:
-      - name: Configure AWS Credentials
-        uses: aws-actions/[email protected]
-        with:
-          role-to-assume: ${{ env.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
+      - uses: actions/checkout@v4
       - uses: nixbuild/nix-quick-install-action@v25
       - uses: nixbuild/nixbuild-action@v17
         with:
           nixbuild_ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
           generate_summary_for: job
+      # Further steps assume AWS_PROFILE=lw, while the official action has no way to specify that profile:
+      - name: Set up AWS credentials
+        run: |
+          mkdir -p ~/.aws
+
+          cat <<EOF >~/.aws/credentials
+          [lw]
+          aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY}}
+          aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          EOF
+
+          cat <<EOF >~/.aws/config
+          [lw]
+          region = us-east-1
+          EOF
       - uses: divnix/std-action/setup-discovery-ssh@main
         with:
           ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
           user_name: ${{ env.DISCOVERY_USER_NAME }}
           ssh_known_hosts_entry: ${{ env.DISCOVERY_KNOWN_HOSTS_ENTRY }}
-      - name: Configure K8S Cluster Access
-        shell: bash
-        run: |
-          echo "Assuming role '$(aws sts get-caller-identity)' in cluster 'lace-dev-us-east-1'."
-          aws eks update-kubeconfig --name "lace-dev-us-east-1"
-      - name: Show commit
-        shell: bash
+      - name: Generate the Diff
         run: |
-          echo commit: ${{ github.sha }}
-      - uses: divnix/std-action/run@main
+          echo 'export K8S_USER=eks-devs' >.envrc.local
+
+          nix develop .#x86_64-linux.local.envs.main -L --command bash -c '
+            set -euo pipefail
+
+            export AWS_PROFILE="lw"
+            export AWS_REGION="us-east-1"
+
+            # FIXME: before merging: change target to `dev-preview@us-east-1`
+            nix run -L ".#[email protected]" | tee k8s-plan.diff
+          '
+      - name: Post Comment on the PR
         env:
-          BRANCH: ${{ github.ref_type == 'branch' && github.head_ref }}
           GH_TOKEN: ${{ github.token }}
-          OWNER_AND_REPO: ${{ github.repository }}
-        with: {ffBuildInstructions: true, remoteStore: "ssh-ng://eu.nixbuild.net"}
+        run: |
+          prNumber=$(cut -d/ -f1 <<<'${{ github.ref_name }}')
+          gh pr comment "$prNumber" --body "$(
+            echo '<details>'
+            echo "<summary>$(head -n 1 k8s-plan.diff)</summary>"
+            echo
+            echo '```diff'
+            tail -n +2 k8s-plan.diff
+            echo '```'
+            echo '</details>'
+          )"
 
 
-  deploy-to-eu:
-    runs-on: ubuntu-latest
-    needs: [discover, images]
-    name: ${{ matrix.target.jobName }} (us-east-1)
-    env:
-      AWS_REGION: us-east-1
-    permissions:
-      id-token: write
-      contents: read
-      deployments: write
+  # TODO: remove all hardcoded instances of `dev-preview` in the next iteration
+  deploy-to-us:
+    if: (github.event_name == 'push' && github.ref_name == 'master') || (github.event_name == 'workflow_dispatch' && inputs.deploy)
+    needs: [images]
+    concurrency:
+      # Only one deployment at a time per environment, and wait for the previous one to finish:
+      group: deploy-dev-preview
+      cancel-in-progress: false
+    name: Deploy (dev-preview)
+    runs-on: ubuntu-22.04
     environment:
       name: dev-preview
-      url: https://backend.dev-preview.eks.lw.iog.io
-    # Boolean input should be compared with string until https://github.com/actions/runner/issues/2238 resolved
-    if: >
-      fromJSON(needs.discover.outputs.hits).deployments.apply != '{}' && ((github.event_name == 'push' && github.ref == 'refs/heads/master') || inputs.deploy)
-
-    strategy:
-      matrix:
-        target: ${{ fromJSON(needs.discover.outputs.hits).deployments.apply }}
+      url: https://dev-preview.lw.iog.io/
     steps:
-      - name: Configure AWS Credentials
-        uses: aws-actions/[email protected]
-        with:
-          role-to-assume: ${{ env.AWS_ROLE_ARN }}
-          aws-region: ${{ env.AWS_REGION }}
+      - uses: actions/checkout@v4
       - uses: nixbuild/nix-quick-install-action@v25
       - uses: nixbuild/nixbuild-action@v17
         with:
           nixbuild_ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
           generate_summary_for: job
+      # Further steps assume AWS_PROFILE=lw, while the official action has no way to specify that profile:
+      - name: Set up AWS credentials
+        run: |
+          mkdir -p ~/.aws
+
+          cat <<EOF >~/.aws/credentials
+          [lw]
+          aws_access_key_id = ${{ secrets.AWS_ACCESS_KEY}}
+          aws_secret_access_key = ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          EOF
+
+          cat <<EOF >~/.aws/config
+          [lw]
+          region = us-east-1
+          EOF
       - uses: divnix/std-action/setup-discovery-ssh@main
         with:
           ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
           user_name: ${{ env.DISCOVERY_USER_NAME }}
           ssh_known_hosts_entry: ${{ env.DISCOVERY_KNOWN_HOSTS_ENTRY }}
-      - name: Configure K8S Cluster Access
-        shell: bash
+      - name: Deploy to K8s
         run: |
-          echo "Assuming role '$(aws sts get-caller-identity)' in cluster 'lace-dev-us-east-1'."
-          aws eks update-kubeconfig --name "lace-dev-us-east-1"
-      - name: Show commit
-        shell: bash
-        run: |
-          echo commit: ${{ github.sha }}
-      - uses: divnix/std-action/run@main
-        with: {ffBuildInstructions: true, remoteStore: "ssh-ng://eu.nixbuild.net"}
+          echo 'export K8S_USER=eks-devs' >.envrc.local
+
+          nix develop .#x86_64-linux.local.envs.main -L --command bash -c '
+            set -euo pipefail
+
+            export AWS_PROFILE="lw"
+            export AWS_REGION="us-east-1"
+
+            echo yes | nix run -L ".#[email protected]"
+          '

.kube/us-east-1

@@ -0,0 +1,111 @@
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURCVENDQWUyZ0F3SUJBZ0lJRXF6d2E1VTRYREl3RFFZSktvWklodmNOQVFFTEJRQXdGVEVUTUJFR0ExVUUKQXhNS2EzVmlaWEp1WlhSbGN6QWVGdzB5TkRBeE1Ea3hOVE13TlRaYUZ3MHpOREF4TURZeE5UTTFOVFphTUJVeApFekFSQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13Z2dFaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQkR3QXdnZ0VLCkFvSUJBUURoYi94eStyNTFBR0tsUFVUQVdwTzJlbkI3Vzc0RStGS2pvV3VUd0FsdWIwcVRFSlR6ZlVjLzROOWIKZ3dsYk85TFdIN2ZYRGY0dEVCbjEwK2VRYzlYSTYzN09LYng2bzhuMmlib2JVNlJzY1dxOXNzMk1WY3BGN0VDOQpiZVprRHd4N2FlODZtSmhnZDNKeFBXRWI3SGdPZE8yaEVSN3Z0VEV4NjRwNWl4TzFMbDRrT2VvYzRGQm1tTURvCm9oNjJJRy9YZ3ZFdjc4azZteVRZeWdYV2JDcGRMR3hWa0YzNVRTOE93TTc0YWl6SWNFQ3JSZDAzVDFaT2NOaUoKcUhKQnJBbEt5MzB2OXJ6L0NFbGxwWEFJclY1WXJmcVd1NVBkeUsrdDliSU9zTGJYd2pIalJ2bGJ6Z3ZML1Izegp2MEQwdno2UVhVdy92eGt0VER5bEtyNitkSDVUQWdNQkFBR2pXVEJYTUE0R0ExVWREd0VCL3dRRUF3SUNwREFQCkJnTlZIUk1CQWY4RUJUQURBUUgvTUIwR0ExVWREZ1FXQkJSMlJHOExESzdOYXJOV3FhNnpkRWJjdmt1c3RqQVYKQmdOVkhSRUVEakFNZ2dwcmRXSmxjbTVsZEdWek1BMEdDU3FHU0liM0RRRUJDd1VBQTRJQkFRQTJqTGQ5UThYRApQYmpsSDhXZjV1ZHAwZDRTSXIzcHYvU0lWQjIwazhHcHFPZFFRcTZVc2IrZVVFL0lwY2tBMkZ3d0ZOZ3M1amJDCjNGRGt2QjE2NHMwT3hQRFYzbnNxTkt0ZDJCUCtITS9QTEFJOXVLOW9QM0ZHYXREZDY1QkJoRnBoaWtGdDIyczIKY3ZVUHByY1VNVG9wT3ZPZGpteEIxdDR3ZDFRVmRCOVRwaVc0eEVPcEsxdmJLc2ZWeEpHdzdYdHFMRlF2dzB3MgpQMXgyNDZJRWlRWXRnazlMcE9WRDNUQ1VwMS9ReUEvclJ3NlFNWU8xdlpqQWpWaXJzWUZQQVlPOU1KcUZOS2x1CmhlRm5UTENiME1JL0NNQWEyOHhmWlFHUVhkNDExWnZUdFFTdWxnUTlMUmovclBQSWRmZ3RzdVJMU2JvVzlqMXYKZVRJWDRkc0RBVkZUCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+    server: https://EB65A880B90DF0A9B8455038EF27A45E.gr7.us-east-1.eks.amazonaws.com
+  name: arn:aws:eks:us-east-1:926093910549:cluster/lace-dev-us-east-1
+contexts:
+- context:
+    cluster: arn:aws:eks:us-east-1:926093910549:cluster/lace-dev-us-east-1
+    user: eks-admin
+  name: eks-admin
+- context:
+    cluster: arn:aws:eks:us-east-1:926093910549:cluster/lace-dev-us-east-1
+    user: eks-devs
+  name: eks-devs
+- context:
+    cluster: arn:aws:eks:us-east-1:926093910549:cluster/lace-dev-us-east-1
+    user: eks-readonly
+  name: eks-readonly
+- context:
+    cluster: arn:aws:eks:us-east-1:926093910549:cluster/lace-dev-us-east-1
+    user: lace-ci
+  name: lace-ci
+current-context: eks-devs
+kind: Config
+preferences: {}
+users:
+- name: eks-admin
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - --region
+      - us-east-1
+      - eks
+      - get-token
+      - --cluster-name
+      - lace-dev-us-east-1
+      - --output
+      - json
+      - --role
+      - arn:aws:iam::926093910549:role/eks-admin
+      command: aws
+      env:
+      - name: AWS_PROFILE
+        value: lw
+      interactiveMode: IfAvailable
+      provideClusterInfo: false
+- name: eks-devs
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - --region
+      - us-east-1
+      - eks
+      - get-token
+      - --cluster-name
+      - lace-dev-us-east-1
+      - --output
+      - json
+      - --role
+      - arn:aws:iam::926093910549:role/eks-devs
+      command: aws
+      env:
+      - name: AWS_PROFILE
+        value: lw
+      interactiveMode: IfAvailable
+      provideClusterInfo: false
+- name: eks-readonly
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - --region
+      - us-east-1
+      - eks
+      - get-token
+      - --cluster-name
+      - lace-dev-us-east-1
+      - --output
+      - json
+      - --role
+      - arn:aws:iam::926093910549:role/eks-readonly
+      command: aws
+      env:
+      - name: AWS_PROFILE
+        value: lw
+      interactiveMode: IfAvailable
+      provideClusterInfo: false
+- name: lace-ci
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - --region
+      - us-east-1
+      - eks
+      - get-token
+      - --cluster-name
+      - lace-dev-us-east-1
+      - --output
+      - json
+      - --role
+      - arn:aws:iam::926093910549:role/lace-ci
+      command: aws
+      env:
+      - name: AWS_PROFILE
+        value: lw
+      interactiveMode: IfAvailable
+      provideClusterInfo: false