Add CICD pipeline for automated deployment

[alukach]

What I'm adding

This PR adds automated deployments of the project. It implements the following deployment strategies:

• Commits made to main are deployed to the dev stage
• Releases made on the repo are deployed to the prod stage
• Manual deployments can be triggered for any branch and any environment

This provides us a multi-step workflow, as such:

Once merged to main, it will also add a dropdown similar to this within the Actions UI:

How I did it

This deployment follows what I understand to be best practice for deploying to AWS from Github Actions and follows the strategy outlined in Configuring OpenID Connect in Amazon Web Services. It basically works as follows:

• We set up a Github as an Identity Provider within the AWS account. This means that we trust requests that are signed by Github as valid identities within our AWS accounts (note: those identities are not permitted to do anything unless explicitly permitted within AWS IAM). I have created that Identity Provider here: arn:aws:iam::830244800171:oidc-provider/token.actions.githubusercontent.com
• We set up IAM Roles for each deployment (ie stage) to use. I have set up the following:
  • arn:aws:iam::830244800171:role/animl-api-dev-cicd-role
  • arn:aws:iam::830244800171:role/animl-api-prod-cicd-role
    Currently, these IAM roles are configured with Trust Relationships that only allow them to be assumed by the Github identity provider from workflows within the tnc-ca-geo/animl-api repo (see JSON here).

Caution

These roles are granted with AdministratorAccess, which basically allows them to do anything with the AWS account. I recommend tightening these permissions to only grant the roles with minimal permissions necessary to deploy to each respective environment. This can be achieved by running a deployment and then using AWS IAM Access Analyzer to determine which permissions were used.

• We set up unique Github Environments within our repo to model each deployment environment (i.e. stage) that we deploy to. Each environment should be configured with the Deployment Role that they are to use:
  • environment: dev
    • Environment variables:
      • DEPLOYMENT_ROLE_ARN: arn:aws:iam::830244800171:role/animl-api-dev-cicd-role
  • environment: prod
    • Environment variables:
      • DEPLOYMENT_ROLE_ARN: arn:aws:iam::830244800171:role/animl-api-prod-cicd-role
• We add a reusable workflow (.github/workflows/deploy.yml) to model our deployment process. This workflow will fetch temporary AWS credentials from AWS via the official aws-actions/configure-aws-credentials step. We set the username of the user who kicks off the repo as the session name for betting logging with the AWS account.

This updated workflow comes with a few features:

1. Runs tests on every push, not just PRs / pushes to main. This is a departure from our current functionality.
2. Cancels in-progress tests if new tests are schedule for the same branch.
3. Allows for manual deployments to deploy any branch to any environment.

Important

Currently, any user with WRITE permissions on the repo can take this action. If we want to make an allowlist for manual deployments, this can be done in the if: clause of the manual deployment job (see this discussion for more details).

While setting this up, I put together this example rep to demonstrate the system: https://github.com/alukach/example-github-actions-deployment-workflow/

How to use it

To make this work, the following GitHub environments must be made in settings (I do not possess these permissions):

• dev
  • Environment variables:
    • DEPLOYMENT_ROLE_ARN: arn:aws:iam::830244800171:role/animl-api-dev-cicd-role
• prod
  • Environment variables:
    • DEPLOYMENT_ROLE_ARN: arn:aws:iam::830244800171:role/animl-api-prod-cicd-role

Warning

I haven't had a chance to test the actual deployment via GitHub, however I feel that this PR gets us pretty close to complete.

---

Closes #204