Deployment to ref of v3.0.28 by axelkrastek1-nhs #1105
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Persistent Environment Deploy | |
| run-name: Deployment to ${{ inputs.environment }} of ${{ inputs.branch_name }} by ${{ github.actor }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: "Environment to deploy to" | |
| required: true | |
| default: "dev" | |
| type: environment | |
| branch_name: | |
| description: Branch to deploy | |
| required: true | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: write | |
| jobs: | |
| build: | |
| name: Build - ${{ inputs.branch_name }} | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Run Linting | |
| run: make lint | |
| - name: Run Unit Tests | |
| run: make test | |
| - name: Build Project | |
| run: make build | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Add S3 Permissions to Lambda | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) | |
| make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${inactive_stack} | |
| - name: Save Build Artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: | | |
| dist/*.zip | |
| !dist/nrlf_permissions.zip | |
| - name: Save NRLF Permissions cache | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| terraform-plan: | |
| name: Terraform Plan - ${{ inputs.environment }} | |
| needs: [build] | |
| environment: ${{ inputs.environment }} | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Retrieve Server Certificates | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) | |
| make truststore-pull-server ENV=${account} | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: dist | |
| - name: Restore NRLF permissions cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| fail-on-cache-miss: true | |
| - name: Terraform Init | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \ | |
| terraform -chdir=terraform/infrastructure workspace select ${inactive_stack} | |
| - name: Terraform Plan | |
| env: | |
| DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }} | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) | |
| terraform -chdir=terraform/infrastructure plan \ | |
| --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ | |
| --var assume_role_arn=${DEPLOY_ROLE_ARN} \ | |
| --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \ | |
| -out tfplan | |
| - name: Save Terraform Plan | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt | |
| aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan | |
| aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt | |
| terraform-apply: | |
| name: Terraform Apply - ${{ inputs.environment }} | |
| needs: [terraform-plan] | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: dist | |
| - name: Restore NRLF permissions cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| fail-on-cache-miss: true | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: Download Terraform Plan artifact | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan | |
| - name: Retrieve Server Certificates | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) | |
| make truststore-pull-server ENV=${account} | |
| - name: Terraform Init | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \ | |
| terraform -chdir=terraform/infrastructure workspace select ${inactive_stack} | |
| - name: Terraform Apply | |
| run: terraform -chdir=terraform/infrastructure apply tfplan | |
| - name: Update environment config version | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| deployed_version=$(terraform -chdir=terraform/infrastructure output --raw version) | |
| poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} $ENVIRONMENT | |
| - name: Smoke Test | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) | |
| make ENV=${account} truststore-pull-client | |
| make ENV=$ENVIRONMENT test-smoke-internal | |
| activate-stack: | |
| name: Activate - ${{ inputs.environment }} | |
| needs: [terraform-apply] | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: Activate Stack | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) | |
| poetry run python ./scripts/activate_stack.py ${inactive_stack} $ENVIRONMENT | |
| post-release-verify: | |
| name: Verify - ${{ inputs.environment }} | |
| needs: [activate-stack] | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: "Smoke Test" | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| make ENV=$ENVIRONMENT test-smoke-public | |
| rollback-stack: | |
| name: Rollback - ${{ inputs.environment }} | |
| needs: [post-release-verify] | |
| if: always() && ( needs.post-release-verify.result == 'failure' ) | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: Deactivate Stack | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) | |
| poetry run python ./scripts/activate_stack.py ${inactive_stack_name} $ENVIRONMENT |