Skip to content
Update Lambda Permissions

Updating permissions on prod-1 using v3.0.27 by mattdean3-nhs #106

Sign in to view logs

Updating permissions on prod-1 using v3.0.27 by mattdean3-nhs

Updating permissions on prod-1 using v3.0.27 by mattdean3-nhs #106

Workflow file for this run

.github/workflows/update-lambda-permissions.yml at 4a646ba
name: Update Lambda Permissions
run-name: Updating permissions on ${{ inputs.stack_name }} using ${{ github.ref_name }} by ${{ github.actor }}
on:
workflow_dispatch:
inputs:
environment:
description: Environment to deploy to
required: true
default: "dev"
type: environment
stack_name:
description: Stack to update
required: true
type: string
strict_versioning:
description: Use strict versioning (recommended)
required: true
type: boolean
default: true
permissions:
id-token: write
contents: read
actions: write
jobs:
check-versions:
name: Check versions
runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Setup environment
run: |
echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
poetry install --no-root
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Terraform Init
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
- name: Check deployed version matches build version
run: |
this_version="$(./scripts/get-current-info.sh | jq -r .version)"
deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)"
echo "code-version=${this_version} deployed-version=${deployed_version}"
if [ "${deployed_version}" != "${this_version}" ]
then
echo "${this_version} does not match deployed version: ${deployed_version}" 1>&2
if [ "${{ inputs.strict_versioning }}" == "true" ]; then
echo "Strict version checking failed, cancelling workflow" 1>&2
exit 1
fi
fi
build-permissions:
name: Build permissions
runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
environment: ${{ inputs.environment }}
needs: [check-versions]
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Setup environment
run: |
echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
poetry install --no-root
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Create lambda permissions layer
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${{ inputs.stack_name }}
- name: Save NRLF permissions in cache
uses: actions/cache/save@v4
with:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip
pull-deployed-lambdas:
name: Pull deployed lambdas
runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
environment: ${{ inputs.environment }}
needs: [check-versions]
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Configure Account Role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-chaining: true
role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}
role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }}
- name: Pull deployed lambda artifacts
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }}
- name: Save lambda artifacts in cache
uses: actions/cache/save@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: dist/*.zip
terraform-plan:
name: Plan changes
runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
environment: ${{ inputs.environment }}
needs: [build-permissions, pull-deployed-lambdas]
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Setup environment
run: |
echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
poetry install --no-root
- name: Restore pulled lambda artifacts
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: dist/*.zip
fail-on-cache-miss: true
- name: Restore NRLF permissions cache
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip
fail-on-cache-miss: true
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Terraform Init
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
- name: Terraform Plan
run: |
terraform -chdir=terraform/infrastructure plan \
--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
--var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
--out tfplan
- name: Save Terraform Plan
run: |
terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan
aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt
terraform-apply:
name: Apply permissions
runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
environment: ${{ inputs.environment }}
needs: terraform-plan
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Setup environment
run: |
echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
poetry install --no-root
- name: Restore pulled lambda artifacts
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: dist/*.zip
fail-on-cache-miss: true
- name: Restore NRLF permissions cache
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip
fail-on-cache-miss: true
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Download Terraform Plan artifact
run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
- name: Terraform Init
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
- name: Terraform Apply
run: |
terraform -chdir=terraform/infrastructure apply tfplan