Updating permissions on int-1 using v3.0.29 by sandyforresternhs #112
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update Lambda Permissions | |
| run-name: Updating permissions on ${{ inputs.stack_name }} using ${{ github.ref_name }} by ${{ github.actor }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: Environment to deploy to | |
| required: true | |
| default: "dev" | |
| type: environment | |
| stack_name: | |
| description: Stack to update | |
| required: true | |
| type: string | |
| strict_versioning: | |
| description: Use strict versioning (recommended) | |
| required: true | |
| type: boolean | |
| default: true | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: write | |
| jobs: | |
| check-versions: | |
| name: Check versions | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Terraform Init | |
| env: | |
| STACK_NAME: ${{ inputs.stack_name }} | |
| run: | | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \ | |
| terraform -chdir=terraform/infrastructure workspace select $STACK_NAME | |
| - name: Check deployed version matches build version | |
| env: | |
| STRICT_VERSIONING: ${{ inputs.strict_versioning }} | |
| run: | | |
| this_version="$(./scripts/get-current-info.sh | jq -r .version)" | |
| deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)" | |
| echo "code-version=${this_version} deployed-version=${deployed_version}" | |
| if [ "${deployed_version}" != "${this_version}" ] | |
| then | |
| echo "${this_version} does not match deployed version: ${deployed_version}" 1>&2 | |
| if [ "$STRICT_VERSIONING" == "true" ]; then | |
| echo "Strict version checking failed, cancelling workflow" 1>&2 | |
| exit 1 | |
| fi | |
| fi | |
| build-permissions: | |
| name: Build permissions | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| needs: [check-versions] | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Create lambda permissions layer | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| STACK_NAME: ${{ inputs.stack_name }} | |
| run: | | |
| account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) | |
| make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=$STACK_NAME | |
| - name: Save NRLF permissions in cache | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| pull-deployed-lambdas: | |
| name: Pull deployed lambdas | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| needs: [check-versions] | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Configure Account Role | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-chaining: true | |
| role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }} | |
| role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Pull deployed lambda artifacts | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| STACK_NAME: ${{ inputs.stack_name }} | |
| run: | | |
| account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) | |
| ./scripts/pull-lambda-code-for-stack.sh $STACK_NAME | |
| - name: Save lambda artifacts in cache | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ github.run_id }}-pulled-lambda-artifacts | |
| path: dist/*.zip | |
| terraform-plan: | |
| name: Plan changes | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| needs: [build-permissions, pull-deployed-lambdas] | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Restore pulled lambda artifacts | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-pulled-lambda-artifacts | |
| path: dist/*.zip | |
| fail-on-cache-miss: true | |
| - name: Restore NRLF permissions cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| fail-on-cache-miss: true | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Terraform Init | |
| env: | |
| STACK_NAME: ${{ inputs.stack_name }} | |
| run: | | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \ | |
| terraform -chdir=terraform/infrastructure workspace select $STACK_NAME | |
| - name: Terraform Plan | |
| env: | |
| DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }} | |
| STACK_NAME: ${{ inputs.stack_name }} | |
| run: | | |
| terraform -chdir=terraform/infrastructure plan \ | |
| --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ | |
| --var assume_role_arn=${DEPLOY_ROLE_ARN} \ | |
| --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py $STACK_NAME) \ | |
| --out tfplan | |
| - name: Save Terraform Plan | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: | | |
| terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt | |
| aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan | |
| aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt | |
| terraform-apply: | |
| name: Apply permissions | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| needs: terraform-plan | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Restore pulled lambda artifacts | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-pulled-lambda-artifacts | |
| path: dist/*.zip | |
| fail-on-cache-miss: true | |
| - name: Restore NRLF permissions cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| fail-on-cache-miss: true | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Download Terraform Plan artifact | |
| env: | |
| ENVIRONMENT: ${{ inputs.environment }} | |
| run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan | |
| - name: Terraform Init | |
| env: | |
| STACK_NAME: ${{ inputs.stack_name }} | |
| run: | | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \ | |
| terraform -chdir=terraform/infrastructure workspace select $STACK_NAME | |
| - name: Terraform Apply | |
| run: | | |
| terraform -chdir=terraform/infrastructure apply tfplan |