Account-wide infra deployment to of by anjalitrace2-nhs #1
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy Account-wide infrastructure | |
| run-name: Account-wide infra deployment to ${{ inputs.environment }} of ${{ inputs.branch_name }} by ${{ github.actor }} | |
| # An action environment would need | |
| # name=acc-test | |
| # ACCOUNT_NAME=test | |
| # AWS_ACCOUNT_ID | |
| # envs_to_pull: "qa" "ref" "int" "perftest" - use aws session assume.py - pull out | |
| # OR json format: ["qa", "ref", "int", "perftest"] - feels better | |
| # OR json obj lookup in repo-wide variable instead + same for below | |
| # aws_account_id: 123456789 - get this from tf vars or something maybe? - use get_account_name script | |
| # MGMT_ROLE_ARN is in repo secrets, so not needed in env | |
| # Looping through envs to pull certs | |
| on: | |
| push: | |
| branches: | |
| - "NRL-1595**" | |
| # on: | |
| # workflow_dispatch: | |
| # inputs: | |
| # environment: | |
| # description: "Environment to deploy to" | |
| # required: true | |
| # default: "account-dev" | |
| # type: environment | |
| # branch_name: | |
| # description: Branch to deploy | |
| # required: true | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: write | |
| jobs: | |
| check-selected-environment: | |
| name: Check Workflow Env | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| steps: | |
| - name: Validate environment | |
| env: | |
| IS_VALID_ENV: startsWith(${{inputs.environment}}, "account-") | |
| run: | | |
| echo $IS_VALID_ENV | |
| exit $IS_VALID_ENV == true | |
| terraform-plan: | |
| name: Terraform Plan - ${{ inputs.environment }} | |
| environment: ${{ inputs.environment }} | |
| if: startsWith(${{inputs.environment}}, "account-") | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Retrieve Server Certificates | |
| env: | |
| ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }} | |
| run: | | |
| make truststore-pull-all-for-account ACCOUNT=${ACCOUNT_NAME} | |
| - name: Terraform Init | |
| env: | |
| ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }} | |
| run: | | |
| terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} init | |
| terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} workspace new ${ACCOUNT_NAME} || \ | |
| terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} workspace select ${ACCOUNT_NAME} | |
| - name: Terraform Plan | |
| env: | |
| ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }} | |
| AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
| run: | | |
| terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} plan \ | |
| -var 'assume_account=${AWS_ACCOUNT_ID}' \ | |
| -var 'assume_role=terraform' | |
| -out tfplan | |
| - name: Save Terraform Plan | |
| env: | |
| ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }} | |
| run: | | |
| terraform -chdir=terraform/account-wide-infrastructure show -no-color tfplan > terraform/account-wide-infrastructure/tfplan.txt | |
| aws s3 cp terraform/account-wide-infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan | |
| aws s3 cp terraform/account-wide-infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan.txt | |
| terraform-apply: | |
| name: Terraform Apply - ${{ inputs.environment }} | |
| needs: [terraform-plan] | |
| runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup environment | |
| run: | | |
| echo "${HOME}/.asdf/bin" >> $GITHUB_PATH | |
| poetry install --no-root | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: Download Terraform Plan artifact | |
| env: | |
| ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }} | |
| run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan terraform/account-wide-infrastructure/tfplan | |
| - name: Retrieve Server Certificates | |
| env: | |
| ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }} | |
| run: | | |
| make truststore-pull-all-for-account ACCOUNT=${ACCOUNT_NAME} | |
| - name: Terraform Init | |
| env: | |
| ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }} | |
| run: | | |
| terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} init | |
| terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} workspace new ${ACCOUNT_NAME} || \ | |
| terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} workspace select ${ACCOUNT_NAME} | |
| # - name: Terraform Apply | |
| # env: | |
| # AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} | |
| # run: | | |
| # terraform -chdir=terraform/account-wide-infrastructure apply tfplan \ | |
| # -var 'assume_account=AWS_ACCOUNT_ID' \ | |
| # -var 'assume_role=terraform' | |
| # TODO: fix this | |
| # # Is this where we'd burn commit & datetime into state? | |
| # - name: Update environment config version | |
| # env: | |
| # ENVIRONMENT: ${{ inputs.environment }} | |
| # run: | | |
| # deployed_version=$(terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} output --raw version) | |
| # poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} $ENVIRONMENT | |
| # Slack notif: starting deploy of account-wide infra <branch deets> | |
| # tf-plan: ensure output is visible in job output | |
| # pre-apply: check current commit deployed in state | |
| # post-apply: update current deployed commit in state | |
| # no auto rollback |