NRL-1595 Rough deploy account wide infra workflow

atrace · atrace · commit 933f31c86c8d · 2025-11-18T09:24:17.000Z
diff --git a/.github/workflows/deploy-account-wide-infra.yml b/.github/workflows/deploy-account-wide-infra.yml
@@ -0,0 +1,332 @@
+name: Deploy Account-wide infrastructure
+run-name: Account-wide infra deployment to ${{ inputs.account }} of ${{ inputs.branch_name }} by ${{ github.actor }}
+
+# An action environment would need
+#   name=acc-test
+#   envs_to_pull: "qa" "ref" "int" "perftest"
+#   aws_account_id: 123456789 - get this from tf vars or something maybe?
+
+on:
+  workflow_dispatch:
+    inputs:
+      account:
+        description: "Account to deploy to"
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - test
+          - prod
+      branch_name:
+        description: Branch to deploy
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+  actions: write
+
+jobs:
+  # build:
+  #   name: Build - ${{ inputs.branch_name }}
+  #   runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+
+  #   steps:
+  #     - name: Git clone - ${{ inputs.branch_name }}
+  #       uses: actions/checkout@v4
+  #       with:
+  #         ref: ${{ inputs.branch_name }}
+
+  #     - name: Setup environment
+  #       run: |
+  #         echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+  #         poetry install --no-root
+
+  #     - name: Run Linting
+  #       run: make lint
+
+  #     - name: Run Unit Tests
+  #       run: make test
+
+  #     - name: Build Project
+  #       run: make build
+
+  #     - name: Configure Management Credentials
+  #       uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+  #       with:
+  #         aws-region: eu-west-2
+  #         role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+  #         role-session-name: github-actions-ci-${{ inputs.account }}-${{ github.run_id }}
+
+  #     - name: Add S3 Permissions to Lambda
+  #       env:
+  #         ENVIRONMENT: ${{ inputs.environment }}
+  #       run: |
+  #         account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)
+  #         inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
+  #         make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${inactive_stack}
+
+  #     - name: Save Build Artifacts
+  #       uses: actions/upload-artifact@v4
+  #       with:
+  #         name: build-artifacts
+  #         path: |
+  #           dist/*.zip
+  #           !dist/nrlf_permissions.zip
+
+  #     - name: Save NRLF Permissions cache
+  #       uses: actions/cache/save@v4
+  #       with:
+  #         key: ${{ github.run_id }}-nrlf-permissions
+  #         path: dist/nrlf_permissions.zip
+
+  terraform-plan:
+    name: Terraform Plan - ${{ inputs.account }}
+    # needs: [build]
+    # environment: ${{ inputs.environment }}
+    # environment: acc-${{ inputs.environment }} ??
+    runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+
+    steps:
+      - name: Git clone - ${{ inputs.branch_name }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.branch_name }}
+
+      - name: Setup environment
+        run: |
+          echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+          poetry install --no-root
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.account }}-${{ github.run_id }}
+
+      - name: Retrieve Server Certificates
+        env:
+          // TODO: needs to go in an environment or be looked up somehow envs_to_pull=("dev" "test" "preid")
+          ENVS_TO_PULL: ${{ vars.envs_to_pull }}
+        run: |
+          # Needs doing for each env per account
+          envs_array=($ENVS_TO_PULL)
+          for env in $envs_array; do make truststore-pull-server ENV=${env}; done
+
+      # - name: Download build artifacts
+      #   uses: actions/download-artifact@v4
+      #   with:
+      #     name: build-artifacts
+      #     path: dist
+
+      # - name: Restore NRLF permissions cache
+      #   uses: actions/cache/restore@v4
+      #   with:
+      #     key: ${{ github.run_id }}-nrlf-permissions
+      #     path: dist/nrlf_permissions.zip
+      #     fail-on-cache-miss: true
+
+      - name: Terraform Init
+        env:
+          ACCOUNT_NAME: ${{ inputs.account }}
+        run: |
+          terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} init
+          terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} workspace new ${ACCOUNT_NAME} || \
+            terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} workspace select ${ACCOUNT_NAME}
+
+      - name: Terraform Plan
+        env:
+          DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
+          ACCOUNT_NAME: ${{ inputs.account }}
+        run: |
+          terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} plan \
+            -var 'assume_account=AWS_ACCOUNT_ID' \
+            -var 'assume_role=terraform'  // TODO: is this still a good role? for CI?
+            -out tfplan
+
+      - name: Save Terraform Plan
+        env:
+          ACCOUNT_NAME: ${{ inputs.account }}
+        run: |
+          terraform -chdir=terraform/account-wide-infrastructure show -no-color tfplan > terraform/account-wide-infrastructure/tfplan.txt
+          aws s3 cp terraform/account-wide-infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan // TODO where tf is this?
+          aws s3 cp terraform/account-wide-infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan.txt
+
+  terraform-apply:
+    name: Terraform Apply - ${{ inputs.account }}
+    needs: [terraform-plan]
+    runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    # environment: ${{ inputs.environment }}
+
+    steps:
+      - name: Git clone - ${{ inputs.branch_name }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.branch_name }}
+
+      - name: Setup environment
+        run: |
+          echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+          poetry install --no-root
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: build-artifacts
+          path: dist
+
+      - name: Restore NRLF permissions cache
+        uses: actions/cache/restore@v4
+        with:
+          key: ${{ github.run_id }}-nrlf-permissions
+          path: dist/nrlf_permissions.zip
+          fail-on-cache-miss: true
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.account }}-${{ github.run_id}}
+
+      - name: Download Terraform Plan artifact
+        env:
+          ACCOUNT_NAME: ${{ inputs.ACCOUNT }}
+        run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/acc-$ACCOUNT_NAME/${{ github.run_id }}/tfplan terraform/account-wide-infrastructure/tfplan
+
+      - name: Retrieve Server Certificates
+        env:
+          // TODO: needs to go in an environment or be looked up somehow envs_to_pull=("dev" "test" "preid")
+          ENVS_TO_PULL: ${{ vars.envs_to_pull }}
+        run: |
+          # Needs doing for each env per account
+          envs_array=($ENVS_TO_PULL)
+          for env in $envs_array; do make truststore-pull-server ENV=${env}; done
+
+      - name: Terraform Init
+        env:
+          ACCOUNT_NAME: ${{ inputs.account }}
+        run: |
+          terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} init
+          terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} workspace new ${ACCOUNT_NAME} || \
+            terraform -chdir=terraform/account-wide-infrastructure/${ACCOUNT_NAME} workspace select ${ACCOUNT_NAME}
+
+      - name: Terraform Apply
+        run: |
+          terraform -chdir=terraform/account-wide-infrastructure apply tfplan \
+          -var 'assume_account=AWS_ACCOUNT_ID' \
+          -var 'assume_role=terraform'
+          # TODO: the rest of this still needed now we're applying from a file? if not, don;t forget the backslash above!! \
+
+      # Is this where we'd burn commit & datetime into state?
+      - name: Update environment config version
+        env:
+          ENVIRONMENT: ${{ inputs.environment }}
+        run: |
+          deployed_version=$(terraform -chdir=terraform/infrastructure output --raw version)
+          poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} $ENVIRONMENT
+
+      - name: Smoke Test ?
+        env:
+          ENVIRONMENT: ${{ inputs.environment }}
+        run: |
+          account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)
+          make ENV=${account} truststore-pull-client
+          make ENV=$ENVIRONMENT test-smoke-internal
+
+  # do we need this for account infra-only changes??
+  # activate-stack:
+  #   name: Activate - ${{ inputs.environment }}
+  #   needs: [terraform-apply]
+  #   runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+  #   environment: ${{ inputs.environment }}
+
+  #   steps:
+  #     - name: Git clone - ${{ inputs.branch_name }}
+  #       uses: actions/checkout@v4
+  #       with:
+  #         ref: ${{ inputs.branch_name }}
+
+  #     - name: Setup environment
+  #       run: |
+  #         echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+  #         poetry install --no-root
+
+  #     - name: Configure Management Credentials
+  #       uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+  #       with:
+  #         aws-region: eu-west-2
+  #         role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+  #         role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+  #     - name: Activate Stack
+  #       env:
+  #         ENVIRONMENT: ${{ inputs.environment }}
+  #       run: |
+  #         inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
+  #         poetry run python ./scripts/activate_stack.py ${inactive_stack} $ENVIRONMENT
+
+  # post-release-verify:
+  #   name: Verify - ${{ inputs.account }}
+  #   needs: [activate-stack]
+  #   runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+  #   # environment: ${{ inputs.environment }}
+
+  #   steps:
+  #     - name: Git clone - ${{ inputs.branch_name }}
+  #       uses: actions/checkout@v4
+  #       with:
+  #         ref: ${{ inputs.branch_name }}
+
+  #     - name: Setup environment
+  #       run: |
+  #         echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+  #         poetry install --no-root
+
+  #     - name: Configure Management Credentials
+  #       uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+  #       with:
+  #         aws-region: eu-west-2
+  #         role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+  #         role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+  #     - name: "Smoke Test"
+  #       env:
+  #         ENVIRONMENT: ${{ inputs.environment }}
+  #       run: |
+  #         make ENV=$ENVIRONMENT test-smoke-public
+
+  # Can we rollback changes if needed? Or just manually rerun pipeline for last working commit?
+  # rollback-stack:
+  #   name: Rollback - ${{ inputs.environment }}
+  #   needs: [post-release-verify]
+  #   if: always() && ( needs.post-release-verify.result == 'failure' )
+  #   runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+  #   environment: ${{ inputs.environment }}
+
+  #   steps:
+  #     - name: Git clone - ${{ inputs.branch_name }}
+  #       uses: actions/checkout@v4
+  #       with:
+  #         ref: ${{ inputs.branch_name }}
+
+  #     - name: Setup environment
+  #       run: |
+  #         echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+  #         poetry install --no-root
+
+  #     - name: Configure Management Credentials
+  #       uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+  #       with:
+  #         aws-region: eu-west-2
+  #         role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+  #         role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+  #     - name: Deactivate Stack
+  #       env:
+  #         ENVIRONMENT: ${{ inputs.environment }}
+  #       run: |
+  #         inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
+  #         poetry run python ./scripts/activate_stack.py ${inactive_stack_name} $ENVIRONMENT
