Merge pull request #672 from NHSDigital/feature/axkr1-NRL-760-blue-green-stacks

NRL-760 Add logic for blue/green deployments to build/deploy scripts

Author: axelkrastek1-nhs

.github/workflows/persistent-environment.yml

@@ -134,9 +134,11 @@ jobs:
 
       - name: Terraform Plan
         run: |
+          inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
           terraform -chdir=terraform/infrastructure plan \
             --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
             --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+            --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \
             -out tfplan
 
       - name: Save Terraform Plan

.github/workflows/pr-env-deploy.yml

@@ -146,14 +146,27 @@ jobs:
       - name: Retrieve Server Certificates
         run: make truststore-pull-server ENV=dev
 
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
       - name: Terraform Init
         run: |
           terraform -chdir=terraform/infrastructure init
           terraform -chdir=terraform/infrastructure workspace new ${{ needs.set-environment-id.outputs.environment_id }} || \
           terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Terraform Plan
-        run: terraform -chdir=terraform/infrastructure plan --var-file=etc/dev.tfvars --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} -out tfplan
+        run: |
+          terraform -chdir=terraform/infrastructure plan \
+          --var-file=etc/dev.tfvars \
+          --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
+          --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ needs.set-environment-id.outputs.environment_id }}) \
+          -out tfplan
 
       - name: Terraform Apply
         id: terraform-apply

Makefile

@@ -17,6 +17,7 @@ HOST ?= $(TF_WORKSPACE_NAME).api.record-locator.$(ENV).national.nhs.uk
 ENV_TYPE ?= $(ENV)
 
 export PATH := $(PATH):$(PWD)/.venv/bin
+export USE_SHARED_RESOURCES := $(shell poetry run python scripts/are_resources_shared_for_stack.py $(TF_WORKSPACE_NAME))
 
 default: build
 
@@ -79,7 +80,11 @@ test: check-warn ## Run the unit tests
 
 test-features-integration: check-warn ## Run the BDD feature tests in the integration environment
 	@echo "Running feature tests in the integration environment"
-	behave --define="integration_test=true" --define="env=$(TF_WORKSPACE_NAME)" $(FEATURE_TEST_ARGS)
+	behave --define="integration_test=true" \
+		--define="env=$(TF_WORKSPACE_NAME)" \
+		--define="account_name=$(ENV)" \
+		--define="use_shared_resources=${USE_SHARED_RESOURCES}" \
+		$(FEATURE_TEST_ARGS)
 
 test-smoke-internal: check-warn ## Run the smoke tests against the internal environment
 	@echo "Running smoke tests against the internal environment"
@@ -129,7 +134,7 @@ get-access-token: check-warn ## Get an access token for an environment
 	@poetry run python tests/utilities/get_access_token.py $(ENV) $(APP_ALIAS)
 
 get-s3-perms: check-warn ## Get s3 permissions for an environment
-	@poetry run python scripts/get_s3_permissions.py $(ENV) $(DIST_PATH)
+	poetry run python scripts/get_s3_permissions.py ${USE_SHARED_RESOURCES} $(ENV) $(TF_WORKSPACE_NAME) "$(DIST_PATH)"
 	@echo "Creating new Lambda NRLF permissions layer zip"
 	./scripts/add-perms-to-lambda.sh $(DIST_PATH)
 

scripts/are_resources_shared_for_stack.py

@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+# Get if the stack should share resources
+import fire
+
+persistent_environments = [
+    "dev-1",
+    "dev-2",
+    "dev-sandbox-1",
+    "dev-sandbox-2",
+    "qa-1",
+    "qa-2",
+    "qa-sandbox-1",
+    "qa-sandbox-2",
+    "ref-1",
+    "ref-2",
+    "int-1",
+    "int-2",
+    "int-sandbox-1",
+    "int-sandbox-2",
+    "prod-1",
+    "prod-2",
+]
+
+
+def main(stack_name: str):
+    return "true" if stack_name in persistent_environments else "false"
+
+
+if __name__ == "__main__":
+    fire.Fire(main)

scripts/check-deploy-environment.sh

@@ -6,6 +6,7 @@ set -o errexit -o pipefail -o nounset
 : "${SHOULD_WARN_ONLY:="false"}"
 : "${ENV:="dev"}"
 : "${ENV_ACCOUNT_NAME:="dev"}"
+: "${TF_WORKSPACE_NAME:=""}"
 
 function success() {
   [ "${SHOULD_WARN_ONLY}" == "true" ] && return
@@ -51,22 +52,37 @@ else
     warning "${ENV_ACCOUNT_NAME} account id not found in mgmt account. Check you are logged into the NRLF mgmt account."
 fi
 
+
 # Check the Terraform workspace is set
 set +e
 tf_workspace="$(cd terraform/infrastructure && terraform workspace show)"
 set -e
+
+is_using_shared_resources="$(poetry run python ./scripts/are_resources_shared_for_stack.py ${tf_workspace})"
+if [ "${is_using_shared_resources}" == "true" ]
+then
+    warning "Will use shared resources for stack '${tf_workspace}'"
+else
+    success "Not using shared resources for stack '${tf_workspace}'"
+fi
+
+
+# Check the Terraform workspace value
 case "${tf_workspace}" in
-    dev|qa|int|ref|prod)
+    dev-*|qa-*|int-*|ref-*|prod-*)
         warning "Terraform workspace set to persistent environment '${tf_workspace}'"
-        if [ "${tf_workspace}" != "${ENV}" ]
+
+        if [[ "${tf_workspace}" =~ "${ENV}-" ]]
         then
+            success "Terraform workspace '${tf_workspace}' matches deployment environment '${ENV}'"
+        else
             warning "Terraform workspace '${tf_workspace}' does not match deployment environment '${ENV}'"
         fi
         ;;
-    dev-sandbox|qa-sandbox|int-sandbox)
+    *-sandbox-*)
         warning "Terraform workspace set to sandbox environment '${tf_workspace}'"
         ;;
-    account_wide|default)
+    default)
         warning "Terraform workspace set to '${tf_workspace}'"
         ;;
     *)

scripts/get_s3_permissions.py

@@ -75,8 +75,10 @@ def download_files(s3_client, bucket_name, local_path, file_names, folders):
     add_test_files("K6PerformanceTest", "Y05868.json", local_path)
 
 
-def main(env: str, path_to_store: str):
-    bucket = f"nhsd-nrlf--{env}-authorization-store"
+def main(use_shared_resources: str, env: str, workspace: str, path_to_store: str):
+    stack_name = env if use_shared_resources else workspace
+
+    bucket = f"nhsd-nrlf--{stack_name}-authorization-store"
     boto_session = get_boto_session(env)
 
     s3 = boto_session.client("s3")

terraform/infrastructure/Makefile

@@ -4,8 +4,9 @@ TF_WORKSPACE_NAME ?= $(shell (whoami || hostname) | head -c 5)-$(ENV)
 TF_ARGS ?=
 ENV_ACCOUNT_NAME ?= $(shell ../../scripts/get-account-name-for-env.sh $(ENV))
 ENV_ACCOUNT_ID ?= $(shell aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--$(ENV_ACCOUNT_NAME)-account-id --query SecretString --output text)
+USE_SHARED_RESOURCES ?= $(shell poetry run python ../../scripts/are_resources_shared_for_stack.py $(TF_WORKSPACE_NAME))
 
-export ENV ENV_ACCOUNT_NAME
+export ENV ENV_ACCOUNT_NAME TF_WORKSPACE_NAME
 
 help: ## Show this help message
 	@echo "Usage: make [target]"
@@ -31,16 +32,19 @@ plan: check-warn ## Plan the Terraform changes
 	terraform plan \
 		-var-file=./etc/$(ENV).tfvars \
 		-var 'assume_role_arn=arn:aws:iam::$(ENV_ACCOUNT_ID):role/terraform' \
+		-var 'use_shared_resources=$(USE_SHARED_RESOURCES)' \
 		$(TF_ARGS)
 
 apply: check-warn ## Apply the Terraform changes
 	terraform apply \
 		-var-file=./etc/$(ENV).tfvars \
 		-var 'assume_role_arn=arn:aws:iam::$(ENV_ACCOUNT_ID):role/terraform' \
+		-var 'use_shared_resources=$(USE_SHARED_RESOURCES)' \
 		$(TF_ARGS)
 
 destroy: check-warn ## Destroy the Terraform resources
 	terraform destroy \
 		-var-file=./etc/$(ENV).tfvars \
 		-var 'assume_role_arn=arn:aws:iam::$(ENV_ACCOUNT_ID):role/terraform' \
+		-var 'use_shared_resources=$(USE_SHARED_RESOURCES)' \
 		$(TF_ARGS)

terraform/infrastructure/data.tf

@@ -6,26 +6,26 @@ data "aws_s3_object" "api-truststore-certificate" {
 }
 
 data "aws_s3_bucket" "authorization-store" {
-  count  = local.use_shared_resources ? 1 : 0
-  bucket = "${local.prefix}-authorization-store"
+  count  = var.use_shared_resources ? 1 : 0
+  bucket = "${local.shared_prefix}-authorization-store"
 }
 
 data "aws_dynamodb_table" "pointers-table" {
-  count = local.use_shared_resources ? 1 : 0
-  name  = "${local.prefix}-pointers-table"
+  count = var.use_shared_resources ? 1 : 0
+  name  = "${local.shared_prefix}-pointers-table"
 }
 
 data "aws_iam_policy" "pointers-table-read" {
-  count = local.use_shared_resources ? 1 : 0
-  name  = "${local.prefix}-pointers-table-read"
+  count = var.use_shared_resources ? 1 : 0
+  name  = "${local.shared_prefix}-pointers-table-read"
 }
 
 data "aws_iam_policy" "pointers-table-write" {
-  count = local.use_shared_resources ? 1 : 0
-  name  = "${local.prefix}-pointers-table-write"
+  count = var.use_shared_resources ? 1 : 0
+  name  = "${local.shared_prefix}-pointers-table-write"
 }
 
 data "aws_iam_policy" "pointers-kms-read-write" {
-  count = local.use_shared_resources ? 1 : 0
-  name  = "${local.prefix}-pointers-kms-read-write"
+  count = var.use_shared_resources ? 1 : 0
+  name  = "${local.shared_prefix}-pointers-kms-read-write"
 }

terraform/infrastructure/ephemeral-resources.tf

@@ -1,11 +1,11 @@
 module "ephemeral-s3-permission-store" {
-  count       = local.use_shared_resources ? 0 : 1
+  count       = var.use_shared_resources ? 0 : 1
   source      = "./modules/permissions-store-bucket"
   name_prefix = local.prefix
 }
 
 module "ephemeral-pointers-table" {
-  count       = local.use_shared_resources ? 0 : 1
+  count       = var.use_shared_resources ? 0 : 1
   source      = "./modules/pointers-table"
   name_prefix = local.prefix
 }

terraform/infrastructure/lambda.tf

@@ -121,7 +121,6 @@ module "producer__createDocumentReference" {
     AUTH_STORE           = local.auth_store_id
     SPLUNK_INDEX         = module.firehose__processor.splunk.index
     POWERTOOLS_LOG_LEVEL = local.log_level
-    ENDPOINT_URL         = "${local.public_domain}/nrl-producer-api/FHIR/R4/DocumentReference"
     TABLE_NAME           = local.pointers_table_name
   }
   additional_policies = [