NRL-1595 pre-feedback pipeline. Different loop attempts

atrace · atrace · commit f6fdcfa76adc · 2025-11-20T10:18:51.000Z
diff --git a/.github/workflows/deploy-account-wide-infra.yml b/.github/workflows/deploy-account-wide-infra.yml
@@ -3,8 +3,14 @@ run-name: Account-wide infra deployment to ${{ inputs.account }} of ${{ inputs.b
 
 # An action environment would need
 #   name=acc-test
-#   envs_to_pull: "qa" "ref" "int" "perftest"
-#   aws_account_id: 123456789 - get this from tf vars or something maybe?
+#   envs_to_pull: "qa" "ref" "int" "perftest" - use aws session assume.py - pull out
+# OR json format: ["qa", "ref", "int", "perftest"] - feels better
+# OR json obj lookup in repo-wide variable instead + same for below
+#   aws_account_id: 123456789 - get this from tf vars or something maybe? - use get_account_name script
+
+# MGMT_ROLE_ARN is in repo secrets, so not needed in env
+
+# Looping through envs to pull certs
 
 on:
   workflow_dispatch:
@@ -28,6 +34,49 @@ permissions:
   actions: write
 
 jobs:
+  # provide-cert-env-matrix:
+  #   runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+  #   steps:
+  #     # here we create the json, we need the "id:" so we can use it in "outputs" bellow
+  #     - id: set-matrix
+  #       run: echo "::set-output name=matrix::$(vendor/bin/monorepo-builder packages-json --names)"
+
+  #   # here, we save the result of this 1st phase to the "outputs"
+  #   outputs:
+  #     matrix: ${{ steps.set-matrix.outputs.matrix }}
+
+  pull-certs:
+    name: Pull certs per env
+    runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+    # env:
+    #   ENVS_TO_PULL: ${{ vars.envs_to_pull }}
+    strategy:
+      matrix:
+        env_to_pull: ${{ fromJson(vars.envs_to_pull) }}
+    steps:
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.account }}-${{ github.run_id }}
+
+      - name: Retrieve Server Certificates
+        env:
+          # // TODO: needs to go in an environment or be looked up somehow envs_to_pull=("dev" "test" "preid")
+          ENV_TO_PULL: ${{ matrix.env_to_pull }}
+        run: |
+          echo $ENV_TO_PULL
+          make truststore-pull-server ENV=$ENV_TO_PULL
+
+      # Can I even do this for something sensitive? Maybe no
+      - name: Save Cert Artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: cert-artifact-${{ matrix.env_to_pull }}
+          path: |
+            truststore/**/*.pem
+
   # build:
   #   name: Build - ${{ inputs.branch_name }}
   #   runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
@@ -84,6 +133,7 @@ jobs:
   terraform-plan:
     name: Terraform Plan - ${{ inputs.account }}
     # needs: [build]
+    needs: [pull-certs]
     # environment: ${{ inputs.environment }}
     # environment: acc-${{ inputs.environment }} ??
     runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
@@ -106,6 +156,14 @@ jobs:
           role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
           role-session-name: github-actions-ci-${{ inputs.account }}-${{ github.run_id }}
 
+      - name: Download certs
+        uses: actions/download-artifact@v5
+        with:
+          name: cert-artifacts-*
+          path: truststore
+
+      # -------- OR --------
+
       - name: Retrieve Server Certificates
         env:
           // TODO: needs to go in an environment or be looked up somehow envs_to_pull=("dev" "test" "preid")
@@ -298,35 +356,42 @@ jobs:
   #       run: |
   #         make ENV=$ENVIRONMENT test-smoke-public
 
-  # Can we rollback changes if needed? Or just manually rerun pipeline for last working commit?
-  # rollback-stack:
-  #   name: Rollback - ${{ inputs.environment }}
-  #   needs: [post-release-verify]
-  #   if: always() && ( needs.post-release-verify.result == 'failure' )
-  #   runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
-  #   environment: ${{ inputs.environment }}
-
-  #   steps:
-  #     - name: Git clone - ${{ inputs.branch_name }}
-  #       uses: actions/checkout@v4
-  #       with:
-  #         ref: ${{ inputs.branch_name }}
-
-  #     - name: Setup environment
-  #       run: |
-  #         echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
-  #         poetry install --no-root
-
-  #     - name: Configure Management Credentials
-  #       uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
-  #       with:
-  #         aws-region: eu-west-2
-  #         role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
-  #         role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
-
-  #     - name: Deactivate Stack
-  #       env:
-  #         ENVIRONMENT: ${{ inputs.environment }}
-  #       run: |
-  #         inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
-  #         poetry run python ./scripts/activate_stack.py ${inactive_stack_name} $ENVIRONMENT
+  # Slack notif: starting deploy of account-wide infra <branch deets>
+  # tf-plan: ensure output is visible in job output
+
+# pre-apply: check current commit deployed in state
+# post-apply: update current deployed commit in state
+#  no auto rollback
+
+# Can we rollback changes if needed? Or just manually rerun pipeline for last working commit?
+# rollback-stack:
+#   name: Rollback - ${{ inputs.environment }}
+#   needs: [post-release-verify]
+#   if: always() && ( needs.post-release-verify.result == 'failure' )
+#   runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
+#   environment: ${{ inputs.environment }}
+
+#   steps:
+#     - name: Git clone - ${{ inputs.branch_name }}
+#       uses: actions/checkout@v4
+#       with:
+#         ref: ${{ inputs.branch_name }}
+
+#     - name: Setup environment
+#       run: |
+#         echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
+#         poetry install --no-root
+
+#     - name: Configure Management Credentials
+#       uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
+#       with:
+#         aws-region: eu-west-2
+#         role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+#         role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}
+
+#     - name: Deactivate Stack
+#       env:
+#         ENVIRONMENT: ${{ inputs.environment }}
+#       run: |
+#         inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
+#         poetry run python ./scripts/activate_stack.py ${inactive_stack_name} $ENVIRONMENT
