Merge pull request #558 from NHSDigital/release/2025-03-26

Release/2025 03 26

Author: megan-bower4

.github/workflows/_deploy.yml

@@ -47,6 +47,7 @@ jobs:
           branch_name=${branch_name#*refs/tags/}
           echo "branch_name=${branch_name}" >> $GITHUB_OUTPUT
 
+  # BACKUPS_LOGIC (Source account needs layers building)
   build:
     runs-on: [self-hosted, ci]
     needs: get-branch-from-workflow-file
@@ -61,7 +62,14 @@ jobs:
           save-to-cache: "true"
           restore-from-cache: "false"
           cache-suffix: ${{ env.CACHE_NAME }}
-      - if: ${{ env.SCOPE != 'per_workspace'}}
+      - if: ${{ env.SCOPE != 'per_workspace' && inputs.account == 'dev'}}
+        uses: ./.github/actions/make/
+        with:
+          command: build
+          save-to-cache: "true"
+          restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
+      - if: ${{ env.SCOPE != 'per_workspace' && inputs.account != 'dev'}}
         uses: ./.github/actions/make/
         with:
           command: poetry--update
@@ -167,7 +175,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
-      - if: ${{ env.ACCOUNT != 'mgmt'}}
+      - if: ${{ env.ACCOUNT != 'mgmt' && env.ACCOUNT != 'backups' }}
         uses: ./.github/actions/make/
         with:
           command: test--smoke WORKSPACE="${{ env.WORKSPACE }}" ACCOUNT="${{ env.ACCOUNT }}"

.github/workflows/_deploy_backups.yml

@@ -0,0 +1,162 @@
+on:
+  workflow_call:
+    inputs:
+      account:
+        description: The AWS account being deployed
+        type: string
+        required: true
+      workspace:
+        description: The Terraform workspace being deployed
+        type: string
+        required: true
+      scope:
+        description: The Terraform scope being deployed
+        type: string
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+  actions: write
+
+env:
+  ACCOUNT: ${{ inputs.account }}
+  WORKSPACE: ${{ inputs.workspace }}
+  CACHE_NAME: ${{ inputs.workspace }}-${{ inputs.account }}-${{ inputs.scope }}
+  SCOPE: ${{ inputs.scope }}
+  CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
+
+jobs:
+  parse-secrets:
+    runs-on: [self-hosted, ci]
+    steps:
+      - id: parse-secrets
+        run: |
+          echo "::add-mask::${{ secrets.CI_ROLE_NAME }}"
+
+  get-branch-from-workflow-file:
+    runs-on: [self-hosted, ci]
+    needs: [parse-secrets]
+    outputs:
+      branch_name: ${{ steps.get_branch.outputs.branch_name }}
+    steps:
+      - id: get_branch
+        run: |
+          workflow_ref=${{ github.workflow_ref }}
+          branch_name=${workflow_ref#*refs/heads/}
+          branch_name=${branch_name#*refs/tags/}
+          echo "branch_name=${branch_name}" >> $GITHUB_OUTPUT
+
+  build:
+    runs-on: [self-hosted, ci]
+    needs: get-branch-from-workflow-file
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - if: ${{ env.SCOPE == 'per_workspace'}}
+        uses: ./.github/actions/make/
+        with:
+          command: build
+          save-to-cache: "true"
+          restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
+      - if: ${{ env.SCOPE != 'per_workspace'}}
+        uses: ./.github/actions/make/
+        with:
+          command: poetry--update
+          save-to-cache: "true"
+          restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--init:
+    needs: [get-branch-from-workflow-file, build]
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: init
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--plan:
+    needs: [get-branch-from-workflow-file, terraform--init]
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: plan
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--apply:
+    needs: [get-branch-from-workflow-file, terraform--plan]
+    environment: ${{ inputs.account }}
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: apply
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  set-success:
+    name: Set Success
+    needs: [terraform--apply]
+    runs-on: [self-hosted, ci]
+    steps:
+      - name: Set success env var
+        run: echo "success"
+    outputs:
+      success: "succeeded"
+
+  message-slack:
+    name: Notify slack of deployment
+    needs: [get-branch-from-workflow-file, set-success]
+    if: always()
+    runs-on: [self-hosted, ci]
+
+    steps:
+      - name: Catch failed steps
+        id: catch-failed-step
+        uses: ./.github/actions/catch-failed-step
+      - name: Send job result to slack
+        id: slack
+        uses: slackapi/[email protected]
+        with:
+          webhook-type: webhook-trigger
+          payload: |
+            {
+              "action_url": "${{ format('{0}/{1}/actions/runs/{2}/attempts/{3}', github.server_url, github.repository, github.run_id, github.run_attempt) }}",
+              "attempt": ${{ github.run_attempt }},
+              "account": "${{ env.ACCOUNT }}",
+              "workspace": "${{ env.WORKSPACE }}",
+              "caller": "${{ github.triggering_actor }}",
+              "scope": "${{ env.SCOPE }}",
+              "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}",
+              "result":  "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}",
+              "result_detail": "${{ needs.set-success.outputs.success && 'None' || steps.catch-failed-step.outputs.failed-step-name }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}

.github/workflows/deploy-backups-account-wide-resources.yml

@@ -0,0 +1,19 @@
+name: "Deploy: Account Wide - Backups"
+
+on:
+  workflow_dispatch:
+    inputs:
+      account:
+        description: Account to deploy
+        required: true
+        default: backups
+jobs:
+  deploy:
+    uses: ./.github/workflows/_deploy_backups.yml
+    with:
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}"
+    secrets: inherit # pragma: allowlist secret
+
+run-name: Deploying account wide to nonprod workspace - ${{ inputs.account }}

.github/workflows/deploy-parameters-backups.yml

@@ -0,0 +1,20 @@
+name: "Deploy: Parameters - Backups"
+
+on:
+  workflow_dispatch:
+    inputs:
+      account:
+        description: Account to deploy
+        required: true
+        default: backups
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/_deploy_backups.yml
+    with:
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}/parameters"
+    secrets: inherit # pragma: allowlist secret
+
+run-name: Deploying parameters to nonprod workspace - ${{ inputs.account }}

CHANGELOG.md

@@ -1,5 +1,8 @@
 # Changelog
 
+## 2025-03-26
+- [PI-407] Immutable Backups
+
 ## 2025-03-25
 - [PI-857] Sonar Merge Commit
 - [PI-865] Swagger refinement 2

VERSION

@@ -1 +1 @@
-2025.03.25
+2025.03.26

changelog/2025-03-26.md

@@ -0,0 +1 @@
+- [PI-407] Immutable Backups

infrastructure/terraform/etc/backups.tfvars

@@ -0,0 +1,2 @@
+account_name = "backups"
+environment  = "backups"

infrastructure/terraform/modules/api_worker/api_lambda/lambda.tf

@@ -0,0 +1,37 @@
+module "lambda_function" {
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "6.0.0"
+
+  function_name = var.lambda_name
+  description   = "${replace(var.name, "_", "-")} lambda function"
+  handler       = "api.${var.name}.index.handler"
+  runtime       = var.python_version
+  timeout       = 10
+  memory_size   = var.memory_size
+
+  timeouts = {
+    create = "5m"
+    update = "5m"
+    delete = "5m"
+  }
+
+  create_current_version_allowed_triggers = false
+  allowed_triggers                        = var.allowed_triggers
+  environment_variables                   = var.environment_variables
+
+  create_package         = false
+  local_existing_package = var.source_path
+
+  tags = {
+    Name = replace(var.name, "_", "-")
+  }
+
+  layers = var.layers
+
+  trusted_entities   = var.trusted_entities
+  attach_policy_json = var.attach_policy_json
+  policy_json        = var.policy_json
+
+  attach_policy_statements = var.attach_policy_statements
+  policy_statements        = var.policy_statements
+}

infrastructure/terraform/modules/api_worker/api_lambda/outputs.tf

@@ -0,0 +1,19 @@
+output "lambda_arn" {
+  value = module.lambda_function.lambda_function_arn
+}
+
+output "lambda_role_arn" {
+  value = module.lambda_function.lambda_role_arn
+}
+
+output "lambda_role_name" {
+  value = module.lambda_function.lambda_role_name
+}
+
+output "metadata" {
+  value = {
+    lambda_invoke_arn   = module.lambda_function.lambda_function_invoke_arn
+    authoriser_iam_role = module.lambda_function.lambda_role_arn
+    authoriser_name     = var.lambda_name
+  }
+}