Merge branch 'feature/PI-407-immutable_backups' into release/2025-03-26

Author: megan-bower4

.github/workflows/_deploy.yml

@@ -167,7 +167,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
-      - if: ${{ env.ACCOUNT != 'mgmt'}}
+      - if: ${{ env.ACCOUNT != 'mgmt' && env.ACCOUNT != 'backups' }}
         uses: ./.github/actions/make/
         with:
           command: test--smoke WORKSPACE="${{ env.WORKSPACE }}" ACCOUNT="${{ env.ACCOUNT }}"

.github/workflows/_deploy_backups.yml

@@ -0,0 +1,162 @@
+on:
+  workflow_call:
+    inputs:
+      account:
+        description: The AWS account being deployed
+        type: string
+        required: true
+      workspace:
+        description: The Terraform workspace being deployed
+        type: string
+        required: true
+      scope:
+        description: The Terraform scope being deployed
+        type: string
+        required: true
+
+permissions:
+  id-token: write
+  contents: read
+  actions: write
+
+env:
+  ACCOUNT: ${{ inputs.account }}
+  WORKSPACE: ${{ inputs.workspace }}
+  CACHE_NAME: ${{ inputs.workspace }}-${{ inputs.account }}-${{ inputs.scope }}
+  SCOPE: ${{ inputs.scope }}
+  CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
+
+jobs:
+  parse-secrets:
+    runs-on: [self-hosted, ci]
+    steps:
+      - id: parse-secrets
+        run: |
+          echo "::add-mask::${{ secrets.CI_ROLE_NAME }}"
+
+  get-branch-from-workflow-file:
+    runs-on: [self-hosted, ci]
+    needs: [parse-secrets]
+    outputs:
+      branch_name: ${{ steps.get_branch.outputs.branch_name }}
+    steps:
+      - id: get_branch
+        run: |
+          workflow_ref=${{ github.workflow_ref }}
+          branch_name=${workflow_ref#*refs/heads/}
+          branch_name=${branch_name#*refs/tags/}
+          echo "branch_name=${branch_name}" >> $GITHUB_OUTPUT
+
+  build:
+    runs-on: [self-hosted, ci]
+    needs: get-branch-from-workflow-file
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - if: ${{ env.SCOPE == 'per_workspace'}}
+        uses: ./.github/actions/make/
+        with:
+          command: build
+          save-to-cache: "true"
+          restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
+      - if: ${{ env.SCOPE != 'per_workspace'}}
+        uses: ./.github/actions/make/
+        with:
+          command: poetry--update
+          save-to-cache: "true"
+          restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--init:
+    needs: [get-branch-from-workflow-file, build]
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: init
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--plan:
+    needs: [get-branch-from-workflow-file, terraform--init]
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: plan
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  terraform--apply:
+    needs: [get-branch-from-workflow-file, terraform--plan]
+    environment: ${{ inputs.account }}
+    runs-on: [self-hosted, ci]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
+      - uses: ./.github/actions/terraform/
+        with:
+          command: apply
+          account: ${{ env.ACCOUNT }}
+          workspace: ${{ env.WORKSPACE }}
+          scope: ${{ env.SCOPE }}
+          restore-from-cache: "true"
+          save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
+
+  set-success:
+    name: Set Success
+    needs: [terraform--apply]
+    runs-on: [self-hosted, ci]
+    steps:
+      - name: Set success env var
+        run: echo "success"
+    outputs:
+      success: "succeeded"
+
+  message-slack:
+    name: Notify slack of deployment
+    needs: [get-branch-from-workflow-file, set-success]
+    if: always()
+    runs-on: [self-hosted, ci]
+
+    steps:
+      - name: Catch failed steps
+        id: catch-failed-step
+        uses: ./.github/actions/catch-failed-step
+      - name: Send job result to slack
+        id: slack
+        uses: slackapi/[email protected]
+        with:
+          webhook-type: webhook-trigger
+          payload: |
+            {
+              "action_url": "${{ format('{0}/{1}/actions/runs/{2}/attempts/{3}', github.server_url, github.repository, github.run_id, github.run_attempt) }}",
+              "attempt": ${{ github.run_attempt }},
+              "account": "${{ env.ACCOUNT }}",
+              "workspace": "${{ env.WORKSPACE }}",
+              "caller": "${{ github.triggering_actor }}",
+              "scope": "${{ env.SCOPE }}",
+              "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}",
+              "result":  "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}",
+              "result_detail": "${{ needs.set-success.outputs.success && 'None' || steps.catch-failed-step.outputs.failed-step-name }}"
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}

.github/workflows/deploy-backups-account-wide-resources.yml

@@ -0,0 +1,19 @@
+name: "Deploy: Account Wide - Backups"
+
+on:
+  workflow_dispatch:
+    inputs:
+      account:
+        description: Account to deploy
+        required: true
+        default: backups
+jobs:
+  deploy:
+    uses: ./.github/workflows/_deploy_backups.yml
+    with:
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}"
+    secrets: inherit # pragma: allowlist secret
+
+run-name: Deploying account wide to nonprod workspace - ${{ inputs.account }}

.github/workflows/deploy-parameters-backups.yml

@@ -0,0 +1,20 @@
+name: "Deploy: Parameters - Backups"
+
+on:
+  workflow_dispatch:
+    inputs:
+      account:
+        description: Account to deploy
+        required: true
+        default: backups
+
+jobs:
+  deploy:
+    uses: ./.github/workflows/_deploy_backups.yml
+    with:
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}/parameters"
+    secrets: inherit # pragma: allowlist secret
+
+run-name: Deploying parameters to nonprod workspace - ${{ inputs.account }}

infrastructure/terraform/etc/backups.tfvars

@@ -0,0 +1,2 @@
+account_name = "backups"
+environment  = "backups"

infrastructure/terraform/modules/api_worker/api_lambda/lambda.tf

@@ -0,0 +1,37 @@
+module "lambda_function" {
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "6.0.0"
+
+  function_name = var.lambda_name
+  description   = "${replace(var.name, "_", "-")} lambda function"
+  handler       = "api.${var.name}.index.handler"
+  runtime       = var.python_version
+  timeout       = 10
+  memory_size   = var.memory_size
+
+  timeouts = {
+    create = "5m"
+    update = "5m"
+    delete = "5m"
+  }
+
+  create_current_version_allowed_triggers = false
+  allowed_triggers                        = var.allowed_triggers
+  environment_variables                   = var.environment_variables
+
+  create_package         = false
+  local_existing_package = var.source_path
+
+  tags = {
+    Name = replace(var.name, "_", "-")
+  }
+
+  layers = var.layers
+
+  trusted_entities   = var.trusted_entities
+  attach_policy_json = var.attach_policy_json
+  policy_json        = var.policy_json
+
+  attach_policy_statements = var.attach_policy_statements
+  policy_statements        = var.policy_statements
+}

infrastructure/terraform/modules/api_worker/api_lambda/outputs.tf

@@ -0,0 +1,19 @@
+output "lambda_arn" {
+  value = module.lambda_function.lambda_function_arn
+}
+
+output "lambda_role_arn" {
+  value = module.lambda_function.lambda_role_arn
+}
+
+output "lambda_role_name" {
+  value = module.lambda_function.lambda_role_name
+}
+
+output "metadata" {
+  value = {
+    lambda_invoke_arn   = module.lambda_function.lambda_function_invoke_arn
+    authoriser_iam_role = module.lambda_function.lambda_role_arn
+    authoriser_name     = var.lambda_name
+  }
+}

infrastructure/terraform/modules/api_worker/api_lambda/vars.tf

@@ -0,0 +1,46 @@
+variable "name" {}
+
+variable "python_version" {
+}
+
+variable "lambda_name" {
+  default = ""
+}
+
+variable "layers" {
+  type = list(string)
+}
+
+variable "source_path" {}
+
+variable "attach_policy_json" {
+  default = false
+}
+
+variable "policy_json" {
+  default = ""
+}
+
+variable "trusted_entities" {
+  default = []
+}
+
+variable "allowed_triggers" {
+  default = {}
+}
+
+variable "environment_variables" {
+  default = {}
+}
+
+variable "attach_policy_statements" {
+  default = false
+}
+
+variable "policy_statements" {
+  default = {}
+}
+
+variable "memory_size" {
+  default = 128
+}

infrastructure/terraform/modules/api_worker/api_layer/layer.tf

@@ -0,0 +1,24 @@
+module "lambda_layer" {
+  source  = "terraform-aws-modules/lambda/aws"
+  version = "6.0.0"
+
+  timeouts = {
+    create = "5m"
+    update = "5m"
+    delete = "5m"
+  }
+
+  create_layer = true
+
+  layer_name          = var.layer_name
+  description         = "${replace(var.name, "_", "-")} lambda layer"
+  compatible_runtimes = [var.python_version]
+
+  create_package         = false
+  local_existing_package = var.source_path
+  environment_variables  = var.environment_variables
+
+  tags = {
+    Name = replace(var.name, "_", "-")
+  }
+}

infrastructure/terraform/modules/api_worker/api_layer/outputs.tf

@@ -0,0 +1,7 @@
+output "layer_arn" {
+  value = module.lambda_layer.lambda_layer_arn
+}
+
+output "name" {
+  value = var.name
+}