eli-540 attach secret access policy to lambda and external role (#493) #461
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Description: Deploys merged code to the dev environment. | |
| # Triggered on push to main. Tags the commit with a dev-<timestamp> label. | |
| # Does not create GitHub Releases or production tags (v1.x.x). | |
| name: "2. CD | Deploy to Dev" | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - hotfix/* | |
| workflow_dispatch: {} | |
| concurrency: | |
| group: terraform-dev | |
| cancel-in-progress: false | |
| jobs: | |
| metadata: | |
| name: "Set CI/CD metadata" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 1 | |
| outputs: | |
| build_datetime: ${{ steps.variables.outputs.build_datetime }} | |
| build_timestamp: ${{ steps.variables.outputs.build_timestamp }} | |
| build_epoch: ${{ steps.variables.outputs.build_epoch }} | |
| nodejs_version: ${{ steps.variables.outputs.nodejs_version }} | |
| python_version: ${{ steps.variables.outputs.python_version }} | |
| terraform_version: ${{ steps.variables.outputs.terraform_version }} | |
| version: ${{ steps.variables.outputs.version }} | |
| steps: | |
| - name: "Checkout code" | |
| uses: actions/checkout@v5 | |
| with: | |
| ref: ${{ github.ref_name }} | |
| - name: "Set CI/CD variables" | |
| id: variables | |
| run: | | |
| datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') | |
| echo "build_datetime=$datetime" >> $GITHUB_OUTPUT | |
| echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT | |
| echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT | |
| echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT | |
| echo "version=dev-$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT | |
| - name: "List variables" | |
| run: | | |
| echo "Deploying to: DEV" | |
| echo "VERSION=${{ steps.variables.outputs.version }}" | |
| publish: | |
| name: "Publish to dev" | |
| runs-on: ubuntu-latest | |
| needs: [metadata] | |
| timeout-minutes: 30 | |
| environment: "dev" | |
| permissions: | |
| id-token: write | |
| contents: write | |
| steps: | |
| - name: "Setup Terraform" | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: ${{ needs.metadata.outputs.terraform_version }} | |
| - name: "Set up Python" | |
| uses: actions/setup-python@v6 | |
| with: | |
| python-version: '3.13' | |
| - name: "Checkout Repository" | |
| uses: actions/checkout@v5 | |
| with: | |
| ref: ${{ github.ref_name }} | |
| - name: "Build lambda artefact" | |
| run: | | |
| make dependencies install-python | |
| make build | |
| - name: "Upload lambda artefact for cross-workflow use" | |
| uses: actions/upload-artifact@v5 | |
| with: | |
| name: lambda-${{ needs.metadata.outputs.version }} | |
| path: dist/lambda.zip | |
| - name: "Configure AWS Credentials" | |
| uses: aws-actions/configure-aws-credentials@v5 | |
| with: | |
| role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role | |
| aws-region: eu-west-2 | |
| - name: "Terraform Apply" | |
| env: | |
| ENVIRONMENT: dev | |
| WORKSPACE: "default" | |
| TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} | |
| TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} | |
| TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} | |
| TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }} | |
| TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} | |
| run: | | |
| mkdir -p ./build | |
| echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" | |
| make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE | |
| echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" | |
| make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE | |
| working-directory: ./infrastructure | |
| - name: "Validate Feature Toggles" | |
| env: | |
| ENV: dev | |
| run: | | |
| pip install boto3 | |
| python scripts/feature_toggle/validate_toggles.py | |
| - name: "Tag the dev deployment" | |
| run: | | |
| git config user.name "github-actions" | |
| git config user.email "[email protected]" | |
| git tag ${{ needs.metadata.outputs.version }} | |
| git push origin ${{ needs.metadata.outputs.version }} | |
| - name: "Notify Slack on PR merge" | |
| uses: slackapi/[email protected] | |
| with: | |
| webhook: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| webhook-type: webhook-trigger | |
| payload: | | |
| status: "${{ job.status }}" | |
| link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}" | |
| Author: "${{ github.actor }}" | |
| title: "Pushed to main" | |
| version: "${{ needs.metadata.outputs.version }}" | |
| regression-tests: | |
| name: "Regression Tests" | |
| needs: publish | |
| uses: ./.github/workflows/regression-tests.yml | |
| with: | |
| ENVIRONMENT: "dev" | |
| VERSION_NUMBER: "main" | |
| secrets: inherit |