Merge branch 'main' into feature/rgjb-te-eli-422-s3_audit_copy_terraform_changes

Author: TOEL2

.github/workflows/base-deploy.yml

@@ -119,7 +119,7 @@ jobs:
           path: ./build
 
       - name: "Configure AWS Credentials"
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
@@ -266,3 +266,13 @@ jobs:
             Auto-release created during production deployment.
           draft: false
           prerelease: false
+
+  regression-tests:
+    name: "Regression Tests"
+    if: ${{ needs.metadata.outputs.environment == 'preprod' }}
+    needs: deploy
+    uses: ./.github/workflows/regression-tests.yml
+    with:
+      ENVIRONMENT: "preprod"
+      VERSION_NUMBER: "main"
+    secrets: inherit

.github/workflows/cicd-2-publish.yaml

@@ -88,7 +88,7 @@ jobs:
           path: ./build
 
       - name: "Configure AWS Credentials"
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
@@ -103,7 +103,6 @@ jobs:
           TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
           TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
 
-        # just planning for now for safety and until review
         run: |
           mkdir -p ./build
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
@@ -119,29 +118,6 @@ jobs:
           git tag ${{ needs.metadata.outputs.version }}
           git push origin ${{ needs.metadata.outputs.version }}
 
-      # --- Keeping these just in case: Uncomment to release to GitHub ---
-      # - name: "Create release"
-      #   id: create_release
-      #   uses: actions/create-release@v1
-      #   env:
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      #   with:
-      #     tag_name: ${{ needs.metadata.outputs.version }}
-      #     release_name: Release ${{ needs.metadata.outputs.version }}
-      #     body: |
-      #       Release of ${{ needs.metadata.outputs.version }}
-      #     draft: false
-      #     prerelease: true
-
-      # - name: "Upload release asset"
-      #   uses: actions/upload-release-asset@v1
-      #   env:
-      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      #   with:
-      #     upload_url: "${{ steps.create_release.outputs.upload_url }}"
-      #     asset_path: ./build/lambda.zip
-      #     asset_name: lambda-${{ needs.metadata.outputs.version }}.zip
-      #     asset_content_type: application/zip
       - name: "Notify Slack on PR merge"
         uses: slackapi/[email protected]
         with:
@@ -153,3 +129,12 @@ jobs:
             Author: "${{ github.actor }}"
             title: "Pushed to main"
             version: "${{ needs.metadata.outputs.version }}"
+
+  regression-tests:
+    name: "Regression Tests"
+    needs: publish
+    uses: ./.github/workflows/regression-tests.yml
+    with:
+      ENVIRONMENT: "dev"
+      VERSION_NUMBER: "main"
+    secrets: inherit

.github/workflows/cicd-3-test.yaml

@@ -88,6 +88,8 @@ jobs:
 
       - name: "Checkout Repository"
         uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.inputs.tag }}
 
       - name: "Build lambda artefact"
         run: |
@@ -107,7 +109,7 @@ jobs:
           path: ./build
 
       - name: "Configure AWS Credentials"
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@v5
         with:
           role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
           aws-region: eu-west-2
@@ -128,3 +130,12 @@ jobs:
           echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
           make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
         working-directory: ./infrastructure
+
+  regression-tests:
+    name: "Regression Tests"
+    needs: deploy
+    uses: ./.github/workflows/regression-tests.yml
+    with:
+      ENVIRONMENT: "test"
+      VERSION_NUMBER: "main"
+    secrets: inherit

.github/workflows/cicd-3-test_auto.yaml

@@ -0,0 +1,113 @@
+name: "Auto Deploy to test"
+
+on:
+  workflow_run:
+    workflows: ["CI/CD publish"]
+    types: [completed]
+
+concurrency:
+  group: terraform-deploy-test
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  id-token: write
+  actions: read
+
+jobs:
+  metadata:
+    name: "Resolve metadata from triggering run"
+    runs-on: ubuntu-latest
+    if: >
+      ${{
+        github.event.workflow_run.conclusion == 'success' &&
+        github.event.workflow_run.head_branch == 'main'
+      }}
+    outputs:
+      terraform_version: ${{ steps.vars.outputs.terraform_version }}
+      tag: ${{ steps.tag.outputs.name }}
+    steps:
+      - name: "Checkout exact commit from CI/CD publish"
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+
+      - name: "Set CI/CD variables"
+        id: vars
+        run: |
+          echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+
+      - name: "Resolve the dev-* tag for this commit"
+        id: tag
+        run: |
+          git fetch --tags --force
+          SHA="${{ github.event.workflow_run.head_sha }}"
+          TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true)
+          if [ -z "$TAG" ]; then
+            echo "No dev-* tag found on $SHA" >&2
+            exit 1
+          fi
+          echo "name=$TAG" >> $GITHUB_OUTPUT
+          echo "Resolved tag: $TAG"
+
+  deploy:
+    name: "Deploy to TEST (approval required)"
+    runs-on: ubuntu-latest
+    needs: [metadata]
+    environment: test
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: "Checkout same commit"
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.event.workflow_run.head_sha }}
+
+      - name: "Setup Terraform"
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+
+      - name: "Set up Python"
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+
+      - name: "Configure AWS Credentials"
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          aws-region: eu-west-2
+
+      - name: "Build lambda artefact (rebuild in TEST)"
+        run: |
+          make dependencies install-python
+          make build
+
+      - name: "Terraform Apply (TEST)"
+        env:
+          ENVIRONMENT: test
+          WORKSPACE: "default"
+          TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
+          TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
+          TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+          TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+          TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+        run: |
+          mkdir -p ./build
+          echo "Deploying tag: ${{ needs.metadata.outputs.tag }}"
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
+        working-directory: ./infrastructure
+
+  regression-tests:
+    name: "Regression Tests"
+    needs: deploy
+    uses: ./.github/workflows/regression-tests.yml
+    with:
+      ENVIRONMENT: "test"
+      VERSION_NUMBER: "main"
+    secrets: inherit

…thub/workflows/cicd-4-preprod-deploy.yml …hub/workflows/cicd-4a-preprod-deploy.yml.github/workflows/cicd-4-preprod-deploy.yml renamed to .github/workflows/cicd-4a-preprod-deploy.yml .github/workflows/cicd-4-preprod-deploy.yml renamed to .github/workflows/cicd-4a-preprod-deploy.yml

@@ -30,3 +30,4 @@ jobs:
       ref: ${{ inputs.ref }}
       release_type: ${{ inputs.release_type }}
     secrets: inherit
+

.github/workflows/cicd-4b-preprod-seed-users.yml

@@ -0,0 +1,59 @@
+name: preprod - Seed DynamoDB table
+
+concurrency:
+  group: seed-preprod-dynamodb
+  cancel-in-progress: false
+
+on:
+  workflow_run:
+    workflows: [ "Preprod Deploy" ]
+    types:
+      - completed
+    filters:
+      conclusion:
+        - success
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Target environment
+        required: true
+        type: choice
+        options:
+          - preprod
+
+jobs:
+  seed-dynamodb:
+    runs-on: ubuntu-latest
+    environment: "preprod"
+    permissions:
+      id-token: write
+      contents: read
+    env:
+      AWS_REGION: eu-west-2
+      DATA_FOLDER: tests/e2e/data/dynamoDB/vitaIntegrationTestData
+      DYNAMODB_TABLE: eligibility-signposting-api-preprod-eligibility_datastore
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v5
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.13'
+
+      - name: Install dependencies
+        run: pip install boto3
+
+      - name: "Configure AWS Credentials"
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+          aws-region: ${{ env.AWS_REGION }}
+
+      - name: Run seed script
+        run: |
+          python scripts/seed_users/seed_dynamodb.py \
+            --table-name "${{ env.DYNAMODB_TABLE }}" \
+            --region "${{ env.AWS_REGION }}" \
+            --data-folder "${{ env.DATA_FOLDER }}"