|
| 1 | +name: "Auto Deploy to test" |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_run: |
| 5 | + workflows: ["CI/CD publish"] |
| 6 | + types: [completed] |
| 7 | + |
| 8 | +concurrency: |
| 9 | + group: terraform-deploy-test |
| 10 | + cancel-in-progress: false |
| 11 | + |
| 12 | +permissions: |
| 13 | + contents: read |
| 14 | + id-token: write |
| 15 | + actions: read |
| 16 | + |
| 17 | +jobs: |
| 18 | + metadata: |
| 19 | + name: "Resolve metadata from triggering run" |
| 20 | + runs-on: ubuntu-latest |
| 21 | + if: > |
| 22 | + ${{ |
| 23 | + github.event.workflow_run.conclusion == 'success' && |
| 24 | + github.event.workflow_run.head_branch == 'main' |
| 25 | + }} |
| 26 | + outputs: |
| 27 | + terraform_version: ${{ steps.vars.outputs.terraform_version }} |
| 28 | + tag: ${{ steps.tag.outputs.name }} |
| 29 | + steps: |
| 30 | + - name: "Checkout exact commit from CI/CD publish" |
| 31 | + uses: actions/checkout@v5 |
| 32 | + with: |
| 33 | + ref: ${{ github.event.workflow_run.head_sha }} |
| 34 | + |
| 35 | + - name: "Set CI/CD variables" |
| 36 | + id: vars |
| 37 | + run: | |
| 38 | + echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT |
| 39 | +
|
| 40 | + - name: "Resolve the dev-* tag for this commit" |
| 41 | + id: tag |
| 42 | + run: | |
| 43 | + git fetch --tags --force |
| 44 | + SHA="${{ github.event.workflow_run.head_sha }}" |
| 45 | + TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true) |
| 46 | + if [ -z "$TAG" ]; then |
| 47 | + echo "No dev-* tag found on $SHA" >&2 |
| 48 | + exit 1 |
| 49 | + fi |
| 50 | + echo "name=$TAG" >> $GITHUB_OUTPUT |
| 51 | + echo "Resolved tag: $TAG" |
| 52 | +
|
| 53 | + deploy: |
| 54 | + name: "Deploy to TEST (approval required)" |
| 55 | + runs-on: ubuntu-latest |
| 56 | + needs: [metadata] |
| 57 | + environment: test |
| 58 | + permissions: |
| 59 | + id-token: write |
| 60 | + contents: read |
| 61 | + steps: |
| 62 | + - name: "Checkout same commit" |
| 63 | + uses: actions/checkout@v5 |
| 64 | + with: |
| 65 | + ref: ${{ github.event.workflow_run.head_sha }} |
| 66 | + |
| 67 | + - name: "Setup Terraform" |
| 68 | + uses: hashicorp/setup-terraform@v3 |
| 69 | + with: |
| 70 | + terraform_version: ${{ needs.metadata.outputs.terraform_version }} |
| 71 | + |
| 72 | + - name: "Set up Python" |
| 73 | + uses: actions/setup-python@v5 |
| 74 | + with: |
| 75 | + python-version: "3.13" |
| 76 | + |
| 77 | + - name: "Configure AWS Credentials" |
| 78 | + uses: aws-actions/configure-aws-credentials@v4 |
| 79 | + with: |
| 80 | + role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role |
| 81 | + aws-region: eu-west-2 |
| 82 | + |
| 83 | + - name: "Build lambda artefact (rebuild in TEST)" |
| 84 | + run: | |
| 85 | + make dependencies install-python |
| 86 | + make build |
| 87 | +
|
| 88 | + - name: "Terraform Apply (TEST)" |
| 89 | + env: |
| 90 | + ENVIRONMENT: test |
| 91 | + WORKSPACE: "default" |
| 92 | + TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} |
| 93 | + TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} |
| 94 | + TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} |
| 95 | + TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }} |
| 96 | + TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} |
| 97 | + run: | |
| 98 | + mkdir -p ./build |
| 99 | + echo "Deploying tag: ${{ needs.metadata.outputs.tag }}" |
| 100 | + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" |
| 101 | + make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE |
| 102 | + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" |
| 103 | + make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE |
| 104 | + working-directory: ./infrastructure |
0 commit comments