diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index b35f7c76..9fb14a32 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -9,6 +9,7 @@ on:
 branches:
 - main
 - hotfix/*
+ - fix/bring_back_github_artifacts
 workflow_dispatch: {}
 
 concurrency:
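Review bot: The new `- fix/bring_back_github_artifacts` entry under `on.push.branches` makes every push to an ordinary fix branch run the dev publish workflow, including the `Tag the dev deployment` step that pushes `${{ needs.metadata.outputs.version }}` tags to origin (that step is in the next hunk). This reads as a temporary trigger added to exercise the branch; if so it should be removed before merge, and the existing `workflow_dispatch: {}` trigger two lines below already gives a way to run the workflow on demand without widening the push trigger. If it is meant to stay, a comment above the entry saying why a single fix branch deploys to dev would save the next reader the same question. The rest of the `on:` block and the workflow `permissions` are outside the hunk.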
@@ -87,35 +88,35 @@ jobs: name: lambda-${{ needs.metadata.outputs.version }} path: dist/lambda.zip - - name: "Download Built Lambdas" - uses: actions/download-artifact@v5 - with: - name: lambda-${{ needs.metadata.outputs.version }} - path: ./build - - - name: "Configure AWS Credentials" - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role - aws-region: eu-west-2 - - - name: "Terraform Apply" - env: - ENVIRONMENT: dev - WORKSPACE: "default" - TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} - TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} - TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} - TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }} - TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} - - run: | - mkdir -p ./build - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" - make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE - echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" - make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE - working-directory: ./infrastructure +# - name: "Download Built Lambdas" +# uses: actions/download-artifact@v5 +# with: +# name: lambda-${{ needs.metadata.outputs.version }} +# path: ./build +# +# - name: "Configure AWS Credentials" +# uses: aws-actions/configure-aws-credentials@v5 +# with: +# role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role +# aws-region: eu-west-2 +# +# - name: "Terraform Apply" +# env: +# ENVIRONMENT: dev +# WORKSPACE: "default" +# TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} +# TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} +# TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} +# TF_VAR_SPLUNK_HEC_TOKEN: 
${{ secrets.SPLUNK_HEC_TOKEN }} +# TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} +# +# run: | +# mkdir -p ./build +# echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" +# make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE +# echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" +# make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE +# working-directory: ./infrastructure - name: "Tag the dev deployment" run: | @@ -124,23 +125,23 @@ jobs: git tag ${{ needs.metadata.outputs.version }} git push origin ${{ needs.metadata.outputs.version }} - - name: "Notify Slack on PR merge" - uses: slackapi/slack-github-action@v2.1.1 - with: - webhook: ${{ secrets.SLACK_WEBHOOK_URL }} - webhook-type: webhook-trigger - payload: | - status: "${{ job.status }}" - link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}" - Author: "${{ github.actor }}" - title: "Pushed to main" - version: "${{ needs.metadata.outputs.version }}" - - regression-tests: - name: "Regression Tests" - needs: publish - uses: ./.github/workflows/regression-tests.yml - with: - ENVIRONMENT: "dev" - VERSION_NUMBER: "main" - secrets: inherit +# - name: "Notify Slack on PR merge" +# uses: slackapi/slack-github-action@v2.1.1 +# with: +# webhook: ${{ secrets.SLACK_WEBHOOK_URL }} +# webhook-type: webhook-trigger +# payload: | +# status: "${{ job.status }}" +# link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}" +# Author: "${{ github.actor }}" +# title: "Pushed to main" +# version: "${{ needs.metadata.outputs.version }}" + +# regression-tests: +# name: "Regression Tests" +# needs: publish +# uses: ./.github/workflows/regression-tests.yml +# with: +# ENVIRONMENT: "dev" +# VERSION_NUMBER: "main" +# secrets: inherit 
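Review bot: With `Download Built Lambdas`, `Configure AWS Credentials` and `Terraform Apply` commented out in `@@ -87`, the `Tag the dev deployment` step that follows still runs, so a `${{ needs.metadata.outputs.version }}` tag is pushed for commits that were never deployed, and anything that reads those tags as a record of what is live will be misled. If the disablement is temporary, guard the tag step with the same switch, e.g. `if: ${{ false }}  # TODO: re-enable together with the deploy steps`, so the tag and the deployment stay coupled. Disabling steps with `if: ${{ false }}` (and jobs with `if: false`) is also preferable to the column-0 `#` blocks used here, in `@@ -124` below, in `cicd-3-test-deploy.yaml @@ -111` and in the new `mock_deploy.yaml`: the commented text still names `secrets.*` values that nothing validates any more, and such blocks drift from the live definition. The `publish` job and the `Tag the dev deployment` step continue outside the hunk.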
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
index c386c969..b35845ab 100644
--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
@@ -79,6 +79,7 @@ jobs:
 name: lambda-${{ needs.metadata.outputs.tag }}
 path: ./build
 run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ github.token }}
 
 - name: "Terraform Apply (TEST)"
 env:
@@ -111,11 +112,11 @@ jobs:
 s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
 --region eu-west-2
 
- regression-tests:
- name: "Regression Tests"
- needs: deploy
- uses: ./.github/workflows/regression-tests.yml
- with:
- ENVIRONMENT: "test"
- VERSION_NUMBER: "main"
- secrets: inherit
+# regression-tests:
+# name: "Regression Tests"
+# needs: deploy
+# uses: ./.github/workflows/regression-tests.yml
+# with:
+# ENVIRONMENT: "test"
+# VERSION_NUMBER: "main"
+# secrets: inherit
diff --git a/.github/workflows/mock_deploy.yaml b/.github/workflows/mock_deploy.yaml
new file mode 100644
index 00000000..c64d9ee1
--- /dev/null
+++ b/.github/workflows/mock_deploy.yaml
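Review bot: The added `github-token: ${{ github.token }}` only makes the `run-id` download work if the token the job receives carries `actions: read`; that permission is decided by the `permissions:` block in force for this job, which is above `@@ -79` and not in the hunk, and a job-level `permissions:` block replaces the workflow-level one entirely rather than extending it. Please confirm `actions: read` is granted at whichever level applies to this job, and add it to the job block if one exists, e.g. `permissions:` / `  actions: read`. The same download step is copied into the new `mock_deploy.yaml`, where the job-level block visibly lacks it. The `@@ -111` hunk below only comments out the `regression-tests` job and needs no separate review.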
@@ -0,0 +1,122 @@
+name: "mock deploy"
+
+on:
+ workflow_run:
+ workflows: ["2. CD | Deploy to Dev"]
+ types: [completed]
+
+permissions:
+ contents: read
+ id-token: write
+ actions: read
+
+jobs:
+ metadata:
+ name: "Resolve metadata from triggering run"
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ outputs:
+ terraform_version: ${{ steps.vars.outputs.terraform_version }}
+ tag: ${{ steps.tag.outputs.name }}
+ steps:
+ - name: "Checkout exact commit from CI/CD publish"
+ uses: actions/checkout@v5
+ with:
+ ref: ${{ github.event.workflow_run.head_sha }}
+
+ - name: "Set CI/CD variables"
+ id: vars
+ run: |
+ echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+
+ - name: "Resolve the dev-* tag for this commit"
+ id: tag
+ run: |
+ git fetch --tags --force
+ SHA="${{ github.event.workflow_run.head_sha }}"
+ TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true)
+ if [ -z "$TAG" ]; then
+ echo "No dev-* tag found on $SHA" >&2
+ exit 1
+ fi
+ echo "name=$TAG" >> $GITHUB_OUTPUT
+ echo "Resolved tag: $TAG"
+
+ deploy:
+ name: "Deploy to TEST (approval required)"
+ runs-on: ubuntu-latest
+ needs: [metadata]
+ environment: test
+ timeout-minutes: 10080
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: "Acquire deploy lock"
+ uses: softprops/turnstyle@v3
+ with:
+ poll-interval-seconds: 10
+
+ - name: "Checkout same commit"
+ uses: actions/checkout@v5
+ with:
+ ref: ${{ github.event.workflow_run.head_sha }}
+
+# - name: "Setup Terraform"
+# uses: hashicorp/setup-terraform@v3
+# with:
+# terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+
+ - name: "Configure AWS Credentials"
+ uses: aws-actions/configure-aws-credentials@v5
+ with:
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+ aws-region: eu-west-2
+
+ - name: "Download lambda artefact from dev workflow"
+ uses: actions/download-artifact@v5
+ with:
+ name: lambda-${{ needs.metadata.outputs.tag }}
+ path: ./build
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ github.token }}
+
+# - name: "Terraform Apply (TEST)"
+# env:
+# ENVIRONMENT: test
+# WORKSPACE: "default"
+# TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
+# TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
+# TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+# TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+# TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+# run: |
+# mkdir -p ./build
+# echo "Deploying tag: ${{ needs.metadata.outputs.tag }}"
+# echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+# make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+# echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+# make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
+# working-directory: ./infrastructure
+#
+# - name: "Extract S3 bucket name from Terraform output"
+# id: tf_output
+# run: |
+# BUCKET=$(terraform output -raw lambda_artifact_bucket)
+# echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
+# working-directory: ./infrastructure/stacks/api-layer
+#
+# - name: "Upload lambda artifact to S3"
+# run: |
+# aws s3 cp ./build/lambda.zip \
+# s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
+# --region eu-west-2
+
+# regression-tests:
+# name: "Regression Tests"
+# needs: deploy
+# uses: ./.github/workflows/regression-tests.yml
+# with:
+# ENVIRONMENT: "test"
+# VERSION_NUMBER: "main"
+# secrets: inherit
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 1fb835a2..4e88c4c6 100644
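Review bot: The `deploy` job's `permissions:` block lists only `id-token: write` and `contents: read`, and a job-level block replaces the workflow-level one, so the `actions: read` granted at the top of the file does not reach this job; the `Download lambda artefact from dev workflow` step then passes `github-token: ${{ github.token }}` with a `run-id` from a different run, which needs `actions: read` on that token, so the download is likely to be refused. Add `actions: read` to the job's `permissions:` block. Separately, `Configure AWS Credentials` assumes the real `github-actions-api-deployment-role` while every step that would use AWS (`Terraform Apply (TEST)`, `Extract S3 bucket name`, `Upload lambda artifact to S3`) is commented out, so this mock hands a live deployment credential to a job that does nothing with it; disable that step together with the others until it is needed. `timeout-minutes: 10080` also lets `softprops/turnstyle` keep a runner polling for up to seven days if the lock is never released, which is far longer than a stuck deploy should go unnoticed; a bound of an hour or two that fails loudly is easier to act on.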
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -331,6 +331,7 @@ resource "aws_iam_policy" "api_infrastructure" {
 "ssm:ListTagsForResource",
 "ssm:PutParameter",
 "ssm:AddTagsToResource",
+ "ssm:DeleteParameter",
 
 # acm
 "acm:ListTagsForCertificate",
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 1eff6615..09ba6733 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -232,7 +232,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
 "ssm:GetParameters",
 "ssm:ListTagsForResource",
 "ssm:PutParameter",
- "ssm:AddTagsToResource"
+ "ssm:AddTagsToResource",
+ "ssm:DeleteParameter"
 ]
 resources = ["*"]
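Review bot: `ssm:DeleteParameter` is added to the `api_infrastructure` policy and to the `permissions_boundary` document, where the statement's `resources = ["*"]` is visible, so the GitHub Actions deployment role can now delete any SSM parameter in the account rather than only those the API stacks own. Deletion is the first destructive action in what was a get/put/tag set, so it deserves a narrower resource ARN than the reads and writes, e.g. a separate statement with `resources = ["arn:aws:ssm:eu-west-2:<ACCOUNT_ID>:parameter/<API_PARAMETER_PREFIX>/*"]` (placeholders), leaving the wildcard on the non-destructive actions. A one-line comment next to the new action naming which parameters the deploy is expected to remove would also help the next reviewer of this role. The `api_infrastructure` statement's `resources` are not in the hunk, and the boundary hunk at `@@ -232` may continue beyond this page; both changes carry the same point.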