NHSDigital
diff --git a/‎.github/workflows/continuous-deployment.yml‎
Lines changed: 84 additions & 0 deletions b/‎.github/workflows/continuous-deployment.yml‎
Lines changed: 84 additions & 0 deletions
diff --git a/‎.github/workflows/deploy-backend.yml‎
Lines changed: 31 additions & 37 deletions b/‎.github/workflows/deploy-backend.yml‎
Lines changed: 31 additions & 37 deletions
diff --git a/‎.github/workflows/pr-deploy-and-test.yml‎
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/pr-deploy-and-test.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.github/workflows/pr-teardown.yml‎
Lines changed: 6 additions & 3 deletions b/‎.github/workflows/pr-teardown.yml‎
Lines changed: 6 additions & 3 deletions
@@ -0,0 +1,84 @@
+name: Continuous Deployment Pipeline
+
+on:
+  push:
+    branches:
+      - master
+
+jobs:
+  deploy-internal-dev-backend:
+    uses: ./.github/workflows/deploy-backend.yml
+    with:
+      apigee_environment: internal-dev
+      create_mns_subscription: true
+      environment: dev
+      sub_environment: internal-dev
+
+  run-internal-dev-sandbox-tests:
+    # Technically the first step is not a pre-requisite - sandbox backend deployment is handled by APIM
+    # Stipulating this condition simply makes it more likely the environment will be ready when tests are invoked
+    needs: [deploy-internal-dev-backend]
+    uses: ./.github/workflows/run-e2e-tests.yml
+    with:
+      apigee_environment: internal-dev-sandbox
+      environment: dev
+      sub_environment: internal-dev-sandbox
+    secrets:
+      APIGEE_PASSWORD: ${{ secrets.APIGEE_PASSWORD }}
+      APIGEE_BASIC_AUTH_TOKEN: ${{ secrets.APIGEE_BASIC_AUTH_TOKEN }}
+      APIGEE_OTP_KEY: ${{ secrets.APIGEE_OTP_KEY }}
+      STATUS_API_KEY: ${{ secrets.STATUS_API_KEY }}
+
+  run-sandbox-tests:
+    needs: [run-internal-dev-sandbox-tests]
+    uses: ./.github/workflows/run-e2e-tests.yml
+    with:
+      apigee_environment: sandbox
+      environment: dev
+      sub_environment: sandbox
+    secrets:
+      APIGEE_PASSWORD: ${{ secrets.APIGEE_PASSWORD }}
+      APIGEE_BASIC_AUTH_TOKEN: ${{ secrets.APIGEE_BASIC_AUTH_TOKEN }}
+      APIGEE_OTP_KEY: ${{ secrets.APIGEE_OTP_KEY }}
+      STATUS_API_KEY: ${{ secrets.STATUS_API_KEY }}
+
+  run-internal-dev-tests:
+    needs: [deploy-internal-dev-backend]
+    uses: ./.github/workflows/run-e2e-tests.yml
+    with:
+      apigee_environment: internal-dev
+      environment: dev
+      sub_environment: internal-dev
+    secrets:
+      APIGEE_PASSWORD: ${{ secrets.APIGEE_PASSWORD }}
+      APIGEE_BASIC_AUTH_TOKEN: ${{ secrets.APIGEE_BASIC_AUTH_TOKEN }}
+      APIGEE_OTP_KEY: ${{ secrets.APIGEE_OTP_KEY }}
+      STATUS_API_KEY: ${{ secrets.STATUS_API_KEY }}
+
+  deploy-higher-dev-envs:
+    needs: [run-internal-dev-tests]
+    strategy:
+      matrix:
+        sub_environment_name: [ref, int]
+    uses: ./.github/workflows/deploy-backend.yml
+    with:
+      apigee_environment: ${{ matrix.sub_environment_name }}
+      create_mns_subscription: true
+      environment: dev
+      sub_environment: ${{ matrix.sub_environment_name }}
+
+  run-higher-dev-env-tests:
+    needs: [deploy-higher-dev-envs]
+    strategy:
+      matrix:
+        sub_environment_name: [ref, int]
+    uses: ./.github/workflows/run-e2e-tests.yml
+    with:
+      apigee_environment: ${{ matrix.sub_environment_name }}
+      environment: dev
+      sub_environment: ${{ matrix.sub_environment_name }}
+    secrets:
+      APIGEE_PASSWORD: ${{ secrets.APIGEE_PASSWORD }}
+      APIGEE_BASIC_AUTH_TOKEN: ${{ secrets.APIGEE_BASIC_AUTH_TOKEN }}
+      APIGEE_OTP_KEY: ${{ secrets.APIGEE_OTP_KEY }}
+      STATUS_API_KEY: ${{ secrets.STATUS_API_KEY }}
@@ -27,12 +27,12 @@ on:
           - ref
           - prod
       create_mns_subscription:
-        description: Create an MNS Subscription. Only available in dev
+        description: Create an MNS Subscription programatically. Only available in AWS dev
         required: false
         type: boolean
         default: true
       environment:
-        type: string
+        type: choice
         description: Select the backend environment
         options:
           - dev
@@ -42,67 +42,59 @@ on:
         type: string
         description: Set the sub environment name e.g. pr-xxx, or green/blue in higher environments
 
+env: # Sonarcloud - do not allow direct usage of untrusted data
+  APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
+  ENVIRONMENT: ${{ inputs.environment }}
+  SUB_ENVIRONMENT: ${{ inputs.sub_environment }}
+
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   terraform-plan:
     runs-on: ubuntu-latest
     environment:
       name: ${{ inputs.environment }}
-    env: # Sonarcloud - do not allow direct usage of untrusted data
-      APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
-      BACKEND_ENVIRONMENT: ${{ inputs.environment }}
-      BACKEND_SUB_ENVIRONMENT: ${{ inputs.sub_environment }}
-    permissions:
-      id-token: write
-      contents: read
     steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
+
       - name: Connect to AWS
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
         with:
           aws-region: eu-west-2
           role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
           role-session-name: github-actions
 
-      - name: Whoami
-        run: aws sts get-caller-identity
-
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
-
       - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
         with:
           terraform_version: "1.12.2"
 
       - name: Terraform Init
-        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
-        run: make init apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+        working-directory: terraform
+        run: make init
 
       - name: Terraform Plan
-        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
-        run: make plan-ci apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+        working-directory: terraform
+        run: make plan-ci
 
       - name: Save Terraform Plan
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
         with:
-          name: tfplan
-          path: ${{ vars.TERRAFORM_DIR_PATH }}/tfplan
+          name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
+          path: terraform/tfplan
 
   terraform-apply:
     needs: terraform-plan
     runs-on: ubuntu-latest
     environment:
       name: ${{ inputs.environment }}
-    env: # Sonarcloud - do not allow direct usage of untrusted data
-      APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
-      BACKEND_ENVIRONMENT: ${{ inputs.environment }}
-      BACKEND_SUB_ENVIRONMENT: ${{ inputs.sub_environment }}
-    permissions:
-      id-token: write
-      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
 
-      - uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
+      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
         with:
           aws-region: eu-west-2
           role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
@@ -115,17 +107,17 @@ jobs:
       - name: Retrieve Terraform Plan
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
         with:
-          name: tfplan
-          path: ${{ vars.TERRAFORM_DIR_PATH }}
+          name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
+          path: terraform
 
       - name: Terraform Init
-        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
-        run: make init apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+        working-directory: terraform
+        run: make init
 
       - name: Terraform Apply
-        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        working-directory: terraform
         run: |
-          make apply-ci apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
+          make apply-ci
           echo "ID_SYNC_QUEUE_ARN=$(make -s output name=id_sync_queue_arn)" >> $GITHUB_ENV
 
       - name: Install poetry
@@ -137,12 +129,14 @@ jobs:
         with:
           python-version: 3.11
           cache: "poetry"
+          cache-dependency-path: |
+            lambdas/mns_subscription/poetry.lock
+            lambdas/shared/poetry.lock
 
       - name: Create MNS Subscription
         if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
         working-directory: "./lambdas/mns_subscription"
         env:
-          APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
           SQS_ARN: ${{ env.ID_SYNC_QUEUE_ARN }}
         run: |
           poetry install --no-root
 
@@ -0,0 +1,30 @@
+name: PR Deploy and Test
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+
+jobs:
+  deploy-pr-backend:
+    uses: ./.github/workflows/deploy-backend.yml
+    with:
+      apigee_environment: internal-dev
+      create_mns_subscription: true
+      environment: dev
+      sub_environment: pr-${{github.event.pull_request.number}}
+
+  run-e2e-tests:
+    needs: [deploy-pr-backend]
+    strategy:
+      matrix:
+        apigee_environment_name: [internal-dev, internal-dev-sandbox]
+    uses: ./.github/workflows/run-e2e-tests.yml
+    with:
+      apigee_environment: ${{ matrix.apigee_environment_name }}
+      environment: dev
+      sub_environment: pr-${{github.event.pull_request.number}}
+    secrets:
+      APIGEE_PASSWORD: ${{ secrets.APIGEE_PASSWORD }}
+      APIGEE_BASIC_AUTH_TOKEN: ${{ secrets.APIGEE_BASIC_AUTH_TOKEN }}
+      APIGEE_OTP_KEY: ${{ secrets.APIGEE_OTP_KEY }}
+      STATUS_API_KEY: ${{ secrets.STATUS_API_KEY }}
@@ -26,7 +26,7 @@ jobs:
 
     steps:
       - name: Connect to AWS
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
         with:
           aws-region: eu-west-2
           role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
@@ -43,7 +43,7 @@ jobs:
           terraform_version: "1.12.2"
 
       - name: Terraform Init and extract MNS SQS QUEUE ARN
-        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        working-directory: terraform
         run: |
           make init apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
           make workspace apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT
@@ -56,6 +56,9 @@ jobs:
         with:
           python-version: 3.11
           cache: "poetry"
+          cache-dependency-path: |
+            lambdas/mns_subscription/poetry.lock
+            lambdas/shared/poetry.lock
 
       - name: Unsubscribe MNS
         working-directory: "./lambdas/mns_subscription"
@@ -68,6 +71,6 @@ jobs:
           make unsubscribe
 
       - name: Terraform Destroy
-        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        working-directory: terraform
         run: |
           make destroy apigee_environment=$APIGEE_ENVIRONMENT environment=$BACKEND_ENVIRONMENT sub_environment=$BACKEND_SUB_ENVIRONMENT