VED-358 GitHub actions workflow to deploy to new INT (#691)

robertnovac1 · web-flow · commit 8adc7f476a2b · 2025-07-30T10:26:36.000+01:00
diff --git a/.github/workflows/deploy-blue-green.yml b/.github/workflows/deploy-blue-green.yml
@@ -0,0 +1,18 @@
+name: Deploy Blue Green - INT
+
+on:
+  pull_request:
+    types: [closed]
+    branches: [master]
+
+jobs:
+  deploy-green:
+    uses: ./.github/workflows/deploy-template.yml
+    with:
+      environment: green
+
+  deploy-blue:
+    needs: deploy-green
+    uses: ./.github/workflows/deploy-template.yml
+    with:
+      environment: blue
diff --git a/.github/workflows/deploy-template.yml b/.github/workflows/deploy-template.yml
@@ -0,0 +1,139 @@
+name: Deploy to INT and run E2e test
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+
+jobs:
+  terraform-plan:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Debug OIDC
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: github-actions
+
+      - name: Whoami
+        run: aws sts get-caller-identity
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.12.2"
+
+      - name: Terraform Init
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: |
+          export ENVIRONMENT=${{ inputs.environment }}
+          make init
+
+      - name: Terraform Plan
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: |
+          make plan environment=${{ inputs.environment }} aws_account_name=int
+
+  terraform-apply:
+    needs: terraform-plan
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    environment:
+      name: int
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: github-actions
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.12.2"
+
+      - name: Terraform Init
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: |
+          export ENVIRONMENT=${{ inputs.environment }}
+          make init
+
+      - name: Terraform Apply
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: |
+          make apply environment=${{ inputs.environment }} aws_account_name=int
+
+  e2e-tests:
+    needs: terraform-apply
+    if: ${{ vars.RUN_E2E == 'true' || inputs.environment == vars.ACTIVE_ENVIRONMENT }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
+          role-session-name: github-actions
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install Poetry
+        run: |
+          curl -sSL https://install.python-poetry.org | python3 -
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Set Poetry to use Python 3.11
+        working-directory: ${{ vars.E2E_DIR_PATH }}
+        run: |
+          poetry env use $(which python3.11)
+
+      - name: Install dependencies with Poetry
+        working-directory: ${{ vars.E2E_DIR_PATH }}
+        run: |
+          poetry install --no-root
+
+      - name: Run e2e tests
+        working-directory: ${{ vars.E2E_DIR_PATH }}
+        run: |
+          apigee_token=$(aws ssm get-parameter \
+            --name "/imms/apigee/non-prod/token" \
+            --with-decryption \
+            --query "Parameter.Value" \
+            --output text)
+
+          status_api_key=$(aws ssm get-parameter \
+            --name "/imms/apigee/non-prod/status-api-key" \
+            --with-decryption \
+            --query "Parameter.Value" \
+            --output text)
+
+          export APIGEE_ACCESS_TOKEN=$apigee_token
+          export APIGEE_USERNAME=apm-testing-internal-dev@nhs.net
+          export APIGEE_ENVIRONMENT=int
+          export STATUS_API_KEY=$status_api_key
+          export PROXY_NAME=immunisation-fhir-api-internal-dev
+          export SERVICE_BASE_PATH=immunisation-fhir-api/FHIR/R4
+          export SSO_LOGIN_URL=https://login.apigee.com
+
+          make run-immunization
diff --git a/terraform_old/Makefile b/terraform_old/Makefile
@@ -1,15 +1,16 @@
 -include .env
 
-environment = $(ENVIRONMENT)
-aws_profile = $(AWS_PROFILE) #apim-dev # Leave this here for pipeline
-tf_cmd = AWS_PROFILE=$(aws_profile) terraform
+environment ?= $(ENVIRONMENT)
+aws_account_name ?= $(AWS_ACCOUNT_NAME)
+aws_profile ?= $(AWS_PROFILE) #apim-dev # Leave this here for pipeline
+tf_cmd = $(if $(AWS_PROFILE),AWS_PROFILE=$(AWS_PROFILE) ,)terraform
 
 project_name = immunisation
 project_short_name = imms
-state_bucket = $(BUCKET_NAME) #$(project_name)-$(APIGEE_ENVIRONMENT)-terraform-state-files
+state_bucket = immunisation-preprod-terraform-state-files
 tf_state= -backend-config="bucket=$(state_bucket)"
 
-tf_vars= -var="project_name=$(project_name)" -var="project_short_name=$(project_short_name)" -var="profile=$(aws_profile)" -var="aws_account_name=$(AWS_ACCOUNT)"
+tf_vars= -var="project_name=$(project_name)" -var="project_short_name=$(project_short_name)" -var="aws_account_name=$(aws_account_name)" -var="environment=$(environment)"
 
 .PHONY : lock-provider workspace init plan apply clean destroy output state-list lambda-zip catch-all-zip
 
@@ -19,7 +20,7 @@ lock-provider:
 	$(tf_cmd) providers lock -platform=darwin_arm64 -platform=darwin_amd64 -platform=linux_amd64 -platform=windows_amd64
 
 workspace:
-	$(tf_cmd) workspace new $(ENVIRONMENT) || $(tf_cmd) workspace select $(ENVIRONMENT) && echo "Switched to workspace/environment: $(ENVIRONMENT)"
+	$(tf_cmd) workspace new $(environment) || $(tf_cmd) workspace select $(environment) && echo "Switched to workspace/environment: $(environment)"
 
 init:
 	$(tf_cmd) init $(tf_state) -upgrade $(tf_vars)
@@ -43,7 +44,7 @@ clean:
 destroy: workspace
 	$(tf_cmd) destroy $(tf_vars) -auto-approve
 	$(tf_cmd) workspace select default
-	$(tf_cmd) workspace delete $(ENVIRONMENT)
+	$(tf_cmd) workspace delete $(environment)
 
 output:
 	$(tf_cmd) output -raw $(name)
diff --git a/terraform_old/api_gateway/mtls_cert.tf b/terraform_old/api_gateway/mtls_cert.tf
@@ -4,7 +4,7 @@ locals {
 }
 
 data "aws_s3_bucket" "cert_storage" {
-  bucket = "imms-fhir-${var.config_env}-cert-storage"
+  bucket = "imms-fhir-${var.aws_account_name}-cert-storage"
 }
 
 data "aws_s3_object" "cert" {
@@ -15,6 +15,14 @@ data "aws_s3_object" "cert" {
 resource "aws_s3_bucket" "truststore_bucket" {
   bucket        = "${var.prefix}-truststores"
   force_destroy = true
+
+}
+
+resource "aws_s3_bucket_versioning" "versioning" {
+  bucket = aws_s3_bucket.truststore_bucket.id
+  versioning_configuration {
+    status = "Enabled"
+  }
 }
 
 resource "aws_s3_object_copy" "copy_cert_from_storage" {
diff --git a/terraform_old/api_gateway/variables.tf b/terraform_old/api_gateway/variables.tf
@@ -4,8 +4,7 @@ variable "zone_id" {}
 variable "api_domain_name" {}
 variable "environment" {}
 variable "oas" {}
-variable "config_env" {}
-
+variable "aws_account_name" {}
 locals {
   environment = terraform.workspace == "green" ? "prod" : terraform.workspace == "blue" ? "prod" : terraform.workspace
 }
diff --git a/terraform_old/endpoints.tf b/terraform_old/endpoints.tf
@@ -24,7 +24,7 @@ locals {
   imms_table_name = data.aws_dynamodb_table.events-dynamodb-table.name
   imms_lambda_env_vars = {
     "DYNAMODB_TABLE_NAME"    = local.imms_table_name,
-    "IMMUNIZATION_ENV"       = local.environment,
+    "IMMUNIZATION_ENV"       = var.aws_account_name,
     "IMMUNIZATION_BASE_PATH" = strcontains(local.environment, "pr-") ? "immunisation-fhir-api-${local.environment}" : "immunisation-fhir-api"
     # except for prod and ref, any other env uses PDS int environment
     "PDS_ENV"              = local.environment == "prod" ? "prod" : local.environment == "ref" ? "ref" : "int",
@@ -101,14 +101,14 @@ output "oas" {
 }
 
 module "api_gateway" {
-  source          = "./api_gateway"
-  prefix          = local.prefix
-  short_prefix    = local.short_prefix
-  zone_id         = data.aws_route53_zone.project_zone.zone_id
-  api_domain_name = local.service_domain_name
-  environment     = local.environment
-  oas             = local.oas
-  config_env      = local.config_env
+  source           = "./api_gateway"
+  prefix           = local.prefix
+  short_prefix     = local.short_prefix
+  zone_id          = data.aws_route53_zone.project_zone.zone_id
+  api_domain_name  = local.service_domain_name
+  environment      = local.environment
+  oas              = local.oas
+  aws_account_name = var.aws_account_name
 }
 
 
diff --git a/terraform_old/main.tf b/terraform_old/main.tf
@@ -17,12 +17,11 @@ terraform {
 }
 
 provider "aws" {
-  region  = var.region
-  profile = var.profile
+  region = var.region
   default_tags {
     tags = {
       Project     = var.project_name
-      Environment = local.environment
+      Environment = var.aws_account_name
       Service     = var.service
     }
   }
diff --git a/terraform_old/route53.tf b/terraform_old/route53.tf
@@ -2,14 +2,6 @@ locals {
   zone_subdomain = var.project_short_name
 }
 
-data "aws_route53_zone" "root_zone" {
-  name = local.root_domain
-}
-
-locals {
-  project_zone_name = "${local.zone_subdomain}.${data.aws_route53_zone.root_zone.name}"
-}
-
 data "aws_route53_zone" "project_zone" {
-  name    = local.project_zone_name
-}
+  name = "imms.${var.aws_account_name}.vds.platform.nhs.uk"
+}
diff --git a/terraform_old/splunk.tf b/terraform_old/splunk.tf
@@ -1,16 +1,13 @@
-locals {
-    splunk_env = local.environment == "prod" ? "prod" : local.environment == "int" ? "int" : "dev"
-}
 data "aws_secretsmanager_secret" "splunk_token" {
-    name = "imms/splunk/${local.splunk_env}/hec"
+  name = "imms/splunk/${var.aws_account_name}/hec"
 }
 data "aws_secretsmanager_secret_version" "splunk_token_id" {
-    secret_id = data.aws_secretsmanager_secret.splunk_token.id
+  secret_id = data.aws_secretsmanager_secret.splunk_token.id
 }
 
 module "splunk" {
-    source = "./splunk"
-    prefix = local.prefix
-    splunk_endpoint = "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event"
-    hec_token = data.aws_secretsmanager_secret_version.splunk_token_id.secret_string
-}
+  source          = "./splunk"
+  prefix          = local.prefix
+  splunk_endpoint = "https://firehose.inputs.splunk.aws.digital.nhs.uk/services/collector/event"
+  hec_token       = data.aws_secretsmanager_secret_version.splunk_token_id.secret_string
+}
diff --git a/terraform_old/variables.tf b/terraform_old/variables.tf
@@ -1,6 +1,9 @@
 variable "profile" {
   default = "apim-dev"
 }
+
+variable "environment" {}
+
 variable "aws_account_name" {
   default = "int"
 }
@@ -30,10 +33,6 @@ data "aws_subnets" "default" {
   }
 }
 
-locals {
-  root_domain = "${local.config_env}.vds.platform.nhs.uk"
-}
-
 locals {
   project_domain_name = data.aws_route53_zone.project_zone.name
 }
@@ -50,6 +49,7 @@ locals {
   service_domain_name     = "${local.env}.${local.project_domain_name}"
   immunisation_account_id = "084828561157"
   dspp_core_account_id    = "603871901111"
+  root_domain             = "${local.config_env}.vds.platform.nhs.uk"
 
   tags = {
     Project     = var.project_name
@@ -86,7 +86,7 @@ data "aws_security_group" "existing_securitygroup" {
 }
 
 data "aws_s3_bucket" "existing_config_bucket" {
-  bucket = "imms-int-supplier-config"
+  bucket = "imms-${var.aws_account_name}-supplier-config"
 }
 
 data "aws_s3_bucket" "existing_destination_bucket" {

Original file line number	Diff line number	Diff line change
`@@ -17,12 +17,11 @@ terraform {`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`provider "aws" {`
`20`		`- region = var.region`
`21`		`- profile = var.profile`
	`20`	`+ region = var.region`
`22`	`21`	`default_tags {`
`23`	`22`	`tags = {`
`24`	`23`	`Project = var.project_name`
`25`		`- Environment = local.environment`
	`24`	`+ Environment = var.aws_account_name`
`26`	`25`	`Service = var.service`
`27`	`26`	`}`
`28`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,9 @@`
`1`	`1`	`variable "profile" {`
`2`	`2`	`default = "apim-dev"`
`3`	`3`	`}`
	`4`	`+`
	`5`	`+variable "environment" {}`
	`6`	`+`
`4`	`7`	`variable "aws_account_name" {`
`5`	`8`	`default = "int"`
`6`	`9`	`}`
`@@ -30,10 +33,6 @@ data "aws_subnets" "default" {`
`30`	`33`	`}`
`31`	`34`	`}`
`32`	`35`
`33`		`-locals {`
`34`		`- root_domain = "${local.config_env}.vds.platform.nhs.uk"`
`35`		`-}`
`36`		`-`
`37`	`36`	`locals {`
`38`	`37`	`project_domain_name = data.aws_route53_zone.project_zone.name`
`39`	`38`	`}`
`@@ -50,6 +49,7 @@ locals {`
`50`	`49`	`service_domain_name = "${local.env}.${local.project_domain_name}"`
`51`	`50`	`immunisation_account_id = "084828561157"`
`52`	`51`	`dspp_core_account_id = "603871901111"`
	`52`	`+ root_domain = "${local.config_env}.vds.platform.nhs.uk"`
`53`	`53`
`54`	`54`	`tags = {`
`55`	`55`	`Project = var.project_name`
`@@ -86,7 +86,7 @@ data "aws_security_group" "existing_securitygroup" {`
`86`	`86`	`}`
`87`	`87`
`88`	`88`	`data "aws_s3_bucket" "existing_config_bucket" {`
`89`		`- bucket = "imms-int-supplier-config"`
	`89`	`+ bucket = "imms-${var.aws_account_name}-supplier-config"`
`90`	`90`	`}`
`91`	`91`
`92`	`92`	`data "aws_s3_bucket" "existing_destination_bucket" {`