Use consistent naming for dev / preprod / prod accounts. Rename int blue / green environments to int-blue / int-green. Update pipelines to supply the correct parameters. TF fixes for state import.

Author: mfjarvis

.github/workflows/deploy-blue-green.yml

@@ -1,18 +1,14 @@
 name: Deploy Blue Green - INT
 
 on:
-  pull_request:
-    types: [closed]
-    branches: [master]
+  push:
+    branches:
+      - release-2025-08-12
 
 jobs:
   deploy-green:
     uses: ./.github/workflows/deploy-template.yml
     with:
-      environment: green
-
-  deploy-blue:
-    needs: deploy-green
-    uses: ./.github/workflows/deploy-template.yml
-    with:
-      environment: blue
+      apigee_environment: int
+      environment: preprod
+      sub_environment: int-green

.github/workflows/deploy-template.yml

@@ -1,10 +1,17 @@
-name: Deploy to INT and run E2e test
+name: Deploy Template
+
 on:
   workflow_call:
     inputs:
+      apigee_environment:
+        required: true
+        type: string
       environment:
         required: true
         type: string
+      sub_environment:
+        required: true
+        type: string
 
 jobs:
   terraform-plan:
@@ -13,7 +20,7 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - name: Debug OIDC
+      - name: Connect to AWS
         uses: aws-actions/configure-aws-credentials@v4
         with:
           aws-region: eu-west-2
@@ -34,16 +41,13 @@ jobs:
 
       - name: Terraform Init
         working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
-        run: |
-          export ENVIRONMENT=${{ inputs.environment }}
-          make init
+        run: make init apigee_environment=${{ inputs.apigee_environment }} environment=${{ inputs.environment }} sub_environment=${{ inputs.sub_environment }}
 
       - name: Terraform Plan
         working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
-        run: |
-          make plan environment=${{ inputs.environment }} aws_account_name=int
-
+        run: make plan apigee_environment=${{ inputs.apigee_environment }} environment=${{ inputs.environment }} sub_environment=${{ inputs.sub_environment }}
   terraform-apply:
+    if: ${{ vars.SKIP_APPLY != 'true' }}
     needs: terraform-plan
     runs-on: ubuntu-latest
     permissions:
@@ -67,18 +71,14 @@ jobs:
 
       - name: Terraform Init
         working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
-        run: |
-          export ENVIRONMENT=${{ inputs.environment }}
-          make init
+        run: make init apigee_environment=${{ inputs.apigee_environment }} environment=${{ inputs.environment }} sub_environment=${{ inputs.sub_environment }}
 
       - name: Terraform Apply
         working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
-        run: |
-          make apply environment=${{ inputs.environment }} aws_account_name=int
-
+        run: make plan apigee_environment=${{ inputs.apigee_environment }} environment=${{ inputs.environment }} sub_environment=${{ inputs.sub_environment }}
   e2e-tests:
+    if: ${{ vars.RUN_E2E == 'true' && inputs.environment == vars.ACTIVE_ENVIRONMENT }}
     needs: terraform-apply
-    if: ${{ vars.RUN_E2E == 'true' || inputs.environment == vars.ACTIVE_ENVIRONMENT }}
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -93,15 +93,24 @@ jobs:
           role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
           role-session-name: github-actions
 
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.12.2"
+
+      - name: Terraform Init
+        working-directory: ${{ vars.TERRAFORM_DIR_PATH }}
+        run: make init apigee_environment=${{ inputs.apigee_environment }} environment=${{ inputs.environment }} sub_environment=${{ inputs.sub_environment }}
+
       - name: Set up Python
         uses: actions/setup-python@v5
         with:
           python-version: "3.11"
 
       - name: Install Poetry
         run: |
-          curl -sSL https://install.python-poetry.org | python3 -
+          curl -sSL https://install.python-poetry.org | python3 - --version 2.1.2
           echo "$HOME/.local/bin" >> $GITHUB_PATH
+          poetry --version
 
       - name: Set Poetry to use Python 3.11
         working-directory: ${{ vars.E2E_DIR_PATH }}
@@ -113,27 +122,39 @@ jobs:
         run: |
           poetry install --no-root
 
+      - name: Install oathtool
+        run: sudo apt-get update && sudo apt-get install -y oathtool
+
+      - name: Get JWT token for apigee
+        env:
+          APIGEE_USERNAME: ${{ vars.APIGEE_USERNAME }}
+          APIGEE_PASSWORD: ${{ secrets.APIGEE_PASSWORD }}
+          APIGEE_OAUTH_TOKEN: ${{ secrets.APIGEE_BASIC_AUTH_TOKEN }}
+          APIGEE_OTP_SECRET: ${{ secrets.APIGEE_OTP_KEY }}
+        run: |
+          CODE=$(oathtool --totp -b "$APIGEE_OTP_SECRET")
+          echo "::add-mask::$CODE"
+          echo "Requesting access token from Apigee..."
+          response=$(curl -s -X POST "https://login.apigee.com/oauth/token" \
+            -H "Content-Type: application/x-www-form-urlencoded" \
+            -H "Accept: application/json;charset=utf-8" \
+            -H "Authorization: Basic $APIGEE_BASIC_AUTH_TOKEN" \
+            -d "username=$APIGEE_USERNAME&password=$APIGEE_PASSWORD&mfa_token=$CODE&grant_type=password")
+          token=$(echo "$response" | jq -e -r '.access_token')
+          if [[ -z "$token" ]]; then
+            echo "Failed to retrieve access token"
+            exit 1
+          fi
+          echo "::add-mask::$token"
+          echo "APIGEE_ACCESS_TOKEN=$token" >> $GITHUB_ENV
+
       - name: Run e2e tests
         working-directory: ${{ vars.E2E_DIR_PATH }}
+        env:
+          APIGEE_ACCESS_TOKEN: ${{ env.APIGEE_ACCESS_TOKEN }}
+          APIGEE_USERNAME: [email protected]
         run: |
-          apigee_token=$(aws ssm get-parameter \
-            --name "/imms/apigee/non-prod/token" \
-            --with-decryption \
-            --query "Parameter.Value" \
-            --output text)
-
-          status_api_key=$(aws ssm get-parameter \
-            --name "/imms/apigee/non-prod/status-api-key" \
-            --with-decryption \
-            --query "Parameter.Value" \
-            --output text)
-
-          export APIGEE_ACCESS_TOKEN=$apigee_token
-          export [email protected]
-          export APIGEE_ENVIRONMENT=int
-          export STATUS_API_KEY=$status_api_key
-          export PROXY_NAME=immunisation-fhir-api-internal-dev
-          export SERVICE_BASE_PATH=immunisation-fhir-api/FHIR/R4
-          export SSO_LOGIN_URL=https://login.apigee.com
-
+          export APIGEE_ENVIRONMENT=internal-dev
+          export PROXY_NAME=immunisation-fhir-api-int-${{ inputs.environment }}
+          export SERVICE_BASE_PATH=immunisation-fhir-api/FHIR/R4-int-${{ inputs.environment }}
           make run-immunization

azure/azure-pr-teardown-pipeline.yml

@@ -47,8 +47,8 @@ jobs:
           export AWS_PROFILE=apim-dev
 
           cd terraform
-          make init environment="dev" sub_environment="$WORKSPACE" bucket_name="immunisation-internal-dev-terraform-state-files"
-          make workspace sub_environment="$WORKSPACE"
+          make init apigee_environment=internal-dev environment=dev sub_environment=$workspace
+          make workspace apigee_environment=internal-dev environment=dev sub_environment="$WORKSPACE"
 
           # Extract values from Terraform state before destroying
           ID_SYNC_QUEUE_ARN=$(make -s output name=id_sync_queue_arn)
@@ -76,6 +76,6 @@ jobs:
           export AWS_PROFILE=apim-dev
 
           cd terraform
-          make destroy environment="dev" sub_environment="$WORKSPACE" bucket_name="immunisation-internal-dev-terraform-state-files"
+          make destroy apigee_environment=internal-dev environment=dev sub_environment=$workspace
         displayName: Destroy terraform PR workspace and linked resources
-        retryCountOnTaskFailure: 2
+        retryCountOnTaskFailure: 2

azure/templates/post-deploy.yml

@@ -60,7 +60,7 @@ steps:
         echo pr_no: $pr_no
 
         cd terraform
-        make init
+        make init environment=${{ parameters.aws_account_type }} sub_environment=$workspace
         make apply environment=${{ parameters.aws_account_type }} sub_environment=$workspace
 
         AWS_DOMAIN_NAME=$(make -s output name=service_domain_name)

azure/templates/post-prod-deploy.yml

@@ -26,7 +26,6 @@ steps:
       set -e
       if ! [[ $APIGEE_ENVIRONMENT =~ .*-*sandbox ]]; then
         export AWS_PROFILE=apim-dev
-        aws_account_no="$(aws sts get-caller-identity --query Account --output text)"
 
         service_name=$(FULLY_QUALIFIED_SERVICE_NAME)
 
@@ -35,12 +34,12 @@ steps:
         echo sandbox with following parameters:
         echo workspace: $workspace
         echo AWS environment: $APIGEE_ENVIRONMENT
-        
+
           cd terraform
 
-        make init
-        make apply aws_account_no=${aws_account_no} environment=$workspace
+        make init environment=${{ parameters.aws_account_type }} sub_environment=$workspace
+        make plan environment=${{ parameters.aws_account_type }} sub_environment=$workspace
       fi
     displayName: Apply Terraform
     workingDirectory: "$(Pipeline.Workspace)/s/$(SERVICE_NAME)"
-    retryCountOnTaskFailure: 2
+    retryCountOnTaskFailure: 2

infra/.terraform.lock.hcl

@@ -2,7 +2,7 @@
 
 interactionId=$(ENVIRONMENT)
 
-tf_cmd = AWS_PROFILE=$(AWS_PROFILE) terraform
+tf_cmd = terraform
 tf_state= -backend-config="bucket=$(BUCKET_NAME)"
 tf_vars= -var-file=environments/$(ENVIRONMENT)/variables.tfvars
 
@@ -42,7 +42,7 @@ ifndef name
 endif
 	$(tf_cmd) output -raw $(name)
 
-import: 
+import:
 	$(tf_cmd) import $(tf_vars) $(to) $(id)
 
 tf-%:

infra/Makefile

@@ -3,9 +3,7 @@ dspp_account_id          = "603871901111"
 mns_account_id           = "631615744739"
 admin_role               = "root" # We shouldn't be using the root account. There should be an Admin role
 dev_ops_role             = "role/DevOps"
-auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
 mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "dev"
-parent_route53_zone_name = "dev.vds.platform.nhs.uk"
-child_route53_zone_name  = "imms.dev.vds.platform.nhs.uk"
+blue_green_split = false

…a/environments/non-prod/variables.tfvars infra/environments/dev/variables.tfvarsinfra/environments/non-prod/variables.tfvars renamed to infra/environments/dev/variables.tfvars infra/environments/non-prod/variables.tfvars renamed to infra/environments/dev/variables.tfvars

@@ -3,9 +3,7 @@ dspp_account_id          = "603871901111"
 mns_account_id           = "631615744739"
 admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Admin_acce656dcacf6f4c"
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PREPROD-IMMS-Devops_1d28e4f37b940bcd"
-auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
 mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
-environment              = "int"
-parent_route53_zone_name = "int.vds.platform.nhs.uk"
-child_route53_zone_name  = "imms.int.vds.platform.nhs.uk"
+environment              = "preprod"
+blue_green_split = true

infra/environments/int/variables.tfvars …ra/environments/preprod/variables.tfvarsinfra/environments/int/variables.tfvars renamed to infra/environments/preprod/variables.tfvars infra/environments/int/variables.tfvars renamed to infra/environments/preprod/variables.tfvars

@@ -3,9 +3,7 @@ dspp_account_id          = "232116723729"
 mns_account_id           = "758334270304"
 admin_role               = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Admin_edd6691e4b74064e"
 dev_ops_role             = "role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_PROD-IMMS-Devops_8f32c62195d56b76"
-auto_ops_role            = "role/auto-ops"
 dspp_admin_role          = "root"
 mns_admin_role           = "role/nhs-mns-events-lambda-delivery"
 environment              = "prod"
-parent_route53_zone_name = "prod.vds.platform.nhs.uk"
-child_route53_zone_name  = "imms.prod.vds.platform.nhs.uk"
+blue_green_split = true