
Commit 4b03f82

authored
Merge pull request #4748 from nhsuk/next
v4.4.0
2 parents e485203 + 76e8886 commit 4b03f82

95 files changed

+1616
-669
lines changed



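--- a/.github/workflows/build-and-push-image.yml
+++ b/.github/workflows/build-and-push-image.yml
@@ -12,11 +12,12 @@ on:
 description: The git commit sha to build the image from.
 type: string
 
-concurrency:
-group: build-and-push-image-${{ inputs.git-sha || github.sha }}
-
 env:
 PUSH_IMAGE_TO_PRODUCTION: ${{ github.ref_name == 'main' }}
+git_ref: ${{ inputs.git-sha || github.sha }}
+
+concurrency:
+group: build-and-push-image-${{ inputs.git-sha || github.sha }}
 
 permissions: {}
 
@@ -37,7 +38,7 @@ jobs:
 - name: Check if dev image exists
 id: check-dev-image
 run: |
-if aws ecr describe-images --repository-name mavis/webapp --image-ids imageTag=${{ inputs.git-sha || github.sha }} > /dev/null 2>&1; then
+if aws ecr describe-images --repository-name mavis/webapp --image-ids imageTag=$git_ref > /dev/null 2>&1; then
 echo "Dev image with given tag already exists"
 else
 echo "Dev image does not exist. Build needed"
@@ -53,7 +54,7 @@ jobs:
 if: env.PUSH_IMAGE_TO_PRODUCTION == 'true'
 id: check-prod-image
 run: |
-if aws ecr describe-images --repository-name mavis/webapp --image-ids imageTag=${{ inputs.git-sha || github.sha }} > /dev/null 2>&1; then
+if aws ecr describe-images --repository-name mavis/webapp --image-ids imageTag=$git_ref > /dev/null 2>&1; then
 echo "Production image with given tag already exists"
 else
 echo "Production image does not exist. Build needed"
@@ -68,7 +69,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v5
 with:
-ref: ${{ inputs.git-sha || github.sha }}
+ref: ${{ env.git_ref }}
 - name: Write build SHA
 run: git rev-parse HEAD > public/sha
 - name: Build Docker image
@@ -90,7 +91,7 @@ jobs:
 - name: Set aws roles
 id: determine-aws-roles
 run: |
-if [ ${{ env.PUSH_IMAGE_TO_PRODUCTION }} = 'true' ]; then
+if [ $PUSH_IMAGE_TO_PRODUCTION = 'true' ]; then
 echo 'aws-roles=["arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure", "arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure"]' >> $GITHUB_OUTPUT
 else
 echo 'aws-roles=["arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure"]' >> $GITHUB_OUTPUT
@@ -119,6 +120,6 @@ jobs:
 - name: Load Docker image
 run: docker load -i image.tar
 - name: Tag Docker image
-run: docker tag mavis:latest "${{ steps.login-ecr.outputs.registry }}/mavis/webapp":"${{ inputs.git-sha || github.sha }}"
+run: docker tag mavis:latest "${{ steps.login-ecr.outputs.registry }}/mavis/webapp":"$git_ref"
 - name: Push Docker image
-run: docker push "${{ steps.login-ecr.outputs.registry }}/mavis/webapp":"${{ inputs.git-sha || github.sha }}"
+run: docker push "${{ steps.login-ecr.outputs.registry }}/mavis/webapp":"$git_ref"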
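Review bot: The new shell lines expand `$git_ref` (lines 41 and 57) and `$PUSH_IMAGE_TO_PRODUCTION` (line 94) unquoted, while the `docker tag`/`docker push` lines in the last hunk quote `"$git_ref"`; the unquoted `[ $PUSH_IMAGE_TO_PRODUCTION = 'true' ]` becomes a malformed test if the variable is ever empty. Quoting is the safer habit now that these values arrive through the environment rather than being interpolated into the script text: `if [ "$PUSH_IMAGE_TO_PRODUCTION" = 'true' ]; then` and `--image-ids imageTag="$git_ref"`. Moving `inputs.git-sha` out of inline `${{ }}` in `run:` blocks and into `env` is the right way to stop the input being spliced into the shell source; the remaining `${{ }}` uses in `with:` and in the `steps.login-ecr.outputs.registry` reference are not shell-evaluated.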

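--- a/.github/workflows/data-replication-pipeline.yml
+++ b/.github/workflows/data-replication-pipeline.yml
@@ -41,6 +41,11 @@ on:
 default: false
 
 env:
+environment: ${{ inputs.environment }}
+deployment_type: ${{ inputs.deployment_type }}
+db_snapshot_arn: ${{ inputs.db_snapshot_arn }}
+egress_cidr: ${{ inputs.egress_cidr }}
+take_db_snapshot: ${{ inputs.take_db_snapshot }}
 aws_role: ${{ inputs.environment == 'production'
 && 'arn:aws:iam::820242920762:role/GithubDeployDataReplicationInfrastructure'
 || 'arn:aws:iam::393416225559:role/GithubDeployDataReplicationInfrastructure' }}
@@ -76,7 +81,7 @@ jobs:
 run: |
 set -e
 snapshot_identifier=snapshot-for-data-replication-$(date +"%Y-%m-%d-%H-%M-%S")
-aws rds create-db-cluster-snapshot --db-cluster-identifier mavis-${{ inputs.environment }} --db-cluster-snapshot-identifier $snapshot_identifier
+aws rds create-db-cluster-snapshot --db-cluster-identifier mavis-$environment --db-cluster-snapshot-identifier $snapshot_identifier
 echo "Waiting for snapshot to be available. This can take a while."
 aws rds wait db-cluster-snapshot-available --db-cluster-snapshot-identifier $snapshot_identifier
 echo "New snapshot is now available"
@@ -89,19 +94,19 @@ jobs:
 id: get-latest-snapshot
 run: |
 set -e
-if [ -z "${{ inputs.db_snapshot_arn }}" ]; then
+if [ -z "$db_snapshot_arn" ]; then
 echo "No snapshot ARN provided, fetching the latest snapshot"
 SNAPSHOT_ARN=$(aws rds describe-db-cluster-snapshots \
---query "DBClusterSnapshots[?DBClusterIdentifier=='mavis-${{ inputs.environment }}'].[DBClusterSnapshotArn, SnapshotCreateTime]" \
+--query "DBClusterSnapshots[?DBClusterIdentifier=='mavis-$environment'].[DBClusterSnapshotArn, SnapshotCreateTime]" \
 --output text | sort -k2 -r | head -n 1 | cut -f1)
 
 if [ -z "$SNAPSHOT_ARN" ]; then
-echo "No snapshots found for mavis-${{ inputs.environment }}"
+echo "No snapshots found for mavis-$environment"
 exit 1
 fi
 else
-echo "Using provided snapshot ARN: ${{ inputs.db_snapshot_arn }}"
-SNAPSHOT_ARN="${{ inputs.db_snapshot_arn }}"
+echo "Using provided snapshot ARN: $db_snapshot_arn"
+SNAPSHOT_ARN="$db_snapshot_arn"
 fi
 echo "Using snapshot ARN: $SNAPSHOT_ARN"
 echo "SNAPSHOT_ARN=$SNAPSHOT_ARN" >> $GITHUB_OUTPUT
@@ -130,9 +135,11 @@ jobs:
 uses: aws-actions/amazon-ecr-login@v2
 - name: Get docker image digest
 id: get-docker-image-digest
+env:
+IMAGE_TAG: ${{ inputs.image_tag || github.sha }}
 run: |
 set -e
-DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${{ inputs.image_tag || github.sha }}"
+DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:$IMAGE_TAG"
 docker pull "$DOCKER_IMAGE"
 DOCKER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$DOCKER_IMAGE")
 DIGEST="${DOCKER_DIGEST#*@}"
@@ -172,27 +179,26 @@ jobs:
 id: get-db-secret-arn
 working-directory: terraform/app
 run: |
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
 DB_SECRET_ARN=$(terraform output --raw db_secret_arn)
 echo "DB_SECRET_ARN=$DB_SECRET_ARN" >> $GITHUB_OUTPUT
 - name: Terraform Plan
 id: plan
 run: |
 set -eo pipefail
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
 
-CIDR_BLOCKS='${{ inputs.egress_cidr }}'
 PLAN_ARGS=(
 "plan"
-"-var=image_digest=${{ env.DOCKER_DIGEST }}"
+"-var=image_digest=$DOCKER_DIGEST"
 "-var=db_secret_arn=${{ steps.get-db-secret-arn.outputs.DB_SECRET_ARN }}"
-"-var=imported_snapshot=${{ env.SNAPSHOT_ARN }}"
-"-var-file=env/${{ inputs.environment }}.tfvars"
-"-var=allowed_egress_cidr_blocks=$CIDR_BLOCKS"
+"-var=imported_snapshot=$SNAPSHOT_ARN"
+"-var-file=env/$environment.tfvars"
+"-var=allowed_egress_cidr_blocks=$egress_cidr"
 "-out=${{ runner.temp }}/tfplan"
 )
 
-if [ "${{ env.REPLACE_DB_CLUSTER }}" = "true" ]; then
+if [ "$REPLACE_DB_CLUSTER" = "true" ]; then
 PLAN_ARGS+=("-replace" "aws_rds_cluster.cluster")
 fi
 terraform "${PLAN_ARGS[@]}" | tee ${{ runner.temp }}/tf_stdout
@@ -249,12 +255,12 @@ jobs:
 - name: Apply the changes
 run: |
 set -e
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
 terraform apply ${{ runner.temp }}/tfplan
 - name: Deploy db-access-service
 run: |
 task_definition_arn=$(terraform output -raw task_definition_arn)
 aws ecs update-service \
---cluster mavis-${{ inputs.environment }}-data-replication \
---service mavis-${{ inputs.environment }}-data-replication \
+--cluster "mavis-$environment-data-replication" \
+--service "mavis-$environment-data-replication" \
 --task-definition $task_definition_arn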
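Review bot: The five inputs promoted to workflow-level `env:` in the first hunk (new lines 44-48) are placed in the process environment of every step of every job, including third-party actions such as `aws-actions/amazon-ecr-login@v2`, whereas the digest step in the fourth hunk (new lines 138-139) shows the narrower pattern of a step-level `env:` for `IMAGE_TAG`. For values consumed by a single step, such as `db_snapshot_arn` in `get-latest-snapshot` and `egress_cidr` in the plan step, the step-level form limits what each action process can read and is easier to audit; `environment` is used widely and is reasonable at workflow level. The same workflow-level promotion appears in deploy-application.yml, deploy-backup-infrastructure.yml, deploy-infrastructure.yml and deploy.yml in this commit. `deployment_type` and `take_db_snapshot` are not referenced by any visible hunk, so whether they are read elsewhere in the file cannot be confirmed from here.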

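--- a/.github/workflows/deploy-application.yml
+++ b/.github/workflows/deploy-application.yml
@@ -40,14 +40,17 @@ on:
 
 permissions: {}
 
-concurrency:
-group: deploy-application-${{ inputs.environment }}
-
 env:
+git_sha_to_deploy: ${{ inputs.git_sha_to_deploy }}
+environment: ${{ inputs.environment }}
+server_types: ${{ inputs.server_types }}
 aws-role: ${{ inputs.environment == 'production'
 && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
 || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
 
+concurrency:
+group: deploy-application-${{ inputs.environment }}
+
 jobs:
 prepare-deployment:
 name: Prepare deployment
@@ -74,7 +77,7 @@ jobs:
 working-directory: terraform/app
 run: |
 set -e
-terraform init -backend-config=env/${{ inputs.environment }}-backend.hcl -reconfigure
+terraform init -backend-config="env/$environment-backend.hcl" -reconfigure
 terraform output -json | jq -r '
 "s3_bucket=" + .s3_bucket.value,
 "s3_key=" + .s3_key.value,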

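--- a/.github/workflows/deploy-backup-infrastructure.yml
+++ b/.github/workflows/deploy-backup-infrastructure.yml
@@ -14,14 +14,15 @@ on:
 
 permissions: {}
 
-concurrency:
-group: backup-infrastructure-${{ inputs.environment }}
-
 env:
+environment: ${{ inputs.environment }}
 aws_role: ${{ inputs.environment == 'production'
 && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
 || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
 
+concurrency:
+group: backup-infrastructure-${{ inputs.environment }}
+
 defaults:
 run:
 working-directory: terraform/backup/source
@@ -51,8 +52,8 @@ jobs:
 run: |
 set -e
 git config --global url."https://foo:${PERSONAL_ACCESS_TOKEN}@github.com/NHSDigital".insteadOf "https://github.com/NHSDigital"
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-terraform plan -var-file="env/${{ inputs.environment }}.tfvars" \
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
+terraform plan -var-file="env/$environment.tfvars" \
 -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
 - name: Validate the changes
 run: |
@@ -94,5 +95,5 @@ jobs:
 run: |
 set -e
 git config --global url."https://foo:${PERSONAL_ACCESS_TOKEN}@github.com/NHSDigital".insteadOf "https://github.com/NHSDigital"
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
 terraform apply ${{ runner.temp }}/tfplan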

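--- a/.github/workflows/deploy-infrastructure.yml
+++ b/.github/workflows/deploy-infrastructure.yml
@@ -17,16 +17,18 @@ on:
 
 permissions: {}
 
-concurrency:
-group: deploy-infrastructure-${{ inputs.environment }}
-
 env:
+environment: ${{ inputs.environment }}
+image_tag: ${{ inputs.image_tag || github.sha }}
+git_ref_to_deploy: ${{ inputs.git_ref_to_deploy || github.ref_name }}
 aws_role: ${{ inputs.environment == 'production'
 && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
 || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
 aws_account_id: ${{ inputs.environment == 'production'
 && '820242920762' || '393416225559' }}
-git_ref_to_deploy: ${{ inputs.git_ref_to_deploy || github.ref_name }}
+
+concurrency:
+group: deploy-infrastructure-${{ inputs.environment }}
 
 defaults:
 run:
@@ -48,17 +50,13 @@ jobs:
 with:
 role-to-assume: ${{ env.aws_role }}
 aws-region: eu-west-2
-- name: Set image tag
-run: |
-IMAGE_TAG="${{ inputs.image_tag || github.sha }}"
-echo "IMAGE_TAG=$IMAGE_TAG" >> $GITHUB_ENV
 - name: Login to ECR
 id: login-ecr
 uses: aws-actions/amazon-ecr-login@v2
 - name: Pull Docker image
 run: |
 set -e
-DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${IMAGE_TAG}"
+DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:$image_tag"
 docker pull "$DOCKER_IMAGE"
 echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> $GITHUB_ENV
 - name: Extract image digest
@@ -72,14 +70,14 @@ jobs:
 with:
 terraform_version: 1.13.3
 - name: Check if any deployments are running
-run: ../scripts/check-for-running-deployments.sh ${{ inputs.environment }}
+run: ../scripts/check-for-running-deployments.sh $environment
 - name: Terraform Plan
 id: plan
 run: |
 set -e
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-terraform plan -var="image_digest=$DIGEST" -var="app_version=${{ env.git_ref_to_deploy }}" \
--var-file="env/${{ inputs.environment }}.tfvars" \
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
+terraform plan -var="image_digest=$DIGEST" -var="app_version=$git_ref_to_deploy" \
+-var-file="env/$environment.tfvars" \
 -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
 TF_EXIT_CODE=${PIPESTATUS[0]}
 cat ${{ runner.temp }}/tf_stdout
@@ -122,5 +120,5 @@ jobs:
 - name: Apply the changes
 run: |
 set -e
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
 terraform apply ${{ runner.temp }}/tfplan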
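Review bot: New line 73 passes `$environment` to `../scripts/check-for-running-deployments.sh` unquoted, so an empty or whitespace-containing value reaches the script as no argument (or several) rather than as one empty string, which a script's own argument check would otherwise catch; deploy-monitoring.yml in this same commit quotes it as `"$environment"`. Suggest `run: ../scripts/check-for-running-deployments.sh "$environment"`. Dropping the "Set image tag" step that wrote `IMAGE_TAG` to `$GITHUB_ENV` in favour of a workflow-level `image_tag` is fine, though `DOCKER_IMAGE` is still appended to `$GITHUB_ENV` on the context line below, so the mixed style remains; the "Extract image digest" step that defines `$DIGEST` lies outside the hunk.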

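--- a/.github/workflows/deploy-monitoring.yml
+++ b/.github/workflows/deploy-monitoring.yml
@@ -58,8 +58,8 @@ jobs:
 id: plan
 run: |
 set -e
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-terraform plan -var-file="env/${{ inputs.environment }}.tfvars" \
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
+terraform plan -var-file="env/$environment.tfvars" \
 -out ${{ runner.temp }}/tfplan-aws | tee ${{ runner.temp }}/tf_stdout_aws
 TF_EXIT_CODE=${PIPESTATUS[0]}
 cat ${{ runner.temp }}/tf_stdout_aws
@@ -114,7 +114,7 @@ jobs:
 - name: Apply AWS changes
 run: |
 set -e
-terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+terraform init -backend-config="env/$environment-backend.hcl" -upgrade
 terraform apply ${{ runner.temp }}/tfplan-aws
 
 apply-grafana:
@@ -147,5 +147,5 @@ jobs:
 sudo apt-get install -y jq uuid-runtime
 - name: Deploy Grafana using tf_grafana.sh
 run: |
-./tf_grafana.sh ${{ inputs.environment }} plan --plan-file ${{ runner.temp }}/out
-./tf_grafana.sh ${{ inputs.environment }} apply --plan-file ${{ runner.temp }}/out
+./tf_grafana.sh "$environment" plan --plan-file ${{ runner.temp }}/out
+./tf_grafana.sh "$environment" apply --plan-file ${{ runner.temp }}/out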
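Review bot: Every new line in this file (61, 62, 117, 150, 151) now reads `$environment` from the shell environment, but the section's "5 additions & 5 deletions" are all visible here and none of them adds an `environment` entry to the workflow's `env:` block, unlike the other workflows in this commit. Unless that block, which lies outside these hunks, already defines `environment: ${{ inputs.environment }}`, the variable expands to an empty string in both the `plan`/`apply-aws` job and the `apply-grafana` job, turning the backend path into `env/-backend.hcl` and handing `tf_grafana.sh` an empty first argument. If it is not already present, add `environment: ${{ inputs.environment }}` under the top-level `env:` as deploy-backup-infrastructure.yml does in this same commit. A `set -u` at the top of these `run:` blocks would make a missing variable fail immediately rather than proceed with an empty value.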

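--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -45,6 +45,9 @@ on:
 default: all
 
 env:
+git_ref_to_deploy: ${{ inputs.git_ref_to_deploy }}
+environment: ${{ inputs.environment }}
+server_types: ${{ inputs.server_types }}
 account_id: ${{ inputs.environment == 'production' && '820242920762' || '393416225559' }}
 
 jobs:
@@ -54,8 +57,8 @@ jobs:
 steps:
 - name: Validate inputs
 run: |
-if [[ "${{ inputs.environment }}" == "preview" || "${{ inputs.environment }}" == "production" ]]; then
-if [[ -z "${{ inputs.git_ref_to_deploy }}" ]]; then
+if [[ "$environment" == "preview" || "$environment" == "production" ]]; then
+if [[ -z "$git_ref_to_deploy" ]]; then
 echo "Error: git_ref_to_deploy is required for preview and production environments."
 exit 1
 fi
@@ -103,7 +106,7 @@ jobs:
 id: compare-permissions
 run: |
 source ./scripts/validate-github-actions-policy.sh
-validate_policies arn:aws:iam::${{ env.account_id }}:policy/DeployMavisResources ./account/resources/iam_policy_DeployMavisResources.json
+validate_policies "arn:aws:iam::$account_id:policy/DeployMavisResources" ./account/resources/iam_policy_DeployMavisResources.json
 exit $?
 update-permissions:
 runs-on: ubuntu-latest
@@ -126,7 +129,7 @@ jobs:
 role-to-assume: arn:aws:iam::${{ env.account_id }}:role/GithubDeployMavisAndInfrastructure
 aws-region: eu-west-2
 - name: Update IAM policy
-run: ./scripts/update-github-actions-policy.sh arn:aws:iam::${{ env.account_id }}:policy/DeployMavisResources ./account/resources/iam_policy_DeployMavisResources.json
+run: ./scripts/update-github-actions-policy.sh "arn:aws:iam::$account_id:policy/DeployMavisResources" ./account/resources/iam_policy_DeployMavisResources.json
 deploy-infrastructure:
 permissions:
 id-token: write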
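Review bot: The rewritten "Validate inputs" step (new lines 60-61) still only checks that `git_ref_to_deploy` is non-empty for `preview` and `production`; it does not reject an `environment` value outside the expected set, and `account_id` on context line 51 maps anything that is not exactly `production` to the non-production account, so a mistyped value would be routed there silently. Unless the `environment` input is declared with `type: choice` (its declaration is outside this hunk), an explicit allow-list in this step would close that gap, for example `case "$environment" in preview|production|<other-known-envs>) ;; *) echo "Error: unknown environment '$environment'"; exit 1;; esac` with the real environment names filled in. The `server_types` variable added at line 50 is not referenced by any visible hunk, so its use cannot be confirmed from here.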
