deploy-sandbox.yml
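---
# Manually triggered deployment of a named sandbox environment.
# Flow: validate the sandbox name -> plan/apply the infrastructure on `main`
# into a per-sandbox Terraform workspace -> (if a non-main ref was requested)
# plan/apply the requested ref on top of it, in the same workspace.
name: "Deploy - Sandbox"
run-name: "${{ github.event.inputs.git_ref }} | ${{ github.event.inputs.sandbox_name }}"

# `on` looks like a YAML 1.1 boolean to generic parsers; GitHub's loader reads
# it as the trigger key, so it stays unquoted on purpose.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      git_ref:
        description: "Branch, tag or SHA to deploy"
        required: true
        type: "string"
      sandbox_name:
        description: "Sandbox name [a-z0-9]{1,8}"
        required: true
        type: "string"

# Workflow-wide token permissions (apply to every job below).
permissions:
  # NOTE(review): no step in this file visibly uses the pull-requests scope;
  # confirm it is needed, otherwise drop it to keep the token least-privilege.
  pull-requests: write
  id-token: write  # This is required for requesting the JWT
  contents: read  # This is required for actions/checkout

jobs:
  # Gate: fail fast on a malformed sandbox name before any cloud credentials
  # are requested. Every later job depends on this one (directly or via the
  # `needs` chain), so the regex below is the only format check needed.
  validate_inputs:
    name: Validate Inputs
    runs-on: ubuntu-latest
    environment: development
    steps:
      - name: Validate sandbox name
        # The input is read from the environment, never interpolated into the
        # script text, so it cannot be re-parsed as shell syntax.
        run: |
          if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,8}$ ]]; then
            echo "Sandbox name must match [a-z0-9]{1,8} (lowercase letters and digits only, 1-8 chars)."
            exit 1
          fi
        env:
          SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}

  # Baseline: apply the `main` configuration into the sandbox's workspace,
  # creating the workspace if it does not exist yet.
  terraform_plan_apply_main:
    name: Terraform Plan/Apply (main)
    runs-on: ubuntu-latest
    needs: validate_inputs
    environment: development
    steps:
      # NOTE(review): third-party actions are referenced by major-version tag;
      # pinning to a full commit SHA would make the supply chain immutable.
      - name: Checkout main
        uses: actions/checkout@v5
        with:
          ref: main

      # Short-lived credentials via OIDC (this is what `id-token: write` is for).
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
          role-skip-session-tagging: true
          aws-region: ${{ vars.AWS_REGION }}
          mask-aws-account-id: true

      # Install a pinned Terraform CLI; the wrapper is disabled so the raw
      # binary (and its exit codes) is what the `run:` steps below invoke.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.13.3
          terraform_wrapper: false

      - name: Initialise Terraform
        id: main_init
        run: terraform init -backend-config=backend.conf
        working-directory: ./infrastructure
        shell: bash

      # Workflow inputs and repository variables are handed to the shell via
      # `env:` rather than `${{ }}` interpolation inside the command string,
      # so their values are quoted shell arguments, not shell source.
      - name: Select Terraform Workspace
        id: main_workspace
        run: terraform workspace select -or-create "$SANDBOX_NAME"
        working-directory: ./infrastructure
        shell: bash
        env:
          SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}

      - name: Run Terraform Plan
        id: main_plan
        run: |
          terraform plan -input=false -no-color -var-file="$TF_VARS_FILE" -out tf-main.plan
        working-directory: ./infrastructure
        shell: bash
        env:
          TF_VARS_FILE: ${{ vars.TF_VARS_FILE }}

      - name: Run Terraform Apply
        run: terraform apply -auto-approve -input=false tf-main.plan
        working-directory: ./infrastructure

  # Overlay: apply the requested ref on top of the `main` baseline in the same
  # workspace. Skipped when the requested ref is `main` itself.
  terraform_plan_apply_branch:
    name: Terraform Plan/Apply (branch)
    if: ${{ github.event.inputs.git_ref != 'main' }}
    runs-on: ubuntu-latest
    needs: terraform_plan_apply_main
    environment: development
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
          role-skip-session-tagging: true
          aws-region: ${{ vars.AWS_REGION }}
          mask-aws-account-id: true

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: 1.13.3
          terraform_wrapper: false

      # The ref is passed to the action as an input (not into a shell), so
      # expression interpolation is safe here.
      - name: Checkout Branch
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.inputs.git_ref }}

      # Checks that all Terraform configuration files adhere to a canonical format.
      - name: Check Terraform Formatting
        run: terraform fmt -check
        working-directory: ./infrastructure

      - name: Initialise Terraform
        id: init
        run: terraform init -backend-config=backend.conf
        working-directory: ./infrastructure
        shell: bash

      # No `-or-create` here: the workspace was created by the main job.
      - name: Select Terraform Workspace
        id: workspace
        run: terraform workspace select "$SANDBOX_NAME"
        working-directory: ./infrastructure
        shell: bash
        env:
          SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}

      - name: Run Terraform Plan
        id: plan
        run: |
          terraform plan -input=false -no-color -var-file="$TF_VARS_FILE" -out tf.plan
        working-directory: ./infrastructure
        shell: bash
        env:
          TF_VARS_FILE: ${{ vars.TF_VARS_FILE }}

      - name: Run Terraform Apply (branch over main)
        run: terraform apply -auto-approve -input=false tf.plan
        working-directory: ./infrastructure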