diff --git a/.github/workflows/base-cleanup-lambda-edge.yml b/.github/workflows/base-cleanup-lambda-edge.yml index eae811270..b4c936bdf 100644 --- a/.github/workflows/base-cleanup-lambda-edge.yml +++ b/.github/workflows/base-cleanup-lambda-edge.yml @@ -3,25 +3,18 @@ name: 'Z-BASE: Cleanup - Lambda@Edge' on: workflow_call: inputs: - sandbox_workspace: - description: 'The sandbox workspace name' + git_ref: + description: 'Branch, tag or SHA' required: true type: string - environment: + sandbox_name: + description: 'Sandbox name' required: true type: string - lambda_function_name: - description: 'The sandbox workspace name' + environment: + description: "GitHub Environment name" required: true type: string - python_version: - description: 'Version of Python to run the cleanup script against' - required: true - type: 'string' - build_branch: - description: 'Feature branch to push to sandbox.' - required: true - type: 'string' secrets: AWS_ASSUME_ROLE: required: true @@ -39,23 +32,21 @@ jobs: steps: - name: Display passed variables run: | - echo Python Version: ${{ inputs.python_version }} - echo Build Branch: ${{ inputs.build_branch }} + echo Sandbox name: ${{ inputs.sandbox_name }} + echo Git branch/tag/sha: ${{ inputs.git_ref }} echo Environment: ${{ inputs.environment }} - echo Sandbox: ${{ inputs.sandbox_workspace }} - echo Lambda Function Name: ${{ inputs.lambda_function_name }} - name: Checkout uses: actions/checkout@v5 with: repository: 'nhsconnect/national-document-repository-infrastructure' - ref: ${{ inputs.build_branch }} + ref: ${{ inputs.git_ref }} fetch-depth: '0' - - name: Set up Python ${{ inputs.python_version }} + - name: Set up Python 3.11 uses: actions/setup-python@v6 with: - python-version: ${{ inputs.python_version }} + python-version: 3.11 - name: Configure AWS Credentials for ${{ vars.AWS_REGION }} uses: aws-actions/configure-aws-credentials@v5 
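Review bot: The new `echo Sandbox name: ${{ inputs.sandbox_name }}` and `echo Git branch/tag/sha: ${{ inputs.git_ref }}` lines in the Display step splice caller-supplied inputs into the script text before bash runs it, so the values are treated as code rather than data, and this base workflow has no counterpart of the `Validate inputs` step the commit adds to deploy-sandbox.yml even though tear-down-sandbox.yml forwards a free-text workflow_dispatch `sandbox_name` into it. The established mitigation is to pass the values through `env:` and reference them as quoted shell variables, which the commit already does for `LAMBDA_FUNCTION_NAME` in this file's last hunk; the same applies to the `jq --arg origin_id "${{ inputs.sandbox_name }}-lloyd-george-store"` and `echo "No distribution found…"` lines in the cloudfront hunk, to `cleanup_versions.py ${{ inputs.sandbox_name }}` in base-cleanup-workspace.yml, and to the workspace-select and cleanup-script lines in tear-down-sandbox.yml. If a regex check is preferred instead, cron-tear-down-test.yml passes `ndr-test`, which the deploy-sandbox pattern `[a-z0-9]{1,9}` would reject, so the allowed set needs deciding first. Separately, `python-version: 3.11` is an unquoted float; `python-version: '3.11'` avoids YAML retyping if the value is later changed to one with a trailing zero.
```yaml
      - name: Display passed variables
        env:
          SANDBOX_NAME: ${{ inputs.sandbox_name }}
          GIT_REF: ${{ inputs.git_ref }}
          ENVIRONMENT: ${{ inputs.environment }}
        run: |
          echo "Sandbox name: $SANDBOX_NAME"
          echo "Git branch/tag/sha: $GIT_REF"
          echo "Environment: $ENVIRONMENT"
      # … unchanged: Checkout, Set up Python 3.11, Configure AWS Credentials steps …
```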
@@ -69,11 +60,11 @@ jobs: id: cloudfront run: | aws cloudfront list-distributions > distributions.json - distribution_id=$(jq -r --arg origin_id "${{ inputs.sandbox_workspace }}-lloyd-george-store" \ + distribution_id=$(jq -r --arg origin_id "${{ inputs.sandbox_name }}-lloyd-george-store" \ '.DistributionList.Items[] | select(.Origins.Items[].Id==$origin_id) | .Id' distributions.json | head -n 1) if [ -z "$distribution_id" ]; then - echo "No distribution found for origin ID: ${{ inputs.sandbox_workspace }}-lloyd-george-store" + echo "No distribution found for origin ID: ${{ inputs.sandbox_name }}-lloyd-george-store" else echo "Distribution ID found: $distribution_id" fi @@ -91,4 +82,4 @@ jobs: run: ./venv/bin/python3 -u scripts/remove_edge_associations.py env: DISTRIBUTION_ID: ${{ env.DISTRIBUTION_ID }} - LAMBDA_FUNCTION_NAME: ${{ inputs.lambda_function_name }} + LAMBDA_FUNCTION_NAME: "${{ inputs.sandbox_name }}_EdgePresignLambda" diff --git a/.github/workflows/base-cleanup-workspace.yml b/.github/workflows/base-cleanup-workspace.yml index b917f3dcd..1de1ed082 100644 --- a/.github/workflows/base-cleanup-workspace.yml +++ b/.github/workflows/base-cleanup-workspace.yml @@ -3,22 +3,18 @@ name: 'Z-BASE: Cleanup - Workspace' on: workflow_call: inputs: - build_branch: - description: 'Feature branch to push to sandbox.' + git_ref: + description: 'Branch, tag or SHA' required: true - type: 'string' - sandbox: - description: 'Which Sandbox to push to.' + type: string + sandbox_name: + description: 'Sandbox name' required: true - type: 'string' + type: string environment: - description: "Which environment should this run against" + description: "GitHub Environment name" required: true - type: "string" - python_version: - description: "Version of Python to run the cleanup script against" - required: true - type: "string" + type: string secrets: AWS_ASSUME_ROLE: required: true 
@@ -35,10 +31,9 @@ jobs: steps: - name: Display client passed variables run: | - echo Python Version: ${{ inputs.python_version }} - echo Build Branch: ${{ inputs.build_branch }} + echo Sandbox name: ${{ inputs.sandbox_name }} + echo Git branch/tag/sha: ${{ inputs.git_ref }} echo Environment: ${{ inputs.environment }} - echo Sandbox: ${{ inputs.sandbox }} cleanup_process: name: Run Cleanup Versions script @@ -50,13 +45,13 @@ jobs: uses: actions/checkout@v5 with: repository: 'nhsconnect/national-document-repository-infrastructure' - ref: ${{ inputs.build_branch }} + ref: ${{ inputs.git_ref }} fetch-depth: '0' - - name: Set up Python ${{ inputs.python_version }} + - name: Set up Python 3.11 uses: actions/setup-python@v6 with: - python-version: ${{ inputs.python_version }} + python-version: 3.11 - name: Make virtual environment run: | @@ -74,4 +69,4 @@ jobs: - name: Run Version Cleanup Script run: | - ./venv/bin/python3 scripts/cleanup_versions.py ${{ inputs.sandbox }} + ./venv/bin/python3 scripts/cleanup_versions.py ${{ inputs.sandbox_name }} diff --git a/.github/workflows/automated-daily-health-check.yml b/.github/workflows/cron-daily-health-check.yml similarity index 96% rename from .github/workflows/automated-daily-health-check.yml rename to .github/workflows/cron-daily-health-check.yml index 5aa9577ec..16fe97bc5 100644 --- a/.github/workflows/automated-daily-health-check.yml +++ b/.github/workflows/cron-daily-health-check.yml @@ -1,8 +1,8 @@ -name: 'Z-AUTOMATED: Daily health check' +name: 'Z-CRON: Daily health check' on: - schedule: - - cron: 30 4 * * 1-5 + schedule: + - cron: 30 4 * * 1-5 permissions: pull-requests: write 
@@ -189,9 +189,7 @@ jobs: needs: [ 'set_workspace', 'deploy_ui', 'deploy_all_lambdas' ] uses: ./.github/workflows/tear-down-sandbox.yml with: - build_branch: main + git_ref: main + sandbox_name: ${{ needs.set_workspace.outputs.workspace }} environment: development - sandbox_workspace: ${{ needs.set_workspace.outputs.workspace }} - terraform_vars: dev.tfvars - backend: backend.conf secrets: inherit diff --git a/.github/workflows/automated-tear-down-sandbox.yml b/.github/workflows/cron-tear-down-sandbox.yml similarity index 96% rename from .github/workflows/automated-tear-down-sandbox.yml rename to .github/workflows/cron-tear-down-sandbox.yml index 8aa483a60..5a8af25b3 100644 --- a/.github/workflows/automated-tear-down-sandbox.yml +++ b/.github/workflows/cron-tear-down-sandbox.yml @@ -1,4 +1,4 @@ -name: 'Z-AUTOMATED: Tear down - Sandbox' +name: 'Z-CRON: Tear down - Sandbox' on: schedule: diff --git a/.github/workflows/automated-tear-down-test.yml b/.github/workflows/cron-tear-down-test.yml similarity index 92% rename from .github/workflows/automated-tear-down-test.yml rename to .github/workflows/cron-tear-down-test.yml index f2e1a6418..eec8c45a8 100644 --- a/.github/workflows/automated-tear-down-test.yml +++ b/.github/workflows/cron-tear-down-test.yml @@ -1,4 +1,4 @@ -name: 'Z-AUTOMATED: Tear down - Test' +name: 'Z-CRON: Tear down - Test' on: schedule: @@ -14,10 +14,8 @@ jobs: name: Remove Lambda@Edge Associations uses: ./.github/workflows/base-cleanup-lambda-edge.yml with: - sandbox_workspace: ndr-test - lambda_function_name: 'ndr-test_EdgePresignLambda' - python_version: 3.11 - build_branch: main + git_ref: main + sandbox_name: ndr-test environment: test secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} 
@@ -26,10 +24,9 @@ jobs: name: Cleanup Versions Process uses: ./.github/workflows/base-cleanup-workspace.yml with: - build_branch: main - sandbox: ndr-test + git_ref: main + sandbox_name: ndr-test environment: test - python_version: 3.11 secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} diff --git a/.github/workflows/deploy-pre-prod.yml b/.github/workflows/deploy-pre-prod.yml index 9c7226755..e29abe167 100644 --- a/.github/workflows/deploy-pre-prod.yml +++ b/.github/workflows/deploy-pre-prod.yml @@ -1,10 +1,12 @@ name: "Deploy - Pre-prod" +run-name: "${{ github.event.inputs.branch_or_tag }}" + on: workflow_dispatch: inputs: branch_or_tag: - description: "Which branch or tag do you want to deploy to pre-prod?" + description: "Branch or tag to deploy" required: true type: string default: main diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml index 4f5c8675f..c86ed4d5c 100644 --- a/.github/workflows/deploy-prod.yml +++ b/.github/workflows/deploy-prod.yml @@ -1,11 +1,12 @@ -# .github/workflows/terraform-dev name: "Deploy - Prod" +run-name: "${{ github.event.inputs.git_tag }}" + on: workflow_dispatch: inputs: - tagVersion: - description: "What tagged verison do you want to push to prod?" + git_tag: + description: "Git tag to deploy" required: true type: "string" @@ -24,7 +25,7 @@ jobs: - name: Checkout uses: actions/checkout@v5 with: - ref: ${{ github.event.inputs.tagVersion}} + ref: refs/tags/${{ github.event.inputs.git_tag}} fetch-depth: "0" - name: Configure AWS Credentials diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 8a78dd07c..d5f0d5dfa 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml 
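Review bot: The rewritten `ref: refs/tags/${{ github.event.inputs.git_tag}}` line keeps the missing space before `}}`, and the same appears on the new `sandbox_name}}` lines in deploy-sandbox.yml and the `git_ref}}` line in deploy-test.yml, while every other expression in these files is written `${{ … }}`. GitHub accepts both forms, so this is style only, but since the commit already touches these lines it is the moment to normalise them: `ref: refs/tags/${{ github.event.inputs.git_tag }}`. Pinning the checkout to the `refs/tags/` namespace is a sound change and needs no further comment.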
@@ -1,20 +1,16 @@ -# .github/workflows/terraform-dev name: "Deploy - Sandbox" +run-name: "${{ github.event.inputs.git_ref }} | ${{ github.event.inputs.sandbox_name }}" + on: workflow_dispatch: inputs: - buildBranch: - description: "Feature branch to push to sandbox." - required: true - type: "string" - sandboxWorkspace: - description: "Which Sandbox to push to." + git_ref: + description: "Branch, tag or SHA to deploy" required: true type: "string" - environment: - default: "development" - description: "Which environment should this run against" + sandbox_name: + description: "Sandbox name [a-z0-9]{1,9}" required: true type: "string" @@ -26,9 +22,18 @@ permissions: jobs: terraform_process: runs-on: ubuntu-latest - environment: ${{ github.event.inputs.environment }} + environment: development steps: + - name: Validate inputs + run: | + if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,9}$ ]]; then + echo "Sandbox name must match [a-z0-9]{1,9} (lowercase letters and digits only, 1-9 chars)." + exit 1 + fi + env: + SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }} + # Checkout the repository to the GitHub Actions runner - name: Checkout Base uses: actions/checkout@v5 @@ -61,7 +66,7 @@ jobs: - name: Terraform Set Workspace Base id: base_workspace - run: terraform workspace select -or-create ${{ github.event.inputs.sandboxWorkspace}} + run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} working-directory: ./infrastructure shell: bash @@ -79,7 +84,7 @@ jobs: - name: Checkout Branch uses: actions/checkout@v5 with: - ref: ${{ github.event.inputs.buildBranch}} + ref: ${{ github.event.inputs.git_ref}} # Checks that all Terraform configuration files adhere to a canonical format. - name: Terraform Format 
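Review bot: The new `Validate inputs` step is what makes the later `terraform workspace select ${{ github.event.inputs.sandbox_name}}` interpolations in this job safe, but nothing records that ordering dependency, so a maintainer who reorders steps or moves the workspace select into another job would silently lose the guard. Suggest a comment above the step: `# Must run first: sandbox_name is interpolated into run: steps below, so reject anything outside [a-z0-9]{1,9} before it reaches a shell.` Passing the value to the check through `env:` is the right pattern; using the same indirection in the later `terraform workspace select` steps would make the regex a second line of defence rather than the only one. The `terraform_process` job continues outside this hunk.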
@@ -94,7 +99,7 @@ jobs: - name: Terraform Set Workspace id: workspace - run: terraform workspace select ${{ github.event.inputs.sandboxWorkspace}} + run: terraform workspace select ${{ github.event.inputs.sandbox_name}} working-directory: ./infrastructure shell: bash diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml index 077e90dd1..b70ffae28 100644 --- a/.github/workflows/deploy-test.yml +++ b/.github/workflows/deploy-test.yml @@ -1,11 +1,12 @@ -# .github/workflows/terraform-dev name: "Deploy - Test" +run-name: "${{ github.event.inputs.git_ref }}" + on: workflow_dispatch: inputs: - build_branch: - description: "Feature branch to push to test?" + git_ref: + description: "Branch, tag or SHA to deploy" required: true type: "string" @@ -24,7 +25,7 @@ jobs: - name: Checkout uses: actions/checkout@v5 with: - ref: ${{ github.event.inputs.build_branch}} + ref: ${{ github.event.inputs.git_ref}} - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index a8b143a11..9e63d32b1 100644 --- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml 
@@ -1,54 +1,42 @@ -# .github/workflows/destroy.yml +name: "Tear down - Sandbox/Test" -name: "Tear down - Sandbox" +run-name: "${{ github.event.inputs.git_ref }} | ${{ github.event.inputs.sandbox_name }} | ${{ github.event.inputs.environment }}" on: workflow_dispatch: inputs: - build_branch: + git_ref: default: "main" - description: "Branch to use for the destroy action." + description: "Branch, tag or SHA for the destroy action" required: true - sandbox_workspace: - description: "The sandbox workspace to destroy." - required: true - terraform_vars: - default: "dev.tfvars" - description: "Terraform vars file to use." + type: "string" + sandbox_name: + description: "Sandbox to destroy" required: true + type: "string" environment: default: "development" - description: "Environment for destruction." - required: true - backend: - default: "backend.conf" - description: "Terraform backend configuration." + description: "GitHub Environment name" required: true + type: choice + options: + - "development" + - "test" workflow_call: inputs: - build_branch: + git_ref: default: "main" - description: "Branch to use for the destroy action." + description: "Branch, tag or SHA for the destroy action" required: true type: "string" - sandbox_workspace: - description: "The sandbox workspace to destroy." - required: true - type: "string" - terraform_vars: - default: "dev.tfvars" - description: "Terraform vars file to use." + sandbox_name: + description: "Sandbox to destroy" required: true type: "string" environment: default: "development" - description: "Environment for destruction." - required: true - type: "string" - backend: - default: "backend.conf" - description: "Terraform backend configuration." + description: "GitHub Environment name" required: true type: "string" 
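Review bot: The workflow_dispatch `sandbox_name` input (`description: "Sandbox to destroy"`) documents no format, whereas deploy-sandbox.yml now states `[a-z0-9]{1,9}` for the same value, and here the value selects the workspace that `terraform destroy -auto-approve` later runs against. If the tear-down is meant for sandboxes created by Deploy - Sandbox, mirror the constraint in the description, e.g. `description: "Sandbox to destroy (name as given to Deploy - Sandbox, [a-z0-9]{1,9})"`; if other workspace names are expected (cleanup_sandboxes.py derives names from AppConfig applications), say that instead so operators know what the form accepts. The `workflow_call` variant of `environment` stays a free `type: "string"` while the dispatch form is restricted to a `choice` of development/test, which is fine for the visible callers but worth a comment noting the asymmetry is intentional.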
@@ -62,11 +50,9 @@ jobs: name: Remove Lambda@Edge Associations uses: ./.github/workflows/base-cleanup-lambda-edge.yml with: - sandbox_workspace: ${{ inputs.sandbox_workspace }} - lambda_function_name: "${{ inputs.sandbox_workspace }}_EdgePresignLambda" - python_version: 3.11 - build_branch: ${{ inputs.build_branch }} - environment: ${{ inputs.environment}} + git_ref: ${{ inputs.git_ref }} + sandbox_name: ${{ inputs.sandbox_name }} + environment: ${{ inputs.environment }} secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} @@ -74,10 +60,9 @@ jobs: name: Cleanup Versions Process uses: ./.github/workflows/base-cleanup-workspace.yml with: - build_branch: ${{ inputs.build_branch }} - sandbox: ${{ inputs.sandbox_workspace }} + git_ref: ${{ inputs.git_ref }} + sandbox_name: ${{ inputs.sandbox_name }} environment: ${{ inputs.environment }} - python_version: 3.11 secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} @@ -91,7 +76,7 @@ jobs: - name: Checkout Repository uses: actions/checkout@v5 with: - ref: ${{ inputs.build_branch }} + ref: ${{ inputs.git_ref }} - name: Set up Python uses: actions/setup-python@v6 
@@ -119,19 +104,19 @@ jobs: terraform_version: 1.11.4 - name: Terraform Init - run: terraform init -backend-config=${{ inputs.backend }} + run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }} working-directory: ./infrastructure - name: Set Terraform Workspace - run: terraform workspace select ${{ inputs.sandbox_workspace }} + run: terraform workspace select ${{ inputs.sandbox_name }} working-directory: ./infrastructure - name: Terraform Destroy - run: terraform destroy -auto-approve -var-file="${{ inputs.terraform_vars }}" + run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" working-directory: ./infrastructure - name: Run Terraform Workspace Cleanup Script - run: ./venv/bin/python3 -u scripts/cleanup_terraform_states.py ${{ inputs.sandbox_workspace }} + run: ./venv/bin/python3 -u scripts/cleanup_terraform_states.py ${{ inputs.sandbox_name }} - name: Run Log Group Cleanup Script - run: ./venv/bin/python3 -u scripts/cleanup_log_groups.py ${{ inputs.sandbox_workspace }} + run: ./venv/bin/python3 -u scripts/cleanup_log_groups.py ${{ inputs.sandbox_name }} diff --git a/.github/workflows/tool-rename-git-tag.yml b/.github/workflows/tool-rename-git-tag.yml index 4430847c4..bc1d32a3d 100644 --- a/.github/workflows/tool-rename-git-tag.yml +++ b/.github/workflows/tool-rename-git-tag.yml @@ -1,16 +1,20 @@ name: 'Tool: Rename Git Tag' +run-name: "${{ github.event.inputs.old_tag }} -> ${{ github.event.inputs.new_tag }}" + on: workflow_dispatch: inputs: old_tag: - description: 'Numerical only e.g. 1.0.0' + description: 'Existing tag' required: true type: 'string' + default: 1.0.0 new_tag: - description: 'Numerical only e.g. 1.1.0' + description: 'Replacement tag' required: true type: 'string' + default: 1.1.0 permissions: pull-requests: write @@ -23,7 +27,6 @@ jobs: permissions: write-all steps: - - name: Checkout uses: actions/checkout@v5 with: 
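Review bot: `terraform init -backend-config=${{ vars.TF_BACKEND_FILE }}` and `terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"` replace explicit inputs with GitHub Environment variables, so a correct destroy now depends on both variables being defined on every environment offered in the dispatch `choice` (development, test); an undefined variable expands to an empty string and the failure would most likely surface as a Terraform file-not-found error rather than a clear message. A short guard step before Terraform Init that fails naming the missing variable makes the dependency explicit, together with a comment `# TF_BACKEND_FILE and TF_VARS_FILE are GitHub Environment variables; set them on each environment this workflow can target`. The `inputs.sandbox_name` interpolations in the workspace-select and cleanup-script lines here have the shell-interpolation issue noted on base-cleanup-lambda-edge.yml. The job these steps belong to starts outside the hunk.
```yaml
      - name: Check Terraform environment variables
        run: |
          : "${TF_BACKEND_FILE:?TF_BACKEND_FILE is not set on the GitHub Environment}"
          : "${TF_VARS_FILE:?TF_VARS_FILE is not set on the GitHub Environment}"
        env:
          TF_BACKEND_FILE: ${{ vars.TF_BACKEND_FILE }}
          TF_VARS_FILE: ${{ vars.TF_VARS_FILE }}
      # … unchanged: Terraform Init, Set Terraform Workspace, Terraform Destroy, cleanup scripts …
```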
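Review bot: The new `default: 1.0.0` and `default: 1.1.0` values in tool-rename-git-tag.yml are plain scalars; a three-part version happens to read as a string, but the same line edited to a two-part value such as `1.1` would be parsed as a float before GitHub ever sees the `type: 'string'` declaration. Quote them as `default: '1.0.0'` and `default: '1.1.0'`, matching the quoting already used on `type: 'string'` in the same block.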
diff --git a/scripts/cleanup_sandboxes.py b/scripts/cleanup_sandboxes.py index ed91c63cf..d71c65c8c 100644 --- a/scripts/cleanup_sandboxes.py +++ b/scripts/cleanup_sandboxes.py @@ -16,11 +16,9 @@ def trigger_delete_workflow(token: str, sandbox: str): } inputs = { - "build_branch": "main", - "sandbox_workspace": sandbox, - "terraform_vars": "dev.tfvars", + "git_ref": "main", + "sandbox_name": sandbox, "environment": "development", - "backend": "backend.conf", } resp = requests.post( @@ -43,7 +41,9 @@ def get_workspaces() -> list[str]: if not name: print("Failed to extract TF workspace from AppConfig application") sys.exit(1) - workspaces.append(name.replace("RepositoryConfiguration-", "")) + + if name.startswith("RepositoryConfiguration-"): + workspaces.append(name.replace("RepositoryConfiguration-", "")) return workspaces except ClientError as e: print(f"Failed to extract TF workspace from AppConfig applications: {str(e)}")
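Review bot: `workspaces.append(name.replace("RepositoryConfiguration-", ""))` removes every occurrence of the prefix, not just the leading one, so a constructed name like `RepositoryConfiguration-aRepositoryConfiguration-b` would lose both; since the new `startswith` check already guarantees the prefix, `name.removeprefix("RepositoryConfiguration-")` (Python 3.9+; the workflows in this commit pin 3.11, assuming this script runs under the same interpreter) states the intent exactly. Names without the prefix are now skipped silently, and a `print` in the style of the existing "Failed to extract" message would make the filter visible in the run log rather than leaving a shorter workspace list unexplained. `get_workspaces` begins and ends outside this hunk.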