diff --git a/.github/workflows/automated-deploy-dev.yml b/.github/workflows/automated-deploy-dev.yml index 0f57771df..ee75029c7 100644 --- a/.github/workflows/automated-deploy-dev.yml +++ b/.github/workflows/automated-deploy-dev.yml @@ -3,226 +3,219 @@ name: 'Z-AUTOMATED: Deploy - Dev' on: push: branches: - - main + - main pull_request: branches: - - main + - main permissions: pull-requests: write - actions: read # This is required for Plan comment + actions: read # This is required for Plan comment id-token: write # This is required for requesting the JWT - contents: write # This is required for SBOM action + contents: write # This is required for SBOM action jobs: - terraform_process: - name: Terraform Process - ndr-dev + terraform_plan_apply: + name: Terraform Plan/Apply (ndr-dev) runs-on: ubuntu-latest environment: development - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v5 - - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v5 - with: - role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} - role-skip-session-tagging: true - aws-region: ${{ vars.AWS_REGION }} - mask-aws-account-id: true - - - name: View AWS Role - run: aws sts get-caller-identity - - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - - name: Setup Terraform - uses: hashicorp/setup-terraform@v3 - with: - terraform_version: 1.13.3 - terraform_wrapper: true - - - name: Terraform Init - id: init - run: terraform init -backend-config=backend.conf -no-color - working-directory: ./infrastructure - shell: bash - - - name: Terraform Set Workspace - id: workspace - run: terraform workspace select ${{ secrets.AWS_WORKSPACE }} - working-directory: ./infrastructure - shell: bash - - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Format - id: fmt - run: terraform fmt -check - working-directory: ./infrastructure - - - name: terraform validate - id: validate - run: terraform validate -no-color - - - name: Terraform Plan - id: plan - run: | - terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1 - terraform show -no-color tf.plan > tfplan.txt 2>&1 - - # Mask PEM certificates (BEGIN...END CERTIFICATE) - awk 'BEGIN{cert=""} - /-----BEGIN CERTIFICATE-----/{cert=$0; in_cert=1; next} - /-----END CERTIFICATE-----/{cert=cert"\n"$0; print cert; cert=""; in_cert=0; next} - in_cert{cert=cert"\n"$0}' tfplan.txt | while IFS= read -r cert_block; do - if [ -n "$cert_block" ]; then - echo "::add-mask::$cert_block" - fi - done || echo "No certificate blocks found to mask." - - # Mask sensitive URLs in the Terraform Plan output - grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do - if [ -n "$api_url" ]; then - echo "::add-mask::$api_url" - fi - done || echo "No api URLs found to mask." - - # Mask Lambda invocation URLs - grep -Eo 'https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+' tfplan.txt | while read -r lambda_url; do - if [ -n "$lambda_url" ]; then - echo "::add-mask::$lambda_url" - fi - done || echo "No Lambda URLs found to mask." - - # Mask AWS account IDs (12-digit numbers) - grep -Eo '[0-9]{12}' tfplan.txt | while read -r account_id; do - if [ -n "$account_id" ]; then - echo "::add-mask::$account_id" - fi - done || echo "No Account IDs found to mask." - - # Mask GitHub secrets - echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}" - echo "::add-mask::${{ secrets.GITHUB_TOKEN }}" - - # Mask Terraform variables - echo "::add-mask::${{ vars.TF_VARS_FILE }}" - - # Output the sanitized plan to logs - cat plan_output.txt - - echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT - working-directory: ./infrastructure - shell: bash - - - name: Truncate Plan Output - id: plan-truncated - if: success() || failure() - env: - LENGTH: 64512 - run: | - PLAN_FULL=$(grep -v 'Refreshing state...' <<'EOF' - ${{ steps.plan.outputs.stdout }} - ${{ steps.plan.outputs.stderr }} - EOF - ) - - # Optionally redact sensitive strings in the PLAN_FULL variable - PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9_-]+#[REDACTED_IAM_ROLE_ARN]#g') - PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g') - PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g') - PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g') - PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/') - - echo "PLAN<> $GITHUB_ENV - echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV - [ ${#PLAN_FULL} -gt $LENGTH ] && echo "(truncated - see workflow logs for full output)" >> $GITHUB_ENV - echo "EOF" >> $GITHUB_ENV - working-directory: ./infrastructure - shell: bash - - - name: Add PR comment - uses: actions/github-script@v8 - if: github.event_name == 'pull_request' && (success() || failure()) - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - script: | - // 1. Retrieve existing bot comments for the PR - const { data: comments } = await github.rest.issues.listComments({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.issue.number, - }) - const botComment = comments.find(comment => { - return comment.user.type === 'Bot' && comment.body.includes('Report for environment: ndr-dev') - }) - - // 2. Prepare format of the comment - const output = `### Report for environment: ndr-dev + - name: Checkout + uses: actions/checkout@v5 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v5 + with: + role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }} + role-skip-session-tagging: true + aws-region: ${{ vars.AWS_REGION }} + mask-aws-account-id: true + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.13.3 + terraform_wrapper: true + + - name: Initialise Terraform + id: init + run: terraform init -backend-config=backend.conf -no-color + working-directory: ./infrastructure + shell: bash + + - name: Select Terraform Workspace + id: workspace + run: terraform workspace select ${{ secrets.AWS_WORKSPACE }} + working-directory: ./infrastructure + shell: bash + + - name: Check Terraform Formatting + id: fmt + run: terraform fmt -check + working-directory: ./infrastructure + + - name: Check Terraform Validation + id: validate + run: terraform validate -no-color + + - name: Run Terraform Plan + id: plan + run: | + terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1 + terraform show -no-color tf.plan > tfplan.txt 2>&1 + + # Mask PEM certificates (BEGIN...END CERTIFICATE) + awk 'BEGIN{cert=""} + /-----BEGIN CERTIFICATE-----/{cert=$0; in_cert=1; next} + /-----END CERTIFICATE-----/{cert=cert"\n"$0; print cert; cert=""; in_cert=0; next} + in_cert{cert=cert"\n"$0}' tfplan.txt | while IFS= read -r cert_block; do + if [ -n "$cert_block" ]; then + echo "::add-mask::$cert_block" + fi + done || echo "No certificate blocks found to mask." - #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` -
Initialization Output + # Mask sensitive URLs in the Terraform Plan output + grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do + if [ -n "$api_url" ]; then + echo "::add-mask::$api_url" + fi + done || echo "No api URLs found to mask." + + # Mask Lambda invocation URLs + grep -Eo 'https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+' tfplan.txt | while read -r lambda_url; do + if [ -n "$lambda_url" ]; then + echo "::add-mask::$lambda_url" + fi + done || echo "No Lambda URLs found to mask." + + # Mask AWS account IDs (12-digit numbers) + grep -Eo '[0-9]{12}' tfplan.txt | while read -r account_id; do + if [ -n "$account_id" ]; then + echo "::add-mask::$account_id" + fi + done || echo "No Account IDs found to mask." + + # Mask GitHub secrets + echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}" + echo "::add-mask::${{ secrets.GITHUB_TOKEN }}" + + # Mask Terraform variables + echo "::add-mask::${{ vars.TF_VARS_FILE }}" + + # Output the sanitized plan to logs + cat plan_output.txt + + echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT + working-directory: ./infrastructure + shell: bash + + - name: Truncate Plan Output + id: plan-truncated + if: success() || failure() + env: + LENGTH: 64512 + run: | + PLAN_FULL=$(grep -v 'Refreshing state...' <<'EOF' + ${{ steps.plan.outputs.stdout }} + ${{ steps.plan.outputs.stderr }} + EOF + ) + + # Optionally redact sensitive strings in the PLAN_FULL variable + PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9_-]+#[REDACTED_IAM_ROLE_ARN]#g') + PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g') + PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g') + PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g') + PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/') + + echo "PLAN<> $GITHUB_ENV + echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV + [ ${#PLAN_FULL} -gt $LENGTH ] && echo "(truncated - see workflow logs for full output)" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + working-directory: ./infrastructure + shell: bash + + - name: Add PR Comment + uses: actions/github-script@v8 + if: github.event_name == 'pull_request' && (success() || failure()) + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + // 1. Retrieve existing bot comments for the PR + const { data: comments } = await github.rest.issues.listComments({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.issue.number, + }) + const botComment = comments.find(comment => { + return comment.user.type === 'Bot' && comment.body.includes('Report for environment: ndr-dev') + }) + + // 2. Prepare format of the comment + const output = `### Report for environment: ndr-dev + + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` +
Initialization Output - \`\`\`\n - ${{ steps.init.outputs.stdout }} - \`\`\` + \`\`\`\n + ${{ steps.init.outputs.stdout }} + \`\`\` -
+
- #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` -
Validation Output + #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` +
Validation Output - \`\`\`\n - ${{ steps.validate.outputs.stdout }} - \`\`\` + \`\`\`\n + ${{ steps.validate.outputs.stdout }} + \`\`\` -
+
- #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` -
Show Plan (${{ steps.plan.outputs.summary }}) +
Show Plan (${{ steps.plan.outputs.summary }}) - \`\`\`\n - ${{ env.PLAN }} - \`\`\` + \`\`\`\n + ${{ env.PLAN }} + \`\`\` -
`; +
`; - // 3. If we have a comment, update it, otherwise create a new one - if (botComment) { - github.rest.issues.deleteComment({ + // 3. If we have a comment, update it, otherwise create a new one + if (botComment) { + github.rest.issues.deleteComment({ + owner: context.repo.owner, + repo: context.repo.repo, + comment_id: botComment.id, + body: output + }) + } + + github.rest.issues.createComment({ + issue_number: context.issue.number, owner: context.repo.owner, repo: context.repo.repo, - comment_id: botComment.id, body: output }) - } - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) - - # Terraform apply will only occur on a push (merge request completion) - - name: Terraform Apply - if: github.ref == 'refs/heads/main' - run: terraform apply -auto-approve -input=false tf.plan - working-directory: ./infrastructure - - run_main_repo_deploy_lambdas: - name: Deploy Lambdas on NDR Functional Repo - needs: ['terraform_process'] + + # Terraform apply will only occur on a push (merge request completion) + - name: Run Terraform Apply + if: github.ref == 'refs/heads/main' + run: terraform apply -auto-approve -input=false tf.plan + working-directory: ./infrastructure + + deploy_lambdas: + name: Deploy Lambdas (ndr-dev) + needs: ['terraform_plan_apply'] if: github.ref == 'refs/heads/main' uses: nhsconnect/national-document-repository/.github/workflows/lambdas-dev-to-main-ci.yml@main secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} - - run_main_repo_deploy_ui: - name: Deploy UI on NDR Functional Repo - needs: ['terraform_process'] + + deploy_ui: + name: Deploy UI (ndr-dev) + needs: ['terraform_plan_apply'] if: github.ref == 'refs/heads/main' uses: nhsconnect/national-document-repository/.github/workflows/ui-dev-to-main-ci.yml@main secrets: diff --git a/.github/workflows/automated-sonarqube-cloud-analysis.yml b/.github/workflows/automated-sonarqube-cloud-analysis.yml index e73b8f8f3..2489a3d05 100644 --- a/.github/workflows/automated-sonarqube-cloud-analysis.yml +++ b/.github/workflows/automated-sonarqube-cloud-analysis.yml @@ -6,19 +6,22 @@ on: - main pull_request: types: [opened, synchronize, reopened] + permissions: contents: read pull-requests: write jobs: - sonarqube: - name: SonarQube + sonarqube_cloud: + name: SonarQube Cloud Analysis runs-on: ubuntu-latest steps: - - uses: actions/checkout@v5 + - name: Checkout + uses: actions/checkout@v5 with: fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - name: SonarQube Scan + + - name: SonarQube Cloud Scan uses: SonarSource/sonarqube-scan-action@v6 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any diff --git a/.github/workflows/base-cleanup-lambda-edge.yml b/.github/workflows/base-cleanup-lambda-edge.yml index b4c936bdf..e1feae70a 100644 --- a/.github/workflows/base-cleanup-lambda-edge.yml +++ b/.github/workflows/base-cleanup-lambda-edge.yml @@ -30,12 +30,6 @@ jobs: runs-on: ubuntu-latest environment: ${{ inputs.environment }} steps: - - name: Display passed variables - run: | - echo Sandbox name: ${{ inputs.sandbox_name }} - echo Git branch/tag/sha: ${{ inputs.git_ref }} - echo Environment: ${{ inputs.environment }} - - name: Checkout uses: actions/checkout@v5 with: @@ -43,7 +37,7 @@ jobs: ref: ${{ inputs.git_ref }} fetch-depth: '0' - - name: Set up Python 3.11 + - name: Setup Python 3.11 uses: actions/setup-python@v6 with: python-version: 3.11 diff --git a/.github/workflows/base-cleanup-workspace.yml b/.github/workflows/base-cleanup-workspace.yml index 1de1ed082..bd6a9a9d8 100644 --- a/.github/workflows/base-cleanup-workspace.yml +++ b/.github/workflows/base-cleanup-workspace.yml @@ -25,21 +25,10 @@ permissions: contents: read # This is required for actions/checkout jobs: - view_action_parameters: - name: View Deploy all input variables - runs-on: ubuntu-latest - steps: - - name: Display client passed variables - run: | - echo Sandbox name: ${{ inputs.sandbox_name }} - echo Git branch/tag/sha: ${{ inputs.git_ref }} - echo Environment: ${{ inputs.environment }} - cleanup_process: - name: Run Cleanup Versions script + name: Run Cleanup Versions Script runs-on: ubuntu-latest environment: ${{ inputs.environment }} - steps: - name: Checkout uses: actions/checkout@v5 @@ -48,12 +37,12 @@ jobs: ref: ${{ inputs.git_ref }} fetch-depth: '0' - - name: Set up Python 3.11 + - name: Setup Python 3.11 uses: actions/setup-python@v6 with: python-version: 3.11 - - name: Make virtual environment + - name: Make Virtual Environment run: | python3 -m venv ./venv ./venv/bin/pip3 install --upgrade pip @@ -67,6 +56,6 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: Run Version Cleanup Script + - name: Run Cleanup Versions Script run: | ./venv/bin/python3 scripts/cleanup_versions.py ${{ inputs.sandbox_name }} diff --git a/.github/workflows/cron-daily-health-check.yml b/.github/workflows/cron-daily-health-check.yml index 9b56ace08..98a48434b 100644 --- a/.github/workflows/cron-daily-health-check.yml +++ b/.github/workflows/cron-daily-health-check.yml @@ -12,6 +12,7 @@ permissions: jobs: set_workspace: + name: Set Workspace (ndrd) runs-on: ubuntu-latest outputs: workspace: ${{ steps.set-output.outputs.workspace }} @@ -20,7 +21,8 @@ jobs: id: set-output run: echo 'workspace=ndrd' >> $GITHUB_OUTPUT - terraform_process: + terraform_plan_apply: + name: Terraform Plan/Apply (ndrd) runs-on: ubuntu-latest environment: development needs: ['set_workspace'] @@ -38,56 +40,54 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: View AWS Role - run: aws sts get-caller-identity - - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: 1.13.3 terraform_wrapper: false - - name: Terraform Init + - name: Initialise Terraform id: init run: terraform init -backend-config=backend.conf working-directory: ./infrastructure shell: bash - - name: Terraform Set Workspace + - name: Select Terraform Workspace id: workspace run: terraform workspace select -or-create ${{ needs.set_workspace.outputs.workspace }} working-directory: ./infrastructure shell: bash - - name: Terraform Format + - name: Check Terraform Formatting run: terraform fmt -check working-directory: ./infrastructure - - name: Terraform Plan + - name: Run Terraform Plan id: plan run: | terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan working-directory: ./infrastructure shell: bash - - name: Terraform Apply + - name: Run Terraform Apply run: terraform apply -auto-approve -input=false tf.plan working-directory: ./infrastructure - lambda_test_job: + run_lambda_unit_tests: name: Run Lambda Unit Tests uses: nhsconnect/national-document-repository/.github/workflows/base-lambdas-reusable-test.yml@main with: python_version: "3.11" build_branch: main - react_testing_job: + run_ui_unit_tests: name: Run UI Unit Tests uses: nhsconnect/national-document-repository/.github/workflows/base-vitest-test.yml@main with: build_branch: main - cypress-run-job: + run_cypress_tests: + name: Run Cypress Tests runs-on: ubuntu-22.04 steps: - name: Checkout @@ -95,11 +95,11 @@ jobs: with: repository: nhsconnect/national-document-repository - - name: Cypress install + - name: npm install run: npm install --legacy-peer-deps working-directory: ./app - - name: Configure React environment vars + - name: Configure React Environment Vars env: ENDPOINT_DOC_STORE_API: http://localhost:3000 AWS_REGION: test region @@ -112,7 +112,7 @@ jobs: ./react-environment-config.sh working-directory: ./app - - name: Cypress build + - name: Cypress Build uses: cypress-io/github-action@v6 with: install: false @@ -120,10 +120,10 @@ jobs: build: npm run build working-directory: ./app - - name: Install NPM serve + - name: npm install serve -g run: npm install serve -g - - name: Cypress run + - name: Run Cypress Tests (Chrome) uses: cypress-io/github-action@v6 with: install: false @@ -134,23 +134,25 @@ jobs: CYPRESS_BASE_URL: http://localhost:3000 CYPRESS_grepTags: 'regression' - - uses: actions/upload-artifact@v4 + - name: Upload Artifacts (Screenshots) + uses: actions/upload-artifact@v4 if: failure() with: name: cypress-screenshots-chrome path: /home/runner/work/national-document-repository/national-document-repository/app/cypress/screenshots if-no-files-found: ignore - - - uses: actions/upload-artifact@v4 + + - name: Upload Artifacts (Videos) + uses: actions/upload-artifact@v4 if: failure() with: name: cypress-videos-chrome path: /home/runner/work/national-document-repository/national-document-repository/app/cypress/videos if-no-files-found: ignore - publish_all_lambda_layers: - name: Publish all Lambda Layers - needs: ['set_workspace', 'terraform_process'] + publish_lambda_layers: + name: Publish Lambda Layers + needs: ['set_workspace', 'terraform_plan_apply'] uses: nhsconnect/national-document-repository/.github/workflows/base-lambda-layer-reusable-publish-all.yml@main with: build_branch: main @@ -160,10 +162,10 @@ jobs: secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} - deploy_all_lambdas: - name: Deploy all Lambdas + deploy_lambdas: + name: Deploy Lambdas uses: nhsconnect/national-document-repository/.github/workflows/base-lambdas-reusable-deploy-all.yml@main - needs: ['set_workspace', 'publish_all_lambda_layers'] + needs: ['set_workspace', 'publish_lambda_layers'] with: build_branch: main sandbox: ${{ needs.set_workspace.outputs.workspace }} @@ -176,7 +178,7 @@ jobs: deploy_ui: name: Deploy UI uses: nhsconnect/national-document-repository/.github/workflows/base-deploy-ui.yml@main - needs: ['terraform_process', 'set_workspace'] + needs: ['terraform_plan_apply', 'set_workspace'] with: build_branch: main sandbox: ${{ needs.set_workspace.outputs.workspace }} @@ -186,8 +188,8 @@ jobs: destroy_test_environment: if: always() - name: Destroy the Sandbox Environment from previous job - needs: [ 'set_workspace', 'deploy_ui', 'deploy_all_lambdas' ] + name: Destroy Sandbox (ndrd) + needs: ['set_workspace', 'deploy_ui', 'deploy_lambdas'] uses: ./.github/workflows/tear-down-sandbox.yml with: git_ref: main diff --git a/.github/workflows/cron-tear-down-sandbox.yml b/.github/workflows/cron-tear-down-sandbox.yml index 5a8af25b3..a172b9e0e 100644 --- a/.github/workflows/cron-tear-down-sandbox.yml +++ b/.github/workflows/cron-tear-down-sandbox.yml @@ -1,4 +1,4 @@ -name: 'Z-CRON: Tear down - Sandbox' +name: 'Z-CRON: Tear down - Sandboxes' on: schedule: @@ -11,7 +11,7 @@ permissions: jobs: destroy_process: - name: Destroy Sandbox Environments + name: Destroy Sandboxes runs-on: ubuntu-latest environment: development steps: @@ -28,7 +28,7 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: Set up Python + - name: Setup Python 3.11 uses: actions/setup-python@v6 with: python-version: 3.11 diff --git a/.github/workflows/cron-tear-down-test.yml b/.github/workflows/cron-tear-down-test.yml index 819d9fc22..3670a97eb 100644 --- a/.github/workflows/cron-tear-down-test.yml +++ b/.github/workflows/cron-tear-down-test.yml @@ -20,8 +20,8 @@ jobs: secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} - cleanup_versions_process: - name: Cleanup Versions Process + cleanup_versions: + name: Cleanup Versions uses: ./.github/workflows/base-cleanup-workspace.yml with: git_ref: main @@ -31,16 +31,15 @@ jobs: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} terraform_destroy_process: + name: Destroy Test Environment runs-on: ubuntu-latest environment: test - needs: [cleanup_versions_process] + needs: [cleanup_versions] strategy: matrix: # Can't use an env var here unfortunately, we will have to update here with new sandbox environments sandbox-name: [ndr-test] - steps: - # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v5 with: @@ -54,23 +53,19 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: View AWS Role - run: aws sts get-caller-identity - - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: 1.13.3 terraform_wrapper: false - - name: Terraform Init + - name: Initialise Terraform id: init run: terraform init -backend-config=backend-test.conf working-directory: ./infrastructure shell: bash - - name: Terraform Set Workspace + - name: Select Terraform Workspace id: workspace run: terraform workspace select ${{ matrix.sandbox-name }} working-directory: ./infrastructure @@ -101,7 +96,7 @@ jobs: --region eu-west-2 done - - name: Terraform Destroy + - name: Run Terraform Destroy id: destroy run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" working-directory: ./infrastructure diff --git a/.github/workflows/deploy-pre-prod.yml b/.github/workflows/deploy-pre-prod.yml index 0ed4bb575..bce8e835b 100644 --- a/.github/workflows/deploy-pre-prod.yml +++ b/.github/workflows/deploy-pre-prod.yml @@ -17,12 +17,12 @@ permissions: contents: read # This is required for actions/checkout jobs: - tag_and_release: + tag_main: + name: Tag main runs-on: ubuntu-latest outputs: version: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }} permissions: write-all - steps: - name: Checkout main if: ${{ github.event.inputs.branch_or_tag == 'main' }} @@ -42,18 +42,18 @@ jobs: - name: View outputs run: | - echo Deploying branch or tagged version to pre-prod: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }} + echo Tag to deploy: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }} - terraform_process: + terraform_plan_apply: + name: Terraform Plan/Apply (pre-prod) runs-on: ubuntu-latest - needs: ["tag_and_release"] + needs: ["tag_main"] environment: pre-prod - steps: - name: Checkout uses: actions/checkout@v5 with: - ref: ${{needs.tag_and_release.outputs.version}} + ref: ${{ needs.tag_main.outputs.version }} fetch-depth: "0" - name: Configure AWS Credentials @@ -70,29 +70,29 @@ jobs: terraform_version: 1.13.3 terraform_wrapper: false - - name: Terraform Init + - name: Initialise Terraform id: init run: terraform init -backend-config=backend-pre-prod.conf working-directory: ./infrastructure shell: bash - - name: Terraform Set Workspace + - name: Select Terraform Workspace id: workspace run: terraform workspace select ${{ secrets.AWS_WORKSPACE }} working-directory: ./infrastructure shell: bash - - name: Terraform Format + - name: Check Terraform Formatting run: terraform fmt -check working-directory: ./infrastructure - - name: Terraform Plan + - name: Run Terraform Plan id: plan run: | terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan working-directory: ./infrastructure shell: bash - - name: Terraform Apply + - name: Run Terraform Apply run: terraform apply -auto-approve -input=false tf.plan working-directory: ./infrastructure diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml index 47d49662d..d07afa7b2 100644 --- a/.github/workflows/deploy-prod.yml +++ b/.github/workflows/deploy-prod.yml @@ -16,13 +16,12 @@ permissions: contents: read # This is required for actions/checkout jobs: - terraform_process: + terraform_plan_apply: + name: Terraform Plan/Apply (prod) runs-on: ubuntu-latest environment: prod - steps: - # Checkout the repository to the GitHub Actions runner - - name: Checkout + - name: Checkout Tag uses: actions/checkout@v5 with: ref: refs/tags/${{ github.event.inputs.git_tag}} @@ -36,40 +35,35 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: View AWS Role - run: aws sts get-caller-identity - - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: 1.13.3 terraform_wrapper: false - - name: Terraform Init + - name: Initialise Terraform id: init run: terraform init -backend-config=backend-prod.conf working-directory: ./infrastructure shell: bash - - name: Terraform Set Workspace + - name: Select Terraform Workspace id: workspace run: terraform workspace select ${{ secrets.AWS_WORKSPACE }} working-directory: ./infrastructure shell: bash - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Format + - name: Check Terraform Formatting run: terraform fmt -check working-directory: ./infrastructure - - name: Terraform Plan + - name: Run Terraform Plan id: plan run: | terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan working-directory: ./infrastructure shell: bash - - name: Terraform Apply + - name: Run Terraform Apply run: terraform apply -auto-approve -input=false tf.plan working-directory: ./infrastructure diff --git a/.github/workflows/deploy-sandbox.yml b/.github/workflows/deploy-sandbox.yml index 819898a3a..1afd9ad57 100644 --- a/.github/workflows/deploy-sandbox.yml +++ b/.github/workflows/deploy-sandbox.yml @@ -17,15 +17,15 @@ on: permissions: pull-requests: write id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + contents: read # This is required for actions/checkout jobs: validate_inputs: + name: Validate Inputs runs-on: ubuntu-latest environment: development - steps: - - name: Validate inputs + - name: Validate sandbox name run: | if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,8}$ ]]; then echo "Sandbox name must match [a-z0-9]{1,8} (lowercase letters and digits only, 1-8 chars)." @@ -34,13 +34,12 @@ jobs: env: SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }} - terraform_process--main: + terraform_plan_apply_main: + name: Terraform Plan/Apply (main) runs-on: ubuntu-latest needs: validate_inputs environment: development - steps: - # Checkout the repository to the GitHub Actions runner - name: Checkout main uses: actions/checkout@v5 with: @@ -54,9 +53,6 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: View AWS Role - run: aws sts get-caller-identity - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v3 @@ -64,35 +60,35 @@ jobs: terraform_version: 1.13.3 terraform_wrapper: false - - name: Terraform Init main + - name: Initialise Terraform id: main_init run: terraform init -backend-config=backend.conf working-directory: ./infrastructure shell: bash - - name: Terraform Set Workspace + - name: Select Terraform Workspace id: main_workspace run: terraform workspace select -or-create ${{ github.event.inputs.sandbox_name}} working-directory: ./infrastructure shell: bash - - name: Terraform Plan main + - name: Run Terraform Plan id: main_plan run: | terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf-main.plan working-directory: ./infrastructure shell: bash - - name: Terraform Apply main + - name: Run Terraform Apply run: terraform apply -auto-approve -input=false tf-main.plan working-directory: ./infrastructure - terraform_process--branch: + terraform_plan_apply_branch: + name: Terraform Plan/Apply (branch) if: ${{ github.event.inputs.git_ref != 'main' }} runs-on: ubuntu-latest - needs: terraform_process--main + needs: terraform_plan_apply_main environment: development - steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v5 @@ -102,9 +98,6 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: View AWS Role - run: aws sts get-caller-identity - - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: @@ -117,29 +110,29 @@ jobs: ref: ${{ github.event.inputs.git_ref}} # Checks that all Terraform configuration files adhere to a canonical format. - - name: Terraform Format Branch + - name: Check Terraform Formatting run: terraform fmt -check working-directory: ./infrastructure - - name: Terraform Init Branch + - name: Initialise Terraform id: init run: terraform init -backend-config=backend.conf working-directory: ./infrastructure shell: bash - - name: Terraform Set Workspace + - name: Select Terraform Workspace id: workspace run: terraform workspace select ${{ github.event.inputs.sandbox_name}} working-directory: ./infrastructure shell: bash - - name: Terraform Plan Branch + - name: Run Terraform Plan id: plan run: | terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan working-directory: ./infrastructure shell: bash - - name: Terraform Apply Branch (over main) + - name: Run Terraform Apply (branch over main) run: terraform apply -auto-approve -input=false tf.plan working-directory: ./infrastructure diff --git a/.github/workflows/deploy-test.yml b/.github/workflows/deploy-test.yml index 33c7a2a53..3c701f8c2 100644 --- a/.github/workflows/deploy-test.yml +++ b/.github/workflows/deploy-test.yml @@ -13,15 +13,14 @@ on: permissions: pull-requests: write id-token: write # This is required for requesting the JWT - contents: read # This is required for actions/checkout + contents: read # This is required for actions/checkout jobs: - terraform_process: + terraform_plan_apply: + name: Terraform Plan/Apply (ndr-test) runs-on: ubuntu-latest environment: test - steps: - # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v5 with: @@ -35,9 +34,6 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: View AWS Role - run: aws sts get-caller-identity - # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token - name: Setup Terraform uses: hashicorp/setup-terraform@v3 @@ -45,30 +41,29 @@ jobs: terraform_version: 1.13.3 terraform_wrapper: false - - name: Terraform Init + - name: Initialise Terraform id: init run: terraform init -backend-config=backend-test.conf working-directory: ./infrastructure shell: bash - - name: Terraform Set Workspace + - name: Select Terraform Workspace id: workspace run: terraform workspace select -or-create ${{ secrets.AWS_WORKSPACE }} working-directory: ./infrastructure shell: bash - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Format + - name: Check Terraform Formatting run: terraform fmt -check working-directory: ./infrastructure - - name: Terraform Plan + - name: Run Terraform Plan id: plan run: | terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan working-directory: ./infrastructure shell: bash - - name: Terraform Apply + - name: Run Terraform Apply run: terraform apply -auto-approve -input=false tf.plan working-directory: ./infrastructure diff --git a/.github/workflows/tear-down-sandbox.yml b/.github/workflows/tear-down-sandbox.yml index 853f0ff7a..70c7d44c7 100644 --- a/.github/workflows/tear-down-sandbox.yml +++ b/.github/workflows/tear-down-sandbox.yml @@ -56,8 +56,8 @@ jobs: secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} - cleanup_versions_process: - name: Cleanup Versions Process + cleanup_versions: + name: Cleanup Versions uses: ./.github/workflows/base-cleanup-workspace.yml with: git_ref: ${{ inputs.git_ref }} @@ -66,19 +66,18 @@ jobs: secrets: AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }} - terraform_destroy_process: - name: Terraform Destroy Process + terraform_destroy: + name: Terraform Destroy runs-on: ubuntu-latest needs: [remove_edge_associations] # Ensure this runs after Lambda@Edge removal environment: ${{ inputs.environment }} - steps: - - name: Checkout Repository + - name: Checkout uses: actions/checkout@v5 with: ref: ${{ inputs.git_ref }} - - name: Set up Python + - name: Setup Python 3.11 uses: actions/setup-python@v6 with: python-version: 3.11 @@ -95,28 +94,25 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true - - name: View AWS Role - run: aws sts get-caller-identity - - name: Setup Terraform uses: hashicorp/setup-terraform@v3 with: terraform_version: 1.13.3 - - name: Terraform Init + - name: Initialise Terraform run: terraform init -backend-config=${{ vars.TF_BACKEND_FILE }} working-directory: ./infrastructure - - name: Set Terraform Workspace + - name: Select Terraform Workspace run: terraform workspace select ${{ inputs.sandbox_name }} working-directory: ./infrastructure - - name: Terraform Destroy + - name: Run Terraform Destroy run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" working-directory: ./infrastructure - - name: Run Terraform Workspace Cleanup Script + - name: Run Cleanup Script (Terraform Workspace) run: ./venv/bin/python3 -u scripts/cleanup_terraform_states.py ${{ inputs.sandbox_name }} - - name: Run Log Group Cleanup Script + - name: Run Cleanup Script (Log Group) run: ./venv/bin/python3 -u scripts/cleanup_log_groups.py ${{ inputs.sandbox_name }} diff --git a/.github/workflows/tool-rename-git-tag.yml b/.github/workflows/tool-rename-git-tag.yml index bc1d32a3d..fa6905e01 100644 --- a/.github/workflows/tool-rename-git-tag.yml +++ b/.github/workflows/tool-rename-git-tag.yml @@ -25,7 +25,6 @@ jobs: tag_renaming_process: runs-on: ubuntu-latest permissions: write-all - steps: - name: Checkout uses: actions/checkout@v5 @@ -40,9 +39,9 @@ jobs: - name: Check SHA value run: | - echo Branch SHA: ${{steps.get-sha.outputs.BRANCH_SHA}} + echo Branch SHA: ${{ steps.get-sha.outputs.BRANCH_SHA }} - - name: Create tag + - name: Overwrite tag uses: actions/github-script@v8 with: script: | @@ -50,6 +49,6 @@ jobs: github.rest.git.createRef({ owner: context.repo.owner, repo: context.repo.repo, - ref: 'refs/tags/${{github.event.inputs.new_tag}}', - sha:'${{steps.get-sha.outputs.BRANCH_SHA}}' + ref: 'refs/tags/${{ github.event.inputs.new_tag }}', + sha: '${{ steps.get-sha.outputs.BRANCH_SHA }}' })