Deployment to dev of feature/made14-NRL-793-perms-pipeline-fixups by mattdean3-nhs #758
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Persistent Environment Deploy | |
| run-name: Deployment to ${{ inputs.environment }} of ${{ inputs.branch_name }} by ${{ github.actor }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: "Environment to deploy to" | |
| required: true | |
| default: "dev" | |
| type: environment | |
| branch_name: | |
| description: Branch to deploy | |
| required: true | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: write | |
| jobs: | |
| build: | |
| name: Build - ${{ inputs.branch_name }} | |
| runs-on: [self-hosted, ci] | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Run Linting | |
| run: make lint | |
| - name: Run Unit Tests | |
| run: make test | |
| - name: Build Project | |
| run: make build | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Add S3 Permissions to Lambda | |
| run: | | |
| account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) | |
| make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${inactive_stack} | |
| - name: Save Build Artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: | | |
| dist/*.zip | |
| !dist/nrlf_permissions.zip | |
| - name: Save NRLF Permissions cache | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| terraform-plan: | |
| name: Terraform Plan - ${{ inputs.environment }} | |
| needs: [build] | |
| environment: ${{ inputs.environment }} | |
| runs-on: [self-hosted, ci] | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Retrieve Server Certificates | |
| run: | | |
| account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) | |
| make truststore-pull-server ENV=${account} | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: dist | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Restore NRLF permissions cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| fail-on-cache-miss: true | |
| - name: Terraform Init | |
| run: | | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \ | |
| terraform -chdir=terraform/infrastructure workspace select ${inactive_stack} | |
| - name: Terraform Plan | |
| run: | | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) | |
| terraform -chdir=terraform/infrastructure plan \ | |
| --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ | |
| --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \ | |
| --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \ | |
| -out tfplan | |
| - name: Save Terraform Plan | |
| run: | | |
| terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt | |
| aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan | |
| aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt | |
| terraform-apply: | |
| name: Terraform Apply - ${{ inputs.environment }} | |
| needs: [terraform-plan] | |
| runs-on: [self-hosted, ci] | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: build-artifacts | |
| path: dist | |
| - name: Restore NRLF permissions cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| fail-on-cache-miss: true | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: Download Terraform Plan artifact | |
| run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan | |
| - name: Retrieve Server Certificates | |
| run: | | |
| account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) | |
| make truststore-pull-server ENV=${account} | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Terraform Init | |
| run: | | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \ | |
| terraform -chdir=terraform/infrastructure workspace select ${inactive_stack} | |
| - name: Terraform Apply | |
| run: terraform -chdir=terraform/infrastructure apply tfplan | |
| - name: Update environment config version | |
| run: | | |
| deployed_version=$(terraform -chdir=terraform/infrastructure output --raw version) | |
| poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} ${{ inputs.environment }} | |
| - name: Smoke Test | |
| run: | | |
| account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) | |
| make ENV=${account} truststore-pull-client | |
| make ENV=${{ inputs.environment }} test-smoke-internal | |
| activate-stack: | |
| name: Activate - ${{ inputs.environment }} | |
| needs: [terraform-apply] | |
| runs-on: [self-hosted, ci] | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Activate Stack | |
| run: | | |
| inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) | |
| poetry run python ./scripts/activate_stack.py ${inactive_stack} ${{ inputs.environment }} | |
| post-release-verify: | |
| name: Verify - ${{ inputs.environment }} | |
| needs: [activate-stack] | |
| runs-on: [self-hosted, ci] | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: "Smoke Test" | |
| run: | | |
| make ENV=${{ inputs.environment }} test-smoke-public | |
| rollback-stack: | |
| name: Rollback - ${{ inputs.environment }} | |
| needs: [post-release-verify] | |
| if: always() && ( needs.post-release-verify.result == 'failure' ) | |
| runs-on: [self-hosted, ci] | |
| environment: ${{ inputs.environment }} | |
| steps: | |
| - name: Git clone - ${{ inputs.branch_name }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ inputs.branch_name }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Deactivate Stack | |
| run: | | |
| inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) | |
| poetry run python ./scripts/activate_stack.py ${inactive_stack_name} ${{ inputs.environment }} |