Updating permissions on dev using feature/made14-NRL-793-perms-pipeline-fixups by mattdean3-nhs #4
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Update Lambda Permissions | |
| run-name: Updating permissions on ${{ inputs.environment }} using ${{ inputs.branch_name }} by ${{ github.actor }} | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| environment: | |
| description: Environment to deploy to | |
| required: true | |
| default: "dev" | |
| type: environment | |
| stack_name: | |
| description: Name of stack to apply permissions to | |
| required: true | |
| type: string | |
| branch_name: | |
| description: Branch to deploy | |
| required: true | |
| permissions: | |
| id-token: write | |
| contents: read | |
| actions: write | |
| jobs: | |
| check-versions: | |
| name: Check versions | |
| runs-on: [self-hosted, ci] | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Terraform Init | |
| run: | | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ | |
| terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} | |
| - name: Check deployed version matches build version | |
| run: | | |
| this_version="$(./scripts/get-current-info.sh | jq -r .version)" | |
| deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)" | |
| if [ "${deployed_version}" != "${this_version}" ]; then | |
| echo "Deployed version is ${deployed_version}, not ${this_version}" | |
| exit 1 | |
| fi | |
| echo "Deployed version matches this version: ${deployed_version}" | |
| build-permissions: | |
| name: Build permissions for ${{ inputs.environment }} | |
| runs-on: [self-hosted, ci] | |
| environment: ${{ inputs.environment }} | |
| needs: [check-versions] | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Setup asdf cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.asdf | |
| key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
| restore-keys: | | |
| ${{ runner.os }}-asdf- | |
| - name: Install asdf | |
| uses: asdf-vm/actions/[email protected] | |
| - name: Install zip | |
| run: sudo apt-get install zip | |
| - name: Setup Python environment | |
| run: | | |
| poetry install --no-root | |
| source $(poetry env info --path)/bin/activate | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Create lambda permissions layer | |
| run: | | |
| account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) | |
| make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${{ inputs.stack_name }} | |
| - name: Save NRLF permissions in cache | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| pull-deployed-lambdas: | |
| name: Pull deployed lambdas from ${{ inputs.stack_name }} | |
| runs-on: [self-hosted, ci] | |
| environment: ${{ inputs.environment }} | |
| needs: [check-versions] | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Configure Account Role | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-chaining: true | |
| role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }} | |
| role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Pull deployed lambda artifacts | |
| run: | | |
| account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) | |
| ./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }} | |
| - name: Save lambda artifacts in cache | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ github.run_id }}-pulled-lambda-artifacts | |
| path: dist/*.zip | |
| terraform-plan: | |
| name: Plan changes to ${{ inputs.stack_name }} for ${{ inputs.environment }} | |
| runs-on: [self-hosted, ci] | |
| environment: ${{ inputs.environment }} | |
| needs: [build-permissions, pull-deployed-lambdas] | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Restore pulled lambda artifacts | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-pulled-lambda-artifacts | |
| path: ./dist | |
| fail-on-cache-miss: true | |
| - name: Restore NRLF permissions cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| fail-on-cache-miss: true | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Terraform Init | |
| run: | | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ | |
| terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} | |
| - name: Terraform Plan | |
| run: | | |
| terraform -chdir=terraform/infrastructure plan \ | |
| --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ | |
| --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \ | |
| --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \ | |
| --out tfplan | |
| - name: Save Terraform Plan | |
| run: | | |
| terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt | |
| aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan | |
| aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt | |
| terraform-apply: | |
| name: Apply permissions to ${{ inputs.stack_name }} for ${{ inputs.environment }} | |
| runs-on: [self-hosted, ci] | |
| environment: ${{ inputs.environment }} | |
| needs: terraform-plan | |
| steps: | |
| - name: Git clone - ${{ github.ref }} | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ github.ref }} | |
| - name: Restore pulled lambda artifacts | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-pulled-lambda-artifacts | |
| path: ./dist | |
| fail-on-cache-miss: true | |
| - name: Restore NRLF permissions cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ github.run_id }}-nrlf-permissions | |
| path: dist/nrlf_permissions.zip | |
| fail-on-cache-miss: true | |
| - name: Configure Management Credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: eu-west-2 | |
| role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
| role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
| - name: Download Terraform Plan artifact | |
| run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan | |
| - name: Terraform Init | |
| run: | | |
| terraform -chdir=terraform/infrastructure init | |
| terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ | |
| terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} | |
| - name: Terraform Apply | |
| run: | | |
| terraform -chdir=terraform/infrastructure apply tfplan |