Skip to content

Updating permissions on dev-2 using refs/heads/develop by hamzakhan24-nhs #23

Updating permissions on dev-2 using refs/heads/develop by hamzakhan24-nhs

Updating permissions on dev-2 using refs/heads/develop by hamzakhan24-nhs #23

name: Update Lambda Permissions
run-name: Updating permissions on ${{ inputs.stack_name }} using ${{ github.ref }} by ${{ github.actor }}
on:
workflow_dispatch:
inputs:
environment:
description: Environment to deploy to
required: true
default: "dev"
type: environment
stack_name:
description: Stack to update
required: true
type: string
strict_versioning:
description: Use strict versioning (recommended)
required: true
type: boolean
default: true
permissions:
id-token: write
contents: read
actions: write
jobs:
check-versions:
name: Check versions
runs-on: [self-hosted, ci]
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Setup asdf cache
uses: actions/cache@v4
with:
path: ~/.asdf
key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
restore-keys: |
${{ runner.os }}-asdf-
- name: Install asdf
uses: asdf-vm/actions/[email protected]
- name: Install zip
run: sudo apt-get install zip
- name: Setup Python environment
run: |
poetry install --no-root
source $(poetry env info --path)/bin/activate
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Terraform Init
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
- name: Check deployed version matches build version
run: |
this_version="$(./scripts/get-current-info.sh | jq -r .version)"
deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)"
echo "code-version=${this_version} deployed-version=${deployed_version}"
if [ "${deployed_version}" != "${this_version}" ]
then
echo "${this_version} does not match deployed version: ${deployed_version}" 1>&2
if [ "${{ inputs.strict_versioning }}" == "true" ]; then
echo "Strict version checking failed, cancelling workflow" 1>&2
exit 1
fi
fi
build-permissions:
name: Build permissions
runs-on: [self-hosted, ci]
environment: ${{ inputs.environment }}
needs: [check-versions]
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Setup asdf cache
uses: actions/cache@v4
with:
path: ~/.asdf
key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
restore-keys: |
${{ runner.os }}-asdf-
- name: Install asdf
uses: asdf-vm/actions/[email protected]
- name: Install zip
run: sudo apt-get install zip
- name: Setup Python environment
run: |
poetry install --no-root
source $(poetry env info --path)/bin/activate
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Create lambda permissions layer
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${{ inputs.stack_name }}
- name: Save NRLF permissions in cache
uses: actions/cache/save@v4
with:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip
pull-deployed-lambdas:
name: Pull deployed lambdas
runs-on: [self-hosted, ci]
environment: ${{ inputs.environment }}
needs: [check-versions]
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Configure Account Role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-chaining: true
role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}
role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }}
- name: Pull deployed lambda artifacts
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }}
- name: Save lambda artifacts in cache
uses: actions/cache/save@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: dist/*.zip
terraform-plan:
name: Plan changes
runs-on: [self-hosted, ci]
environment: ${{ inputs.environment }}
needs: [build-permissions, pull-deployed-lambdas]
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Setup asdf cache
uses: actions/cache@v4
with:
path: ~/.asdf
key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
restore-keys: |
${{ runner.os }}-asdf-
- name: Install asdf
uses: asdf-vm/actions/[email protected]
- name: Install zip
run: sudo apt-get install zip
- name: Setup Python environment
run: |
poetry install --no-root
source $(poetry env info --path)/bin/activate
- name: Restore pulled lambda artifacts
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: dist/*.zip
fail-on-cache-miss: true
- name: Restore NRLF permissions cache
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip
fail-on-cache-miss: true
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Terraform Init
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
- name: Terraform Plan
run: |
terraform -chdir=terraform/infrastructure plan \
--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
--var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
--out tfplan
- name: Save Terraform Plan
run: |
terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan
aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt
terraform-apply:
name: Apply permissions
runs-on: [self-hosted, ci]
environment: ${{ inputs.environment }}
needs: terraform-plan
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}
- name: Restore pulled lambda artifacts
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: dist/*.zip
fail-on-cache-miss: true
- name: Restore NRLF permissions cache
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip
fail-on-cache-miss: true
- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
- name: Download Terraform Plan artifact
run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
- name: Terraform Init
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
- name: Terraform Apply
run: |
terraform -chdir=terraform/infrastructure apply tfplan