Updating permissions on dev-2 using refs/heads/develop by hamzakhan24-nhs #23
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Update Lambda Permissions | |
run-name: Updating permissions on ${{ inputs.stack_name }} using ${{ github.ref }} by ${{ github.actor }} | |
on: | |
workflow_dispatch: | |
inputs: | |
environment: | |
description: Environment to deploy to | |
required: true | |
default: "dev" | |
type: environment | |
stack_name: | |
description: Stack to update | |
required: true | |
type: string | |
strict_versioning: | |
description: Use strict versioning (recommended) | |
required: true | |
type: boolean | |
default: true | |
permissions: | |
id-token: write | |
contents: read | |
actions: write | |
jobs: | |
check-versions: | |
name: Check versions | |
runs-on: [self-hosted, ci] | |
steps: | |
- name: Git clone - ${{ github.ref }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Setup asdf cache | |
uses: actions/cache@v4 | |
with: | |
path: ~/.asdf | |
key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
restore-keys: | | |
${{ runner.os }}-asdf- | |
- name: Install asdf | |
uses: asdf-vm/actions/[email protected] | |
- name: Install zip | |
run: sudo apt-get install zip | |
- name: Setup Python environment | |
run: | | |
poetry install --no-root | |
source $(poetry env info --path)/bin/activate | |
- name: Configure Management Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: eu-west-2 | |
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
- name: Terraform Init | |
run: | | |
terraform -chdir=terraform/infrastructure init | |
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ | |
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} | |
- name: Check deployed version matches build version | |
run: | | |
this_version="$(./scripts/get-current-info.sh | jq -r .version)" | |
deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)" | |
echo "code-version=${this_version} deployed-version=${deployed_version}" | |
if [ "${deployed_version}" != "${this_version}" ] | |
then | |
echo "${this_version} does not match deployed version: ${deployed_version}" 1>&2 | |
if [ "${{ inputs.strict_versioning }}" == "true" ]; then | |
echo "Strict version checking failed, cancelling workflow" 1>&2 | |
exit 1 | |
fi | |
fi | |
build-permissions: | |
name: Build permissions | |
runs-on: [self-hosted, ci] | |
environment: ${{ inputs.environment }} | |
needs: [check-versions] | |
steps: | |
- name: Git clone - ${{ github.ref }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Setup asdf cache | |
uses: actions/cache@v4 | |
with: | |
path: ~/.asdf | |
key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
restore-keys: | | |
${{ runner.os }}-asdf- | |
- name: Install asdf | |
uses: asdf-vm/actions/[email protected] | |
- name: Install zip | |
run: sudo apt-get install zip | |
- name: Setup Python environment | |
run: | | |
poetry install --no-root | |
source $(poetry env info --path)/bin/activate | |
- name: Configure Management Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: eu-west-2 | |
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
- name: Create lambda permissions layer | |
run: | | |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) | |
make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${{ inputs.stack_name }} | |
- name: Save NRLF permissions in cache | |
uses: actions/cache/save@v4 | |
with: | |
key: ${{ github.run_id }}-nrlf-permissions | |
path: dist/nrlf_permissions.zip | |
pull-deployed-lambdas: | |
name: Pull deployed lambdas | |
runs-on: [self-hosted, ci] | |
environment: ${{ inputs.environment }} | |
needs: [check-versions] | |
steps: | |
- name: Git clone - ${{ github.ref }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Configure Management Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: eu-west-2 | |
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
- name: Configure Account Role | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: eu-west-2 | |
role-chaining: true | |
role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }} | |
role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }} | |
- name: Pull deployed lambda artifacts | |
run: | | |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) | |
./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }} | |
- name: Save lambda artifacts in cache | |
uses: actions/cache/save@v4 | |
with: | |
key: ${{ github.run_id }}-pulled-lambda-artifacts | |
path: dist/*.zip | |
terraform-plan: | |
name: Plan changes | |
runs-on: [self-hosted, ci] | |
environment: ${{ inputs.environment }} | |
needs: [build-permissions, pull-deployed-lambdas] | |
steps: | |
- name: Git clone - ${{ github.ref }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Setup asdf cache | |
uses: actions/cache@v4 | |
with: | |
path: ~/.asdf | |
key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} | |
restore-keys: | | |
${{ runner.os }}-asdf- | |
- name: Install asdf | |
uses: asdf-vm/actions/[email protected] | |
- name: Install zip | |
run: sudo apt-get install zip | |
- name: Setup Python environment | |
run: | | |
poetry install --no-root | |
source $(poetry env info --path)/bin/activate | |
- name: Restore pulled lambda artifacts | |
uses: actions/cache/restore@v4 | |
with: | |
key: ${{ github.run_id }}-pulled-lambda-artifacts | |
path: dist/*.zip | |
fail-on-cache-miss: true | |
- name: Restore NRLF permissions cache | |
uses: actions/cache/restore@v4 | |
with: | |
key: ${{ github.run_id }}-nrlf-permissions | |
path: dist/nrlf_permissions.zip | |
fail-on-cache-miss: true | |
- name: Configure Management Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: eu-west-2 | |
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
- name: Terraform Init | |
run: | | |
terraform -chdir=terraform/infrastructure init | |
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ | |
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} | |
- name: Terraform Plan | |
run: | | |
terraform -chdir=terraform/infrastructure plan \ | |
--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ | |
--var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \ | |
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \ | |
--out tfplan | |
- name: Save Terraform Plan | |
run: | | |
terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt | |
aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan | |
aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt | |
terraform-apply: | |
name: Apply permissions | |
runs-on: [self-hosted, ci] | |
environment: ${{ inputs.environment }} | |
needs: terraform-plan | |
steps: | |
- name: Git clone - ${{ github.ref }} | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} | |
- name: Restore pulled lambda artifacts | |
uses: actions/cache/restore@v4 | |
with: | |
key: ${{ github.run_id }}-pulled-lambda-artifacts | |
path: dist/*.zip | |
fail-on-cache-miss: true | |
- name: Restore NRLF permissions cache | |
uses: actions/cache/restore@v4 | |
with: | |
key: ${{ github.run_id }}-nrlf-permissions | |
path: dist/nrlf_permissions.zip | |
fail-on-cache-miss: true | |
- name: Configure Management Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-region: eu-west-2 | |
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} | |
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} | |
- name: Download Terraform Plan artifact | |
run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan | |
- name: Terraform Init | |
run: | | |
terraform -chdir=terraform/infrastructure init | |
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ | |
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} | |
- name: Terraform Apply | |
run: | | |
terraform -chdir=terraform/infrastructure apply tfplan |