[NRL-793] Add version checks before updating perms

NHSDigital · Sep 17, 2024 · 2c56821 · 2c56821
1 parent 50353af
commit 2c56821
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 5 deletions.
diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml
@@ -234,8 +234,7 @@ jobs:
 
       - name: Update environment config version
         run: |
-          short_commit_ref="$(echo ${{ github.sha }} | cut -c1-8)"
-          deployed_version="${{ inputs.branch_name }}@${short_commit_ref}"
+          deployed_version=$(terraform -chdir=terraform/infrastructure output --raw version)
           poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} ${{ inputs.environment }}
 
       - name: Smoke Test

diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
@@ -25,11 +25,67 @@ permissions:
   actions: write
 
 jobs:
+  check-versions:
+    name: Check versions
+    runs-on: [self-hosted, ci]
+
+    steps:
+      - name: Git clone - ${{ github.ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Setup asdf cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-
+
+      - name: Install asdf
+        uses: asdf-vm/actions/[email protected]
+
+      - name: Install zip
+        run: sudo apt-get install zip
+
+      - name: Setup Python environment
+        run: |
+          poetry install --no-root
+          source $(poetry env info --path)/bin/activate
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
+
+      - name: Terraform Init
+        run: |
+          terraform -chdir=terraform/infrastructure init
+          terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
+              terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
+
+      - name: Check deployed version matches build version
+        run: |
+          this_version="$(./scripts/get-current-info.sh) | jq -r .version)"
+          deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)"
+
+          if [ "${deployed_version}" != "${this_version}" ]; then
+            echo "Deployed version is ${deployed_version}, not ${this_version}"
+            exit 1
+          fi
+
+          echo "Deployed version matches this version: ${deployed_version}"
+
   build-permissions:
     name: Build permissions for ${{ inputs.environment }}
     runs-on: [self-hosted, ci]
     environment: ${{ inputs.environment }}
 
+    needs: [check-versions]
+
     steps:
       - name: Git clone - ${{ github.ref }}
         uses: actions/checkout@v4
@@ -74,10 +130,12 @@ jobs:
           path: dist/nrlf_permissions.zip
 
   pull-deployed-lambdas:
-    name: Pull deployed lambdas for ${{ inputs.environment }}
+    name: Pull deployed lambdas from ${{ inputs.stack_name }}
     runs-on: [self-hosted, ci]
     environment: ${{ inputs.environment }}
 
+    needs: [check-versions]
+
     steps:
       - name: Git clone - ${{ github.ref }}
         uses: actions/checkout@v4
@@ -111,7 +169,7 @@ jobs:
           path: dist/*.zip
 
   terraform-plan:
-    name: Plan changes to ${{ inputs.environment }}
+    name: Plan changes to ${{ inputs.stack_name }} for ${{ inputs.environment }}
     runs-on: [self-hosted, ci]
     environment: ${{ inputs.environment }}
 
@@ -165,7 +223,7 @@ jobs:
           aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt
 
   terraform-apply:
-    name: Apply permissions to ${{ inputs.environment }}
+    name: Apply permissions to ${{ inputs.stack_name }} for ${{ inputs.environment }}
     runs-on: [self-hosted, ci]
     environment: ${{ inputs.environment }}
 

diff --git a/scripts/get_current_info.sh b/scripts/get_current_info.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+# Get the current info about the codebase
+set -o errexit -o nounset -o pipefail
+
+BRANCH_NAME="$(git rev-parse --abbrev-ref HEAD)"
+SHORT_COMMIT_HASH="$(git rev-parse --short=8 HEAD)"
+
+echo "{ \"version\": \"${BRANCH_NAME}@${SHORT_COMMIT_HASH}\" }"
diff --git a/terraform/infrastructure/data.tf b/terraform/infrastructure/data.tf
@@ -34,3 +34,10 @@ data "aws_iam_policy" "pointers-kms-read-write" {
   count = var.use_shared_resources ? 1 : 0
   name  = "${local.shared_prefix}-pointers-kms-read-write"
 }
+
+data "external" "current-info" {
+  program = [
+    "bash",
+    "../../scripts/get_current_info.sh",
+  ]
+}
diff --git a/terraform/infrastructure/output.tf b/terraform/infrastructure/output.tf
@@ -46,3 +46,7 @@ output "certificate_domain_name" {
 output "auth_store" {
   value = local.auth_store_id
 }
+
+output "version" {
+  value = data.external.current-info.result.version
+}