[NRL-793] Complete update-lambda-permissions workflow and pull-lambda…
…-code-for-stack.sh script
mattdean3-nhs committed Sep 17, 2024
1 parent a80f2b3 commit f27eeaa
Showing 2 changed files with 135 additions and 13 deletions.
117 changes: 111 additions & 6 deletions .github/workflows/update-lambda-permissions.yml
Expand Up @@ -26,7 +26,7 @@ permissions:

jobs:
build-permissions:
name: Building permissions package for ${{ inputs.environment }}
name: Build permissions for ${{ inputs.environment }}
runs-on: [self-hosted, ci]
environment: ${{ inputs.environment }}

Expand Down Expand Up @@ -73,35 +73,140 @@ jobs:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip

apply-permissions:
name: Applying permissions to ${{ inputs.environment }}
pull-deployed-lambdas:
name: Pull deployed lambdas for ${{ inputs.environment }}
runs-on: [self-hosted, ci]
environment: ${{ inputs.environment }}

needs: build-permissions
steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Configure Account Role
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-chaining: true
role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}
role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }}

- name: Pull deployed lambda artifacts
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }}
- name: Save lambda artifacts in cache
uses: actions/cache/save@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: dist/*.zip

terraform-plan:
name: Plan changes to ${{ inputs.environment }}
runs-on: [self-hosted, ci]
environment: ${{ inputs.environment }}

needs: [build-permissions, pull-deployed-lambdas]

steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}

- name: Restore pulled lambda artifacts
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: ./dist
fail-on-cache-miss: true

- name: Restore NRLF permissions cache
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip
fail-on-cache-miss: true

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Terraform Init
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
- name: Terraform Apply
- name: Terraform Plan
run: |
terraform -chdir=terraform/infrastructure apply -auto-approve \
terraform -chdir=terraform/infrastructure plan \
--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
--var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
--out tfplan
- name: Save Terraform Plan
run: |
terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan
aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt
terraform-apply:
name: Apply permissions to ${{ inputs.environment }}
runs-on: [self-hosted, ci]
environment: ${{ inputs.environment }}

needs: terraform-plan

steps:
- name: Git clone - ${{ github.ref }}
uses: actions/checkout@v4
with:
ref: ${{ github.ref }}

- name: Restore pulled lambda artifacts
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-pulled-lambda-artifacts
path: ./dist
fail-on-cache-miss: true

- name: Restore NRLF permissions cache
uses: actions/cache/restore@v4
with:
key: ${{ github.run_id }}-nrlf-permissions
path: dist/nrlf_permissions.zip
fail-on-cache-miss: true

- name: Configure Management Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Download Terraform Plan artifact
run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan

- name: Terraform Init
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
- name: Terraform Apply
run: |
terraform -chdir=terraform/infrastructure apply tfplan
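Review bot: The new `run:` steps interpolate workflow inputs directly into shell text — `${{ inputs.stack_name }}` in the pull-lambda-code-for-stack.sh call, both `workspace new`/`workspace select` pairs and the `are_resources_shared_for_stack.py` substitution, and `${{ inputs.environment }}` in the S3 object paths — so an input value containing shell metacharacters is executed as part of the command rather than treated as data; pass each through `env:` and quote it, e.g. `env:` / `STACK_NAME: ${{ inputs.stack_name }}` / `run: ./scripts/pull-lambda-code-for-stack.sh "$STACK_NAME"`. The `account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)` line in "Pull deployed lambda artifacts" assigns a variable that nothing in the step reads and can be dropped. Separately, the lambda-artifact cache is saved with `path: dist/*.zip` but restored in both later jobs with `path: ./dist`; as far as I know actions/cache folds the path list into the cache version, so with `fail-on-cache-miss: true` those restores may never hit — use the same `path` in the save and restore steps, as the nrlf-permissions cache already does.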
31 changes: 24 additions & 7 deletions scripts/pull-lambda-code-for-stack.sh
100644 → 100755
Expand Up @@ -9,40 +9,57 @@ stack_name="$1"
function pull_lambda_code(){
local api_name="$1"
local endpoint_name="$2"
local lambda_name="nhds-nrlf--${stack_name}--API-${api_name}--${endpoint_name}"
local lambda_name="nhsd-nrlf--${stack_name}--api--${api_name}--${endpoint_name}"

echo "Downloading code for lambda ${lambda_name}...."
echo -n "- Downloading code for lambda ${lambda_name}.... "
code_url="$(aws lambda get-function --function-name ${lambda_name} | jq -r .Code.Location)"
curl "${code_url}" > "${DIST_DIR}/${api_name}-${endpoint_name}.zip"
curl "${code_url}" 2>/dev/null > "${DIST_DIR}/${api_name}-${endpoint_name}.zip"
echo ""
}

function pull_layer_code(){
local name="$1"
local layer_name="nhds-nrlf--${stack_name}--${name}"
local layer_name="nhsd-nrlf--${stack_name}--${name}"
local layer_version="$(aws lambda list-layer-versions --layer-name ${layer_name} | jq -r '.LayerVersions[0].Version')"
local layer_pkg_name="$(echo ${layer_name} | tr '-' '_').zip"
local layer_pkg_name="$(echo ${name} | tr '-' '_').zip"

echo "Downloading code for layer ${layer_name} version ${layer_version}...."
echo -n "- Downloading code for layer ${layer_name} version ${layer_version}...."
code_url="$(aws lambda get-layer-version --layer-name ${layer_name} --version-number ${layer_version} | jq -r .Content.Location)"
curl "${code_url}" > "${DIST_DIR}/${layer_pkg_name}"
curl "${code_url}" 2>/dev/null > "${DIST_DIR}/${layer_pkg_name}"
echo ""
}

mkdir -p "${DIST_DIR}"

echo
echo "Pulling code for consumer API lambdas...."
for endpoint_name in $(ls api/consumer)
do
if [ ! -d "api/consumer/${endpoint_name}" ]; then
continue
fi

pull_lambda_code "consumer" "${endpoint_name}"
done

echo
echo "Pulling code for producer API lambdas...."
for endpoint_name in $(ls api/producer)
do
if [ ! -d "api/producer/${endpoint_name}" ]; then
continue
fi

pull_lambda_code "producer" "${endpoint_name}"
done

echo
echo "Pulling code for layers...."
for layer_name in nrlf dependency-layer nrlf-permissions
do
pull_layer_code "${layer_name}"
done

echo
echo "✅ Done. Code is in ${DIST_DIR}"
echo
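Review bot: The two `curl "${code_url}" 2>/dev/null > …` lines in pull_lambda_code and pull_layer_code still have no `--fail`, so an HTTP error response is written into the .zip as if it were the artifact and the script carries on, and the added `2>/dev/null` now also hides curl's own error message; use `curl -sSf "${code_url}" -o "${DIST_DIR}/${api_name}-${endpoint_name}.zip"` (and the same form for `${layer_pkg_name}`) so progress output is silent but failures are reported and non-zero. The new `for endpoint_name in $(ls api/consumer)` / `$(ls api/producer)` loops iterate ls output and then re-test each entry with `[ ! -d … ]`; `for dir in api/consumer/*/; do endpoint_name="$(basename "$dir")"; …` yields only directories and is robust to unusual names. `code_url` is assigned without `local` in both functions, so it leaks to the caller's scope; declare it `local`. Whether the script sets `set -e`/`pipefail` is decided above this hunk and is not visible here.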
