immunisation-fhir-api/.github/workflows/deploy-backend.yml at fe95ee791abc8d1aa4c34a8f875d20e8a34e4d99 · NHSDigital/immunisation-fhir-api · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
name: Deploy Backend

on:
  workflow_call:
    inputs:
      apigee_environment:
        required: true
        type: string
      create_mns_subscription:
        required: false
        type: boolean
        default: true
      environment:
        required: true
        type: string
      sub_environment:
        required: true
        type: string
  workflow_dispatch:
    inputs:
      apigee_environment:
        type: choice
        description: Select the Apigee proxy environment
        options:
          - internal-dev
          - int
          - ref
          - prod
      create_mns_subscription:
        description: Create an MNS Subscription programatically. Only available in AWS dev
        required: false
        type: boolean
        default: true
      environment:
        type: choice
        description: Select the backend environment
        options:
          - dev
          - preprod
          - prod
      sub_environment:
        type: string
        description: Set the sub environment name e.g. pr-xxx, or green/blue in higher environments

env: # Sonarcloud - do not allow direct usage of untrusted data
  APIGEE_ENVIRONMENT: ${{ inputs.apigee_environment }}
  ENVIRONMENT: ${{ inputs.environment }}
  SUB_ENVIRONMENT: ${{ inputs.sub_environment }}

permissions:
  id-token: write
  contents: read

run-name: Deploy Backend - ${{ inputs.environment }} ${{ inputs.sub_environment }}

jobs:
  terraform-plan:
    runs-on: ubuntu-latest
    environment:
      name: ${{ inputs.environment }}
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

      - name: Connect to AWS
        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
        with:
          aws-region: eu-west-2
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
          role-session-name: github-actions

      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
        with:
          terraform_version: "1.12.2"

      - name: Terraform Init
        working-directory: infrastructure/instance
        run: make init

      - name: Terraform Plan
        working-directory: infrastructure/instance
        run: make plan-ci

      - name: Save Terraform Plan
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4
        with:
          name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
          path: infrastructure/instance/tfplan

  terraform-apply:
    needs: terraform-plan
    runs-on: ubuntu-latest
    environment:
      name: ${{ inputs.environment }}
    steps:
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

      - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8
        with:
          aws-region: eu-west-2
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/auto-ops
          role-session-name: github-actions

      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
        with:
          terraform_version: "1.12.2"

      - name: Retrieve Terraform Plan
        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
        with:
          name: ${{ env.ENVIRONMENT }}-${{ env.SUB_ENVIRONMENT }}-tfplan
          path: infrastructure/instance

      - name: Terraform Init
        working-directory: infrastructure/instance
        run: make init

      - name: Terraform Apply
        working-directory: infrastructure/instance
        run: |
          make apply-ci
          echo "ID_SYNC_QUEUE_ARN=$(make -s output name=id_sync_queue_arn)" >> $GITHUB_ENV

      - name: Install poetry
        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
        run: pip install poetry==2.1.4

      - uses: actions/setup-python@v6
        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
        with:
          python-version: 3.11
          cache: "poetry"
          cache-dependency-path: |
            lambdas/mns_subscription/poetry.lock
            lambdas/shared/poetry.lock

      - name: Create MNS Subscription
        if: ${{ inputs.environment == 'dev' && inputs.create_mns_subscription }}
        working-directory: "./lambdas/mns_subscription"
        env:
          APIGEE_ENVIRONMENT: int
          SQS_ARN: ${{ env.ID_SYNC_QUEUE_ARN }}
        run: |
          poetry install --no-root
          echo "Subscribing SQS to MNS for notifications..."
          make subscribe