v2.1.1 (work in progress) (#3256)

Author: thomasleese

.github/workflows/build.yml …ithub/workflows/build-and-push-image.yml.github/workflows/build.yml renamed to .github/workflows/build-and-push-image.yml .github/workflows/build.yml renamed to .github/workflows/build-and-push-image.yml

@@ -1,37 +1,34 @@
-name: Build Mavis image
+name: Build and push image
+
 on:
   workflow_dispatch:
   workflow_call:
 
 jobs:
-  Build:
+  build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Build Docker image
-        run: |
-          docker build -t "mavis:latest" .
+        run: docker build -t "mavis:latest" .
       - name: Save Docker image
-        run: |
-          docker save -o image.tar mavis:latest
+        run: docker save -o image.tar mavis:latest
       - name: Upload Docker image
         uses: actions/upload-artifact@v4
         with:
           name: image
           path: image.tar
-  Push-image:
+  push:
     runs-on: ubuntu-latest
-    needs: Build
+    needs: build
     permissions:
       id-token: write
     strategy:
       matrix:
         aws-role:
-          [
-            "arn:aws:iam::820242920762:role/GitHubActionsRole",
-            "arn:aws:iam::393416225559:role/GitHubActionsRole",
-          ]
+          - arn:aws:iam::820242920762:role/GitHubActionsRole
+          - arn:aws:iam::393416225559:role/GitHubActionsRole
     steps:
       - name: Download Docker image
         uses: actions/download-artifact@v4
@@ -46,11 +43,8 @@ jobs:
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2
       - name: Load Docker image
-        run: |
-          docker load -i image.tar
+        run: docker load -i image.tar
       - name: Tag Docker image
-        run: |
-          docker tag mavis:latest "${{ steps.login-ecr.outputs.registry }}/mavis/webapp":"${{ github.sha }}"
+        run: docker tag mavis:latest "${{ steps.login-ecr.outputs.registry }}/mavis/webapp":"${{ github.sha }}"
       - name: Push Docker image
-        run: |
-          docker push "${{ steps.login-ecr.outputs.registry }}/mavis/webapp":"${{ github.sha }}"
+        run: docker push "${{ steps.login-ecr.outputs.registry }}/mavis/webapp":"${{ github.sha }}"

.github/workflows/continuous-deployment.yml

@@ -0,0 +1,23 @@
+name: Continuous deployment
+run-name: Continuous deployment of ${{ github.ref }} to "copilotmigration"
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  test:
+    uses: ./.github/workflows/test.yml
+  build-and-push-image:
+    needs: test
+    uses: ./.github/workflows/build-and-push-image.yml
+  deploy-infrastructure:
+    needs: test
+    uses: ./.github/workflows/deploy-infrastructure.yml
+    with:
+      environment: copilotmigration
+  deploy-application:
+    needs: [build-and-push-image, deploy-infrastructure]
+    uses: ./.github/workflows/deploy-application.yml
+    with:
+      environment: copilotmigration

.github/workflows/continuous_deployment.yml

@@ -1,11 +1,11 @@
-name: TF Deploy Application
-run-name: TF Deploy Application on ${{ inputs.environment }}
+name: Deploy application
+run-name: Deploy application to ${{ inputs.environment }}
 
 on:
   workflow_dispatch:
     inputs:
       environment:
-        description: "Deployment environment"
+        description: Deployment environment
         required: true
         type: choice
         options:
@@ -15,9 +15,9 @@ on:
           - test
           - preview
           - training
-      #          - production
+          - production
       image_tag:
-        description: "Docker image tag"
+        description: Docker image tag
         required: false
         type: string
   workflow_call:
@@ -28,12 +28,13 @@ on:
 
 env:
   aws-role: ${{ inputs.environment == 'production'
-    && 'arn:aws:iam::820242920762:role/GitHubActionsRole'
+    && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
     || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
   tf-dir: terraform/app
 
 jobs:
-  PlanUpdate:
+  plan-changes:
+    name: Plan task definition changes
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -78,9 +79,11 @@ jobs:
         with:
           name: tfplan_app
           path: ${{ runner.temp }}/tfplan
-  DeployUpdate:
+
+  apply-changes:
+    name: Apply task definition changes
     runs-on: ubuntu-latest
-    needs: PlanUpdate
+    needs: plan-changes
     environment: ${{ inputs.environment }}
     permissions:
       id-token: write
@@ -115,9 +118,11 @@ jobs:
         with:
           name: CODEDEPLOY_ENV
           path: ${{ runner.temp }}/CODEDEPLOY_ENV
-  TriggerCodeDeploy:
+
+  create-deployment:
+    name: Create deployment
     runs-on: ubuntu-latest
-    needs: DeployUpdate
+    needs: apply-changes
     environment: ${{ inputs.environment }}
     permissions:
       id-token: write
@@ -133,8 +138,7 @@ jobs:
           role-to-assume: ${{ env.aws-role }}
           aws-region: eu-west-2
       - name: Install AWS CLI
-        run: |
-          sudo snap install --classic aws-cli
+        run: sudo snap install --classic aws-cli
       - name: Trigger CodeDeploy deployment
         run: |
           source ${{ runner.temp }}/artifact/CODEDEPLOY_ENV

.github/workflows/deploy_application.yml .github/workflows/deploy-application.yml.github/workflows/deploy_application.yml renamed to .github/workflows/deploy-application.yml

@@ -1,11 +1,11 @@
-name: Deploy Infrastructure with Terraform
-run-name: Deploy AWS infrastructure for ${{ inputs.environment }}
+name: Deploy infrastructure
+run-name: Deploy infrastructure for ${{ inputs.environment }}
 
 on:
   workflow_dispatch:
     inputs:
       environment:
-        description: "Deployment environment"
+        description: Deployment environment
         required: true
         type: choice
         options:
@@ -15,22 +15,27 @@ on:
           - test
           - preview
           - training
-  #          - production
+          - production
+      docker_sha:
+        description: "Docker image sha to deploy. This is used only if no existing task definition is found"
+        required: false
+        type: string
   workflow_call:
     inputs:
       environment:
-        description: "Deployment environment"
+        description: Deployment environment
         required: true
         type: string
 
 env:
   aws_role: ${{ inputs.environment == 'production'
-    && 'arn:aws:iam::820242920762:role/GitHubActionsRole'
+    && 'arn:aws:iam::820242920762:role/GithubDeployMavisAndInfrastructure'
     || 'arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure' }}
   tf_dir: terraform/app
 
 jobs:
-  TerraformPlan:
+  plan:
+    name: Terraform plan
     runs-on: ubuntu-latest
     permissions:
       id-token: write
@@ -47,36 +52,24 @@ jobs:
         with:
           terraform_version: 1.10.5
       - name: Install AWS Cli
-        run: |
-          sudo snap install --classic aws-cli
+        run: sudo snap install --classic aws-cli
       - name: Check if any deployments are running
         working-directory: ${{ env.tf_dir }}
         run: |
-          set -e
-          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
-          APPLICATION_NAME=$(terraform output -raw codedeploy_application_name)
-          echo "Application Name: $APPLICATION_NAME"
-          APPLICATION_GROUP=$(terraform output -raw codedeploy_deployment_group_name)
-          echo "Deployment Group Name: $APPLICATION_GROUP"
-          running_deployment=$(aws deploy list-deployments --application-name $APPLICATION_NAME \
-              --deployment-group-name $APPLICATION_GROUP --include-only-statuses InProgress \
-              --query 'deployments[0]' --output text)
-          if [ "$running_deployment" != "None" ]; then
-            echo "A mavis deployment for ${{ inputs.environment }} is currently running: $running_deployment"
-            echo "Aborting infrastructure deployment"
-            exit 1
-          fi
-      - name: Get saved image digest
+          ../scripts/check-for-running-deployments.sh ${{ inputs.environment }}
+      - name: Get image digest
         working-directory: ${{ env.tf_dir }}
         run: |
-          DIGEST=$(terraform state show aws_ecs_task_definition.task_definition | grep -oP '(?<=mavis/webapp@)sha256:[0-9a-z]{64}')
-          if [ -z "$DIGEST" ]; then
-            echo "Image digest not found in the currently deployed task definition"
-            echo "Aborting infrastructure deployment"
-            exit 1
+          DIGEST="${{ inputs.docker_sha }}"
+          if terraform state list | grep -q 'aws_ecs_task_definition.task_definition'; then
+            DIGEST=$(terraform state show aws_ecs_task_definition.task_definition | grep -oP '(?<=mavis/webapp@)sha256:[0-9a-z]{64}')
+            echo "Existing task definition found, using image digest from the state: $DIGEST"
+          elif [ -z "$DIGEST" ]; then
+            echo "Aborting infrastructure deployment: Missing existing task definition or image digest input parameter"
+          else
+            echo "No existing task definition found: Using image digest from the input parameter: $DIGEST"
           fi
           echo "DIGEST=$DIGEST" >> $GITHUB_ENV
-          echo "Image digest in terraform state: $DIGEST"
       - name: Terraform Plan
         id: plan
         working-directory: ${{ env.tf_dir }}
@@ -93,9 +86,11 @@ jobs:
         with:
           name: tfplan_infrastructure
           path: ${{ runner.temp }}/tfplan
-  ApplyUpdate:
+
+  apply:
+    name: Terraform apply
     runs-on: ubuntu-latest
-    needs: TerraformPlan
+    needs: plan
     environment: ${{ inputs.environment }}
     permissions:
       id-token: write

…thub/workflows/deploy_infrastructure.yml …thub/workflows/deploy-infrastructure.yml.github/workflows/deploy_infrastructure.yml renamed to .github/workflows/deploy-infrastructure.yml .github/workflows/deploy_infrastructure.yml renamed to .github/workflows/deploy-infrastructure.yml

@@ -0,0 +1,80 @@
+name: Destroy Infrastructure
+run-name: Destroy Infrastructure for ${{ inputs.environment }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: "Environment to be Destroyed"
+        required: true
+        type: choice
+        options:
+          - qa
+          - poc
+          - copilotmigration
+          - test
+          - preview
+          - training
+
+env:
+  aws_role: arn:aws:iam::393416225559:role/GithubDeployMavisAndInfrastructure
+  tf_dir: terraform/app
+
+jobs:
+  destroy-resources:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.10.5
+      - name: Ensure DB cluster can be deleted
+        working-directory: ${{ env.tf_dir }}
+        run: |
+          set -e
+          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+          if terraform state list | grep -q 'aws_rds_cluster.aurora_cluster'; then
+            echo "DB cluster exsits: removing delete protection"
+            CLUSTER_IDENTIFIER=$(grep -oP 'db_cluster\s*=\s*"\K[^"]+' env/${{ inputs.environment }}.tfvars)
+            aws rds modify-db-cluster --db-cluster-identifier "$CLUSTER_IDENTIFIER" --no-deletion-protection
+            echo "DB cluster delete protection removed: proceeding to delete stage"
+          else 
+            echo "DB cluster not in state: proceeding to delete stage"
+          fi
+
+      - name: Delete cluster
+        working-directory: ${{ env.tf_dir }}
+        run: |
+          terraform destroy -var-file="env/${{ inputs.environment }}.tfvars" \
+          -var="image_digest=notneededfordestroy" -auto-approve
+  destroy-backend:
+    runs-on: ubuntu-latest
+    needs: destroy-resources
+    permissions:
+      id-token: write
+    environment: ${{ inputs.environment }}
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: Install AWS CLI
+        run: |
+          sudo snap install --classic aws-cli
+      - name: Delete terraform backend elements
+        run: |
+          TF_STATE_FILE=nhse-mavis-terraform-state/terraform-${{ inputs.environment }}.tfstate
+          aws s3 rm s3://$TF_STATE_FILE
+          aws dynamodb delete-item --table-name mavis-terraform-state-lock \
+          --key "{\"LockID\": {\"S\": \"$TF_STATE_FILE-md5\"}}"

.github/workflows/destroy_infrastructure.yml

@@ -59,14 +59,14 @@ resource "aws_s3_bucket" "code_deploy_bucket" {
 
 
 data "aws_s3_bucket" "logs" {
-  bucket = "nhse-mavis-logs-${var.environment}"
+  bucket = var.access_logs_bucket
 }
 
 resource "aws_s3_bucket_logging" "example" {
   bucket = aws_s3_bucket.code_deploy_bucket.id
 
   target_bucket = data.aws_s3_bucket.logs.id
-  target_prefix = "codedeploy-log/"
+  target_prefix = "codedeploy-log-${var.environment}/"
 }
 
 resource "aws_s3_bucket_versioning" "code_deploy_bucket_versioning" {