deploy-sandbox.yml
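---
# Deploy - Sandbox
#
# Manually triggered (workflow_dispatch). Two Terraform passes run against the
# `./infrastructure` root module in a per-sandbox workspace:
#   1. terraform_process--main   — applies `main` into the workspace
#                                  (creating the workspace if it does not exist);
#   2. terraform_process--branch — applies the requested `git_ref` over it,
#                                  skipped when `git_ref` is `main`.
# AWS credentials are obtained through OIDC (`id-token: write`) by assuming
# `secrets.AWS_ASSUME_ROLE`; no long-lived keys are stored.
name: "Deploy - Sandbox"
run-name: "${{ github.event.inputs.git_ref }} | ${{ github.event.inputs.sandbox_name }}"

on:
  workflow_dispatch:
    inputs:
      git_ref:
        description: "Branch, tag or SHA to deploy"
        required: true
        type: "string"
      sandbox_name:
        description: "Sandbox name [a-z0-9]{1,8}"
        required: true
        type: "string"

# Least privilege: no step in this workflow reads or writes pull requests, so
# `pull-requests: write` is not granted. Add it back next to a step that needs it.
permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout

# Both jobs write to the same Terraform workspace. Terraform refuses to read a
# state snapshot written by a newer release, so the branch pass must run a
# Terraform at least as new as the main pass; a single pinned version shared by
# every setup-terraform step keeps the two passes compatible.
env:
  TERRAFORM_VERSION: "1.13.3"

# Serialise runs that target the same sandbox workspace; a later dispatch for
# the same sandbox queues instead of contending for the state lock.
concurrency:
  group: "deploy-sandbox-${{ github.event.inputs.sandbox_name }}"
  cancel-in-progress: false

jobs:
  # Reject anything that does not match the documented sandbox-name pattern
  # before any job that holds cloud credentials runs.
  validate_inputs:
    runs-on: ubuntu-latest
    environment: development
    steps:
      - name: Validate inputs
        run: |
          if ! [[ "$SANDBOX_NAME" =~ ^[a-z0-9]{1,8}$ ]]; then
            echo "Sandbox name must match [a-z0-9]{1,8} (lowercase letters and digits only, 1-8 chars)."
            exit 1
          fi
        env:
          SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}

  # Pass 1: bring the sandbox workspace to the state of `main`.
  terraform_process--main:
    runs-on: ubuntu-latest
    needs: validate_inputs
    environment: development
    steps:
      # Checkout the repository to the GitHub Actions runner
      - name: Checkout main
        # Supply chain: third-party actions are pinned to major tags here. Pinning
        # to a full commit SHA (`uses: owner/action@<full-commit-sha> # vN`) is
        # the stricter option; keep the tag in a trailing comment for readability.
        uses: actions/checkout@v5
        with:
          ref: main

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
          role-skip-session-tagging: true
          aws-region: ${{ vars.AWS_REGION }}
          mask-aws-account-id: true

      - name: View AWS Role
        run: aws sts get-caller-identity

      # Install the pinned Terraform CLI. The wrapper is disabled so the raw
      # `terraform` binary (and its exit codes) is what the `run:` steps invoke.
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TERRAFORM_VERSION }}
          terraform_wrapper: false

      - name: Terraform Init main
        id: main_init
        run: terraform init -backend-config=backend.conf
        working-directory: ./infrastructure
        shell: bash

      # The user-supplied input reaches the shell through an environment variable
      # (quoted in the command) instead of being interpolated into the command
      # text, so the shell never parses the raw input.
      - name: Terraform Set Workspace
        id: main_workspace
        run: terraform workspace select -or-create "$SANDBOX_NAME"
        working-directory: ./infrastructure
        shell: bash
        env:
          SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}

      - name: Terraform Plan main
        id: main_plan
        run: |
          terraform plan -input=false -no-color -var-file="$TF_VARS_FILE" -out tf-main.plan
        working-directory: ./infrastructure
        shell: bash
        env:
          TF_VARS_FILE: ${{ vars.TF_VARS_FILE }}

      - name: Terraform Apply main
        run: terraform apply -auto-approve -input=false tf-main.plan
        working-directory: ./infrastructure

  # Pass 2: apply the requested ref on top of the `main` state.
  # Whatever ref was dispatched is applied with -auto-approve; who may reach this
  # point is bounded by the repository's workflow_dispatch permissions and the
  # protection rules on the `development` environment.
  terraform_process--branch:
    if: ${{ github.event.inputs.git_ref != 'main' }}
    runs-on: ubuntu-latest
    needs: terraform_process--main
    environment: development
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
          role-skip-session-tagging: true
          aws-region: ${{ vars.AWS_REGION }}
          mask-aws-account-id: true

      - name: View AWS Role
        run: aws sts get-caller-identity

      # Same pinned version as the main pass (see the workflow-level `env`).
      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_version: ${{ env.TERRAFORM_VERSION }}
          terraform_wrapper: false

      # `ref` is an action input, not a shell command, so the expression is safe here.
      - name: Checkout Branch
        uses: actions/checkout@v5
        with:
          ref: ${{ github.event.inputs.git_ref }}

      # Checks that all Terraform configuration files adhere to a canonical format.
      - name: Terraform Format Branch
        run: terraform fmt -check
        working-directory: ./infrastructure

      - name: Terraform Init Branch
        id: init
        run: terraform init -backend-config=backend.conf
        working-directory: ./infrastructure
        shell: bash

      # No -or-create here: the workspace must already exist from the main pass.
      - name: Terraform Set Workspace
        id: workspace
        run: terraform workspace select "$SANDBOX_NAME"
        working-directory: ./infrastructure
        shell: bash
        env:
          SANDBOX_NAME: ${{ github.event.inputs.sandbox_name }}

      - name: Terraform Plan Branch
        id: plan
        run: |
          terraform plan -input=false -no-color -var-file="$TF_VARS_FILE" -out tf.plan
        working-directory: ./infrastructure
        shell: bash
        env:
          TF_VARS_FILE: ${{ vars.TF_VARS_FILE }}

      - name: Terraform Apply Branch (over main)
        run: terraform apply -auto-approve -input=false tf.plan
        working-directory: ./infrastructure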