-
Notifications
You must be signed in to change notification settings - Fork 0
229 lines (189 loc) · 8.24 KB
/
automated-deploy-dev.yml
File metadata and controls
229 lines (189 loc) · 8.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
name: 'Z-AUTOMATED: Deploy - Dev'
on:
push:
branches:
- main
pull_request:
branches:
- main
permissions:
pull-requests: write
actions: read # This is required for Plan comment
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
jobs:
terraform_process:
name: Terraform Process - ndr-dev
runs-on: ubuntu-latest
environment: development
steps:
# Checkout the repository to the GitHub Actions runner
- name: Checkout
uses: actions/checkout@v5
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v5
with:
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
role-skip-session-tagging: true
aws-region: ${{ vars.AWS_REGION }}
mask-aws-account-id: true
- name: View AWS Role
run: aws sts get-caller-identity
# Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
- name: Setup Terraform
uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.13.3
terraform_wrapper: true
- name: Terraform Init
id: init
run: terraform init -backend-config=backend.conf -no-color
working-directory: ./infrastructure
shell: bash
- name: Terraform Set Workspace
id: workspace
run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
working-directory: ./infrastructure
shell: bash
# Checks that all Terraform configuration files adhere to a canonical format
- name: Terraform Format
id: fmt
run: terraform fmt -check
working-directory: ./infrastructure
- name: terraform validate
id: validate
run: terraform validate -no-color
- name: Terraform Plan
id: plan
run: |
terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan > plan_output.txt 2>&1
terraform show -no-color tf.plan > tfplan.txt 2>&1
# Mask PEM certificates (BEGIN...END CERTIFICATE)
awk 'BEGIN{cert=""}
/-----BEGIN CERTIFICATE-----/{cert=$0; in_cert=1; next}
/-----END CERTIFICATE-----/{cert=cert"\n"$0; print cert; cert=""; in_cert=0; next}
in_cert{cert=cert"\n"$0}' tfplan.txt | while IFS= read -r cert_block; do
if [ -n "$cert_block" ]; then
echo "::add-mask::$cert_block"
fi
done || echo "No certificate blocks found to mask."
# Mask sensitive URLs in the Terraform Plan output
grep -Eo 'https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*' tfplan.txt | while read -r api_url; do
if [ -n "$api_url" ]; then
echo "::add-mask::$api_url"
fi
done || echo "No api URLs found to mask."
# Mask Lambda invocation URLs
grep -Eo 'https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+' tfplan.txt | while read -r lambda_url; do
if [ -n "$lambda_url" ]; then
echo "::add-mask::$lambda_url"
fi
done || echo "No Lambda URLs found to mask."
# Mask AWS account IDs (12-digit numbers)
grep -Eo '[0-9]{12}' tfplan.txt | while read -r account_id; do
if [ -n "$account_id" ]; then
echo "::add-mask::$account_id"
fi
done || echo "No Account IDs found to mask."
# Mask GitHub secrets
echo "::add-mask::${{ secrets.AWS_ASSUME_ROLE }}"
echo "::add-mask::${{ secrets.GITHUB_TOKEN }}"
# Mask Terraform variables
echo "::add-mask::${{ vars.TF_VARS_FILE }}"
# Output the sanitized plan to logs
cat plan_output.txt
echo "summary=$(grep -E 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy\.|No changes\. Your infrastructure matches the configuration\.' tfplan.txt | sed 's/.*No changes\. Your infrastructure matches the configuration/Plan: no changes/g' | sed 's/.*Plan: //g' | sed 's/\..*//g')" >> $GITHUB_OUTPUT
working-directory: ./infrastructure
shell: bash
- name: Truncate Plan Output
id: plan-truncated
if: success() || failure()
env:
LENGTH: 64512
run: |
PLAN_FULL=$(grep -v 'Refreshing state...' <<'EOF'
${{ steps.plan.outputs.stdout }}
${{ steps.plan.outputs.stderr }}
EOF
)
# Optionally redact sensitive strings in the PLAN_FULL variable
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#arn:aws:iam::[0-9]{12}:role/[a-zA-Z0-9_-]+#[REDACTED_IAM_ROLE_ARN]#g')
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's/[0-9]{12}/[REDACTED_AWS_ACCOUNT_ID]/g')
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.lambda\.amazonaws\.com/[a-zA-Z0-9/._-]+#[REDACTED_LAMBDA_URL]#g')
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E 's#https://[a-zA-Z0-9.-]+\.execute-api\.[a-zA-Z0-9.-]+\.amazonaws\.com/[a-zA-Z0-9/._-]*#[REDACTED_API_GATEWAY_URL]#g')
PLAN_FULL=$(echo "$PLAN_FULL" | sed -E '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/s/.*/[REDACTED_PEM_CERT]/')
echo "PLAN<<EOF" >> $GITHUB_ENV
echo "${PLAN_FULL::$LENGTH}" >> $GITHUB_ENV
[ ${#PLAN_FULL} -gt $LENGTH ] && echo "(truncated - see workflow logs for full output)" >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
working-directory: ./infrastructure
shell: bash
- name: Add PR comment
uses: actions/github-script@v8
if: github.event_name == 'pull_request' && (success() || failure())
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
// 1. Retrieve existing bot comments for the PR
const { data: comments } = await github.rest.issues.listComments({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.issue.number,
})
const botComment = comments.find(comment => {
return comment.user.type === 'Bot' && comment.body.includes('Report for environment: ndr-dev')
})
// 2. Prepare format of the comment
const output = `### Report for environment: ndr-dev
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
<details><summary>Initialization Output</summary>
\`\`\`\n
${{ steps.init.outputs.stdout }}
\`\`\`
</details>
#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
<details><summary>Validation Output</summary>
\`\`\`\n
${{ steps.validate.outputs.stdout }}
\`\`\`
</details>
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan (${{ steps.plan.outputs.summary }})</summary>
\`\`\`\n
${{ env.PLAN }}
\`\`\`
</details>`;
// 3. If we have a comment, update it, otherwise create a new one
if (botComment) {
github.rest.issues.deleteComment({
owner: context.repo.owner,
repo: context.repo.repo,
comment_id: botComment.id,
body: output
})
}
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
# Terraform apply will only occur on a push (merge request completion)
- name: Terraform Apply
if: github.ref == 'refs/heads/main'
run: terraform apply -auto-approve -input=false tf.plan
working-directory: ./infrastructure
run_main_repo_deploy_lambdas:
name: Deploy Lambdas on NDR Functional Repo
needs: ['terraform_process']
if: github.ref == 'refs/heads/main'
uses: NHSDigital/national-document-repository/.github/workflows/lambdas-dev-to-main-ci.yml@main
secrets:
AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
run_main_repo_deploy_ui:
name: Deploy UI on NDR Functional Repo
needs: ['terraform_process']
if: github.ref == 'refs/heads/main'
uses: NHSDigital/national-document-repository/.github/workflows/ui-dev-to-main-ci.yml@main
secrets:
AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}