Skip to content

Commit 1e414d1

Browse files
chrisbloechrisbloe
authored
Merge branch 'main' into PRM-741
2 parents 20bdf03 + 01b2d21 commit 1e414d1

56 files changed

Lines changed: 1471 additions & 193 deletions

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/actions/tf-plan-apply/action.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,7 @@ inputs:
2222
terraform_version:
2323
description: "Terraform version to use"
2424
required: false
25-
default: "1.14.5"
25+
default: "1.14.6"
2626

2727
working_directory:
2828
description: "Terraform working directory"
@@ -56,15 +56,15 @@ runs:
5656
using: "composite"
5757
steps:
5858
- name: Configure AWS Credentials
59-
uses: aws-actions/configure-aws-credentials@v5
59+
uses: aws-actions/configure-aws-credentials@v6
6060
with:
6161
role-to-assume: ${{ inputs.aws_assume_role }}
6262
role-skip-session-tagging: true
6363
aws-region: ${{ inputs.aws_region }}
6464
mask-aws-account-id: true
6565

6666
- name: Setup Terraform
67-
uses: hashicorp/setup-terraform@v3
67+
uses: hashicorp/setup-terraform@v4
6868
with:
6969
terraform_version: ${{ inputs.terraform_version }}
7070
terraform_wrapper: false

.github/workflows/automated-deploy-dev.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -50,17 +50,17 @@ jobs:
5050
uses: actions/checkout@v6
5151

5252
- name: Configure AWS Credentials
53-
uses: aws-actions/configure-aws-credentials@v5
53+
uses: aws-actions/configure-aws-credentials@v6
5454
with:
5555
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
5656
role-skip-session-tagging: true
5757
aws-region: ${{ vars.AWS_REGION }}
5858
mask-aws-account-id: true
5959

6060
- name: Setup Terraform
61-
uses: hashicorp/setup-terraform@v3
61+
uses: hashicorp/setup-terraform@v4
6262
with:
63-
terraform_version: 1.14.5
63+
terraform_version: 1.14.6
6464
terraform_wrapper: true
6565

6666
- name: Initialise Terraform
@@ -256,7 +256,7 @@ jobs:
256256
if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
257257
steps:
258258
- name: Configure AWS Credentials
259-
uses: aws-actions/configure-aws-credentials@v5
259+
uses: aws-actions/configure-aws-credentials@v6
260260
with:
261261
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
262262
role-skip-session-tagging: true

.github/workflows/automated-sonarqube-cloud-analysis.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ jobs:
3535
if: failure() && github.event_name == 'push' && github.ref == 'refs/heads/main'
3636
steps:
3737
- name: Configure AWS Credentials
38-
uses: aws-actions/configure-aws-credentials@v5
38+
uses: aws-actions/configure-aws-credentials@v6
3939
with:
4040
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
4141
role-skip-session-tagging: true

.github/workflows/base-cleanup-lambda-edge.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ jobs:
4343
python-version: 3.11
4444

4545
- name: Configure AWS Credentials for ${{ vars.AWS_REGION }}
46-
uses: aws-actions/configure-aws-credentials@v5
46+
uses: aws-actions/configure-aws-credentials@v6
4747
with:
4848
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
4949
role-skip-session-tagging: true
@@ -69,7 +69,7 @@ jobs:
6969
if: env.DISTRIBUTION_ID != ''
7070
run: |
7171
python3 -m venv ./venv
72-
./venv/bin/pip3 install --upgrade pip boto3==1.42.1
72+
./venv/bin/pip3 install --upgrade pip boto3==1.42.59
7373
7474
- name: Remove Lambda@Edge & CloudFront Associations
7575
if: env.DISTRIBUTION_ID != ''

.github/workflows/base-cleanup-workspace.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -46,10 +46,10 @@ jobs:
4646
run: |
4747
python3 -m venv ./venv
4848
./venv/bin/pip3 install --upgrade pip
49-
./venv/bin/pip3 install boto3==1.42.1
49+
./venv/bin/pip3 install boto3==1.42.59
5050
5151
- name: Configure AWS Credentials
52-
uses: aws-actions/configure-aws-credentials@v5
52+
uses: aws-actions/configure-aws-credentials@v6
5353
with:
5454
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
5555
role-skip-session-tagging: true

.github/workflows/cron-daily-health-check.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -103,15 +103,15 @@ jobs:
103103
CYPRESS_BASE_URL: http://localhost:3000
104104

105105
- name: Upload Artifacts (Screenshots)
106-
uses: actions/upload-artifact@v6
106+
uses: actions/upload-artifact@v7
107107
if: failure()
108108
with:
109109
name: cypress-screenshots-chrome
110110
path: /home/runner/work/national-document-repository/national-document-repository/app/cypress/screenshots
111111
if-no-files-found: ignore
112112

113113
- name: Upload Artifacts (Videos)
114-
uses: actions/upload-artifact@v6
114+
uses: actions/upload-artifact@v7
115115
if: failure()
116116
with:
117117
name: cypress-videos-chrome
@@ -173,7 +173,7 @@ jobs:
173173
if: failure()
174174
steps:
175175
- name: Configure AWS Credentials
176-
uses: aws-actions/configure-aws-credentials@v5
176+
uses: aws-actions/configure-aws-credentials@v6
177177
with:
178178
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
179179
role-skip-session-tagging: true

.github/workflows/cron-tear-down-sandbox.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21,7 +21,7 @@ jobs:
2121
ref: main
2222

2323
- name: Configure AWS Credentials
24-
uses: aws-actions/configure-aws-credentials@v5
24+
uses: aws-actions/configure-aws-credentials@v6
2525
with:
2626
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
2727
role-skip-session-tagging: true

.github/workflows/cron-tear-down-test.yml

Lines changed: 42 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ jobs:
1818
sandbox_name: ndr-test
1919
environment: test
2020
secrets:
21-
AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
21+
AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
2222

2323
cleanup_versions:
2424
name: Cleanup Versions
@@ -28,7 +28,7 @@ jobs:
2828
sandbox_name: ndr-test
2929
environment: test
3030
secrets:
31-
AWS_ASSUME_ROLE: ${{ secrets.AWS_ASSUME_ROLE }}
31+
AWS_ASSUME_ROLE: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
3232

3333
terraform_destroy_process:
3434
name: Destroy Test Environment
@@ -46,17 +46,18 @@ jobs:
4646
ref: main
4747

4848
- name: Configure AWS Credentials
49-
uses: aws-actions/configure-aws-credentials@v5
49+
uses: aws-actions/configure-aws-credentials@v6
5050
with:
51-
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
51+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_WORKSPACE }}-github-actions-role
5252
role-skip-session-tagging: true
5353
aws-region: ${{ vars.AWS_REGION }}
5454
mask-aws-account-id: true
5555

56+
5657
- name: Setup Terraform
57-
uses: hashicorp/setup-terraform@v3
58+
uses: hashicorp/setup-terraform@v4
5859
with:
59-
terraform_version: 1.14.5
60+
terraform_version: 1.14.6
6061
terraform_wrapper: false
6162

6263
- name: Initialise Terraform
@@ -100,3 +101,38 @@ jobs:
100101
id: destroy
101102
run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}"
102103
working-directory: ./infrastructure
104+
105+
terraform_destroy_base_iam:
106+
name: Terraform Destroy base_iam
107+
runs-on: ubuntu-latest
108+
needs: [terraform_destroy_process]
109+
environment: test
110+
steps:
111+
- name: Checkout
112+
uses: actions/checkout@v6
113+
with:
114+
ref: main
115+
116+
- name: Configure AWS Credentials
117+
uses: aws-actions/configure-aws-credentials@v5
118+
with:
119+
role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/test-github-bootstrap
120+
aws-region: ${{ vars.AWS_REGION }}
121+
mask-aws-account-id: true
122+
123+
- name: Setup Terraform
124+
uses: hashicorp/setup-terraform@v3
125+
with:
126+
terraform_version: 1.14.3
127+
128+
- name: Initialise Terraform
129+
run: terraform init -backend-config=bucket=${{ secrets.AWS_WORKSPACE }}-terraform-state-${{ secrets.AWS_ACCOUNT_ID }}
130+
working-directory: ./base_iam
131+
132+
- name: Select Terraform Workspace
133+
run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
134+
working-directory: ./base_iam
135+
136+
- name: Run Terraform Destroy
137+
run: terraform destroy -auto-approve -var-file="${{ vars.TF_VARS_FILE }}" -var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}
138+
working-directory: ./base_iam

.github/workflows/deploy-pre-prod.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
name: "Deploy - Pre-prod"
22

3-
run-name: "${{ github.event.inputs.branch_or_tag }}"
3+
run-name: "${{ inputs.branch_or_tag }}"
44

55
on:
66
workflow_dispatch:
@@ -21,18 +21,18 @@ jobs:
2121
name: Tag main
2222
runs-on: ubuntu-latest
2323
outputs:
24-
version: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
24+
version: ${{ steps.versioning.outputs.tag || inputs.branch_or_tag }}
2525
permissions: write-all
2626
steps:
2727
- name: Checkout main
28-
if: ${{ github.event.inputs.branch_or_tag == 'main' }}
28+
if: ${{ inputs.branch_or_tag == 'main' }}
2929
uses: actions/checkout@v6
3030
with:
3131
ref: main
3232
fetch-depth: "0"
3333

3434
- name: Bump version and push tag
35-
if: ${{ github.event.inputs.branch_or_tag == 'main' }}
35+
if: ${{ inputs.branch_or_tag == 'main' }}
3636
id: versioning
3737
uses: anothrNick/github-tag-action@1.64.0
3838
env:
@@ -42,7 +42,7 @@ jobs:
4242

4343
- name: View outputs
4444
run: |
45-
echo Tag to deploy: ${{ steps.versioning.outputs.tag || github.event.inputs.branch_or_tag }}
45+
echo Tag to deploy: ${{ steps.versioning.outputs.tag || inputs.branch_or_tag }}
4646
4747
terraform_plan_apply_base_iam:
4848
name: Terraform Plan/Apply base-iam (pre-prod)

.github/workflows/deploy-prod.yml

Lines changed: 34 additions & 40 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
name: "Deploy - Prod"
22

3-
run-name: "${{ github.event.inputs.git_tag }}"
3+
run-name: "${{ inputs.git_tag }}"
44

55
on:
66
workflow_dispatch:
@@ -16,54 +16,48 @@ permissions:
1616
contents: read # This is required for actions/checkout
1717

1818
jobs:
19-
terraform_plan_apply:
20-
name: Terraform Plan/Apply (prod)
19+
terraform_plan_apply_base_iam:
20+
name: Terraform Plan/Apply base-iam (prod)
2121
runs-on: ubuntu-latest
2222
environment: prod
2323
steps:
24-
- name: Checkout Tag
24+
- name: Checkout
2525
uses: actions/checkout@v6
2626
with:
2727
ref: refs/tags/${{ github.event.inputs.git_tag}}
2828
fetch-depth: "0"
2929

30-
- name: Configure AWS Credentials
31-
uses: aws-actions/configure-aws-credentials@v5
30+
- name: Apply base_iam
31+
uses: ./.github/actions/tf-plan-apply
3232
with:
33-
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE }}
34-
role-skip-session-tagging: true
35-
aws-region: ${{ vars.AWS_REGION }}
36-
mask-aws-account-id: true
33+
aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/prod-github-bootstrap
34+
bucket_prefix: "prod"
35+
aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
36+
aws_region: ${{ vars.AWS_REGION }}
37+
working_directory: "./base_iam" # Use separate base_iam directory
38+
workspace: ${{ secrets.AWS_WORKSPACE }}
39+
tf_vars_file: ${{ vars.TF_VARS_FILE }}
40+
tf_extra_args: "-var aws_account_id=${{ secrets.AWS_ACCOUNT_ID }}"
3741

38-
- name: Setup Terraform
39-
uses: hashicorp/setup-terraform@v3
42+
terraform_plan_apply:
43+
name: Terraform Plan/Apply (prod)
44+
needs: ["terraform_plan_apply_base_iam"]
45+
runs-on: ubuntu-latest
46+
environment: prod
47+
steps:
48+
- name: Checkout Tag
49+
uses: actions/checkout@v6
4050
with:
41-
terraform_version: 1.14.5
42-
terraform_wrapper: false
43-
44-
- name: Initialise Terraform
45-
id: init
46-
run: terraform init -backend-config=backend-prod.conf
47-
working-directory: ./infrastructure
48-
shell: bash
49-
50-
- name: Select Terraform Workspace
51-
id: workspace
52-
run: terraform workspace select ${{ secrets.AWS_WORKSPACE }}
53-
working-directory: ./infrastructure
54-
shell: bash
55-
56-
- name: Check Terraform Formatting
57-
run: terraform fmt -check
58-
working-directory: ./infrastructure
59-
60-
- name: Run Terraform Plan
61-
id: plan
62-
run: |
63-
terraform plan -input=false -no-color -var-file="${{vars.TF_VARS_FILE}}" -out tf.plan
64-
working-directory: ./infrastructure
65-
shell: bash
51+
ref: refs/tags/${{ inputs.git_tag}}
52+
fetch-depth: "0"
6653

67-
- name: Run Terraform Apply
68-
run: terraform apply -auto-approve -input=false tf.plan
69-
working-directory: ./infrastructure
54+
- name: Apply Main
55+
uses: ./.github/actions/tf-plan-apply
56+
with:
57+
# use newly updated role
58+
aws_assume_role: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/prod-github-actions-role
59+
bucket_prefix: "prod"
60+
aws_account_id: ${{ secrets.AWS_ACCOUNT_ID }}
61+
aws_region: ${{ vars.AWS_REGION }}
62+
workspace: ${{ secrets.AWS_WORKSPACE }}
63+
tf_vars_file: ${{ vars.TF_VARS_FILE }}

0 commit comments

Comments
 (0)