CCM-12722 Digital Letters initial workflows and infra (#70)

* CCM-12722 Digital Letters initial workflows and infra

* CCM-12722 Drop example lambda

* CCM-12722 Drop example lambda

* CCM-12722 Digital Letters initial workflows and infra

* CCM-12722 Digital Letters initial workflows and infra

* CCM-12722 Digital Letters initial workflows and infra

Author: aidenvaines-cgi

.github/workflows/cicd-1-pull-request.yaml

@@ -11,6 +11,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: write
+
 jobs:
   metadata:
     name: "Set CI/CD metadata"
@@ -27,6 +31,7 @@ jobs:
       version: ${{ steps.variables.outputs.version }}
       is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
+      pr_number: ${{ steps.pr_exists.outputs.pr_number }}
     steps:
       - name: "Checkout code"
         uses: actions/checkout@v5
@@ -53,13 +58,20 @@ jobs:
         run: |
           branch_name=${GITHUB_HEAD_REF:-$(echo $GITHUB_REF | sed 's#refs/heads/##')}
           echo "Current branch is '$branch_name'"
-          if gh pr list --head $branch_name | grep -q .; then
-            echo "Pull request exists"
+
+          pr_json=$(gh pr list --head "$branch_name" --state open --json number --limit 1)
+          pr_number=$(echo "$pr_json" | jq -r '.[0].number // empty')
+
+          if [[ -n "$pr_number" ]]; then
+            echo "Pull request exists: #$pr_number"
             echo "does_pull_request_exist=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$pr_number" >> $GITHUB_OUTPUT
           else
             echo "Pull request doesn't exist"
             echo "does_pull_request_exist=false" >> $GITHUB_OUTPUT
+            echo "pr_number=" >> $GITHUB_OUTPUT
           fi
+
       - name: "List variables"
         run: |
           export BUILD_DATETIME_LONDON="${{ steps.variables.outputs.build_datetime_london }}"
@@ -113,6 +125,29 @@ jobs:
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
     secrets: inherit
+  pr-create-dynamic-environment:
+    name: Trigger dynamic environment creation
+    needs: [metadata, build-stage]
+    runs-on: ubuntu-latest
+    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
+    steps:
+      - uses: actions/checkout@v5.0.0
+      - name: Trigger dynamic environment creation
+        env:
+          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+        shell: bash
+        run: |
+          .github/scripts/dispatch_internal_repo_workflow.sh \
+            --infraRepoName "$(echo ${{ github.repository }} | cut -d'/' -f2)" \
+            --releaseVersion "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            --targetWorkflow "dispatch-deploy-dynamic-env.yaml" \
+            --targetEnvironment "pr${{ needs.metadata.outputs.pr_number }}" \
+            --targetComponent "dl" \
+            --targetAccountGroup "nhs-notify-digital-letters-dev" \
+            --terraformAction "apply" \
+            --overrideProjectName "nhs" \
+            --overrideRoleName "nhs-main-acct-digital-letters-github-deploy" \
+            --overrides "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"
   acceptance-stage: # Recommended maximum execution time is 10 minutes
     name: "Acceptance stage"
     needs: [metadata, build-stage]

.github/workflows/pr_closed.disabled .github/workflows/pr_closed.yaml.github/workflows/pr_closed.disabled renamed to .github/workflows/pr_closed.yaml

@@ -1,5 +1,3 @@
-## This workflow is DISABLED.
-## To enable, rename from .disabled to .yaml and replace any references as per the comments.
 name: PR Closed
 
 on:
@@ -46,7 +44,7 @@ jobs:
     strategy:
       max-parallel: 1
       matrix:
-        component: [acct, app]
+        component: [dl]
 
     steps:
       - name: Checkout repository
@@ -58,8 +56,8 @@ jobs:
         run: |
           bash .github/scripts/dispatch_internal_repo_workflow.sh \
             --releaseVersion "main" \
-            --targetWorkflow "dispatch-deploy-static-notify-bounded-context-env.yaml" ## Replace with correct targetWorkflow \
+            --targetWorkflow "dispatch-deploy-static-notify-digital-letters-env.yaml" \
             --targetEnvironment "main" \
-            --targetAccountGroup "nhs-notify-bounded-context-dev" ## Replace with correct targetAccountGroup \
+            --targetAccountGroup "nhs-notify-digital-letters-dev" \
             --targetComponent "${{ matrix.component }}" \
             --terraformAction "apply"

.github/workflows/pr_create_dynamic_env.disabled

@@ -0,0 +1,33 @@
+name: PR Destroy Environment
+
+on:
+  pull_request:
+    types: [closed]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  create-dynamic-environment:
+    name: Destroy Dynamic Environment
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v5.0.0
+      - name: Trigger dynamic environment creation
+        env:
+          PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+        shell: bash
+        run: |
+          .github/scripts/dispatch_internal_repo_workflow.sh \
+            --infraRepoName "$(echo ${{ github.repository }} | cut -d'/' -f2)" \
+            --releaseVersion "${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" \
+            --targetWorkflow "dispatch-deploy-dynamic-env.yaml" \
+            --targetEnvironment "pr${{ github.event.number }}" \
+            --targetComponent "dl" \
+            --targetAccountGroup "nhs-notify-digital-letters-dev" \
+            --terraformAction "destroy" \
+            --overrideProjectName "nhs" \
+            --overrideRoleName "nhs-main-acct-digital-letters-github-deploy" \
+            --overrides "branch_name=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}"

.github/workflows/pr_destroy_dynamic_env.disabled

@@ -1,5 +1,3 @@
-## This workflow is DISABLED.
-## To enable, rename from .disabled to .yaml and replace any references as per the comments.
 name: Github Release Created
 
 on:
@@ -22,20 +20,30 @@ jobs:
     strategy:
       max-parallel: 1
       matrix:
-        component: [component1, component2] ## Replace with correct components
+        component: [dl]
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5.0.0
 
-      - name: Updating Main Environment
+      - name: Deploy Nonprod Environment
         env:
           PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
         run: |
           bash .github/scripts/dispatch_internal_repo_workflow.sh \
             --releaseVersion "${{ github.event.release.tag_name }}" \
-            --targetWorkflow "dispatch-deploy-static-notify-bounded-context-env.yaml" ## Replace with correct targetWorkflow \
+            --targetWorkflow "dispatch-deploy-static-notify-digital-letters-env.yaml" \
             --targetEnvironment "main" \
-            --targetAccountGroup "nhs-notify-bounded-context-nonprod" ## Replace with correct targetAccountGroup \
+            --targetAccountGroup "nhs-notify-digital-letters-nonprod" \
             --targetComponent "${{ matrix.component }}" \
             --terraformAction "apply"
+
+  acceptance-stage:
+    name: "Acceptance stage"
+    needs: [deploy-main]
+    uses: ./.github/workflows/stage-4-acceptance.yaml
+    secrets:
+      PR_TRIGGER_PAT: ${{ secrets.PR_TRIGGER_PAT }}
+    with:
+      target_environment: "main"
+      target_account_group: nhs-notify-digital-letters-nonprod

.github/workflows/pr_destroy_dynamic_env.yaml

@@ -0,0 +1 @@
+terraform 1.10.1

…ithub/workflows/release_created.disabled .github/workflows/release_created.yaml.github/workflows/release_created.disabled renamed to .github/workflows/release_created.yaml .github/workflows/release_created.disabled renamed to .github/workflows/release_created.yaml

@@ -10,17 +10,24 @@ No requirements.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_aws_account_id"></a> [aws\_account\_id](#input\_aws\_account\_id) | The AWS Account ID (numeric) | `string` | n/a | yes |
-| <a name="input_component"></a> [component](#input\_component) | The variable encapsulating the name of this component | `string` | `"examplecomponent"` | no |
 | <a name="input_default_tags"></a> [default\_tags](#input\_default\_tags) | A map of default tags to apply to all taggable resources within the component | `map(string)` | `{}` | no |
 | <a name="input_environment"></a> [environment](#input\_environment) | The name of the tfscaffold environment | `string` | n/a | yes |
 | <a name="input_force_lambda_code_deploy"></a> [force\_lambda\_code\_deploy](#input\_force\_lambda\_code\_deploy) | If the lambda package in s3 has the same commit id tag as the terraform build branch, the lambda will not update automatically. Set to True if making changes to Lambda code from on the same commit for example during development | `bool` | `false` | no |
 | <a name="input_group"></a> [group](#input\_group) | The group variables are being inherited from (often synonmous with account short-name) | `string` | n/a | yes |
+| <a name="input_kms_deletion_window"></a> [kms\_deletion\_window](#input\_kms\_deletion\_window) | When a kms key is deleted, how long should it wait in the pending deletion state? | `string` | `"30"` | no |
+| <a name="input_log_level"></a> [log\_level](#input\_log\_level) | The log level to be used in lambda functions within the component. Any log with a lower severity than the configured value will not be logged: https://docs.python.org/3/library/logging.html#levels | `string` | `"INFO"` | no |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days) | The retention period in days for the Cloudwatch Logs events to be retained, default of 0 is indefinite | `number` | `0` | no |
+| <a name="input_mesh_poll_schedule"></a> [mesh\_poll\_schedule](#input\_mesh\_poll\_schedule) | Schedule to poll MESH for messages | `string` | `"cron(0,30 8-16 ? * MON-FRI *)"` | no |
+| <a name="input_parent_acct_environment"></a> [parent\_acct\_environment](#input\_parent\_acct\_environment) | Name of the environment responsible for the acct resources used, affects things like DNS zone. Useful for named dev environments | `string` | `"main"` | no |
 | <a name="input_project"></a> [project](#input\_project) | The name of the tfscaffold project | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The AWS Region | `string` | n/a | yes |
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms"></a> [kms](#module\_kms) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.20/terraform-kms.zip | n/a |
+| <a name="module_mesh_poll"></a> [mesh\_poll](#module\_mesh\_poll) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-lambda.zip | n/a |
+| <a name="module_s3bucket_letters"></a> [s3bucket\_letters](#module\_s3bucket\_letters) | https://github.com/NHSDigital/nhs-notify-shared-modules/releases/download/v2.0.24/terraform-s3bucket.zip | n/a |
 ## Outputs
 
 No outputs.

infrastructure/terraform/components/dl/.tool-versions

@@ -0,0 +1,29 @@
+resource "aws_cloudwatch_event_bus" "main" {
+  name = "${local.csi}"
+
+  kms_key_identifier = module.kms.key_id
+
+  log_config {
+    include_detail = "FULL"
+    level          = "TRACE"
+  }
+}
+
+# CloudWatch Log Delivery Sources for INFO, ERROR, and TRACE logs
+resource "aws_cloudwatch_log_delivery_source" "main_info_logs" {
+  name         = "EventBusSource-${aws_cloudwatch_event_bus.main.name}-INFO_LOGS"
+  log_type     = "INFO_LOGS"
+  resource_arn = aws_cloudwatch_event_bus.main.arn
+}
+
+resource "aws_cloudwatch_log_delivery_source" "main_error_logs" {
+  name         = "EventBusSource-${aws_cloudwatch_event_bus.main.name}-ERROR_LOGS"
+  log_type     = "ERROR_LOGS"
+  resource_arn = aws_cloudwatch_event_bus.main.arn
+}
+
+resource "aws_cloudwatch_log_delivery_source" "main_trace_logs" {
+  name         = "EventBusSource-${aws_cloudwatch_event_bus.main.name}-TRACE_LOGS"
+  log_type     = "TRACE_LOGS"
+  resource_arn = aws_cloudwatch_event_bus.main.arn
+}

…rm/components/examplecomponent/README.md …ucture/terraform/components/dl/README.mdinfrastructure/terraform/components/examplecomponent/README.md renamed to infrastructure/terraform/components/dl/README.md infrastructure/terraform/components/examplecomponent/README.md renamed to infrastructure/terraform/components/dl/README.md

@@ -0,0 +1,28 @@
+resource "aws_cloudwatch_log_delivery_destination" "event_bus" {
+  name = "EventsDeliveryDestination-${aws_cloudwatch_event_bus.main.name}"
+
+  delivery_destination_configuration {
+    destination_resource_arn = aws_cloudwatch_log_group.event_bus.arn
+  }
+}
+
+resource "aws_cloudwatch_log_delivery" "events_info_logs" {
+  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.event_bus.arn
+  delivery_source_name     = aws_cloudwatch_log_delivery_source.main_info_logs.name
+}
+
+resource "aws_cloudwatch_log_delivery" "events_error_logs" {
+  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.event_bus.arn
+  delivery_source_name     = aws_cloudwatch_log_delivery_source.main_error_logs.name
+  depends_on = [
+    aws_cloudwatch_log_delivery.events_info_logs
+  ]
+}
+
+resource "aws_cloudwatch_log_delivery" "events_trace_logs" {
+  delivery_destination_arn = aws_cloudwatch_log_delivery_destination.event_bus.arn
+  delivery_source_name     = aws_cloudwatch_log_delivery_source.main_trace_logs.name
+  depends_on = [
+    aws_cloudwatch_log_delivery.events_error_logs
+  ]
+}