Update: [AEA-5930] - Copy Documents from INT to other environments (#278)

## Summary

Copies documents from INT to other environments

### Details
- Downloads S3 documents from INT 
- Check if the files exist in the destination environment's S3 (dev, qa,
prod, pr)
- Upload S3 documents to destination environment's S3

---------

Co-authored-by: bencegadanyi1-nhs <bence.gadanyi1@nhs.net>

Author: kieran-wilkinson-4

.gitallowed

@@ -34,3 +34,4 @@ client = WebClient\(token=slack_event_data\["bot_token"\]\)
 context accountId=123456789012
 .*:sample_docs/.*
 token = get_bot_token\(\)
+"AWS_ACCOUNT_ID": "123456789012"

.github/actions/sync_documents/action.yml

@@ -0,0 +1,82 @@
+name: "Document Sync"
+description: "Sync Documents between INT and a target Environment"
+inputs:
+  TARGET_ENVIRONMENT:
+    required: true
+    description: "The Environment to Copy Files into (e.g., DEV, PROD)"
+  STACK:
+    required: false
+    description: "The stack being deployed (ie., 'epsam' or 'epsam-pr-123')"
+    default: "epsam"
+  INT_CLOUD_FORMATION_DEPLOY_ROLE:
+    required: true
+    description: "The role to assume for the source (INT) account"
+  TARGET_CLOUD_FORMATION_DEPLOY_ROLE:
+    required: true
+    description: "The role to assume for the target account"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Connect to Source Account (INT)
+      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
+      with:
+        aws-region: eu-west-2
+        role-to-assume: ${{ inputs.INT_CLOUD_FORMATION_DEPLOY_ROLE }}
+        role-session-name: epsam-document-sync-source
+
+    - name: Find Source Bucket by Partial Name
+      id: find-source-bucket
+      shell: bash
+      working-directory: .github/scripts
+      env:
+        STACK: "epsam"
+      run: ./find_s3_bucket.sh
+
+    - name: Download all Files from Source Bucket
+      shell: bash
+      run: |
+        mkdir -p ./s3-content
+        aws s3 sync s3://${{ steps.find-source-bucket.outputs.BUCKET_NAME }} ./s3-content
+
+    - name: Connect to Target Account
+      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708
+      with:
+        aws-region: eu-west-2
+        role-to-assume: ${{ inputs.TARGET_CLOUD_FORMATION_DEPLOY_ROLE }}
+        role-session-name: epsam-document-sync-target
+
+    - name: Find Destination Bucket by Partial Name
+      id: find-destination-bucket
+      shell: bash
+      working-directory: .github/scripts
+      env:
+        STACK: ${{ inputs.STACK }}
+      run: ./find_s3_bucket.sh
+
+    - name: Check Discrepancies
+      id: compare
+      shell: bash
+      run: |
+        printf "\n"
+        echo "Comparing local files with s3://${{ steps.find-destination-bucket.outputs.BUCKET_NAME }}..."
+        DIFFS=$(aws s3 sync ./s3-content s3://${{ steps.find-destination-bucket.outputs.BUCKET_NAME }} --dryrun)
+
+        if [ -z "$DIFFS" ]; then
+          echo -e "\033[0;32m✔ NO DISCREPANCIES FOUND.\033[0m"
+        else
+          echo -e "\033[0;33m⚠ WARNING: DISCREPANCIES FOUND:" 
+
+          echo "$DIFFS" 
+          echo "--------------------------------------------------\033[0m"
+
+          CLEAN_DIFFS="${DIFFS//$'\n'/'%0A'}"
+          echo "::warning title=Discrepancy Found in ${{ inputs.TARGET_ENVIRONMENT }}::$CLEAN_DIFFS"
+        fi
+        printf "\n"
+
+    - name: Upload Files to Target S3
+      shell: bash
+      run: |
+        echo "Updating s3://${{ steps.find-destination-bucket.outputs.BUCKET_NAME }}..."
+        aws s3 sync ./s3-content s3://${{ steps.find-destination-bucket.outputs.BUCKET_NAME }} --delete

.github/scripts/find_s3_bucket.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+echo "Searching for bucket in CloudFormation exports..."
+
+# Ensure the STACK variable is present
+if [ -z "$STACK" ]; then
+  echo "Error: The STACK environment variable is not set."
+  exit 1
+fi
+
+echo "Searching for bucket in CloudFormation exports for stack prefix: $STACK..."
+
+# List buckets and filter using JMESPath
+# We use 'tail -n 1' or 'awk' to ensure we only get one result if multiple match
+BUCKET_NAME=$(aws cloudformation list-exports --query "Exports[?Name=='${STACK}:kbDocsBucket:Name'].Value" --output text)
+
+if [ -z "$BUCKET_NAME" ] || [ "$BUCKET_NAME" == "None" ]; then
+  echo "Error: No bucket found matching '$PARTIAL_NAME'"
+  exit 1
+fi
+
+echo "Success: Found bucket '$BUCKET_NAME'"
+
+# This special syntax tells GitHub Actions to set an output variable
+echo "BUCKET_NAME=$BUCKET_NAME" >> "$GITHUB_OUTPUT"

.github/workflows/release_all_stacks.yml

@@ -61,6 +61,10 @@ on:
         required: false
       DEV_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE:
         required: false
+      INT_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE:
+        required: false
+      PROD_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE:
+        required: false
       REGRESSION_TESTS_PEM:
         required: false
       SLACK_BOT_TOKEN:
@@ -186,6 +190,24 @@ jobs:
           cdk-utils-build-repo:latest
         shell: bash
 
+      - name: Normalize Environment Name
+        if: ${{ inputs.TARGET_ENVIRONMENT != 'int' && (inputs.DEPLOY_CODE == true || inputs.IS_PULL_REQUEST == true) }}
+        run: |
+          # Convert TARGET_ENVIRONMENT to Uppercase (e.g., 'prod' -> 'PROD')
+          VAL=$(echo "$TARGET_ENVIRONMENT" | tr '[:lower:]' '[:upper:]')
+          echo "UPPER_TARGET_ENVIRONMENT=$VAL" >> "$GITHUB_OUTPUT"
+        env:
+          TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }}
+
+      - name: Sync Documents
+        uses: ./.github/actions/sync_documents
+        if: ${{ inputs.TARGET_ENVIRONMENT != 'int' && (inputs.DEPLOY_CODE == true || inputs.IS_PULL_REQUEST == true) }}
+        with: 
+          TARGET_ENVIRONMENT: ${{ inputs.TARGET_ENVIRONMENT }}
+          STACK: ${{ inputs.STACK_NAME }}
+          INT_CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets.INT_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE }}
+          TARGET_CLOUD_FORMATION_DEPLOY_ROLE: ${{ secrets[format('{0}_CLOUD_FORMATION_EXECUTE_LAMBDA_ROLE', github.event.inputs.UPPER_TARGET_ENVIRONMENT)] }}
+
       - name: create_int_release_notes
         uses: ./.github/actions/update_confluence_jira
         if: ${{ inputs.CREATE_INT_RELEASE_NOTES == true && always() && !failure() && !cancelled() }}