From 2f04997645311e7b21bb98c9ae760768d145a60a Mon Sep 17 00:00:00 2001
From: jack-nhs
Date: Fri, 22 Aug 2025 15:09:13 +0100
Subject: [PATCH 1/4] Adds cicd and base deployment workflows
---
 .github/workflows/base-deployment.yml | 96 +++++++++++++++++++++++++++
 .github/workflows/ci-cd.yml | 22 ++++++
 2 files changed, 118 insertions(+)
 create mode 100644 .github/workflows/base-deployment.yml
 create mode 100644 .github/workflows/ci-cd.yml
diff --git a/.github/workflows/base-deployment.yml b/.github/workflows/base-deployment.yml
new file mode 100644
index 00000000..1f5569f8
--- /dev/null
+++ b/.github/workflows/base-deployment.yml
@@ -0,0 +1,96 @@ +on: + workflow_call: + inputs: + environment: + description: "Which Environment settings to use" + required: true + type: string + default: "dev" + is_deployment: + description: "Do you want to run Terraform Apply" + type: boolean + default: false + build_id: + description: "Which docker image tag to use" + type: string + default: "2.0.1" + + workflow_dispatch: + inputs: + environment: + description: "Which Environment settings to use" + required: true + type: choice + options: + - dev + - pre-prod + - prod + is_deployment: + description: "Do you want to run Terraform Apply" + type: boolean + default: false + build_id: + description: "Which docker image tag to use" + type: string + default: "2.0.1" + +name: Base Plan and Apply + +permissions: + contents: read + id-token: write + pull-requests: write + +jobs: + plan: + name: Terraform Plan and Apply + runs-on: ubuntu-latest + environment: ${{ inputs.environment == 'dev' && 'dev' || inputs.is_deployment && format('{0}-apply.tfvars', inputs.environment) || inputs.environment }} + defaults: + run: + working-directory: ./terraform + steps: + - name: Set up git repo + uses: actions/checkout@v4 + + - name: Set up Terraform + uses: hashicorp/setup-terraform@v3 + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + aws-region: eu-west-2 + + - name: terraform fmt + id: fmt + working-directory: ./ + run: terraform fmt -recursive -check + + - name: terraform init + id: init + run: terraform init -no-color -upgrade -backend-config="bucket=${{ secrets.TF_BACKEND_BUCKET }}" -backend-config="key=${{ secrets.TF_BACKEND_KEY }}" -backend-config="dynamodb_table=${{ secrets.TF_BACKEND_DYNAMODB_TABLE }}" + + - name: terraform validate + id: validate + run: terraform validate -no-color + + ##Repo Specific## + - name: Setup Terraform variables + id: vars + run: |- + cat > pipeline.auto.tfvars < Date: Fri, 22 Aug 2025 15:16:15 +0100 
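Review bot: `terraform init -upgrade` in the `terraform init` step tells Terraform to ignore the provider versions and hashes recorded in `.terraform.lock.hcl` and pull the newest releases the constraints allow, so every plan/apply from this workflow may run against provider builds nobody reviewed; drop `-upgrade` from that `run:` line and let the committed lock file pin providers, upgrading deliberately in a separate change. The three actions (`actions/checkout@v4`, `hashicorp/setup-terraform@v3`, `aws-actions/configure-aws-credentials@v4`) are referenced by mutable major tags, and since this job obtains cloud credentials via `id-token: write` and `secrets.IAM_ROLE`, pinning each to a full commit SHA with the tag in a trailing comment limits what a moved tag could do. `permissions` also grants `pull-requests: write`, yet none of the visible steps touch a PR; if the truncated remainder does not either, reduce it to `contents: read` and `id-token: write`. The tail of this hunk (the tfvars heredoc onward, and all of `ci-cd.yml`) is missing from this extract and was not reviewed.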
Subject: [PATCH 2/4] Restore build workflow --- .github/workflows/build.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) create mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..8a2e1858 --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,20 @@ +name: Build +on: + push: + branches: + - main + pull_request: + types: [opened, synchronize, reopened] +jobs: + sonarcloud: + name: SonarCloud + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis + - name: SonarCloud Scan + uses: SonarSource/sonarqube-scan-action@v4 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} \ No newline at end of file From c5aaa41537ebac74828e1bc886ea389fdba8c5c1 Mon Sep 17 00:00:00 2001 From: Ollie Beumkes Date: Tue, 2 Sep 2025 10:09:52 +0100 Subject: [PATCH 3/4] Updated the base-deployment and its trigger to correctly apply on merge to main as well as manual deployment against other environments --- .github/workflows/base-deployment.yml | 90 +++++++++++++-------------- .github/workflows/ci-cd.yml | 3 +- 2 files changed, 43 insertions(+), 50 deletions(-) diff --git a/.github/workflows/base-deployment.yml b/.github/workflows/base-deployment.yml index 1f5569f8..8c1bd85f 100644 --- a/.github/workflows/base-deployment.yml +++ b/.github/workflows/base-deployment.yml @@ -10,10 +10,6 @@ on: description: "Do you want to run Terraform Apply" type: boolean default: false - build_id: - description: "Which docker image tag to use" - type: string - default: "2.0.1" workflow_dispatch: inputs: 
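Review bot: The `sonarcloud` job declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `SonarSource/sonarqube-scan-action@v4` carries the repository's default token scope even though the inline comment says it is only needed to read PR information; add `permissions:` with `contents: read` and `pull-requests: read` at the workflow or job level, widening only if the scan is found to write PR decorations. The checkout step uses `actions/checkout@v3` while `base-deployment.yml` in this same series is on `actions/checkout@v4`; align on v4 (ideally a commit-SHA pin) so the two workflows do not drift. Because the trigger is `pull_request` rather than `pull_request_target`, `secrets.SONAR_TOKEN` is not available on PRs from forks and the scan step is expected to fail there — presumably acceptable, but a one-line comment on the step saying so would save the next person a debugging round.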
@@ -29,13 +25,8 @@ on: description: "Do you want to run Terraform Apply" type: boolean default: false - build_id: - description: "Which docker image tag to use" - type: string - default: "2.0.1" name: Base Plan and Apply - permissions: contents: read id-token: write 
@@ -43,54 +34,57 @@ permissions: jobs: plan: - name: Terraform Plan and Apply + name: ${{ inputs.environment }} - Plan and Apply runs-on: ubuntu-latest - environment: ${{ inputs.environment == 'dev' && 'dev' || inputs.is_deployment && format('{0}-apply.tfvars', inputs.environment) || inputs.environment }} + environment: ${{ inputs.environment }} defaults: run: working-directory: ./terraform steps: - - name: Set up git repo - uses: actions/checkout@v4 + - name: Set up git repo + uses: actions/checkout@v4 + + - name: Set up Terraform + uses: hashicorp/setup-terraform@v3 - - name: Set up Terraform - uses: hashicorp/setup-terraform@v3 + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: ${{ secrets.IAM_ROLE }} + aws-region: eu-west-2 + mask-aws-account-id: true - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-to-assume: ${{ secrets.IAM_ROLE }} - aws-region: eu-west-2 + - name: terraform init + id: init + run: terraform init -no-color -upgrade -backend-config="bucket=${{ secrets.TF_BACKEND_BUCKET }}" -backend-config="key=${{ secrets.TF_BACKEND_KEY }}" -backend-config="dynamodb_table=${{ secrets.TF_BACKEND_DYNAMODB_TABLE }}" - - name: terraform fmt - id: fmt - working-directory: ./ - run: terraform fmt -recursive -check + - name: terraform validate + id: validate + run: terraform validate -no-color - - name: terraform init - id: init - run: terraform init -no-color -upgrade -backend-config="bucket=${{ secrets.TF_BACKEND_BUCKET }}" -backend-config="key=${{ secrets.TF_BACKEND_KEY }}" -backend-config="dynamodb_table=${{ secrets.TF_BACKEND_DYNAMODB_TABLE }}" + ## REPOSITORY SPECIFIC ## + - name: Setup Terraform variables + id: vars + run: | + COMMON_ACCOUNT_ID=$(aws ssm get-parameter --name /repo/ci/user-input/external/aws-account-id --with-decryption | jq -r .Parameter.Value) + cat > pipeline.auto.tfvars < pipeline.auto.tfvars < Date: Tue, 2 Sep 2025 10:36:50 +0100 
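Review bot: In the `Setup Terraform variables` step, `aws ssm get-parameter ... | jq -r .Parameter.Value` runs under the default `bash -e` but without `pipefail`, so a failed `aws` call (missing parameter, denied `ssm:GetParameter`) exits with jq's status and `COMMON_ACCOUNT_ID` is written into `pipeline.auto.tfvars` as empty or `null`, letting the plan proceed against the wrong account. Remove the pipe — `COMMON_ACCOUNT_ID=$(aws ssm get-parameter --name /repo/ci/user-input/external/aws-account-id --with-decryption --query Parameter.Value --output text)` — or open the script with `set -o pipefail`, and since the value is fetched with decryption while the job only masks the role's account via `mask-aws-account-id: true`, add `echo "::add-mask::${COMMON_ACCOUNT_ID}"` before it can surface in plan output. `environment: ${{ inputs.environment }}` now binds deployment protection rules to the caller-supplied string, but the `workflow_call` input is an unconstrained `type: string`; GitHub creates any environment name it does not already have, so a typo or hostile caller would run with whatever repository-level secrets resolve and no required reviewers — presumably `ci-cd.yml` hard-codes the value, but a guard step that fails unless it is one of `dev`, `pre-prod`, `prod` would make that explicit. The init step still carries `-upgrade`, which bypasses `.terraform.lock.hcl`; the rest of this hunk (heredoc body, plan and apply steps) is missing from this extract and was not reviewed.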
Subject: [PATCH 4/4] Updated the pr and deploy scripts to include ehr-hard-deletion-lambda --- .github/workflows/base-deployment.yml | 4 +++- .github/workflows/pr.yml | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/base-deployment.yml b/.github/workflows/base-deployment.yml index 8c1bd85f..cd4a40be 100644 --- a/.github/workflows/base-deployment.yml +++ b/.github/workflows/base-deployment.yml @@ -76,7 +76,9 @@ jobs: touch ../generate-cost-report-lambda/build/generate-cost-report-lambda.zip mkdir ../notification-lambda/build touch ../notification-lambda/build/alarm.zip - + mkdir ../ehr-hard-deletion-lambda/build + touch ../ehr-hard-deletion-lambda/build/ehr-hard-deletion-lambda.zip + - name: terraform plan id: plan run: | diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 897c8960..8b392568 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -92,6 +92,8 @@ jobs: touch ../generate-cost-report-lambda/build/generate-cost-report-lambda.zip mkdir ../notification-lambda/build touch ../notification-lambda/build/alarm.zip + mkdir ../ehr-hard-deletion-lambda/build + touch ../ehr-hard-deletion-lambda/build/ehr-hard-deletion-lambda.zip - name: terraform plan id: plan
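Review bot: The new `mkdir ../ehr-hard-deletion-lambda/build` in the deploy workflow's variables step follows the existing pattern but, like its siblings, has no `-p`, so under the default `bash -e` the step aborts if the directory already exists (for example when a prior build step or a cache produced it); `mkdir -p ../ehr-hard-deletion-lambda/build` is the safe form. More importantly this is `base-deployment.yml`, the workflow that runs `terraform apply` when `is_deployment` is set, and the step creates an empty `ehr-hard-deletion-lambda.zip`; if the Lambda resource's `filename`/`source_code_hash` resolves to that path, an apply from here would ship an empty package for a function whose name suggests it deletes EHR records — presumably the real artifact is produced elsewhere, but that should be confirmed and recorded in a comment above these lines, e.g. `# placeholder so plan can resolve the path; apply must use the artifact built by the real build job`. The `pr.yml` hunk in this patch makes the identical change and carries the same `mkdir -p` point.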