diff --git a/.github/workflows/deploy-safelist.yml b/.github/workflows/deploy-safelist.yml
new file mode 100644
index 00000000..f32db2d6
--- /dev/null
+++ b/.github/workflows/deploy-safelist.yml
@@ -0,0 +1,58 @@
+name: Deploy - Safelist Update
+run-name: "${{ inputs.environment }} | Terraform Apply? = ${{ inputs.is_deployment }} | Tag version: ${{ github.ref }}"
+
+on:
+ workflow_dispatch:
+ inputs:
+ environment:
+ default: "dev"
+ description: "Environment"
+ required: true
+ type: choice
+ options:
+ - dev
+ - pre-prod
+ - prod
+ is_deployment:
+ default: false
+ type: boolean
+ description: "Terraform Apply?"
+ updated_safelist:
+ default: ""
+ type: string
+ required: true
+ description: "Comma-separated list of ODS codes to add to the safelist."
+ version_to_deploy:
+ type: string
+ required: true
+ description: "Version to deploy (e.g. 3.0.0). If not provided, the workflow version will be deployed."
+
+permissions:
+ pull-requests: write
+ id-token: write # This is required for requesting the JWT
+ contents: read # This is required for actions/checkout
+
+jobs:
+ suspension-service-ci:
+ name: Deploy Suspension Service Infrastructure
+ uses: ./.github/workflows/deploy-stack.yml
+ with:
+ stack: suspension-service
+ ecr_alias: repo/suspension-service
+ environment: ${{ inputs.environment }}
+ is_deployment: ${{ inputs.is_deployment }}
+ updated_safelist: ${{ inputs.updated_safelist }}
+ version_to_deploy: ${{ inputs.version_to_deploy }}
+ secrets: inherit
+
+ gp2gp-messenger-ci:
+ name: Deploy GP2GP Messenger Infrastructure
+ uses: ./.github/workflows/deploy-stack.yml
+ with:
+ stack: gp2gp-messenger
+ ecr_alias: deductions/gp2gp-messenger
+ environment: ${{ inputs.environment }}
+ is_deployment: ${{ inputs.is_deployment }}
+ updated_safelist: ${{ inputs.updated_safelist }}
+ version_to_deploy: ${{ inputs.version_to_deploy }}
+ secrets: inherit
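Review bot: Both jobs call `uses: ./.github/workflows/deploy-stack.yml`, but this same commit renames that file to `temp-deploy-stack-changes.yml` (third file header below), so unless deploy-stack.yml is re-created elsewhere in the change the caller will fail to resolve the reusable workflow; point the two `uses:` lines at `./.github/workflows/temp-deploy-stack-changes.yml` or keep the old filename. The `version_to_deploy` input is `required: true` with no default while its description promises a fallback to the workflow version, so one of the two is wrong — either add `default: ""` or drop the "If not provided" clause. Since `updated_safelist` becomes the value of each environment's external safelist parameter, the description should state the exact expected format (codes only, comma-separated, no spaces) so an operator knows what the downstream write will accept.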
diff --git a/.github/workflows/deploy-full.yml b/.github/workflows/deploy-tagged-version.yml
similarity index 98%
rename from .github/workflows/deploy-full.yml
rename to .github/workflows/deploy-tagged-version.yml
index aa4f51e8..2968012b 100644
--- a/.github/workflows/deploy-full.yml
+++ b/.github/workflows/deploy-tagged-version.yml
@@ -1,6 +1,5 @@
-name: Deploy - Full
-
-run-name: "${{ inputs.environment }} | Terraform Apply? = ${{ inputs.is_deployment }}"
+name: Deploy - Tagged version
+run-name: "${{ inputs.environment }} | Terraform Apply? = ${{ inputs.is_deployment }} | Tag version: ${{ github.ref }}"
 on:
 workflow_dispatch:
diff --git a/.github/workflows/deploy-stack.yml b/.github/workflows/temp-deploy-stack-changes.yml
similarity index 72%
rename from .github/workflows/deploy-stack.yml
rename to .github/workflows/temp-deploy-stack-changes.yml
index c61cfc46..fda1e233 100644
--- a/.github/workflows/deploy-stack.yml
+++ b/.github/workflows/temp-deploy-stack-changes.yml
@@ -35,6 +35,17 @@ on:
 - pds-adapter
 - mesh-forwarder
 - base-infra
+ version_to_deploy:
+ default: ""
+ description: "Version to deploy (e.g. 3.0.0). If not provided, the workflow version will be deployed."
+ required: false
+ type: string
+ updated_safelist:
+ default: ""
+ type: string
+ required: true
+ description: "Comma-separated list of ODS codes to add to the safelist."
+
 is_deployment:
 default: false
 type: boolean
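Review bot: `updated_safelist` is declared `required: true` together with `default: ""`, which is contradictory — a default makes the field optional in practice, and an empty string is then what reaches the `aws ssm put-parameter` step added in a later hunk of this file. Drop the `default: ""` line, or make the input `required: false` and have the consumer refuse an empty value before it writes the safelist. The two new inputs also order their keys differently (`default/description/required/type` vs `default/type/required/description`); one order eases review. The same pair is added again in the hunk at line 80, where the same applies.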
@@ -69,21 +80,34 @@ on:
 default: false
 description: "Do we need to build any lambdas before deploying?"
 type: boolean
+ updated_safelist:
+ default: ""
+ type: string
+ required: true
+ description: "Comma-separated list of ODS codes to add to the safelist."
+ version_to_deploy:
+ default: ""
+ description: "Version to deploy (e.g. 3.0.0). If not provided, the workflow version will be deployed."
+ required: false
+ type: string
+
 permissions:
 pull-requests: write
 id-token: write # This is required for requesting the JWT
 contents: read # This is required for actions/checkout
 jobs:
- promote-images-from-source-ecr-account:
+ update_safelist:
 environment: ${{ inputs.environment }}
- name: Promote images from source to current environment
+ name: Update Safelist in SSM Parameter Store
 if: ${{ inputs.is_deployment && inputs.environment != 'dev' && inputs.ecr_alias }}
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
 id: checkout
 uses: actions/checkout@v6
+ with:
+ ref: refs/tags/${{ github.ref_name }}
 - name: Configure AWS Credentials
 id: creds
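Review bot: The `if:` on the renamed `update_safelist` job still carries the promotion job's guard — `inputs.environment != 'dev' && inputs.ecr_alias` — so the safelist is never written in dev and is silently skipped for any stack without an ECR alias, neither of which has anything to do with updating an SSM parameter; reduce it to `if: ${{ inputs.is_deployment }}` unless the dev exclusion is deliberate, in which case say so in a comment. The added `ref: refs/tags/${{ github.ref_name }}` only resolves when the run was dispatched from a tag; a dispatch from a branch yields a branch name under `refs/tags/` and the checkout fails, so either use `ref: ${{ github.ref }}` or document that this workflow is tag-only. The checkout step itself appears unused by the single `aws ssm put-parameter` step that follows in the next hunk, so it could be dropped together with the `ref`.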
@@ -95,53 +119,20 @@ jobs: mask-aws-account-id: true # Needs the AmazonEC2ContainerRegistryPowerUser role - - name: Login to ECR - uses: aws-actions/amazon-ecr-login@v2 - with: - registries: "${{ steps.creds.outputs.aws-account-id }},${{ secrets.AWS_SOURCE_ECR_ACCOUNT_ID }}" - - - name: Get Most Recent ECR Image SHA Tag From Lower Environment - id: get-image-tag - env: - ECR_ALIAS: ${{ inputs.ecr_alias }} - run: | - LATEST_IMAGE_SHA=$(aws ecr describe-images \ - --registry-id ${{ secrets.AWS_SOURCE_ECR_ACCOUNT_ID }} \ - --repository-name $ECR_ALIAS \ - --output json | - jq -r ' - .imageDetails - | map(select(.imageTags != null and (.imageTags|length>0))) - | sort_by(.imagePushedAt) - | last - | .imageTags[] - | select(test("^[0-9a-f]{40}$")) - ' | head -n 1) - - echo "All image tags for $ECR_ALIAS: $LATEST_IMAGE_SHA" - echo "image_sha=$LATEST_IMAGE_SHA" >> $GITHUB_OUTPUT - - - name: ECR Copy - id: ecr-copy + - name: Run command to update Safelist in SSM Parameter Store env: - IMAGE_SHA: "${{ steps.get-image-tag.outputs.image_sha }}" + AWS_REGION: ${{ vars.AWS_REGION }} + PARAMETER_NAME: /repo/${{ inputs.environment }}/user-input/external/safe-listed-ods-codes + UPDATED_SAFELIST: ${{ inputs.updated_safelist }} run: | - source_repo=${{ secrets.AWS_SOURCE_ECR_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.ecr_alias }} - destination_repo=${{ steps.creds.outputs.aws-account-id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ inputs.ecr_alias }} - - docker pull $source_repo:$IMAGE_SHA - docker tag $source_repo:$IMAGE_SHA $destination_repo:$IMAGE_SHA - docker tag $source_repo:$IMAGE_SHA $destination_repo:${{ github.ref_name }} - docker push $destination_repo:$IMAGE_SHA - docker push $destination_repo:${{ github.ref_name }} - + aws ssm put-parameter --name "$PARAMETER_NAME" --value "$UPDATED_SAFELIST" --type String --overwrite --region "$AWS_REGION" + deploy_stack: - environment: ${{ !inputs.ci_account && inputs.environment || 'ci_account' }} + environment: ${{ 
inputs.environment }} env: - GITHUB_ENV: ${{ !inputs.ci_account && inputs.environment || 'ci_account' }} + GITHUB_ENV: ${{ inputs.environment }} runs-on: ubuntu-latest - needs: [promote-images-from-source-ecr-account] - if: always() && (needs.promote-images-from-source-ecr-account.result == 'skipped' || needs.promote-images-from-source-ecr-account.result == 'success') + needs: [update_safelist] defaults: run: working-directory: ./stacks/${{ inputs.stack }}/terraform @@ -161,48 +152,11 @@ jobs: aws-region: ${{ vars.AWS_REGION }} mask-aws-account-id: true role-skip-session-tagging: true - - - name: Setup Terraform variables for Deductions Cross Account - if: inputs.stack == 'deductions-cross-account' - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_ACCESS_TOKEN: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} - PROMOTION_IAM_ARN: ${{ secrets.PROMOTION_IAM_ARN }} - run: | - cat > pipeline-deductions-cross-account.auto.tfvars <0))) - | sort_by(.imagePushedAt) - | last - | .imageTags[] - | select(test("^[0-9a-f]{40}$")) - ' | head -n 1) - - echo "Found tag: $LATEST_IMAGE_SHA" - - echo "Most recent image tag for $ECR_ALIAS: $LATEST_IMAGE_SHA" - echo "image_tag=$LATEST_IMAGE_SHA" >> $GITHUB_OUTPUT - - name: Setup Terraform variables id: vars env: ECR_ALIAS: ${{ inputs.ecr_alias }} - IMAGE_TAG: ${{ steps.get-image-tag.outputs.image_tag || '' }} + IMAGE_TAG: ${{ inputs.version_to_deploy }} run: | COMMON_ACCOUNT_ID=$(aws ssm get-parameter --name /repo/ci/user-input/external/aws-account-id --with-decryption | jq -r .Parameter.Value) cat > pipeline.auto.tfvars <
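Review bot: `needs: [update_safelist]` drops the `always() && (result == 'skipped' || result == 'success')` guard the old dependency had, so whenever update_safelist is skipped by its `if:` (is_deployment false, i.e. a plan-only run, or environment dev) deploy_stack is skipped as well; restore `if: always() && (needs.update_safelist.result == 'skipped' || needs.update_safelist.result == 'success')` on deploy_stack. The new step runs `aws ssm put-parameter ... --overwrite` with the raw input as the whole value, so it replaces the safelist rather than adding codes to it as the `updated_safelist` description says — either reword the description or read the current parameter and merge before writing, and because this parameter gates external access, reject a value that does not match the expected comma-separated ODS code format before the write rather than after. The comment `# Needs the AmazonEC2ContainerRegistryPowerUser role` survives as context although the ECR login and copy steps it described are removed here, so it should go too.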