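---
# Reusable (workflow_call) workflow: runs `terraform plan` or `terraform apply`
# for one or more infrastructure stacks against a named GitHub environment.
# Each stack becomes its own matrix job; a 'plan' run uploads the plan file as
# an artifact and an 'apply' run downloads that artifact before applying.
name: Deploy Infrastructure Workflow

# Default GITHUB_TOKEN scope for every job in this workflow. Kept read-only;
# the deploy job below adds only the extra scope it needs.
permissions:
  contents: read

on: # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      environment:
        description: "The name of the environment to deploy the infrastructure into"
        required: true
        type: string
      workspace:
        description: "The name of the workspace to deploy the infrastructure into"
        required: true
        type: string
      project:
        description: "The project - saet."
        required: false
        default: "saet"
        type: string
      account_type:
        description: "The type of account based on the environment"
        required: false
        default: "env"
        type: string
      stacks:
        # Fed to fromJSON() in the job matrix, so despite `type: string` this
        # must be a JSON array string, e.g. '["network", "compute"]'.
        # NOTE(review): the default "" does not look like a clean no-op —
        # fromJSON("") yields nothing for the matrix vector and GitHub fails
        # the job rather than skipping it. Callers should guard their `uses:`
        # with an `if:` or always pass a non-empty list. TODO confirm.
        description: "A list of the infrastructure stacks to deploy from the domain. If not supplied, no infrastructure will be deployed"
        required: false
        default: ""
        type: string
      action:
        # Only 'plan' and 'apply' are recognised by the artifact steps below;
        # any other value is passed through to the composite action untouched.
        description: "The type of action to perform with the stack."
        required: false
        default: "plan"
        type: string
      tag:
        # Used as the checkout ref. When empty, actions/checkout falls back to
        # the ref of the triggering event.
        description: "The git tag identifying the timeline in the repository to deploy from"
        required: false
        type: string
      application_tag:
        description: "The application tag identifying the timeline in the repository to deploy from"
        required: false
        type: string
      release_tag:
        description: "The release tag identifying the timeline in the repository to deploy from"
        required: false
        type: string
      workflow_timeout:
        description: "Timeout duration in minutes"
        required: false
        default: 30
        type: number
      commit_hash:
        description: "The commit hash, set by the CI/CD pipeline workflow"
        required: false
        type: string
      type:
        description: "The type of permissions (e.g., account, app)"
        required: true
        type: string
    # Secrets are declared explicitly rather than via `secrets: inherit`, so a
    # caller can only hand over exactly these values — keep it that way.
    secrets:
      ACCOUNT_ID:
        description: "AWS account ID for credentials"
        required: true
      MGMT_ACCOUNT_ID:
        description: "AWS management account ID for credentials"
        required: true
      DEV_ACCOUNT_ID:
        description: "DEV AWS account ID"
        required: true
      TEST_ACCOUNT_ID:
        description: "TEST AWS account ID"
        required: true
      SPLUNK_HEC_TOKEN:
        description: "Splunk HEC token for logging"
        required: true
      SPLUNK_HEC_URL:
        description: "Splunk HEC URL for logging"
        required: true
    outputs:
      plan_result:
        description: "The Terraform plan output"
        value: ${{ jobs.deploy-infrastructure.outputs.plan_result }}
      triage_invoke_url:
        description: "The Terraform triage invoke url"
        value: ${{ jobs.deploy-infrastructure.outputs.triage_invoke_url }}

jobs:
  deploy-infrastructure:
    name: "Deploy infrastructure"
    # id-token: write lets the credentials step request an OIDC token
    # (presumably exchanged for AWS credentials by the local
    # configure-credentials action — verify there). Nothing in this job
    # needs a writable GITHUB_TOKEN, so contents stays read-only.
    permissions:
      id-token: write
      contents: read
    runs-on: ubuntu-latest
    # Binding the job to the caller-supplied environment applies that
    # environment's protection rules (required reviewers, deployment branch /
    # tag restrictions) and scopes `vars`/`secrets` to it. An 'apply' is only
    # gated by approval if the environment actually has such rules configured.
    environment: ${{ inputs.environment }}
    timeout-minutes: ${{ inputs.workflow_timeout }}
    strategy:
      # Let every stack run to completion so one failed plan does not hide
      # the results of the others.
      fail-fast: false
      matrix:
        stack: ${{ fromJSON(inputs.stacks) }}
    # NOTE(review): job outputs under a matrix are last-writer-wins. With more
    # than one stack the caller only sees plan_result / triage_invoke_url from
    # whichever matrix job finishes last.
    outputs:
      plan_result: ${{ steps.deploy_stack.outputs.plan_result }}
      triage_invoke_url: ${{ steps.deploy_stack.outputs.triage_invoke_url }}
    steps:
      # Marketplace actions are pinned to major-version tags. A tag can be
      # moved; for a stronger supply-chain guarantee pin each `uses:` to a
      # full commit SHA (tag recorded in a trailing comment) and let
      # Dependabot/Renovate bump it.
      - name: "Checkout code"
        uses: actions/checkout@v6
        with:
          ref: ${{ inputs.tag }}
          # TODO(review): actions/checkout persists GITHUB_TOKEN in .git/config
          # by default; set `persist-credentials: false` unless a later step
          # (e.g. the composite action resolving release_tag) needs git auth.
      - name: "Configure AWS credentials"
        uses: ./.github/actions/configure-credentials
        with:
          aws_account_id: ${{ secrets.ACCOUNT_ID }}
          aws_region: ${{ vars.AWS_REGION }}
          type: ${{ inputs.type }}
          environment: ${{ inputs.environment }}
      # Restore the .tfplan produced by the 'plan' invocation of this same
      # workflow run. download-artifact reads from the current run by default,
      # so an apply cannot silently pick up a plan from another run or commit.
      - name: "Download Terraform Plan Artifact"
        uses: actions/download-artifact@v8
        if: ${{ inputs.action == 'apply' }}
        with:
          name: ${{ matrix.stack }}_terraform_plan_${{ inputs.account_type }}_${{ inputs.environment }}
          path: ./
      # Secrets reach Terraform as TF_VAR_* environment variables. They are
      # masked in logs, but Terraform plan files can embed variable values in
      # plaintext — and the plan file is uploaded as an artifact below.
      # Make sure the corresponding variables are declared `sensitive = true`
      # in the stack, and that artifact retention and repository read access
      # are acceptable for a file that may carry SPLUNK_HEC_TOKEN.
      # No input is interpolated into a `run:` shell in this file (only
      # `with:`/`env:`), so there is no expression-injection surface here;
      # check the two local composite actions for the same.
      - name: "Deploy infrastructure stack"
        id: deploy_stack
        uses: ./.github/actions/action-infrastructure-stack
        env:
          TF_VAR_dev_account_id: ${{ secrets.DEV_ACCOUNT_ID }}
          TF_VAR_test_account_id: ${{ secrets.TEST_ACCOUNT_ID }}
          TF_VAR_splunk_hec_token: ${{ secrets.SPLUNK_HEC_TOKEN }}
          TF_VAR_splunk_hec_url: ${{ secrets.SPLUNK_HEC_URL }}
        with:
          environment: ${{ inputs.environment }}
          workspace: ${{ inputs.workspace }}
          stack: ${{ matrix.stack }}
          action: ${{ inputs.action }}
          project: ${{ inputs.project }}
          application_tag: ${{ inputs.application_tag }}
          release_tag: ${{ inputs.release_tag }}
          commit_hash: ${{ inputs.commit_hash }}
          mgmt_account_id: ${{ secrets.MGMT_ACCOUNT_ID }}
      # Artifact name mirrors the download step above so plan and apply pair
      # up per stack / account type / environment within one run.
      - name: "Upload Terraform Plan Artifact"
        uses: actions/upload-artifact@v7
        if: ${{ inputs.action == 'plan' }}
        with:
          name: ${{ matrix.stack }}_terraform_plan_${{ inputs.account_type }}_${{ inputs.environment }}
          path: ${{ matrix.stack }}.tfplan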