From ac16277d2e5f851b63d78cd2aa0de7cfccf92c20 Mon Sep 17 00:00:00 2001 
From: Chris Kemp Date: Mon, 18 Dec 2023 13:56:00 +0000 Subject: [PATCH 01/12] Added per_accounts Added qa Updated CI Updated secrets readability Removing test account references Made account test tighter Formatting Formatting Always use NHSDeploymentRole and use 'type' to determine expiration, rather than duplicating logic Reworking comment Amended CI Shortened names so they fit in github UI phrasing debug debug RUNNING_IN_CI completely redundant now debug Re-added mask Temporarily disable smoke tests Disable smoke tests Enabled smoke tests disable smoke tests with conditional Corrected and added missing args Made deploy slack configurable Moved to github env variable Trying to sort always() not working in vars Remove variable Added account to slack Added mgmt Added redundant parameters Corrected slack message Reverted to how NRLF is set --- .github/actions/terraform/action.yml | 13 +- .github/workflows/_deploy.yml | 45 +++--- .../deploy-account-wide-resources-prod.yml | 6 +- .../deploy-account-wide-resources.yml | 16 +- .../workflows/deploy-nonprod-workspace.yml | 19 ++- .../workflows/deploy-parameters-nonprod.yml | 14 +- .github/workflows/deploy-parameters-prod.yml | 5 +- .github/workflows/deploy-prod-workspace.yml | 3 +- .../workflows/destroy-expired-workspaces.yml | 1 - .github/workflows/pull-requests.yml | 1 - infrastructure/terraform/etc/int.tfvars | 2 + infrastructure/terraform/etc/mgmt.tfvars | 2 + infrastructure/terraform/etc/prod.tfvars | 2 + infrastructure/terraform/etc/qa.tfvars | 2 + infrastructure/terraform/etc/ref.tfvars | 2 + .../terraform/per_account/dev/vars.tf | 6 + .../terraform/per_account/int/locals.tf | 5 + .../terraform/per_account/int/main.tf | 33 ++++ .../per_account/int/parameters/locals.tf | 5 + .../per_account/int/parameters/main.tf | 32 ++++ .../per_account/int/parameters/provider.tf | 20 +++ .../per_account/int/parameters/terraform.tf | 17 ++ .../per_account/int/parameters/vars.tf | 29 ++++ .../terraform/per_account/int/provider.tf | 
20 +++ .../terraform/per_account/int/terraform.tf | 18 +++ .../terraform/per_account/int/vars.tf | 25 +++ .../terraform/per_account/mgmt/locals.tf | 5 + .../terraform/per_account/mgmt/main.tf | 33 ++++ .../per_account/mgmt/parameters/locals.tf | 5 + .../per_account/mgmt/parameters/main.tf | 32 ++++ .../per_account/mgmt/parameters/provider.tf | 20 +++ .../per_account/mgmt/parameters/terraform.tf | 17 ++ .../per_account/mgmt/parameters/vars.tf | 35 +++++ .../terraform/per_account/mgmt/provider.tf | 20 +++ .../terraform/per_account/mgmt/terraform.tf | 18 +++ .../terraform/per_account/mgmt/vars.tf | 25 +++ .../terraform/per_account/prod/locals.tf | 5 + .../terraform/per_account/prod/main.tf | 33 ++++ .../per_account/prod/parameters/locals.tf | 5 + .../per_account/prod/parameters/main.tf | 32 ++++ .../per_account/prod/parameters/provider.tf | 20 +++ .../per_account/prod/parameters/terraform.tf | 17 ++ .../per_account/prod/parameters/vars.tf | 29 ++++ .../terraform/per_account/prod/provider.tf | 20 +++ .../terraform/per_account/prod/terraform.tf | 18 +++ .../terraform/per_account/prod/vars.tf | 25 +++ .../terraform/per_account/qa/locals.tf | 5 + .../terraform/per_account/qa/main.tf | 33 ++++ .../per_account/qa/parameters/locals.tf | 5 + .../per_account/qa/parameters/main.tf | 32 ++++ .../per_account/qa/parameters/provider.tf | 20 +++ .../per_account/qa/parameters/terraform.tf | 17 ++ .../per_account/qa/parameters/vars.tf | 29 ++++ .../terraform/per_account/qa/provider.tf | 20 +++ .../terraform/per_account/qa/terraform.tf | 18 +++ .../terraform/per_account/qa/vars.tf | 25 +++ .../terraform/per_account/ref/locals.tf | 5 + .../terraform/per_account/ref/main.tf | 33 ++++ .../per_account/ref/parameters/locals.tf | 5 + .../per_account/ref/parameters/main.tf | 32 ++++ .../per_account/ref/parameters/provider.tf | 20 +++ .../per_account/ref/parameters/terraform.tf | 17 ++ .../per_account/ref/parameters/vars.tf | 29 ++++ .../terraform/per_account/ref/provider.tf | 20 +++ 
.../terraform/per_account/ref/terraform.tf | 18 +++ .../terraform/per_account/ref/vars.tf | 25 +++ scripts/aws/helpers.sh | 4 +- scripts/infrastructure/destroy.mk | 25 ++- .../destroy/destroy-corrupted-workspace.sh | 4 +- .../destroy/destroy-expired-workspaces.sh | 2 +- .../destroy/destroy-mgmt-resources.sh | 8 +- scripts/infrastructure/initialise.mk | 10 +- .../initialise/initialise-mgmt-resources.sh | 10 +- .../roles/manage-non-mgmt-aws-roles.sh | 8 +- scripts/infrastructure/terraform.mk | 8 +- .../terraform/terraform-commands.sh | 148 +++++++----------- .../terraform/terraform-constants.sh | 4 +- .../terraform/terraform-utils.sh | 140 ++++++++--------- 78 files changed, 1296 insertions(+), 240 deletions(-) create mode 100644 infrastructure/terraform/etc/int.tfvars create mode 100644 infrastructure/terraform/etc/mgmt.tfvars create mode 100644 infrastructure/terraform/etc/prod.tfvars create mode 100644 infrastructure/terraform/etc/qa.tfvars create mode 100644 infrastructure/terraform/etc/ref.tfvars create mode 100644 infrastructure/terraform/per_account/int/locals.tf create mode 100644 infrastructure/terraform/per_account/int/main.tf create mode 100644 infrastructure/terraform/per_account/int/parameters/locals.tf create mode 100644 infrastructure/terraform/per_account/int/parameters/main.tf create mode 100644 infrastructure/terraform/per_account/int/parameters/provider.tf create mode 100644 infrastructure/terraform/per_account/int/parameters/terraform.tf create mode 100644 infrastructure/terraform/per_account/int/parameters/vars.tf create mode 100644 infrastructure/terraform/per_account/int/provider.tf create mode 100644 infrastructure/terraform/per_account/int/terraform.tf create mode 100644 infrastructure/terraform/per_account/int/vars.tf create mode 100644 infrastructure/terraform/per_account/mgmt/locals.tf create mode 100644 infrastructure/terraform/per_account/mgmt/main.tf create mode 100644 infrastructure/terraform/per_account/mgmt/parameters/locals.tf 
create mode 100644 infrastructure/terraform/per_account/mgmt/parameters/main.tf create mode 100644 infrastructure/terraform/per_account/mgmt/parameters/provider.tf create mode 100644 infrastructure/terraform/per_account/mgmt/parameters/terraform.tf create mode 100644 infrastructure/terraform/per_account/mgmt/parameters/vars.tf create mode 100644 infrastructure/terraform/per_account/mgmt/provider.tf create mode 100644 infrastructure/terraform/per_account/mgmt/terraform.tf create mode 100644 infrastructure/terraform/per_account/mgmt/vars.tf create mode 100644 infrastructure/terraform/per_account/prod/locals.tf create mode 100644 infrastructure/terraform/per_account/prod/main.tf create mode 100644 infrastructure/terraform/per_account/prod/parameters/locals.tf create mode 100644 infrastructure/terraform/per_account/prod/parameters/main.tf create mode 100644 infrastructure/terraform/per_account/prod/parameters/provider.tf create mode 100644 infrastructure/terraform/per_account/prod/parameters/terraform.tf create mode 100644 infrastructure/terraform/per_account/prod/parameters/vars.tf create mode 100644 infrastructure/terraform/per_account/prod/provider.tf create mode 100644 infrastructure/terraform/per_account/prod/terraform.tf create mode 100644 infrastructure/terraform/per_account/prod/vars.tf create mode 100644 infrastructure/terraform/per_account/qa/locals.tf create mode 100644 infrastructure/terraform/per_account/qa/main.tf create mode 100644 infrastructure/terraform/per_account/qa/parameters/locals.tf create mode 100644 infrastructure/terraform/per_account/qa/parameters/main.tf create mode 100644 infrastructure/terraform/per_account/qa/parameters/provider.tf create mode 100644 infrastructure/terraform/per_account/qa/parameters/terraform.tf create mode 100644 infrastructure/terraform/per_account/qa/parameters/vars.tf create mode 100644 infrastructure/terraform/per_account/qa/provider.tf create mode 100644 infrastructure/terraform/per_account/qa/terraform.tf create 
mode 100644 infrastructure/terraform/per_account/qa/vars.tf create mode 100644 infrastructure/terraform/per_account/ref/locals.tf create mode 100644 infrastructure/terraform/per_account/ref/main.tf create mode 100644 infrastructure/terraform/per_account/ref/parameters/locals.tf create mode 100644 infrastructure/terraform/per_account/ref/parameters/main.tf create mode 100644 infrastructure/terraform/per_account/ref/parameters/provider.tf create mode 100644 infrastructure/terraform/per_account/ref/parameters/terraform.tf create mode 100644 infrastructure/terraform/per_account/ref/parameters/vars.tf create mode 100644 infrastructure/terraform/per_account/ref/provider.tf create mode 100644 infrastructure/terraform/per_account/ref/terraform.tf create mode 100644 infrastructure/terraform/per_account/ref/vars.tf diff --git a/.github/actions/terraform/action.yml b/.github/actions/terraform/action.yml index 7ab43aade..e93b97d11 100644 --- a/.github/actions/terraform/action.yml +++ b/.github/actions/terraform/action.yml @@ -4,13 +4,16 @@ inputs: command: description: "Terraform command to run" required: true + account: + description: "AWS account name" + required: true workspace: description: "Terraform workspace name" required: true - account-wide: - description: "If account-wide then specify 'account_wide'" - required: false - default: "non_account_wide" + scope: + description: "Terraform scope" + required: true + default: "per_workspace" cache-suffix: description: "[Optional] Cache suffix (e.g. 'base')" required: false 
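Review bot: The new `scope` input is declared `required: true` and also given `default: "per_workspace"`, which contradict each other; whether an omitted value is rejected or silently defaulted then depends on how the runner treats composite-action inputs rather than on anything in this file. Keep one of the two: `required: true` alone if every caller must name the scope (as `_deploy.yml` now does), or the default alone if `per_workspace` is the intended fallback. `account`, added in the same hunk, has no default, so leaving one on `scope` also makes the two inputs behave differently.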
@@ -32,7 +35,7 @@ runs: steps: - uses: ./.github/actions/make/ with: - command: terraform--${{ inputs.command }} TERRAFORM_WORKSPACE="${{ inputs.workspace }}" ACCOUNT_WIDE="${{ inputs.account-wide }}" PARAMETER_DEPLOY="${{ inputs.parameter-deploy }}" + command: terraform--${{ inputs.command }} AWS_ACCOUNT="${{ inputs.account }}" TERRAFORM_WORKSPACE="${{ inputs.workspace }}" TERRAFORM_SCOPE="${{ inputs.scope }}" requires-aws: true restore-from-cache: ${{ inputs.restore-from-cache }} save-to-cache: ${{ inputs.save-to-cache }} diff --git a/.github/workflows/_deploy.yml b/.github/workflows/_deploy.yml index 99bef4642..03b3660fd 100644 --- a/.github/workflows/_deploy.yml +++ b/.github/workflows/_deploy.yml @@ -1,18 +1,22 @@ on: workflow_call: inputs: - workspace: - required: true - default: dev + account: + description: The AWS account being deployed type: string - parameter-deploy: - required: false + required: true + workspace: + description: The Terraform workspace being deployed type: string - default: "" - account-wide: - required: false + required: true + scope: + description: The Terraform scope being deployed type: string - default: "non_account_wide" + required: true + run_smoke_tests: + description: Run smoke tests? + type: boolean + default: true permissions: id-token: write @@ -20,11 +24,10 @@ permissions: actions: write env: - RUNNING_IN_CI: 1 + ACCOUNT: ${{ inputs.account }} WORKSPACE: ${{ inputs.workspace }} CACHE_NAME: ${{ inputs.workspace }}-cache - PARAMETER_DEPLOY: ${{ inputs.parameter-deploy }} - ACCOUNT_WIDE: ${{ inputs.account-wide }} + SCOPE: ${{ inputs.scope }} # SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }} CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }} 
@@ -83,9 +86,9 @@ jobs: - uses: ./.github/actions/terraform/ with: command: init + account: ${{ env.ACCOUNT }} workspace: ${{ env.WORKSPACE }} - account-wide: ${{ env.ACCOUNT_WIDE }} - parameter-deploy: ${{ env.PARAMETER_DEPLOY }} + scope: ${{ env.SCOPE }} restore-from-cache: "true" save-to-cache: "true" @@ -99,9 +102,9 @@ jobs: - uses: ./.github/actions/terraform/ with: command: plan + account: ${{ env.ACCOUNT }} workspace: ${{ env.WORKSPACE }} - account-wide: ${{ env.ACCOUNT_WIDE }} - parameter-deploy: ${{ env.PARAMETER_DEPLOY }} + scope: ${{ env.SCOPE }} restore-from-cache: "true" save-to-cache: "true" @@ -115,15 +118,16 @@ jobs: - uses: ./.github/actions/terraform/ with: command: apply + account: ${{ env.ACCOUNT }} workspace: ${{ env.WORKSPACE }} - account-wide: ${{ env.ACCOUNT_WIDE }} - parameter-deploy: ${{ env.PARAMETER_DEPLOY }} + scope: ${{ env.SCOPE }} restore-from-cache: "true" save-to-cache: "true" test--smoke: needs: [get-branch-from-workflow-file, terraform--apply] runs-on: [self-hosted, ci] + if: inputs.run_smoke_tests == 'true' steps: - uses: actions/checkout@v4 with: @@ -146,7 +150,7 @@ jobs: message-slack: name: Notify slack of deployment needs: [get-branch-from-workflow-file, set-success] - if: ${{ always() }} + if: always() runs-on: [self-hosted, ci] steps: @@ -156,7 +160,10 @@ jobs: with: payload: | { + "account": "${{ env.ACCOUNT }}", "environment": "${{ env.WORKSPACE }}", "result": "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}", "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}" } + env: + SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }} diff --git a/.github/workflows/deploy-account-wide-resources-prod.yml b/.github/workflows/deploy-account-wide-resources-prod.yml index de609d4d5..4df676fdb 100644 --- a/.github/workflows/deploy-account-wide-resources-prod.yml +++ b/.github/workflows/deploy-account-wide-resources-prod.yml 
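Review bot: `if: inputs.run_smoke_tests == 'true'` on `test--smoke` compares a `boolean` workflow_call input with a string; under GitHub's loose-equality rules mismatched types are coerced to numbers (`true` becomes 1, `'true'` becomes NaN), so the condition is false even when the caller keeps the default `true` and the smoke job is always skipped. The check should be `if: inputs.run_smoke_tests` (or `== true`). The step-level `if` introduced in `[PATCH 02/12]` repeats the same comparison and needs the same fix.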
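Review bot: `"account": "${{ env.ACCOUNT }}"` is spliced into the Slack JSON payload unescaped, as the existing `environment` and `branch` lines are; `account` is a plain `string` input on this reusable workflow, so a caller value containing `"` or `\` yields a malformed payload and a failed notification step. Writing the field as `"account": ${{ toJSON(env.ACCOUNT) }}` (and the same for the other fields) keeps the JSON valid for any input. If the intent is that only the known account names are ever passed, a validation step near the top of the workflow is the place to enforce that.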
@@ -1,4 +1,4 @@ -name: "Deploy: Account Wide Resources - Production" +name: "Deploy: Account Wide - Production" on: workflow_dispatch: @@ -7,6 +7,8 @@ jobs: deploy: uses: ./.github/workflows/_deploy.yml with: + account: prod workspace: prod - account-wide: account_wide + scope: per_account/prod + run_smoke_tests: false secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/deploy-account-wide-resources.yml b/.github/workflows/deploy-account-wide-resources.yml index f0c3e71a4..2d24ea07b 100644 --- a/.github/workflows/deploy-account-wide-resources.yml +++ b/.github/workflows/deploy-account-wide-resources.yml @@ -1,21 +1,25 @@ -name: "Deploy: Account Wide Resources - Nonprod" +name: "Deploy: Account Wide - Nonprod" on: workflow_dispatch: inputs: - workspace: - description: Account to deploy to + account: + description: Account to deploy required: true default: dev type: choice options: - dev - - ref + - qa - int + - ref + - mgmt jobs: deploy: uses: ./.github/workflows/_deploy.yml with: - workspace: ${{ inputs.workspace }} - account-wide: account_wide + account: ${{ inputs.account }} + workspace: ${{ inputs.account }} + scope: "per_account/${{ inputs.account }}" + run_smoke_tests: false secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/deploy-nonprod-workspace.yml b/.github/workflows/deploy-nonprod-workspace.yml index bd8c5227b..6b3ca34e7 100644 --- a/.github/workflows/deploy-nonprod-workspace.yml +++ b/.github/workflows/deploy-nonprod-workspace.yml 
@@ -3,23 +3,26 @@ name: "Deploy: Workspace - Nonprod" on: workflow_dispatch: inputs: - workspace: - description: Workspace to deploy to + account: + description: Account to deploy required: true default: dev type: choice options: - dev - - dev-sandbox - - ref - - ref-sandbox + - qa - int - - int-sandbox + - ref + sandbox: + description: Do you want to deploy the sandbox version? + type: boolean + default: false jobs: deploy: uses: ./.github/workflows/_deploy.yml with: - workspace: ${{ inputs.workspace }} - account-wide: non_account_wide + account: ${{ inputs.account }} + workspace: ${{ inputs.account }}${{ inputs.sandbox == 'true' && '-sandbox' || '' }} + scope: "per_workspace" secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/deploy-parameters-nonprod.yml b/.github/workflows/deploy-parameters-nonprod.yml index f35943ecc..f47bc32a2 100644 --- a/.github/workflows/deploy-parameters-nonprod.yml +++ b/.github/workflows/deploy-parameters-nonprod.yml @@ -3,21 +3,23 @@ name: "Deploy: Parameters - Nonprod" on: workflow_dispatch: inputs: - workspace: - description: Workspace to deploy to + account: + description: Account to deploy required: true default: dev type: choice options: - dev - - ref + - qa - int + - ref jobs: deploy: uses: ./.github/workflows/_deploy.yml with: - workspace: ${{ inputs.workspace }} - parameter-deploy: "parameter_deploy" - account-wide: "account_wide" + account: ${{ inputs.account }} + workspace: ${{ inputs.account }} + scope: "per_account/${{ inputs.account }}/parameters" + smrun_smoke_testsoke_tests: false secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/deploy-parameters-prod.yml b/.github/workflows/deploy-parameters-prod.yml index e83a02648..82d3099f7 100644 --- a/.github/workflows/deploy-parameters-prod.yml +++ b/.github/workflows/deploy-parameters-prod.yml 
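Review bot: `${{ inputs.sandbox == 'true' && '-sandbox' || '' }}` compares the `boolean` dispatch input with a string; in the `inputs` context a boolean input keeps its type, and GitHub's loose equality coerces mismatched types to numbers, so the expression is false for both checkbox states and the `-sandbox` suffix is never appended. Use `${{ inputs.sandbox && '-sandbox' || '' }}`.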
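Review bot: `smrun_smoke_testsoke_tests: false` does not match any input of `_deploy.yml`, whose flag is `run_smoke_tests`; a `with:` key the called workflow does not declare is rejected when the run is validated, so this workflow cannot start. The line should read `run_smoke_tests: false`. The follow-up `[PATCH 03/12] typo` changes it to `run_smoke_testsoke_tests`, which is still not the declared name.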
@@ -7,7 +7,8 @@ jobs: deploy: uses: ./.github/workflows/_deploy.yml with: + account: prod workspace: prod - parameter-deploy: "parameter_deploy" - account-wide: "account_wide" + scope: per_account/prod/parameters + run_smoke_tests: false secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/deploy-prod-workspace.yml b/.github/workflows/deploy-prod-workspace.yml index 9e2ad624d..d8211653d 100644 --- a/.github/workflows/deploy-prod-workspace.yml +++ b/.github/workflows/deploy-prod-workspace.yml @@ -7,6 +7,7 @@ jobs: deploy: uses: ./.github/workflows/_deploy.yml with: + account: prod workspace: prod - account-wide: non_account_wide + scope: per_workspace secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/destroy-expired-workspaces.yml b/.github/workflows/destroy-expired-workspaces.yml index c094d64c8..efac9bcd5 100644 --- a/.github/workflows/destroy-expired-workspaces.yml +++ b/.github/workflows/destroy-expired-workspaces.yml @@ -14,7 +14,6 @@ env: AWS_DEFAULT_REGION: eu-west-2 TF_CLI_ARGS: -no-color CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }} - RUNNING_IN_CI: 1 BRANCH_NAME: ${{ github.ref_name }} jobs: diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml index d30ac770c..3cdc1078a 100644 --- a/.github/workflows/pull-requests.yml +++ b/.github/workflows/pull-requests.yml @@ -12,7 +12,6 @@ env: BASE_BRANCH_NAME: ${{ github.event.pull_request.base.ref }} BRANCH_NAME: ${{ github.event.pull_request.head.ref }} CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }} - RUNNING_IN_CI: 1 BRANCH_GITHUB_SHA_SHORT: $(echo ${{ github.event.pull_request.head.sha }} | cut -c 1-7) TF_CLI_ARGS: -no-color diff --git a/infrastructure/terraform/etc/int.tfvars b/infrastructure/terraform/etc/int.tfvars new file mode 100644 index 000000000..00e5cfa9f --- /dev/null +++ b/infrastructure/terraform/etc/int.tfvars @@ -0,0 +1,2 @@ +account_name = "int" +environment = "int" 
diff --git a/infrastructure/terraform/etc/mgmt.tfvars b/infrastructure/terraform/etc/mgmt.tfvars new file mode 100644 index 000000000..4d3811c73 --- /dev/null +++ b/infrastructure/terraform/etc/mgmt.tfvars @@ -0,0 +1,2 @@ +account_name = "mgmt" +environment = "mgmt" diff --git a/infrastructure/terraform/etc/prod.tfvars b/infrastructure/terraform/etc/prod.tfvars new file mode 100644 index 000000000..41c154639 --- /dev/null +++ b/infrastructure/terraform/etc/prod.tfvars @@ -0,0 +1,2 @@ +account_name = "prod" +environment = "prod" diff --git a/infrastructure/terraform/etc/qa.tfvars b/infrastructure/terraform/etc/qa.tfvars new file mode 100644 index 000000000..214c55063 --- /dev/null +++ b/infrastructure/terraform/etc/qa.tfvars @@ -0,0 +1,2 @@ +account_name = "qa" +environment = "qa" diff --git a/infrastructure/terraform/etc/ref.tfvars b/infrastructure/terraform/etc/ref.tfvars new file mode 100644 index 000000000..718f4c6da --- /dev/null +++ b/infrastructure/terraform/etc/ref.tfvars @@ -0,0 +1,2 @@ +account_name = "ref" +environment = "ref" diff --git a/infrastructure/terraform/per_account/dev/vars.tf b/infrastructure/terraform/per_account/dev/vars.tf index 6baf3dcb2..747fba8de 100644 --- a/infrastructure/terraform/per_account/dev/vars.tf +++ b/infrastructure/terraform/per_account/dev/vars.tf @@ -17,3 +17,9 @@ variable "expiration_date" { variable "updated_date" { default = "NEVER" } + +variable "lambdas" {} + +variable "layers" {} + +variable "workspace_type" {} diff --git a/infrastructure/terraform/per_account/int/locals.tf b/infrastructure/terraform/per_account/int/locals.tf new file mode 100644 index 000000000..9d2eefbf5 --- /dev/null +++ b/infrastructure/terraform/per_account/int/locals.tf @@ -0,0 +1,5 @@ +locals { + region = "eu-west-2" + project = "nhse-cpm" + current_time = timestamp() +} diff --git a/infrastructure/terraform/per_account/int/main.tf b/infrastructure/terraform/per_account/int/main.tf new file mode 100644 index 000000000..dd97616dc --- /dev/null 
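Review bot: `variable "lambdas" {}`, `variable "layers" {}` and `variable "workspace_type" {}` are added to the dev per-account root with no `type` or `description`; they appear to exist only so the now-unconditional `-var "lambdas=…"`, `-var "layers=…"` and `-var "workspace_type=…"` flags in `_terraform_plan` and `_terraform_destroy` do not fail against this root, which a reader cannot tell from the file. A `description` stating that, e.g. `description = "Not used by this root; declared so the shared plan/destroy wrapper can pass it uniformly"`, saves the next person the search. If the values are indeed never referenced here, `default = null` also documents that they are optional.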
+++ b/infrastructure/terraform/per_account/int/main.tf 
@@ -0,0 +1,33 @@ +resource "aws_resourcegroups_group" "resource_group" { + name = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group" + description = "PERSISTENT ${upper(terraform.workspace)} account-wide resource group." + tags = { + Name = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group" + CreatedOn = var.updated_date + LastUpdated = var.updated_date + ExpirationDate = var.expiration_date + } + + lifecycle { + ignore_changes = [tags["CreatedOn"]] + } + + resource_query { + query = <&2 + return 1 + fi + + cd "$terraform_dir" || return 1 + case $TERRAFORM_COMMAND in #---------------- "validate") - cd "$terraform_dir" || return 1 terraform validate || return 1 ;; #---------------- "init") - if [[ "${contact_info}" != *MGMT* ]]; then - echo "Please log in as the mgmt account" >&2 - return 1 - fi - - cd "$terraform_dir" || return 1 _terraform_init "$workspace" "$TERRAFORM_ARGS" ;; #---------------- "plan") - if [[ "${contact_info}" != *MGMT* ]]; then - echo "Please log in as the mgmt account" >&2 - return 1 - fi - - cd "$terraform_dir" || return 1 - _terraform_plan "$workspace" "$var_file" "$plan_file" "$aws_account_id" "$ACCOUNT_WIDE" "$TERRAFORM_ARGS" + _terraform_plan "$workspace" "$var_file" "$plan_file" "$aws_account_id" "$TERRAFORM_ARGS" ;; #---------------- "apply") - if [[ "${contact_info}" != *MGMT* ]]; then - echo "Please log in as the mgmt account" >&2 - return 1 - fi - - cd "$terraform_dir" || return 1 - _terraform_apply "$workspace" "$plan_file" "$ACCOUNT_WIDE" "$TERRAFORM_ARGS" + _terraform_apply "$workspace" "$plan_file" "$TERRAFORM_ARGS" ;; #---------------- "destroy") - if [[ "${contact_info}" != *MGMT* ]]; then - echo "Please log in as the mgmt account" >&2 - return 1 - fi - if [[ -z ${workspace} ]]; then echo "Non-mgmt parameter required" >&2 return 1 fi - cd "$terraform_dir" || return 1 - _terraform_destroy "$workspace" "$var_file" "$aws_account_id" "$ACCOUNT_WIDE" 
"$TERRAFORM_ARGS" + _terraform_destroy "$workspace" "$var_file" "$aws_account_id" "$TERRAFORM_ARGS" ;; #---------------- "unlock") - if [[ "${contact_info}" != *MGMT* ]]; then - echo "Please log in as the mgmt account" >&2 - return 1 - fi - - cd "$terraform_dir" || return 1 _terraform_unlock "$workspace" "$TERRAFORM_ARGS" ;; esac @@ -116,40 +99,29 @@ function _terraform_plan() { local var_file=$2 local plan_file=$3 local aws_account_id=$4 - local account_wide=$5 - local args=${@:6} + local args=${@:5} terraform workspace select default terraform init || return 1 terraform workspace select "$workspace" || terraform workspace new "$workspace" || return 1 - if [[ "${account_wide}" = "account_wide" ]]; then - terraform plan $args \ - -out="$plan_file" \ - -var-file="$var_file" \ - -var "assume_account=${aws_account_id}" \ - -var "assume_role=${terraform_role_name}" \ - -var "updated_date=${current_date}" \ - -var "expiration_date=${expiration_date}" || return 1 - else - terraform plan $args \ - -out="$plan_file" \ - -var-file="$var_file" \ - -var "assume_account=${aws_account_id}" \ - -var "assume_role=${terraform_role_name}" \ - -var "updated_date=${current_date}" \ - -var "expiration_date=${expiration_date}" \ - -var "lambdas=${lambdas}" \ - -var "workspace_type=${workspace_type}" \ - -var "layers=${layers}" || return 1 - fi + terraform plan $args \ + -out="$plan_file" \ + -var-file="$var_file" \ + -var "assume_account=${aws_account_id}" \ + -var "assume_role=${terraform_role_name}" \ + -var "updated_date=${current_date}" \ + -var "expiration_date=${expiration_date}" \ + -var "workspace_type=${workspace_type}" \ + -var "lambdas=${lambdas}" \ + -var "layers=${layers}" \ + || return 1 } function _terraform_apply() { local workspace=$1 local plan_file=$2 - local account_wide=$3 - local args=${@:4} + local args=${@:3} terraform init || return 1 terraform workspace select "$workspace" || terraform workspace new "$workspace" || return 1 
@@ -161,26 +133,19 @@ function _terraform_destroy() { local workspace=$1 local var_file=$2 local aws_account_id=$3 - local account_wide=$4 - local args=${@:5} + local args=${@:4} terraform init -reconfigure || return 1 terraform workspace select "$workspace" || terraform workspace new "$workspace" || return 1 - if [[ "${account_wide}" = "account_wide" ]]; then - terraform apply -destroy $args \ - -var-file="$var_file" \ - -var "assume_account=${aws_account_id}" \ - -var "assume_role=${terraform_role_name}" || return 1 - else - terraform apply -destroy $args \ - -var-file="$var_file" \ - -var "assume_account=${aws_account_id}" \ - -var "assume_role=${terraform_role_name}" \ - -var "workspace_type=${workspace_type}" \ - -var "lambdas=${lambdas}" \ - -var "layers=${layers}" || return 1 - fi + terraform apply -destroy $args \ + -var-file="$var_file" \ + -var "assume_account=${aws_account_id}" \ + -var "assume_role=${terraform_role_name}" \ + -var "workspace_type=${workspace_type}" \ + -var "lambdas=${lambdas}" \ + -var "layers=${layers}" \ + || return 1 if [ "$workspace" != "default" ]; then terraform workspace select default || return 1 @@ -189,6 +154,7 @@ function _terraform_destroy() { } function _terraform_unlock() { + local workspace=$1 terraform force-unlock "$workspace" } diff --git a/scripts/infrastructure/terraform/terraform-constants.sh b/scripts/infrastructure/terraform/terraform-constants.sh index 86ac67337..09218a1ad 100644 --- a/scripts/infrastructure/terraform/terraform-constants.sh +++ b/scripts/infrastructure/terraform/terraform-constants.sh 
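Review bot: `_terraform_plan` now passes `-var "workspace_type=…"`, `-var "lambdas=…"` and `-var "layers=…"` unconditionally, so every root module reachable through `TERRAFORM_SCOPE`, including each `per_account/<acct>` and `per_account/<acct>/parameters` tree, must declare those three variables or `terraform plan` fails on an undeclared variable; `per_account/dev/vars.tf` gets them in this patch, but the other `vars.tf` files are created in the same series and are not visible here, so please confirm each declares them. A one-line comment above the flags, e.g. `# every root module declares workspace_type/lambdas/layers (even where unused) so these can be passed uniformly`, records the contract. `_terraform_destroy` in the next hunk has the identical requirement.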
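Review bot: `local workspace=$1` names the value handed to `terraform force-unlock`, but that command takes a lock ID rather than a workspace name, and the `"$TERRAFORM_ARGS"` the caller passes as the second argument is dropped without comment. If the caller really supplies the lock ID through `$workspace`, `local lock_id=$1` plus `# $1 is the lock ID reported by the failed terraform command, not a workspace name` would make that explicit; otherwise the call is wrong. Either way the unused second argument should be documented or removed.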
@@ -5,5 +5,7 @@ AWS_REGION_NAME="eu-west-2" VERSION="v1.0.0" MGMT_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--mgmt-account-id-${VERSION}" PROD_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--prod-account-id-${VERSION}" -TEST_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-account-id-${VERSION}" +REF_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--ref-account-id-${VERSION}" +INT_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--int-account-id-${VERSION}" +QA_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--qa-account-id-${VERSION}" DEV_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--dev-account-id-${VERSION}" diff --git a/scripts/infrastructure/terraform/terraform-utils.sh b/scripts/infrastructure/terraform/terraform-utils.sh index 8d43f4aeb..e8933c815 100644 --- a/scripts/infrastructure/terraform/terraform-utils.sh +++ b/scripts/infrastructure/terraform/terraform-utils.sh @@ -1,10 +1,28 @@ #!/bin/bash source ./scripts/infrastructure/terraform/terraform-constants.sh -PERSISTENT_WORKSPACES=("dev" "ref" "int" "prod" "dev-sandbox" "int-sandbox" "ref-sandbox") +PERSISTENT_WORKSPACES=("dev" "qa" "ref" "int" "prod" "dev-sandbox" "int-sandbox" "ref-sandbox") + + +function _get_account_name() { + local account=$1 + local workspace=$2 + + # if account not specified then infer it + if [[ -z "$account" ]]; then + if [[ "$workspace" = "ci-"* ]]; then + echo "ref" # ci builds go here + else + echo "dev" # personal builds co here + fi + else + echo "$account" + fi +} function _get_workspace_name() { - local workspace=$1 + local account=$1 + local workspace=$2 if [[ -z $workspace ]]; then if [[ -z $TERRAFORM_LOCAL_WORKSPACE_OVERRIDE ]]; then 
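Review bot: `REF_ACCOUNT_ID_LOCATION`, `INT_ACCOUNT_ID_LOCATION` and `QA_ACCOUNT_ID_LOCATION` spell out the same `${PROFILE_PREFIX}--mgmt--<account>-account-id-${VERSION}` pattern that the rewritten `_get_account_id_location` in `terraform-utils.sh` now derives from the account name, so the two can drift apart silently. If no other script still reads these constants, drop them in favour of the function; if some do, a comment here such as `# keep in step with _get_account_id_location in terraform-utils.sh` is the minimum.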
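Review bot: `PERSISTENT_WORKSPACES` gains `qa` but not `qa-sandbox`, even though `deploy-nonprod-workspace.yml` in this patch can now dispatch a `qa-sandbox` workspace; if any script still reads this array (the rewritten `_get_workspace_type` no longer does), `qa-sandbox` will be treated as non-persistent there. Add `"qa-sandbox"` or, if nothing reads the array any more, remove it so it cannot mislead. Also, the comment on the fallback branch of `_get_account_name` should read `# personal builds go here` rather than `co here`.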
@@ -18,107 +36,77 @@ function _get_workspace_name() { } function _get_workspace_type() { - local env=$1 - if [ "$RUNNING_IN_CI" = 1 ]; then - if [[ ${PERSISTENT_WORKSPACES[@]} =~ $env ]]; then - echo "PERSISTENT" - else - echo "CI" - fi + local account=$1 + local workspace=$2 + + # persistent environments are where the workspace and account names match (e.g. qa/qa or qa/qa-sandbox) + if [[ "${workspace}" = "${account}" || "${workspace}" = "${account}-sandbox" ]]; then + echo "PERSISTENT" + # CI environments start with 'ci-' + elif [[ "${workspace}" = "ci-"* ]]; then + echo "CI" + # everything else is classified as 'LOCAL' else echo "LOCAL" fi } function _get_workspace_expiration() { - local env=$1 - if [ "$RUNNING_IN_CI" = 1 ]; then - if [[ ${PERSISTENT_WORKSPACES[@]} =~ $env ]]; then - echo "NEVER" - else - echo "168" - fi - else - echo "72" - fi + case $1 in + "PERSISTENT") + echo "NEVER" ;; + "CI") + echo "168" ;; + *) + echo "72" ;; + esac } function _get_account_id_location() { - local workspace=$1 - - if [ "$RUNNING_IN_CI" = 1 ]; then - ## DELETE THIS WHEN TEST ACCOUNT ENABLED - echo "${DEV_ACCOUNT_ID_LOCATION}" - ## UNCOMMENT THIS WHEN TEST ACCOUNT ENABLED - # echo "${TEST_ACCOUNT_ID_LOCATION}" # CI deployments to TEST by default - elif [ "$workspace" = "mgmt" ]; then - echo "${MGMT_ACCOUNT_ID_LOCATION}" - elif [ "$workspace" = "prod" ]; then - echo "${PROD_ACCOUNT_ID_LOCATION}" - elif [ "$workspace" = "ref" ] || [ "$workspace" = "ref-sandbox" ]; then - echo "${TEST_ACCOUNT_ID_LOCATION}" - elif [ "$workspace" = "int" ] || [ "$workspace" = "int-sandbox" ]; then - echo "${TEST_ACCOUNT_ID_LOCATION}" - else - echo "${DEV_ACCOUNT_ID_LOCATION}" - fi + local account=$1 + local prefix=$2 + local version=$3 + + echo "${prefix}--mgmt--${account}-account-id-${version}" } -function _get_contact_information(){ - echo $(aws account get-contact-information --region "${AWS_REGION_NAME}") +function _get_account_full_name(){ + echo $(aws account get-contact-information 
--region "${AWS_REGION_NAME}" | jq .ContactInformation.FullName -r) } function _get_aws_account_id() { local account_id_location local profile_info - account_id_location=$(_get_account_id_location "$1") - profile_info="--profile nhse-cpm-mgmt-admin" - if [ "$RUNNING_IN_CI" = 1 ]; then - profile_info="" - fi - aws secretsmanager get-secret-value --secret-id "$account_id_location" --query SecretString --output text ${profile_info} + account_id_location=$(_get_account_id_location "$1" "$2" "$3") + + aws secretsmanager get-secret-value \ + --secret-id "$account_id_location" \ + --query SecretString \ + --output text } function _get_workspace_vars_file() { local dir=$(pwd) - local workspace=$1 - local vars_prefix="dev" - - if [ "$RUNNING_IN_CI" = 1 ]; then - ## DELETE THIS WHEN TEST ACCOUNT ENABLED - vars_prefix="dev" - ## UNCOMMENT THIS WHEN TEST ACCOUNT ENABLED - #vars_prefix="test" - elif [ "$workspace" = "mgmt" ]; then - vars_prefix="mgmt" - elif [ "$workspace" = "prod" ]; then - vars_prefix="prod" - elif [ "$workspace" = "ref" ] || [ "$workspace" = "ref-sandbox" ]; then - vars_prefix="test" - elif [ "$workspace" = "int" ] || [ "$workspace" = "int-sandbox" ]; then - vars_prefix="test" - fi + local account=$1 - echo "${dir}/infrastructure/terraform/etc/${vars_prefix}.tfvars" + echo "${dir}/infrastructure/terraform/etc/${account}.tfvars" } -function _get_terraform_dir() { - local env=$1 - local account_wide=$2 - local parameter_deploy=$3 - local dir=$(pwd) - if [ "$parameter_deploy" = "parameter_deploy" ] && [ "$account_wide" = "account_wide" ]; then - echo "${dir}/infrastructure/terraform/per_account/$env/parameters" - elif [ "$account_wide" = "account_wide" ]; then - echo "${dir}/infrastructure/terraform/per_account/$env" - elif [ "$account_wide" = "non_account_wide" ]; then - echo "${dir}/infrastructure/terraform/per_workspace" +function _get_terraform_scope() { + if [[ -z "$TERRAFORM_SCOPE" ]]; then + echo "per_workspace" else - echo " must either be 
'non_account_wide' or 'account_wide'" - return 1 + echo "$TERRAFORM_SCOPE" fi } +function _get_terraform_dir() { + local scope=$1 + local dir=$(pwd) + + echo "${dir}/infrastructure/terraform/${scope}" +} + function _get_current_date() { local timestamp=$(python -c "from datetime import datetime, timedelta, timezone; print(format(datetime.now(timezone.utc), '%Y-%m-%dT%H:%M:%SZ'))") echo "${timestamp}" From 6783090e16ce2c1b27ca1d01aa23dc16c19a609c Mon Sep 17 00:00:00 2001 From: Chris Kemp Date: Fri, 22 Dec 2023 09:18:54 +0000 Subject: [PATCH 02/12] Make step optional --- .github/workflows/_deploy.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/_deploy.yml b/.github/workflows/_deploy.yml index 03b3660fd..39dae35b3 100644 --- a/.github/workflows/_deploy.yml +++ b/.github/workflows/_deploy.yml @@ -127,12 +127,13 @@ jobs: test--smoke: needs: [get-branch-from-workflow-file, terraform--apply] runs-on: [self-hosted, ci] - if: inputs.run_smoke_tests == 'true' + if: always() steps: - uses: actions/checkout@v4 with: ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }} - - uses: ./.github/actions/make/ + - if: inputs.run_smoke_tests == 'true' + uses: ./.github/actions/make/ with: command: test--smoke requires-aws: true From 4c68d86d6a5e3b861591e0cb16884e64c04bc312 Mon Sep 17 00:00:00 2001 From: Chris Kemp Date: Fri, 22 Dec 2023 09:39:32 +0000 Subject: [PATCH 03/12] typo --- .github/workflows/deploy-parameters-nonprod.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-parameters-nonprod.yml b/.github/workflows/deploy-parameters-nonprod.yml index f47bc32a2..af5526592 100644 --- a/.github/workflows/deploy-parameters-nonprod.yml +++ b/.github/workflows/deploy-parameters-nonprod.yml 
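Review bot: `_get_terraform_dir` now returns `${dir}/infrastructure/terraform/${scope}` for any `scope`, where the removed version rejected values other than the two known ones, and `_get_account_id_location` likewise builds the Secrets Manager secret id from an unchecked `account`; a mistyped or unexpected `TERRAFORM_SCOPE`/`AWS_ACCOUNT` now fails late inside terraform or aws, or in the scope case runs terraform from whatever directory the string names. Assuming `_get_terraform_scope` is what feeds it, a whitelist there fails fast: `[[ "$TERRAFORM_SCOPE" =~ ^(per_workspace|per_account/[a-z]+(/parameters)?)$ ]] || { echo "unsupported TERRAFORM_SCOPE: $TERRAFORM_SCOPE" >&2; return 1; }`. Separately, `_get_account_full_name` wraps the pipeline in `echo $(…)`, which discards the exit status of `aws`/`jq` and word-splits the name; running `aws account get-contact-information --region "${AWS_REGION_NAME}" | jq -r .ContactInformation.FullName` directly lets the caller see a failure. That matters because the `MGMT` check this value replaces was used as a gate in `terraform-commands.sh`, and an empty string from a failed call should not satisfy whatever comparison now stands in for it.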
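Review bot: `if: always()` at job level makes `test--smoke` run even when `terraform--apply` failed or the run was cancelled, so the checkout and the smoke step (when its own condition holds) execute against a workspace whose apply did not complete, and any job that depends on `test--smoke` afterwards sees it as succeeded. If the goal is only to let downstream jobs proceed when smoke tests are switched off, `if: ${{ !cancelled() && needs.terraform--apply.result == 'success' }}` on the job expresses that without masking an apply failure. The step condition `inputs.run_smoke_tests == 'true'` still has the boolean-versus-string problem noted on the earlier hunk of this file.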
@@ -21,5 +21,5 @@ jobs: account: ${{ inputs.account }} workspace: ${{ inputs.account }} scope: "per_account/${{ inputs.account }}/parameters" - smrun_smoke_testsoke_tests: false + run_smoke_testsoke_tests: false secrets: inherit # pragma: allowlist secret From 4ffd6b16486bef0ca81bd4fd1162ef86210a57d4 Mon Sep 17 00:00:00 2001 From: Joel Klinger Date: Thu, 28 Dec 2023 11:22:20 +0000 Subject: [PATCH 04/12] [feature/PI-165_environments] PR feedback --- infrastructure/terraform/per_account/dev/parameters/main.tf | 2 +- infrastructure/terraform/per_account/int/parameters/main.tf | 2 +- infrastructure/terraform/per_account/int/terraform.tf | 2 +- infrastructure/terraform/per_account/mgmt/parameters/main.tf | 2 +- infrastructure/terraform/per_account/mgmt/terraform.tf | 2 +- infrastructure/terraform/per_account/prod/parameters/main.tf | 2 +- infrastructure/terraform/per_account/prod/terraform.tf | 2 +- infrastructure/terraform/per_account/qa/parameters/main.tf | 2 +- infrastructure/terraform/per_account/qa/terraform.tf | 2 +- infrastructure/terraform/per_account/ref/parameters/main.tf | 2 +- infrastructure/terraform/per_account/ref/terraform.tf | 2 +- scripts/infrastructure/destroy/destroy-corrupted-workspace.sh | 2 +- 12 files changed, 12 insertions(+), 12 deletions(-) diff --git a/infrastructure/terraform/per_account/dev/parameters/main.tf b/infrastructure/terraform/per_account/dev/parameters/main.tf index 899e1c196..ea3b458e3 100644 --- a/infrastructure/terraform/per_account/dev/parameters/main.tf +++ b/infrastructure/terraform/per_account/dev/parameters/main.tf @@ -27,6 +27,6 @@ JSON } } -resource "aws_secretsmanager_secret" "dev-apigee-credentials" { +resource "aws_secretsmanager_secret" "apigee-credentials" { name = "${terraform.workspace}-apigee-credentials" } diff --git a/infrastructure/terraform/per_account/int/parameters/main.tf b/infrastructure/terraform/per_account/int/parameters/main.tf index 899e1c196..ea3b458e3 100644 
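Review bot: The renamed input `run_smoke_testsoke_tests` is still misspelt; the reusable workflow `_deploy.yml` declares `run_smoke_tests` (its `if: inputs.run_smoke_tests == 'true'` and the input definition both appear elsewhere in this series), so this caller passes an input the callee does not define and, if the run is not rejected outright, `run_smoke_tests` keeps its default of `true` and smoke tests execute against a parameters-only deployment. The line should read `run_smoke_tests: false`. Patch 05 later in the series removes the line altogether rather than fixing the name.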
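Review bot: Renaming the resource address from `dev-apigee-credentials` to `apigee-credentials` without a `moved` block makes Terraform plan a destroy of the existing secret and a create of a fresh, empty one, so any Apigee credential value already stored would be scheduled for deletion and missing from the replacement. Add next to the resource: `moved { from = aws_secretsmanager_secret.dev-apigee-credentials  to = aws_secretsmanager_secret.apigee-credentials }` so the state is re-addressed in place. The same rename is applied to the int, mgmt, prod, qa and ref copies of this file in this patch and each needs the same block; this only matters where the old address has already been applied, which the diff cannot show.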
--- a/infrastructure/terraform/per_account/int/parameters/main.tf +++ b/infrastructure/terraform/per_account/int/parameters/main.tf @@ -27,6 +27,6 @@ JSON } } -resource "aws_secretsmanager_secret" "dev-apigee-credentials" { +resource "aws_secretsmanager_secret" "apigee-credentials" { name = "${terraform.workspace}-apigee-credentials" } diff --git a/infrastructure/terraform/per_account/int/terraform.tf b/infrastructure/terraform/per_account/int/terraform.tf index 75a4ba797..07024f81a 100644 --- a/infrastructure/terraform/per_account/int/terraform.tf +++ b/infrastructure/terraform/per_account/int/terraform.tf @@ -4,7 +4,7 @@ terraform { region = "eu-west-2" bucket = "nhse-cpm--terraform-state-v1.0.0" dynamodb_table = "nhse-cpm--terraform-state-lock-v1.0.0" - key = "terraform-state-infrastructure-dev-account-wide" + key = "terraform-state-infrastructure-int-account-wide" workspace_key_prefix = "nhse-cpm" } diff --git a/infrastructure/terraform/per_account/mgmt/parameters/main.tf b/infrastructure/terraform/per_account/mgmt/parameters/main.tf index 899e1c196..ea3b458e3 100644 --- a/infrastructure/terraform/per_account/mgmt/parameters/main.tf +++ b/infrastructure/terraform/per_account/mgmt/parameters/main.tf @@ -27,6 +27,6 @@ JSON } } -resource "aws_secretsmanager_secret" "dev-apigee-credentials" { +resource "aws_secretsmanager_secret" "apigee-credentials" { name = "${terraform.workspace}-apigee-credentials" } diff --git a/infrastructure/terraform/per_account/mgmt/terraform.tf b/infrastructure/terraform/per_account/mgmt/terraform.tf index 75a4ba797..c188d301d 100644 --- a/infrastructure/terraform/per_account/mgmt/terraform.tf +++ b/infrastructure/terraform/per_account/mgmt/terraform.tf 
@@ -4,7 +4,7 @@ terraform { region = "eu-west-2" bucket = "nhse-cpm--terraform-state-v1.0.0" dynamodb_table = "nhse-cpm--terraform-state-lock-v1.0.0" - key = "terraform-state-infrastructure-dev-account-wide" + key = "terraform-state-infrastructure-mgmt-account-wide" workspace_key_prefix = "nhse-cpm" } diff --git a/infrastructure/terraform/per_account/prod/parameters/main.tf b/infrastructure/terraform/per_account/prod/parameters/main.tf index 899e1c196..ea3b458e3 100644 --- a/infrastructure/terraform/per_account/prod/parameters/main.tf +++ b/infrastructure/terraform/per_account/prod/parameters/main.tf @@ -27,6 +27,6 @@ JSON } } -resource "aws_secretsmanager_secret" "dev-apigee-credentials" { +resource "aws_secretsmanager_secret" "apigee-credentials" { name = "${terraform.workspace}-apigee-credentials" } diff --git a/infrastructure/terraform/per_account/prod/terraform.tf b/infrastructure/terraform/per_account/prod/terraform.tf index 75a4ba797..c339885cf 100644 --- a/infrastructure/terraform/per_account/prod/terraform.tf +++ b/infrastructure/terraform/per_account/prod/terraform.tf @@ -4,7 +4,7 @@ terraform { region = "eu-west-2" bucket = "nhse-cpm--terraform-state-v1.0.0" dynamodb_table = "nhse-cpm--terraform-state-lock-v1.0.0" - key = "terraform-state-infrastructure-dev-account-wide" + key = "terraform-state-infrastructure-prod-account-wide" workspace_key_prefix = "nhse-cpm" } diff --git a/infrastructure/terraform/per_account/qa/parameters/main.tf b/infrastructure/terraform/per_account/qa/parameters/main.tf index 899e1c196..ea3b458e3 100644 --- a/infrastructure/terraform/per_account/qa/parameters/main.tf +++ b/infrastructure/terraform/per_account/qa/parameters/main.tf @@ -27,6 +27,6 @@ JSON } } -resource "aws_secretsmanager_secret" "dev-apigee-credentials" { +resource "aws_secretsmanager_secret" "apigee-credentials" { name = "${terraform.workspace}-apigee-credentials" } 
diff --git a/infrastructure/terraform/per_account/qa/terraform.tf b/infrastructure/terraform/per_account/qa/terraform.tf index 75a4ba797..ca947a046 100644 --- a/infrastructure/terraform/per_account/qa/terraform.tf +++ b/infrastructure/terraform/per_account/qa/terraform.tf @@ -4,7 +4,7 @@ terraform { region = "eu-west-2" bucket = "nhse-cpm--terraform-state-v1.0.0" dynamodb_table = "nhse-cpm--terraform-state-lock-v1.0.0" - key = "terraform-state-infrastructure-dev-account-wide" + key = "terraform-state-infrastructure-qa-account-wide" workspace_key_prefix = "nhse-cpm" } diff --git a/infrastructure/terraform/per_account/ref/parameters/main.tf b/infrastructure/terraform/per_account/ref/parameters/main.tf index 899e1c196..ea3b458e3 100644 --- a/infrastructure/terraform/per_account/ref/parameters/main.tf +++ b/infrastructure/terraform/per_account/ref/parameters/main.tf @@ -27,6 +27,6 @@ JSON } } -resource "aws_secretsmanager_secret" "dev-apigee-credentials" { +resource "aws_secretsmanager_secret" "apigee-credentials" { name = "${terraform.workspace}-apigee-credentials" } diff --git a/infrastructure/terraform/per_account/ref/terraform.tf b/infrastructure/terraform/per_account/ref/terraform.tf index 75a4ba797..1427e70ab 100644 --- a/infrastructure/terraform/per_account/ref/terraform.tf +++ b/infrastructure/terraform/per_account/ref/terraform.tf @@ -4,7 +4,7 @@ terraform { region = "eu-west-2" bucket = "nhse-cpm--terraform-state-v1.0.0" dynamodb_table = "nhse-cpm--terraform-state-lock-v1.0.0" - key = "terraform-state-infrastructure-dev-account-wide" + key = "terraform-state-infrastructure-ref-account-wide" workspace_key_prefix = "nhse-cpm" } diff --git a/scripts/infrastructure/destroy/destroy-corrupted-workspace.sh b/scripts/infrastructure/destroy/destroy-corrupted-workspace.sh index 8959eb5e4..6cbba5369 100644 --- a/scripts/infrastructure/destroy/destroy-corrupted-workspace.sh +++ b/scripts/infrastructure/destroy/destroy-corrupted-workspace.sh 
@@ -22,7 +22,7 @@ function _destroy_corrupted_workspace() {
 return 1
 fi
- dev_acct=$(_get_aws_account_id "$ENV") # TODO Broken by PI-165
+ dev_acct=$(_get_aws_account_id "$ENV" "$PROFILE_PREFIX" "$VERSION")
 role_arn="arn:aws:iam::${dev_acct}:role/${TERRAFORM_ROLE_NAME}"
 session_name="resource-search-session"
 duration_seconds=900
From def97dad658591b541c6141b8930c9a07525b4d5 Mon Sep 17 00:00:00 2001
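Review bot: `dev_acct` is interpolated into `role_arn` on the very next line without checking that `_get_aws_account_id` succeeded; if the Secrets Manager lookup fails the variable is empty and the script proceeds to build `arn:aws:iam:::role/...` and attempt an assume-role with it. Add directly after the assignment: `[[ "$dev_acct" =~ ^[0-9]{12}$ ]] || { echo "could not resolve account id for ${ENV}" >&2; return 1; }`. The rest of `_destroy_corrupted_workspace` is outside the hunk, including where `PROFILE_PREFIX` and `VERSION` are set, so I cannot confirm they are always populated when this line runs.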
From: Joel Klinger Date: Thu, 28 Dec 2023 14:48:04 +0000 Subject: [PATCH 05/12] [feature/PI-165_environments] Remove mgmt, fix env vars bugs --- .github/workflows/_deploy.yml | 7 +--- .../deploy-account-wide-resources-prod.yml | 1 - .../deploy-account-wide-resources.yml | 1 - .../workflows/deploy-parameters-nonprod.yml | 1 - .github/workflows/deploy-parameters-prod.yml | 1 - .../terraform/per_account/mgmt/locals.tf | 5 --- .../terraform/per_account/mgmt/main.tf | 33 ----------------- .../per_account/mgmt/parameters/locals.tf | 5 --- .../per_account/mgmt/parameters/main.tf | 32 ----------------- .../per_account/mgmt/parameters/provider.tf | 20 ----------- .../per_account/mgmt/parameters/terraform.tf | 17 --------- .../per_account/mgmt/parameters/vars.tf | 35 ------------------- .../terraform/per_account/mgmt/provider.tf | 20 ----------- .../terraform/per_account/mgmt/terraform.tf | 18 ---------- .../terraform/per_account/mgmt/vars.tf | 25 ------------- .../destroy/destroy-expired-workspaces.sh | 2 +- .../destroy/destroy-redundant-workspaces.sh | 2 +- .../terraform/terraform-commands.sh | 2 +- .../terraform/terraform-utils.sh | 5 +-- 19 files changed, 7 insertions(+), 225 deletions(-) delete mode 100644 infrastructure/terraform/per_account/mgmt/locals.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/main.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/parameters/locals.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/parameters/main.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/parameters/provider.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/parameters/terraform.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/parameters/vars.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/provider.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/terraform.tf delete mode 100644 infrastructure/terraform/per_account/mgmt/vars.tf 
diff --git a/.github/workflows/_deploy.yml b/.github/workflows/_deploy.yml index 39dae35b3..c130f96b1 100644 --- a/.github/workflows/_deploy.yml +++ b/.github/workflows/_deploy.yml @@ -13,10 +13,6 @@ on: description: The Terraform scope being deployed type: string required: true - run_smoke_tests: - description: Run smoke tests? - type: boolean - default: true permissions: id-token: write @@ -132,8 +128,7 @@ jobs: - uses: actions/checkout@v4 with: ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }} - - if: inputs.run_smoke_tests == 'true' - uses: ./.github/actions/make/ + - uses: ./.github/actions/make/ with: command: test--smoke requires-aws: true diff --git a/.github/workflows/deploy-account-wide-resources-prod.yml b/.github/workflows/deploy-account-wide-resources-prod.yml index 4df676fdb..6e04369fb 100644 --- a/.github/workflows/deploy-account-wide-resources-prod.yml +++ b/.github/workflows/deploy-account-wide-resources-prod.yml @@ -10,5 +10,4 @@ jobs: account: prod workspace: prod scope: per_account/prod - run_smoke_tests: false secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/deploy-account-wide-resources.yml b/.github/workflows/deploy-account-wide-resources.yml index 2d24ea07b..b17c1a130 100644 --- a/.github/workflows/deploy-account-wide-resources.yml +++ b/.github/workflows/deploy-account-wide-resources.yml @@ -21,5 +21,4 @@ jobs: account: ${{ inputs.account }} workspace: ${{ inputs.account }} scope: "per_account/${{ inputs.account }}" - run_smoke_tests: false secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/deploy-parameters-nonprod.yml b/.github/workflows/deploy-parameters-nonprod.yml index af5526592..3cfa75f95 100644 --- a/.github/workflows/deploy-parameters-nonprod.yml +++ b/.github/workflows/deploy-parameters-nonprod.yml 
@@ -21,5 +21,4 @@ jobs: account: ${{ inputs.account }} workspace: ${{ inputs.account }} scope: "per_account/${{ inputs.account }}/parameters" - run_smoke_testsoke_tests: false secrets: inherit # pragma: allowlist secret diff --git a/.github/workflows/deploy-parameters-prod.yml b/.github/workflows/deploy-parameters-prod.yml index 82d3099f7..162a637be 100644 --- a/.github/workflows/deploy-parameters-prod.yml +++ b/.github/workflows/deploy-parameters-prod.yml @@ -10,5 +10,4 @@ jobs: account: prod workspace: prod scope: per_account/prod/parameters - run_smoke_tests: false secrets: inherit # pragma: allowlist secret diff --git a/infrastructure/terraform/per_account/mgmt/locals.tf b/infrastructure/terraform/per_account/mgmt/locals.tf deleted file mode 100644 index 9d2eefbf5..000000000 --- a/infrastructure/terraform/per_account/mgmt/locals.tf +++ /dev/null @@ -1,5 +0,0 @@ -locals { - region = "eu-west-2" - project = "nhse-cpm" - current_time = timestamp() -} diff --git a/infrastructure/terraform/per_account/mgmt/main.tf b/infrastructure/terraform/per_account/mgmt/main.tf deleted file mode 100644 index dd97616dc..000000000 --- a/infrastructure/terraform/per_account/mgmt/main.tf +++ /dev/null 
@@ -1,33 +0,0 @@ -resource "aws_resourcegroups_group" "resource_group" { - name = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group" - description = "PERSISTENT ${upper(terraform.workspace)} account-wide resource group." - tags = { - Name = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group" - CreatedOn = var.updated_date - LastUpdated = var.updated_date - ExpirationDate = var.expiration_date - } - - lifecycle { - ignore_changes = [tags["CreatedOn"]] - } - - resource_query { - query = < Date: Thu, 28 Dec 2023 15:26:28 +0000 Subject: [PATCH 06/12] [feature/PI-165_environments] fix terraform deploy bug --- scripts/infrastructure/terraform/terraform-commands.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/infrastructure/terraform/terraform-commands.sh b/scripts/infrastructure/terraform/terraform-commands.sh index e5d6e8c7c..79f2de34c 100644 --- a/scripts/infrastructure/terraform/terraform-commands.sh +++ b/scripts/infrastructure/terraform/terraform-commands.sh @@ -3,10 +3,11 @@ source ./scripts/infrastructure/terraform/terraform-utils.sh TERRAFORM_COMMAND="$1" -TERRAFORM_WORKSPACE="$2" -TERRAFORM_SCOPE="$3" -PARAMETER_DEPLOY="$4" -TERRAFORM_ARGS="$5" +AWS_ACCOUNT="$2" +TERRAFORM_WORKSPACE="$3" +TERRAFORM_SCOPE="$4" +PARAMETER_DEPLOY="$5" +TERRAFORM_ARGS="$6" AWS_REGION_NAME="eu-west-2" function _terraform() { @@ -40,7 +41,6 @@ function _terraform() { login_account ${login_account} scope ${scope} account ${account} - account_id ${aws_account_id} workspace ${workspace} workspace_type ${workspace_type} workspace_expiration ${workspace_expiration} From 420a4e04c91495f99302c3598babd9474c4c733d Mon Sep 17 00:00:00 2001 From: Joel Klinger Date: Thu, 28 Dec 2023 15:36:58 +0000 Subject: [PATCH 07/12] [feature/PI-165_environments] don't use base branch --- .github/workflows/pull-requests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
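Review bot: Inserting `AWS_ACCOUNT="$2"` shifts every following positional parameter by one, and the script validates none of them, so a caller still using the old five-argument form would have its workspace read as the account and its scope as the workspace, presumably only failing later when the account-id secret or tfvars lookup misses. Add a guard after the assignments, e.g. `: "${AWS_ACCOUNT:?usage: terraform-commands.sh <command> <account> <workspace> <scope> <parameter_deploy> [args]}"` and the same for `TERRAFORM_WORKSPACE`. One caller is updated in patch 12 of this series (destroy-redundant-workspaces.sh); I cannot see from here whether every other caller was.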
diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml index 3cdc1078a..2f6063fc6 100644 --- a/.github/workflows/pull-requests.yml +++ b/.github/workflows/pull-requests.yml @@ -135,7 +135,7 @@ jobs: steps: - uses: actions/checkout@v4 with: - ref: ${{ env.BASE_BRANCH_NAME }} + ref: ${{ env.BRANCH_NAME }} # ${{ env.BASE_BRANCH_NAME }} - uses: ./.github/actions/terraform/ with: command: plan From 5dcbd0dce93da85613b0ae2e8a189c946e79933d Mon Sep 17 00:00:00 2001 From: Joel Klinger Date: Thu, 28 Dec 2023 16:00:56 +0000 Subject: [PATCH 08/12] [feature/PI-165_environments] revert unused vars --- .../terraform/per_account/dev/vars.tf | 8 ++-- .../terraform/per_account/int/vars.tf | 8 ++-- .../terraform/per_account/prod/vars.tf | 8 ++-- .../terraform/per_account/qa/vars.tf | 8 ++-- .../terraform/per_account/ref/vars.tf | 8 ++-- .../terraform/terraform-commands.sh | 37 ++++++++++++------- 6 files changed, 39 insertions(+), 38 deletions(-) diff --git a/infrastructure/terraform/per_account/dev/vars.tf b/infrastructure/terraform/per_account/dev/vars.tf index 747fba8de..5211b6e94 100644 --- a/infrastructure/terraform/per_account/dev/vars.tf +++ b/infrastructure/terraform/per_account/dev/vars.tf @@ -18,8 +18,6 @@ variable "updated_date" { default = "NEVER" } -variable "lambdas" {} - -variable "layers" {} - -variable "workspace_type" {} +variable "workspace_type" { + default = "PERSISTENT" +} diff --git a/infrastructure/terraform/per_account/int/vars.tf b/infrastructure/terraform/per_account/int/vars.tf index 747fba8de..5211b6e94 100644 --- a/infrastructure/terraform/per_account/int/vars.tf +++ b/infrastructure/terraform/per_account/int/vars.tf @@ -18,8 +18,6 @@ variable "updated_date" { default = "NEVER" } -variable "lambdas" {} - -variable "layers" {} - -variable "workspace_type" {} +variable "workspace_type" { + default = "PERSISTENT" +} 
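Review bot: Switching the checkout from the base branch to `env.BRANCH_NAME` means `terraform plan` now runs the PR head's own scripts and Terraform code with whatever AWS credentials the terraform action obtains; that is acceptable under a plain `pull_request` trigger for same-repository branches, but if this workflow is triggered by `pull_request_target` (the trigger is not visible in the hunk) it lets a fork PR run arbitrary code with the planning role. Please confirm the trigger and, if the base-branch checkout is no longer wanted, drop the dead `# ${{ env.BASE_BRANCH_NAME }}` trailer or replace it with a reason, e.g. `ref: ${{ env.BRANCH_NAME }} # plan the PR head so new Terraform is validated before merge`.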
diff --git a/infrastructure/terraform/per_account/prod/vars.tf b/infrastructure/terraform/per_account/prod/vars.tf index 747fba8de..5211b6e94 100644 --- a/infrastructure/terraform/per_account/prod/vars.tf +++ b/infrastructure/terraform/per_account/prod/vars.tf @@ -18,8 +18,6 @@ variable "updated_date" { default = "NEVER" } -variable "lambdas" {} - -variable "layers" {} - -variable "workspace_type" {} +variable "workspace_type" { + default = "PERSISTENT" +} diff --git a/infrastructure/terraform/per_account/qa/vars.tf b/infrastructure/terraform/per_account/qa/vars.tf index 747fba8de..5211b6e94 100644 --- a/infrastructure/terraform/per_account/qa/vars.tf +++ b/infrastructure/terraform/per_account/qa/vars.tf @@ -18,8 +18,6 @@ variable "updated_date" { default = "NEVER" } -variable "lambdas" {} - -variable "layers" {} - -variable "workspace_type" {} +variable "workspace_type" { + default = "PERSISTENT" +} diff --git a/infrastructure/terraform/per_account/ref/vars.tf b/infrastructure/terraform/per_account/ref/vars.tf index 747fba8de..5211b6e94 100644 --- a/infrastructure/terraform/per_account/ref/vars.tf +++ b/infrastructure/terraform/per_account/ref/vars.tf @@ -18,8 +18,6 @@ variable "updated_date" { default = "NEVER" } -variable "lambdas" {} - -variable "layers" {} - -variable "workspace_type" {} +variable "workspace_type" { + default = "PERSISTENT" +} diff --git a/scripts/infrastructure/terraform/terraform-commands.sh b/scripts/infrastructure/terraform/terraform-commands.sh index 79f2de34c..39d33e5cd 100644 --- a/scripts/infrastructure/terraform/terraform-commands.sh +++ b/scripts/infrastructure/terraform/terraform-commands.sh @@ -65,7 +65,7 @@ function _terraform() { ;; #---------------- "plan") - _terraform_plan "$workspace" "$var_file" "$plan_file" "$aws_account_id" "$TERRAFORM_ARGS" + _terraform_plan "$workspace" "$var_file" "$plan_file" "$aws_account_id" "$scope" "$TERRAFORM_ARGS" ;; #---------------- "apply") 
@@ -99,23 +99,34 @@ function _terraform_plan() { local var_file=$2 local plan_file=$3 local aws_account_id=$4 - local args=${@:5} + local scope=$5 + + local args=${@:6} terraform workspace select default terraform init || return 1 terraform workspace select "$workspace" || terraform workspace new "$workspace" || return 1 - terraform plan $args \ - -out="$plan_file" \ - -var-file="$var_file" \ - -var "assume_account=${aws_account_id}" \ - -var "assume_role=${terraform_role_name}" \ - -var "updated_date=${current_date}" \ - -var "expiration_date=${expiration_date}" \ - -var "workspace_type=${workspace_type}" \ - -var "lambdas=${lambdas}" \ - -var "layers=${layers}" \ - || return 1 + if [[ "${scope}" = "per_workspace" ]]; then + terraform plan $args \ + -out="$plan_file" \ + -var-file="$var_file" \ + -var "assume_account=${aws_account_id}" \ + -var "assume_role=${terraform_role_name}" \ + -var "updated_date=${current_date}" \ + -var "expiration_date=${expiration_date}" \ + -var "lambdas=${lambdas}" \ + -var "workspace_type=${workspace_type}" \ + -var "layers=${layers}" || return 1 + else + terraform plan $args \ + -out="$plan_file" \ + -var-file="$var_file" \ + -var "assume_account=${aws_account_id}" \ + -var "assume_role=${terraform_role_name}" \ + -var "updated_date=${current_date}" \ + -var "expiration_date=${expiration_date}" || return 1 + fi } function _terraform_apply() { From fc80449b808c153cd3c77ef83e6d06ff8dddc1f2 Mon Sep 17 00:00:00 2001 From: Joel Klinger Date: Thu, 28 Dec 2023 16:37:14 +0000 Subject: [PATCH 09/12] [feature/PI-165_environments] Remove mgmt --- .github/workflows/deploy-account-wide-resources.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/deploy-account-wide-resources.yml b/.github/workflows/deploy-account-wide-resources.yml index b17c1a130..0d5502d38 100644 --- a/.github/workflows/deploy-account-wide-resources.yml +++ b/.github/workflows/deploy-account-wide-resources.yml 
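Review bot: The two `terraform plan` invocations duplicate the six common `-var` flags, and both still expand `$args` unquoted, so any pass-through argument containing whitespace or a glob character is split or expanded before reaching terraform. Build the flag list once in an array and append the per_workspace-only variables conditionally; `local args=${@:6}` relies on that word-splitting because callers pass `TERRAFORM_ARGS` as a single string (see the `_terraform_plan ... "$TERRAFORM_ARGS"` call in the previous hunk), so split it explicitly with `read -r -a` rather than leaving it to an unquoted expansion. The globals this function reads (`terraform_role_name`, `current_date`, `expiration_date`, `workspace_type`, `lambdas`, `layers`) are set outside this hunk.
```shell
function _terraform_plan() {
    local workspace=$1
    local var_file=$2
    local plan_file=$3
    local aws_account_id=$4
    local scope=$5
    # Callers hand TERRAFORM_ARGS over as ONE string; split it on whitespace
    # here (no globbing) instead of relying on an unquoted "$args" later.
    local -a extra_args=()
    read -r -a extra_args <<< "${*:6}"

    # … unchanged: workspace select default / terraform init / workspace select-or-new …

    local -a plan_vars=(
        -var "assume_account=${aws_account_id}"
        -var "assume_role=${terraform_role_name}"
        -var "updated_date=${current_date}"
        -var "expiration_date=${expiration_date}"
    )
    # Only the per_workspace root declares these; terraform rejects -var for
    # a variable the root module does not declare, so gate them on scope.
    if [[ "${scope}" == "per_workspace" ]]; then
        plan_vars+=(
            -var "lambdas=${lambdas}"
            -var "workspace_type=${workspace_type}"
            -var "layers=${layers}"
        )
    fi

    terraform plan "${extra_args[@]}" \
        -out="$plan_file" \
        -var-file="$var_file" \
        "${plan_vars[@]}" || return 1
}
```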
@@ -13,7 +13,6 @@ on: - qa - int - ref - - mgmt jobs: deploy: uses: ./.github/workflows/_deploy.yml From 82e961a54f467d66adc5d6ab628f2bafac08d743 Mon Sep 17 00:00:00 2001 From: Joel Klinger Date: Thu, 28 Dec 2023 16:48:55 +0000 Subject: [PATCH 10/12] [feature/PI-165_environments] Remove always from smoke test --- .github/workflows/_deploy.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/_deploy.yml b/.github/workflows/_deploy.yml index c130f96b1..a2107ac17 100644 --- a/.github/workflows/_deploy.yml +++ b/.github/workflows/_deploy.yml @@ -123,7 +123,6 @@ jobs: test--smoke: needs: [get-branch-from-workflow-file, terraform--apply] runs-on: [self-hosted, ci] - if: always() steps: - uses: actions/checkout@v4 with: From 19f82e95f52baccf7ff24396fcde038f0d33dbba Mon Sep 17 00:00:00 2001 From: Joel Klinger Date: Fri, 29 Dec 2023 11:24:03 +0000 Subject: [PATCH 11/12] [feature/PI-165-environments] add cache scoping to deployments --- .github/workflows/_deploy.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/_deploy.yml b/.github/workflows/_deploy.yml index a2107ac17..92bdb33f2 100644 --- a/.github/workflows/_deploy.yml +++ b/.github/workflows/_deploy.yml @@ -22,7 +22,7 @@ permissions: env: ACCOUNT: ${{ inputs.account }} WORKSPACE: ${{ inputs.workspace }} - CACHE_NAME: ${{ inputs.workspace }}-cache + CACHE_NAME: ${{ inputs.workspace }}-${{ inputs.account }}-${{ inputs.scope }} SCOPE: ${{ inputs.scope }} # SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }} CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }} @@ -60,6 +60,7 @@ jobs: command: build save-to-cache: "true" restore-from-cache: "false" + cache-suffix: ${{ env.CACHE_NAME }} helpers--truststore-pull: needs: [get-branch-from-workflow-file, build] @@ -87,6 +88,7 @@ jobs: scope: ${{ env.SCOPE }} restore-from-cache: "true" save-to-cache: "true" + cache-suffix: ${{ env.CACHE_NAME }} terraform--plan: needs: [get-branch-from-workflow-file, terraform--init] 
@@ -103,6 +105,7 @@ jobs: scope: ${{ env.SCOPE }} restore-from-cache: "true" save-to-cache: "true" + cache-suffix: ${{ env.CACHE_NAME }} terraform--apply: needs: [get-branch-from-workflow-file, terraform--plan] @@ -119,6 +122,7 @@ jobs: scope: ${{ env.SCOPE }} restore-from-cache: "true" save-to-cache: "true" + cache-suffix: ${{ env.CACHE_NAME }} test--smoke: needs: [get-branch-from-workflow-file, terraform--apply] From 0cbbcb26465603cd70e88c8882c3ed395009ec83 Mon Sep 17 00:00:00 2001 From: Joel Klinger Date: Fri, 29 Dec 2023 14:23:21 +0000 Subject: [PATCH 12/12] [feature/PI-165-environments] fix workspace destroy --- scripts/infrastructure/destroy/destroy-redundant-workspaces.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/infrastructure/destroy/destroy-redundant-workspaces.sh b/scripts/infrastructure/destroy/destroy-redundant-workspaces.sh index 1d72cc555..993299970 100644 --- a/scripts/infrastructure/destroy/destroy-redundant-workspaces.sh +++ b/scripts/infrastructure/destroy/destroy-redundant-workspaces.sh @@ -76,7 +76,7 @@ function _destroy_redundant_workspaces() { # Print the matching object names for workspace in "${matching_objects[@]}"; do echo "Attempting to destroy workspace: $workspace" - bash ./scripts/infrastructure/terraform/terraform-commands.sh destroy $workspace "per_workspace" "" "-input=false -auto-approve -no-color" + bash ./scripts/infrastructure/terraform/terraform-commands.sh "destroy" "ref" $workspace "per_workspace" "" "-input=false -auto-approve -no-color" done }
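Review bot: The account passed to `terraform-commands.sh destroy` is hard-coded to `"ref"`, while `$workspace` comes from `matching_objects`, which this hunk does not show being filtered by account; if that list ever includes a workspace deployed to another account, an `-auto-approve` destroy runs with the ref role against state that does not belong to it, which at best fails noisily and at worst acts on the wrong account. Take the account from the environment and fail loudly when it is absent, and quote the workspace: `bash ./scripts/infrastructure/terraform/terraform-commands.sh "destroy" "${AWS_ACCOUNT:?account required}" "$workspace" "per_workspace" "" "-input=false -auto-approve -no-color"`. The enclosing `_destroy_redundant_workspaces` starts outside the hunk, so I cannot see how `matching_objects` is built.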