From 06d912ebb76e605920396ae88fb1bdbe5bad9e14 Mon Sep 17 00:00:00 2001
From: TOEL2
Date: Mon, 18 Aug 2025 17:05:56 +0100
Subject: [PATCH 1/2] removing test from available envs and added a new workflow instead
---
 .github/workflows/cicd-3-deploy.yaml | 1 -
 .github/workflows/cicd-4-test.yaml | 130 +++++++++++++++++++++------
 2 files changed, 101 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
index 82ccc1052..96e2fe61c 100644
--- a/.github/workflows/cicd-3-deploy.yaml
+++ b/.github/workflows/cicd-3-deploy.yaml
@@ -19,7 +19,6 @@ on:
 required: true
 type: choice
 options:
- - test
 - preprod
 - prod
 release_type:
diff --git a/.github/workflows/cicd-4-test.yaml b/.github/workflows/cicd-4-test.yaml
index 77a49abba..0b52e84e0 100644
--- a/.github/workflows/cicd-4-test.yaml
+++ b/.github/workflows/cicd-4-test.yaml
@@ -1,57 +1,129 @@ -name: "CI/CD E2E Tests" +# Deploys a given tag to test environment +# Does not tag or create a release + +name: "CI/CD deploy to TEST" + +concurrency: + group: terraform-deploy-${{ github.event.inputs.environment }} + cancel-in-progress: false on: workflow_dispatch: inputs: + tag: + description: "This is the tag that is going to be deployed" + required: true + default: "latest" environment: - description: Target environment + description: "Target environment (e.g., test, preprod or prod)" required: true + default: "test" type: choice - options: [dev, test, preprod] + options: + - test jobs: - listS3: + metadata: + name: "Set CI/CD metadata" + runs-on: ubuntu-latest + timeout-minutes: 1 + outputs: + build_datetime: ${{ steps.variables.outputs.build_datetime }} + build_timestamp: ${{ steps.variables.outputs.build_timestamp }} + build_epoch: ${{ steps.variables.outputs.build_epoch }} + nodejs_version: ${{ steps.variables.outputs.nodejs_version }} + python_version: ${{ steps.variables.outputs.python_version }} + terraform_version: ${{ steps.variables.outputs.terraform_version }} + version: ${{ steps.variables.outputs.version }} + tag: ${{ steps.variables.outputs.tag }} + steps: + - name: "Checkout tag" + uses: actions/checkout@v5 + with: + ref: ${{ github.event.inputs.tag }} + + - name: "Set CI/CD variables" + id: variables + run: | + datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z') + echo "build_datetime=$datetime" >> $GITHUB_OUTPUT + echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT + echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT + echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT + echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT + echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT + # TODO: Get the version, but it may not be the .version file as this should come from the 
CI/CD Pull Request Workflow + echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT + echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT + - name: "List variables" + run: | + export BUILD_DATETIME="${{ steps.variables.outputs.build_datetime }}" + export BUILD_TIMESTAMP="${{ steps.variables.outputs.build_timestamp }}" + export BUILD_EPOCH="${{ steps.variables.outputs.build_epoch }}" + export NODEJS_VERSION="${{ steps.variables.outputs.nodejs_version }}" + export PYTHON_VERSION="${{ steps.variables.outputs.python_version }}" + export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}" + export VERSION="${{ steps.variables.outputs.version }}" + export TAG="${{ steps.variables.outputs.tag }}" + make list-variables + deploy: + name: "Deploy to an environment" runs-on: ubuntu-latest + needs: [metadata] environment: ${{ inputs.environment }} + timeout-minutes: 30 permissions: id-token: write - contents: read - + contents: write steps: - - name: Checkout - uses: actions/checkout@v5 + - name: "Setup Terraform" + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ needs.metadata.outputs.terraform_version }} - - name: Set up Python + - name: "Set up Python" uses: actions/setup-python@v5 with: - python-version: "3.11" + python-version: "3.13" - - name: Install Poetry - run: | - curl -sSL https://install.python-poetry.org | python3 - - export PATH="$HOME/.local/bin:$PATH" + - name: "Checkout Repository" + uses: actions/checkout@v5 - - name: Install dependencies with Poetry + - name: "Build lambda artefact" run: | - poetry install --no-root + make dependencies install-python + make build + + - name: "Upload lambda artefact" + uses: actions/upload-artifact@v4 + with: + name: lambda + path: dist/lambda.zip - - name: Configure AWS Credentials + - name: "Download Built Lambdas" + uses: actions/download-artifact@v5 + with: + name: lambda + path: ./build + + - name: "Configure AWS Credentials" uses: 
aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role aws-region: eu-west-2 - - name: List S3 bucket - run: | - aws s3 ls s3://eligibility-signposting-api-${{ inputs.environment }}-tfstate + - name: "Terraform Apply" + env: + ENVIRONMENT: ${{ inputs.environment }} + WORKSPACE: "default" + TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }} + TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }} + TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} - - name: Run Behave tests run: | - mkdir -p reports - poetry run behave --format json --outfile reports/behave-report.json - - - name: Upload Behave test results - uses: actions/upload-artifact@v4 - with: - name: behave-test-results - path: reports/ + mkdir -p ./build + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply" + make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE + echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply" + make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE + working-directory: ./infrastructure From e3ee08e2976051b43a1d1f66959555475c3777da Mon Sep 17 00:00:00 2001 From: TOEL2 Date: Mon, 18 Aug 2025 17:11:46 +0100 Subject: [PATCH 2/2] removing test from available envs and added a new workflow instead --- .github/workflows/cicd-4-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cicd-4-test.yaml b/.github/workflows/cicd-4-test.yaml index 0b52e84e0..721e66124 100644 --- a/.github/workflows/cicd-4-test.yaml +++ b/.github/workflows/cicd-4-test.yaml @@ -15,7 +15,7 @@ on: required: true default: "latest" environment: - description: "Target environment (e.g., test, preprod or prod)" + description: "Target environment (test only) required: true default: "test" type: choice
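Review bot: In the "Set CI/CD variables" step the dispatch input is expanded straight into the script, `echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT`, so the shell parses whatever was typed as the tag; pass it through the step's `env:` (`TAG: ${{ github.event.inputs.tag }}`) and write `echo "tag=$TAG" >> "$GITHUB_OUTPUT"`, and treat the `export ...="${{ steps.variables.outputs.* }}"` lines in "List variables" the same way. The deploy job's "Checkout Repository" step has no `ref:`, so the lambda is built from the ref the workflow was dispatched on rather than from the requested tag; adding `ref: ${{ needs.metadata.outputs.tag }}` under `with:` would make it deploy what the header comment describes. That job also widens `contents: read` to `contents: write` although nothing visible in it pushes, tags or creates a release, so `contents: read` looks sufficient alongside `id-token: write`. Separately, `python_version` is filled from `grep "^nodejs"`, which looks like a copy-paste slip for `grep "^python"`.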
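Review bot: The new `description` line opens a double-quoted scalar and never closes it, so the value runs on into `required: true` and `default: "test"` and the `environment` input no longer parses as written; it should read `description: "Target environment (test only)"`. Because this workflow assumes the deployment role and applies Terraform, linting `.github/workflows/` (yamllint or actionlint) as a pull-request check would catch this kind of breakage before it reaches the default branch.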