From 728f6b6512c66ca46cae9a6996898e9980831b08 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Fri, 3 Oct 2025 13:56:14 +0100
Subject: [PATCH 1/6] fix artifact deployment
---
.github/workflows/cicd-2-publish.yaml | 1 +
.github/workflows/cicd-3-test-deploy.yaml | 1 +
2 files changed, 2 insertions(+)
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index b35f7c76b..263814bd3 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -9,6 +9,7 @@ on:
branches:
- main
- hotfix/*
+ - fix/bring_back_github_artifacts
workflow_dispatch: {}
concurrency:
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
index c386c9696..ef0458353 100644
--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
@@ -79,6 +79,7 @@ jobs:
name: lambda-${{ needs.metadata.outputs.tag }}
path: ./build
run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ github.token }}
- name: "Terraform Apply (TEST)"
env:
From 7feeccdacbf0b1d65dd591fd68c71e1d45577e97 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Fri, 3 Oct 2025 13:58:43 +0100
Subject: [PATCH 2/6] comment reg test
---
.github/workflows/cicd-3-test-deploy.yaml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/cicd-3-test-deploy.yaml b/.github/workflows/cicd-3-test-deploy.yaml
index ef0458353..b35845ab4 100644
--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
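Review bot: The added `- fix/bring_back_github_artifacts` push trigger lets every commit on an unprotected feature branch run this workflow, which later hunks in this series show assuming the deployment role via OIDC, reading the Terraform secrets and pushing `dev-*` tags; the `main` and `hotfix/*` filters it sits beside are presumably backed by branch protection, this branch is not. If it is only needed while debugging the artifact hand-off, mark it so it does not survive the merge: `- fix/bring_back_github_artifacts  # TODO: remove before merge - temporary debug trigger`. For a one-off run the existing `workflow_dispatch` trigger is the safer tool, since dispatching requires write access to the repository rather than the ability to push to one branch.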
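Review bot: `github-token` together with `run-id` makes download-artifact read an artifact from a different workflow run, which requires `actions: read` on the job's token; the job's `permissions:` block is outside this hunk, so confirm it grants that, otherwise the step fails with a 403 rather than falling back. The artifact is only as trustworthy as the run named by `github.event.workflow_run.id`, so if the job's `if:` does not already restrict `github.event.workflow_run.head_branch`, add `&& github.event.workflow_run.head_branch == 'main'` (plus the `hotfix/` equivalent) so a feature-branch build can never be promoted to TEST. The enclosing step and job begin before this hunk.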
@@ -112,11 +112,11 @@ jobs:
s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
--region eu-west-2
- regression-tests:
- name: "Regression Tests"
- needs: deploy
- uses: ./.github/workflows/regression-tests.yml
- with:
- ENVIRONMENT: "test"
- VERSION_NUMBER: "main"
- secrets: inherit
+# regression-tests:
+# name: "Regression Tests"
+# needs: deploy
+# uses: ./.github/workflows/regression-tests.yml
+# with:
+# ENVIRONMENT: "test"
+# VERSION_NUMBER: "main"
+# secrets: inherit
From d13661dbed02bca0cdec8be04cbe46c7a5b2e6f9 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Fri, 3 Oct 2025 14:06:17 +0100
Subject: [PATCH 3/6] comment reg test
---
.github/workflows/cicd-2-publish.yaml | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index 263814bd3..a6e70c6e9 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -137,11 +137,11 @@ jobs:
title: "Pushed to main"
version: "${{ needs.metadata.outputs.version }}"
- regression-tests:
- name: "Regression Tests"
- needs: publish
- uses: ./.github/workflows/regression-tests.yml
- with:
- ENVIRONMENT: "dev"
- VERSION_NUMBER: "main"
- secrets: inherit
+# regression-tests:
+# name: "Regression Tests"
+# needs: publish
+# uses: ./.github/workflows/regression-tests.yml
+# with:
+# ENVIRONMENT: "dev"
+# VERSION_NUMBER: "main"
+# secrets: inherit
From 3b748baee9bc68c726fdf428a466410e74147851 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Fri, 3 Oct 2025 14:35:19 +0100
Subject: [PATCH 4/6] add remove s3 action
---
.../stacks/iams-developer-roles/github_actions_policies.tf | 1 +
.../stacks/iams-developer-roles/iams_permissions_boundary.tf | 3 ++-
2 files changed, 3 insertions(+), 1 deletion(-)
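Review bot: Commenting out the `regression-tests` job removes the only post-deploy verification of the TEST environment without any marker saying why or when it comes back, so a later reader cannot tell a deliberate decommission from a forgotten debug edit. If this is temporary, say so above the block: `# TODO(<ticket>): regression tests disabled while the cross-workflow artifact download is fixed; re-enable before merge to main`. If the job definition should stay live and schema-checked rather than sit as dead text, `if: false` on the job with the same comment is a cleaner switch than commenting it out.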
diff --git a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
index 1fb835a26..4e88c4c61 100644
--- a/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
+++ b/infrastructure/stacks/iams-developer-roles/github_actions_policies.tf
@@ -331,6 +331,7 @@ resource "aws_iam_policy" "api_infrastructure" {
"ssm:ListTagsForResource",
"ssm:PutParameter",
"ssm:AddTagsToResource",
+ "ssm:DeleteParameter",
# acm
"acm:ListTagsForCertificate",
diff --git a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
index 1eff66150..09ba6733d 100644
--- a/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
+++ b/infrastructure/stacks/iams-developer-roles/iams_permissions_boundary.tf
@@ -232,7 +232,8 @@ data "aws_iam_policy_document" "permissions_boundary" {
"ssm:GetParameters",
"ssm:ListTagsForResource",
"ssm:PutParameter",
- "ssm:AddTagsToResource"
+ "ssm:AddTagsToResource",
+ "ssm:DeleteParameter"
]
resources = ["*"]
From c6ca895eceda0d37f12c5520de80720c41abc557 Mon Sep 17 00:00:00 2001
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Fri, 3 Oct 2025 15:08:34 +0100
Subject: [PATCH 5/6] generate mock test
---
.github/workflows/cicd-2-publish.yaml | 81 +++++++++--------
.github/workflows/mock_deploy.yaml | 122 ++++++++++++++++++++++++++
2 files changed, 162 insertions(+), 41 deletions(-)
create mode 100644 .github/workflows/mock_deploy.yaml
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index a6e70c6e9..22fa92ad3 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -79,7 +79,6 @@ jobs:
- name: "Build lambda artefact"
run: |
- make dependencies install-python
make build
- name: "Upload lambda artefact for cross-workflow use"
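Review bot: `ssm:DeleteParameter` is a destructive, non-recoverable action dropped into the same statement as the read/put actions, and that statement's `resources` are outside this hunk, so confirm it is not `*`; deleting a parameter that holds a secret or a certificate reference cannot be undone, which argues for its own statement scoped to the parameter path prefix the api-layer stack manages, e.g. `resources = ["arn:aws:ssm:eu-west-2:*:parameter/<project-prefix>/*"]`. The commit subject says "add remove s3 action" but the grant is an SSM action; fix the message so the audit trail matches what was granted. The `aws_iam_policy.api_infrastructure` resource starts and ends outside the hunk.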
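Review bot: The boundary statement that gains `ssm:DeleteParameter` has `resources = ["*"]`, so every role bound by this document may now delete any SSM parameter in the account, not just the ones this project's stacks create; a permissions boundary is the ceiling that is supposed to survive a mistake in a downstream policy, which makes it the wrong place for an unscoped delete. Put the delete in a separate statement with an ARN prefix for the project's parameter path, e.g. `resources = ["arn:aws:ssm:eu-west-2:*:parameter/<project-prefix>/*"]`, and keep the `*` statement to the read/put actions it had before. `data.aws_iam_policy_document.permissions_boundary` continues outside the hunk.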
@@ -88,35 +87,35 @@ jobs:
name: lambda-${{ needs.metadata.outputs.version }}
path: dist/lambda.zip
- - name: "Download Built Lambdas"
- uses: actions/download-artifact@v5
- with:
- name: lambda-${{ needs.metadata.outputs.version }}
- path: ./build - - name: "Configure AWS Credentials"
- uses: aws-actions/configure-aws-credentials@v5
- with:
- role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
- aws-region: eu-west-2 - - name: "Terraform Apply"
- env:
- ENVIRONMENT: dev
- WORKSPACE: "default"
- TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
- TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
- TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
- TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
- TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} - - run: |
- mkdir -p ./build
- echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
- make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
- echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
- make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
- working-directory: ./infrastructure
+# - name: "Download Built Lambdas"
+# uses: actions/download-artifact@v5
+# with:
+# name: lambda-${{ needs.metadata.outputs.version }}
+# path: ./build
+#
+# - name: "Configure AWS Credentials"
+# uses: aws-actions/configure-aws-credentials@v5
+# with:
+# role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+# aws-region: eu-west-2
+#
+# - name: "Terraform Apply"
+# env:
+# ENVIRONMENT: dev
+# WORKSPACE: "default"
+# TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
+# TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
+# TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+# TF_VAR_SPLUNK_HEC_TOKEN:
${{ secrets.SPLUNK_HEC_TOKEN }}
+# TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+#
+# run: |
+# mkdir -p ./build
+# echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+# make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+# echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+# make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
+# working-directory: ./infrastructure
- name: "Tag the dev deployment"
run: |
@@ -125,17 +124,17 @@ jobs:
git tag ${{ needs.metadata.outputs.version }}
git push origin ${{ needs.metadata.outputs.version }}
- - name: "Notify Slack on PR merge"
- uses: slackapi/slack-github-action@v2.1.1
- with:
- webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
- webhook-type: webhook-trigger
- payload: |
- status: "${{ job.status }}"
- link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}"
- Author: "${{ github.actor }}"
- title: "Pushed to main"
- version: "${{ needs.metadata.outputs.version }}"
+# - name: "Notify Slack on PR merge"
+# uses: slackapi/slack-github-action@v2.1.1
+# with:
+# webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+# webhook-type: webhook-trigger
+# payload: |
+# status: "${{ job.status }}"
+# link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}"
+# Author: "${{ github.actor }}"
+# title: "Pushed to main"
+# version: "${{ needs.metadata.outputs.version }}"
# regression-tests:
# name: "Regression Tests"
diff --git a/.github/workflows/mock_deploy.yaml b/.github/workflows/mock_deploy.yaml
new file mode 100644
index 000000000..c64d9ee1d
--- /dev/null
+++ b/.github/workflows/mock_deploy.yaml
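Review bot: With the Download, Configure AWS Credentials and Terraform Apply steps commented out, the `Tag the dev deployment` step that follows them still runs and pushes a `dev-*` tag for a commit that was never applied to dev, and the new mock_deploy workflow in this same series resolves exactly that tag to decide what it promotes to TEST, so the tag stops meaning "deployed to dev" the moment this lands. While the apply is disabled, comment out the tag step with it; when both return, give the apply an `id: tf_apply` and gate the tag with `if: steps.tf_apply.outcome == 'success'` so the tag can never outrun the deployment. The `publish` job begins before this hunk.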
@@ -0,0 +1,122 @@
+name: "mock deploy"
+
+on:
+ workflow_run:
+ workflows: ["2. CD | Deploy to Dev"]
+ types: [completed]
+
+permissions:
+ contents: read
+ id-token: write
+ actions: read
+
+jobs:
+ metadata:
+ name: "Resolve metadata from triggering run"
+ runs-on: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ outputs:
+ terraform_version: ${{ steps.vars.outputs.terraform_version }}
+ tag: ${{ steps.tag.outputs.name }}
+ steps:
+ - name: "Checkout exact commit from CI/CD publish"
+ uses: actions/checkout@v5
+ with:
+ ref: ${{ github.event.workflow_run.head_sha }}
+
+ - name: "Set CI/CD variables"
+ id: vars
+ run: |
+ echo "terraform_version=$(grep '^terraform' .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
+
+ - name: "Resolve the dev-* tag for this commit"
+ id: tag
+ run: |
+ git fetch --tags --force
+ SHA="${{ github.event.workflow_run.head_sha }}"
+ TAG=$(git tag --points-at "$SHA" | grep '^dev-' | head -n1 || true)
+ if [ -z "$TAG" ]; then
+ echo "No dev-* tag found on $SHA" >&2
+ exit 1
+ fi
+ echo "name=$TAG" >> $GITHUB_OUTPUT
+ echo "Resolved tag: $TAG"
+
+ deploy:
+ name: "Deploy to TEST (approval required)"
+ runs-on: ubuntu-latest
+ needs: [metadata]
+ environment: test
+ timeout-minutes: 10080
+ permissions:
+ id-token: write
+ contents: read
+ steps:
+ - name: "Acquire deploy lock"
+ uses: softprops/turnstyle@v3
+ with:
+ poll-interval-seconds: 10
+
+ - name: "Checkout same commit"
+ uses: actions/checkout@v5
+ with:
+ ref: ${{ github.event.workflow_run.head_sha }}
+
+# - name: "Setup Terraform"
+# uses: hashicorp/setup-terraform@v3
+# with:
+# terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+
+ - name: "Configure AWS Credentials"
+ uses: aws-actions/configure-aws-credentials@v5
+ with:
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
+ aws-region: eu-west-2
+
+ - name: "Download lambda artefact from dev workflow"
+ uses:
actions/download-artifact@v5
+ with:
+ name: lambda-${{ needs.metadata.outputs.tag }}
+ path: ./build
+ run-id: ${{ github.event.workflow_run.id }}
+ github-token: ${{ github.token }}
+
+# - name: "Terraform Apply (TEST)"
+# env:
+# ENVIRONMENT: test
+# WORKSPACE: "default"
+# TF_VAR_API_CA_CERT: ${{ secrets.API_CA_CERT }}
+# TF_VAR_API_CLIENT_CERT: ${{ secrets.API_CLIENT_CERT }}
+# TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }}
+# TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }}
+# TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }}
+# run: |
+# mkdir -p ./build
+# echo "Deploying tag: ${{ needs.metadata.outputs.tag }}"
+# echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+# make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+# echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+# make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
+# working-directory: ./infrastructure
+#
+# - name: "Extract S3 bucket name from Terraform output"
+# id: tf_output
+# run: |
+# BUCKET=$(terraform output -raw lambda_artifact_bucket)
+# echo "bucket_name=$BUCKET" >> $GITHUB_OUTPUT
+# working-directory: ./infrastructure/stacks/api-layer
+#
+# - name: "Upload lambda artifact to S3"
+# run: |
+# aws s3 cp ./build/lambda.zip \
+# s3://${{ steps.tf_output.outputs.bucket_name }}/artifacts/${{ needs.metadata.outputs.tag }}/lambda.zip \
+# --region eu-west-2
+
+# regression-tests:
+# name: "Regression Tests"
+# needs: deploy
+# uses: ./.github/workflows/regression-tests.yml
+# with:
+# ENVIRONMENT: "test"
+# VERSION_NUMBER: "main"
+# secrets: inherit
From b472f99959fe2d3514579a78765ea99cddd49213 Mon Sep 17 00:00:00 2001
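Review bot: The `metadata` job's `if:` checks only `workflow_run.conclusion == 'success'`, yet the triggering workflow "2. CD | Deploy to Dev" runs on push to `main`, `hotfix/*` and, after the first patch in this series, `fix/bring_back_github_artifacts`, so a green feature-branch run queues a promotion into the `test` environment and its artifact is what the `deploy` job downloads, with the environment's approval (presumably configured, per the job name) as the only remaining barrier. Gate on the branch as well: `if: ${{ github.event.workflow_run.conclusion == 'success' && (github.event.workflow_run.head_branch == 'main' || startsWith(github.event.workflow_run.head_branch, 'hotfix/')) }}`. Separately, `softprops/turnstyle@v3` is a third-party action referenced by a mutable tag inside a job that holds the AWS deployment role, so pin it to a full commit SHA with the version in a trailing comment. `timeout-minutes: 10080` looks intended to cover the approval wait, but environment approval happens before the job starts, so this only lets a stuck turnstyle poll hold a runner for a week; a lock wait of a few hours is enough.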
From: karthikeyannhs <174426205+Karthikeyannhs@users.noreply.github.com>
Date: Fri, 3 Oct 2025 15:09:48 +0100
Subject: [PATCH 6/6] generate mock test
---
.github/workflows/cicd-2-publish.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/cicd-2-publish.yaml b/.github/workflows/cicd-2-publish.yaml
index 22fa92ad3..9fb14a32e 100644
--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -79,6 +79,7 @@ jobs:
- name: "Build lambda artefact"
run: |
+ make dependencies install-python
make build
- name: "Upload lambda artefact for cross-workflow use"