From 67e470cc98d2e23191cd09774bfe5ae97eef5750 Mon Sep 17 00:00:00 2001 From: Edd Almond <102675624+eddalmond1@users.noreply.github.com> Date: Wed, 21 Jan 2026 17:01:53 +0000 Subject: [PATCH 1/3] using existing make commands --- .github/workflows/release-candidate.yml | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml index 6649a4f31..2d76fc623 100644 --- a/.github/workflows/release-candidate.yml +++ b/.github/workflows/release-candidate.yml @@ -103,9 +103,9 @@ jobs: - name: "Get S3 bucket name" id: bucket run: | - cd infrastructure/stacks/api-layer - terraform init -backend=true - BUCKET=$(terraform output -raw lambda_artifact_bucket) + cd infrastructure + make terraform env=dev stack=api-layer tf-command=init workspace=default + BUCKET=$(terraform -chdir=./stacks/api-layer output -raw lambda_artifact_bucket) echo "name=$BUCKET" >> $GITHUB_OUTPUT echo "📦 S3 Bucket: $BUCKET" @@ -237,8 +237,9 @@ jobs: - name: "Get test S3 bucket" id: test_bucket run: | - cd infrastructure/stacks/api-layer - BUCKET=$(terraform output -raw lambda_artifact_bucket) + cd infrastructure + make terraform env=test stack=api-layer tf-command=init workspace=default + BUCKET=$(terraform -chdir=./stacks/api-layer output -raw lambda_artifact_bucket) echo "name=$BUCKET" >> $GITHUB_OUTPUT - name: "Upload lambda to test S3" @@ -381,8 +382,9 @@ jobs: - name: "Get preprod S3 bucket" id: preprod_bucket run: | - cd infrastructure/stacks/api-layer - BUCKET=$(terraform output -raw lambda_artifact_bucket) + cd infrastructure + make terraform env=preprod stack=api-layer tf-command=init workspace=default + BUCKET=$(terraform -chdir=./stacks/api-layer output -raw lambda_artifact_bucket) echo "name=$BUCKET" >> $GITHUB_OUTPUT - name: "Upload lambda to preprod S3" From 963426b81997f2604b8d34142beed83f68e9e51f Mon Sep 17 00:00:00 2001 
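Review bot: The new `BUCKET=$(terraform -chdir=./stacks/api-layer output -raw lambda_artifact_bucket)` line is never checked for an empty result, so an unset or renamed output produces an `s3://` URI with no bucket in the later upload/download steps instead of failing in this step; add `[[ -n "$BUCKET" ]] || { echo "lambda_artifact_bucket output is empty" >&2; exit 1; }` before the `echo "name=$BUCKET"` line. The same applies to the hunks at -237 (env=test) and -381 (env=preprod), which previously ran no init at all and now read a different backend each. The raw `terraform output` call also relies on the `make terraform ... tf-command=init workspace=default` wrapper leaving `./stacks/api-layer` initialised with the `default` workspace selected on disk; if the Makefile selects the workspace only through an environment variable inside make, the output call will read whichever workspace is currently selected, so this is worth confirming against the Makefile, which is not in the diff.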
From: Edd Almond <102675624+eddalmond1@users.noreply.github.com> Date: Mon, 26 Jan 2026 16:10:16 +0000 Subject: [PATCH 2/3] eli-606 switching to just use the lambda we built initially --- .github/workflows/release-candidate.yml | 83 ++++++++++--------------- 1 file changed, 34 insertions(+), 49 deletions(-) diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml index 2d76fc623..2a55d7f04 100644 --- a/.github/workflows/release-candidate.yml +++ b/.github/workflows/release-candidate.yml @@ -124,6 +124,25 @@ jobs: echo "exists=false" >> $GITHUB_OUTPUT fi + - name: "Download artifact for workflow reuse" + if: steps.check.outputs.exists == 'true' + run: | + TAG="${{ needs.validate.outputs.dev_tag }}" + BUCKET="${{ steps.bucket.outputs.name }}" + mkdir -p ./dist + aws s3 cp \ + "s3://$BUCKET/artifacts/$TAG/lambda.zip" \ + ./dist/lambda.zip \ + --region eu-west-2 + + - name: "Upload lambda artifact" + if: steps.check.outputs.exists == 'true' + uses: actions/upload-artifact@v4 + with: + name: lambda-${{ needs.validate.outputs.dev_tag }} + path: dist/lambda.zip + if-no-files-found: error + rebuild-artifact: name: "Rebuild and upload artifact (if missing)" runs-on: ubuntu-latest @@ -165,6 +184,13 @@ jobs: --region eu-west-2 echo "✅ Uploaded artifact to s3://$BUCKET/artifacts/$TAG/lambda.zip" + - name: "Upload lambda artifact" + uses: actions/upload-artifact@v4 + with: + name: lambda-${{ needs.validate.outputs.dev_tag }} + path: dist/lambda.zip + if-no-files-found: error + deploy-to-test: name: "Deploy to Test (optional)" runs-on: ubuntu-latest 
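Review bot: The new "Download artifact for workflow reuse" step interpolates `${{ needs.validate.outputs.dev_tag }}` and `${{ steps.bucket.outputs.name }}` directly into the `run:` script, so the expression text is substituted into the shell source before bash parses the `TAG=` and `BUCKET=` assignments. The established hardening is to pass expressions through the step's `env:` block and read them as `"$TAG"` and `"$BUCKET"` in the script, e.g. `env:` / `TAG: ${{ needs.validate.outputs.dev_tag }}` / `BUCKET: ${{ steps.bucket.outputs.name }}` with the two assignment lines dropped from `run:`. Where `dev_tag` originates is not visible in this diff; if it is derived from a tag name, branch or workflow input this matters, and the indirection costs nothing either way. The removed "Get source S3 bucket" step in the -296 hunk already used this `env:` pattern for `ENV`, so it matches the file's existing style.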
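Review bot: This `actions/upload-artifact@v4` step in rebuild-artifact publishes `lambda-${{ needs.validate.outputs.dev_tag }}`, the same artifact name the verify-artifact job's new upload step (hunk at -124) uses; v4 artifacts are immutable, so if both jobs ever run in the same workflow run the second upload fails with a name conflict. Presumably rebuild-artifact is gated on `steps.check.outputs.exists == 'false'`, which would make the two uploads mutually exclusive, but that `if:` is outside the hunk. A comment above this step would make the invariant visible to the next editor: `# Exactly one of verify-artifact / rebuild-artifact publishes lambda-<tag>; v4 artifacts cannot be re-uploaded under the same name.`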
@@ -189,21 +215,11 @@ jobs: with: terraform_version: $(grep '^terraform' .tool-versions | cut -f2 -d' ') - - name: "Configure AWS Credentials (dev) - to download artifact" - uses: aws-actions/configure-aws-credentials@v5 + - name: "Download lambda artifact" + uses: actions/download-artifact@v4 with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role - aws-region: eu-west-2 - - - name: "Download lambda from S3 (dev bucket)" - run: | - TAG="${{ needs.validate.outputs.dev_tag }}" - BUCKET="${{ needs.verify-artifact.outputs.s3_bucket }}" - mkdir -p ./dist - aws s3 cp \ - "s3://$BUCKET/artifacts/$TAG/lambda.zip" \ - ./dist/lambda.zip \ - --region eu-west-2 + name: lambda-${{ needs.validate.outputs.dev_tag }} + path: dist - name: "Configure AWS Credentials (test)" uses: aws-actions/configure-aws-credentials@v5 
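Review bot: Replacing the S3 download with `actions/download-artifact@v4` makes deploy-to-test depend on whichever of verify-artifact or rebuild-artifact actually produced `lambda-<tag>`, and the other of those two jobs is skipped; a job that lists a skipped job in `needs:` is itself skipped unless its `if:` tolerates that, e.g. `if: ${{ !cancelled() && needs.verify-artifact.result == 'success' && needs.rebuild-artifact.result != 'failure' }}`. The job's `needs:` and `if:` are outside this hunk, so treat this as a check rather than a confirmed defect; the same applies to the preprod hunk at -296. With the dev-role assumption removed from this job, confirm that no later step in deploy-to-test still references `needs.verify-artifact.outputs.s3_bucket`, which the removed lines were the only visible consumer of.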
@@ -296,42 +312,11 @@ jobs: with: terraform_version: $(grep '^terraform' .tool-versions | cut -f2 -d' ') - - name: "Determine source bucket (test or dev)" - id: source - run: | - if [[ "${{ inputs.deploy_to_test }}" == "true" ]]; then - echo "environment=test" >> $GITHUB_OUTPUT - else - echo "environment=dev" >> $GITHUB_OUTPUT - fi - - - name: "Configure AWS Credentials (source) - to download artifact" - uses: aws-actions/configure-aws-credentials@v5 + - name: "Download lambda artifact" + uses: actions/download-artifact@v4 with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role - aws-region: eu-west-2 - - - name: "Get source S3 bucket" - id: source_bucket - env: - ENV: ${{ steps.source.outputs.environment }} - run: | - cd infrastructure - make terraform env=$ENV stack=api-layer tf-command=init workspace=default - cd stacks/api-layer - BUCKET=$(terraform output -raw lambda_artifact_bucket) - echo "name=$BUCKET" >> $GITHUB_OUTPUT - echo "📦 Source bucket ($ENV): $BUCKET" - - - name: "Download lambda from source S3" - run: | - TAG="${{ needs.validate.outputs.dev_tag }}" - BUCKET="${{ steps.source_bucket.outputs.name }}" - mkdir -p ./dist - aws s3 cp \ - "s3://$BUCKET/artifacts/$TAG/lambda.zip" \ - ./dist/lambda.zip \ - --region eu-west-2 + name: lambda-${{ needs.validate.outputs.dev_tag }} + path: dist - name: "Configure AWS Credentials (preprod)" uses: aws-actions/configure-aws-credentials@v5 From a7022eb87e3453dd34efb486927ea84cbef90b02 Mon Sep 17 00:00:00 2001 From: Edd Almond <102675624+eddalmond1@users.noreply.github.com> Date: Tue, 27 Jan 2026 15:23:17 +0000 Subject: [PATCH 3/3] eli-606 adding missing TF_VAR --- .github/workflows/release-candidate.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml index 2a55d7f04..5457e842c 100644 --- a/.github/workflows/release-candidate.yml 
+++ b/.github/workflows/release-candidate.yml @@ -236,6 +236,7 @@ jobs: TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }} TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} + TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }} run: | mkdir -p ./build echo "🚀 Deploying ${{ needs.validate.outputs.dev_tag }} to TEST" @@ -333,6 +334,7 @@ jobs: TF_VAR_API_PRIVATE_KEY_CERT: ${{ secrets.API_PRIVATE_KEY_CERT }} TF_VAR_SPLUNK_HEC_TOKEN: ${{ secrets.SPLUNK_HEC_TOKEN }} TF_VAR_SPLUNK_HEC_ENDPOINT: ${{ secrets.SPLUNK_HEC_ENDPOINT }} + TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }} run: | mkdir -p ./build echo "🚀 Deploying ${{ needs.validate.outputs.dev_tag }} to PREPROD"
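Review bot: `TF_VAR_OPERATOR_EMAILS: ${{ vars.SECRET_ROTATION_OPERATOR_EMAILS }}` expands to an empty string when the variable is not defined at the repository or environment level, so Terraform receives `TF_VAR_OPERATOR_EMAILS=""` rather than an unset variable; depending on how `OPERATOR_EMAILS` is typed in the api-layer stack that is either a silently empty operator list or a parse error at plan time. If the variable is scoped to a GitHub environment, the job must declare `environment:` for `vars.` to resolve, and the job header is outside the hunk. A one-line comment above the new line would help, e.g. `# Non-secret notification list for secret rotation; must be set per environment or the list is empty.` The same line is added to the preprod deploy in the -333 hunk.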