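name: "Merge to main (Production)"

on:
  # Dispatched from the manifest repo when environment variables change.
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - ".github/workflows/infrastructure_version.txt"

# Serialise production applies. Every job below runs `terragrunt apply` against
# shared production state, so a manual dispatch that lands while a push-triggered
# run is still applying must queue behind it rather than race it.
# cancel-in-progress is deliberately false: an apply that is already mutating
# infrastructure must never be killed part-way through.
concurrency:
  group: production-terragrunt-apply
  cancel-in-progress: false

# Token permissions granted to every job in this workflow.
# id-token: write is presumably what lets ./.github/actions/setup-terraform
# exchange the OIDC token for the role_to_assume credentials (verify in that
# action).
# NOTE(review): no visible step pushes commits or touches pull requests; unless
# the setup-terraform composite action needs them, contents and pull-requests
# should be dropped to read / removed (least privilege for a production apply
# token).
permissions:
  id-token: write
  contents: write
  pull-requests: write

defaults:
  run:
    # GitHub runs bash steps with -eo pipefail, so a failing command aborts
    # the step instead of letting terragrunt continue on a broken premise.
    shell: bash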
# Workflow-level environment: injected into EVERY step of EVERY job below,
# including actions/checkout and the local setup-terraform composite action.
#
# NOTE(review): that means all production credentials (DB passwords, API keys,
# the PR-bot private key, SAML metadata, the WAF secret, ...) are present in the
# process environment of steps that do not need them. Scoping the TF_VAR_* secrets
# to the "Terragrunt apply ..." steps via step-level `env:` would limit what a
# compromised action or dependency could read. These values also flow into
# Terraform state; confirm the state backend is encrypted and access-restricted.
env:
  AWS_REGION: ca-central-1
  # Observability / alerting integrations.
  TF_VAR_new_relic_api_key: ${{ secrets.PRODUCTION_NEW_RELIC_API_KEY }}
  TF_VAR_new_relic_account_id: ${{ secrets.PRODUCTION_NEW_RELIC_ACCOUNT_ID }}
  TF_VAR_new_relic_slack_webhook_url: ${{ secrets.PRODUCTION_NEW_RELIC_SLACK_WEBHOOK_URL }}
  TF_VAR_base_domain: ${{secrets.PRODUCTION_BASE_DOMAIN}}
  TF_VAR_alt_base_domain: ${{secrets.PRODUCTION_ALT_BASE_DOMAIN}}
  # Database credentials consumed by the rds / database-tools / quicksight modules.
  TF_VAR_dbtools_password: ${{ secrets.PRODUCTION_DBTOOLS_PASSWORD }}
  TF_VAR_heartbeat_api_key: ${{ secrets.PRODUCTION_HEARTBEAT_API_KEY }}
  TF_VAR_heartbeat_sms_number: ${{ secrets.PRODUCTION_HEARTBEAT_SMS_NUMBER }}
  TF_VAR_rds_cluster_password: ${{ secrets.PRODUCTION_RDS_CLUSTER_PASSWORD }}
  TF_VAR_app_db_user_password: ${{ secrets.PRODUCTION_APP_DB_USER_PASSWORD }}
  TF_VAR_quicksight_db_user_password: ${{ secrets.PRODUCTION_QUICKSIGHT_DB_USER_PASSWORD }}
  # All three CloudWatch alarm topics deliberately share one Slack webhook and
  # one channel (see TF_VAR_slack_channel_* below).
  TF_VAR_cloudwatch_slack_webhook_warning_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
  TF_VAR_cloudwatch_slack_webhook_critical_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
  TF_VAR_cloudwatch_slack_webhook_general_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
  TF_VAR_notify_o11y_google_oauth_client_id: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_ID }}
  TF_VAR_notify_o11y_google_oauth_client_secret: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_SECRET }}
  # Microsoft Sentinel log forwarding (enabled via TF_VAR_enable_sentinel_forwarding).
  TF_VAR_sentinel_customer_id: ${{ secrets.SENTINEL_CUSTOMER_ID }}
  TF_VAR_sentinel_shared_key: ${{ secrets.SENTINEL_SHARED_KEY }}
  TF_VAR_slack_channel_warning_topic: "notification-ops"
  TF_VAR_slack_channel_critical_topic: "notification-ops"
  TF_VAR_slack_channel_general_topic: "notification-ops"
  TF_VAR_sqlalchemy_database_reader_uri: ${{ secrets.PRODUCTION_SQLALCHEMY_DATABASE_READER_URI }}
  # Public endpoints probed by the system_status module.
  TF_VAR_system_status_admin_url: "https://notification.canada.ca"
  TF_VAR_system_status_api_url: "https://api.notification.canada.ca"
  TF_VAR_system_status_bucket_name: "notification-canada-ca-production-system-status"
  TF_VAR_cloudwatch_opsgenie_alarm_webhook: ${{ secrets.PRODUCTION_CLOUDWATCH_OPSGENIE_ALARM_WEBHOOK }}
  TF_VAR_new_relic_license_key: ${{ secrets.PRODUCTION_NEW_RELIC_LICENSE_KEY }}
  TF_VAR_waf_secret: ${{secrets.PRODUCTION_WAF_SECRET}}
  # Prevents repeated creation of the Slack lambdas if already existing.
  # See: https://github.com/terraform-aws-modules/terraform-aws-notify-slack/issues/84
  # NOTE(review): GitHub coerces YAML booleans here to the strings "false"/"true";
  # quoting them ("false") would make that explicit and keep yamllint quiet.
  TF_RECREATE_MISSING_LAMBDA_PACKAGE: false
  # Client VPN: IdP group allowed through, plus SAML IdP metadata for the VPN
  # endpoint and its self-service portal.
  TF_VAR_client_vpn_access_group_id: ${{ secrets.PRODUCTION_CLIENT_VPN_ACCESS_GROUP_ID }}
  TF_VAR_client_vpn_saml_metadata: ${{ secrets.PRODUCTION_CLIENT_VPN_SAML_METADATA }}
  TF_VAR_client_vpn_self_service_saml_metadata: ${{ secrets.PRODUCTION_CLIENT_VPN_SELF_SERVICE_SAML_METADATA }}
  # GitHub App used by the PR bot against the manifests repo. The private key is
  # a long-lived signing credential; treat its rotation like any other secret.
  TF_VAR_pr_bot_installation_id: ${{ secrets.NOTIFY_PR_BOT_INSTALLATION_ID_MANIFESTS }}
  TF_VAR_pr_bot_app_id: ${{ secrets.NOTIFY_PR_BOT_APP_ID }}
  TF_VAR_pr_bot_private_key: ${{ secrets.NOTIFY_PR_BOT_PRIVATE_KEY }}
  TF_VAR_budget_sre_bot_webhook: ${{ secrets.PRODUCTION_BUDGET_SRE_BOT_WEBHOOK }}
  TF_VAR_enable_sentinel_forwarding: true
  TF_VAR_aws_xray_sdk_enabled: false
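# Dependency graph of terragrunt modules under env/production/. `common` is the
# root; everything else fans out from it and converges on eks/rds.
#
# Every dependent job uses the same gate: run only when no job in `needs`
# failed, was cancelled, OR was skipped. The 'skipped' clause is the important
# one. A job whose gate evaluates false finishes with result 'skipped', and a
# dependent that only excludes 'failure'/'cancelled' sees nothing wrong and runs
# anyway -- e.g. dns fails -> eks is skipped -> elasticache and rds (needs eks)
# would still apply against a cluster that was never updated. Excluding
# 'skipped' makes a transitive failure stop the whole downstream chain.
#
# NOTE(review): all jobs assume the same role with the same session name
# (NotifyTerraformApply). A per-job session name (e.g. NotifyTerraformApply-eks)
# would make CloudTrail attribution much easier; check first that the role's
# trust policy does not pin sts:RoleSessionName.
# NOTE(review): actions/checkout is pinned to a full SHA (good); the v3 line is
# old, so confirm it is still supported on current runners when next bumping.
# NOTE(review): there is no `environment:` gate, so a push to main applies to
# production with no human approval step; if a GitHub environment with required
# reviewers exists, attaching it to the apply jobs would add that control.
jobs:
  # Root of the graph: no needs, so no gate.
  terragrunt-apply-common:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply common
        working-directory: env/production/common
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  # No needs, so this runs in parallel with common; the gate is vacuously true
  # and kept only for uniformity with the other jobs.
  terragrunt-apply-ecr:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply ECR
        working-directory: env/production/ecr
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-ses_receiving_emails:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-ecr]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply ses_receiving_emails
        working-directory: env/production/ses_receiving_emails
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-dns:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-ses_receiving_emails]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply dns
        working-directory: env/production/dns
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-ses_validation_dns_entries:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-dns]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply ses_validation_dns_entries
        working-directory: env/production/ses_validation_dns_entries
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-cloudfront:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply cloudfront
        working-directory: env/production/cloudfront
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  # Most downstream modules hang off eks; a skipped eks must stop them (see
  # the gate comment above).
  terragrunt-apply-eks:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-dns, terragrunt-apply-cloudfront]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply eks
        working-directory: env/production/eks
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-elasticache:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-eks]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply elasticache
        working-directory: env/production/elasticache
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-rds:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-eks]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply rds
        working-directory: env/production/rds
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-lambda-api:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-eks, terragrunt-apply-ecr, terragrunt-apply-rds]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply lambda-api
        working-directory: env/production/lambda-api
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-heartbeat:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-ecr]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply heartbeat
        working-directory: env/production/heartbeat
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-database-tools:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-eks, terragrunt-apply-rds]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply database-tools
        working-directory: env/production/database-tools
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-quicksight:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-eks, terragrunt-apply-rds]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply quicksight
        working-directory: env/production/quicksight
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-lambda-google-cidr:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-eks, terragrunt-apply-ecr]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply lambda-google-cidr
        working-directory: env/production/lambda-google-cidr
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-ses_to_sqs_email_callbacks:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-ecr]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply ses_to_sqs_email_callbacks
        working-directory: env/production/ses_to_sqs_email_callbacks
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-sns_to_sqs_sms_callbacks:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-ecr]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply sns_to_sqs_sms_callbacks
        working-directory: env/production/sns_to_sqs_sms_callbacks
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-pinpoint_to_sqs_sms_callbacks:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-ecr]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply pinpoint_to_sqs_sms_callbacks
        working-directory: env/production/pinpoint_to_sqs_sms_callbacks
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-system_status:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    runs-on: ubuntu-latest
    needs: [terragrunt-apply-common, terragrunt-apply-ecr, terragrunt-apply-rds, terragrunt-apply-eks]
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply system_status
        working-directory: env/production/system_status
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-system_status_static_site:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    needs: [terragrunt-apply-common, terragrunt-apply-system_status]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply aws/system_status_static_site
        working-directory: env/production/system_status_static_site
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  terragrunt-apply-newrelic:
    if: |
      always() &&
      !contains(needs.*.result, 'failure') &&
      !contains(needs.*.result, 'cancelled') &&
      !contains(needs.*.result, 'skipped')
    needs: [terragrunt-apply-common]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
      - name: setup-terraform
        uses: ./.github/actions/setup-terraform
        with:
          role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
          role_session_name: NotifyTerraformApply
      - name: Terragrunt apply aws/newrelic
        working-directory: env/production/newrelic
        run: terragrunt apply --terragrunt-non-interactive -auto-approve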