Skip to content

Release 2.16.23 (#1556) #343

Release 2.16.23 (#1556)

Release 2.16.23 (#1556) #343

name: "Merge to main (Production)"
on:
# This will be used to dispatch this workflow from the manifest repo when environment variables change
workflow_dispatch:
push:
branches:
- main
paths:
- ".github/workflows/infrastructure_version.txt"
permissions:
id-token: write
contents: write
pull-requests: write
defaults:
run:
shell: bash
env:
AWS_REGION: ca-central-1
TF_VAR_new_relic_api_key: ${{ secrets.PRODUCTION_NEW_RELIC_API_KEY }}
TF_VAR_new_relic_account_id: ${{ secrets.PRODUCTION_NEW_RELIC_ACCOUNT_ID }}
TF_VAR_new_relic_slack_webhook_url: ${{ secrets.PRODUCTION_NEW_RELIC_SLACK_WEBHOOK_URL }}
TF_VAR_base_domain: ${{secrets.PRODUCTION_BASE_DOMAIN}}
TF_VAR_alt_base_domain: ${{secrets.PRODUCTION_ALT_BASE_DOMAIN}}
TF_VAR_dbtools_password: ${{ secrets.PRODUCTION_DBTOOLS_PASSWORD }}
TF_VAR_heartbeat_api_key: ${{ secrets.PRODUCTION_HEARTBEAT_API_KEY }}
TF_VAR_heartbeat_sms_number: ${{ secrets.PRODUCTION_HEARTBEAT_SMS_NUMBER }}
TF_VAR_rds_cluster_password: ${{ secrets.PRODUCTION_RDS_CLUSTER_PASSWORD }}
TF_VAR_app_db_user_password: ${{ secrets.PRODUCTION_APP_DB_USER_PASSWORD }}
TF_VAR_quicksight_db_user_password: ${{ secrets.PRODUCTION_QUICKSIGHT_DB_USER_PASSWORD }}
TF_VAR_cloudwatch_slack_webhook_warning_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_cloudwatch_slack_webhook_critical_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_cloudwatch_slack_webhook_general_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_notify_o11y_google_oauth_client_id: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_ID }}
TF_VAR_notify_o11y_google_oauth_client_secret: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_SECRET }}
TF_VAR_sentinel_customer_id: ${{ secrets.SENTINEL_CUSTOMER_ID }}
TF_VAR_sentinel_shared_key: ${{ secrets.SENTINEL_SHARED_KEY }}
TF_VAR_slack_channel_warning_topic: "notification-ops"
TF_VAR_slack_channel_critical_topic: "notification-ops"
TF_VAR_slack_channel_general_topic: "notification-ops"
TF_VAR_sqlalchemy_database_reader_uri: ${{ secrets.PRODUCTION_SQLALCHEMY_DATABASE_READER_URI }}
TF_VAR_system_status_admin_url: "https://notification.canada.ca"
TF_VAR_system_status_api_url: "https://api.notification.canada.ca"
TF_VAR_system_status_bucket_name: "notification-canada-ca-production-system-status"
TF_VAR_cloudwatch_opsgenie_alarm_webhook: ${{ secrets.PRODUCTION_CLOUDWATCH_OPSGENIE_ALARM_WEBHOOK }}
TF_VAR_new_relic_license_key: ${{ secrets.PRODUCTION_NEW_RELIC_LICENSE_KEY }}
TF_VAR_waf_secret: ${{secrets.PRODUCTION_WAF_SECRET}}
# Prevents repeated creation of the Slack lambdas if already existing.
# See: https://github.com/terraform-aws-modules/terraform-aws-notify-slack/issues/84
TF_RECREATE_MISSING_LAMBDA_PACKAGE: false
TF_VAR_client_vpn_access_group_id: ${{ secrets.PRODUCTION_CLIENT_VPN_ACCESS_GROUP_ID }}
TF_VAR_client_vpn_saml_metadata: ${{ secrets.PRODUCTION_CLIENT_VPN_SAML_METADATA }}
TF_VAR_client_vpn_self_service_saml_metadata: ${{ secrets.PRODUCTION_CLIENT_VPN_SELF_SERVICE_SAML_METADATA }}
TF_VAR_pr_bot_installation_id: ${{ secrets.NOTIFY_PR_BOT_INSTALLATION_ID_MANIFESTS }}
TF_VAR_pr_bot_app_id: ${{ secrets.NOTIFY_PR_BOT_APP_ID }}
TF_VAR_pr_bot_private_key: ${{ secrets.NOTIFY_PR_BOT_PRIVATE_KEY }}
TF_VAR_budget_sre_bot_webhook: ${{ secrets.PRODUCTION_BUDGET_SRE_BOT_WEBHOOK }}
TF_VAR_enable_sentinel_forwarding: true
TF_VAR_aws_xray_sdk_enabled: false
jobs:
terragrunt-apply-common:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply common
run: |
cd env/production/common
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-ecr:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply ECR
run: |
cd env/production/ecr
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-ses_receiving_emails:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-ecr]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply ses_receiving_emails
run: |
cd env/production/ses_receiving_emails
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-dns:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-ses_receiving_emails]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply dns
run: |
cd env/production/dns
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-ses_validation_dns_entries:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-dns]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply ses_validation_dns_entries
run: |
cd env/production/ses_validation_dns_entries
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-cloudfront:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply cloudfront
run: |
cd env/production/cloudfront
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-eks:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-dns,terragrunt-apply-cloudfront]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply eks
run: |
cd env/production/eks
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-elasticache:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-eks]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply elasticache
run: |
cd env/production/elasticache
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-rds:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-eks]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply rds
run: |
cd env/production/rds
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-lambda-api:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-ecr,terragrunt-apply-rds]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply lambda-api
run: |
cd env/production/lambda-api
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-heartbeat:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-ecr]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply heartbeat
run: |
cd env/production/heartbeat
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-database-tools:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-rds]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply database-tools
run: |
cd env/production/database-tools
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-quicksight:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-rds]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply quicksight
run: |
cd env/production/quicksight
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-lambda-google-cidr:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-ecr]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply lambda-google-cidr
run: |
cd env/production/lambda-google-cidr
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-ses_to_sqs_email_callbacks:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-ecr]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply ses_to_sqs_email_callbacks
run: |
cd env/production/ses_to_sqs_email_callbacks
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-sns_to_sqs_sms_callbacks:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-ecr]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply sns_to_sqs_sms_callbacks
run: |
cd env/production/sns_to_sqs_sms_callbacks
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-pinpoint_to_sqs_sms_callbacks:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-ecr]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply pinpoint_to_sqs_sms_callbacks
run: |
cd env/production/pinpoint_to_sqs_sms_callbacks
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-system_status:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
runs-on: ubuntu-latest
needs: [terragrunt-apply-common,terragrunt-apply-ecr,terragrunt-apply-rds,terragrunt-apply-eks]
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply system_status
run: |
cd env/production/system_status
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-system_status_static_site:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
needs: [terragrunt-apply-common,terragrunt-apply-system_status]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply aws/system_status_static_site
run: |
cd env/production/system_status_static_site
terragrunt apply --terragrunt-non-interactive -auto-approve
terragrunt-apply-newrelic:
if: |
always() &&
!contains(needs.*.result, 'failure') &&
!contains(needs.*.result, 'cancelled')
needs: [terragrunt-apply-common]
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: setup-terraform
uses: ./.github/actions/setup-terraform
with:
role_to_assume: arn:aws:iam::296255494825:role/notification-terraform-apply
role_session_name: NotifyTerraformApply
- name: Terragrunt apply aws/newrelic
run: |
cd env/production/newrelic
terragrunt apply --terragrunt-non-interactive -auto-approve