Skip to content
Merge to main (Staging)

Beginning Of Notify Dev (#957) #663

Sign in to view logs

Beginning Of Notify Dev (#957)

Beginning Of Notify Dev (#957) #663

Workflow file for this run

.github/workflows/merge_to_main_staging.yml at ab73c57
name: "Merge to main (Staging)"
on:
# This will be used to dispatch this workflow from the manifest repo when environment variables change
workflow_dispatch:
push:
branches:
- main
paths:
- ".env"
- "aws/**"
- "env/staging/**"
- ".github/workflows/merge_to_main_staging.yml"
defaults:
run:
shell: bash
env:
AWS_ACCESS_KEY_ID: ${{ secrets.STAGING_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.STAGING_AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ca-central-1
TF_VAR_base_domain: ${{secrets.STAGING_BASE_DOMAIN}}
TF_VAR_alt_base_domain: ${{secrets.STAGING_ALT_BASE_DOMAIN}}
TF_VAR_dbtools_password: ${{ secrets.STAGING_DBTOOLS_PASSWORD }}
TF_VAR_heartbeat_api_key: ${{ secrets.STAGING_HEARTBEAT_API_KEY }}
TF_VAR_heartbeat_template_id: ${{ secrets.STAGING_HEARTBEAT_TEMPLATE_ID }}
TF_VAR_rds_cluster_password: ${{ secrets.STAGING_RDS_CLUSTER_PASSWORD }}
TF_VAR_app_db_user_password: ${{ secrets.STAGING_APP_DB_USER_PASSWORD }}
TF_VAR_quicksight_db_user_password: ${{ secrets.STAGING_QUICKSIGHT_DB_USER_PASSWORD }}
TF_VAR_cloudwatch_slack_webhook_warning_topic: ${{ secrets.STAGING_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_cloudwatch_slack_webhook_critical_topic: ${{ secrets.STAGING_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_cloudwatch_slack_webhook_general_topic: ${{ secrets.STAGING_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_notify_o11y_google_oauth_client_id: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_ID }}
TF_VAR_notify_o11y_google_oauth_client_secret: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_SECRET }}
TF_VAR_sentinel_customer_id: ${{ secrets.SENTINEL_CUSTOMER_ID }}
TF_VAR_sentinel_shared_key: ${{ secrets.SENTINEL_SHARED_KEY }}
TF_VAR_slack_channel_warning_topic: "notification-staging-ops"
TF_VAR_slack_channel_critical_topic: "notification-staging-ops"
TF_VAR_slack_channel_general_topic: "notification-staging-ops"
TF_VAR_cloudwatch_opsgenie_alarm_webhook: ""
TF_VAR_new_relic_license_key: ${{ secrets.STAGING_NEW_RELIC_LICENSE_KEY }}
TF_VAR_perf_test_phone_number: ${{ secrets.PERF_TEST_PHONE_NUMBER }}
TF_VAR_perf_test_email: ${{ secrets.PERF_TEST_EMAIL }}
TF_VAR_perf_test_domain: ${{ secrets.PERF_TEST_DOMAIN }}
TF_VAR_perf_test_auth_header: ${{ secrets.PERF_TEST_AUTH_HEADER }}
TF_VAR_waf_secret: ${{secrets.STAGING_WAF_SECRET}}
# Prevents repeated creation of the Slack lambdas if already existing.
# See: https://github.com/terraform-aws-modules/terraform-aws-notify-slack/issues/84
TF_RECREATE_MISSING_LAMBDA_PACKAGE: false
TF_VAR_blazer_slack_webhook_general_topic: ${{ secrets.STAGING_BLAZER_SLACK_WEBHOOK }}
jobs:
terraform-apply:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
# Fetches entire history, so we can analyze commits since last tag
fetch-depth: 0
- name: Set environment variables
uses: ./.github/actions/setvars
with:
envVarFile: ./.env
- name: Setup Terraform tools
uses: cds-snc/terraform-tools-setup@v1
- name: Apply aws/common
run: |
cd env/staging/common
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/ecr
run: |
cd env/staging/ecr
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/ses_receiving_emails
run: |
cd env/staging/ses_receiving_emails
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/dns
run: |
cd env/staging/dns
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/ses_validation_dns_entries
run: |
cd env/staging/ses_validation_dns_entries
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/cloudfront
run: |
cd env/staging/cloudfront
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/eks
run: |
cd env/staging/eks
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/elasticache
run: |
cd env/staging/elasticache
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/rds
run: |
cd env/staging/rds
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/lambda-api
run: |
cd env/staging/lambda-api
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/lambda-admin-pr
run: |
cd env/staging/lambda-admin-pr
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/performance-test
run: |
cd env/staging/performance-test
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/heartbeat
run: |
cd env/staging/heartbeat
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/database-tools
run: |
cd env/staging/database-tools
terragrunt apply --terragrunt-non-interactive -auto-approve
# - name: Apply aws/quicksight
# run: |
# cd env/staging/quicksight
# terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/lambda-google-cidr
run: |
cd env/staging/lambda-google-cidr
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/ses_to_sqs_email_callbacks
run: |
cd env/staging/ses_to_sqs_email_callbacks
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/sns_to_sqs_sms_callbacks
run: |
cd env/staging/sns_to_sqs_sms_callbacks
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Bump version and push tag
if: github.event_name != 'workflow_dispatch' # We don't want to tag new versions when launched via workflow_dispatch since only environment variables changed
uses: mathieudutour/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
release_branches: main
- name: Slack message on failure
if: ${{ failure() }}
#checkov:skip=CKV_GHA_3:This is an expected use of curl
run: |
json='{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":":red: Terraform apply failed: <https://github.com/cds-snc/notification-terraform/actions/runs/${GITHUB_RUN_ID}|Merge to main (Staging)>"}}]}'
curl -X POST -H 'Content-type: application/json' --data "$json" ${{ secrets.NOTIFY_DEV_SLACK_WEBHOOK }}