fix (#1014) #247
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Merge to main (Production)" | |
on: | |
# This will be used to dispatch this workflow from the manifest repo when environment variables change | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
paths: | |
- ".github/workflows/infrastructure_version.txt" | |
defaults: | |
run: | |
shell: bash | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }} | |
AWS_REGION: ca-central-1 | |
TF_VAR_base_domain: ${{secrets.PRODUCTION_BASE_DOMAIN}} | |
TF_VAR_alt_base_domain: ${{secrets.PRODUCTION_ALT_BASE_DOMAIN}} | |
TF_VAR_dbtools_password: ${{ secrets.PRODUCTION_DBTOOLS_PASSWORD }} | |
TF_VAR_heartbeat_api_key: ${{ secrets.PRODUCTION_HEARTBEAT_API_KEY }} | |
TF_VAR_heartbeat_template_id: ${{ secrets.PRODUCTION_HEARTBEAT_TEMPLATE_ID }} | |
TF_VAR_rds_cluster_password: ${{ secrets.PRODUCTION_RDS_CLUSTER_PASSWORD }} | |
TF_VAR_app_db_user_password: ${{ secrets.PRODUCTION_APP_DB_USER_PASSWORD }} | |
TF_VAR_cloudwatch_slack_webhook_warning_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }} | |
TF_VAR_cloudwatch_slack_webhook_critical_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }} | |
TF_VAR_cloudwatch_slack_webhook_general_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }} | |
TF_VAR_notify_o11y_google_oauth_client_id: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_ID }} | |
TF_VAR_notify_o11y_google_oauth_client_secret: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_SECRET }} | |
TF_VAR_sentinel_customer_id: ${{ secrets.SENTINEL_CUSTOMER_ID }} | |
TF_VAR_sentinel_shared_key: ${{ secrets.SENTINEL_SHARED_KEY }} | |
TF_VAR_slack_channel_warning_topic: "notification-ops" | |
TF_VAR_slack_channel_critical_topic: "notification-ops" | |
TF_VAR_slack_channel_general_topic: "notification-ops" | |
TF_VAR_cloudwatch_opsgenie_alarm_webhook: ${{ secrets.PRODUCTION_CLOUDWATCH_OPSGENIE_ALARM_WEBHOOK }} | |
TF_VAR_new_relic_license_key: ${{ secrets.PRODUCTION_NEW_RELIC_LICENSE_KEY }} | |
TF_VAR_waf_secret: ${{secrets.PRODUCTION_WAF_SECRET}} | |
TF_VAR_route_53_zone_arn: /hostedzone/Z07701011ICTZVSX5P68J | |
# Prevents repeated creation of the Slack lambdas if already existing. | |
# See: https://github.com/terraform-aws-modules/terraform-aws-notify-slack/issues/84 | |
TF_RECREATE_MISSING_LAMBDA_PACKAGE: false | |
TF_VAR_blazer_slack_webhook_general_topic: ${{ secrets.PRODUCTION_BLAZER_SLACK_WEBHOOK }} | |
jobs: | |
terraform-apply: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
- name: Set environment variables | |
uses: ./.github/actions/setvars | |
with: | |
envVarFile: ./.env | |
- name: Setup Infrastructure Version | |
# Set the GitHub tag within .github/workflows/infrastructure_version.txt to update the infrastructure | |
# to a new version in production | |
# See https://github.com/cds-snc/notification-terraform/releases | |
run: | | |
INFRASTRUCTURE_VERSION=`cat ./.github/workflows/infrastructure_version.txt` | |
echo "INFRASTRUCTURE_VERSION=$INFRASTRUCTURE_VERSION" >> $GITHUB_ENV | |
- name: Setup Terraform tools | |
uses: cds-snc/terraform-tools-setup@v1 | |
env: # In case you want to override default versions | |
CONFTEST_VERSION: 0.30.0 | |
TERRAFORM_VERSION: 1.6.2 | |
TERRAGRUNT_VERSION: 0.44.4 | |
TF_SUMMARIZE_VERSION: 0.2.3 | |
- name: Inject token authentication | |
run: | | |
git config --global url."https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/" | |
- name: Apply aws/common | |
run: | | |
cd env/production/common | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/ecr | |
run: | | |
cd env/production/ecr | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/ses_receiving_emails | |
run: | | |
cd env/production/ses_receiving_emails | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/ses_to_sqs_email_callbacks | |
run: | | |
cd env/production/ses_to_sqs_email_callbacks | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/sns_to_sqs_sms_callbacks | |
run: | | |
cd env/production/sns_to_sqs_sms_callbacks | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/dns | |
run: | | |
cd env/production/dns | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/ses_validation_dns_entries | |
run: | | |
cd env/production/ses_validation_dns_entries | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/cloudfront | |
run: | | |
cd env/production/cloudfront | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/eks | |
run: | | |
cd env/production/eks | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/elasticache | |
run: | | |
cd env/production/elasticache | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/rds | |
run: | | |
cd env/production/rds | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/lambda-api | |
run: | | |
cd env/production/lambda-api | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/heartbeat | |
run: | | |
cd env/production/heartbeat | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/database-tools | |
run: | | |
cd env/production/database-tools | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Apply aws/lambda-google-cidr | |
run: | | |
cd env/production/lambda-google-cidr | |
terragrunt apply --terragrunt-non-interactive -auto-approve | |
- name: Slack message on failure | |
if: ${{ failure() }} | |
#checkov:skip=CKV_GHA_3:This is an expected use of curl | |
run: | | |
json='{"blocks":[{"type":"section","text":{"type":"mrkdwn","text":":red: Terraform apply failed: <https://github.com/cds-snc/notification-terraform/actions/runs/${GITHUB_RUN_ID}|Merge to main (Production)>"}}]}' | |
curl -X POST -H 'Content-type: application/json' --data "$json" ${{ secrets.NOTIFY_DEV_SLACK_WEBHOOK }} |