Skip to content

release 2.6.8 (#1184) #280

release 2.6.8 (#1184)

release 2.6.8 (#1184) #280

name: "Merge to main (Production)"
on:
# This will be used to dispatch this workflow from the manifest repo when environment variables change
workflow_dispatch:
push:
branches:
- main
paths:
- ".github/workflows/infrastructure_version.txt"
defaults:
run:
shell: bash
env:
AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
AWS_REGION: ca-central-1
TF_VAR_base_domain: ${{secrets.PRODUCTION_BASE_DOMAIN}}
TF_VAR_alt_base_domain: ${{secrets.PRODUCTION_ALT_BASE_DOMAIN}}
TF_VAR_dbtools_password: ${{ secrets.PRODUCTION_DBTOOLS_PASSWORD }}
TF_VAR_heartbeat_api_key: ${{ secrets.PRODUCTION_HEARTBEAT_API_KEY }}
TF_VAR_heartbeat_sms_number: ${{ secrets.PRODUCTION_HEARTBEAT_SMS_NUMBER }}
TF_VAR_rds_cluster_password: ${{ secrets.PRODUCTION_RDS_CLUSTER_PASSWORD }}
TF_VAR_app_db_user_password: ${{ secrets.PRODUCTION_APP_DB_USER_PASSWORD }}
TF_VAR_quicksight_db_user_password: ${{ secrets.PRODUCTION_QUICKSIGHT_DB_USER_PASSWORD }}
TF_VAR_cloudwatch_slack_webhook_warning_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_cloudwatch_slack_webhook_critical_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_cloudwatch_slack_webhook_general_topic: ${{ secrets.PRODUCTION_CLOUDWATCH_SLACK_WEBHOOK }}
TF_VAR_notify_o11y_google_oauth_client_id: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_ID }}
TF_VAR_notify_o11y_google_oauth_client_secret: ${{ secrets.NOTIFY_O11Y_GOOGLE_OAUTH_CLIENT_SECRET }}
TF_VAR_sentinel_customer_id: ${{ secrets.SENTINEL_CUSTOMER_ID }}
TF_VAR_sentinel_shared_key: ${{ secrets.SENTINEL_SHARED_KEY }}
TF_VAR_slack_channel_warning_topic: "notification-ops"
TF_VAR_slack_channel_critical_topic: "notification-ops"
TF_VAR_slack_channel_general_topic: "notification-ops"
TF_VAR_sqlalchemy_database_reader_uri: ${{ secrets.PRODUCTION_SQLALCHEMY_DATABASE_READER_URI }}
TF_VAR_system_status_admin_url: "https://notification.canada.ca"
TF_VAR_system_status_api_url: "https://api.notification.canada.ca"
TF_VAR_system_status_bucket_name: "notification-canada-ca-production-system-status"
TF_VAR_cloudwatch_opsgenie_alarm_webhook: ${{ secrets.PRODUCTION_CLOUDWATCH_OPSGENIE_ALARM_WEBHOOK }}
TF_VAR_new_relic_license_key: ${{ secrets.PRODUCTION_NEW_RELIC_LICENSE_KEY }}
TF_VAR_waf_secret: ${{secrets.PRODUCTION_WAF_SECRET}}
TF_VAR_route_53_zone_arn: /hostedzone/Z07701011ICTZVSX5P68J
# Prevents repeated creation of the Slack lambdas if already existing.
# See: https://github.com/terraform-aws-modules/terraform-aws-notify-slack/issues/84
TF_RECREATE_MISSING_LAMBDA_PACKAGE: false
TF_VAR_client_vpn_access_group_id: ${{ secrets.PRODUCTION_CLIENT_VPN_ACCESS_GROUP_ID }}
TF_VAR_client_vpn_saml_metadata: ${{ secrets.PRODUCTION_CLIENT_VPN_SAML_METADATA }}
TF_VAR_client_vpn_self_service_saml_metadata: ${{ secrets.PRODUCTION_CLIENT_VPN_SELF_SERVICE_SAML_METADATA }}
jobs:
terraform-apply:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
- name: Set environment variables
uses: ./.github/actions/setvars
with:
envVarFile: ./.env
- name: Setup Infrastructure Version
# Set the GitHub tag within .github/workflows/infrastructure_version.txt to update the infrastructure
# to a new version in production
# See https://github.com/cds-snc/notification-terraform/releases
run: |
INFRASTRUCTURE_VERSION=`cat ./.github/workflows/infrastructure_version.txt`
echo "INFRASTRUCTURE_VERSION=$INFRASTRUCTURE_VERSION" >> $GITHUB_ENV
- name: Setup Terraform tools
uses: cds-snc/terraform-tools-setup@v1
env: # In case you want to override default versions
CONFTEST_VERSION: 0.30.0
TERRAFORM_VERSION: 1.6.2
TERRAGRUNT_VERSION: 0.44.4
TF_SUMMARIZE_VERSION: 0.2.3
- name: Inject token authentication
run: |
git config --global url."https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/".insteadOf "https://github.com/"
- name: Apply aws/common
run: |
cd env/production/common
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/ecr
run: |
cd env/production/ecr
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/ses_receiving_emails
run: |
cd env/production/ses_receiving_emails
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/ses_to_sqs_email_callbacks
run: |
cd env/production/ses_to_sqs_email_callbacks
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/sns_to_sqs_sms_callbacks
run: |
cd env/production/sns_to_sqs_sms_callbacks
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/dns
run: |
cd env/production/dns
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/ses_validation_dns_entries
run: |
cd env/production/ses_validation_dns_entries
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/cloudfront
run: |
cd env/production/cloudfront
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/eks
run: |
cd env/production/eks
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/elasticache
run: |
cd env/production/elasticache
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/rds
run: |
cd env/production/rds
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/lambda-api
run: |
cd env/production/lambda-api
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/heartbeat
run: |
cd env/production/heartbeat
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/database-tools
run: |
cd env/production/database-tools
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/quicksight
run: |
cd env/production/quicksight
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/lambda-google-cidr
run: |
cd env/production/lambda-google-cidr
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/system_status
run: |
cd env/production/system_status
terragrunt apply --terragrunt-non-interactive -auto-approve
- name: Apply aws/system_status_static_site
run: |
cd env/production/system_status_static_site
terragrunt apply --terragrunt-non-interactive -auto-approve