Merge branch 'main' into sms-send-rate-dashboard

cds-snc · Oct 17, 2024 · 7b4767b · 7b4767b
2 parents 0df8aed + b7edbf0
commit 7b4767b
Show file tree

Hide file tree

Showing 14 changed files with 1,094 additions and 71 deletions.
diff --git a/.github/workflows/merge_to_main_staging.yml b/.github/workflows/merge_to_main_staging.yml
@@ -760,20 +760,34 @@ jobs:
           cd env/${{env.ENVIRONMENT}}/newrelic
           terragrunt apply --terragrunt-non-interactive -auto-approve
 
-  bump-version-and-push-tag:
+  terragrunt-apply-manifest_secrets:
     if: |
-        always() &&
-        github.event_name != 'workflow_dispatch' &&
-        !contains(needs.*.result, 'failure') &&
-        !contains(needs.*.result, 'cancelled')
-    runs-on: ubuntu-latest
-    needs: [terragrunt-apply-common,terragrunt-apply-ecr,terragrunt-apply-dns,terragrunt-apply-ses_validation_dns_entries,terragrunt-apply-cloudfront,terragrunt-apply-eks,terragrunt-apply-elasticache,terragrunt-apply-rds,terragrunt-apply-lambda-api,terragrunt-apply-lambda-admin-pr,terragrunt-apply-performance-test,terragrunt-apply-heartbeat,terragrunt-apply-database-tools,terragrunt-apply-quicksight,terragrunt-apply-lambda-google-cidr,terragrunt-apply-ses_to_sqs_email_callbacks,terragrunt-apply-sns_to_sqs_sms_callbacks,terragrunt-apply-pinpoint_to_sqs_sms_callbacks,terragrunt-apply-system_status,terragrunt-apply-ses_receiving_emails,terragrunt-apply-system_status_static_site,terragrunt-apply-newrelic]
+      always() &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    needs: [terragrunt-apply-rds]
+    runs-on: ubuntu-latest  
+
     steps:
       - name: Checkout
         uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
 
-      - name: bump-version-and-push-tag
-        uses: mathieudutour/github-tag-action@bcb832838e1612ff92089d914bccc0fd39458223 # v4.6
+      - name: setup-terraform
+        uses: ./.github/actions/setup-terraform
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          release_branches: main          
+          role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
+          role_session_name: NotifyTerraformApply        
+
+      - name: Install 1Pass CLI
+        run: |
+          curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
+          sudo dpkg -i 1pass.deb
+          sudo mkdir -p aws
+          cd aws
+          op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars   
+
+      - name: terragrunt apply manifest_secrets
+        run: |
+          cd env/${{env.ENVIRONMENT}}/manifest_secrets
+          terragrunt apply --terragrunt-non-interactive -auto-approve      
+ 
diff --git a/.github/workflows/terragrunt_plan_staging.yml b/.github/workflows/terragrunt_plan_staging.yml
@@ -46,6 +46,7 @@ jobs:
       system_status: ${{ steps.filter.outputs.system_status }}
       system_status_static_site: ${{ steps.filter.outputs.system_status_static_site }}
       newrelic: ${{ steps.filter.outputs.newrelic }}
+      manifest_secrets: ${{ steps.filter.outputs.manifest_secrets }}
 
     steps:
       - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
@@ -120,6 +121,9 @@ jobs:
             newrelic:
               - 'aws/newrelic/**'
               - 'env/${{env.ENVIRONMENT}}/newrelic/**'
+            manifest_secrets:
+              - 'aws/manifest_secrets/**'
+              - 'env/${{env.ENVIRONMENT}}/manifest_secrets/**'
 
   terragrunt-plan-common:
     runs-on: ubuntu-latest  
@@ -876,3 +880,36 @@ jobs:
           terragrunt: "true"
           terraform-init: |
             -upgrade
+
+  terragrunt-plan-manifest_secrets:
+    if: |
+      always() &&
+      !contains(needs.*.result, 'failure') &&
+      !contains(needs.*.result, 'cancelled')
+    needs: [terragrunt-plan-rds]
+    runs-on: ubuntu-latest  
+    env:
+      COMPONENT: "manifest_secrets"
+    steps:
+      - name: Checkout
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: ./.github/actions/setup-terraform
+        with:
+          role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-plan
+          role_session_name: NotifyTerraformPlan
+      - name: Install 1Pass CLI and Download TFVars
+        run: |
+          curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
+          sudo dpkg -i 1pass.deb
+          sudo mkdir -p aws && cd aws
+          op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars          
+      - name: Terragrunt plan ${{env.COMPONENT}}
+        uses: cds-snc/terraform-plan@7f4ce4a4bdffaba639d32a45272804e37a569408 # v3.0.6
+        with:
+          directory: "env/${{env.ENVIRONMENT}}/${{env.COMPONENT}}"
+          comment-delete: "true"
+          comment-title: "${{env.ENVIRONMENT}}: ${{env.COMPONENT}}"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          terragrunt: "true"
+          terraform-init: |
+            -upgrade
diff --git a/aws/.checkov.yml b/aws/.checkov.yml
@@ -21,4 +21,5 @@ skip-check:
   - CKV_AWS_91  # TODO: Load balancer enable access logging
   - CKV2_AWS_8  # TODO: RDS investigate if Query Logging can be enabled
   - CKV2_AWS_27 # TODO: RDS investigate how to setup AWS Backup plan
-  - CKV_TF_1 # You cannot reference commit hashes on terraform registry. 
+  - CKV_TF_1 # You cannot reference commit hashes on terraform registry. 
+  - CKV2_AWS_57