scheduled-baseline.yml

name: "Terraform: scheduled baseline"

on:
  schedule:
    - cron: "30 22 * * 0"
  push:
    branches:
      - main
    paths:
      - '.github/workflows/scheduled-baseline.yml'
      - 'terraform/environments/bootstrap/**'
      - 'terraform/modules/iam_baseline/**'
      - '!**.md'
      - 'scripts/update-sso-permission-sets.sh'
  workflow_dispatch:

env:
  TF_IN_AUTOMATION: true
  AWS_REGION: "eu-west-2"

permissions:
  id-token: write # This is required for requesting the JWT
  contents: read # This is required for actions/checkout

defaults:
  run:
    shell: bash

jobs:
  retrieve-secrets:
    uses: ./.github/workflows/secrets-retrieval.yml
    secrets: inherit
  setup-prerequisites:
    runs-on: ubuntu-latest
    needs: retrieve-secrets
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Decrypt Secrets
        uses: ./.github/actions/decrypt-secrets
        with:
          environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set Account Number
        run: |
          ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)
          echo "::add-mask::$ACCOUNT_NUMBER"
          echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: "~1"
          terraform_wrapper: false
      - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access
      - id: set-matrix
        name: Set Up Matrix
        run: echo "matrix=$(terraform -chdir=terraform/environments/bootstrap/delegate-access workspace list | sed -e "s/*//" -e "s/^[[:space:]]*//" -e "/default/d" -e "/^$/d" | sort -u | jq -ncR '[inputs]')" >> $GITHUB_OUTPUT
     
  delegate-access:
    strategy:
      fail-fast: false
      matrix:
        workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }}
    runs-on: ubuntu-latest
    needs: [retrieve-secrets,setup-prerequisites]
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Decrypt Secrets
        uses: ./.github/actions/decrypt-secrets
        with:
          environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }}
          slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set Account Number
        run: |
          ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)
          echo "::add-mask::$ACCOUNT_NUMBER"
          echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: "~1"
          terraform_wrapper: false
      - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access
      - run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/delegate-access
      - name: Persist terraform state to backend
        if: ${{ failure() && hashFiles('terraform/environments/bootstrap/delegate-access/errored.tfstate') != '' }}
        run: |
          bash scripts/terraform-state-push.sh terraform/environments/bootstrap/delegate-access
          if [ $? -eq 0 ]; then
            echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV
          fi
      - name: Slack failure notification
        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        if: ${{ failure() }}
    env:
     TF_WORKSPACE: ${{ matrix.workspaces }}
     STATE_PUSH_SUCCESSFUL: false

  secure-baselines:
    strategy:
      fail-fast: false
      matrix:
        workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }}
    runs-on: ubuntu-latest
    needs: [retrieve-secrets,setup-prerequisites, delegate-access]
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Decrypt Secrets
        uses: ./.github/actions/decrypt-secrets
        with:
          environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }}
          slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set Account Number
        run: |
          ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
          echo "::add-mask::$ACCOUNT_NUMBER"
          echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: "~1"
          terraform_wrapper: false
      - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/secure-baselines
      - run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/secure-baselines
      - name: Persist terraform state to backend
        if: ${{ failure() && hashFiles('terraform/environments/bootstrap/secure-baselines/errored.tfstate') != '' }}
        run: |
          bash scripts/terraform-state-push.sh terraform/environments/bootstrap/secure-baselines
          if [ $? -eq 0 ]; then
            echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV
          fi
      - name: Slack failure notification
        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        if: ${{ failure() }}
    env:
     TF_WORKSPACE: ${{ matrix.workspaces }}
     STATE_PUSH_SUCCESSFUL: false

  single-sign-on:
    strategy:
      fail-fast: false
      matrix:
        workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }}
    runs-on: ubuntu-latest
    needs: [retrieve-secrets,setup-prerequisites, delegate-access]
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Decrypt Secrets
        uses: ./.github/actions/decrypt-secrets
        with:
          environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }}
          slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set Account Number
        run: |
          ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
          echo "::add-mask::$ACCOUNT_NUMBER"
          echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: "~1"
          terraform_wrapper: false
      - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/single-sign-on
      - run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/single-sign-on
      - name: Persist terraform state to backend
        if: ${{ failure() && hashFiles('terraform/environments/bootstrap/single-sign-on/errored.tfstate') != '' }}
        run: |
          bash scripts/terraform-state-push.sh terraform/environments/bootstrap/single-sign-on
          if [ $? -eq 0 ]; then
            echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV
          fi
      - name: Slack failure notification
        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        if: ${{ failure() }}
    env:
     TF_WORKSPACE: ${{ matrix.workspaces }}
     STATE_PUSH_SUCCESSFUL: false

  member-bootstrap:
    strategy:
      fail-fast: false
      matrix:
        workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }}
    runs-on: ubuntu-latest
    needs: [retrieve-secrets,setup-prerequisites, single-sign-on]
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Decrypt Secrets
        uses: ./.github/actions/decrypt-secrets
        with:
          environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }}
          slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set Account Number
        run: |
          ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
          echo "::add-mask::$ACCOUNT_NUMBER"
          echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
        with:
          terraform_version: "~1"
          terraform_wrapper: false
      - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/member-bootstrap
      - run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/member-bootstrap
      - name: Persist terraform state to backend
        if: ${{ failure() && hashFiles('terraform/environments/bootstrap/member-bootstrap/errored.tfstate') != '' }}
        run: |
          bash scripts/terraform-state-push.sh terraform/environments/bootstrap/member-bootstrap
          if [ $? -eq 0 ]; then
            echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV
          fi
      - name: Slack failure notification
        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        if: ${{ failure() }}
    env:
     TF_WORKSPACE: ${{ matrix.workspaces }}
     STATE_PUSH_SUCCESSFUL: false

  update-permission-sets:
    runs-on: ubuntu-latest
    needs: [retrieve-secrets,delegate-access,single-sign-on]
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Decrypt Secrets
        uses: ./.github/actions/decrypt-secrets
        with:
          environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }}
          slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Set Account Number
        run: |
          ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)
          echo "::add-mask::$ACCOUNT_NUMBER"
          echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV
      - name: Set Root Account Number
        run: |
          ROOT_ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)
          echo "::add-mask::$ROOT_ACCOUNT_NUMBER"
          echo ROOT_ACCOUNT_NUMBER=$ROOT_ACCOUNT_NUMBER >> $GITHUB_ENV
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - name: Update permission sets
        run: |
          aws sts assume-role --role-arn "arn:aws:iam::${ROOT_ACCOUNT_NUMBER}:role/ModernisationPlatformSSOAdministrator" --role-session-name ssoadminrolesession > creds
          $(echo "export AWS_ACCESS_KEY_ID=$(echo $(cat creds) | sed -n 's/.*"AccessKeyId": "\([^"]*\)".*/\1/p')")
          $(echo "export AWS_SECRET_ACCESS_KEY=$(echo $(cat creds) | sed -n 's/.*"SecretAccessKey": "\([^"]*\)".*/\1/p')")
          $(echo "export AWS_SESSION_TOKEN=$(echo $(cat creds) | sed -n 's/.*"SessionToken": "\([^"]*\)".*/\1/p')")
          grep "ModernisationPlatformSSOAdministrator" <<< $(aws sts get-caller-identity) || { echo 'Failed to assume role' ; exit 1; }
          bash scripts/update-sso-permission-sets.sh
      - name: Slack failure notification
        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        if: ${{ failure() }}