ministryofjustice · mikereiddigital · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025 · Jan 23, 2025
@@ -32,6 +32,8 @@ on:
 
 env:
   TF_IN_AUTOMATION: true
+  TF_DESTROY_THRESHOLD: 2 # Sets a threshold to alert if more than this as resources are shown to be destroyed in the plan output.
+
 jobs:
   fetch-secrets:
     uses: ministryofjustice/modernisation-platform-github-actions/.github/workflows/aws-secrets-management.yml@d9e930d93532b84efdcf7d7b82621506e96a15b0 # v1.0.0
@@ -44,6 +46,8 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          ref: issue/8695
 
       - name: Decrypt Secrets
         uses: ministryofjustice/modernisation-platform-github-actions/decrypt-secrets@d9e930d93532b84efdcf7d7b82621506e96a15b0 # v1.0.0
@@ -127,6 +131,71 @@ jobs:
         run: |
           bash scripts/terraform-plan.sh ${{ inputs.working-directory }}
 
+      - name: Get Destroy Count
+        if: github.event_name == 'pull_request'
+        id: get_destroy_count
+        env:
+          destroy_threshold: ${{ env.TF_DESTROY_THRESHOLD }}
+          plan_summary: ${{ steps.show.outputs.summary }}
+        run: |
+            bash scripts/get-terraform-destroy-count.sh
+
+      - name: Post Comment on Destroy Count
+        if: github.event_name == 'pull_request'
+        uses: actions/[email protected]
+        env:
+          destroy_count: ${{ steps.get_destroy_count.outputs.destroy_count }}
+          destroy_threshold: ${{ env.TF_DESTROY_THRESHOLD }}
+        with:
+            github-token: ${{ secrets.GITHUB_TOKEN }}
+            script: |
+                const owner = context.repo.owner;
+                const repo = context.repo.repo;
+                const orgName = 'ministryofjustice';
+                const teamSlug = 'modernisation-platform';
+                const destroyCount = parseInt(process.env.destroy_count, 10);
+                const destroyThreshold = parseInt(process.env.destroy_threshold, 10);
+                const summary = `\`${{ steps.show.outputs.summary }}\``;
+                const workflowId = "${{ env.WORKSPACE_NAME }}";
+                const identifier = workflowId ? `_${workflowId}_\n` : `_${{ inputs.workflow_id }}_\n`;
+                if (destroyCount >= destroyThreshold) {
+                  await github.rest.pulls.createReview({
+                    owner: context.repo.owner,
+                    repo: context.repo.repo,
+                    pull_number: context.payload.pull_request.number,
+                    event: 'REQUEST_CHANGES',
+                    body: 'Terraform plan evaluation detected a number of resources are to be deleted. Please review the plan and confirm the changes are expected.'
+                  });
+                }
+
+      - name: Post Warning & Check for Approval
+        id: post_warning_check_approval
+        if: github.event_name == 'pull_request'
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        env:
+          destroy_count: ${{ steps.get_destroy_count.outputs.destroy_count }}
+          destroy_threshold: ${{ env.TF_DESTROY_THRESHOLD }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const orgName = 'ministryofjustice';
+            const teamSlug = 'modernisation-platform';
+            const destroyCount = parseInt(process.env.destroy_count, 10);
+            const destroyThreshold = parseInt(process.env.destroy_threshold, 10);
+            const summary = `\`${{ steps.show.outputs.summary }}\``;
+            const workflowId = "${{ env.WORKSPACE_NAME }}";
+            const identifier = workflowId ? `_${workflowId}_\n` : `_${{ inputs.workflow_id }}_\n`;
+
+            if (destroyCount >= destroyThreshold) {
+              await github.rest.pulls.createReview({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                pull_number: context.payload.pull_request.number,
+                event: 'REQUEST_CHANGES',
+                body: `### :warning: Warning - Large Number of Resources to be Destroyed.\n ${identifier}${summary}\n Please review the plan and confirm the changes are expected.`
+              });
+            }
+
       - name: Post Comment
         if: github.event.ref != 'refs/heads/main'
         uses: actions/github-script@v7

@@ -0,0 +1,45 @@
+
+#!/bin/bash
+
+set -o pipefail
+
+# This script reads the terraform plan summary and gets the count of resources to be destroyed and sets it to the variable destroy_count.
+# It also runs some checks to ensure that the values for the count and the threshold are valid.
+
+# Checks that PLAN_DESTROY_CHECK is set. Without this the script will fail so we force an exit.
+if [ -z "$plan_summary" ]; then
+    echo "Plan Summary is not set"
+    exit 1
+fi
+
+# This looks for the summary output for no changes & exits the script if found.
+if echo "$plan_summary" | grep -q "No changes. Your infrastructure matches the configuration."; then
+    echo "No changes. Your infrastructure matches the configuration."
+    destroy_count=0
+    exit 0
+fi
+
+destroy_count=$(echo "$plan_summary" | grep -oE 'Plan: [0-9]+ to add, [0-9]+ to change, [0-9]+ to destroy.' | awk '{print $8}')
+
+echo "destroy_threshold=$destroy_threshold"
+echo "destroy_count=$destroy_count"
+
+# These tests will force an exit of the script if the values are not valid as we don't want to proceed if invalid.
+if ! [[ "$destroy_threshold" =~ ^[0-9]+$ ]]; then
+    echo "Invalid destroy_threshold value: $destroy_threshold"
+    exit 1
+elif ! [[ "$destroy_count" =~ ^[0-9]+$ ]]; then
+    echo "Invalid destroy_count value: $destroy_count"
+    exit 1
+fi
+
+# These checks will print a warning if the destroy count is above the threshold. Useful for trouble-shooting.
+if [ "$destroy_count" -gt "$destroy_threshold" ]; then
+    echo "Warning: There are $destroy_count resources to be destroyed in this plan."
+elif [ "$destroy_count" -gt 0 ]; then
+    echo "There are $destroy_count resources to be destroyed, which is below the set threshold of $DESTROY_THRESHOLD."
+else
+    echo "No resources to be destroyed"
+fi
+
+echo "destroy_count=$destroy_count" >> $GITHUB_OUTPUT
@@ -1,91 +1,91 @@
 # Shared Elastic container repositories
-module "maat_api_ecr_repo" {
-  source = "../../modules/app-ecr-repo"
-
-  app_name = "maat-cd-api"
-
-  push_principals = [
-    "arn:aws:iam::${local.environment_management.account_ids["maat-development"]}:role/modernisation-platform-oidc-cicd",
-    local.environment_management.account_ids["maat-development"]
-  ]
-
-  pull_principals = [
-    "arn:aws:iam::${local.environment_management.account_ids["maat-development"]}:role/modernisation-platform-oidc-cicd",
-    local.environment_management.account_ids["maat-development"],
-    local.environment_management.account_ids["maat-test"],
-    local.environment_management.account_ids["maat-preproduction"],
-    local.environment_management.account_ids["maat-production"]
-  ]
-
-  # Tags
-  tags_common = local.tags
-}
-
-module "maat_ecr_repo" {
-  source = "../../modules/app-ecr-repo"
-
-  app_name = "maat"
-
-  push_principals = [
-    "arn:aws:iam::${local.environment_management.account_ids["maat-development"]}:role/modernisation-platform-oidc-cicd",
-    local.environment_management.account_ids["maat-development"]
-  ]
-
-  pull_principals = [
-    "arn:aws:iam::${local.environment_management.account_ids["maat-development"]}:role/modernisation-platform-oidc-cicd",
-    local.environment_management.account_ids["maat-development"],
-    local.environment_management.account_ids["maat-test"],
-    local.environment_management.account_ids["maat-preproduction"],
-    local.environment_management.account_ids["maat-production"]
-  ]
-
-  # Tags
-  tags_common = local.tags
-}
-
-module "performance_hub_ecr_repo" {
-  source = "../../modules/app-ecr-repo"
-
-  app_name = "performance-hub"
-
-  push_principals = [
-    "arn:aws:iam::${local.environment_management.account_ids["performance-hub-development"]}:role/modernisation-platform-oidc-cicd",
-    "arn:aws:iam::${local.environment_management.account_ids["performance-hub-preproduction"]}:role/modernisation-platform-oidc-cicd",
-    "arn:aws:iam::${local.environment_management.account_ids["performance-hub-production"]}:role/modernisation-platform-oidc-cicd"
-  ]
-
-  pull_principals = [
-    local.environment_management.account_ids["performance-hub-development"],
-    local.environment_management.account_ids["performance-hub-preproduction"],
-    local.environment_management.account_ids["performance-hub-production"]
-  ]
-
-  # Tags
-  tags_common = local.tags
-}
-
-module "mlra_ecr_repo" {
-  source = "../../modules/app-ecr-repo"
-
-  app_name = "mlra"
-
-  push_principals = [
-    "arn:aws:iam::${local.environment_management.account_ids["mlra-development"]}:role/modernisation-platform-oidc-cicd",
-    local.environment_management.account_ids["mlra-development"]
-  ]
-
-  pull_principals = [
-    "arn:aws:iam::${local.environment_management.account_ids["mlra-development"]}:role/modernisation-platform-oidc-cicd",
-    local.environment_management.account_ids["mlra-development"],
-    local.environment_management.account_ids["mlra-test"],
-    local.environment_management.account_ids["mlra-preproduction"],
-    local.environment_management.account_ids["mlra-production"],
-    local.environment_management.account_ids["apex-development"]
-  ]
-
-  # Tags
-  tags_common = local.tags
-}
+# module "maat_api_ecr_repo" {
+#   source = "../../modules/app-ecr-repo"
+
+#   app_name = "maat-cd-api"
+
+#   push_principals = [
+#     "arn:aws:iam::${local.environment_management.account_ids["maat-development"]}:role/modernisation-platform-oidc-cicd",
+#     local.environment_management.account_ids["maat-development"]
+#   ]
+
+#   pull_principals = [
+#     "arn:aws:iam::${local.environment_management.account_ids["maat-development"]}:role/modernisation-platform-oidc-cicd",
+#     local.environment_management.account_ids["maat-development"],
+#     local.environment_management.account_ids["maat-test"],
+#     local.environment_management.account_ids["maat-preproduction"],
+#     local.environment_management.account_ids["maat-production"]
+#   ]
+
+#   # Tags
+#   tags_common = local.tags
+# }
+
+# module "maat_ecr_repo" {
+#   source = "../../modules/app-ecr-repo"
+
+#   app_name = "maat"
+
+#   push_principals = [
+#     "arn:aws:iam::${local.environment_management.account_ids["maat-development"]}:role/modernisation-platform-oidc-cicd",
+#     local.environment_management.account_ids["maat-development"]
+#   ]
+
+#   pull_principals = [
+#     "arn:aws:iam::${local.environment_management.account_ids["maat-development"]}:role/modernisation-platform-oidc-cicd",
+#     local.environment_management.account_ids["maat-development"],
+#     local.environment_management.account_ids["maat-test"],
+#     local.environment_management.account_ids["maat-preproduction"],
+#     local.environment_management.account_ids["maat-production"]
+#   ]
+
+#   # Tags
+#   tags_common = local.tags
+# }
+
+# module "performance_hub_ecr_repo" {
+#   source = "../../modules/app-ecr-repo"
+
+#   app_name = "performance-hub"
+
+#   push_principals = [
+#     "arn:aws:iam::${local.environment_management.account_ids["performance-hub-development"]}:role/modernisation-platform-oidc-cicd",
+#     "arn:aws:iam::${local.environment_management.account_ids["performance-hub-preproduction"]}:role/modernisation-platform-oidc-cicd",
+#     "arn:aws:iam::${local.environment_management.account_ids["performance-hub-production"]}:role/modernisation-platform-oidc-cicd"
+#   ]
+
+#   pull_principals = [
+#     local.environment_management.account_ids["performance-hub-development"],
+#     local.environment_management.account_ids["performance-hub-preproduction"],
+#     local.environment_management.account_ids["performance-hub-production"]
+#   ]
+
+#   # Tags
+#   tags_common = local.tags
+# }
+
+# module "mlra_ecr_repo" {
+#   source = "../../modules/app-ecr-repo"
+
+#   app_name = "mlra"
+
+#   push_principals = [
+#     "arn:aws:iam::${local.environment_management.account_ids["mlra-development"]}:role/modernisation-platform-oidc-cicd",
+#     local.environment_management.account_ids["mlra-development"]
+#   ]
+
+#   pull_principals = [
+#     "arn:aws:iam::${local.environment_management.account_ids["mlra-development"]}:role/modernisation-platform-oidc-cicd",
+#     local.environment_management.account_ids["mlra-development"],
+#     local.environment_management.account_ids["mlra-test"],
+#     local.environment_management.account_ids["mlra-preproduction"],
+#     local.environment_management.account_ids["mlra-production"],
+#     local.environment_management.account_ids["apex-development"]
+#   ]
+
+#   # Tags
+#   tags_common = local.tags
+# }
 
 # ECR repo holding the APEX application container image
 module "apex_ecr_repo" {