-
Notifications
You must be signed in to change notification settings - Fork 1
148 lines (145 loc) · 6.73 KB
/
deploy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: Deploy
on:
workflow_call:
inputs:
dry-run:
description: Toggle true if no infrastructure should be altered (runs `terraform plan` instead of `apply`)
type: boolean
default: false
required: false
environment:
description: >
The environment to which the application should be deployed. Must be one of development/staging/production
and must match the terraform_workspace input.
type: string
required: true
terraform_workspace:
description: >
The Terraform workspace to which infrastructure should be deployed. Must be one of dev/staging/production and
must match the environment input.
type: string
required: true
trello_list_id:
description: The Trello list to which CloudWatch alert cards should be added
required: true
type: string
version:
description: The version of the artifacts/infrastructure to deploy.
required: true
type: string
secrets:
alert_email_address:
description: The email address to which CloudWatch alerts should be sent
required: true
aws_access_key_id:
required: true
aws_secret_access_key:
required: true
db_password:
description: Password for the Postgres transactional database
required: true
gov_notify_api_key:
description: API key for the Gov Notifications API used to send emails
required: true
webapp_azure_ad_client_secret:
description: Permits Webapp to authenticate and communicate with Service
required: true
webapp_azure_b2c_client_secret:
description: Allows AccountHolders to use Azure B2C to authenticate with the Webapp
required: true
webapp_azure_b2c_next_auth_jwt_secret:
required: true
service_basic_auth_username:
description: The basic auth username used to secure non-essential endpoints
required: true
service_basic_auth_password:
description: The basic auth password used to secure non-essential endpoints
required: true
aws_account_number:
description: The account number in which infrastructure should be deployed
required: true
trello_api_key:
description: API key for the CloudWatch alarm -> Trello integration
required: true
trello_board_email_address:
description: Email address for the Beacons Support user in Trello
required: true
trello_token:
description: Token for the CloudWatch alarm -> Trello integration
required: true
opensearch_master_user_name:
description: The username for the master user on OpenSearch
required: true
opensearch_master_user_password:
description: The password for the master user on OpenSearch
required: true
opensearch_proxy_sso_client_id:
description: The ID of the app registration in Azure AD used for authenticating users at the load balancer
required: true
opensearch_proxy_sso_client_secret:
description: The Azure AD client secret required for authenticating OpenSearch users at the load balancer
required: true
microsoft_graph_client_id:
description: The Azure AD B2C client id required for the beacons service API to call Microsoft Graph
required: true
microsoft_graph_client_secret:
description: The Azure AD B2C client secret required for the beacons service API to call Microsoft Graph
required: true
microsoft_graph_b2c_tenant_id:
description: The Azure AD B2C tenant id required for the beacons service API to call Microsoft Graph
required: true
microsoft_graph_b2c_tenant_name:
description: The Azure AD B2C tenant name required for the beacons service API to call Microsoft Graph
required: true
defaults:
run:
working-directory: terraform
jobs:
deploy:
name: Deploy
runs-on: ubuntu-latest
environment: ${{ inputs.environment }}
env:
AWS_ACCESS_KEY_ID: ${{ secrets.aws_access_key_id }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.aws_secret_access_key }}
TF_WORKSPACE: ${{ inputs.terraform_workspace }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.version }}
- uses: hashicorp/setup-terraform@v3
with:
terraform_version: 1.0.0
- name: Terraform init
run: terraform init
- name: Terraform validate
run: terraform validate
- name: Terraform deploy
if: always() # Prevent terraform deploy from being interrupted and causing state lock issues
env:
TF_VAR_trello_list_id: ${{ inputs.trello_list_id }}
TF_VAR_alert_email_address: ${{ secrets.alert_email_address }}
TF_VAR_db_password: ${{ secrets.db_password }}
TF_VAR_gov_notify_api_key: ${{ secrets.gov_notify_api_key }}
TF_VAR_webapp_image_tag: ${{ inputs.version }}
TF_VAR_webapp_azure_ad_client_secret: ${{ secrets.webapp_azure_ad_client_secret }}
TF_VAR_webapp_azure_b2c_client_secret: ${{ secrets.webapp_azure_b2c_client_secret }}
TF_VAR_webapp_azure_b2c_next_auth_jwt_secret: ${{ secrets.webapp_azure_b2c_next_auth_jwt_secret }}
TF_VAR_service_image_tag: ${{ inputs.version }}
TF_VAR_service_basic_auth_username: ${{ secrets.service_basic_auth_username }}
TF_VAR_service_basic_auth_password: ${{ secrets.service_basic_auth_password }}
TF_VAR_backoffice_image_tag: ${{ inputs.version }}
TF_VAR_aws_account_number: ${{ secrets.aws_account_number }}
TF_VAR_trello_api_key: ${{ secrets.trello_api_key }}
TF_VAR_trello_board_email_address: ${{ secrets.trello_board_email_address }}
TF_VAR_trello_token: ${{ secrets.trello_token }}
TF_VAR_opensearch_proxy_image_tag: ${{ inputs.version }}
TF_VAR_opensearch_master_user_name: ${{ secrets.opensearch_master_user_name }}
TF_VAR_opensearch_master_user_password: ${{ secrets.opensearch_master_user_password }}
TF_VAR_opensearch_proxy_sso_client_id: ${{ secrets.opensearch_proxy_sso_client_id }}
TF_VAR_opensearch_proxy_sso_client_secret: ${{ secrets.opensearch_proxy_sso_client_secret }}
TF_VAR_microsoft_graph_client_id: ${{ secrets.microsoft_graph_client_id }}
TF_VAR_microsoft_graph_client_secret: ${{ secrets.microsoft_graph_client_secret }}
TF_VAR_microsoft_graph_b2c_tenant_id: ${{ secrets.microsoft_graph_b2c_tenant_id }}
TF_VAR_microsoft_graph_b2c_tenant_name: ${{ secrets.microsoft_graph_b2c_tenant_name }}
run: terraform apply -input=false -auto-approve -var-file=${{ inputs.terraform_workspace }}.tfvars