From e9d251790a81dfa5661634c712ab7c772edd88a0 Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Wed, 1 Oct 2025 09:14:23 +0100 Subject: [PATCH 1/2] NRL-1594 Remove previous extra env variable --- .github/workflows/pr-env-deploy.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml index 72f68f1c9..918ee1ead 100644 --- a/.github/workflows/pr-env-deploy.yml +++ b/.github/workflows/pr-env-deploy.yml @@ -288,8 +288,6 @@ jobs: - name: Configure Dev Account Credentials uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1 - env: - DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }} with: aws-region: eu-west-2 role-chaining: true From 93eca141c88457ae0550471f0aaa33d32ae137d8 Mon Sep 17 00:00:00 2001 From: "Axel Garcia K." Date: Wed, 1 Oct 2025 10:32:55 +0100 Subject: [PATCH 2/2] NRL-1594 Fix other variable expensions in run workflows --- .github/workflows/activate-stack.yml | 9 ++- .github/workflows/persistent-environment.yml | 61 +++++++++++++------ .github/workflows/pr-env-deploy.yml | 6 +- .github/workflows/pr-env-destroy.yml | 6 +- .github/workflows/rollback-stack.yml | 14 +++-- .../workflows/update-lambda-permissions.yml | 49 ++++++++++----- 6 files changed, 102 insertions(+), 43 deletions(-) diff --git a/.github/workflows/activate-stack.yml b/.github/workflows/activate-stack.yml index 1593fa171..b5137a0fd 100644 --- a/.github/workflows/activate-stack.yml +++ b/.github/workflows/activate-stack.yml 
@@ -45,9 +45,14 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} - name: Get current environment config + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - poetry run python ./scripts/get_env_config.py all ${{ inputs.environment }} + poetry run python ./scripts/get_env_config.py all $ENVIRONMENT - name: Activate Stack + env: + STACK_NAME: ${{ inputs.stack_name }} + ENVIRONMENT: ${{ inputs.environment }} run: | - poetry run python ./scripts/activate_stack.py ${{ inputs.stack_name }} ${{ inputs.environment }} + poetry run python ./scripts/activate_stack.py $STACK_NAME $ENVIRONMENT diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml index e19e46fef..3559e39dd 100644 --- a/.github/workflows/persistent-environment.yml +++ b/.github/workflows/persistent-environment.yml @@ -52,9 +52,11 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} - name: Add S3 Permissions to Lambda + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) - inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) + account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) + inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${inactive_stack} - name: Save Build Artifacts @@ -96,8 +98,10 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} - name: Retrieve Server Certificates + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) + account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) make truststore-pull-server ENV=${account} - name: Download build artifacts 
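Review bot: The new `$ENVIRONMENT` and `$STACK_NAME` expansions in the `run:` scripts are unquoted, so a value containing whitespace or glob characters is word-split before it reaches the Python scripts; the move to `env:` closes the template-injection path, but the shell side still needs quoting. Suggest `poetry run python ./scripts/get_env_config.py all "$ENVIRONMENT"` and `poetry run python ./scripts/activate_stack.py "$STACK_NAME" "$ENVIRONMENT"` here, and the same double quotes wherever the later hunks in persistent-environment.yml, rollback-stack.yml and update-lambda-permissions.yml expand these variables (the `account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)` lines already do it). Whether these inputs can be influenced by someone other than a maintainer depends on the workflow trigger, which is outside the hunk.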
@@ -114,8 +118,10 @@ jobs: fail-on-cache-miss: true - name: Terraform Init + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) + inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) terraform -chdir=terraform/infrastructure init terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \ terraform -chdir=terraform/infrastructure workspace select ${inactive_stack} @@ -123,8 +129,9 @@ jobs: - name: Terraform Plan env: DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }} + ENVIRONMENT: ${{ inputs.environment }} run: | - inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) + inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) terraform -chdir=terraform/infrastructure plan \ --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ --var assume_role_arn=${DEPLOY_ROLE_ARN} \ @@ -132,10 +139,12 @@ jobs: -out tfplan - name: Save Terraform Plan + env: + ENVIRONMENT: ${{ inputs.environment }} run: | terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt - aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan - aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt + aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan + aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt terraform-apply: name: Terraform Apply - ${{ inputs.environment }} 
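Review bot: The Terraform Plan and Save Terraform Plan steps still interpolate `${{ vars.ACCOUNT_NAME }}` and `${{ github.run_id }}` directly into the `run:` body, so the conversion to `env:` indirection that this commit performs is left incomplete in these hunks. Both values are repository- or GitHub-controlled rather than user-supplied, so the residual risk is low, but for consistency with the commit's intent they could be moved the same way: `ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }}` and `RUN_ID: ${{ github.run_id }}` under `env:`, then `--var-file=etc/${ACCOUNT_NAME}.tfvars` and `s3://nhsd-nrlf--mgmt--github-ci-logging/${ENVIRONMENT}/${RUN_ID}/tfplan`. The same leftover expansions appear in the Download Terraform Plan artifact hunk of this file and in the Terraform Plan, Save Terraform Plan and Download Terraform Plan artifact hunks of update-lambda-permissions.yml.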
@@ -175,16 +184,22 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} - name: Download Terraform Plan artifact - run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan + env: + ENVIRONMENT: ${{ inputs.environment }} + run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan - name: Retrieve Server Certificates + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) + account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) make truststore-pull-server ENV=${account} - name: Terraform Init + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) + inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) terraform -chdir=terraform/infrastructure init terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \ terraform -chdir=terraform/infrastructure workspace select ${inactive_stack} 
@@ -193,15 +208,19 @@ jobs: run: terraform -chdir=terraform/infrastructure apply tfplan - name: Update environment config version + env: + ENVIRONMENT: ${{ inputs.environment }} run: | deployed_version=$(terraform -chdir=terraform/infrastructure output --raw version) - poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} ${{ inputs.environment }} + poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} $ENVIRONMENT - name: Smoke Test + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) + account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) make ENV=${account} truststore-pull-client - make ENV=${{ inputs.environment }} test-smoke-internal + make ENV=$ENVIRONMENT test-smoke-internal activate-stack: name: Activate - ${{ inputs.environment }} @@ -228,9 +247,11 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} - name: Activate Stack + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) - poetry run python ./scripts/activate_stack.py ${inactive_stack} ${{ inputs.environment }} + inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) + poetry run python ./scripts/activate_stack.py ${inactive_stack} $ENVIRONMENT post-release-verify: name: Verify - ${{ inputs.environment }} @@ -257,8 +278,10 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} - name: "Smoke Test" + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - make ENV=${{ inputs.environment }} test-smoke-public + make ENV=$ENVIRONMENT test-smoke-public rollback-stack: name: Rollback - ${{ inputs.environment }} 
@@ -286,6 +309,8 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} - name: Deactivate Stack + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) - poetry run python ./scripts/activate_stack.py ${inactive_stack_name} ${{ inputs.environment }} + inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) + poetry run python ./scripts/activate_stack.py ${inactive_stack_name} $ENVIRONMENT diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml index 918ee1ead..7a0f13128 100644 --- a/.github/workflows/pr-env-deploy.yml +++ b/.github/workflows/pr-env-deploy.yml @@ -23,16 +23,18 @@ jobs: environment: pull-request steps: - name: Set a ID based on the branch name + env: + PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} id: set_environment_id run: | JIRA_TICKET=$( - echo '${{ github.event.pull_request.head.ref }}' | \ + echo "$PR_HEAD_REF" | \ grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}' | \ sed 's/-//g' | \ tr '[:upper:]' '[:lower:]' || \ true ) - BRANCH_HASH=$(echo '${{ github.event.pull_request.head.ref }}${{ github.event.pull_request.id }}' | sha256sum | head -c 6) + BRANCH_HASH=$(echo "$PR_HEAD_REF${{ github.event.pull_request.id }}" | sha256sum | head -c 6) if [ -z "$JIRA_TICKET" ]; then echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT diff --git a/.github/workflows/pr-env-destroy.yml b/.github/workflows/pr-env-destroy.yml index 59ac89286..8c9c76900 100644 --- a/.github/workflows/pr-env-destroy.yml +++ b/.github/workflows/pr-env-destroy.yml 
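Review bot: In pr-env-deploy.yml, `BRANCH_HASH=$(echo "$PR_HEAD_REF${{ github.event.pull_request.id }}" | sha256sum | head -c 6)` still interpolates a GitHub expression into the script body; `pull_request.id` is a numeric identifier so it is not an injection vector, but the step now mixes both styles. Suggest adding `PR_ID: ${{ github.event.pull_request.id }}` next to `PR_HEAD_REF` under `env:` and writing `BRANCH_HASH=$(echo "${PR_HEAD_REF}${PR_ID}" | sha256sum | head -c 6)`; the identical step in pr-env-destroy.yml has the same leftover. Switching the branch name from the old single-quoted inline expansion to `echo "$PR_HEAD_REF"` is the right fix, since a head ref is attacker-chosen on pull requests. Unrelated to this change, the context line's `[A-z]` character class also matches the six punctuation characters between `Z` and `a`; `[A-Za-z]` is presumably what was meant.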
@@ -23,16 +23,18 @@ jobs: runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }} steps: - name: Set a ID based on the branch name + env: + PR_HEAD_REF: ${{ github.event.pull_request.head.ref }} id: set_environment_id run: | JIRA_TICKET=$( - echo '${{ github.event.pull_request.head.ref }}' | \ + echo "$PR_HEAD_REF" | \ grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}' | \ sed 's/-//g' | \ tr '[:upper:]' '[:lower:]' || \ true ) - BRANCH_HASH=$(echo '${{ github.event.pull_request.head.ref }}${{ github.event.pull_request.id }}' | sha256sum | head -c 6) + BRANCH_HASH=$(echo "$PR_HEAD_REF${{ github.event.pull_request.id }}" | sha256sum | head -c 6) if [ -z "$JIRA_TICKET" ]; then echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT diff --git a/.github/workflows/rollback-stack.yml b/.github/workflows/rollback-stack.yml index 3ceff7a55..2d2a31ae8 100644 --- a/.github/workflows/rollback-stack.yml +++ b/.github/workflows/rollback-stack.yml @@ -40,14 +40,20 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}} - name: Get current environment config + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - poetry run python ./scripts/get_env_config.py all ${{ inputs.environment }} + poetry run python ./scripts/get_env_config.py all $ENVIRONMENT - name: Rollback + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }}) - poetry run python ./scripts/activate_stack.py ${inactive_stack_name} ${{ inputs.environment }} + inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT) + poetry run python ./scripts/activate_stack.py ${inactive_stack_name} $ENVIRONMENT - name: "Smoke Test" + env: + ENVIRONMENT: ${{ inputs.environment }} run: | - make ENV=${{ inputs.environment }} test-smoke-public + make ENV=$ENVIRONMENT test-smoke-public 
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml index d14fe4253..c7017724d 100644 --- a/.github/workflows/update-lambda-permissions.yml +++ b/.github/workflows/update-lambda-permissions.yml @@ -50,12 +50,16 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} - name: Terraform Init + env: + STACK_NAME: ${{ inputs.stack_name }} run: | terraform -chdir=terraform/infrastructure init - terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ - terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} + terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \ + terraform -chdir=terraform/infrastructure workspace select $STACK_NAME - name: Check deployed version matches build version + env: + STRICT_VERSIONING: ${{ inputs.strict_versioning }} run: | this_version="$(./scripts/get-current-info.sh | jq -r .version)" deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)" @@ -66,7 +70,7 @@ jobs: then echo "${this_version} does not match deployed version: ${deployed_version}" 1>&2 - if [ "${{ inputs.strict_versioning }}" == "true" ]; then + if [ "$STRICT_VERSIONING" == "true" ]; then echo "Strict version checking failed, cancelling workflow" 1>&2 exit 1 fi @@ -98,9 +102,12 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} - name: Create lambda permissions layer + env: + ENVIRONMENT: ${{ inputs.environment }} + STACK_NAME: ${{ inputs.stack_name }} run: | - account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) - make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${{ inputs.stack_name }} + account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) + make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=$STACK_NAME - name: Save NRLF permissions in cache uses: actions/cache/save@v4 
@@ -137,9 +144,12 @@ jobs: role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }} - name: Pull deployed lambda artifacts + env: + ENVIRONMENT: ${{ inputs.environment }} + STACK_NAME: ${{ inputs.stack_name }} run: | - account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) - ./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }} + account=$(echo "$ENVIRONMENT" | cut -d '-' -f1) + ./scripts/pull-lambda-code-for-stack.sh $STACK_NAME - name: Save lambda artifacts in cache uses: actions/cache/save@v4 
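Review bot: In the Pull deployed lambda artifacts step, `account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)` assigns a shell variable that nothing in the hunk reads — the only other command is `./scripts/pull-lambda-code-for-stack.sh $STACK_NAME`, and an unexported shell variable is not visible to that child process anyway. The newly added `ENVIRONMENT: ${{ inputs.environment }}` entry exists only to feed this dead assignment. Unless the script is expected to read an exported `account` (which would need `export account=...`), drop both the `account=` line and the `ENVIRONMENT` env entry, and quote the remaining argument as `"$STACK_NAME"`.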
@@ -187,26 +197,31 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} - name: Terraform Init + env: + STACK_NAME: ${{ inputs.stack_name }} run: | terraform -chdir=terraform/infrastructure init - terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ - terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} + terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \ + terraform -chdir=terraform/infrastructure workspace select $STACK_NAME - name: Terraform Plan env: DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }} + STACK_NAME: ${{ inputs.stack_name }} run: | terraform -chdir=terraform/infrastructure plan \ --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ --var assume_role_arn=${DEPLOY_ROLE_ARN} \ - --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \ + --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py $STACK_NAME) \ --out tfplan - name: Save Terraform Plan + env: + ENVIRONMENT: ${{ inputs.environment }} run: | terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt - aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan - aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt + aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan + aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt terraform-apply: name: Apply permissions 
@@ -248,13 +263,17 @@ jobs: role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} - name: Download Terraform Plan artifact - run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan + env: + ENVIRONMENT: ${{ inputs.environment }} + run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan - name: Terraform Init + env: + STACK_NAME: ${{ inputs.stack_name }} run: | terraform -chdir=terraform/infrastructure init - terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ - terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} + terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \ + terraform -chdir=terraform/infrastructure workspace select $STACK_NAME - name: Terraform Apply run: |