9 changes: 7 additions & 2 deletions .github/workflows/activate-stack.yml
Expand Up @@ -45,9 +45,14 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}

- name: Get current environment config
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
poetry run python ./scripts/get_env_config.py all ${{ inputs.environment }}
poetry run python ./scripts/get_env_config.py all $ENVIRONMENT

- name: Activate Stack
env:
STACK_NAME: ${{ inputs.stack_name }}
ENVIRONMENT: ${{ inputs.environment }}
run: |
poetry run python ./scripts/activate_stack.py ${{ inputs.stack_name }} ${{ inputs.environment }}
poetry run python ./scripts/activate_stack.py $STACK_NAME $ENVIRONMENT
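Review bot: The new `$ENVIRONMENT` and `$STACK_NAME` expansions in the `run:` lines of both steps are unquoted, so an input value containing whitespace or glob characters would be word-split and glob-expanded before it reaches the Python scripts, whereas the `echo "$ENVIRONMENT"` form this PR introduces elsewhere already quotes; the consistent form is `poetry run python ./scripts/get_env_config.py all "$ENVIRONMENT"` and `poetry run python ./scripts/activate_stack.py "$STACK_NAME" "$ENVIRONMENT"`. The same unquoted expansions appear in the new lines of persistent-environment.yml, rollback-stack.yml and update-lambda-permissions.yml. Since every step in these jobs now declares the identical `ENVIRONMENT: ${{ inputs.environment }}` mapping, a single job-level `env:` would remove the repetition and make it less likely that a future step falls back to inline `${{ }}` inside `run:`. The job these steps belong to starts above the hunk.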
61 changes: 43 additions & 18 deletions .github/workflows/persistent-environment.yml
Expand Up @@ -52,9 +52,11 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Add S3 Permissions to Lambda
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${inactive_stack}

- name: Save Build Artifacts
Expand Down Expand Up @@ -96,8 +98,10 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Retrieve Server Certificates
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)
make truststore-pull-server ENV=${account}

- name: Download build artifacts
Expand All @@ -114,28 +118,33 @@ jobs:
fail-on-cache-miss: true

- name: Terraform Init
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \
terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}

- name: Terraform Plan
env:
DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
ENVIRONMENT: ${{ inputs.environment }}
run: |
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
terraform -chdir=terraform/infrastructure plan \
--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
--var assume_role_arn=${DEPLOY_ROLE_ARN} \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${inactive_stack}) \
-out tfplan

- name: Save Terraform Plan
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan
aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt
aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan
aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt

terraform-apply:
name: Terraform Apply - ${{ inputs.environment }}
Expand Down Expand Up @@ -175,16 +184,22 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}

- name: Download Terraform Plan artifact
run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
env:
ENVIRONMENT: ${{ inputs.environment }}
run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan

- name: Retrieve Server Certificates
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)
make truststore-pull-server ENV=${account}

- name: Terraform Init
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${inactive_stack} || \
terraform -chdir=terraform/infrastructure workspace select ${inactive_stack}
Expand All @@ -193,15 +208,19 @@ jobs:
run: terraform -chdir=terraform/infrastructure apply tfplan

- name: Update environment config version
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
deployed_version=$(terraform -chdir=terraform/infrastructure output --raw version)
poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} ${{ inputs.environment }}
poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} $ENVIRONMENT

- name: Smoke Test
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)
make ENV=${account} truststore-pull-client
make ENV=${{ inputs.environment }} test-smoke-internal
make ENV=$ENVIRONMENT test-smoke-internal

activate-stack:
name: Activate - ${{ inputs.environment }}
Expand All @@ -228,9 +247,11 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}

- name: Activate Stack
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
poetry run python ./scripts/activate_stack.py ${inactive_stack} ${{ inputs.environment }}
inactive_stack=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
poetry run python ./scripts/activate_stack.py ${inactive_stack} $ENVIRONMENT

post-release-verify:
name: Verify - ${{ inputs.environment }}
Expand All @@ -257,8 +278,10 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}

- name: "Smoke Test"
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
make ENV=${{ inputs.environment }} test-smoke-public
make ENV=$ENVIRONMENT test-smoke-public

rollback-stack:
name: Rollback - ${{ inputs.environment }}
Expand Down Expand Up @@ -286,6 +309,8 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}

- name: Deactivate Stack
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
poetry run python ./scripts/activate_stack.py ${inactive_stack_name} ${{ inputs.environment }}
inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
poetry run python ./scripts/activate_stack.py ${inactive_stack_name} $ENVIRONMENT
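Review bot: `--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars` in the Terraform Plan step is still an expression interpolated directly into the shell script, which is exactly the pattern this PR removes from the neighbouring lines; repository variables are set by repository admins rather than by a PR author, so the exposure is smaller than for `inputs`, but the consistent form is `ACCOUNT_NAME: ${{ vars.ACCOUNT_NAME }}` under the step's `env:` and `--var-file=etc/${ACCOUNT_NAME}.tfvars`. The same line is in the Terraform Plan step of update-lambda-permissions.yml. Separately, the Save Terraform Plan step uploads the binary `tfplan` and its `show` text to the ci-logging bucket; a plan file can embed variable and resource attribute values from the plan, so the bucket's read access should be as restricted as the state backend's — worth confirming rather than assuming from the bucket's name. The terraform-plan job's earlier steps are outside the hunk.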
8 changes: 4 additions & 4 deletions .github/workflows/pr-env-deploy.yml
Expand Up @@ -23,16 +23,18 @@ jobs:
environment: pull-request
steps:
- name: Set a ID based on the branch name
env:
PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
id: set_environment_id
run: |
JIRA_TICKET=$(
echo '${{ github.event.pull_request.head.ref }}' | \
echo "$PR_HEAD_REF" | \
grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}' | \
sed 's/-//g' | \
tr '[:upper:]' '[:lower:]' || \
true
)
BRANCH_HASH=$(echo '${{ github.event.pull_request.head.ref }}${{ github.event.pull_request.id }}' | sha256sum | head -c 6)
BRANCH_HASH=$(echo "$PR_HEAD_REF${{ github.event.pull_request.id }}" | sha256sum | head -c 6)

if [ -z "$JIRA_TICKET" ]; then
echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT
Expand Down Expand Up @@ -288,8 +290,6 @@ jobs:

- name: Configure Dev Account Credentials
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a #v4.3.1
env:
DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
with:
aws-region: eu-west-2
role-chaining: true
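Review bot: The `grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}'` pattern on the line after the new `echo "$PR_HEAD_REF"` uses the range `[A-z]`, which in ASCII also covers `[`, `\`, `]`, `^`, `_` and the backtick, so a branch name with those characters between letters and digits can produce a JIRA_TICKET (and therefore an `environment_id`) that is not purely alphanumeric; `[A-Za-z]{3,4}-[0-9]{3,5}` is the intended range. Further down, `echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT` truncates the outputs file instead of appending; the documented form is `>> "$GITHUB_OUTPUT"`, which matters as soon as a second output is written in this step. The identical script in pr-env-destroy.yml has the same two issues. The step's `else` branch is outside the hunk.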
6 changes: 4 additions & 2 deletions .github/workflows/pr-env-destroy.yml
Expand Up @@ -23,16 +23,18 @@ jobs:
runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
steps:
- name: Set a ID based on the branch name
env:
PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
id: set_environment_id
run: |
JIRA_TICKET=$(
echo '${{ github.event.pull_request.head.ref }}' | \
echo "$PR_HEAD_REF" | \
grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}' | \
sed 's/-//g' | \
tr '[:upper:]' '[:lower:]' || \
true
)
BRANCH_HASH=$(echo '${{ github.event.pull_request.head.ref }}${{ github.event.pull_request.id }}' | sha256sum | head -c 6)
BRANCH_HASH=$(echo "$PR_HEAD_REF${{ github.event.pull_request.id }}" | sha256sum | head -c 6)

if [ -z "$JIRA_TICKET" ]; then
echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT
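Review bot: The whole `Set a ID based on the branch name` step, including the `PR_HEAD_REF` env mapping added here, is a verbatim copy of the one in pr-env-deploy.yml, so the two will drift the next time either is edited and the destroy workflow could then resolve a different `environment_id` than the one that was deployed. Moving the ID derivation into a script under `./scripts/` (or a composite action) that both workflows call would keep the two guaranteed to agree. The step's `if`/`else` tail is outside the hunk.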
14 changes: 10 additions & 4 deletions .github/workflows/rollback-stack.yml
Expand Up @@ -40,14 +40,20 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id}}

- name: Get current environment config
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
poetry run python ./scripts/get_env_config.py all ${{ inputs.environment }}
poetry run python ./scripts/get_env_config.py all $ENVIRONMENT

- name: Rollback
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack ${{ inputs.environment }})
poetry run python ./scripts/activate_stack.py ${inactive_stack_name} ${{ inputs.environment }}
inactive_stack_name=$(poetry run python ./scripts/get_env_config.py inactive-stack $ENVIRONMENT)
poetry run python ./scripts/activate_stack.py ${inactive_stack_name} $ENVIRONMENT

- name: "Smoke Test"
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
make ENV=${{ inputs.environment }} test-smoke-public
make ENV=$ENVIRONMENT test-smoke-public
49 changes: 34 additions & 15 deletions .github/workflows/update-lambda-permissions.yml
Expand Up @@ -50,12 +50,16 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Terraform Init
env:
STACK_NAME: ${{ inputs.stack_name }}
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \
terraform -chdir=terraform/infrastructure workspace select $STACK_NAME

- name: Check deployed version matches build version
env:
STRICT_VERSIONING: ${{ inputs.strict_versioning }}
run: |
this_version="$(./scripts/get-current-info.sh | jq -r .version)"
deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)"
Expand All @@ -66,7 +70,7 @@ jobs:
then
echo "${this_version} does not match deployed version: ${deployed_version}" 1>&2

if [ "${{ inputs.strict_versioning }}" == "true" ]; then
if [ "$STRICT_VERSIONING" == "true" ]; then
echo "Strict version checking failed, cancelling workflow" 1>&2
exit 1
fi
Expand Down Expand Up @@ -98,9 +102,12 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Create lambda permissions layer
env:
ENVIRONMENT: ${{ inputs.environment }}
STACK_NAME: ${{ inputs.stack_name }}
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${{ inputs.stack_name }}
account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)
make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=$STACK_NAME

- name: Save NRLF permissions in cache
uses: actions/cache/save@v4
Expand Down Expand Up @@ -137,9 +144,12 @@ jobs:
role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }}

- name: Pull deployed lambda artifacts
env:
ENVIRONMENT: ${{ inputs.environment }}
STACK_NAME: ${{ inputs.stack_name }}
run: |
account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }}
account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)
./scripts/pull-lambda-code-for-stack.sh $STACK_NAME

- name: Save lambda artifacts in cache
uses: actions/cache/save@v4
Expand Down Expand Up @@ -187,26 +197,31 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Terraform Init
env:
STACK_NAME: ${{ inputs.stack_name }}
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \
terraform -chdir=terraform/infrastructure workspace select $STACK_NAME

- name: Terraform Plan
env:
DEPLOY_ROLE_ARN: ${{ secrets.DEPLOY_ROLE_ARN }}
STACK_NAME: ${{ inputs.stack_name }}
run: |
terraform -chdir=terraform/infrastructure plan \
--var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
--var assume_role_arn=${DEPLOY_ROLE_ARN} \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
--var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py $STACK_NAME) \
--out tfplan

- name: Save Terraform Plan
env:
ENVIRONMENT: ${{ inputs.environment }}
run: |
terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan
aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt
aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan
aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan.txt

terraform-apply:
name: Apply permissions
Expand Down Expand Up @@ -248,13 +263,17 @@ jobs:
role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}

- name: Download Terraform Plan artifact
run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
env:
ENVIRONMENT: ${{ inputs.environment }}
run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/$ENVIRONMENT/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan

- name: Terraform Init
env:
STACK_NAME: ${{ inputs.stack_name }}
run: |
terraform -chdir=terraform/infrastructure init
terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
terraform -chdir=terraform/infrastructure workspace new $STACK_NAME || \
terraform -chdir=terraform/infrastructure workspace select $STACK_NAME

- name: Terraform Apply
run: |
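Review bot: In the `Pull deployed lambda artifacts` step, `account=$(echo "$ENVIRONMENT" | cut -d '-' -f1)` is assigned but the only following command, `./scripts/pull-lambda-code-for-stack.sh $STACK_NAME`, never uses it, so either the assignment and the step's `ENVIRONMENT` env entry are dead and can be dropped, or the script was meant to receive `"$account"` as well. The Terraform Plan step here writes `--out tfplan` while persistent-environment.yml uses `-out tfplan`; Terraform accepts both, but one spelling across the workflows reads better. The `Check deployed version matches build version` step is cut by the hunk boundary, so its full body is not visible here.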