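---
# Terraform: New environment
#
# Creates new AWS member accounts (terraform/environments) and then runs the
# bootstrap baselines (delegate-access, secure-baselines, single-sign-on,
# member-bootstrap) for every environments/<name>.json added or modified by
# the pushed commit.  On pull requests only a plan is produced and its
# summary line is posted as a PR comment.
#
# Credentials: every job obtains AWS credentials through GitHub OIDC
# (`id-token: write`) and assumes a role by ARN.  `id-token: write` only lets
# the job *request* a token; which workflows may actually assume each role is
# decided by the role's trust policy, which should pin the
# token.actions.githubusercontent.com:sub claim to this repository (and, for
# the apply roles, to refs/heads/main).  Those policies are not visible here.
name: "Terraform: New environment"

on:
  push:
    branches:
      - main
    paths:
      - '.github/workflows/new-environment.yml'
      - 'terraform/environments/*.tf'
      - 'environments/**.json'
      - 'terraform/environments/bootstrap/**'
  pull_request:
    branches:
      - main
    types: [opened, edited, reopened, synchronize]
    paths:
      - '.github/workflows/new-environment.yml'
      - 'terraform/environments/*.tf'
      - 'environments/**.json'
  workflow_dispatch:

env:
  TF_IN_AUTOMATION: "true"
  AWS_REGION: "eu-west-2"
  # JSON document holding the platform account ids; single fields are pulled
  # out with jq below.  GitHub masks the whole secret value in logs, not the
  # individual ids extracted from it.
  ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}

# Workflow-wide default for GITHUB_TOKEN: every scope not listed is `none`.
permissions:
  id-token: write # required to request the OIDC JWT used by configure-aws-credentials
  contents: read  # required for actions/checkout

defaults:
  run:
    # An explicit `bash` makes GitHub run steps with `bash -e -o pipefail`, so
    # a failing command or pipeline stage fails the step.
    shell: bash

jobs:
  check-environments-deployment-plan:
    # Pull-request path: plan only, then post the plan summary on the PR.
    runs-on: ubuntu-latest
    if: github.ref != 'refs/heads/main' && github.event_name != 'workflow_dispatch'
    # Job-level permissions replace the workflow-level block entirely, so the
    # OIDC and checkout scopes are repeated.  `pull-requests: write` is needed
    # by scripts/update-pr-comments.sh, which is handed GITHUB_TOKEN to post
    # the plan comment; the workflow-level block (contents: read only) does
    # not grant it.
    permissions:
      id-token: write
      contents: read
      pull-requests: write
    env:
      # Token consumed by the Terraform GitHub provider.  It is exposed to a
      # plan run for any same-repository branch that opens a PR; forks do not
      # receive secrets on pull_request events.
      TF_VAR_github_token: ${{ secrets.TERRAFORM_GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Set Account Number
        # Assign first so that a jq failure (-e: key missing or null) fails the
        # step under `set -e` instead of silently exporting an empty value
        # that only surfaces later as a malformed role ARN.
        run: |
          account_number="$(jq -r -e '.aws_organizations_root_account_id' <<< "${ENVIRONMENT_MANAGEMENT}")"
          echo "ACCOUNT_NUMBER=${account_number}" >> "${GITHUB_ENV}"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole"
          # NOTE(review): a constant session name gives CloudTrail nothing to
          # tie an AssumeRole event back to a run; including github.run_id
          # would help, but the trust policy may condition on
          # sts:RoleSessionName, so the value is left unchanged here.
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          # "~1" resolves to the newest 1.x release at run time: the actions
          # are SHA-pinned but the Terraform binary itself is not.
          terraform_version: "~1"
          terraform_wrapper: false
      - name: Run terraform plan for root terraform/environments
        env:
          SECRET: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): the repository slug is also available as
          # ${{ github.repository }}; kept as a secret lookup because the
          # value update-pr-comments.sh expects is not visible from here.
          GITHUB_REPOSITORY: ${{ secrets.GITHUB_REPOSITORY }}
          PULL_REQUEST_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          terraform --version
          # Only post a plan summary when running against a pull request.  The
          # PR number is read from the environment (set above) rather than
          # interpolated into the script with ${{ }}; the same variable works
          # when running locally under act.
          if [ -n "${PULL_REQUEST_NUMBER}" ]; then
            bash scripts/terraform-init.sh terraform/environments
            # Stream the full plan to the job log; keep only the summary line
            # for the PR comment.
            PLAN="$(bash scripts/terraform-plan.sh terraform/environments | tee /dev/stderr | grep '^Plan: \|^No changes.')"
            PLAN="> TERRAFORM PLAN RESULT - ACCOUNTS-TO-CREATE/MODIFY/DELETE -"$'\n'"${PLAN}"
            bash scripts/update-pr-comments.sh "${PLAN}"
          fi

  create-environment:
    # Main-branch path: apply terraform/environments with the root-account
    # role.  This applies on every push to main, so branch protection on main
    # is the approval gate for account creation.
    runs-on: ubuntu-latest
    if: github.event.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    env:
      TF_VAR_github_token: ${{ secrets.TERRAFORM_GITHUB_TOKEN }}
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Set Account Number
        # Fail fast on a missing/null key (see check-environments-deployment-plan).
        run: |
          account_number="$(jq -r -e '.aws_organizations_root_account_id' <<< "${ENVIRONMENT_MANAGEMENT}")"
          echo "ACCOUNT_NUMBER=${account_number}" >> "${GITHUB_ENV}"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: "~1" # newest 1.x at run time; not pinned
          terraform_wrapper: false
      - name: Run terraform init in terraform/environments
        run: bash scripts/terraform-init.sh terraform/environments
      - name: Run terraform plan in terraform/environments
        run: bash scripts/terraform-plan.sh terraform/environments
      - name: Run terraform apply in terraform/environments
        run: bash scripts/terraform-apply.sh terraform/environments
      - name: Slack failure notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          # Only run-controlled context values (server_url, repository, run_id,
          # workflow, job) are interpolated into the JSON; none is user input.
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  provision-workspaces:
    # Creates the Terraform workspaces for bootstrap/* and for every
    # environment, using the modernisation-platform account role.
    runs-on: ubuntu-latest
    if: github.event.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    needs: [create-environment]
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
      - name: Set Account Number
        run: |
          account_number="$(jq -r -e '.modernisation_platform_account_id' <<< "${ENVIRONMENT_MANAGEMENT}")"
          echo "ACCOUNT_NUMBER=${account_number}" >> "${GITHUB_ENV}"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: "~1" # newest 1.x at run time; not pinned
          terraform_wrapper: false
      - name: Provision workspaces in terraform/environments/bootstrap/*
        run: bash scripts/provision-terraform-workspaces.sh bootstrap
      - name: Provision workspaces in terraform/environments/*
        run: bash scripts/provision-terraform-workspaces.sh all-environments
      - name: Slack failure notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  delegate-access:
    # First baseline for each new account; runs with the root-account role.
    runs-on: ubuntu-latest
    if: github.event.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    needs: [provision-workspaces]
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0 # full history so `git diff @^` has a parent to diff against
      - name: Set Account Number
        run: |
          account_number="$(jq -r -e '.aws_organizations_root_account_id' <<< "${ENVIRONMENT_MANAGEMENT}")"
          echo "ACCOUNT_NUMBER=${account_number}" >> "${GITHUB_ENV}"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: "~1" # newest 1.x at run time; not pinned
          terraform_wrapper: false
      - name: Get new account(s)
        id: new_account
        # Names of the environments/<name>.json files added or modified by
        # HEAD, one per line, with the `.json` suffix stripped.  The match is
        # anchored to the top-level environments/ directory so a .json file
        # elsewhere under a path containing "environments/" is not mistaken
        # for an account.  The value may span several lines, so it is written
        # with GITHUB_OUTPUT's heredoc syntax (a plain multi-line `files=`
        # value is not valid there) behind a random delimiter that file
        # content cannot predict.
        run: |
          delim="gha_$(openssl rand -hex 8)"
          {
            echo "files<<${delim}"
            git diff --no-commit-id --name-only --diff-filter=AM -r @^ \
              | grep -a '^environments/.*\.json$' \
              | uniq \
              | cut -f2-4 -d'/' \
              | sed 's/.\{5\}$//' \
              || true # no matching file is not an error
            echo "${delim}"
          } >> "${GITHUB_OUTPUT}"
      - name: Run delegate access
        env:
          # Passed through the environment instead of being interpolated with
          # ${{ }} into the script, so a file name carrying shell
          # metacharacters is data rather than code.
          NEW_ACCOUNTS: ${{ steps.new_account.outputs.files }}
        run: |
          mapfile -t accounts < <(printf '%s\n' "${NEW_ACCOUNTS}" | sed '/^[[:space:]]*$/d')
          if [ "${#accounts[@]}" -eq 0 ]; then
            echo "[+] There were no AWS member accounts to process"
            exit 0
          fi
          for account in "${accounts[@]}"; do
            echo "[+] Running delegate-access baseline for account ${account}"
            bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access
            bash scripts/setup-baseline.sh terraform/environments/bootstrap/delegate-access "${account}" plan
            bash scripts/setup-baseline.sh terraform/environments/bootstrap/delegate-access "${account}" apply
          done
      - name: Slack failure notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  secure-baselines:
    # Security baseline for each new account; modernisation-platform role.
    runs-on: ubuntu-latest
    if: github.event.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    needs: [delegate-access]
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0 # full history so `git diff @^` has a parent to diff against
      - name: Set Account Number
        run: |
          account_number="$(jq -r -e '.modernisation_platform_account_id' <<< "${ENVIRONMENT_MANAGEMENT}")"
          echo "ACCOUNT_NUMBER=${account_number}" >> "${GITHUB_ENV}"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: "~1" # newest 1.x at run time; not pinned
          terraform_wrapper: false
      - name: Get new account(s)
        id: new_account
        # Same extraction as in delegate-access: environments/<name>.json files
        # changed by HEAD, one name per line, written as a heredoc output.
        run: |
          delim="gha_$(openssl rand -hex 8)"
          {
            echo "files<<${delim}"
            git diff --no-commit-id --name-only --diff-filter=AM -r @^ \
              | grep -a '^environments/.*\.json$' \
              | uniq \
              | cut -f2-4 -d'/' \
              | sed 's/.\{5\}$//' \
              || true # no matching file is not an error
            echo "${delim}"
          } >> "${GITHUB_OUTPUT}"
      - name: Run secure baselines
        env:
          # Environment pass-through rather than ${{ }} interpolation into bash.
          NEW_ACCOUNTS: ${{ steps.new_account.outputs.files }}
        run: |
          mapfile -t accounts < <(printf '%s\n' "${NEW_ACCOUNTS}" | sed '/^[[:space:]]*$/d')
          if [ "${#accounts[@]}" -eq 0 ]; then
            echo "[+] There were no AWS member accounts to process"
            exit 0
          fi
          for account in "${accounts[@]}"; do
            echo "[+] Running secure baseline for account ${account}"
            bash scripts/terraform-init.sh terraform/environments/bootstrap/secure-baselines
            bash scripts/setup-baseline.sh terraform/environments/bootstrap/secure-baselines "${account}" plan
            bash scripts/setup-baseline.sh terraform/environments/bootstrap/secure-baselines "${account}" apply
          done
      - name: Slack failure notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  single-sign-on:
    # SSO baseline for each new account; modernisation-platform role.
    runs-on: ubuntu-latest
    if: github.event.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    needs: [provision-workspaces, delegate-access]
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0 # full history so `git diff @^` has a parent to diff against
      - name: Set Account Number
        run: |
          account_number="$(jq -r -e '.modernisation_platform_account_id' <<< "${ENVIRONMENT_MANAGEMENT}")"
          echo "ACCOUNT_NUMBER=${account_number}" >> "${GITHUB_ENV}"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: "~1" # newest 1.x at run time; not pinned
          terraform_wrapper: false
      - name: Get new account(s)
        id: new_account
        # Same extraction as in delegate-access: environments/<name>.json files
        # changed by HEAD, one name per line, written as a heredoc output.
        run: |
          delim="gha_$(openssl rand -hex 8)"
          {
            echo "files<<${delim}"
            git diff --no-commit-id --name-only --diff-filter=AM -r @^ \
              | grep -a '^environments/.*\.json$' \
              | uniq \
              | cut -f2-4 -d'/' \
              | sed 's/.\{5\}$//' \
              || true # no matching file is not an error
            echo "${delim}"
          } >> "${GITHUB_OUTPUT}"
      - name: Run single sign on
        env:
          # Environment pass-through rather than ${{ }} interpolation into bash.
          NEW_ACCOUNTS: ${{ steps.new_account.outputs.files }}
        run: |
          mapfile -t accounts < <(printf '%s\n' "${NEW_ACCOUNTS}" | sed '/^[[:space:]]*$/d')
          if [ "${#accounts[@]}" -eq 0 ]; then
            echo "[+] There were no AWS member accounts to process"
            exit 0
          fi
          for account in "${accounts[@]}"; do
            echo "[+] Running single sign on baseline for account ${account}"
            bash scripts/terraform-init.sh terraform/environments/bootstrap/single-sign-on
            bash scripts/setup-baseline.sh terraform/environments/bootstrap/single-sign-on "${account}" plan
            bash scripts/setup-baseline.sh terraform/environments/bootstrap/single-sign-on "${account}" apply
          done
      - name: Slack failure notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK

  member-bootstrap:
    # Member-account bootstrap for each new account; modernisation-platform role.
    runs-on: ubuntu-latest
    if: github.event.ref == 'refs/heads/main' || github.event_name == 'workflow_dispatch'
    needs: [single-sign-on]
    steps:
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          fetch-depth: 0 # full history so `git diff @^` has a parent to diff against
      - name: Set Account Number
        run: |
          account_number="$(jq -r -e '.modernisation_platform_account_id' <<< "${ENVIRONMENT_MANAGEMENT}")"
          echo "ACCOUNT_NUMBER=${account_number}" >> "${GITHUB_ENV}"
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
          role-session-name: githubactionsrolesession
          aws-region: ${{ env.AWS_REGION }}
      - uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3
        with:
          terraform_version: "~1" # newest 1.x at run time; not pinned
          terraform_wrapper: false
      - name: Get new account(s)
        id: new_account
        # Same extraction as in delegate-access: environments/<name>.json files
        # changed by HEAD, one name per line, written as a heredoc output.
        run: |
          delim="gha_$(openssl rand -hex 8)"
          {
            echo "files<<${delim}"
            git diff --no-commit-id --name-only --diff-filter=AM -r @^ \
              | grep -a '^environments/.*\.json$' \
              | uniq \
              | cut -f2-4 -d'/' \
              | sed 's/.\{5\}$//' \
              || true # no matching file is not an error
            echo "${delim}"
          } >> "${GITHUB_OUTPUT}"
      - name: Run member bootstrap
        env:
          # Environment pass-through rather than ${{ }} interpolation into bash.
          NEW_ACCOUNTS: ${{ steps.new_account.outputs.files }}
        run: |
          mapfile -t accounts < <(printf '%s\n' "${NEW_ACCOUNTS}" | sed '/^[[:space:]]*$/d')
          if [ "${#accounts[@]}" -eq 0 ]; then
            echo "[+] There were no AWS member accounts to process"
            exit 0
          fi
          for account in "${accounts[@]}"; do
            echo "[+] Running member-bootstrap baseline for account ${account}"
            bash scripts/terraform-init.sh terraform/environments/bootstrap/member-bootstrap
            bash scripts/setup-baseline.sh terraform/environments/bootstrap/member-bootstrap "${account}" plan
            bash scripts/setup-baseline.sh terraform/environments/bootstrap/member-bootstrap "${account}" apply
          done
      - name: Slack failure notification
        if: failure()
        uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
        with:
          payload: |
            {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK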