Release v3.23.0 #379
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Terragrunt plan PRODUCTION" | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - "infrastructure/environments.yml" | |
| env: | |
| AWS_REGION: ca-central-1 | |
| CONFTEST_VERSION: 0.27.0 | |
| TERRAFORM_VERSION: 1.9.8 | |
| TERRAGRUNT_VERSION: 0.57.5 | |
| TF_INPUT: false | |
| TF_VAR_client_vpn_access_group_id: ${{ secrets.PRODUCTION_CLIENT_VPN_ACCESS_GROUP_ID }} | |
| TF_VAR_client_vpn_saml_metadata: ${{ secrets.PRODUCTION_CLIENT_VPN_SAML_METADATA }} | |
| TF_VAR_database_name: ${{ secrets.PRODUCTION_DATABASE_NAME }} | |
| TF_VAR_database_username: ${{ secrets.PRODUCTION_DATABASE_USERNAME }} | |
| TF_VAR_database_password: ${{ secrets.PRODUCTION_DATABASE_PASSWORD }} | |
| TF_VAR_cloudfront_custom_header_name: ${{ secrets.PRODUCTION_CLOUDFRONT_CUSTOM_HEADER_NAME }} | |
| TF_VAR_cloudfront_custom_header_value: ${{ secrets.PRODUCTION_CLOUDFRONT_CUSTOM_HEADER_VALUE }} | |
| TF_VAR_list_manager_endpoint: ${{ secrets.PRODUCTION_LIST_MANAGER_ENDPOINT }} | |
| TF_VAR_default_list_manager_api_key: ${{ secrets.PRODUCTION_DEFAULT_LIST_MANAGER_API_KEY }} | |
| TF_VAR_default_notify_api_key: ${{ secrets.PRODUCTION_DEFAULT_NOTIFY_API_KEY }} | |
| TF_VAR_encryption_key: ${{ secrets.PRODUCTION_ENCRYPTION_KEY }} | |
| TF_VAR_s3_uploads_bucket: ${{ secrets.PRODUCTION_S3_UPLOADS_BUCKET }} | |
| TF_VAR_s3_uploads_key: ${{ secrets.PRODUCTION_S3_UPLOADS_KEY }} | |
| TF_VAR_s3_uploads_secret: ${{ secrets.PRODUCTION_S3_UPLOADS_SECRET }} | |
| TF_VAR_c3_aws_access_key_id: ${{ secrets.PRODUCTION_C3_AWS_ACCESS_KEY_ID }} | |
| TF_VAR_c3_aws_secret_access_key: ${{ secrets.PRODUCTION_C3_AWS_SECRET_ACCESS_KEY }} | |
| TF_VAR_sentinel_customer_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }} | |
| TF_VAR_sentinel_shared_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }} | |
| TF_VAR_slack_webhook_url: ${{ secrets.PRODUCTION_SLACK_WEBHOOK_URL }} | |
| TF_VAR_wordpress_auth_key: ${{ secrets.PRODUCTION_WORDPRESS_AUTH_KEY }} | |
| TF_VAR_wordpress_secure_auth_key: ${{ secrets.PRODUCTION_WORDPRESS_SECURE_AUTH_KEY }} | |
| TF_VAR_wordpress_logged_in_key: ${{ secrets.PRODUCTION_WORDPRESS_LOGGED_IN_KEY }} | |
| TF_VAR_wordpress_nonce_key: ${{ secrets.PRODUCTION_WORDPRESS_NONCE_KEY }} | |
| TF_VAR_wordpress_auth_salt: ${{ secrets.PRODUCTION_WORDPRESS_AUTH_SALT }} | |
| TF_VAR_wordpress_secure_auth_salt: ${{ secrets.PRODUCTION_WORDPRESS_SECURE_AUTH_SALT }} | |
| TF_VAR_wordpress_logged_in_salt: ${{ secrets.PRODUCTION_WORDPRESS_LOGGED_IN_SALT }} | |
| TF_VAR_wordpress_nonce_salt: ${{ secrets.PRODUCTION_WORDPRESS_NONCE_SALT }} | |
| TF_VAR_jwt_auth_secret_key: ${{ secrets.PRODUCTION_JWT_AUTH_SECRET_KEY }} | |
| TF_VAR_wpml_site_key: ${{ secrets.PRODUCTION_WPML_SITE_KEY }} | |
| TF_VAR_zendesk_api_url: ${{ secrets.ZENDESK_API_URL }} | |
| permissions: | |
| id-token: write | |
| contents: read | |
| pull-requests: write | |
| jobs: | |
| environments-manifest: | |
| uses: cds-snc/gc-articles/.github/workflows/environments-manifest.yml@main | |
| terragrunt-plan-production: | |
| needs: environments-manifest | |
| runs-on: ubuntu-latest | |
| env: | |
| TARGET_VERSION: ${{ needs.environments-manifest.outputs.PROD_INFRASTRUCTURE }} | |
| PREVIOUS_VERSION: ${{ needs.environments-manifest.outputs.PREV_PROD_INFRASTRUCTURE }} | |
| if: needs.environments-manifest.outputs.CONTAINER_DEPLOYMENT == 'false' | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| ref: ${{ env.TARGET_VERSION }} | |
| - name: Setup terraform tools | |
| uses: cds-snc/terraform-tools-setup@v1 | |
| - uses: cds-snc/paths-filter@b316143212d841aed668b7b29240c719d603a9b9 # v2.10.4 | |
| id: filter | |
| with: | |
| ref: ${{ env.TARGET_VERSION }} | |
| base: ${{ env.PREVIOUS_VERSION }} | |
| filters: | | |
| common: | |
| - '.github/workflows/terragrunt-plan-production.yml' | |
| - 'infrastructure/terragrunt/env/common/**' | |
| - 'infrastructure/terragrunt/env/terragrunt.hcl' | |
| - 'infrastructure/terragrunt/env/prod/env_vars.hcl' | |
| alarms: | |
| - 'infrastructure/terragrunt/aws/alarms/**' | |
| - 'infrastructure/terragrunt/env/prod/alarms/**' | |
| database: | |
| - 'infrastructure/terragrunt/aws/database/**' | |
| - 'infrastructure/terragrunt/env/prod/database/**' | |
| ecr: | |
| - 'infrastructure/terragrunt/aws/ecr/**' | |
| - 'infrastructure/terragrunt/env/prod/ecr/**' | |
| ecs: | |
| - 'infrastructure/terragrunt/aws/ecs/**' | |
| - 'infrastructure/terragrunt/env/prod/ecs/**' | |
| hosted-zone: | |
| - 'infrastructure/terragrunt/aws/hosted-zone/**' | |
| - 'infrastructure/terragrunt/env/prod/hosted-zone/**' | |
| load-balancer: | |
| - 'infrastructure/terragrunt/aws/load-balancer/**' | |
| - 'infrastructure/terragrunt/env/prod/load-balancer/**' | |
| network: | |
| - 'infrastructure/terragrunt/aws/network/**' | |
| - 'infrastructure/terragrunt/env/prod/network/**' | |
| storage: | |
| - 'infrastructure/terragrunt/aws/storage/**' | |
| - 'infrastructure/terragrunt/env/prod/storage/**' | |
| - name: Configure AWS credentials using OIDC | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: arn:aws:iam::472286471787:role/gc-articles-plan | |
| role-session-name: TFPlan | |
| aws-region: ${{ env.AWS_REGION }} | |
| # No dependencies | |
| - name: Terragrunt plan network | |
| if: ${{ steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true' }} | |
| uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
| with: | |
| directory: "infrastructure/terragrunt/env/prod/network" | |
| comment-delete: "true" | |
| comment-title: "Production: network" | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| terragrunt: "true" | |
| - name: Terragrunt plan hosted-zone | |
| if: ${{ steps.filter.outputs.hosted-zone == 'true' || steps.filter.outputs.common == 'true' }} | |
| uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
| with: | |
| directory: "infrastructure/terragrunt/env/prod/hosted-zone" | |
| comment-delete: "true" | |
| comment-title: "Production: hosted-zone" | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| terragrunt: "true" | |
| - name: Terragrunt plan ecr | |
| if: ${{ steps.filter.outputs.ecr == 'true' || steps.filter.outputs.common == 'true' }} | |
| uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
| with: | |
| directory: "infrastructure/terragrunt/env/prod/ecr" | |
| comment-delete: "true" | |
| comment-title: "Production: ecr" | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| terragrunt: "true" | |
| - name: Terragrunt plan storage | |
| if: ${{ steps.filter.outputs.storage == 'true' || steps.filter.outputs.common == 'true' }} | |
| uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
| with: | |
| directory: "infrastructure/terragrunt/env/prod/storage" | |
| comment-delete: "true" | |
| comment-title: "Production: storage" | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| terragrunt: "true" | |
| # Network dependency | |
| - name: Terragrunt plan database | |
| if: ${{ steps.filter.outputs.database == 'true' || steps.filter.outputs.common == 'true' }} | |
| uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
| with: | |
| directory: "infrastructure/terragrunt/env/prod/database" | |
| comment-delete: "true" | |
| comment-title: "Production: database" | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| terragrunt: "true" | |
| - name: Terragrunt plan load-balancer | |
| if: ${{ steps.filter.outputs.load-balancer == 'true' || steps.filter.outputs.common == 'true' }} | |
| uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
| with: | |
| directory: "infrastructure/terragrunt/env/prod/load-balancer" | |
| comment-delete: "true" | |
| comment-title: "Production: load-balancer" | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| terragrunt: "true" | |
| # Load-balancer & database dependency | |
| - name: Terragrunt plan ecs | |
| if: ${{ steps.filter.outputs.ecs == 'true' || steps.filter.outputs.common == 'true' }} | |
| uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
| with: | |
| directory: "infrastructure/terragrunt/env/prod/ecs" | |
| comment-delete: "true" | |
| comment-title: "Production: ecs" | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| terragrunt: "true" | |
| # Depends on everything | |
| - name: Terragrunt plan alarms | |
| if: ${{ steps.filter.outputs.alarms == 'true' || steps.filter.outputs.common == 'true' }} | |
| uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
| with: | |
| directory: "infrastructure/terragrunt/env/prod/alarms" | |
| comment-delete: "true" | |
| comment-title: "Production: alarms" | |
| github-token: "${{ secrets.GITHUB_TOKEN }}" | |
| terragrunt: "true" |