---
name: "Terragrunt apply PRODUCTION"

# Fires only for pushes to main that touch the environments manifest; the
# manifest (read by the environments-manifest job below) decides which
# infrastructure version is checked out and applied.
on:
  push:
    branches:
      - main
    paths:
      - "infrastructure/environments.yml"
# Workflow-level env: every value here, secrets included, is visible to every
# step of the apply job, including the third-party actions it runs (paths
# filter, tool setup, Sentinel reporter). NOTE(review): moving the TF_VAR_*
# secrets onto the terragrunt apply steps' own `env:` would narrow that
# exposure to the steps that need them.
env:
  AWS_REGION: ca-central-1

  # Tool versions; presumably read by the "Setup terraform tools" step — confirm
  # against cds-snc/terraform-tools-setup.
  CONFTEST_VERSION: 0.27.0
  TERRAFORM_VERSION: 1.10.2
  TERRAGRUNT_VERSION: 0.57.5

  # Quoted so no YAML loader turns it into a boolean; Actions hands Terraform
  # the string "false" either way.
  TF_INPUT: "false"

  # Terraform input variables for the production environment, all sourced from
  # repository secrets.
  TF_VAR_client_vpn_access_group_id: ${{ secrets.PRODUCTION_CLIENT_VPN_ACCESS_GROUP_ID }}
  TF_VAR_client_vpn_saml_metadata: ${{ secrets.PRODUCTION_CLIENT_VPN_SAML_METADATA }}
  TF_VAR_database_name: ${{ secrets.PRODUCTION_DATABASE_NAME }}
  TF_VAR_database_username: ${{ secrets.PRODUCTION_DATABASE_USERNAME }}
  TF_VAR_database_password: ${{ secrets.PRODUCTION_DATABASE_PASSWORD }}
  TF_VAR_cloudfront_custom_header_name: ${{ secrets.PRODUCTION_CLOUDFRONT_CUSTOM_HEADER_NAME }}
  TF_VAR_cloudfront_custom_header_value: ${{ secrets.PRODUCTION_CLOUDFRONT_CUSTOM_HEADER_VALUE }}
  TF_VAR_list_manager_endpoint: ${{ secrets.PRODUCTION_LIST_MANAGER_ENDPOINT }}
  TF_VAR_default_list_manager_api_key: ${{ secrets.PRODUCTION_DEFAULT_LIST_MANAGER_API_KEY }}
  TF_VAR_default_notify_api_key: ${{ secrets.PRODUCTION_DEFAULT_NOTIFY_API_KEY }}
  TF_VAR_encryption_key: ${{ secrets.PRODUCTION_ENCRYPTION_KEY }}
  TF_VAR_s3_uploads_bucket: ${{ secrets.PRODUCTION_S3_UPLOADS_BUCKET }}
  TF_VAR_s3_uploads_key: ${{ secrets.PRODUCTION_S3_UPLOADS_KEY }}
  TF_VAR_s3_uploads_secret: ${{ secrets.PRODUCTION_S3_UPLOADS_SECRET }}
  TF_VAR_c3_aws_access_key_id: ${{ secrets.PRODUCTION_C3_AWS_ACCESS_KEY_ID }}
  TF_VAR_c3_aws_secret_access_key: ${{ secrets.PRODUCTION_C3_AWS_SECRET_ACCESS_KEY }}
  # Same Log Analytics workspace credentials the Sentinel reporting step uses.
  TF_VAR_sentinel_customer_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
  TF_VAR_sentinel_shared_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}
  TF_VAR_slack_webhook_url: ${{ secrets.PRODUCTION_SLACK_WEBHOOK_URL }}
  TF_VAR_wordpress_auth_key: ${{ secrets.PRODUCTION_WORDPRESS_AUTH_KEY }}
  TF_VAR_wordpress_secure_auth_key: ${{ secrets.PRODUCTION_WORDPRESS_SECURE_AUTH_KEY }}
  TF_VAR_wordpress_logged_in_key: ${{ secrets.PRODUCTION_WORDPRESS_LOGGED_IN_KEY }}
  TF_VAR_wordpress_nonce_key: ${{ secrets.PRODUCTION_WORDPRESS_NONCE_KEY }}
  TF_VAR_wordpress_auth_salt: ${{ secrets.PRODUCTION_WORDPRESS_AUTH_SALT }}
  TF_VAR_wordpress_secure_auth_salt: ${{ secrets.PRODUCTION_WORDPRESS_SECURE_AUTH_SALT }}
  TF_VAR_wordpress_logged_in_salt: ${{ secrets.PRODUCTION_WORDPRESS_LOGGED_IN_SALT }}
  TF_VAR_wordpress_nonce_salt: ${{ secrets.PRODUCTION_WORDPRESS_NONCE_SALT }}
  TF_VAR_jwt_auth_secret_key: ${{ secrets.PRODUCTION_JWT_AUTH_SECRET_KEY }}
  TF_VAR_wpml_site_key: ${{ secrets.PRODUCTION_WPML_SITE_KEY }}
  TF_VAR_zendesk_api_url: ${{ secrets.ZENDESK_API_URL }}
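# Token scope for the whole workflow (both jobs, the environments-manifest
# reusable workflow included): id-token:write is what the OIDC role assumption
# in the apply job needs, contents:read is enough to check out the target
# version. NOTE(review): nothing visible here shows the manifest job needing an
# OIDC token, so a job-level `permissions:` on terragrunt-apply-production
# would be tighter — confirm against the called workflow first.
permissions:
  id-token: write
  contents: read

# Serialise production applies: two pushes to main in quick succession would
# otherwise start parallel runs against the same Terraform state. cancel-in-
# progress stays false so an in-flight apply is never interrupted half-way;
# the newer run waits for it instead.
concurrency:
  group: terragrunt-apply-production
  cancel-in-progress: false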
jobs:
  # Produces the PROD_INFRASTRUCTURE, PREV_PROD_INFRASTRUCTURE and
  # CONTAINER_DEPLOYMENT outputs consumed below; presumably derived from
  # infrastructure/environments.yml (the file this workflow triggers on), but
  # the logic lives in the called workflow.
  environments-manifest:
    uses: cds-snc/gc-articles/.github/workflows/environments-manifest.yml@main

  terragrunt-apply-production:
    needs: environments-manifest
    runs-on: ubuntu-latest
    # Container-only deployments are handled elsewhere; skip the whole job.
    if: needs.environments-manifest.outputs.CONTAINER_DEPLOYMENT == 'false'
    env:
      # Git ref that gets checked out and applied.
      TARGET_VERSION: ${{ needs.environments-manifest.outputs.PROD_INFRASTRUCTURE }}
      # Previously applied ref; the diff between the two picks the modules to apply.
      PREVIOUS_VERSION: ${{ needs.environments-manifest.outputs.PREV_PROD_INFRASTRUCTURE }}
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ env.TARGET_VERSION }}

      # NOTE(review): `@v1` is a mutable tag, unlike the SHA-pinned actions in
      # this job; the same applies to `@main` on the Sentinel step at the end.
      # Pinning both to a commit SHA would close that supply-chain gap.
      - name: Setup terraform tools
        uses: cds-snc/terraform-tools-setup@v1

      # Compares TARGET_VERSION against PREVIOUS_VERSION and sets one
      # `true`/`false` output per module group; `common` covers files that
      # affect every module and forces all of them to apply.
      - uses: cds-snc/paths-filter@b316143212d841aed668b7b29240c719d603a9b9 # v2.10.4
        id: filter
        with:
          ref: ${{ env.TARGET_VERSION }}
          base: ${{ env.PREVIOUS_VERSION }}
          filters: |
            common:
              - '.github/workflows/terragrunt-apply-production.yml'
              - 'infrastructure/terragrunt/env/common/**'
              - 'infrastructure/terragrunt/env/terragrunt.hcl'
              - 'infrastructure/terragrunt/env/prod/env_vars.hcl'
            alarms:
              - 'infrastructure/terragrunt/aws/alarms/**'
              - 'infrastructure/terragrunt/env/prod/alarms/**'
            database:
              - 'infrastructure/terragrunt/aws/database/**'
              - 'infrastructure/terragrunt/env/prod/database/**'
            ecr:
              - 'infrastructure/terragrunt/aws/ecr/**'
              - 'infrastructure/terragrunt/env/prod/ecr/**'
            ecs:
              - 'infrastructure/terragrunt/aws/ecs/**'
              - 'infrastructure/terragrunt/env/prod/ecs/**'
            hosted-zone:
              - 'infrastructure/terragrunt/aws/hosted-zone/**'
              - 'infrastructure/terragrunt/env/prod/hosted-zone/**'
            load-balancer:
              - 'infrastructure/terragrunt/aws/load-balancer/**'
              - 'infrastructure/terragrunt/env/prod/load-balancer/**'
            network:
              - 'infrastructure/terragrunt/aws/network/**'
              - 'infrastructure/terragrunt/env/prod/network/**'
            storage:
              - 'infrastructure/terragrunt/aws/storage/**'
              - 'infrastructure/terragrunt/env/prod/storage/**'

      # Short-lived credentials via OIDC (id-token:write); no static AWS keys
      # are stored for the apply role.
      - name: Configure AWS credentials using OIDC
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::472286471787:role/gc-articles-apply
          role-session-name: TFApply
          aws-region: ${{ env.AWS_REGION }}

      # Modules are applied in dependency order, each one only when its own
      # filter or the `common` filter matched. Steps run sequentially, so a
      # failing apply stops the chain before its dependants.

      # Tier 1: no dependencies on other modules.
      - name: Terragrunt apply network
        if: steps.filter.outputs.network == 'true' || steps.filter.outputs.common == 'true'
        working-directory: infrastructure/terragrunt/env/prod/network
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

      - name: Terragrunt apply hosted-zone
        if: steps.filter.outputs.hosted-zone == 'true' || steps.filter.outputs.common == 'true'
        working-directory: infrastructure/terragrunt/env/prod/hosted-zone
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

      - name: Terragrunt apply ecr
        if: steps.filter.outputs.ecr == 'true' || steps.filter.outputs.common == 'true'
        working-directory: infrastructure/terragrunt/env/prod/ecr
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

      - name: Terragrunt apply storage
        if: steps.filter.outputs.storage == 'true' || steps.filter.outputs.common == 'true'
        working-directory: infrastructure/terragrunt/env/prod/storage
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

      # Tier 2: depend on network.
      - name: Terragrunt apply database
        if: steps.filter.outputs.database == 'true' || steps.filter.outputs.common == 'true'
        working-directory: infrastructure/terragrunt/env/prod/database
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

      - name: Terragrunt apply load-balancer
        if: steps.filter.outputs.load-balancer == 'true' || steps.filter.outputs.common == 'true'
        working-directory: infrastructure/terragrunt/env/prod/load-balancer
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

      # Tier 3: depends on load-balancer and database.
      - name: Terragrunt apply ecs
        if: steps.filter.outputs.ecs == 'true' || steps.filter.outputs.common == 'true'
        working-directory: infrastructure/terragrunt/env/prod/ecs
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

      # Tier 4: depends on everything above.
      - name: Terragrunt apply alarms
        if: steps.filter.outputs.alarms == 'true' || steps.filter.outputs.common == 'true'
        working-directory: infrastructure/terragrunt/env/prod/alarms
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

      # Deployment audit record, sent whether the applies succeeded or not
      # (`always()`); `job.status` carries the outcome. The sha/version pair
      # records both the triggering commit and the infrastructure ref applied.
      - name: Report deployment to Sentinel
        if: always()
        uses: cds-snc/sentinel-forward-data-action@main
        with:
          input_data: '{"product": "articles", "sha": "${{ github.sha }}", "version": "Infrastructure ${{ env.TARGET_VERSION }}", "repository": "${{ github.repository }}", "environment": "production", "status": "${{ job.status }}"}'
          log_type: CDS_Product_Deployment_Data
          log_analytics_workspace_id: ${{ secrets.LOG_ANALYTICS_WORKSPACE_ID }}
          log_analytics_workspace_key: ${{ secrets.LOG_ANALYTICS_WORKSPACE_KEY }}