chore: GCForms release v3.27.0 #2910
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Terragrunt plan PRODUCTION" | |
on: | |
pull_request: | |
branches: | |
- main | |
paths: | |
- "version.txt" | |
permissions: | |
id-token: write | |
contents: read | |
pull-requests: write | |
env: | |
APP_ENV: production | |
APP_DOMAINS: ${{ vars.PRODUCTION_APP_DOMAINS }} | |
API_DOMAIN: ${{ vars.PRODUCTION_API_DOMAIN }} | |
IDP_DOMAIN: ${{ vars.PRODUCTION_IDP_DOMAIN }} | |
AWS_ACCOUNT_ID: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }} | |
AWS_REGION: ca-central-1 | |
CONFTEST_VERSION: 0.46.0 | |
TERRAFORM_VERSION: 1.9.8 | |
TERRAGRUNT_VERSION: 0.69.0 | |
TF_INPUT: false | |
# API | |
TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }} | |
# App | |
TF_VAR_ecs_secret_token: ${{ secrets.PRODUCTION_TOKEN_SECRET }} | |
TF_VAR_recaptcha_secret: ${{ secrets.PRODUCTION_RECAPTCHA_SITE_SECRET }} | |
TF_VAR_recaptcha_public: 6LfuLrQnAAAAAK9Df3gem4XLMRVY2Laq6t2fhZhZ | |
TF_VAR_notify_callback_bearer_token: ${{ secrets.PRODUCTION_GC_NOTIFY_CALLBACK_BEARER_TOKEN }} | |
TF_VAR_notify_api_key: ${{ secrets.PRODUCTION_NOTIFY_API_KEY }} | |
TF_VAR_freshdesk_api_key: ${{ secrets.PRODUCTION_FRESHDESK_API_KEY }} | |
TF_VAR_rds_connector_db_password: ${{ secrets.PRODUCTION_DB_PASSWORD_RDS_CONNECTOR }} | |
TF_VAR_rds_db_password: ${{ secrets.PRODUCTION_DB_PASSWORD }} | |
TF_VAR_slack_webhook: ${{ secrets.PRODUCTION_SLACK_WEBHOOK }} | |
TF_VAR_opsgenie_api_key: ${{ secrets.PRODUCTION_OPSGENIE_API_KEY }} | |
TF_VAR_gc_temp_token_template_id: 61cec9c4-64ca-4e4d-b4d2-a0e931c44422 | |
TF_VAR_gc_template_id: 92096ac6-1cc5-40ae-9052-fffdb8439a90 | |
TF_VAR_cognito_code_template_id: 8dde39b6-05b9-43ce-807f-c2364ed3bdb6 | |
TF_VAR_email_address_contact_us: ${{ vars.PRODUCTION_CONTACT_US_EMAIL }} | |
TF_VAR_email_address_support: ${{ vars.PRODUCTION_SUPPORT_EMAIL }} | |
TF_VAR_zitadel_provider: ${{ vars.PRODUCTION_ZITADEL_PROVIDER }} | |
TF_VAR_zitadel_administration_key: ${{ secrets.PRODUCTION_ZITADEL_ADMINISTRATION_KEY }} | |
# IdP | |
TF_VAR_idp_database_cluster_admin_username: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }} | |
TF_VAR_idp_database_cluster_admin_password: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }} | |
TF_VAR_zitadel_admin_password: ${{ secrets.PRODUCTION_ZITADEL_ADMIN_PASSWORD }} | |
TF_VAR_zitadel_admin_username: ${{ secrets.PRODUCTION_ZITADEL_ADMIN_USERNAME }} | |
TF_VAR_zitadel_database_name: ${{ secrets.PRODUCTION_ZITADEL_DATABASE_NAME }} | |
TF_VAR_zitadel_database_user_password: ${{ secrets.PRODUCTION_ZITADEL_DATABASE_USER_PASSWORD }} | |
TF_VAR_zitadel_database_user_username: ${{ secrets.PRODUCTION_ZITADEL_DATABASE_USER_USERNAME }} | |
TF_VAR_zitadel_secret_key: ${{ secrets.PRODUCTION_ZITADEL_SECRET_KEY }} | |
jobs: | |
get-version: | |
runs-on: ubuntu-latest | |
outputs: | |
version: ${{ steps.get-version.outputs.version }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Get version to deploy | |
id: get-version | |
uses: ./.github/workflows/get-version | |
with: | |
is-tagged: ${{ !startsWith(github.head_ref, 'release-please--') }} # If not the release PR branch, assume it is a revert PR | |
generate-lambda-functions-matrix: | |
needs: get-version | |
runs-on: ubuntu-latest | |
env: | |
VERSION: ${{ needs.get-version.outputs.version }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ env.VERSION }} | |
- name: Generate matrix | |
id: generate-matrix | |
run: | | |
LAMBDA_ARRAY=$(echo $(cat ./.github/production-lambda-functions.conf) | sed 's/ //g' ) | |
echo "matrix=$LAMBDA_ARRAY" >> $GITHUB_OUTPUT | |
outputs: | |
lambda-functions-matrix: ${{ steps.generate-matrix.outputs.matrix }} | |
test-lambda-code: | |
needs: [get-version, generate-lambda-functions-matrix] | |
runs-on: ubuntu-latest | |
env: | |
VERSION: ${{ needs.get-version.outputs.version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
image: ${{ fromJSON(needs.generate-lambda-functions-matrix.outputs.lambda-functions-matrix) }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ env.VERSION }} | |
- name: Test Lambda code | |
uses: ./.github/workflows/test-lambda-code | |
with: | |
lambda-directory: lambda-code/${{ matrix.image }} | |
lambda-name: ${{ matrix.image }} | |
build-lambda-images: | |
needs: [get-version, generate-lambda-functions-matrix] | |
runs-on: ubuntu-latest | |
env: | |
VERSION: ${{ needs.get-version.outputs.version }} | |
strategy: | |
fail-fast: false | |
matrix: | |
image: ${{ fromJSON(needs.generate-lambda-functions-matrix.outputs.lambda-functions-matrix) }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ env.VERSION }} | |
- name: Build Lambda images | |
uses: ./.github/workflows/build-lambda-images | |
with: | |
lambda-directory: lambda-code/${{ matrix.image }} | |
lambda-name: ${{ matrix.image }} | |
build-idp-image: | |
needs: get-version | |
runs-on: ubuntu-latest | |
env: | |
VERSION: ${{ needs.get-version.outputs.version }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ env.VERSION }} | |
- name: Build IdP image | |
working-directory: idp | |
run: | | |
make build | |
terragrunt-plan: | |
needs: get-version | |
runs-on: ubuntu-latest | |
env: | |
VERSION: ${{ needs.get-version.outputs.version }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ env.VERSION }} | |
# Setup Terraform, Terragrunt, and Conftest | |
- name: Setup terraform tools | |
uses: cds-snc/terraform-tools-setup@v1 | |
- name: Configure AWS credentials using OIDC | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-plan | |
role-session-name: TFPlan | |
aws-region: ${{ env.AWS_REGION }} | |
# No dependencies | |
- name: Terragrunt plan ecr | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/ecr" | |
comment-delete: "true" | |
comment-title: "Production: ecr" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan hosted_zone | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/hosted_zone" | |
comment-delete: "true" | |
comment-title: "Production: hosted_zone" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan kms | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/kms" | |
comment-delete: "true" | |
comment-title: "Production: kms" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan oidc_roles | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/oidc_roles" | |
comment-delete: "true" | |
comment-title: "Production: oidc_roles" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan sqs | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/sqs" | |
comment-delete: "true" | |
comment-title: "Production: sqs" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan secrets | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/secrets" | |
comment-delete: "true" | |
comment-title: "Production: secrets" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan s3 | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/s3" | |
comment-delete: "true" | |
comment-title: "Production: s3" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
# Depends on S3 | |
- name: Terragrunt plan file_scanning | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/file_scanning" | |
comment-delete: "true" | |
comment-title: "Production: file_scanning" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
# Depends on kms | |
- name: Terragrunt plan sns | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/sns" | |
comment-delete: "true" | |
comment-title: "Production: sns" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan cognito | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/cognito" | |
comment-delete: "true" | |
comment-title: "Production: cognito" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan network | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/network" | |
comment-delete: "true" | |
comment-title: "Production: network" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan dynamodb | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/dynamodb" | |
comment-delete: "true" | |
comment-title: "Production: dynamodb" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
# Depends on network | |
- name: Terragrunt plan load_balancer | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/load_balancer" | |
comment-delete: "true" | |
comment-title: "Production: load_balancer" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan redis | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/redis" | |
comment-delete: "true" | |
comment-title: "Production: redis" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan rds | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/rds" | |
comment-delete: "true" | |
comment-title: "Production: rds" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan idp | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/idp" | |
comment-delete: "true" | |
comment-title: "Production: idp" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
# Depends on everything | |
- name: Terragrunt plan app | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/app" | |
comment-delete: "true" | |
comment-title: "Production: app" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan api | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/api" | |
comment-delete: "true" | |
comment-title: "Production: api" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan lambdas | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/lambdas" | |
comment-delete: "true" | |
comment-title: "Production: lambdas" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" | |
- name: Terragrunt plan alarms | |
uses: cds-snc/terraform-plan@25afd759b2ada46a94b011fab7a81963c4f3a61a # v3.3.0 | |
with: | |
directory: "env/cloud/alarms" | |
comment-delete: "true" | |
comment-title: "Production: alarms" | |
github-token: "${{ secrets.GITHUB_TOKEN }}" | |
terragrunt: "true" |