Skip to content

chore: GCForms release v3.23.1 #2866

chore: GCForms release v3.23.1

chore: GCForms release v3.23.1 #2866

name: "Terragrunt plan PRODUCTION"
on:
pull_request:
branches:
- "develop"
paths:
- "version.txt"
permissions:
id-token: write
contents: read
pull-requests: write
env:
APP_ENV: production
APP_DOMAINS: ${{ vars.PRODUCTION_APP_DOMAINS }}
API_DOMAIN: ${{ vars.PRODUCTION_API_DOMAIN }}
IDP_DOMAIN: ${{ vars.PRODUCTION_IDP_DOMAIN }}
AWS_ACCOUNT_ID: ${{ vars.PRODUCTION_AWS_ACCOUNT_ID }}
AWS_REGION: ca-central-1
CONFTEST_VERSION: 0.46.0
TERRAFORM_VERSION: 1.9.2
TERRAGRUNT_VERSION: 0.63.2
TF_INPUT: false
# API
FF_API: true
TF_VAR_zitadel_application_key: ${{ secrets.PRODUCTION_ZITADEL_APPLICATION_KEY }}
# App
TF_VAR_ecs_secret_token: ${{ secrets.PRODUCTION_TOKEN_SECRET }}
TF_VAR_recaptcha_secret: ${{ secrets.PRODUCTION_RECAPTCHA_SITE_SECRET }}
TF_VAR_recaptcha_public: 6LfuLrQnAAAAAK9Df3gem4XLMRVY2Laq6t2fhZhZ
TF_VAR_notify_callback_bearer_token: ${{ secrets.PRODUCTION_GC_NOTIFY_CALLBACK_BEARER_TOKEN }}
TF_VAR_notify_api_key: ${{ secrets.PRODUCTION_NOTIFY_API_KEY }}
TF_VAR_freshdesk_api_key: ${{ secrets.PRODUCTION_FRESHDESK_API_KEY }}
TF_VAR_rds_connector_db_password: ${{ secrets.PRODUCTION_DB_PASSWORD_RDS_CONNECTOR }}
TF_VAR_rds_db_password: ${{ secrets.PRODUCTION_DB_PASSWORD }}
TF_VAR_slack_webhook: ${{ secrets.PRODUCTION_SLACK_WEBHOOK }}
TF_VAR_opsgenie_api_key: ${{ secrets.PRODUCTION_OPSGENIE_API_KEY }}
TF_VAR_gc_temp_token_template_id: 61cec9c4-64ca-4e4d-b4d2-a0e931c44422
TF_VAR_gc_template_id: 92096ac6-1cc5-40ae-9052-fffdb8439a90
TF_VAR_cognito_code_template_id: 8dde39b6-05b9-43ce-807f-c2364ed3bdb6
TF_VAR_email_address_contact_us: ${{ vars.PRODUCTION_CONTACT_US_EMAIL }}
TF_VAR_email_address_support: ${{ vars.PRODUCTION_SUPPORT_EMAIL }}
TF_VAR_zitadel_provider: ${{ vars.PRODUCTION_ZITADEL_PROVIDER }}
# IdP
FF_IDP: true
TF_VAR_idp_database_cluster_admin_username: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
TF_VAR_idp_database_cluster_admin_password: ${{ secrets.PRODUCTION_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
TF_VAR_zitadel_admin_password: ${{ secrets.PRODUCTION_ZITADEL_ADMIN_PASSWORD }}
TF_VAR_zitadel_admin_username: ${{ secrets.PRODUCTION_ZITADEL_ADMIN_USERNAME }}
TF_VAR_zitadel_database_name: ${{ secrets.PRODUCTION_ZITADEL_DATABASE_NAME }}
TF_VAR_zitadel_database_user_password: ${{ secrets.PRODUCTION_ZITADEL_DATABASE_USER_PASSWORD }}
TF_VAR_zitadel_database_user_username: ${{ secrets.PRODUCTION_ZITADEL_DATABASE_USER_USERNAME }}
TF_VAR_zitadel_secret_key: ${{ secrets.PRODUCTION_ZITADEL_SECRET_KEY }}
jobs:
get-version:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.get-version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Get version to deploy
id: get-version
uses: ./.github/workflows/get-version
with:
is-tagged: ${{ !startsWith(github.head_ref, 'release-please--') }} # If not the release PR branch, assume it is a revert PR
generate-lambda-functions-matrix:
needs: get-version
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.get-version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.VERSION }}
- name: Generate matrix
id: generate-matrix
run: |
LAMBDA_ARRAY=$(echo $(cat ./.github/production-lambda-functions.conf) | sed 's/ //g' )
echo "matrix=$LAMBDA_ARRAY" >> $GITHUB_OUTPUT
outputs:
lambda-functions-matrix: ${{ steps.generate-matrix.outputs.matrix }}
test-lambda-code:
needs: [get-version, generate-lambda-functions-matrix]
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.get-version.outputs.version }}
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.generate-lambda-functions-matrix.outputs.lambda-functions-matrix) }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.VERSION }}
- name: Test Lambda code
uses: ./.github/workflows/test-lambda-code
with:
lambda-directory: lambda-code/${{ matrix.image }}
lambda-name: ${{ matrix.image }}
build-lambda-images:
needs: [get-version, generate-lambda-functions-matrix]
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.get-version.outputs.version }}
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.generate-lambda-functions-matrix.outputs.lambda-functions-matrix) }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.VERSION }}
- name: Build Lambda images
uses: ./.github/workflows/build-lambda-images
with:
lambda-directory: lambda-code/${{ matrix.image }}
lambda-name: ${{ matrix.image }}
build-idp-image:
needs: get-version
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.get-version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.VERSION }}
- name: Build IdP image
working-directory: idp
run: |
make build
terragrunt-plan:
needs: get-version
runs-on: ubuntu-latest
env:
VERSION: ${{ needs.get-version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.VERSION }}
# Setup Terraform, Terragrunt, and Conftest
- name: Setup terraform tools
uses: cds-snc/terraform-tools-setup@v1
- name: Configure AWS credentials using OIDC
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-plan
role-session-name: TFPlan
aws-region: ${{ env.AWS_REGION }}
# No dependencies
- name: Terragrunt plan ecr
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/ecr"
comment-delete: "true"
comment-title: "Production: ecr"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan hosted_zone
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/hosted_zone"
comment-delete: "true"
comment-title: "Production: hosted_zone"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan kms
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/kms"
comment-delete: "true"
comment-title: "Production: kms"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan oidc_roles
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/oidc_roles"
comment-delete: "true"
comment-title: "Production: oidc_roles"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan sqs
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/sqs"
comment-delete: "true"
comment-title: "Production: sqs"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan secrets
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/secrets"
comment-delete: "true"
comment-title: "Production: secrets"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan s3
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/s3"
comment-delete: "true"
comment-title: "Production: s3"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
# Depends on S3
- name: Terragrunt plan file_scanning
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/file_scanning"
comment-delete: "true"
comment-title: "Production: file_scanning"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
# Depends on kms
- name: Terragrunt plan sns
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/sns"
comment-delete: "true"
comment-title: "Production: sns"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan cognito
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/cognito"
comment-delete: "true"
comment-title: "Production: cognito"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan network
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/network"
comment-delete: "true"
comment-title: "Production: network"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan dynamodb
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/dynamodb"
comment-delete: "true"
comment-title: "Production: dynamodb"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
# Depends on network
- name: Terragrunt plan load_balancer
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/load_balancer"
comment-delete: "true"
comment-title: "Production: load_balancer"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan redis
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/redis"
comment-delete: "true"
comment-title: "Production: redis"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan rds
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/rds"
comment-delete: "true"
comment-title: "Production: rds"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan idp
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/idp"
comment-delete: "true"
comment-title: "Production: idp"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
# Depends on everything
- name: Terragrunt plan app
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/app"
comment-delete: "true"
comment-title: "Production: app"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan api
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/api"
comment-delete: "true"
comment-title: "Production: api"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan lambdas
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/lambdas"
comment-delete: "true"
comment-title: "Production: lambdas"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"
- name: Terragrunt plan alarms
uses: cds-snc/terraform-plan@4719878d72d1b0078e0bce2e7571e854e79903b8 # v3.2.2
with:
directory: "env/cloud/alarms"
comment-delete: "true"
comment-title: "Production: alarms"
github-token: "${{ secrets.GITHUB_TOKEN }}"
terragrunt: "true"