
chore: downgrade to Zitadel v2.61.1 (#833) #501

chore: downgrade to Zitadel v2.61.1 (#833)

chore: downgrade to Zitadel v2.61.1 (#833) #501

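name: "Terragrunt apply STAGING"

# `on:` is left unquoted to match GitHub Actions convention; yamllint's `truthy`
# rule flags it, but GitHub's loader reads it as the trigger key.
on:
  workflow_dispatch:
  push:
    branches: [develop]
    paths:
      - "aws/**"
      - "env/common/**"
      - "env/cloud/**"
      - "idp/**"
      - "lambda-code/**"
      - ".github/workflows/terragrunt-apply-staging.yml"

# Least-privilege token: the OIDC id-token is writable so the jobs can assume the
# AWS deploy role; repository contents are read-only.
permissions:
  id-token: write
  contents: read

# NOTE(review): this `env` block is workflow-level, so every job (including the
# image-build jobs that never run terragrunt) receives all TF_VAR_* secrets in its
# environment. Moving the TF_VAR_* entries to the terragrunt jobs would narrow
# the exposure without changing what gets deployed.
env:
  APP_ENV: staging
  APP_DOMAINS: ${{ vars.STAGING_APP_DOMAINS }}
  API_DOMAIN: ${{ vars.STAGING_API_DOMAIN }}
  IDP_DOMAIN: ${{ vars.STAGING_IDP_DOMAIN }}
  AWS_ACCOUNT_ID: ${{ vars.STAGING_AWS_ACCOUNT_ID }}
  AWS_REGION: ca-central-1
  # Version strings and flags are quoted so YAML never retypes them; GitHub
  # exports env values as strings either way.
  TERRAFORM_VERSION: "1.9.2"
  TERRAGRUNT_VERSION: "0.63.2"
  TF_INPUT: "false"
  # API
  FF_API: "true"
  TF_VAR_zitadel_application_key: ${{ secrets.STAGING_ZITADEL_APPLICATION_KEY }}
  # App
  TF_VAR_ecs_secret_token: ${{ secrets.STAGING_TOKEN_SECRET }}
  TF_VAR_recaptcha_secret: ${{ secrets.STAGING_RECAPTCHA_SITE_SECRET }}
  # Presumably the public (client-visible) reCAPTCHA site key; the matching
  # secret key comes from `secrets.*` above.
  TF_VAR_recaptcha_public: "6LfJDN4eAAAAAGvdRF7ZnQ7ciqdo1RQnQDFmh0VY"
  TF_VAR_notify_callback_bearer_token: ${{ secrets.STAGING_GC_NOTIFY_CALLBACK_BEARER_TOKEN }}
  TF_VAR_notify_api_key: ${{ secrets.STAGING_NOTIFY_API_KEY }}
  TF_VAR_freshdesk_api_key: ${{ secrets.STAGING_FRESHDESK_API_KEY }}
  TF_VAR_sentry_api_key: ${{ secrets.STAGING_SENTRY_API_KEY }}
  TF_VAR_rds_connector_db_password: ${{ secrets.STAGING_DB_PASSWORD_RDS_CONNECTOR }}
  TF_VAR_rds_db_password: ${{ secrets.STAGING_DB_PASSWORD }}
  TF_VAR_slack_webhook: ${{ secrets.STAGING_SLACK_WEBHOOK }}
  TF_VAR_opsgenie_api_key: ${{ secrets.STAGING_OPSGENIE_API_KEY }}
  # Template identifiers (the notify API key itself is a secret above).
  TF_VAR_gc_temp_token_template_id: "b6885d06-d10a-422a-973f-05e274d9aa86"
  TF_VAR_gc_template_id: "8d597a1b-a1d6-4e3c-8421-042a2b4158b7"
  TF_VAR_cognito_code_template_id: "12a18f84-062c-4a67-8310-bf114af051ea"
  TF_VAR_email_address_contact_us: ${{ vars.STAGING_CONTACT_US_EMAIL }}
  TF_VAR_email_address_support: ${{ vars.STAGING_SUPPORT_EMAIL }}
  TF_VAR_zitadel_provider: ${{ vars.STAGING_ZITADEL_PROVIDER }}
  TF_VAR_zitadel_administration_key: ${{ secrets.STAGING_ZITADEL_ADMINISTRATION_KEY }}
  # IdP
  FF_IDP: "true"
  TF_VAR_idp_database_cluster_admin_username: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_USERNAME }}
  TF_VAR_idp_database_cluster_admin_password: ${{ secrets.STAGING_IDP_DATABASE_CLUSTER_ADMIN_PASSWORD }}
  TF_VAR_zitadel_admin_password: ${{ secrets.STAGING_ZITADEL_ADMIN_PASSWORD }}
  TF_VAR_zitadel_admin_username: ${{ secrets.STAGING_ZITADEL_ADMIN_USERNAME }}
  TF_VAR_zitadel_database_name: ${{ secrets.STAGING_ZITADEL_DATABASE_NAME }}
  TF_VAR_zitadel_database_user_password: ${{ secrets.STAGING_ZITADEL_DATABASE_USER_PASSWORD }}
  TF_VAR_zitadel_database_user_username: ${{ secrets.STAGING_ZITADEL_DATABASE_USER_USERNAME }}
  TF_VAR_zitadel_secret_key: ${{ secrets.STAGING_ZITADEL_SECRET_KEY }}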
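jobs:
  # We deploy ECR first to make sure it is available for the 'build-tag-push-lambda-images' job which will be run in parallel with `terragrunt-apply-all-modules`
  terragrunt-apply-ecr-only:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Setup terraform tools
        # NOTE(review): `@v1` is a mutable tag, unlike the SHA-pinned actions in
        # this workflow; pin it to a commit SHA so a retargeted tag cannot change
        # the code that runs with the deploy role.
        uses: cds-snc/terraform-tools-setup@v1
      - name: Configure AWS credentials using OIDC
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
          role-session-name: TFApply
          aws-region: ${{ env.AWS_REGION }}
      - name: Terragrunt apply ecr
        working-directory: env/cloud/ecr
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  # Emits the list of lambda directories touched by this push (from
  # .github/lambda-filter.yml); an empty list means no image rebuild.
  detect-lambda-changes:
    needs: terragrunt-apply-ecr-only
    runs-on: ubuntu-latest
    outputs:
      lambda-to-rebuild: ${{ steps.filter.outputs.changes }}
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Filter
        id: filter
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: .github/lambda-filter.yml

  # Same idea for the IdP image: `changes` is non-empty only when idp/** changed.
  detect-idp-changes:
    needs: terragrunt-apply-ecr-only
    runs-on: ubuntu-latest
    outputs:
      changes: ${{ steps.filter.outputs.changes }}
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Filter
        id: filter
        uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
        with:
          filters: |
            idp:
              - 'idp/**'

  build-tag-push-lambda-images:
    needs: detect-lambda-changes
    if: ${{ needs.detect-lambda-changes.outputs.lambda-to-rebuild != '[]' }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image: ${{ fromJSON(needs.detect-lambda-changes.outputs.lambda-to-rebuild) }}
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Build Lambda images
        uses: ./.github/workflows/build-lambda-images
        with:
          lambda-directory: lambda-code/${{ matrix.image }}
          lambda-name: ${{ matrix.image }}
      - name: Tag and push Lambda images
        uses: ./.github/workflows/tag-and-push-docker-images
        with:
          aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
          aws-role-session-name: TFApply
          aws-region: ${{ env.AWS_REGION }}
          image-name: ${{ matrix.image }}
          image-tag: ${{ github.sha }}

  build-tag-push-idp-image:
    needs: detect-idp-changes
    if: ${{ needs.detect-idp-changes.outputs.changes != '[]' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Build IdP image
        working-directory: idp
        run: |
          make build
      - name: Tag and push IdP image
        uses: ./.github/workflows/tag-and-push-docker-images
        with:
          aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
          aws-role-session-name: TFApply
          aws-region: ${{ env.AWS_REGION }}
          image-name: idp/zitadel
          image-tag: ${{ github.sha }}
          repository-suffix: ""

  # Runs after the image jobs even when they were skipped (nothing changed), but
  # not after a failure or cancellation. Modules are applied one by one in
  # dependency order, so do not convert these steps into a parallel matrix.
  terragrunt-apply-all-modules:
    needs: [build-tag-push-lambda-images, build-tag-push-idp-image]
    if: ${{ !failure() && !cancelled() }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Setup terraform tools
        # NOTE(review): mutable `@v1` tag; see the same step in
        # terragrunt-apply-ecr-only — pin to a commit SHA.
        uses: cds-snc/terraform-tools-setup@v1
      - name: Configure AWS credentials using OIDC
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
          role-session-name: TFApply
          aws-region: ${{ env.AWS_REGION }}
      - name: Terragrunt apply hosted_zone
        working-directory: env/cloud/hosted_zone
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply kms
        working-directory: env/cloud/kms
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply oidc_roles
        working-directory: env/cloud/oidc_roles
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply sqs
        working-directory: env/cloud/sqs
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply secrets
        working-directory: env/cloud/secrets
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply s3
        working-directory: env/cloud/s3
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      # Depends on S3
      - name: Terragrunt apply file_scanning
        working-directory: env/cloud/file_scanning
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      # Depends on kms
      - name: Terragrunt apply sns
        working-directory: env/cloud/sns
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply cognito
        working-directory: env/cloud/cognito
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply network
        working-directory: env/cloud/network
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply dynamodb
        working-directory: env/cloud/dynamodb
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      # Depends on network
      - name: Terragrunt apply load_balancer
        working-directory: env/cloud/load_balancer
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply redis
        working-directory: env/cloud/redis
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply rds
        working-directory: env/cloud/rds
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply idp
        working-directory: env/cloud/idp
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      # Depends on everything
      - name: Terragrunt apply app
        working-directory: env/cloud/app
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply api
        working-directory: env/cloud/api
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply lambdas
        working-directory: env/cloud/lambdas
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply alarms
        working-directory: env/cloud/alarms
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply load_testing
        working-directory: env/cloud/load_testing
        run: terragrunt apply --terragrunt-non-interactive -auto-approve
      - name: Terragrunt apply pr_review
        working-directory: env/cloud/pr_review
        run: terragrunt apply --terragrunt-non-interactive -auto-approve

  # Points the rebuilt Lambda functions at the image tagged with this commit SHA.
  update-lambda-function-image:
    needs: [detect-lambda-changes, terragrunt-apply-all-modules]
    if: ${{ needs.detect-lambda-changes.outputs.lambda-to-rebuild != '[]' && !failure() && !cancelled() }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        image: ${{ fromJSON(needs.detect-lambda-changes.outputs.lambda-to-rebuild) }}
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Request Lambda functions to use new image
        uses: ./.github/workflows/request-lambda-functions-to-use-new-image
        with:
          aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
          aws-role-session-name: TFApply
          aws-region: ${{ env.AWS_REGION }}
          lambda-name: ${{ matrix.image }}
          image-tag: ${{ github.sha }}

  # Rolls the zitadel ECS service onto the image tagged with this commit SHA.
  update-idp-ecs-service-image:
    needs: [detect-idp-changes, terragrunt-apply-all-modules]
    if: ${{ needs.detect-idp-changes.outputs.changes != '[]' && !failure() && !cancelled() }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      # Step name fixed: "ESC" -> "ECS".
      - name: Update IdP ECS service to use new image
        uses: ./.github/workflows/request-ecs-service-to-use-new-image
        with:
          aws-role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/forms-terraform-apply
          aws-role-session-name: TFApply
          aws-region: ${{ env.AWS_REGION }}
          ecs-cluster-name: idp
          ecs-service-name: zitadel
          ecs-task-def-name: zitadel
          image-tag: "idp/zitadel:${{ github.sha }}"

  notify-on-error:
    needs:
      - terragrunt-apply-ecr-only
      - build-tag-push-lambda-images
      - build-tag-push-idp-image
      - terragrunt-apply-all-modules
      - update-lambda-function-image
      - update-idp-ecs-service-image
    if: ${{ failure() && !cancelled() }}
    runs-on: ubuntu-latest
    steps:
      - name: Send error message on Slack
        # Every expression value reaches the script through the environment and
        # is read as a shell variable, so nothing is spliced into the script text
        # by the expression engine. The webhook path stays masked in logs either
        # way; keeping it out of the command line is the conventional pattern.
        env:
          WORKFLOW_URL: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
          WORKFLOW_NAME: "${{ github.workflow }}"
          SLACK_WEBHOOK_PATH: ${{ secrets.STAGING_SLACK_WEBHOOK }}
        shell: bash
        run: |
          set -euo pipefail
          # jq (preinstalled on ubuntu-latest) JSON-escapes the name and URL, so a
          # quote in the workflow name can no longer break the payload.
          json="$(jq -cn --arg url "$WORKFLOW_URL" --arg name "$WORKFLOW_NAME" \
            '{channel: "#forms-staging-events",
              blocks: [{type: "section",
                        text: {type: "mrkdwn",
                               text: (":red: GitHub workflow failed: <" + $url + "|" + $name + ">")}}]}')"
          # --fail makes an HTTP error from Slack fail the step instead of passing silently.
          curl --fail --silent --show-error -X POST -H 'Content-type: application/json' \
            --data "$json" "https://hooks.slack.com${SLACK_WEBHOOK_PATH}"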