update tf plan job to display a plan for key rotation. make key rotat…

…ion job action configurable, plans by default
CDCgov · Mar 13, 2024 · 1534551 · 1534551
1 parent 43acdd6
commit 1534551
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 80 deletions.
diff --git a/.github/actions/key-replace/action.yml b/.github/actions/key-replace/action.yml
@@ -22,6 +22,10 @@ inputs:
   okta_api_token:
     description: Okta API token
     required: true
+  terraform_action:
+    description: Terraform Action ( plan | apply )
+    default: plan
+    required: false
 
 runs:
   using: composite
@@ -42,7 +46,7 @@ runs:
         OKTA_API_TOKEN: ${{ inputs.okta_api_token }}
       shell: bash
       run: make init-${{ inputs.deploy_env }}
-    - name: Terraform Key Rotation
+    - name: Terraform Key Rotation Plan
       working-directory: ./ops
       env: # all Azure interaction is through Terraform
         ARM_CLIENT_ID: ${{ inputs.terraform_arm_client_id }}
@@ -51,4 +55,4 @@ runs:
         ARM_TENANT_ID: ${{ inputs.terraform_arm_tenant_id }}
         OKTA_API_TOKEN: ${{ inputs.okta_api_token }}
       shell: bash
-      run: terraform -chdir=${{ inputs.deploy_env }}/persistent apply -auto-approve -lock-timeout=30m -replace="module.keys.random_password.db_administrator_password" -target="module.keys.random_password.db_administrator_password"
+      run: terraform -chdir=${{ inputs.deploy_env }}/persistent ${{ inputs.terraform_action }} -auto-approve -lock-timeout=30m -replace="module.keys.random_password.db_administrator_password" -target="module.keys.random_password.db_administrator_password"
diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml
diff --git a/.github/workflows/deployDev.yml b/.github/workflows/deployDev.yml
@@ -70,26 +70,9 @@ jobs:
           okta_url: https://hhs-prime.oktapreview.com
           okta_client_id: ${{ vars.OKTA_CLIENT_ID }}
 
-  key_rotation:
-    runs-on: ubuntu-latest
-    needs: [build_frontend, build_docker]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/key-replace
-        name: Replace keys
-        if: inputs.replace_keys == 'true'
-        with:
-          azure_creds: ${{ secrets.AZURE_CREDENTIALS }}
-          deploy_env: ${{ inputs.deploy_env }}
-          terraform_arm_client_id: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }}
-          terraform_arm_client_secret: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }}
-          terraform_arm_subscription_id: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }}
-          terraform_arm_tenant_id: ${{ secrets.TERRAFORM_ARM_TENANT_ID }}
-          okta_api_token: ${{ secrets.OKTA_API_TOKEN_NONPROD }}
-
   prerelease:
     runs-on: ubuntu-latest
-    needs: [build_frontend, build_docker, replace_keys]
+    needs: [build_frontend, build_docker]
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/key-replace
@@ -103,6 +86,7 @@ jobs:
           terraform_arm_subscription_id: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }}
           terraform_arm_tenant_id: ${{ secrets.TERRAFORM_ARM_TENANT_ID }}
           okta_api_token: ${{ secrets.OKTA_API_TOKEN_NONPROD }}
+          terraform_action: apply
       - uses: ./.github/actions/tf-deploy
         name: Deploy with Terraform
         with:

diff --git a/.github/workflows/terraformPlan.yml b/.github/workflows/terraformPlan.yml
@@ -74,33 +74,25 @@ jobs:
           deploy-env: ${{ matrix.env }}
       - name: Terraform plan
         run: make plan-${{ matrix.env }}
-
-  terraform_plan_replace_secrets:
-    needs: matrix_prep
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix: ${{fromJson(needs.matrix_prep.outputs.matrix)}}
-    defaults:
-      run:
-        working-directory: ./ops
-    steps:
-      - uses: actions/checkout@v4
-      - uses: azure/login@v2
-        with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
-      - name: Use prod Okta token if required
+      - name: Terraform key rotation prod plan
         if: ${{ matrix.env == 'prod' || matrix.env == 'stg' || matrix.env == 'training' }}
-        run: |
-          echo "OKTA_API_TOKEN=${{ secrets.OKTA_API_TOKEN }}" >> "$GITHUB_ENV"
-      - uses: hashicorp/[email protected]
+        uses: ./.github/actions/key-replace
         with:
-          terraform_version: 1.3.3
-      - name: Terraform Init
-        run: make init-${{ matrix.env }}
-      - name: Build ReportStream function app
-        uses: ./.github/actions/build-reportstream-functions
+          azure_creds: ${{ secrets.AZURE_CREDENTIALS }}
+          deploy_env: ${{ matrix.env }}
+          terraform_arm_client_id: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }}
+          terraform_arm_client_secret: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }}
+          terraform_arm_subscription_id: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }}
+          terraform_arm_tenant_id: ${{ secrets.TERRAFORM_ARM_TENANT_ID }}
+          okta_api_token: ${{ secrets.OKTA_API_TOKEN }}
+      - name: Terraform key rotation plan
+        if: ${{ matrix.env != 'prod' && matrix.env != 'stg' && matrix.env != 'training' }}
+        uses: ./.github/actions/key-replace
         with:
-          deploy-env: ${{ matrix.env }}
-      - name: Terraform plan
-        run: make plan-${{ matrix.env }}
+          azure_creds: ${{ secrets.AZURE_CREDENTIALS }}
+          deploy_env: ${{ matrix.env }}
+          terraform_arm_client_id: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }}
+          terraform_arm_client_secret: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }}
+          terraform_arm_subscription_id: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }}
+          terraform_arm_tenant_id: ${{ secrets.TERRAFORM_ARM_TENANT_ID }}
+          okta_api_token: ${{ secrets.OKTA_API_TOKEN_NONPROD }}