From 15345512d3f048fe6f56317d10fc8088c9a5ee9e Mon Sep 17 00:00:00 2001
From: Alis Akers
Date: Wed, 13 Mar 2024 16:50:25 -0700
Subject: [PATCH] update tf plan job to display a plan for key rotation. make key rotation job action configurable, plans by default
---
 .github/actions/key-replace/action.yml | 8 +++--
 .github/workflows/comment.yml | 33 ------------------
 .github/workflows/deployDev.yml | 20 ++--------
 .github/workflows/terraformPlan.yml | 46 +++++++++++---------------
 4 files changed, 27 insertions(+), 80 deletions(-)
 delete mode 100644 .github/workflows/comment.yml
diff --git a/.github/actions/key-replace/action.yml b/.github/actions/key-replace/action.yml
index eecfba77ce..2979c80b21 100644
--- a/.github/actions/key-replace/action.yml
+++ b/.github/actions/key-replace/action.yml
@@ -22,6 +22,10 @@ inputs:
 okta_api_token:
 description: Okta API token
 required: true
+ terraform_action:
+ description: Terraform Action ( plan | apply )
+ default: plan
+ required: false
 runs:
 using: composite
@@ -42,7 +46,7 @@ runs:
 OKTA_API_TOKEN: ${{ inputs.okta_api_token }}
 shell: bash
 run: make init-${{ inputs.deploy_env }}
- - name: Terraform Key Rotation
+ - name: Terraform Key Rotation Plan
 working-directory: ./ops
 env: # all Azure interaction is through Terraform
 ARM_CLIENT_ID: ${{ inputs.terraform_arm_client_id }}
@@ -51,4 +55,4 @@ runs:
 ARM_TENANT_ID: ${{ inputs.terraform_arm_tenant_id }}
 OKTA_API_TOKEN: ${{ inputs.okta_api_token }}
 shell: bash
- run: terraform -chdir=${{ inputs.deploy_env }}/persistent apply -auto-approve -lock-timeout=30m -replace="module.keys.random_password.db_administrator_password" -target="module.keys.random_password.db_administrator_password"
+ run: terraform -chdir=${{ inputs.deploy_env }}/persistent ${{ inputs.terraform_action }} -auto-approve -lock-timeout=30m -replace="module.keys.random_password.db_administrator_password" -target="module.keys.random_password.db_administrator_password"
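Review bot: The new `run:` line in the last hunk passes `-auto-approve` regardless of `terraform_action`, and `terraform plan` does not accept that flag, so the default `plan` invocation should fail before producing any output; the flag belongs only to the `apply` path. The value of `terraform_action` is also spliced into the shell command unvalidated — the first hunk documents it as `( plan | apply )` but nothing enforces that, so a guard in the step is cheap insurance against a caller passing something else. The renamed step `Terraform Key Rotation Plan` misleads when a caller passes `apply`; `name: Terraform Key Rotation (${{ inputs.terraform_action }})` would track the actual action. A step body that validates the input and makes the flag conditional follows.
```yaml
      shell: bash
      run: |
        case "${{ inputs.terraform_action }}" in
          plan|apply) ;;
          *) echo "terraform_action must be 'plan' or 'apply'" >&2; exit 1 ;;
        esac
        terraform -chdir=${{ inputs.deploy_env }}/persistent ${{ inputs.terraform_action }} \
          ${{ inputs.terraform_action == 'apply' && '-auto-approve' || '' }} \
          -lock-timeout=30m \
          -replace="module.keys.random_password.db_administrator_password" \
          -target="module.keys.random_password.db_administrator_password"
```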
diff --git a/.github/workflows/comment.yml b/.github/workflows/comment.yml
deleted file mode 100644
index 953286faf8..0000000000
--- a/.github/workflows/comment.yml
+++ /dev/null
@@ -1,33 +0,0 @@
- - name: Find Comment
- uses: peter-evans/find-comment@v2
- id: fc
- with:
- issue-number: ${{ github.event.pull_request.number }}
- comment-author: 'github-actions[bot]'
- body-includes: Terraform Plan Output
-
- - name: Create comment
- if: steps.fc.outputs.comment-id == ''
- uses: peter-evans/create-or-update-comment@v3
- with:
- issue-number: ${{ github.event.pull_request.number }}
- body: |
- **Terraform Plan Output**
-
- ```diff
- ${{ steps.plan.outputs.tfplan_persistent }}
- ${{ steps.plan.outputs.tfplan }}
- ```
-
- - name: Update comment
- if: steps.fc.outputs.comment-id != ''
- uses: peter-evans/create-or-update-comment@v3
- with:
- comment-id: ${{ steps.fc.outputs.comment-id }}
- body: |
- **Terraform Plan Output**
-
- ```diff
- ${{ steps.plan.outputs.tfplan_persistent }}
- ${{ steps.plan.outputs.tfplan }}
- ```
\ No newline at end of file
diff --git a/.github/workflows/deployDev.yml b/.github/workflows/deployDev.yml
index 8a8ff238c1..3bc20941f8 100644
--- a/.github/workflows/deployDev.yml
+++ b/.github/workflows/deployDev.yml
@@ -70,26 +70,9 @@ jobs: okta_url: https://hhs-prime.oktapreview.com okta_client_id: ${{ vars.OKTA_CLIENT_ID }} - key_rotation: - runs-on: ubuntu-latest - needs: [build_frontend, build_docker] - steps: - - uses: actions/checkout@v4 - - uses: ./.github/actions/key-replace - name: Replace keys - if: inputs.replace_keys == 'true' - with: - azure_creds: ${{ secrets.AZURE_CREDENTIALS }} - deploy_env: ${{ inputs.deploy_env }} - terraform_arm_client_id: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }} - terraform_arm_client_secret: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }} - terraform_arm_subscription_id: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }} - terraform_arm_tenant_id: ${{ secrets.TERRAFORM_ARM_TENANT_ID }} - okta_api_token: ${{ secrets.OKTA_API_TOKEN_NONPROD }} - prerelease: runs-on: ubuntu-latest - needs: [build_frontend, build_docker, replace_keys] + needs: [build_frontend, build_docker] steps: - uses: actions/checkout@v4 - uses: ./.github/actions/key-replace @@ -103,6 +86,7 @@ jobs: terraform_arm_subscription_id: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }} terraform_arm_tenant_id: ${{ secrets.TERRAFORM_ARM_TENANT_ID }} okta_api_token: ${{ secrets.OKTA_API_TOKEN_NONPROD }} + terraform_action: apply - uses: ./.github/actions/tf-deploy name: Deploy with Terraform with: diff --git a/.github/workflows/terraformPlan.yml b/.github/workflows/terraformPlan.yml index 888664f217..6b39b908d3 100644 --- a/.github/workflows/terraformPlan.yml +++ b/.github/workflows/terraformPlan.yml 
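Review bot: `terraform_action: apply` in the second hunk makes the prerelease job's key-replace step rotate the DB administrator password for real on every run that reaches it, whereas the removed `key_rotation` job in the first hunk gated the same action behind `if: inputs.replace_keys == 'true'`. The prerelease step's own `name`/`if` lines fall between the two hunks, so I cannot confirm it carries an equivalent guard; if it does not, either the action's default `plan` or a `replace_keys` condition should be restored before merging, since a targeted `-replace` apply is disruptive and not reversible from the workflow. A short comment above the new input, `# rotates the DB administrator password in place; keep this behind inputs.replace_keys`, would make the intent visible to the next editor.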
@@ -74,33 +74,25 @@ jobs: deploy-env: ${{ matrix.env }} - name: Terraform plan run: make plan-${{ matrix.env }} - - terraform_plan_replace_secrets: - needs: matrix_prep - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: ${{fromJson(needs.matrix_prep.outputs.matrix)}} - defaults: - run: - working-directory: ./ops - steps: - - uses: actions/checkout@v4 - - uses: azure/login@v2 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Use prod Okta token if required + - name: Terraform key rotation prod plan if: ${{ matrix.env == 'prod' || matrix.env == 'stg' || matrix.env == 'training' }} - run: | - echo "OKTA_API_TOKEN=${{ secrets.OKTA_API_TOKEN }}" >> "$GITHUB_ENV" - - uses: hashicorp/setup-terraform@v3.0.0 + uses: ./.github/actions/key-replace with: - terraform_version: 1.3.3 - - name: Terraform Init - run: make init-${{ matrix.env }} - - name: Build ReportStream function app - uses: ./.github/actions/build-reportstream-functions + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + deploy_env: ${{ matrix.env }} + terraform_arm_client_id: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }} + terraform_arm_client_secret: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }} + terraform_arm_subscription_id: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }} + terraform_arm_tenant_id: ${{ secrets.TERRAFORM_ARM_TENANT_ID }} + okta_api_token: ${{ secrets.OKTA_API_TOKEN }} + - name: Terraform key rotation plan + if: ${{ matrix.env != 'prod' && matrix.env != 'stg' && matrix.env != 'training' }} + uses: ./.github/actions/key-replace with: - deploy-env: ${{ matrix.env }} - - name: Terraform plan - run: make plan-${{ matrix.env }} + azure_creds: ${{ secrets.AZURE_CREDENTIALS }} + deploy_env: ${{ matrix.env }} + terraform_arm_client_id: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }} + terraform_arm_client_secret: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }} + terraform_arm_subscription_id: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }} + terraform_arm_tenant_id: ${{ secrets.TERRAFORM_ARM_TENANT_ID }} + 
okta_api_token: ${{ secrets.OKTA_API_TOKEN_NONPROD }}
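Review bot: The two new key-rotation steps are identical apart from the Okta secret, and the prod-like environment list (`prod`, `stg`, `training`) is now spelled out twice, once negated, so the two copies can drift; a single step choosing the token by expression avoids that: `okta_api_token: ${{ (matrix.env == 'prod' || matrix.env == 'stg' || matrix.env == 'training') && secrets.OKTA_API_TOKEN || secrets.OKTA_API_TOKEN_NONPROD }}`. The `&&`/`||` form also falls through when `OKTA_API_TOKEN` is unset, so an empty prod secret would silently select the nonprod token — tolerable for a plan-only job, but worth a one-line comment above the input. Because the composite action still appends `-auto-approve` to whatever action it runs, `terraform plan` in these steps will reject the flag until the action makes it conditional on `apply`. The enclosing job's header is outside the hunk.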