feat: updated keys and Dev* deployment workflow

.github/workflows/deployDev.yml

@@ -26,7 +26,16 @@ on:
         options:
           - "false"
           - "true"
-
+  workflow_call:
+    inputs:
+      deploy_env:
+        description: 'The environment to deploy to'
+        required: true
+        type: string
+      replace_keys:
+        description: 'Replace keys'
+        default: "false"
+        type: string
 env:
   NODE_VERSION: 18
 

.github/workflows/terraformPlan.yml

@@ -1,77 +1,42 @@
 name: Ad-hoc Terraform Plan
-run-name: Terraform plan ${{ inputs.env }} by @${{ github.actor }}
 
 on:
   workflow_dispatch:
     inputs:
       env:
-        description: 'The environment to deploy to'
+        description: "Environment target"
         required: true
-        type: choice
-        options:
-          - dev
-          - dev2
-          - dev3
-          - dev4
-          - dev5
-          - dev6
-          - dev7
-          - pentest
-          - test
-          - demo
-          - training
-          - stg
-          - prod
-          - all
-
-env:
-  ARM_CLIENT_ID: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }}
-  ARM_CLIENT_SECRET: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }}
-  ARM_SUBSCRIPTION_ID: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }}
-  ARM_TENANT_ID: ${{ secrets.TERRAFORM_ARM_TENANT_ID }}
-  OKTA_API_TOKEN: ${{ secrets.OKTA_API_TOKEN_NONPROD }}
+        default: "prod" 
 
 jobs:
-  matrix_prep:
-    runs-on: ubuntu-latest
-    outputs:
-      matrix: ${{ steps.set_matrix.outputs.matrix }}
-    steps:
-    - uses: actions/checkout@v4
-    - id: set_matrix
-      run: |
-        if [[ "${{ inputs.env }}" == "all" ]]; then
-          matrix=[{\"env\":\"dev\"},{\"env\":\"dev2\"},{\"env\":\"dev3\"},{\"env\":\"dev4\"},{\"env\":\"dev5\"},{\"env\":\"dev6\"},{\"env\":\"dev7\"},{\"env\":\"pentest\"},{\"env\":\"test\"},{\"env\":\"demo\"},{\"env\":\"training\"},{\"env\":\"stg\"},{\"env\":\"prod\"}]
-        else
-          matrix=[{\"env\":\"${{ inputs.env }}\"}]
-        fi               
-        echo "matrix={\"include\":$(echo $matrix)}" >> $GITHUB_OUTPUT
-  terraform_plan:
-    needs: matrix_prep
+  terraform-plan:
     runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix: ${{fromJson(needs.matrix_prep.outputs.matrix)}}
     defaults:
       run:
         working-directory: ./ops
+    env: # all Azure interaction is through Terraform
+      ARM_CLIENT_ID: ${{ secrets.TERRAFORM_ARM_CLIENT_ID }}
+      ARM_CLIENT_SECRET: ${{ secrets.TERRAFORM_ARM_CLIENT_SECRET }}
+      ARM_SUBSCRIPTION_ID: ${{ secrets.TERRAFORM_ARM_SUBSCRIPTION_ID }}
+      ARM_TENANT_ID: ${{ secrets.TERRAFORM_ARM_TENANT_ID }}
+      OKTA_API_TOKEN: ${{ secrets.OKTA_API_TOKEN_NONPROD }}
     steps:
       - uses: actions/checkout@v4
       - uses: azure/login@v1
         with:
           creds: ${{ secrets.AZURE_CREDENTIALS }}
       - name: Use prod Okta token if required
-        if: ${{ matrix.env == 'prod' || matrix.env == 'stg' || matrix.env == 'training' }}
+        if: ${{ github.event.inputs.env == 'prod' || github.event.inputs.env == 'stg' }}
         run: |
           echo "OKTA_API_TOKEN=${{ secrets.OKTA_API_TOKEN }}" >> "$GITHUB_ENV"
       - uses: hashicorp/[email protected]
         with:
           terraform_version: 1.3.3
       - name: Terraform Init
-        run: make init-${{ matrix.env }}
+        run: make init-${{ github.event.inputs.env }}
       - name: Build ReportStream function app
         uses: ./.github/actions/build-reportstream-functions
         with:
-          deploy-env: ${{ matrix.env }}
+          deploy-env: ${{env.DEPLOY_ENV}}
       - name: Terraform plan
-        run: make plan-${{ matrix.env }}
+        run: make plan-${{ github.event.inputs.env }}

.github/workflows/testingWorkflow.yml

@@ -25,6 +25,19 @@ permissions:
   packages: write
 
 jobs:
+  key_rotation:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - deploy_env: dev
+          - deploy_env: dev0
+    with:
+      deploy_env: ${{ matrix.deploy_env }}
+      replace_keys: "true"
+    uses: ./.github/workflows/deployDev.yml
+    secrets: inherit
+
 # Check for changes in the backend, cypress, database, frontend, and nginx directories
   workflow_changes:
     with:

.github/workflows/updateKeysAndDeployDev.yml

@@ -0,0 +1,46 @@
+name: Update keys and deploy Dev*
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 * * * *"
+
+permissions:
+  packages: write
+
+jobs:
+  key_rotation:
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - deploy_env: dev
+          # - deploy_env: dev2
+          # - deploy_env: dev3
+          # - deploy_env: dev4
+          # - deploy_env: dev5
+          # - deploy_env: dev6
+          # - deploy_env: dev7
+          # - deploy_env: pentest
+    with:
+      deploy_env: ${{ matrix.deploy_env }}
+      replace_keys: "true"
+    uses: ./.github/workflows/deployDev.yml
+    secrets: inherit
+
+  # update_keys_and_deploy_prod:
+  #   if: never()
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       include:
+  #         - deploy_env: test
+  #         - deploy_env: demo
+  #         - deploy_env: training
+  #         - deploy_env: stg
+  #         - deploy_env: prod
+  #   with:
+  #     deploy_env: ${{ matrix.deploy_env }}
+  #     replace_keys: "true"
+  #   uses: ./.github/workflows/deployDev.yml
+  #   secrets: inherit

ops/demo/main.tf

@@ -8,20 +8,6 @@ locals {
     environment    = local.env
     resource_group = "${local.project}-${local.name}-${local.env}"
   }
-  cdc_tags = {
-    business_steward    = "[email protected]"
-    center              = "DDPHSS"
-    environment         = local.env
-    escid               = "3205"
-    funding_source      = "TBD"
-    pii_data            = "false"
-    security_compliance = "moderate"
-    security_steward    = "[email protected],[email protected],[email protected],[email protected]"
-    support_group       = "OMHS"
-    system              = "prim"
-    technical_steward   = "[email protected],[email protected],[email protected],[email protected]"
-    zone                = "EXTRANET"
-  }
 }
 
 # Frontend React App

ops/demo/persistent/main.tf

@@ -13,20 +13,6 @@ locals {
     environment    = local.env
     resource_group = "${local.project}-${local.name}-${local.env}"
   }
-  cdc_tags = {
-    business_steward    = "[email protected]"
-    center              = "DDPHSS"
-    environment         = local.env
-    escid               = "3205"
-    funding_source      = "TBD"
-    pii_data            = "false"
-    security_compliance = "moderate"
-    security_steward    = "[email protected],[email protected],[email protected],[email protected]"
-    support_group       = "OMHS"
-    system              = "prim"
-    technical_steward   = "[email protected],[email protected],[email protected],[email protected]"
-    zone                = "EXTRANET"
-  }
 }
 
 module "monitoring" {
@@ -79,7 +65,6 @@ module "db_alerting" {
   action_group_ids = [
     data.terraform_remote_state.global.outputs.pagerduty_non_prod_action_id
   ]
-  cdc_tags = local.cdc_tags
 }
 
 module "vnet" {

ops/dev/alerts.tf

@@ -34,5 +34,4 @@ module "metric_alerts" {
   function_id = module.report_stream_reporting_functions.azurerm_linux_function_app_id
 
   database_id = data.terraform_remote_state.persistent_dev.outputs.postgres_server_id
-  cdc_tags    = local.cdc_tags
 }

ops/dev/api.tf

@@ -64,7 +64,6 @@ module "simple_report_api" {
     # this shadows (and overrides) an identical declaration in application.yaml
     # SPRING_JPA_PROPERTIES_HIBERNATE_DEFAULT_SCHEMA = "public"
   }
-  cdc_tags = local.cdc_tags
 }
 
 module "report_stream_reporting_functions" {
@@ -76,5 +75,4 @@ module "report_stream_reporting_functions" {
   depends_on = [
     azurerm_storage_account.app
   ]
-  cdc_tags = local.cdc_tags
 }

ops/dev/main.tf

@@ -8,20 +8,6 @@ locals {
     environment    = local.env
     resource_group = "${local.project}-${local.name}-${local.env}"
   }
-  cdc_tags = {
-    business_steward    = "[email protected]"
-    center              = "DDPHSS"
-    environment         = local.env
-    escid               = "3205"
-    funding_source      = "TBD"
-    pii_data            = "false"
-    security_compliance = "moderate"
-    security_steward    = "[email protected],[email protected],[email protected],[email protected]"
-    support_group       = "OMHS"
-    system              = "prim"
-    technical_steward   = "[email protected],[email protected],[email protected],[email protected]"
-    zone                = "EXTRANET"
-  }
 }
 
 # Frontend React App
@@ -113,7 +99,6 @@ module "app_gateway" {
 
   firewall_policy_id = module.web_application_firewall.web_application_firewall_id
   tags               = local.management_tags
-  cdc_tags           = local.cdc_tags
 }
 
 module "nat_gateway" {

ops/dev/metabase.tf

@@ -34,5 +34,4 @@ module "metabase_service" {
   depends_on = [
     module.metabase_database
   ]
-  cdc_tags = local.cdc_tags
 }

ops/dev/persistent/main.tf

@@ -12,20 +12,6 @@ locals {
     environment    = local.env
     resource_group = "${local.project}-${local.name}-${local.env_level}"
   }
-  cdc_tags = {
-    business_steward    = "[email protected]"
-    center              = "DDPHSS"
-    environment         = local.env
-    escid               = "3205"
-    funding_source      = "TBD"
-    pii_data            = "false"
-    security_compliance = "moderate"
-    security_steward    = "[email protected],[email protected],[email protected],[email protected]"
-    support_group       = "OMHS"
-    system              = "prim"
-    technical_steward   = "[email protected],[email protected],[email protected],[email protected]"
-    zone                = "EXTRANET"
-  }
 }
 
 module "monitoring" {
@@ -77,7 +63,6 @@ module "db_alerting" {
   action_group_ids = [
     data.terraform_remote_state.global.outputs.pagerduty_non_prod_action_id
   ]
-  cdc_tags = local.cdc_tags
 }
 
 module "vnet" {

ops/dev2/main.tf

@@ -10,20 +10,6 @@ locals {
     # environments should use the "local.env_level" convention where possible.
     resource_group = "${local.project}-${local.name}-${local.env_level}"
   }
-  cdc_tags = {
-    business_steward    = "[email protected]"
-    center              = "DDPHSS"
-    environment         = local.env
-    escid               = "3205"
-    funding_source      = "TBD"
-    pii_data            = "false"
-    security_compliance = "moderate"
-    security_steward    = "[email protected],[email protected],[email protected],[email protected]"
-    support_group       = "OMHS"
-    system              = "prim"
-    technical_steward   = "[email protected],[email protected],[email protected],[email protected]"
-    zone                = "EXTRANET"
-  }
 }
 
 # Frontend React App

ops/dev2/metabase.tf

@@ -34,5 +34,4 @@ module "metabase_service" {
   depends_on = [
     module.metabase_database
   ]
-  cdc_tags = local.cdc_tags
 }

ops/dev2/persistent/main.tf

@@ -14,20 +14,6 @@ locals {
     # environments should use the "local.env_level" convention where possible.
     resource_group = "${local.project}-${local.name}-${local.env_level}"
   }
-  cdc_tags = {
-    business_steward    = "[email protected]"
-    center              = "DDPHSS"
-    environment         = local.env
-    escid               = "3205"
-    funding_source      = "TBD"
-    pii_data            = "false"
-    security_compliance = "moderate"
-    security_steward    = "[email protected],[email protected],[email protected],[email protected]"
-    support_group       = "OMHS"
-    system              = "prim"
-    technical_steward   = "[email protected],[email protected],[email protected],[email protected]"
-    zone                = "EXTRANET"
-  }
 }
 
 module "monitoring" {
@@ -79,7 +65,6 @@ module "db_alerting" {
   action_group_ids = [
     data.terraform_remote_state.global.outputs.pagerduty_non_prod_action_id
   ]
-  cdc_tags = local.cdc_tags
 }
 
 module "vnet" {

ops/dev3/main.tf

@@ -10,20 +10,6 @@ locals {
     # environments should use the "local.env_level" convention where possible.
     resource_group = "${local.project}-${local.name}-${local.env_level}"
   }
-  cdc_tags = {
-    business_steward    = "[email protected]"
-    center              = "DDPHSS"
-    environment         = local.env
-    escid               = "3205"
-    funding_source      = "TBD"
-    pii_data            = "false"
-    security_compliance = "moderate"
-    security_steward    = "[email protected],[email protected],[email protected],[email protected]"
-    support_group       = "OMHS"
-    system              = "prim"
-    technical_steward   = "[email protected],[email protected],[email protected],[email protected]"
-    zone                = "EXTRANET"
-  }
 }
 
 # Frontend React App

ops/dev3/metabase.tf

@@ -34,5 +34,4 @@ module "metabase_service" {
   depends_on = [
     module.metabase_database
   ]
-  cdc_tags = local.cdc_tags
 }