From b4e3bb4a72a5dbdf381899d9a04449948b2b5429 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 11:10:40 +0100 Subject: [PATCH 001/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 43 ++++++++++++++++++++++++++++++++ components/.gitignore | 34 +++++++++++++++++++++++++ components/.terraform.lock.hcl | 44 +++++++++++++++++++++++++++++++++ components/locals.tf | 33 +++++++++++++++++++++++++ components/main.tf | 39 +++++++++++++++++++++++++++++ components/provider.tf | 21 ++++++++++++++++ components/variables.tf | 32 ++++++++++++++++++++++++ test-repos.json | 5 ++++ 8 files changed, 251 insertions(+) create mode 100644 .github/workflows/pipeline.yaml create mode 100644 components/.gitignore create mode 100644 components/.terraform.lock.hcl create mode 100644 components/locals.tf create mode 100644 components/main.tf create mode 100644 components/provider.tf create mode 100644 components/variables.tf create mode 100644 test-repos.json diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml new file mode 100644 index 000000000..f3375e13d --- /dev/null +++ b/.github/workflows/pipeline.yaml 
@@ -0,0 +1,43 @@ +name: Rule Sets Pipeline + +on: + pull_request: + branches: + - adding-gh-workflow-DTSPO-18103 + push: + branches: + - adding-gh-workflow-DTSPO-18103 + +permissions: + id-token: write + contents: read + +jobs: + precheck-sbox: + runs-on: ubuntu-latest + timeout-minutes: 60 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Log in to Azure + run: | + az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }} + az account set --subscription ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + + - name: Use Terraform + uses: hashicorp/setup-terraform@v1 + + - name: Change directory to Terraform config + run: cd components/lab + + - name: Precheck Terraform + working-directory: components/lab + env: + AZURE_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + run: | + terraform init \ + -backend-config="subscription_id=${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}" + terraform plan \ + -var="location=UK South" \ + -var="override_action=plan" diff --git a/components/.gitignore b/components/.gitignore new file mode 100644 index 000000000..9b8a46e69 --- /dev/null +++ b/components/.gitignore 
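Review bot: `az login --service-principal -u ... -p ${{ secrets.AZURE_CLIENT_SECRET }}` in the new workflow puts the client secret on a command line, where it is readable by anything that can inspect the runner's process table, even though the job log masks it; the workflow already requests `id-token: write`, so log in with `azure/login` using `client-id`/`tenant-id`/`subscription-id` against a federated credential and drop the stored secret entirely. `actions/checkout@v2` and `hashicorp/setup-terraform@v1` are referenced by mutable tags; pin both to a full commit SHA so a moved tag cannot run arbitrary code with these cloud credentials. The `Change directory to Terraform config` step is a no-op, since every `run` starts in the workspace root, and `components/lab` does not exist in this commit (the configuration lives directly under `components/`), so the `working-directory: components/lab` on the next step will fail.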
@@ -0,0 +1,34 @@ +# Local .terraform directories +**/.terraform/* + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log +crash.*.log + +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Ignore CLI configuration files +.terraformrc +terraform.rc diff --git a/components/.terraform.lock.hcl b/components/.terraform.lock.hcl new file mode 100644 index 000000000..d9a377f29 --- /dev/null +++ b/components/.terraform.lock.hcl 
@@ -0,0 +1,44 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.109.0" + constraints = "3.109.0" + hashes = [ + "h1:tb3a5x6HV4YRxyL3VpdTWe1vsKocKi1HT0KFWnF5ZjM=", + "zh:4324c3df26709c7e669b751259cc5e62c4694ab44370dfcdfe197dcd9261c365", + "zh:4e3e83649240cea7105cd2802d0ae64b143fb543c2f559173feae5a108bc4287", + "zh:74ebf6be1277e9bd357b011026b80fc5ec1c26b70ec7ddd5fcae5e977f9a66ef", + "zh:82cfd3c92035f834a05f4b91d813a059a29ff4157792e36a0b3a224cba8737ae", + "zh:93f05c8ae3555c885c84b82781b2e90774671c321138b7f3c38ecd498009e1d8", + "zh:9b445a9a1544b4b38db10fadbd9ffd5efdded0def54feb9ca593e1bec6fbec5f", + "zh:b21ccd2c1bc691cf2f9876482b6e226d8a37a48de951b168a10f96ba929ebefd", + "zh:b7b7e458eb3c22669e1d36e9ef1886272c10f310501001abce8ae76383014fa5", + "zh:bd3c0cf7caab0a989227934bc60a8ac27131efcf84dd77cb6e32e68374170aee", + "zh:f4b9ccbb28eadf3825f6d7d38a3519379de222f136235a2f21a96c0221d65fb8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f8ef0b4a970ff5edeadfdeed77f9d0682befdca5df4e9b6d9dcfdf9903305b26", + ] +} + +provider "registry.terraform.io/hashicorp/github" { + version = "6.2.2" + hashes = [ + "h1:zi0URfg9FBXCPk918XU6RqV5k6kGVknQQA7p670zmik=", + "zh:43d7e5f1e11d67e38ca717016d209d6d9a6fa03321b489f91984351bfb143b69", + "zh:46e788395034b410bf59dfa43eb748a3d81ecfd23fc442349990fd7d92bd856a", + "zh:5234b7d5c5817ff7ebec29756050708372a071a701e2c8236e714a0bd29ef160", + "zh:74c485a241cc8e8cb99f988d38116fb14e51de896761fc9ca35a34ca5c999a7e", + "zh:7606789521c50937913ea13f851150828b5f9b8804ba80c5b2538c0b019339d8", + "zh:760fb0e74590459689c7159456b6e76f165634f7d0f89f5572d56b57d387f645", + "zh:7979d9085d809bb7d0db2c67e6c3443d1c18d12e51b72220dcb4cc5e883cd64a", + "zh:8bed25d8199bf8b2e7ccf67edc1a4a2fc041bd490b2c11565c669b80be43896c", + "zh:9ff82a6279fb7ae0cd9e44f1e73b64dd2aeca43d4d3096f3f2866b1ebbcb9431", + 
"zh:a886055ecd63ccb9b880e3c3301c0eca9acb108580d12519617554ae2be9a393", + "zh:c1f20386704919c7964a95daffcb29f494efb061abc28469840df4532833cecf", + "zh:cb6e9c4e33d6a57770073867e174c09c0eed401ee70473a688d20cb1cf0394f7", + "zh:f89ca130cc90b87dc25d036fe8f8cadb6fb53dc33368a032c5cee6275f3bcddc", + "zh:f94a2d1174091f04ed361192cdda9503baa3d161849d4f218c55a96bfb1ea33d", + "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", + ] +} diff --git a/components/locals.tf b/components/locals.tf new file mode 100644 index 000000000..57356c0b9 --- /dev/null +++ b/components/locals.tf @@ -0,0 +1,33 @@ +# locals { +# // List of included repositories, taken directly from the 'repositories' variable +# included_repositories = var.repositories + +# // Create combinations of repositories and branches by flattening a nested loop +# repo_branch_combinations = flatten([ +# // Iterate over each repository in the included_repositories list +# for repo in local.included_repositories : [ +# // For each repository, iterate over each branch in the 'branches' variable +# for branch in var.branches : { +# // Create a map with the repository and branch names +# repo = repo +# branch = branch +# } +# ] +# ]) +# } + +locals { + # Read the repositories from the JSON file + repositories_json = file("${path.module}./test-repos.json") + repositories_data = jsondecode(local.repositories_json) + + # Create combinations of repositories and branches + repo_branch_combinations = flatten([ + for repo in local.repositories_data : [ + for branch in var.branches : { + repo = repo + branch = branch + } + ] + ]) +} \ No newline at end of file diff --git a/components/main.tf b/components/main.tf new file mode 100644 index 000000000..5a335f95c --- /dev/null +++ b/components/main.tf 
@@ -0,0 +1,39 @@ +# Check if branches exist +data "github_branch" "existing_branches" { + for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } + repository = each.value.repo + branch = each.value.branch +} + +# Apply branch protection rules only if the branch exists +resource "github_branch_protection_v3" "branch_protection" { + for_each = { + for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo + if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null + } + + repository = each.value.repo + branch = each.value.branch + enforce_admins = false # Excludes organisation admins + + required_status_checks { + strict = true + contexts = ["ci/test", "ci/lint"] + } + + required_pull_request_reviews { + dismiss_stale_reviews = true + require_code_owner_reviews = false + required_approving_review_count = 2 # Ensure at least 1 reviewer + } + + restrictions { + users = [] + teams = [] + apps = [] + } +} + +output "existing_branches" { + value = data.github_branch.existing_branches +} \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf new file mode 100644 index 000000000..6a7938421 --- /dev/null +++ b/components/provider.tf @@ -0,0 +1,21 @@ +provider "github" { + token = var.github_token + owner = "hmcts" +} + +terraform { + required_version = ">= 1.3.6" + + # backend "azurerm" { + # } + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "3.109.0" + } + } +} + +provider "azurerm" { + features {} +} \ No newline at end of file diff --git a/components/variables.tf b/components/variables.tf new file mode 100644 index 000000000..af07cca8c --- /dev/null +++ b/components/variables.tf 
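Review bot: `enforce_admins = false` on the new `github_branch_protection_v3` resource lets organisation admins push to `main`/`master` without the review and status-check rules this configuration exists to enforce; unless there is a documented break-glass process, set `enforce_admins = true`, and record why `require_code_owner_reviews = false` was chosen. The comment `# Ensure at least 1 reviewer` contradicts `required_approving_review_count = 2` on the same line, so one of them is wrong. The `for_each` filter with `try(data.github_branch.existing_branches[...].branch, null)` will not, as far as I can tell, skip missing branches, because the data source above is evaluated unconditionally for every combination and errors when a branch does not exist. `output "existing_branches"` also exports every attribute of every data-source instance into state and job logs, which is more than any consumer needs; output just the keys.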
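Review bot: `required_providers` pins `azurerm` but has no entry for the `github` provider that `provider "github"` configures, so its version floats on every `terraform init`; add a constrained entry such as `github = { source = "integrations/github", version = "~> 6.2" }` (the lock file in this commit records 6.2.2 under the legacy `hashicorp/github` address) so the branch-protection resource schema cannot change underneath the pipeline. `owner = "hmcts"` is hard-coded while the token is a variable; an `owner` variable with that default keeps the module testable against another organisation. With the `backend "azurerm"` block commented out, state is written locally on the runner and discarded when the job ends, so a second run would try to recreate everything.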
@@ -0,0 +1,32 @@ +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} + +# variable "repositories" { +# description = "List of repositories to apply branch protection rules" +# type = list(string) +# default = [ +# "rule-set-test-repo", +# "rule-set-test-repo1", +# "rule-set-test-repo2" +# ] +# } + +variable "branches" { + description = "List of branches to apply protection rules" + type = list(string) + default = [ + "master", + "main" + ] +} + +variable "excluded_repositories" { + description = "List of repositories to exclude from branch protection rules" + type = list(string) + default = [ + "repo-to-exclude" + ] +} diff --git a/test-repos.json b/test-repos.json new file mode 100644 index 000000000..a070b0362 --- /dev/null +++ b/test-repos.json @@ -0,0 +1,5 @@ +[ + "rule-set-test-repo", + "rule-set-test-repo1", + "rule-set-test-repo2" +] \ No newline at end of file From d58657be9d0652c2f66c580292a8014f7dbf079e Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 11:11:28 +0100 Subject: [PATCH 002/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index f3375e13d..b5fa768ab 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -3,10 +3,10 @@ name: Rule Sets Pipeline on: pull_request: branches: - - adding-gh-workflow-DTSPO-18103 + - rule-sets-DTSPO-17918 push: branches: - - adding-gh-workflow-DTSPO-18103 + - rule-sets-DTSPO-17918 permissions: id-token: write From 35489c7b24140e7e38cb9da9a1927846ce80e432 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 11:12:32 +0100 Subject: [PATCH 003/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
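Review bot: `excluded_repositories` is declared with the placeholder default `["repo-to-exclude"]` and nothing in this commit consumes it, so the exclusion silently does nothing; either wire it into the `locals` filter or remove it, and use `default = []` so a real repository name is never implied. `github_token` is correctly `sensitive = true`; since the github provider also reads `GITHUB_TOKEN` from the environment, consider `default = null` so the token need not be passed as a `-var` on a command line.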
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b5fa768ab..4994911ff 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -32,7 +32,7 @@ jobs: run: cd components/lab - name: Precheck Terraform - working-directory: components/lab + working-directory: components env: AZURE_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} run: | From da14500a813d924ce896a7bb86ed5bab3752a4ce Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 11:13:30 +0100 Subject: [PATCH 004/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 4994911ff..be4d08a6f 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -29,7 +29,7 @@ jobs: uses: hashicorp/setup-terraform@v1 - name: Change directory to Terraform config - run: cd components/lab + run: cd components - name: Precheck Terraform working-directory: components From a101daeb3c004c45aa8eaa37f271301eb1444b08 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 11:19:13 +0100 Subject: [PATCH 005/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index be4d08a6f..7716992ad 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -35,9 +35,11 @@ jobs: working-directory: components env: AZURE_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform init \ -backend-config="subscription_id=${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}" terraform plan \ -var="location=UK South" \ - -var="override_action=plan" + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" 
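Review bot: The new `-var="github_token=${{ secrets.PAT_TOKEN }}"` argument places the PAT in the `terraform` process's argv, where it is visible to other processes on the runner and to any tooling that records command lines; the same secret is exported as `GITHUB_TOKEN` two lines above, which the github provider already reads, so the `-var` is redundant and should be dropped (or use `TF_VAR_github_token` in `env:` if the variable must be set explicitly). A classic PAT also carries its owner's full scopes across every repository they can reach; a GitHub App installation token or a fine-grained PAT limited to administration of the target repositories is the least-privilege choice for managing branch protection.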
From 0be0c53d9406450a789734c290ad8e64bb755f19 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 11:21:33 +0100 Subject: [PATCH 006/186] adding config + pipeline --- components/variables.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/components/variables.tf b/components/variables.tf index af07cca8c..dc561a078 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -30,3 +30,13 @@ variable "excluded_repositories" { "repo-to-exclude" ] } + +variable "override_action" { + description = "The action to override" + type = string +} + +variable "location" { + description = "The location for the resources" + type = string +} From d49b769d5b5efa3ade6559ee6cd881efc54c78ce Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 13:34:20 +0100 Subject: [PATCH 007/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 17 ++++++++++++---- components/locals.tf | 25 ++++++++++++++++++++++- components/main.tf | 33 ++++++++++++++++++++++++++++-- components/outputs.tf | 7 +++++++ components/provider.tf | 9 +++++++++ components/variables.tf | 36 +++++++++++++++++++++++++++++++-- 6 files changed, 118 insertions(+), 9 deletions(-) create mode 100644 components/outputs.tf diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 7716992ad..78aaf774e 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -25,20 +25,29 @@ jobs: az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }} az account set --subscription ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - - name: Use Terraform + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - name: Change directory to Terraform config run: cd components - - name: Precheck Terraform + - name: Initialize Terraform + working-directory: components + env: + ARM_ACCESS_KEY: ${{ secrets.AZURE_STORAGE_KEY }} + run: | + terraform init \ + -backend-config="resource_group_name=rule-set-rg" \ + -backend-config="storage_account_name=rulesetsa" \ + -backend-config="container_name=tfstate" \ + -backend-config="key=terraform.tfstate" + + - name: Plan Terraform working-directory: components env: AZURE_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform init \ - -backend-config="subscription_id=${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}" terraform plan \ -var="location=UK South" \ -var="override_action=plan" \ diff --git a/components/locals.tf b/components/locals.tf index 57356c0b9..4c7f512dd 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -30,4 +30,27 @@ locals { } ] ]) -} \ No newline at end of file +} + +locals { + env_display_names = { + sbox = "Sandbox" + prod = "Production" + nonprod = "Non-Production" + test = "Test" + staging = "staging" + } + common_tags = { + "managedBy" = "DevOps" + "solutionOwner" = "RDO" + "activityName" = "Storage Account" + "dataClassification" = "Internal" + "automation" = "" + "costCentre" = "" + } + enforced_tags = module.tags.common_tags +} + + + + diff --git a/components/main.tf b/components/main.tf index 5a335f95c..f9f868f35 100644 --- a/components/main.tf +++ b/components/main.tf 
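Review bot: `ARM_ACCESS_KEY: ${{ secrets.AZURE_STORAGE_KEY }}` authenticates the state backend with a storage-account key, a long-lived, non-expiring credential with full data-plane access to every container in `rulesetsa`; the job already holds an Azure identity, so add `-backend-config="use_azuread_auth=true"` (or `use_oidc=true`), grant that identity Storage Blob Data Contributor on the `tfstate` container, and remove the key from the secrets store. The `Plan Terraform` step still exports `AZURE_SUBSCRIPTION_ID`, which as far as I know the azurerm provider does not read (it expects `ARM_SUBSCRIPTION_ID`), so the subscription is coming from the `az login` session rather than this variable. The four `-backend-config` values are also hard-coded in provider.tf in this same commit; keep them in one place.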
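Review bot: The second `locals` block introduces `env_display_names` and `common_tags` that nothing in this commit references, while `enforced_tags` merely aliases `module.tags.common_tags`; unused locals with placeholder values (`"costCentre" = ""`, `"automation" = ""`) invite tagging resources with empty strings later, so either apply them or remove them. `staging = "staging"` is also inconsistent with the capitalised display names beside it. If the intent is to add keys on top of the module output, write `enforced_tags = merge(module.tags.common_tags, local.common_tags)` and document which keys are mandatory for this product.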
@@ -1,3 +1,32 @@ +module "tags" { + source = "git::https://github.com/hmcts/terraform-module-common-tags.git?ref=master" + environment = var.env + product = var.product + builtFrom = var.builtFrom +} + +resource "azurerm_resource_group" "rg" { + name = var.resource_group_name + location = var.location + tags = module.tags.common_tags +} + +resource "azurerm_storage_account" "sa" { + name = var.storage_account_name + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + account_tier = "Standard" + account_replication_type = "LRS" + tags = module.tags.common_tags +} + +resource "azurerm_storage_container" "tfstate" { + name = "tfstate" + storage_account_name = azurerm_storage_account.sa.name + container_access_type = "private" + +} + # Check if branches exist data "github_branch" "existing_branches" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } @@ -14,7 +43,7 @@ resource "github_branch_protection_v3" "branch_protection" { repository = each.value.repo branch = each.value.branch - enforce_admins = false # Excludes organisation admins + enforce_admins = false # Excludes organisation admins required_status_checks { strict = true @@ -24,7 +53,7 @@ resource "github_branch_protection_v3" "branch_protection" { required_pull_request_reviews { dismiss_stale_reviews = true require_code_owner_reviews = false - required_approving_review_count = 2 # Ensure at least 1 reviewer + required_approving_review_count = 2 # Ensure at least 1 reviewer } restrictions { diff --git a/components/outputs.tf b/components/outputs.tf new file mode 100644 index 000000000..62c76cb79 --- /dev/null +++ b/components/outputs.tf @@ -0,0 +1,7 @@ +output "common_tags" { + value = { + Environment = var.env + Product = var.product + BuiltFrom = var.builtFrom + } +} \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index 6a7938421..af8277e58 100644 
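Review bot: `source = "git::https://github.com/hmcts/terraform-module-common-tags.git?ref=master"` pulls the tags module from a moving branch, so every `terraform init` in the pipeline executes whatever is on `master` at that moment; pin `ref=` to a release tag or, better, a full commit SHA so a change in that repository cannot alter what this configuration does. `azurerm_storage_account.sa` here is the same `rulesetsa` account the backend in provider.tf reads state from, so the first run cannot succeed until the account already exists, and a later plan that chose to replace it could destroy the state it is reading; state-store bootstrap normally lives in a separate configuration. Because this account holds Terraform state, set the hardening properties explicitly rather than relying on provider defaults: `min_tls_version = "TLS1_2"`, `allow_nested_items_to_be_public = false`, `shared_access_key_enabled = false` once the backend uses Azure AD auth, and `blob_properties { versioning_enabled = true }` so a corrupted or deleted state file can be recovered.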
--- a/components/provider.tf +++ b/components/provider.tf @@ -18,4 +18,13 @@ terraform { provider "azurerm" { features {} +} + +terraform { + backend "azurerm" { + resource_group_name = "rule-set-rg" + storage_account_name = "rulesetsa" + container_name = "tfstate" + key = "terraform.tfstate" + } } \ No newline at end of file diff --git a/components/variables.tf b/components/variables.tf index dc561a078..5fd6093a0 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -17,7 +17,7 @@ variable "github_token" { variable "branches" { description = "List of branches to apply protection rules" type = list(string) - default = [ + default = [ "master", "main" ] @@ -26,7 +26,7 @@ variable "branches" { variable "excluded_repositories" { description = "List of repositories to exclude from branch protection rules" type = list(string) - default = [ + default = [ "repo-to-exclude" ] } @@ -34,9 +34,41 @@ variable "excluded_repositories" { variable "override_action" { description = "The action to override" type = string + default = "true" } variable "location" { description = "The location for the resources" type = string + default = "UK South" } + +variable "resource_group_name" { + description = "The name of the resource group" + type = string + default = "rule-set-rg" +} + +variable "storage_account_name" { + description = "The name of the storage account" + type = string + default = "rulesetsa" +} + +variable "env" { + description = "The environment for the deployment (e.g., dev, staging, prod)" + type = string + default = "dev" +} + +variable "product" { + description = "The product name or identifier" + type = string + default = "sds-platform" +} + +variable "builtFrom" { + description = "Information about the build source or version" + type = string + default = "https://github.com/hmcts/github-repository-rules" +} \ No newline at end of file From dd625db6cf9d27ac60a9e208f889ac7d75095b4f Mon Sep 17 00:00:00 2001 
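Review bot: The new `backend "azurerm"` block names the storage account but does not set `use_azuread_auth = true` (or `use_oidc = true`), so the backend falls back to a storage access key, which is the `ARM_ACCESS_KEY` the workflow exports in the same commit; with Azure AD auth enabled the runner's identity, which already has RBAC, reads and writes state without a shared key in the secrets store. The same four values are also passed as `-backend-config` flags in the workflow, so one copy is redundant; keep them in this file, which is reviewable in version control, and pass only `subscription_id`/`use_oidc` from the pipeline. Terraform merges separate `terraform {}` blocks, but moving the backend into the existing block above avoids the surprise of two of them in one file.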
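Review bot: `override_action` now defaults to `"true"`, which is neither of the values the workflow passes (`plan`/`apply`), and nothing in the configuration reads the variable, so it is unclear what it controls; add `validation { condition = contains(["plan", "apply"], var.override_action) error_message = "override_action must be plan or apply" }` or remove it. `env` defaults to `"dev"` while the pipeline targets the sandbox subscription, and `resource_group_name`/`storage_account_name` default to the backend's own names; defaults that silently choose an environment or a state store are better removed so each must be passed explicitly. `builtFrom` defaults to a repository URL rather than a revision, so the `builtFrom` tag cannot identify which commit built a resource; setting it from `GITHUB_SHA` in the pipeline would.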
From: Connor O'Kane Date: Wed, 3 Jul 2024 13:37:52 +0100 Subject: [PATCH 008/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 78aaf774e..07d82c179 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -25,30 +25,36 @@ jobs: az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }} az account set --subscription ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - - name: Setup Terraform + - name: Use Terraform uses: hashicorp/setup-terraform@v1 - name: Change directory to Terraform config run: cd components - - name: Initialize Terraform + - name: Precheck Terraform working-directory: components env: - ARM_ACCESS_KEY: ${{ secrets.AZURE_STORAGE_KEY }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform init \ - -backend-config="resource_group_name=rule-set-rg" \ - -backend-config="storage_account_name=rulesetsa" \ - -backend-config="container_name=tfstate" \ - -backend-config="key=terraform.tfstate" + -backend-config="subscription_id=${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}" + terraform plan \ + -var="location=UK South" \ + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" + - name: Plan Terraform working-directory: components env: - AZURE_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan \ -var="location=UK South" \ -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" + -var="github_token=${{ secrets.PAT_TOKEN }}" \ No newline at end of file From 51c52ce108713ee80a3840d249e0b2aa8857e2e7 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 13:57:21 +0100 Subject: [PATCH 009/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 31 ++++++------------------------- 1 file changed, 6 insertions(+), 25 deletions(-) 
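Review bot: After this change both `Precheck Terraform` and `Plan Terraform` run `terraform plan` against the same directory with the same `-var` flags, but only the second step exports the `ARM_*` credentials, while the first runs `terraform init` with just `-backend-config="subscription_id=..."` and no `ARM_CLIENT_ID`/`ARM_CLIENT_SECRET`; that init either leans on the earlier `az login` session or fails, and the plan is then produced twice. Keep one init step and one plan step, with the credentials in a single job-level `env:`. `ARM_CLIENT_SECRET` reintroduces a stored client secret into a workflow that already has `id-token: write`; `ARM_USE_OIDC: "true"` together with `ARM_CLIENT_ID`/`ARM_TENANT_ID`/`ARM_SUBSCRIPTION_ID` would let the azurerm provider use the federated token instead.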
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 07d82c179..f19e11ca8 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -21,9 +21,9 @@ jobs: uses: actions/checkout@v2 - name: Log in to Azure - run: | - az login --service-principal -u ${{ secrets.AZURE_CLIENT_ID }} -p ${{ secrets.AZURE_CLIENT_SECRET }} --tenant ${{ secrets.AZURE_TENANT_ID }} - az account set --subscription ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + uses: azure/login@v2 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Use Terraform uses: hashicorp/setup-terraform@v1 @@ -34,27 +34,8 @@ jobs: - name: Precheck Terraform working-directory: components env: - AZURE_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - run: | - terraform init \ - -backend-config="subscription_id=${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}" - terraform plan \ - -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" - - - - name: Plan Terraform - working-directory: components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform plan \ - -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" \ No newline at end of file + terraform init -backend-config="subscription_id=${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}" + terraform plan -var="location=UK South" -var="override_action=plan" -var="github_token=${{ secrets.PAT_TOKEN }}" From 41d5809b05202cf7a16b02f25d83a810b19adf65 Mon Sep 17 00:00:00 2001 
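Review bot: `creds: ${{ secrets.AZURE_CREDENTIALS }}` feeds `azure/login` a JSON blob that contains the service principal's client secret, so the secret-based path is kept even though the workflow requests `id-token: write`; `azure/login@v2` supports OIDC through `client-id`, `tenant-id` and `subscription-id` inputs with a federated credential on the app registration, which leaves no long-lived secret in the repository at all. Pin the action to a commit SHA rather than `@v2`, since this step is handed the credentials for the whole job.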
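Review bot: The rewritten step exports `AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}` but passes `${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}` to `terraform init` on the next line, so two different secrets now stand for what should be one subscription id; pick one and export it under the `ARM_SUBSCRIPTION_ID` name the azurerm provider reads. The collapsed `terraform plan ... -var="github_token=${{ secrets.PAT_TOKEN }}"` line still places the PAT in argv although `GITHUB_TOKEN` is already in `env:`; drop the `-var`.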
From: Connor O'Kane Date: Wed, 3 Jul 2024 13:59:55 +0100 Subject: [PATCH 010/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index f19e11ca8..277674d59 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -39,3 +39,4 @@ jobs: run: | terraform init -backend-config="subscription_id=${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}" terraform plan -var="location=UK South" -var="override_action=plan" -var="github_token=${{ secrets.PAT_TOKEN }}" + From 2c691ee026ff366a08801699be16edd62e244c82 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 14:02:03 +0100 Subject: [PATCH 011/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 277674d59..3acf9fc0c 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -21,22 +21,40 @@ jobs: uses: actions/checkout@v2 - name: Log in to Azure - uses: azure/login@v2 + uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Use Terraform + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - name: Change directory to Terraform config run: cd components - - name: Precheck Terraform + - name: Initialize Terraform working-directory: components env: - AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: | + terraform init \ + -backend-config="resource_group_name=rule-set-rg" \ + -backend-config="storage_account_name=rulesetsa" \ + -backend-config="container_name=tfstate" \ + -backend-config="key=terraform.tfstate" + + - name: Plan Terraform + working-directory: components + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform init -backend-config="subscription_id=${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}" - terraform plan -var="location=UK South" -var="override_action=plan" -var="github_token=${{ secrets.PAT_TOKEN }}" - + terraform plan \ + -var="location=UK South" \ + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" From bb62a1185252ea9e331edecc0e5674285fa09e06 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 14:05:23 +0100 Subject: [PATCH 012/186] adding config + pipeline --- components/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/main.tf b/components/main.tf index f9f868f35..31b635c78 100644 --- a/components/main.tf +++ b/components/main.tf 
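Review bot: This moves `azure/login` from `@v2` back to `@v1` and then exports `ARM_CLIENT_SECRET` to both Terraform steps, so Terraform authenticates with the stored secret and the `az login` step is effectively unused by it; with `permissions: id-token: write` already set, export `ARM_USE_OIDC: "true"`, `ARM_CLIENT_ID`, `ARM_TENANT_ID` and `ARM_SUBSCRIPTION_ID` instead and delete `ARM_CLIENT_SECRET` along with the `AZURE_CLIENT_SECRET`/`AZURE_CREDENTIALS` secrets. The four `ARM_*` lines are duplicated verbatim across the two steps; a job-level `env:` keeps them in one place. The four `-backend-config` values are hard-coded here and again in provider.tf, so keeping them only in the file means the pipeline changes less often.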
@@ -53,7 +53,7 @@ resource "github_branch_protection_v3" "branch_protection" { required_pull_request_reviews { dismiss_stale_reviews = true require_code_owner_reviews = false - required_approving_review_count = 2 # Ensure at least 1 reviewer + required_approving_review_count = 1 # Ensure at least 1 reviewer } restrictions { From 4ee73f81aa5d41a1d47ca80b94bd4ae52dfd071c Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 14:09:56 +0100 Subject: [PATCH 013/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 3acf9fc0c..97f3d5e65 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -58,3 +58,36 @@ jobs: -var="location=UK South" \ -var="override_action=plan" \ -var="github_token=${{ secrets.PAT_TOKEN }}" + + apply: + runs-on: ubuntu-latest + needs: precheck-sbox + if: github.ref == 'refs/heads/rule-sets-DTSPO-17918' # Ensure apply only runs on the target branch + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Log in to Azure + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + + - name: Change directory to Terraform config + run: cd components + + - name: Apply Terraform + working-directory: components + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + run: | + terraform apply -auto-approve \ + -var="location=UK South" \ + -var="override_action=apply" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" From 65c3bf2fe49e5707843af3ec015c1ffe4fa61c4b Mon Sep 17 00:00:00 2001 
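Review bot: Dropping `required_approving_review_count` from 2 to 1 halves the approvals needed to merge to `main`/`master`, and with `require_code_owner_reviews = false` (visible in the context lines) that single approval can come from any collaborator with write access; if this is deliberate for the test repositories, say so in the comment, e.g. `# 1 approval for test repos; production rule sets should require 2 and code-owner review`, and consider making the count a variable so a production configuration does not inherit the weaker value. The `github_branch_protection_v3` resource begins before this hunk.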
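Review bot: The new `apply` job runs `terraform apply -auto-approve` from a fresh plan it computes itself, so what is applied is not the plan that `precheck-sbox` produced, and anything that changed in the repositories between the two jobs is applied unreviewed; save the plan with `-out=tfplan`, upload it as an artifact, and apply that file. The job is gated only on `github.ref == 'refs/heads/rule-sets-DTSPO-17918'` with no `environment:` carrying required reviewers, so a push to that branch is the sole control before branch protection is rewritten across every repository in `test-repos.json`. `-var="override_action=apply"` is passed, but nothing in the configuration reads that variable.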
From: Connor O'Kane Date: Wed, 3 Jul 2024 14:12:58 +0100 Subject: [PATCH 014/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 40 ++++----------------------------- 1 file changed, 4 insertions(+), 36 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 97f3d5e65..d065c6a7a 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -13,7 +13,7 @@ permissions: contents: read jobs: - precheck-sbox: + plan-and-apply: runs-on: ubuntu-latest timeout-minutes: 60 steps: @@ -45,7 +45,7 @@ jobs: -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - name: Plan Terraform + - name: Plan and Apply Terraform working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} 
@@ -54,40 +54,8 @@ jobs: ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform plan \ + terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" \ -var="github_token=${{ secrets.PAT_TOKEN }}" - - apply: - runs-on: ubuntu-latest - needs: precheck-sbox - if: github.ref == 'refs/heads/rule-sets-DTSPO-17918' # Ensure apply only runs on the target branch - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Log in to Azure - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 - - - name: Change directory to Terraform config - run: cd components - - - name: Apply Terraform - working-directory: components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - run: | - terraform apply -auto-approve \ - -var="location=UK South" \ - -var="override_action=apply" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" + terraform apply -auto-approve tfplan From 9d2ba4083789c5bf2cafed64478dcac523c8582b Mon Sep 17 00:00:00 2001 From: ConnorOKane-Kainos <141819576+ConnorOKane-Kainos@users.noreply.github.com> Date: Wed, 3 Jul 2024 14:32:35 +0100 Subject: [PATCH 015/186] Delete components/.terraform.lock.hcl --- components/.terraform.lock.hcl | 44 ---------------------------------- 1 file changed, 44 deletions(-) delete mode 100644 components/.terraform.lock.hcl diff --git a/components/.terraform.lock.hcl b/components/.terraform.lock.hcl deleted file mode 100644 index d9a377f29..000000000 --- a/components/.terraform.lock.hcl +++ /dev/null 
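Review bot: Folding the apply into `plan-and-apply` removes the `if: github.ref == ...` guard the deleted `apply` job had, and the workflow triggers on `pull_request` as well as `push`, so `terraform apply -auto-approve tfplan` now runs for pull requests too; add `if: github.event_name == 'push'` to the apply step (or a protected `environment:`) so a PR cannot rewrite branch protection before it is merged. Applying the saved `tfplan` is the right pattern, since it guarantees the applied changes match what was planned, but the plan is still given `-var="override_action=plan"` although it is now always applied, which is misleading. `-auto-approve` has no effect when a saved plan file is supplied, so it can be dropped.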
@@ -1,44 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/azurerm" { - version = "3.109.0" - constraints = "3.109.0" - hashes = [ - "h1:tb3a5x6HV4YRxyL3VpdTWe1vsKocKi1HT0KFWnF5ZjM=", - "zh:4324c3df26709c7e669b751259cc5e62c4694ab44370dfcdfe197dcd9261c365", - "zh:4e3e83649240cea7105cd2802d0ae64b143fb543c2f559173feae5a108bc4287", - "zh:74ebf6be1277e9bd357b011026b80fc5ec1c26b70ec7ddd5fcae5e977f9a66ef", - "zh:82cfd3c92035f834a05f4b91d813a059a29ff4157792e36a0b3a224cba8737ae", - "zh:93f05c8ae3555c885c84b82781b2e90774671c321138b7f3c38ecd498009e1d8", - "zh:9b445a9a1544b4b38db10fadbd9ffd5efdded0def54feb9ca593e1bec6fbec5f", - "zh:b21ccd2c1bc691cf2f9876482b6e226d8a37a48de951b168a10f96ba929ebefd", - "zh:b7b7e458eb3c22669e1d36e9ef1886272c10f310501001abce8ae76383014fa5", - "zh:bd3c0cf7caab0a989227934bc60a8ac27131efcf84dd77cb6e32e68374170aee", - "zh:f4b9ccbb28eadf3825f6d7d38a3519379de222f136235a2f21a96c0221d65fb8", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f8ef0b4a970ff5edeadfdeed77f9d0682befdca5df4e9b6d9dcfdf9903305b26", - ] -} - -provider "registry.terraform.io/hashicorp/github" { - version = "6.2.2" - hashes = [ - "h1:zi0URfg9FBXCPk918XU6RqV5k6kGVknQQA7p670zmik=", - "zh:43d7e5f1e11d67e38ca717016d209d6d9a6fa03321b489f91984351bfb143b69", - "zh:46e788395034b410bf59dfa43eb748a3d81ecfd23fc442349990fd7d92bd856a", - "zh:5234b7d5c5817ff7ebec29756050708372a071a701e2c8236e714a0bd29ef160", - "zh:74c485a241cc8e8cb99f988d38116fb14e51de896761fc9ca35a34ca5c999a7e", - "zh:7606789521c50937913ea13f851150828b5f9b8804ba80c5b2538c0b019339d8", - "zh:760fb0e74590459689c7159456b6e76f165634f7d0f89f5572d56b57d387f645", - "zh:7979d9085d809bb7d0db2c67e6c3443d1c18d12e51b72220dcb4cc5e883cd64a", - "zh:8bed25d8199bf8b2e7ccf67edc1a4a2fc041bd490b2c11565c669b80be43896c", - "zh:9ff82a6279fb7ae0cd9e44f1e73b64dd2aeca43d4d3096f3f2866b1ebbcb9431", - 
"zh:a886055ecd63ccb9b880e3c3301c0eca9acb108580d12519617554ae2be9a393", - "zh:c1f20386704919c7964a95daffcb29f494efb061abc28469840df4532833cecf", - "zh:cb6e9c4e33d6a57770073867e174c09c0eed401ee70473a688d20cb1cf0394f7", - "zh:f89ca130cc90b87dc25d036fe8f8cadb6fb53dc33368a032c5cee6275f3bcddc", - "zh:f94a2d1174091f04ed361192cdda9503baa3d161849d4f218c55a96bfb1ea33d", - "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", - ] -} From 194d18baa918a18d9a039feecabe463d03e1ae13 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 16:41:02 +0100 Subject: [PATCH 016/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 9 +++++---- components/main.tf | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index d065c6a7a..ab83f0928 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -20,10 +20,12 @@ jobs: - name: Checkout code uses: actions/checkout@v2 - - name: Log in to Azure + - name: Log in to Azure using OIDC uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 @@ -56,6 +58,5 @@ jobs: run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" + -var="override_action=plan" terraform apply -auto-approve tfplan diff --git a/components/main.tf b/components/main.tf index 31b635c78..f9f868f35 100644 --- a/components/main.tf +++ b/components/main.tf 
@@ -53,7 +53,7 @@ resource "github_branch_protection_v3" "branch_protection" { required_pull_request_reviews { dismiss_stale_reviews = true require_code_owner_reviews = false - required_approving_review_count = 1 # Ensure at least 1 reviewer + required_approving_review_count = 2 # Ensure at least 1 reviewer } restrictions { From cc5e384b7d169ddee78d627aecc9d1a3806155bb Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 16:46:08 +0100 Subject: [PATCH 017/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ab83f0928..3a723ccdd 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -47,16 +47,24 @@ jobs: -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - name: Plan and Apply Terraform + - name: Plan Terraform working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" + + - name: Apply Terraform + working-directory: components + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: | terraform apply -auto-approve tfplan From b7dbfa52eadaac9bc563c29b5b31b8f1f6d26093 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 16:47:33 +0100 Subject: [PATCH 018/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
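Review bot: `required_approving_review_count = 2 # Ensure at least 1 reviewer` now carries a comment that contradicts the value it annotates, so either the number or the comment is wrong. If two approvals are intended, make it `required_approving_review_count = 2 # Require at least 2 approving reviews` so the next reader does not "correct" the value back to 1 (which is what patch 035 does). The enclosing `github_branch_protection_v3` resource starts and ends outside the hunk.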
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 3a723ccdd..147a52c83 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -67,4 +67,4 @@ jobs: ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: | - terraform apply -auto-approve tfplan + terraform apply -auto-approve tfplan \ No newline at end of file From 9684ecf5a0b4de34ab3e55422fbba3e9b7a9be4d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 16:52:19 +0100 Subject: [PATCH 019/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- components/provider.tf | 8 ++++---- components/variables.tf | 10 +++++----- 3 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 147a52c83..3a723ccdd 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -67,4 +67,4 @@ jobs: ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: | - terraform apply -auto-approve tfplan \ No newline at end of file + terraform apply -auto-approve tfplan diff --git a/components/provider.tf b/components/provider.tf index af8277e58..c7c3c1a3e 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,7 +1,7 @@ -provider "github" { - token = var.github_token - owner = "hmcts" -} +# provider "github" { +# token = var.github_token +# owner = "hmcts" +# } terraform { required_version = ">= 1.3.6" diff --git a/components/variables.tf b/components/variables.tf index 5fd6093a0..6d48011c7 100644 --- a/components/variables.tf +++ b/components/variables.tf 
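Review bot: Commenting out the whole `provider "github"` block also removes `owner = "hmcts"`, while the `github_branch` data source and `github_branch_protection_v3` resource in main.tf (visible in patches 035–038) still address repositories by bare name. Without the block the provider falls back to the `GITHUB_OWNER` and `GITHUB_TOKEN` environment variables, and patch 017 removed `GITHUB_TOKEN` from the workflow env, so this looks likely to fail or run unauthenticated unless an env source outside these files supplies them. The block is toggled back and forth in patches 021, 022, 024, 030 and 032; the shape patch 032 lands on, `provider "github" { owner = "hmcts" }` with the token supplied via the `GITHUB_TOKEN` environment variable, is the one to keep, so the PAT is not threaded through a Terraform variable at all.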
@@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 0c8e04af08e4bd17fce844fde45ff1ba47c421d4 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 16:59:42 +0100 Subject: [PATCH 020/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 3a723ccdd..8a9f474d8 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -37,9 +37,9 @@ jobs: working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_USE_OIDC: true run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ @@ -51,9 +51,9 @@ jobs: working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_USE_OIDC: true run: | terraform plan -out=tfplan \ -var="location=UK South" \ @@ -63,8 +63,8 @@ jobs: working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_USE_OIDC: true run: | terraform apply -auto-approve tfplan From 8dec89b2d9960a10713426c4df89d6b4abb87383 Mon Sep 17 00:00:00 2001 
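Review bot: The same four `ARM_*` variables, including the new `ARM_USE_OIDC: true`, are now repeated in all three steps' `env:` blocks, which is why the `ARM_CLIENT_SECRET` removal had to be made three times in this one commit. Hoisting them to a job-level `env:` under `plan-and-apply:` gives one place to change and stops the steps drifting apart. The switch itself looks right: with `permissions: id-token: write` already set, the azurerm provider and backend should be able to exchange the GitHub Actions OIDC token when `ARM_USE_OIDC` is set, so no client secret needs to exist for this job.

```yaml
  plan-and-apply:
    # … unchanged: runs-on, timeout-minutes …
    env:
      ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
      ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      ARM_USE_OIDC: true
    steps:
      # … unchanged: the three steps, each with its per-step env: block removed …
```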
From: Connor O'Kane Date: Wed, 3 Jul 2024 17:02:17 +0100 Subject: [PATCH 021/186] adding config + pipeline --- components/provider.tf | 8 ++++---- components/variables.tf | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/components/provider.tf b/components/provider.tf index c7c3c1a3e..af8277e58 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,7 +1,7 @@ -# provider "github" { -# token = var.github_token -# owner = "hmcts" -# } +provider "github" { + token = var.github_token + owner = "hmcts" +} terraform { required_version = ">= 1.3.6" diff --git a/components/variables.tf b/components/variables.tf index 6d48011c7..5fd6093a0 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 02c80f9cc4597e39bc8d92abc1216c96a9c14bc1 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 17:08:12 +0100 Subject: [PATCH 022/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 + components/provider.tf | 8 ++++---- components/variables.tf | 10 +++++----- 3 files changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 8a9f474d8..360ab00fc 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -16,6 +16,7 @@ jobs: plan-and-apply: runs-on: ubuntu-latest timeout-minutes: 60 + steps: - name: Checkout code uses: actions/checkout@v2 diff --git a/components/provider.tf b/components/provider.tf index af8277e58..c7c3c1a3e 100644 --- a/components/provider.tf +++ b/components/provider.tf 
@@ -1,7 +1,7 @@ -provider "github" { - token = var.github_token - owner = "hmcts" -} +# provider "github" { +# token = var.github_token +# owner = "hmcts" +# } terraform { required_version = ">= 1.3.6" diff --git a/components/variables.tf b/components/variables.tf index 5fd6093a0..6d48011c7 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 480cb61661946069bf66fbbee94cab931380c5e4 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 17:09:35 +0100 Subject: [PATCH 023/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 360ab00fc..96150da29 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -69,3 +69,4 @@ jobs: ARM_USE_OIDC: true run: | terraform apply -auto-approve tfplan + From edc7164c23e48c9e0bb56ff83d241f5ba8e2958c Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 17:11:45 +0100 Subject: [PATCH 024/186] adding config + pipeline --- components/provider.tf | 8 ++++---- components/variables.tf | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/components/provider.tf b/components/provider.tf index c7c3c1a3e..af8277e58 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,7 +1,7 @@ -# provider "github" { -# token = var.github_token -# owner = "hmcts" -# } +provider "github" { + token = var.github_token + owner = "hmcts" +} terraform { required_version = ">= 1.3.6" 
diff --git a/components/variables.tf b/components/variables.tf index 6d48011c7..5fd6093a0 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} # variable "repositories" { # description = "List of repositories to apply branch protection rules" From d95975bdcfbced800f6faedd0e3d39a5cab6222b Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 17:15:03 +0100 Subject: [PATCH 025/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 46 +++++++++++++-------------------- 1 file changed, 18 insertions(+), 28 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 96150da29..250260714 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,6 @@ + name: Rule Sets Pipeline - + on: pull_request: branches: 
@@ -7,66 +8,55 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest timeout-minutes: 60 - steps: - name: Checkout code uses: actions/checkout@v2 - - - name: Log in to Azure using OIDC + + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_USE_OIDC: true run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - - name: Plan Terraform + + - name: Plan and Apply Terraform working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_USE_OIDC: true + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" - - - name: Apply Terraform - working-directory: components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_USE_OIDC: true - run: | - terraform apply -auto-approve tfplan - + -var="override_action=plan" \ + -var="github_token=${{ 
secrets.PAT_TOKEN }}" + terraform apply -auto-approve tfplan \ No newline at end of file From 289b1ed5fd179ecd5c4fc98a8c870b104e608e47 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 17:15:54 +0100 Subject: [PATCH 026/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 250260714..779b4231c 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -59,4 +59,5 @@ jobs: -var="location=UK South" \ -var="override_action=plan" \ -var="github_token=${{ secrets.PAT_TOKEN }}" - terraform apply -auto-approve tfplan \ No newline at end of file + terraform apply -auto-approve tfplan + \ No newline at end of file From 801fde512ee81b3e5bdb8888f933f0ef3ee3b70a Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 21:53:32 +0100 Subject: [PATCH 027/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 779b4231c..67c92f017 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -13,18 +13,16 @@ permissions: id-token: write contents: read -jobs: - plan-and-apply: - runs-on: ubuntu-latest - timeout-minutes: 60 - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Log in to Azure +jobs: + build-and-deploy: + runs-on: ubuntu-latest + steps: + - name: 'Az CLI login' uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 
@@ -60,4 +58,3 @@ jobs: -var="override_action=plan" \ -var="github_token=${{ secrets.PAT_TOKEN }}" terraform apply -auto-approve tfplan - \ No newline at end of file From f39dffd57cb0a9b30837f0c4820211871b4e7fb5 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 21:56:11 +0100 Subject: [PATCH 028/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 67c92f017..6d3406f56 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,6 +1,5 @@ - name: Rule Sets Pipeline - + on: pull_request: branches: @@ -8,28 +7,25 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: - build-and-deploy: - runs-on: ubuntu-latest - steps: + build-and-deploy: + runs-on: ubuntu-latest + steps: - name: 'Az CLI login' uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - - name: Change directory to Terraform config - run: cd components - + - name: Initialize Terraform working-directory: components env: @@ -43,7 +39,7 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform working-directory: components env: From 3893f35e7b91c853cdd5c2d0bd8cdd753c100e4f Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Wed, 3 Jul 2024 21:58:09 +0100 Subject: [PATCH 029/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 6d3406f56..9ebc490c7 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -16,6 +16,9 @@ jobs: build-and-deploy: runs-on: ubuntu-latest steps: + - name: Checkout code + uses: actions/checkout@v2 + - name: 'Az CLI login' uses: azure/login@v1 with: @@ -27,7 +30,7 @@ jobs: uses: hashicorp/setup-terraform@v1 - name: Initialize Terraform - working-directory: components + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} @@ -41,7 +44,7 @@ jobs: -backend-config="key=terraform.tfstate" - name: Plan and Apply Terraform - working-directory: components + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} From 973b4393c73e9962a4993998fe4ae56b1b5a0cac Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 21:59:16 +0100 Subject: [PATCH 030/186] adding config + pipeline --- components/provider.tf | 8 ++++---- components/variables.tf | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/components/provider.tf b/components/provider.tf index af8277e58..c7c3c1a3e 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,7 +1,7 @@ -provider "github" { - token = var.github_token - owner = "hmcts" -} +# provider "github" { +# token = var.github_token +# owner = "hmcts" +# } terraform { required_version = ">= 1.3.6" diff --git a/components/variables.tf b/components/variables.tf index 5fd6093a0..6d48011c7 100644 --- a/components/variables.tf +++ b/components/variables.tf 
@@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 4ab8e5b2170ca22e773bf17f7dd5b8592a41c0a1 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 22:00:46 +0100 Subject: [PATCH 031/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 9ebc490c7..42d2f5b83 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -50,10 +50,9 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + run: | terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" terraform apply -auto-approve tfplan From e8a7d3e6e576ff18689cf2ffc31100953e61d988 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 22:03:41 +0100 Subject: [PATCH 032/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 5 ++--- components/provider.tf | 8 ++++---- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 42d2f5b83..6ac260d87 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -12,7 +12,7 @@ permissions: id-token: write contents: read -jobs: +jobs: build-and-deploy: runs-on: ubuntu-latest steps: 
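Review bot: Removing the `-var="github_token=..."` line leaves the preceding `-var="override_action=plan" \` with a trailing backslash, so the shell joins `terraform apply -auto-approve tfplan` onto the `terraform plan` command as extra arguments and the step fails with an argument error. The fix is to drop the continuation, `-var="override_action=plan"`, which patch 032 does. The blank line left inside `env:` where `GITHUB_TOKEN` was is harmless to YAML but worth removing.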
@@ -50,9 +50,8 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" \ + -var="override_action=plan" terraform apply -auto-approve tfplan diff --git a/components/provider.tf b/components/provider.tf index c7c3c1a3e..1b63c6eea 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,7 +1,7 @@ -# provider "github" { -# token = var.github_token -# owner = "hmcts" -# } +provider "github" { + # token = var.github_token + owner = "hmcts" +} terraform { required_version = ">= 1.3.6" From 13f49d55842a90a4a1da91c7865acd66adbe48a1 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 22:58:29 +0100 Subject: [PATCH 033/186] adding config + pipeline --- components/variables.tf | 2 +- test-repos.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/components/variables.tf b/components/variables.tf index 6d48011c7..0e09b7b6d 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -27,7 +27,7 @@ variable "excluded_repositories" { description = "List of repositories to exclude from branch protection rules" type = list(string) default = [ - "repo-to-exclude" + "rule-set-test-repo3" ] } diff --git a/test-repos.json b/test-repos.json index a070b0362..af92c7759 100644 --- a/test-repos.json +++ b/test-repos.json @@ -1,5 +1,6 @@ [ "rule-set-test-repo", "rule-set-test-repo1", - "rule-set-test-repo2" + "rule-set-test-repo2", + "rule-set-test-repo3" ] \ No newline at end of file From 0dc2b3ff5cc7980abcee4d385f8ac7fbc680df7c Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 23:00:01 +0100 Subject: [PATCH 034/186] adding config + pipeline --- components/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
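Review bot: With `token = var.github_token` commented out, the github provider's only remaining credential source is the `GITHUB_TOKEN` environment variable, and patch 031 removed `GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}` from the step that runs plan and apply (this commit's first hunk shows that env block without it). Unless a token reaches the runner another way, `github_branch_protection_v3` writes will be unauthenticated and fail. If the env-var route is the intended design, add `GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}` back to the job's `env:` and document it on the provider block, `# token is read from the GITHUB_TOKEN environment variable set by the workflow`, so nobody re-adds `var.github_token`.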
diff --git a/components/variables.tf b/components/variables.tf index 0e09b7b6d..6124383f7 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -27,7 +27,7 @@ variable "excluded_repositories" { description = "List of repositories to exclude from branch protection rules" type = list(string) default = [ - "rule-set-test-repo3" + # "rule-set-test-repo3" ] } From 4873743413173d02a0118455eb113429e55df654 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 23:05:36 +0100 Subject: [PATCH 035/186] adding config + pipeline --- components/main.tf | 53 +++++++++++++++++++++------------------------- test-repos.json | 2 +- 2 files changed, 25 insertions(+), 30 deletions(-) diff --git a/components/main.tf b/components/main.tf index f9f868f35..20d7310c3 100644 --- a/components/main.tf +++ b/components/main.tf 
@@ -1,35 +1,30 @@ -module "tags" { - source = "git::https://github.com/hmcts/terraform-module-common-tags.git?ref=master" - environment = var.env - product = var.product - builtFrom = var.builtFrom +locals { + # Read the repositories list from the JSON file + repositories_list = jsondecode(file("${path.module}/test-repos.json")) + + # Create a combination of repositories and branches + repo_branch_combinations = flatten([ + for repo in local.repositories_list : [ + for branch in var.branches : { + repo = repo + branch = branch + } + ] + ]) } -resource "azurerm_resource_group" "rg" { - name = var.resource_group_name - location = var.location - tags = module.tags.common_tags -} - -resource "azurerm_storage_account" "sa" { - name = var.storage_account_name - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - account_tier = "Standard" - account_replication_type = "LRS" - tags = module.tags.common_tags -} - -resource "azurerm_storage_container" "tfstate" { - name = "tfstate" - storage_account_name = azurerm_storage_account.sa.name - container_access_type = "private" - +variable "branches" { + description = "List of branches to apply protection rules" + type = list(string) + default = [ + "master", + "main" + ] } # Check if branches exist data "github_branch" "existing_branches" { - for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } + for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } repository = each.value.repo branch = each.value.branch } @@ -43,7 +38,7 @@ resource "github_branch_protection_v3" "branch_protection" { repository = each.value.repo branch = each.value.branch - enforce_admins = false # Excludes organisation admins + enforce_admins = false # Excludes organization admins required_status_checks { strict = true 
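Review bot: `jsondecode(file("${path.module}/test-repos.json"))` in the new `locals` block resolves relative to `components/` (the module directory), but the diff headers place `test-repos.json` at the repository root, so `file()` will not find it at plan time; either move the file under `components/` or reference it as `${path.module}/../test-repos.json`. The block also redeclares `local.repo_branch_combinations`, which the `github_branch` data source already referenced before this commit and is presumably defined in another file of `components/`; a duplicate local is a hard error, and patch 036 removing the block again is consistent with that. On the second hunk, `enforce_admins = false # Excludes organization admins` is kept on the new side: with it false, organisation admins can push to the protected branches without the required approvals, which exempts exactly the accounts a rule set most needs to cover. If that exemption is deliberate, record the reason in the comment; otherwise set `enforce_admins = true`.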
@@ -53,7 +48,7 @@ resource "github_branch_protection_v3" "branch_protection" { required_pull_request_reviews { dismiss_stale_reviews = true require_code_owner_reviews = false - required_approving_review_count = 2 # Ensure at least 1 reviewer + required_approving_review_count = 1 # Ensure at least 1 reviewer } restrictions { @@ -65,4 +60,4 @@ resource "github_branch_protection_v3" "branch_protection" { output "existing_branches" { value = data.github_branch.existing_branches -} \ No newline at end of file +} diff --git a/test-repos.json b/test-repos.json index af92c7759..43cc4364f 100644 --- a/test-repos.json +++ b/test-repos.json @@ -3,4 +3,4 @@ "rule-set-test-repo1", "rule-set-test-repo2", "rule-set-test-repo3" -] \ No newline at end of file +] From 9d3368759ff2072c796fd79ec14da46385f9228d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 23:07:04 +0100 Subject: [PATCH 036/186] adding config + pipeline --- components/main.tf | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/components/main.tf b/components/main.tf index 20d7310c3..f58ba3fd0 100644 --- a/components/main.tf +++ b/components/main.tf @@ -1,27 +1,3 @@ -locals { - # Read the repositories list from the JSON file - repositories_list = jsondecode(file("${path.module}/test-repos.json")) - - # Create a combination of repositories and branches - repo_branch_combinations = flatten([ - for repo in local.repositories_list : [ - for branch in var.branches : { - repo = repo - branch = branch - } - ] - ]) -} - -variable "branches" { - description = "List of branches to apply protection rules" - type = list(string) - default = [ - "master", - "main" - ] -} - # Check if branches exist data "github_branch" "existing_branches" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } From c64194d2c24275fdb15a9489ccee8353da971f64 Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Wed, 3 Jul 2024 23:08:17 +0100 Subject: [PATCH 037/186] adding config + pipeline --- components/main.tf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/components/main.tf b/components/main.tf index f58ba3fd0..08dc43dda 100644 --- a/components/main.tf +++ b/components/main.tf @@ -1,3 +1,10 @@ +module "tags" { + source = "git::https://github.com/hmcts/terraform-module-common-tags.git?ref=master" + environment = var.env + product = var.product + builtFrom = var.builtFrom +} + # Check if branches exist data "github_branch" "existing_branches" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } @@ -36,4 +43,4 @@ resource "github_branch_protection_v3" "branch_protection" { output "existing_branches" { value = data.github_branch.existing_branches -} +} \ No newline at end of file From e943b43dcba87edbe24e454560caf7753e0b6c00 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Wed, 3 Jul 2024 23:09:42 +0100 Subject: [PATCH 038/186] adding config + pipeline --- components/main.tf | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/components/main.tf b/components/main.tf index 08dc43dda..7728d9314 100644 --- a/components/main.tf +++ b/components/main.tf 
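Review bot: `source = "git::https://github.com/hmcts/terraform-module-common-tags.git?ref=master"` pins the module to a moving branch, so every `terraform init` in the pipeline fetches whatever `master` holds at that moment and a change there lands in this apply with no review here. Pin to a released tag or a full commit SHA, `?ref=<tag-or-commit>` (placeholder), and bump it deliberately; the provider lockfile does not cover module sources. The `module "tags"` block is otherwise the same one patch 035 removed.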
@@ -5,6 +5,28 @@ module "tags" { builtFrom = var.builtFrom } +resource "azurerm_resource_group" "rg" { + name = var.resource_group_name + location = var.location + tags = module.tags.common_tags +} + +resource "azurerm_storage_account" "sa" { + name = var.storage_account_name + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + account_tier = "Standard" + account_replication_type = "LRS" + tags = module.tags.common_tags +} + +resource "azurerm_storage_container" "tfstate" { + name = "tfstate" + storage_account_name = azurerm_storage_account.sa.name + container_access_type = "private" + +} + # Check if branches exist data "github_branch" "existing_branches" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } From 2b99e1d5b41f57773b778cc33c3d368f859a10cb Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 00:52:17 +0100 Subject: [PATCH 039/186] adding config + pipeline --- components/.terraform.lock.hcl | 44 ++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 components/.terraform.lock.hcl diff --git a/components/.terraform.lock.hcl b/components/.terraform.lock.hcl new file mode 100644 index 000000000..d9a377f29 --- /dev/null +++ b/components/.terraform.lock.hcl 
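Review bot: The new `azurerm_storage_account` "sa" is, going by the names used in the pipeline (`storage_account_name=rulesetsa`, container `tfstate`), the Terraform state backend, and it is created on provider defaults only: no explicit `min_tls_version` or `enable_https_traffic_only`, `allow_nested_items_to_be_public` left at its permissive default, and no blob versioning, while state can contain values from variables marked `sensitive` such as `github_token`. Make the hardening explicit rather than relying on defaults, and add versioning so an overwritten or corrupted state file can be recovered. The `azurerm_storage_container` block already sets `container_access_type = "private"`, which is right; the stray blank line before its closing brace can go.

```hcl
resource "azurerm_storage_account" "sa" {
  # … unchanged: name, resource_group_name, location, account_tier, account_replication_type, tags …
  min_tls_version                 = "TLS1_2"
  enable_https_traffic_only       = true
  allow_nested_items_to_be_public = false

  blob_properties {
    versioning_enabled = true
  }
}
```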
@@ -0,0 +1,44 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.109.0" + constraints = "3.109.0" + hashes = [ + "h1:tb3a5x6HV4YRxyL3VpdTWe1vsKocKi1HT0KFWnF5ZjM=", + "zh:4324c3df26709c7e669b751259cc5e62c4694ab44370dfcdfe197dcd9261c365", + "zh:4e3e83649240cea7105cd2802d0ae64b143fb543c2f559173feae5a108bc4287", + "zh:74ebf6be1277e9bd357b011026b80fc5ec1c26b70ec7ddd5fcae5e977f9a66ef", + "zh:82cfd3c92035f834a05f4b91d813a059a29ff4157792e36a0b3a224cba8737ae", + "zh:93f05c8ae3555c885c84b82781b2e90774671c321138b7f3c38ecd498009e1d8", + "zh:9b445a9a1544b4b38db10fadbd9ffd5efdded0def54feb9ca593e1bec6fbec5f", + "zh:b21ccd2c1bc691cf2f9876482b6e226d8a37a48de951b168a10f96ba929ebefd", + "zh:b7b7e458eb3c22669e1d36e9ef1886272c10f310501001abce8ae76383014fa5", + "zh:bd3c0cf7caab0a989227934bc60a8ac27131efcf84dd77cb6e32e68374170aee", + "zh:f4b9ccbb28eadf3825f6d7d38a3519379de222f136235a2f21a96c0221d65fb8", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:f8ef0b4a970ff5edeadfdeed77f9d0682befdca5df4e9b6d9dcfdf9903305b26", + ] +} + +provider "registry.terraform.io/hashicorp/github" { + version = "6.2.2" + hashes = [ + "h1:zi0URfg9FBXCPk918XU6RqV5k6kGVknQQA7p670zmik=", + "zh:43d7e5f1e11d67e38ca717016d209d6d9a6fa03321b489f91984351bfb143b69", + "zh:46e788395034b410bf59dfa43eb748a3d81ecfd23fc442349990fd7d92bd856a", + "zh:5234b7d5c5817ff7ebec29756050708372a071a701e2c8236e714a0bd29ef160", + "zh:74c485a241cc8e8cb99f988d38116fb14e51de896761fc9ca35a34ca5c999a7e", + "zh:7606789521c50937913ea13f851150828b5f9b8804ba80c5b2538c0b019339d8", + "zh:760fb0e74590459689c7159456b6e76f165634f7d0f89f5572d56b57d387f645", + "zh:7979d9085d809bb7d0db2c67e6c3443d1c18d12e51b72220dcb4cc5e883cd64a", + "zh:8bed25d8199bf8b2e7ccf67edc1a4a2fc041bd490b2c11565c669b80be43896c", + "zh:9ff82a6279fb7ae0cd9e44f1e73b64dd2aeca43d4d3096f3f2866b1ebbcb9431", + 
"zh:a886055ecd63ccb9b880e3c3301c0eca9acb108580d12519617554ae2be9a393", + "zh:c1f20386704919c7964a95daffcb29f494efb061abc28469840df4532833cecf", + "zh:cb6e9c4e33d6a57770073867e174c09c0eed401ee70473a688d20cb1cf0394f7", + "zh:f89ca130cc90b87dc25d036fe8f8cadb6fb53dc33368a032c5cee6275f3bcddc", + "zh:f94a2d1174091f04ed361192cdda9503baa3d161849d4f218c55a96bfb1ea33d", + "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", + ] +} From 0fe8d55a9acec20c56402aadd5419b212e4cda77 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:03:09 +0100 Subject: [PATCH 040/186] adding config + pipeline --- components/variables.tf | 2 +- test-repos.json | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/components/variables.tf b/components/variables.tf index 6124383f7..933985b0d 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -27,7 +27,7 @@ variable "excluded_repositories" { description = "List of repositories to exclude from branch protection rules" type = list(string) default = [ - # "rule-set-test-repo3" + "rule-set-test-repo4" ] } diff --git a/test-repos.json b/test-repos.json index 43cc4364f..8c4b37e04 100644 --- a/test-repos.json +++ b/test-repos.json @@ -2,5 +2,6 @@ "rule-set-test-repo", "rule-set-test-repo1", "rule-set-test-repo2", - "rule-set-test-repo3" + "rule-set-test-repo3", + "rule-set-test-repo4" ] From 1526b60be1ffbc74f2bc2b995a72e48d1bf85428 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:06:18 +0100 Subject: [PATCH 041/186] adding config + pipeline --- components/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/variables.tf b/components/variables.tf index 933985b0d..b2f633df3 100644 --- a/components/variables.tf +++ b/components/variables.tf 
@@ -27,7 +27,7 @@ variable "excluded_repositories" { description = "List of repositories to exclude from branch protection rules" type = list(string) default = [ - "rule-set-test-repo4" + # "rule-set-test-repo4" ] } From a1ecd2a64f7728ac74ef9bfed6f1e3ee5f6a5b6b Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:09:35 +0100 Subject: [PATCH 042/186] adding config + pipeline --- components/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/main.tf b/components/main.tf index 7728d9314..c7c2e84ac 100644 --- a/components/main.tf +++ b/components/main.tf @@ -65,4 +65,4 @@ resource "github_branch_protection_v3" "branch_protection" { output "existing_branches" { value = data.github_branch.existing_branches -} \ No newline at end of file +} From e14f702eda9c80e3b2ad9dbeefd4a33a50338616 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:20:06 +0100 Subject: [PATCH 043/186] adding config + pipeline --- components/locals.tf | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/components/locals.tf b/components/locals.tf index 4c7f512dd..0aa31cb66 100644 --- a/components/locals.tf +++ b/components/locals.tf 
@@ -17,13 +17,18 @@ # } locals { - # Read the repositories from the JSON file - repositories_json = file("${path.module}./test-repos.json") - repositories_data = jsondecode(local.repositories_json) + # Read the repositories list from the JSON file + repositories_list = jsondecode(file("${path.module}/test-repos.json")) - # Create combinations of repositories and branches + # Filter out excluded repositories using a function instead of inline comprehension + included_repositories = [ + for repo in local.repositories_list : repo + if !contains(var.excluded_repositories, repo) + ] + + # Create a combination of repositories and branches repo_branch_combinations = flatten([ - for repo in local.repositories_data : [ + for repo in local.included_repositories : [ for branch in var.branches : { repo = repo branch = branch @@ -32,6 +37,11 @@ locals { ]) } + + + + + locals { env_display_names = { sbox = "Sandbox" From 5b6702167bd2296fadb32507a8ec414726620f77 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:21:38 +0100 Subject: [PATCH 044/186] adding config + pipeline --- components/locals.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/components/locals.tf b/components/locals.tf index 0aa31cb66..44677f217 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -20,9 +20,9 @@ locals { # Read the repositories list from the JSON file repositories_list = jsondecode(file("${path.module}/test-repos.json")) - # Filter out excluded repositories using a function instead of inline comprehension + # Filter out excluded repositories included_repositories = [ - for repo in local.repositories_list : repo + for repo in local.repositories_list : repo if !contains(var.excluded_repositories, repo) ] @@ -42,6 +42,7 @@ locals { + locals { env_display_names = { sbox = "Sandbox" From 739322ee119651852a968a870cc1c4dc86573a95 Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Thu, 4 Jul 2024 10:23:21 +0100 Subject: [PATCH 045/186] adding config + pipeline --- components/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/locals.tf b/components/locals.tf index 44677f217..4494ddf81 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -18,7 +18,7 @@ locals { # Read the repositories list from the JSON file - repositories_list = jsondecode(file("${path.module}/test-repos.json")) + repositories_list = jsondecode(file("${path.module}../test-repos.json")) # Filter out excluded repositories included_repositories = [ From 50fc558d736b4ac51d85df1b927c90e0222ba5f4 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:27:38 +0100 Subject: [PATCH 046/186] adding config + pipeline --- components/locals.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/components/locals.tf b/components/locals.tf index 4494ddf81..65b0ed0e4 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -18,7 +18,7 @@ locals { # Read the repositories list from the JSON file - repositories_list = jsondecode(file("${path.module}../test-repos.json")) + repositories_list = jsondecode(file("${path.module}/../test-repos.json")) # Filter out excluded repositories included_repositories = [ @@ -43,6 +43,7 @@ locals { + locals { env_display_names = { sbox = "Sandbox" From eb77d9c58e132ea634e900ec3c55d931e5a1043d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:32:03 +0100 Subject: [PATCH 047/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- components/locals.tf | 5 ----- components/main.tf | 6 +++--- test-repos.json | 5 +++-- 4 files changed, 7 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 6ac260d87..3b6d9c848 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -12,7 +12,7 @@ permissions: id-token: write contents: read -jobs: +jobs: build-and-deploy: runs-on: ubuntu-latest steps: diff --git a/components/locals.tf b/components/locals.tf index 65b0ed0e4..117f54e60 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -39,11 +39,6 @@ locals { - - - - - locals { env_display_names = { sbox = "Sandbox" diff --git a/components/main.tf b/components/main.tf index c7c2e84ac..31b635c78 100644 --- a/components/main.tf +++ b/components/main.tf @@ -29,7 +29,7 @@ resource "azurerm_storage_container" "tfstate" { # Check if branches exist data "github_branch" "existing_branches" { - for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } + for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } repository = each.value.repo branch = each.value.branch } @@ -43,7 +43,7 @@ resource "github_branch_protection_v3" "branch_protection" { repository = each.value.repo branch = each.value.branch - enforce_admins = false # Excludes organization admins + enforce_admins = false # Excludes organisation admins required_status_checks { strict = true @@ -65,4 +65,4 @@ resource "github_branch_protection_v3" "branch_protection" { output "existing_branches" { value = data.github_branch.existing_branches -} +} \ No newline at end of file diff --git a/test-repos.json b/test-repos.json index 8c4b37e04..79ebd790c 100644 --- a/test-repos.json +++ b/test-repos.json @@ -3,5 +3,6 @@ "rule-set-test-repo1", "rule-set-test-repo2", "rule-set-test-repo3", - "rule-set-test-repo4" -] + "rule-set-test-repo4" + ] + \ No newline at end of file From 317125a81f2f61f63b448ad40ca4419957c08868 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:34:53 +0100 Subject: [PATCH 048/186] adding config + pipeline --- components/locals.tf | 1 + components/main.tf | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
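Review bot: `enforce_admins = false # Excludes organisation admins` in the `github_branch_protection_v3.branch_protection` hunk means repository/organisation administrators can push to the protected branches without satisfying the `required_status_checks` this resource configures, which undercuts the point of an org-wide rule set. Unless a documented exception exists, set `enforce_admins = true # admins must satisfy the same checks` so the protection applies uniformly. The hunk only corrects the comment spelling; the resource block begins and ends outside it.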
diff --git a/components/locals.tf b/components/locals.tf index 117f54e60..b3977a27b 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -39,6 +39,7 @@ locals { + locals { env_display_names = { sbox = "Sandbox" diff --git a/components/main.tf b/components/main.tf index 31b635c78..cf2a0f1d4 100644 --- a/components/main.tf +++ b/components/main.tf @@ -65,4 +65,4 @@ resource "github_branch_protection_v3" "branch_protection" { output "existing_branches" { value = data.github_branch.existing_branches -} \ No newline at end of file +} From a622162abe7b2765253a59528436b63754fe08b8 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:41:39 +0100 Subject: [PATCH 049/186] adding config + pipeline --- components/locals.tf | 54 ++++++++++++++++++++--------------------- components/outputs.tf | 10 +++++++- components/variables.tf | 20 ++++++++------- 3 files changed, 47 insertions(+), 37 deletions(-) diff --git a/components/locals.tf b/components/locals.tf index b3977a27b..c19ea4c56 100644 --- a/components/locals.tf +++ b/components/locals.tf 
@@ -1,35 +1,14 @@ -# locals { -# // List of included repositories, taken directly from the 'repositories' variable -# included_repositories = var.repositories - -# // Create combinations of repositories and branches by flattening a nested loop -# repo_branch_combinations = flatten([ -# // Iterate over each repository in the included_repositories list -# for repo in local.included_repositories : [ -# // For each repository, iterate over each branch in the 'branches' variable -# for branch in var.branches : { -# // Create a map with the repository and branch names -# repo = repo -# branch = branch -# } -# ] -# ]) -# } - locals { - # Read the repositories list from the JSON file - repositories_list = jsondecode(file("${path.module}/../test-repos.json")) - - # Filter out excluded repositories - included_repositories = [ - for repo in local.repositories_list : repo - if !contains(var.excluded_repositories, repo) - ] + // List of included repositories, taken directly from the 'repositories' variable + included_repositories = var.repositories - # Create a combination of repositories and branches + // Create combinations of repositories and branches by flattening a nested loop repo_branch_combinations = flatten([ + // Iterate over each repository in the included_repositories list for repo in local.included_repositories : [ + // For each repository, iterate over each branch in the 'branches' variable for branch in var.branches : { + // Create a map with the repository and branch names repo = repo branch = branch } 
@@ -37,6 +16,27 @@ locals { ]) } +# locals { +# # Read the repositories list from the JSON file +# repositories_list = jsondecode(file("${path.module}/../test-repos.json")) + +# # Filter out excluded repositories +# included_repositories = [ +# for repo in local.repositories_list : repo +# if !contains(var.excluded_repositories, repo) +# ] + +# # Create a combination of repositories and branches +# repo_branch_combinations = flatten([ +# for repo in local.included_repositories : [ +# for branch in var.branches : { +# repo = repo +# branch = branch +# } +# ] +# ]) +# } + diff --git a/components/outputs.tf b/components/outputs.tf index 62c76cb79..6faa09aa3 100644 --- a/components/outputs.tf +++ b/components/outputs.tf @@ -4,4 +4,12 @@ output "common_tags" { Product = var.product BuiltFrom = var.builtFrom } -} \ No newline at end of file +} + +output "included_repositories" { + value = local.included_repositories +} + +output "repo_branch_combinations" { + value = local.repo_branch_combinations +} diff --git a/components/variables.tf b/components/variables.tf index b2f633df3..21c4342e4 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -4,15 +4,17 @@ # sensitive = true # } -# variable "repositories" { -# description = "List of repositories to apply branch protection rules" -# type = list(string) -# default = [ -# "rule-set-test-repo", -# "rule-set-test-repo1", -# "rule-set-test-repo2" -# ] -# } +variable "repositories" { + description = "List of repositories to apply branch protection rules" + type = list(string) + default = [ + "rule-set-test-repo", + "rule-set-test-repo1", + "rule-set-test-repo2", + "rule-set-test-repo3", + "rule-set-test-repo4" + ] +} variable "branches" { description = "List of branches to apply protection rules" From 1cfc096d90b1092a8e171c81ba73d4dda6a32c60 Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Thu, 4 Jul 2024 10:45:28 +0100 Subject: [PATCH 050/186] adding config + pipeline --- components/outputs.tf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/components/outputs.tf b/components/outputs.tf index 6faa09aa3..0dffb93fa 100644 --- a/components/outputs.tf +++ b/components/outputs.tf @@ -13,3 +13,10 @@ output "included_repositories" { output "repo_branch_combinations" { value = local.repo_branch_combinations } + +output "valid_branch_combinations" { + value = { + for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo + if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null + } +} From 29eab8cba16afc322f32604abee409243d08d754 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:54:29 +0100 Subject: [PATCH 051/186] adding config + pipeline --- components/locals.tf | 54 ++++++++++++++++++++++---------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/components/locals.tf b/components/locals.tf index c19ea4c56..b3977a27b 100644 --- a/components/locals.tf +++ b/components/locals.tf 
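Review bot: The `try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null` filter in the new `valid_branch_combinations` output cannot skip missing branches, because `try()` only catches expression-evaluation errors: if the `github_branch` data source errors on a branch that does not exist (as far as I know the provider returns the 404 as an error rather than an empty result), the whole plan fails before this output is evaluated, and if it does not error the lookup never yields `null`. If the intent is to protect only branches that exist, derive the existing set from a per-repository listing (for example a branches data source, if provider 6.2.2 offers one) and filter `local.repo_branch_combinations` before any per-branch data source is instantiated. At minimum add a comment stating which case this `try()` is expected to handle.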
@@ -1,35 +1,14 @@ -locals { - // List of included repositories, taken directly from the 'repositories' variable - included_repositories = var.repositories - - // Create combinations of repositories and branches by flattening a nested loop - repo_branch_combinations = flatten([ - // Iterate over each repository in the included_repositories list - for repo in local.included_repositories : [ - // For each repository, iterate over each branch in the 'branches' variable - for branch in var.branches : { - // Create a map with the repository and branch names - repo = repo - branch = branch - } - ] - ]) -} - # locals { -# # Read the repositories list from the JSON file -# repositories_list = jsondecode(file("${path.module}/../test-repos.json")) - -# # Filter out excluded repositories -# included_repositories = [ -# for repo in local.repositories_list : repo -# if !contains(var.excluded_repositories, repo) -# ] +# // List of included repositories, taken directly from the 'repositories' variable +# included_repositories = var.repositories -# # Create a combination of repositories and branches +# // Create combinations of repositories and branches by flattening a nested loop # repo_branch_combinations = flatten([ +# // Iterate over each repository in the included_repositories list # for repo in local.included_repositories : [ +# // For each repository, iterate over each branch in the 'branches' variable # for branch in var.branches : { +# // Create a map with the repository and branch names # repo = repo # branch = branch # } 
@@ -37,6 +16,27 @@ locals { # ]) # } +locals { + # Read the repositories list from the JSON file + repositories_list = jsondecode(file("${path.module}/../test-repos.json")) + + # Filter out excluded repositories + included_repositories = [ + for repo in local.repositories_list : repo + if !contains(var.excluded_repositories, repo) + ] + + # Create a combination of repositories and branches + repo_branch_combinations = flatten([ + for repo in local.included_repositories : [ + for branch in var.branches : { + repo = repo + branch = branch + } + ] + ]) +} + From c8304f6eb3c4cc41f40b221974be077a6a8236f9 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:58:37 +0100 Subject: [PATCH 052/186] adding config + pipeline --- components/outputs.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/components/outputs.tf b/components/outputs.tf index 0dffb93fa..63dd1f39a 100644 --- a/components/outputs.tf +++ b/components/outputs.tf @@ -14,9 +14,14 @@ output "repo_branch_combinations" { value = local.repo_branch_combinations } +output "existing_branches" { + value = data.github_branch.existing_branches +} + output "valid_branch_combinations" { value = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null } } + From f21930565f8fe6a46dbeb252f3bd1c5d8c917727 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 10:59:48 +0100 Subject: [PATCH 053/186] adding config + pipeline --- components/outputs.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/components/outputs.tf b/components/outputs.tf index 63dd1f39a..42ba2f2ed 100644 --- a/components/outputs.tf +++ b/components/outputs.tf 
@@ -14,10 +14,6 @@ output "repo_branch_combinations" { value = local.repo_branch_combinations } -output "existing_branches" { - value = data.github_branch.existing_branches -} - output "valid_branch_combinations" { value = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo From e44b485a6ce04d9e0efcaa633e36aa2d2fccd438 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:02:04 +0100 Subject: [PATCH 054/186] adding config + pipeline --- components/variables.tf | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/components/variables.tf b/components/variables.tf index 21c4342e4..6fa302c98 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,21 +1,21 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } - -variable "repositories" { - description = "List of repositories to apply branch protection rules" - type = list(string) - default = [ - "rule-set-test-repo", - "rule-set-test-repo1", - "rule-set-test-repo2", - "rule-set-test-repo3", - "rule-set-test-repo4" - ] +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true } +# variable "repositories" { +# description = "List of repositories to apply branch protection rules" +# type = list(string) +# default = [ +# "rule-set-test-repo", +# "rule-set-test-repo1", +# "rule-set-test-repo2", +# "rule-set-test-repo3", +# "rule-set-test-repo4" +# ] +# } + variable "branches" { description = "List of branches to apply protection rules" type = list(string) From d6d30c9ad145d933b6d341bf8f9ceb65781bf97e Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:04:33 +0100 Subject: [PATCH 055/186] adding config + pipeline --- components/provider.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/components/provider.tf b/components/provider.tf index 1b63c6eea..af8277e58 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,5 +1,5 @@ provider "github" { - # token = var.github_token + token = var.github_token owner = "hmcts" } From 44fc5c52ccae590bb5e7662915694cc6fb809a90 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:08:52 +0100 Subject: [PATCH 056/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 32 +++++++++++++------------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 3b6d9c848..9060c2d79 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -12,25 +12,24 @@ permissions: id-token: write contents: read -jobs: - build-and-deploy: +jobs: + plan-and-apply: runs-on: ubuntu-latest + timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - name: 'Az CLI login' + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - name: Initialize Terraform - working-directory: ./components + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} 
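Review bot: The `Log in to Azure` step regresses from a federated (OIDC) `azure/login` call using only `client-id`/`tenant-id`/`subscription-id` to `creds: ${{ secrets.AZURE_CREDENTIALS }}`, a long-lived service-principal JSON secret, while the workflow still declares `id-token: write` and the init step still injects `ARM_CLIENT_SECRET`. Prefer keeping the OIDC form and letting the azurerm backend and provider use it via `ARM_USE_OIDC: true` with `ARM_CLIENT_ID`/`ARM_TENANT_ID`/`ARM_SUBSCRIPTION_ID` only, so no client secret exists to leak or rotate. `actions/checkout@v2` and `hashicorp/setup-terraform@v1` are floating tags on old majors; pin third-party actions to a full commit SHA with the version in a trailing comment to limit supply-chain exposure. The hunk ends inside the `Initialize Terraform` step's `env:` block, which continues past it.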
@@ -43,15 +42,10 @@ jobs: -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - name: Plan and Apply Terraform - working-directory: ./components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: | - terraform plan -out=tfplan \ - -var="location=UK South" \ - -var="override_action=plan" - terraform apply -auto-approve tfplan + - name: Plan Terraform + working-directory: components + run: terraform plan -out=tfplan -var-file="terraform.tfvars" + + - name: Apply Terraform + working-directory: components + run: terraform apply -auto-approve tfplan From 4ffebd4fac7d19efb395d489f4691e0619f3bcb4 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:10:51 +0100 Subject: [PATCH 057/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 9060c2d79..66ad88d0f 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -20,10 +20,13 @@ jobs: - name: Checkout code uses: actions/checkout@v2 - - name: Log in to Azure + - name: 'Log in to Azure' uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 From b722418f535a9d518dba130b550429b493be4a6c Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:13:18 +0100 Subject: [PATCH 058/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 5 +---- components/variables.tf | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) 
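Review bot: The new `Apply Terraform` step runs `terraform apply -auto-approve tfplan` unconditionally on every run of `plan-and-apply`, and the workflow's `on:` block (outside this hunk, but it lists a `pull_request` trigger elsewhere in this series) would then apply branch-protection changes to live repositories as soon as a PR is opened or updated. Gate the apply on the event, e.g. `if: github.event_name == 'push' && github.ref == 'refs/heads/main'`, and keep pull requests at `terraform plan`. The `override_action` variable in variables.tf still defaults to `plan`, but after this hunk nothing in the pipeline reads it, so either wire it into the apply condition or remove it to avoid a misleading safety switch.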
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 66ad88d0f..df71ea78a 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -23,10 +23,7 @@ jobs: - name: 'Log in to Azure' uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 diff --git a/components/variables.tf b/components/variables.tf index 6fa302c98..87929d985 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -36,7 +36,7 @@ variable "excluded_repositories" { variable "override_action" { description = "The action to override" type = string - default = "true" + default = "plan" } variable "location" { From 1dd44a0487e6aeeaa98dc11fa55f99ae4f85f4b9 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:15:13 +0100 Subject: [PATCH 059/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index df71ea78a..c4f9d1b24 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -48,4 +48,4 @@ jobs: - name: Apply Terraform working-directory: components - run: terraform apply -auto-approve tfplan + run: terraform apply -auto-approve tfplan \ No newline at end of file From 0ba2451c812e275d3e4ea89adae4c58235889bc3 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:19:15 +0100 Subject: [PATCH 060/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index c4f9d1b24..f940a0c51 100644 
--- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -30,11 +30,6 @@ jobs: - name: Initialize Terraform working-directory: components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ @@ -42,10 +37,14 @@ jobs: -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - name: Plan Terraform - working-directory: components - run: terraform plan -out=tfplan -var-file="terraform.tfvars" - - - name: Apply Terraform + - name: Plan and Apply Terraform working-directory: components - run: terraform apply -auto-approve tfplan \ No newline at end of file + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + run: | + terraform plan -out=tfplan -var-file="terraform.tfvars" + terraform apply -auto-approve tfplan From 3a295920d3905878388a5293562817f7172ca95b Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:22:53 +0100 Subject: [PATCH 061/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index f940a0c51..a4a08c40b 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
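Review bot: `GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}` hands the GitHub provider a personal access token; managing branch protection across the organisation needs repository-admin rights, so this is a user-bound, broadly scoped credential kept as a repository secret, with no expiry unless someone set one. Prefer a GitHub App installation token minted per run (for example with an app-token action granting only repository `administration: write` on the target repositories), which is short-lived and not tied to a person; if a PAT must remain, use a fine-grained PAT with an expiry and record the required permission in a comment beside the secret name. The `Initialize Terraform` step also loses its `ARM_*` env here, so backend authentication presumably now rests solely on the earlier `az login` session — add a comment such as `# backend auth comes from the az CLI session above` so nobody removes that step.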
@@ -20,16 +20,21 @@ jobs: - name: Checkout code uses: actions/checkout@v2 - - name: 'Log in to Azure' - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Log in to Azure + run: | + az login --service-principal -u ${{ secrets.ARM_CLIENT_ID }} -p ${{ secrets.ARM_CLIENT_SECRET }} --tenant ${{ secrets.ARM_TENANT_ID }} + az account set --subscription ${{ secrets.ARM_SUBSCRIPTION_ID }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - name: Initialize Terraform working-directory: components + env: + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ @@ -40,10 +45,10 @@ jobs: - name: Plan and Apply Terraform working-directory: components env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan -var-file="terraform.tfvars" From e09a65a15daff69157302f342a7f4a8f904726ed Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:25:59 +0100 Subject: [PATCH 062/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index a4a08c40b..70c964a06 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
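Review bot: The new `az login --service-principal -u ${{ secrets.ARM_CLIENT_ID }} -p ${{ secrets.ARM_CLIENT_SECRET }} --tenant ...` line places the client secret in the process arguments of `az`, where it is visible to any process listing on the runner and to shell tracing; GitHub's log masking does not cover those paths. At minimum pass it through the step's `env:` and reference it as `--password "$ARM_CLIENT_SECRET"`; better, return to `azure/login` with OIDC, since the job already has `id-token: write`, and no stored secret is needed at all. This hunk also renames the subscription secret to `ARM_SUBSCRIPTION_ID` while the following patch renames it back; settle on one name and document it.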
@@ -20,20 +20,26 @@ jobs: - name: Checkout code uses: actions/checkout@v2 - - name: Log in to Azure + - name: 'Az CLI login' run: | - az login --service-principal -u ${{ secrets.ARM_CLIENT_ID }} -p ${{ secrets.ARM_CLIENT_SECRET }} --tenant ${{ secrets.ARM_TENANT_ID }} - az account set --subscription ${{ secrets.ARM_SUBSCRIPTION_ID }} + az login --service-principal \ + -u ${{ secrets.ARM_CLIENT_ID }} \ + -p ${{ secrets.ARM_CLIENT_SECRET }} \ + --tenant ${{ secrets.ARM_TENANT_ID }} + az account set --subscription ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 + - name: Change directory to Terraform config + run: cd components + - name: Initialize Terraform working-directory: components env: ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} run: | terraform init \ @@ -47,9 +53,12 @@ jobs: env: ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform plan -out=tfplan -var-file="terraform.tfvars" + terraform plan -out=tfplan \ + -var="location=UK South" \ + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" terraform apply -auto-approve tfplan From 7f7583b2d10b0abd2ba5bc55a321e1f0ed7892a1 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:28:35 +0100 Subject: [PATCH 063/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 41 +++++++++++++++------------------ 1 file changed, 19 insertions(+), 22 deletions(-) 
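Review bot: The added `Change directory to Terraform config` step, `run: cd components`, is a no-op because every `run:` executes in a fresh shell, and the following steps already set `working-directory: components`. Drop the step rather than keep a misleading one; it is carried along through patches 063 to 076 and only removed in patch 077.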
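Review bot: `-var="github_token=${{ secrets.PAT_TOKEN }}"` puts the token on the terraform command line and, because `-out=tfplan` is used, into the saved plan file, which stores input variable values even when the variable is declared `sensitive = true`; the step also already exports the same token as `GITHUB_TOKEN`, which the github provider reads on its own. Supply it as `TF_VAR_github_token: ${{ secrets.PAT_TOKEN }}` in `env:` instead of an argv `-var`, or drop `var.github_token` and let the provider read `GITHUB_TOKEN`, and make sure `tfplan` is never uploaded as an artifact. The same `-var` line returns in patches 063, 068, 075 and 079.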
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 70c964a06..96b8b6d24 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: @@ -7,11 +7,11 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest 
@@ -19,46 +19,43 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v2 - - - name: 'Az CLI login' - run: | - az login --service-principal \ - -u ${{ secrets.ARM_CLIENT_ID }} \ - -p ${{ secrets.ARM_CLIENT_SECRET }} \ - --tenant ${{ secrets.ARM_TENANT_ID }} - az account set --subscription ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + + - name: Log in to Azure + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: - ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform working-directory: components env: - ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" \ -var="github_token=${{ secrets.PAT_TOKEN }}" - terraform apply -auto-approve tfplan + terraform apply -auto-approve tfplan \ No newline at end of file 
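Review bot: Reverting to `creds: ${{ secrets.AZURE_CREDENTIALS }}` means the job now carries two copies of a long-lived service-principal secret (the JSON blob for `azure/login` and `ARM_CLIENT_SECRET` for Terraform) while the `id-token: write` permission declared in this file goes unused. The trigger block earlier in this commit includes `pull_request`, and this step still ends in `terraform apply -auto-approve tfplan`, so an unmerged branch can change the rule sets; gate the apply with `if: github.event_name == 'push'`. Pinning `actions/checkout`, `hashicorp/setup-terraform` and `azure/login` to commit SHAs rather than floating major tags would also remove a supply-chain dependency on whoever controls those tags.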
From b47c4b2935ffc69c570687f719ffe2ef1475dc3e Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:33:40 +0100 Subject: [PATCH 064/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 +-- test-repos.json | 3 ++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 96b8b6d24..6aac1bcca 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -57,5 +57,4 @@ jobs: terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" - terraform apply -auto-approve tfplan \ No newline at end of file + -var="github_token=${{ secrets.PAT_TOKEN }}" \ No newline at end of file diff --git a/test-repos.json b/test-repos.json index 79ebd790c..4211e0262 100644 --- a/test-repos.json +++ b/test-repos.json @@ -3,6 +3,7 @@ "rule-set-test-repo1", "rule-set-test-repo2", "rule-set-test-repo3", - "rule-set-test-repo4" + "rule-set-test-repo4", + "rule-set-test-repo5" ] \ No newline at end of file From 189d1a0d2473b162bb32fb23d641cf73bcd992ff Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:35:41 +0100 Subject: [PATCH 065/186] adding config + pipeline --- components/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/variables.tf b/components/variables.tf index 87929d985..99580e375 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -29,7 +29,7 @@ variable "excluded_repositories" { description = "List of repositories to exclude from branch protection rules" type = list(string) default = [ - # "rule-set-test-repo4" + "rule-set-test-repo5" ] } From fc15b769a19bd84ac6b90312bee2ad5623e01d88 Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Thu, 4 Jul 2024 11:46:50 +0100 Subject: [PATCH 066/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 25 +++++++++++++------------ components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 3 files changed, 19 insertions(+), 18 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 6aac1bcca..070513057 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: @@ -7,11 +7,11 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest @@ -19,18 +19,20 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: @@ -44,7 +46,7 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform working-directory: components env: @@ -52,9 +54,8 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" \ No newline at end of file + -var="override_action=plan" + terraform apply -auto-approve tfplan 
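Review bot: The login step now uses federated `client-id`/`tenant-id`/`subscription-id` inputs, but the `Initialize Terraform` and `Plan and Apply Terraform` steps below still pass `ARM_CLIENT_SECRET`, so Terraform keeps authenticating with the client secret and the OIDC login only covers the Azure CLI. If the app registration has a federated credential, set `ARM_USE_OIDC: true` in those steps' `env:` and remove `ARM_CLIENT_SECRET` so the job holds no long-lived secret; the azurerm provider should then pick up the GitHub Actions ID token itself. Patches 069, 070, 073 and 077 reintroduce this mixed configuration, and patch 070 even names the secret `AZURE_CLIENT_SECRET_OIDC`, which a federated credential does not have.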
diff --git a/components/provider.tf b/components/provider.tf index af8277e58..1b63c6eea 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,5 +1,5 @@ provider "github" { - token = var.github_token + # token = var.github_token owner = "hmcts" } diff --git a/components/variables.tf b/components/variables.tf index 99580e375..df839f65a 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 07f1b4540474ca2799e6cecc2e2b25fb76ad5ccd Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:48:11 +0100 Subject: [PATCH 067/186] adding config + pipeline --- components/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/variables.tf b/components/variables.tf index df839f65a..1f5a923bc 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -29,7 +29,7 @@ variable "excluded_repositories" { description = "List of repositories to exclude from branch protection rules" type = list(string) default = [ - "rule-set-test-repo5" + # "rule-set-test-repo5" ] } From 39b3258b8c6f11799a07d87c2e68528b85ed37e7 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:50:14 +0100 Subject: [PATCH 068/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 25 ++++++++++++------------- components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 3 files changed, 18 insertions(+), 19 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 070513057..6aac1bcca 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
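Review bot: Commenting out `token = var.github_token` leaves the github provider to fall back on the `GITHUB_TOKEN` environment variable, and the pipeline hunk in this same commit removes that variable from the step, so the provider is likely to end up unauthenticated against `owner = "hmcts"`. Decide on one credential path and delete the other instead of commenting it out; the toggling of these lines in patches 068, 069, 075, 076, 079, 080 and 081 shows how easy it is to lose track of which copy is live. If the variable path is kept, `variable "github_token"` with `sensitive = true` is the right shape, so the real cleanup belongs in the workflow.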
@@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: @@ -7,11 +7,11 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest @@ -19,20 +19,18 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: @@ -46,7 +44,7 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform working-directory: components env: @@ -54,8 +52,9 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" - terraform apply -auto-approve tfplan + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index 1b63c6eea..af8277e58 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,5 +1,5 @@ provider "github" { - # token = var.github_token + token = var.github_token owner = "hmcts" } diff --git a/components/variables.tf b/components/variables.tf index 1f5a923bc..df060b83f 100644 --- a/components/variables.tf +++ b/components/variables.tf 
@@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 13300c292a978ac268ffd4aa75fd6077f2b3dd2b Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 11:57:18 +0100 Subject: [PATCH 069/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 30 +++++++++++++++++------------- components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 3 files changed, 23 insertions(+), 19 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 6aac1bcca..24abd90b8 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: @@ -7,30 +7,35 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest timeout-minutes: 60 + env: + ACTIONS_STEP_DEBUG: true + ACTIONS_RUNNER_DEBUG: true steps: - name: Checkout code uses: actions/checkout@v2 - - - name: Log in to Azure + + - name: 'Az CLI login' uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: 
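Review bot: `ACTIONS_STEP_DEBUG: true` and `ACTIONS_RUNNER_DEBUG: true` are read by the runner from repository secrets or variables, not from a job's `env:` block, so this addition is unlikely to produce any extra logging. If verbose logs are genuinely needed, enable them at the repository level for the duration of the investigation and remove them afterwards, since they make the `az login` and Terraform steps far chattier around credential handling. Patch 070 drops these two lines again, so this hunk can be dropped as well.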
@@ -44,7 +49,7 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform working-directory: components env: @@ -52,9 +57,8 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" \ No newline at end of file + -var="override_action=plan" + terraform apply -auto-approve tfplan diff --git a/components/provider.tf b/components/provider.tf index af8277e58..1b63c6eea 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,5 +1,5 @@ provider "github" { - token = var.github_token + # token = var.github_token owner = "hmcts" } diff --git a/components/variables.tf b/components/variables.tf index df060b83f..1f5a923bc 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } # variable "repositories" { # description = "List of repositories to apply branch protection rules" From b226657bb13ed10a84f2da0ca46c30b75462b95a Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 12:21:01 +0100 Subject: [PATCH 070/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 24abd90b8..9099e9760 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -16,19 +16,17 @@ jobs: plan-and-apply: runs-on: ubuntu-latest timeout-minutes: 60 - env: - ACTIONS_STEP_DEBUG: true - ACTIONS_RUNNER_DEBUG: true steps: - name: Checkout code uses: actions/checkout@v2 - - name: 'Az CLI login' + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} + client-id: ${{ secrets.AZURE_CLIENT_ID_OIDC }} + tenant-id: ${{ secrets.AZURE_TENANT_ID_OIDC }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + allow-no-subscriptions: true - name: Setup Terraform uses: hashicorp/setup-terraform@v1 @@ -39,10 +37,10 @@ jobs: - name: Initialize Terraform working-directory: components env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_OIDC }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET_OIDC }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID_OIDC }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ @@ -53,12 +51,11 @@ jobs: - name: Plan and Apply Terraform working-directory: components env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_OIDC }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET_OIDC }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID_OIDC }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" - terraform apply -auto-approve tfplan From ff1aabae7ecaef2cee217c97847143e8d681aecc Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Thu, 4 Jul 2024 12:26:42 +0100 Subject: [PATCH 071/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 9099e9760..78957750f 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -26,7 +26,6 @@ jobs: client-id: ${{ secrets.AZURE_CLIENT_ID_OIDC }} tenant-id: ${{ secrets.AZURE_TENANT_ID_OIDC }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - allow-no-subscriptions: true - name: Setup Terraform uses: hashicorp/setup-terraform@v1 From 1a48d4b52d2014901ed63426e9ac04e9f022bb65 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 12:30:15 +0100 Subject: [PATCH 072/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 35 ++++++++++++++++----------------- 1 file changed, 17 insertions(+), 18 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 78957750f..56dbdec04 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: @@ -7,11 +7,11 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest 
@@ -19,42 +19,41 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID_OIDC }} - tenant-id: ${{ secrets.AZURE_TENANT_ID_OIDC }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_OIDC }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET_OIDC }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID_OIDC }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform working-directory: components env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID_OIDC }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET_OIDC }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID_OIDC }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" + -var="override_action=plan" \ + terraform apply -auto-approve tfplan \ No newline at end of file From 729ebee5410df366f16b0d25c3adc3e29e952d06 Mon Sep 17 00:00:00 2001 
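Review bot: The trailing backslash on `-var="override_action=plan" \` turns the following `terraform apply -auto-approve tfplan` line into a continuation of the `terraform plan` command, so no separate apply ever runs and plan receives three unexpected arguments. Remove the backslash, or split plan and apply into two steps as patch 073 does. Patch 076 reintroduces the same trailing backslash.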
From: Connor O'Kane Date: Thu, 4 Jul 2024 12:33:31 +0100 Subject: [PATCH 073/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 35 ++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 12 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 56dbdec04..d38ed74b6 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: @@ -7,11 +7,11 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest @@ -19,18 +19,20 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: @@ -44,8 +46,8 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - - name: Plan and Apply Terraform + + - name: Plan Terraform working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} 
@@ -55,5 +57,14 @@ jobs: run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" \ - terraform apply -auto-approve tfplan \ No newline at end of file + -var="override_action=plan" + + - name: Apply Terraform + working-directory: components + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: | + terraform apply -auto-approve tfplan From d02b271ede3df18ac62d72843d56312c7c6eebe9 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 12:37:12 +0100 Subject: [PATCH 074/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index d38ed74b6..2c5303d58 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -67,4 +67,4 @@ jobs: ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: | - terraform apply -auto-approve tfplan + terraform apply -auto-approve tfplan \ No newline at end of file From 782d647122f134cf661b8189962009b3bae7f6df Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 12:40:00 +0100 Subject: [PATCH 075/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 35 ++++++++++++--------------------- components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 3 files changed, 19 insertions(+), 28 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 2c5303d58..96b8b6d24 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: 
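Review bot: The `ARM_CLIENT_ID`/`ARM_CLIENT_SECRET`/`ARM_SUBSCRIPTION_ID`/`ARM_TENANT_ID` block is now repeated verbatim in the init, plan and new `Apply Terraform` steps; hoisting it to a job-level `env:` keeps the credential references in one place and removes the copy-paste drift seen in earlier patches. Since the apply is now its own step, this is also the natural place for `if: github.event_name == 'push'` so that pull requests stop at the plan.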
@@ -7,11 +7,11 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest @@ -19,20 +19,18 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: @@ -46,25 +44,18 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - - name: Plan Terraform + + - name: Plan and Apply Terraform working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" - - - name: Apply Terraform - working-directory: components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: | + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" terraform apply -auto-approve tfplan \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index 1b63c6eea..af8277e58 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,5 +1,5 @@ provider "github" { - # token = var.github_token + token = var.github_token owner = "hmcts" } 
diff --git a/components/variables.tf b/components/variables.tf index 1f5a923bc..df060b83f 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 3673d692844f201c9758f83b35abebdbdeca382a Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 12:49:07 +0100 Subject: [PATCH 076/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 +-- components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 96b8b6d24..fc8b3bbd9 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -52,10 +52,9 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + run: | terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" terraform apply -auto-approve tfplan \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index af8277e58..1b63c6eea 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,5 +1,5 @@ provider "github" { - token = var.github_token + # token = var.github_token owner = "hmcts" } diff --git a/components/variables.tf b/components/variables.tf index df060b83f..1f5a923bc 100644 --- a/components/variables.tf +++ b/components/variables.tf 
@@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 14018f5b23a06ee164d17284d6bf15071f289415 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 12:50:35 +0100 Subject: [PATCH 077/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 21 ++++++++++----------- 1 file changed, 10 insertions(+), 11 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index fc8b3bbd9..05f5124b3 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -11,28 +11,28 @@ on: permissions: id-token: write contents: read + packages: write + actions: write jobs: - plan-and-apply: + build-and-deploy: runs-on: ubuntu-latest - timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - name: Log in to Azure + - name: 'Az CLI login' uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - name: Change directory to Terraform config - run: cd components - - name: Initialize Terraform - working-directory: components + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} 
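Review bot: `packages: write` and `actions: write` are added to `permissions:` although no step in this job publishes a package or calls the Actions API, so the job token gains write scopes it never uses; keep the block at `id-token: write` and `contents: read`. Removing `timeout-minutes: 60` also lets a hung `terraform init` or apply (for example one waiting on the state lock) occupy the runner up to the default six-hour job limit. Patch 080 re-applies both changes after patch 079 reverts them.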
@@ -46,15 +46,14 @@ jobs: -backend-config="key=terraform.tfstate" - name: Plan and Apply Terraform - working-directory: components + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" \ + -var="override_action=plan" terraform apply -auto-approve tfplan \ No newline at end of file From 287b61420a5d79ecc55727cacadf81ae8cd489be Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 12:57:50 +0100 Subject: [PATCH 078/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 05f5124b3..ae7d70930 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -56,4 +56,5 @@ jobs: terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" - terraform apply -auto-approve tfplan \ No newline at end of file + terraform apply -auto-approve tfplan + \ No newline at end of file From 556036356cd846c50ea15c0c83f5f6832bd5640d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 14:58:08 +0100 Subject: [PATCH 079/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 24 ++++++++++++------------ components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ae7d70930..6aac1bcca 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -11,28 +11,28 @@ on: permissions: id-token: write contents: read - packages: write - actions: write jobs: - build-and-deploy: + plan-and-apply: runs-on: ubuntu-latest + timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - name: 'Az CLI login' + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 + - name: Change directory to Terraform config + run: cd components + - name: Initialize Terraform - working-directory: ./components + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} @@ -46,15 +46,15 @@ jobs: -backend-config="key=terraform.tfstate" - name: Plan and Apply Terraform - working-directory: ./components + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" - terraform apply -auto-approve tfplan - \ No newline at end of file + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index 1b63c6eea..af8277e58 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,5 +1,5 @@ provider "github" { - # token = var.github_token + token = var.github_token owner = "hmcts" } diff --git a/components/variables.tf b/components/variables.tf index 1f5a923bc..df060b83f 100644 --- a/components/variables.tf +++ b/components/variables.tf 
@@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} # variable "repositories" { # description = "List of repositories to apply branch protection rules" From 4e6dcbe787c337b6dd3d474e5481da8d5944d733 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 15:02:02 +0100 Subject: [PATCH 080/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 24 ++++++++++++------------ components/provider.tf | 2 +- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 6aac1bcca..ae7d70930 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -11,28 +11,28 @@ on: permissions: id-token: write contents: read + packages: write + actions: write jobs: - plan-and-apply: + build-and-deploy: runs-on: ubuntu-latest - timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - name: Log in to Azure + - name: 'Az CLI login' uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - name: Change directory to Terraform config - run: cd components - - name: Initialize Terraform - working-directory: components + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} 
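Review bot: Re-adding `packages: write` and `actions: write` to the workflow `permissions:` widens the job's `GITHUB_TOKEN` although no step in the workflow publishes packages or drives other workflows; the GitHub changes made here go through the PAT, not the job token. Keep the block at `id-token: write` and `contents: read`, which is all the visible steps use. Removing `timeout-minutes: 60` also lets a hung `terraform apply` hold the runner for the default six-hour job limit; keep the timeout.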
@@ -46,15 +46,15 @@ jobs: -backend-config="key=terraform.tfstate" - name: Plan and Apply Terraform - working-directory: components + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" \ No newline at end of file + -var="override_action=plan" + terraform apply -auto-approve tfplan + \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index af8277e58..1b63c6eea 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -1,5 +1,5 @@ provider "github" { - token = var.github_token + # token = var.github_token owner = "hmcts" } From d4b52e374f07fa1b91c843f018032bf208a66176 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 15:03:54 +0100 Subject: [PATCH 081/186] adding config + pipeline --- components/variables.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/components/variables.tf b/components/variables.tf index df060b83f..1f5a923bc 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } # variable "repositories" { # description = "List of repositories to apply branch protection rules" From e3fa42e374931875e8c76a10ac30d4b8c8a5ce12 Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Thu, 4 Jul 2024 15:19:11 +0100 Subject: [PATCH 082/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ae7d70930..05f5124b3 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -56,5 +56,4 @@ jobs: terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" - terraform apply -auto-approve tfplan - \ No newline at end of file + terraform apply -auto-approve tfplan \ No newline at end of file From 2b4b241f6a11dd1f7e329296da7240169ce50c16 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 15:25:23 +0100 Subject: [PATCH 083/186] adding config + pipeline --- components/main.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/components/main.tf b/components/main.tf index cf2a0f1d4..1aef5276e 100644 --- a/components/main.tf +++ b/components/main.tf @@ -34,6 +34,11 @@ data "github_branch" "existing_branches" { branch = each.value.branch } +# Output existing branches for debugging +output "existing_branches" { + value = data.github_branch.existing_branches +} + # Apply branch protection rules only if the branch exists resource "github_branch_protection_v3" "branch_protection" { for_each = { @@ -63,6 +68,7 @@ resource "github_branch_protection_v3" "branch_protection" { } } + output "existing_branches" { value = data.github_branch.existing_branches } From d6e4595bd9bcb1b34e0564ebb13c3e5e5fa104dd Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 15:26:38 +0100 Subject: [PATCH 084/186] adding config + pipeline --- components/main.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/components/main.tf b/components/main.tf index 1aef5276e..3530aaeb3 100644 --- a/components/main.tf +++ b/components/main.tf 
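Review bot: The first hunk adds an `output "existing_branches"` block directly after the `data "github_branch"` block while the second hunk's context shows the same-named output already present at the end of the file, and Terraform refuses duplicate output names within one module, so this configuration will not validate. Keep one, or better drop both: the output dumps the whole `data.github_branch.existing_branches` map into plan output and state, which is debug noise that the pipeline logs keep permanently. PATCH 084/186 removes the trailing copy.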
@@ -67,8 +67,3 @@ resource "github_branch_protection_v3" "branch_protection" { apps = [] } } - - -output "existing_branches" { - value = data.github_branch.existing_branches -} From 5cc826242e5d9729af991f50740913dd959dae92 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 16:06:41 +0100 Subject: [PATCH 085/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 13 +++++++++++-- components/locals.tf | 3 --- components/provider.tf | 30 +++++++++++++----------------- 3 files changed, 24 insertions(+), 22 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 05f5124b3..186a05bd3 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -45,7 +45,7 @@ jobs: -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - name: Plan and Apply Terraform + - name: Plan Terraform working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} @@ -56,4 +56,13 @@ jobs: terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" - terraform apply -auto-approve tfplan \ No newline at end of file + + - name: Apply Terraform + working-directory: ./components + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: | + terraform apply -auto-approve tfplan diff --git a/components/locals.tf b/components/locals.tf index b3977a27b..7218dc51d 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -37,9 +37,6 @@ locals { ]) } - - - locals { env_display_names = { sbox = "Sandbox" diff --git a/components/provider.tf b/components/provider.tf index 1b63c6eea..a63c4f046 100644 --- a/components/provider.tf +++ b/components/provider.tf 
@@ -1,30 +1,26 @@ +provider "azurerm" { + features {} +} + provider "github" { - # token = var.github_token owner = "hmcts" + # token = var.github_token } terraform { - required_version = ">= 1.3.6" - - # backend "azurerm" { - # } - required_providers { - azurerm = { - source = "hashicorp/azurerm" - version = "3.109.0" - } - } -} + required_version = ">= 1.4.0" -provider "azurerm" { - features {} -} - -terraform { backend "azurerm" { resource_group_name = "rule-set-rg" storage_account_name = "rulesetsa" container_name = "tfstate" key = "terraform.tfstate" } + + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "3.109.0" + } + } } \ No newline at end of file From cf4a1904285cc86aa4b78909d298190a4aaf8990 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 16:37:05 +0100 Subject: [PATCH 086/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 35 +++++++++++++-------------------- components/provider.tf | 2 +- components/variables.tf | 22 +++++---------------- 3 files changed, 20 insertions(+), 39 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 186a05bd3..96b8b6d24 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
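Review bot: The `backend "azurerm"` block now hard-codes `resource_group_name`, `storage_account_name`, `container_name` and `key`, while the pipeline in this same commit still passes `-backend-config="container_name=tfstate"` and `-backend-config="key=terraform.tfstate"` to `terraform init`; two sources for where state lives is one too many, and they can silently disagree. Pick one, and if the values stay in this file, remove the `-backend-config` flags. `# token = var.github_token` also leaves the `github` provider with no explicit credential, and the Plan and Apply steps in this commit export only `ARM_*` variables, so unless a `GITHUB_TOKEN` is injected elsewhere the provider runs unauthenticated; if that is intended, say so in the comment, e.g. `# token intentionally unset: the provider reads GITHUB_TOKEN from the environment`.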
@@ -11,28 +11,28 @@ on: permissions: id-token: write contents: read - packages: write - actions: write jobs: - build-and-deploy: + plan-and-apply: runs-on: ubuntu-latest + timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - name: 'Az CLI login' + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + creds: ${{ secrets.AZURE_CREDENTIALS }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 + - name: Change directory to Terraform config + run: cd components + - name: Initialize Terraform - working-directory: ./components + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} @@ -45,24 +45,17 @@ jobs: -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - name: Plan Terraform - working-directory: ./components + - name: Plan and Apply Terraform + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" - - - name: Apply Terraform - working-directory: ./components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: | - terraform apply -auto-approve tfplan + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" + terraform apply -auto-approve tfplan \ No newline at end of file 
diff --git a/components/provider.tf b/components/provider.tf index a63c4f046..fdd7c23eb 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -4,7 +4,7 @@ provider "azurerm" { provider "github" { owner = "hmcts" - # token = var.github_token + token = var.github_token } terraform { diff --git a/components/variables.tf b/components/variables.tf index 1f5a923bc..3716fe3bd 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,20 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } - -# variable "repositories" { -# description = "List of repositories to apply branch protection rules" -# type = list(string) -# default = [ -# "rule-set-test-repo", -# "rule-set-test-repo1", -# "rule-set-test-repo2", -# "rule-set-test-repo3", -# "rule-set-test-repo4" -# ] -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} variable "branches" { description = "List of branches to apply protection rules" From dfc2e241fe7c6dd88bdfe0e2f864ffa65ad24b7d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 16:47:32 +0100 Subject: [PATCH 087/186] adding config + pipeline --- test-repos.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test-repos.json b/test-repos.json index 4211e0262..5cdbd59f7 100644 --- a/test-repos.json +++ b/test-repos.json @@ -4,6 +4,7 @@ "rule-set-test-repo2", "rule-set-test-repo3", "rule-set-test-repo4", - "rule-set-test-repo5" + "rule-set-test-repo5", + "rule-set-test-repo6" ] \ No newline at end of file From 2cf388b1b7f2e6cf1a434a81318c204ee66f6d6b Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 22:32:47 +0100 Subject: [PATCH 088/186] adding config + pipeline --- test-repos.json | 1 + 1 file changed, 1 insertion(+) diff --git a/test-repos.json b/test-repos.json index 5cdbd59f7..dae6ee9d8 100644 --- a/test-repos.json 
+++ b/test-repos.json @@ -7,4 +7,5 @@ "rule-set-test-repo5", "rule-set-test-repo6" ] + \ No newline at end of file From 4697522eec2868f450e02c69a1184757287ba7dc Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 22:43:08 +0100 Subject: [PATCH 089/186] adding config + pipeline --- components/locals.tf | 2 +- components/provider.tf | 8 ++++---- components/variables.tf | 4 +++- test-repos.json | 6 ++++-- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/components/locals.tf b/components/locals.tf index 7218dc51d..92ec36176 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -22,7 +22,7 @@ locals { # Filter out excluded repositories included_repositories = [ - for repo in local.repositories_list : repo + for repo in local.repositories_list : repo if !contains(var.excluded_repositories, repo) ] diff --git a/components/provider.tf b/components/provider.tf index fdd7c23eb..d3fed8bd5 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -11,10 +11,10 @@ terraform { required_version = ">= 1.4.0" backend "azurerm" { - resource_group_name = "rule-set-rg" - storage_account_name = "rulesetsa" - container_name = "tfstate" - key = "terraform.tfstate" + resource_group_name = "rule-set-rg" + storage_account_name = "rulesetsa" + container_name = "tfstate" + key = "terraform.tfstate" } required_providers { diff --git a/components/variables.tf b/components/variables.tf index 3716fe3bd..637d831fa 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -18,13 +18,15 @@ variable "excluded_repositories" { type = list(string) default = [ # "rule-set-test-repo5" + "rule-set-test-repo7", + "rule-set-test-repo8" ] } variable "override_action" { description = "The action to override" type = string - default = "plan" + default = "plan" } variable "location" { diff --git a/test-repos.json b/test-repos.json index dae6ee9d8..4e3f4fdec 100644 --- a/test-repos.json +++ b/test-repos.json 
@@ -5,7 +5,9 @@ "rule-set-test-repo3", "rule-set-test-repo4", "rule-set-test-repo5", - "rule-set-test-repo6" + "rule-set-test-repo6", + "rule-set-test-repo7", + "rule-set-test-repo8" ] - + \ No newline at end of file From 4584a3ba43c035fbe07ab710844921dab344a4b4 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 22:44:29 +0100 Subject: [PATCH 090/186] adding config + pipeline --- components/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/variables.tf b/components/variables.tf index 637d831fa..0a8a6b03e 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -18,7 +18,7 @@ variable "excluded_repositories" { type = list(string) default = [ # "rule-set-test-repo5" - "rule-set-test-repo7", + # "rule-set-test-repo7", "rule-set-test-repo8" ] } From d245d3f7b6c709b9d37fe02b865ebcbff5589fb1 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 22:57:40 +0100 Subject: [PATCH 091/186] adding config + pipeline --- components/main.tf | 42 ++++++++++-------------------------------- 1 file changed, 10 insertions(+), 32 deletions(-) diff --git a/components/main.tf b/components/main.tf index 3530aaeb3..497ea3b72 100644 --- a/components/main.tf +++ b/components/main.tf 
@@ -1,30 +1,6 @@ -module "tags" { - source = "git::https://github.com/hmcts/terraform-module-common-tags.git?ref=master" - environment = var.env - product = var.product - builtFrom = var.builtFrom -} - -resource "azurerm_resource_group" "rg" { - name = var.resource_group_name - location = var.location - tags = module.tags.common_tags -} - -resource "azurerm_storage_account" "sa" { - name = var.storage_account_name - resource_group_name = azurerm_resource_group.rg.name - location = azurerm_resource_group.rg.location - account_tier = "Standard" - account_replication_type = "LRS" - tags = module.tags.common_tags -} - -resource "azurerm_storage_container" "tfstate" { - name = "tfstate" - storage_account_name = azurerm_storage_account.sa.name - container_access_type = "private" - +# Output existing branches for debugging +output "existing_branches" { + value = data.github_branch.existing_branches } # Check if branches exist @@ -34,11 +10,6 @@ data "github_branch" "existing_branches" { branch = each.value.branch } -# Output existing branches for debugging -output "existing_branches" { - value = data.github_branch.existing_branches -} - # Apply branch protection rules only if the branch exists resource "github_branch_protection_v3" "branch_protection" { for_each = { @@ -66,4 +37,11 @@ resource "github_branch_protection_v3" "branch_protection" { teams = [] apps = [] } + + lifecycle { + ignore_changes = [ + # Allows the branch protection rules to reapply in the case of a rule being deleted. + etag + ] + } } From c43ca920b2afad839b7cc8ac72949571827d5af1 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 22:59:23 +0100 Subject: [PATCH 092/186] adding config + pipeline --- components/main.tf | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/components/main.tf b/components/main.tf index 497ea3b72..dfcd7074e 100644 --- a/components/main.tf +++ b/components/main.tf 
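Review bot: The first hunk removes `module "tags"`, `azurerm_resource_group "rg"`, `azurerm_storage_account "sa"` and `azurerm_storage_container "tfstate"` from the configuration, which on the next apply instructs Terraform to destroy them, not merely to stop managing them. If `var.storage_account_name` resolves to the `rulesetsa` account named in the backend block, that apply would plan to delete the `tfstate` container holding its own state; the variable's value is not visible here, so please confirm before merging. To stop managing resources without destroying them, use `terraform state rm` (or a `removed` block on Terraform 1.7 or later) instead of deleting the blocks. PATCH 092/186 restores them.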
@@ -1,3 +1,32 @@ +module "tags" { + source = "git::https://github.com/hmcts/terraform-module-common-tags.git?ref=master" + environment = var.env + product = var.product + builtFrom = var.builtFrom +} + +resource "azurerm_resource_group" "rg" { + name = var.resource_group_name + location = var.location + tags = module.tags.common_tags +} + +resource "azurerm_storage_account" "sa" { + name = var.storage_account_name + resource_group_name = azurerm_resource_group.rg.name + location = azurerm_resource_group.rg.location + account_tier = "Standard" + account_replication_type = "LRS" + tags = module.tags.common_tags +} + +resource "azurerm_storage_container" "tfstate" { + name = "tfstate" + storage_account_name = azurerm_storage_account.sa.name + container_access_type = "private" + +} + # Output existing branches for debugging output "existing_branches" { value = data.github_branch.existing_branches @@ -40,7 +69,7 @@ resource "github_branch_protection_v3" "branch_protection" { lifecycle { ignore_changes = [ - # Allows the branch protection rules to reapply in the case of a rule being deleted. + # Ignore changes to the branch protection rules etag ] } From c0d3bbb9638ff63e49a56ec8ba09cc6e3d388605 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:03:31 +0100 Subject: [PATCH 093/186] adding config + pipeline --- components/locals.tf | 2 +- components/main.tf | 15 +++++++-------- 2 files changed, 8 insertions(+), 9 deletions(-) diff --git a/components/locals.tf b/components/locals.tf index 92ec36176..7218dc51d 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -22,7 +22,7 @@ locals { # Filter out excluded repositories included_repositories = [ - for repo in local.repositories_list : repo + for repo in local.repositories_list : repo if !contains(var.excluded_repositories, repo) ] diff --git a/components/main.tf b/components/main.tf index dfcd7074e..849bc383f 100644 --- a/components/main.tf +++ b/components/main.tf 
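Review bot: The comment inside `ignore_changes` now reads `# Ignore changes to the branch protection rules`, but the list still contains only `etag`, so the lifecycle rule ignores drift in the computed etag and nothing else; the wording it replaces was the accurate one. Suggest `# Only the computed etag is ignored; drift in the rules themselves is still reconciled on apply`. The enclosing resource `github_branch_protection_v3.branch_protection` begins before this hunk.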
@@ -32,18 +32,17 @@ output "existing_branches" { value = data.github_branch.existing_branches } -# Check if branches exist -data "github_branch" "existing_branches" { - for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } - repository = each.value.repo - branch = each.value.branch -} +# # Check if branches exist +# data "github_branch" "existing_branches" { +# for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } +# repository = each.value.repo +# branch = each.value.branch +# } # Apply branch protection rules only if the branch exists resource "github_branch_protection_v3" "branch_protection" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo - if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null } repository = each.value.repo @@ -73,4 +72,4 @@ resource "github_branch_protection_v3" "branch_protection" { etag ] } -} +} \ No newline at end of file From 226a30dfd0cec138e6385315f41a46f1c89a351f Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:04:51 +0100 Subject: [PATCH 094/186] adding config + pipeline --- components/main.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/components/main.tf b/components/main.tf index 849bc383f..8425d50b1 100644 --- a/components/main.tf +++ b/components/main.tf 
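Review bot: Commenting out `data "github_branch" "existing_branches"` leaves the `output "existing_branches"` block in the hunk's leading context referring to `data.github_branch.existing_branches`, a resource that no longer exists, so `terraform validate` fails on an undeclared resource. Dropping the `if try(...)` filter from `for_each` also means a `github_branch_protection_v3` is attempted for every repo/branch combination, including branches that do not exist, and a single such failure aborts the whole apply. Either keep the data source and filter, or remove the output along with it. PATCH 094/186 restores the data source.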
@@ -32,12 +32,12 @@ output "existing_branches" { value = data.github_branch.existing_branches } -# # Check if branches exist -# data "github_branch" "existing_branches" { -# for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } -# repository = each.value.repo -# branch = each.value.branch -# } +# Check if branches exist +data "github_branch" "existing_branches" { + for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } + repository = each.value.repo + branch = each.value.branch +} # Apply branch protection rules only if the branch exists resource "github_branch_protection_v3" "branch_protection" { From 9492425beded999f55bf2b3cb01c6285cffb7740 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:11:36 +0100 Subject: [PATCH 095/186] adding config + pipeline --- components/main.tf | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/components/main.tf b/components/main.tf index 8425d50b1..8fd9b8c52 100644 --- a/components/main.tf +++ b/components/main.tf @@ -27,11 +27,6 @@ resource "azurerm_storage_container" "tfstate" { } -# Output existing branches for debugging -output "existing_branches" { - value = data.github_branch.existing_branches -} - # Check if branches exist data "github_branch" "existing_branches" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } @@ -43,6 +38,7 @@ data "github_branch" "existing_branches" { resource "github_branch_protection_v3" "branch_protection" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo + if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null } repository = each.value.repo 
@@ -65,11 +61,4 @@ resource "github_branch_protection_v3" "branch_protection" { teams = [] apps = [] } - - lifecycle { - ignore_changes = [ - # Ignore changes to the branch protection rules - etag - ] - } } \ No newline at end of file From d48a99f51e82e9e6b60af5a95116c7a8718a6765 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:18:41 +0100 Subject: [PATCH 096/186] adding config + pipeline --- components/main.tf | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/components/main.tf b/components/main.tf index 8fd9b8c52..0011ac0b0 100644 --- a/components/main.tf +++ b/components/main.tf @@ -27,9 +27,15 @@ resource "azurerm_storage_container" "tfstate" { } +# Check if repositories exist +data "github_repository" "existing_repos" { + for_each = { for repo in local.included_repositories : repo => repo } + name = each.value +} + # Check if branches exist data "github_branch" "existing_branches" { - for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo } + for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo if contains(keys(data.github_repository.existing_repos), combo.repo) } repository = each.value.repo branch = each.value.branch } @@ -61,4 +67,4 @@ resource "github_branch_protection_v3" "branch_protection" { teams = [] apps = [] } -} \ No newline at end of file +} From e81a1f608a72ab4405f7cebc51b24109bfc20079 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:22:43 +0100 Subject: [PATCH 097/186] adding config + pipeline --- components/main.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/components/main.tf b/components/main.tf index 0011ac0b0..237a4d166 100644 --- a/components/main.tf +++ b/components/main.tf 
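Review bot: The new `if contains(keys(data.github_repository.existing_repos), combo.repo)` filter cannot exclude anything: `existing_repos` is keyed by exactly `local.included_repositories`, the same list the `repo_branch_combinations` are built from, so every `combo.repo` is always a key. As far as I can tell from the provider's behaviour, a data source for a repository that does not exist fails the plan rather than producing an empty entry, so the block does not provide the `# Check if repositories exist` guard its comment promises. If missing repositories must be tolerated, reconcile the include list outside Terraform; otherwise document that a missing repository is expected to fail the run, e.g. `# A repository missing from GitHub fails the plan here by design`.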
@@ -40,11 +40,12 @@ data "github_branch" "existing_branches" { branch = each.value.branch } -# Apply branch protection rules only if the branch exists +# Apply branch protection rules only if the branch exists and is not already protected resource "github_branch_protection_v3" "branch_protection" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo - if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null + if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null && + try(github_branch_protection_v3.branch_protection["${combo.repo}:${combo.branch}"].branch, null) == null } repository = each.value.repo From 1e6a7a9de1510562e9de367548ab72aea9a46d6e Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:33:45 +0100 Subject: [PATCH 098/186] adding config + pipeline --- components/check_branch_protection.sh | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 components/check_branch_protection.sh diff --git a/components/check_branch_protection.sh b/components/check_branch_protection.sh new file mode 100644 index 000000000..147f314a8 --- /dev/null +++ b/components/check_branch_protection.sh @@ -0,0 +1,21 @@ +#!/bin/bash + +# Read the repositories from the JSON file +repositories=$(jq -r '.[]' test-repos.json) + +# Define the branches you want to check +branches=("master" "main") # Add more branches if needed + +# Loop over each repo and branch +for repo in $repositories; do + for branch in "${branches[@]}"; do + # Check if the branch protection rule exists + if gh api repos/$repo/branches/$branch/protection; then + echo "Branch protection rule exists for $repo:$branch" + else + echo "Branch protection rule does not exist for $repo:$branch" + # Run your Terraform code here to create the branch protection rule + terraform apply -var="repo=$repo" -var="branch=$branch" + fi + done +done 
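Review bot: The added `try(github_branch_protection_v3.branch_protection["${combo.repo}:${combo.branch}"].branch, null) == null` condition reads the resource from inside its own `for_each`, which Terraform rejects as a self-referential block, so the configuration will not plan. Even if it could, the logic is inverted for rules Terraform manages: once a rule is created the reference becomes non-null, the instance drops out of `for_each`, and Terraform schedules its own rule for destruction. Rules already in state are simply updated on apply, so the extra condition is unnecessary; rules created outside Terraform are brought under management with `terraform import`, not a `for_each` filter.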
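Review bot: `gh api repos/$repo/branches/$branch/protection` builds the path from a bare repository name, but the entries in `test-repos.json` (e.g. `rule-set-test-repo5`) carry no owner, so every request is malformed, returns 404, and the script always takes the else branch and runs `terraform apply`. That else branch is reached on any non-2xx response, including auth and rate-limit failures, so a failed check triggers an apply instead of a stop. The apply passes `-var="repo=..."` and `-var="branch=..."`, neither of which is declared in `components/variables.tf`, runs without `-auto-approve`, and runs from the repository root rather than `components/`. At minimum add `set -euo pipefail`, quote expansions, and prefix the owner, `if gh api --silent "repos/hmcts/${repo}/branches/${branch}/protection"; then`; better, drop the per-repo apply, since the workflow already plans and applies every combination.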
From 7846ed5f5ea1dac04ae8aab4468cece05107fa5f Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:33:56 +0100 Subject: [PATCH 099/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 96b8b6d24..db0dabed1 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -27,6 +27,20 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v1 + + - name: Install jq and gh + run: | + sudo apt-get update + sudo apt-get install -y jq + sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key C99B11DEB97541F0 + sudo apt-add-repository https://cli.github.com/packages + sudo apt-get update + sudo apt-get install -y gh + + - name: Run branch protection script + run: ./check_branch_protection.sh + env: + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - name: Change directory to Terraform config run: cd components @@ -58,4 +72,4 @@ jobs: -var="location=UK South" \ -var="override_action=plan" \ -var="github_token=${{ secrets.PAT_TOKEN }}" - terraform apply -auto-approve tfplan \ No newline at end of file + terraform apply -auto-approve tfplan From d349f4cd6b250a4c494147c8f4ae3b48b3c319bd Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:37:29 +0100 Subject: [PATCH 100/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index db0dabed1..93c8b74bd 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
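Review bot: `sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key C99B11DEB97541F0` fetches a signing key from a keyserver into the global trusted keyring, a pattern apt has deprecated, and `apt-add-repository https://cli.github.com/packages` then trusts everything published there under it. The `gh` CLI is preinstalled on `ubuntu-latest`, so the whole install step can be deleted; if a pinned version is needed, download the release tarball and verify it against the published checksums file before installing. The `Run branch protection script` step also runs before `Initialize Terraform` and from the workspace root, so the script's `terraform apply` has no initialised backend to work with. Finally, `./check_branch_protection.sh` does not match the file's location `components/check_branch_protection.sh`, which PATCH 103/186 corrects.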
@@ -28,14 +28,9 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - name: Install jq and gh + - name: Install gh run: | - sudo apt-get update - sudo apt-get install -y jq - sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key C99B11DEB97541F0 - sudo apt-add-repository https://cli.github.com/packages - sudo apt-get update - sudo apt-get install -y gh + curl -sSL https://github.com/cli/cli/releases/download/v2.4.5/gh_2.4.5_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin --strip-components=2 gh_2.4.5_linux_amd64/bin/gh - name: Run branch protection script run: ./check_branch_protection.sh From 5782f27bff96bf965fe9d02e47bcefa6017bd358 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:38:33 +0100 Subject: [PATCH 101/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 93c8b74bd..fbc2af680 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -30,7 +30,7 @@ jobs: - name: Install gh run: | - curl -sSL https://github.com/cli/cli/releases/download/v2.4.5/gh_2.4.5_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin --strip-components=2 gh_2.4.5_linux_amd64/bin/gh + curl -sSL https://github.com/cli/cli/releases/download/v2.4.0/gh_2.4.0_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin --strip-components=2 gh_2.4.0_linux_amd64/bin/gh - name: Run branch protection script run: ./check_branch_protection.sh From ac2bd1804a2ffb1cc807a038a746f913448c14f6 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:39:34 +0100 Subject: [PATCH 102/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index fbc2af680..67eac0570 100644 --- a/.github/workflows/pipeline.yaml 
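Review bot: `curl -sSL https://github.com/cli/cli/releases/download/v2.4.5/... | sudo tar xz -C /usr/local/bin` extracts a downloaded binary into the system path as root with no checksum or signature check, so a substituted download would run with the PAT exported to the next step. `gh` is already present on the `ubuntu-latest` runner image, so this step can simply go; if pinning is required, fetch the release's checksums file and verify with `sha256sum -c` before extracting. The version change to 2.4.0 in PATCH 101/186 carries the same gap.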
+++ b/.github/workflows/pipeline.yaml @@ -33,7 +33,7 @@ jobs: curl -sSL https://github.com/cli/cli/releases/download/v2.4.0/gh_2.4.0_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin --strip-components=2 gh_2.4.0_linux_amd64/bin/gh - name: Run branch protection script - run: ./check_branch_protection.sh + run: check_branch_protection.sh env: GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} From 4a6c9311553174c2dd462896510b3791ae152ef0 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:43:29 +0100 Subject: [PATCH 103/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 67eac0570..f20bc802c 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -33,7 +33,7 @@ jobs: curl -sSL https://github.com/cli/cli/releases/download/v2.4.0/gh_2.4.0_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin --strip-components=2 gh_2.4.0_linux_amd64/bin/gh - name: Run branch protection script - run: check_branch_protection.sh + run: ./components/check_branch_protection.sh env: GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} From 8ca524c0d81a1c08620e363d7c477c92b15fd2cf Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:46:09 +0100 Subject: [PATCH 104/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index f20bc802c..b8b8a07fb 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -32,6 +32,9 @@ jobs: run: | curl -sSL https://github.com/cli/cli/releases/download/v2.4.0/gh_2.4.0_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin --strip-components=2 gh_2.4.0_linux_amd64/bin/gh + - name: Change script permissions + run: chmod +x ./components/check_branch_protection.sh + - name: Run branch protection script run: ./components/check_branch_protection.sh env: From f09b10a530bb8994f489cdcd639152636e99c274 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:52:05 +0100 Subject: [PATCH 105/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b8b8a07fb..684a14b07 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -36,9 +36,13 @@ jobs: run: chmod +x ./components/check_branch_protection.sh - name: Run branch protection script - run: ./components/check_branch_protection.sh + run: | + chmod +x ./components/check_branch_protection.sh + ./components/check_branch_protection.sh env: GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + TF_CLI_ARGS_apply: "-auto-approve" + - name: Change directory to Terraform config run: cd components From 2dcfd146f54003ef90ec7773ebf439717612e6b5 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Thu, 4 Jul 2024 23:53:28 +0100 Subject: [PATCH 106/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 18 +----------------- components/check_branch_protection.sh | 21 --------------------- 2 files changed, 1 insertion(+), 38 deletions(-) delete mode 100644 components/check_branch_protection.sh diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 684a14b07..96b8b6d24 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
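Review bot: `TF_CLI_ARGS_apply: "-auto-approve"` in the `@@ -36,9 +36,13 @@` hunk makes every `terraform apply` the script launches non-interactive, including the per-repo applies inside its loop (visible where the script is deleted in the next commit), with no plan ever reviewed; if unattended runs are intended, state that in a comment next to the variable instead of hiding it in an env default. The `chmod +x` added inside the `run:` block duplicates the separate step introduced in the hunk just above; keep one. The step also runs from the repository root, and whether the script's own `terraform apply` can locate the configuration under `components/` from there is not visible in these hunks.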
@@ -27,22 +27,6 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - - name: Install gh - run: | - curl -sSL https://github.com/cli/cli/releases/download/v2.4.0/gh_2.4.0_linux_amd64.tar.gz | sudo tar xz -C /usr/local/bin --strip-components=2 gh_2.4.0_linux_amd64/bin/gh - - - name: Change script permissions - run: chmod +x ./components/check_branch_protection.sh - - - name: Run branch protection script - run: | - chmod +x ./components/check_branch_protection.sh - ./components/check_branch_protection.sh - env: - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - TF_CLI_ARGS_apply: "-auto-approve" - - name: Change directory to Terraform config run: cd components @@ -74,4 +58,4 @@ jobs: -var="location=UK South" \ -var="override_action=plan" \ -var="github_token=${{ secrets.PAT_TOKEN }}" - terraform apply -auto-approve tfplan + terraform apply -auto-approve tfplan \ No newline at end of file diff --git a/components/check_branch_protection.sh b/components/check_branch_protection.sh deleted file mode 100644 index 147f314a8..000000000 --- a/components/check_branch_protection.sh +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -# Read the repositories from the JSON file -repositories=$(jq -r '.[]' test-repos.json) - -# Define the branches you want to check -branches=("master" "main") # Add more branches if needed - -# Loop over each repo and branch -for repo in $repositories; do - for branch in "${branches[@]}"; do - # Check if the branch protection rule exists - if gh api repos/$repo/branches/$branch/protection; then - echo "Branch protection rule exists for $repo:$branch" - else - echo "Branch protection rule does not exist for $repo:$branch" - # Run your Terraform code here to create the branch protection rule - terraform apply -var="repo=$repo" -var="branch=$branch" - fi - done -done From 43ac7ff16a17bac58772209ff5ed070e1897f20f Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Thu, 4 Jul 2024 23:56:36 +0100 Subject: [PATCH 107/186] adding config + pipeline --- components/main.tf | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/components/main.tf b/components/main.tf index 237a4d166..de168a32d 100644 --- a/components/main.tf +++ b/components/main.tf @@ -40,12 +40,11 @@ data "github_branch" "existing_branches" { branch = each.value.branch } -# Apply branch protection rules only if the branch exists and is not already protected +# Apply branch protection rules only if the branch exists resource "github_branch_protection_v3" "branch_protection" { for_each = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo - if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null && - try(github_branch_protection_v3.branch_protection["${combo.repo}:${combo.branch}"].branch, null) == null + if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null } repository = each.value.repo @@ -68,4 +67,4 @@ resource "github_branch_protection_v3" "branch_protection" { teams = [] apps = [] } -} +} \ No newline at end of file From 5fbde25ce194e6f75bc669fcdc6aaeb17d6755e0 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 00:50:46 +0100 Subject: [PATCH 108/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 96b8b6d24..2a91dcc45 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
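Review bot: The remaining filter, `if try(data.github_branch.existing_branches[...].branch, null) != null`, only guards the index expression failing to evaluate; `try()` cannot mask a failure of the data source read itself, so if `github_branch` errors for a branch that does not exist, the plan aborts before this condition is ever evaluated. Worth confirming against the provider version pinned in the lockfile with a deliberately missing branch, and recording the result in the comment, e.g. `# Relies on data.github_branch yielding null (not an error) for a missing branch`. The `existing_branches` data block this depends on starts outside the hunk.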
@@ -23,8 +23,11 @@ jobs: - name: Log in to Azure uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + enable-AzPSSession: true + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 @@ -35,9 +38,8 @@ jobs: working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ @@ -49,13 +51,10 @@ jobs: working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" - terraform apply -auto-approve tfplan \ No newline at end of file + -var="override_action=plan" + terraform apply -auto-approve tfplan From f344746b099c2d6e58bbf39b33a56db07e91b695 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 00:53:41 +0100 Subject: [PATCH 109/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 2a91dcc45..1036c6a47 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
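Review bot: The second hunk removes both the `GITHUB_TOKEN` env and `-var="github_token=..."` while `components/provider.tf` still reads `token = var.github_token` (as later commits in this series show), so the github provider behind `data.github_branch` and `github_branch_protection_v3` is left without credentials; the same step also now runs `terraform apply -auto-approve tfplan` in a workflow that, per the `on:` block in later hunks, fires on `pull_request`. On the Azure side, the first hunk moves `azure/login` to client-id/tenant-id/subscription-id, i.e. federated login, but the azurerm provider is handed only `ARM_CLIENT_ID`/`ARM_TENANT_ID`/`ARM_SUBSCRIPTION_ID`; add `ARM_USE_OIDC: true` to both terraform steps so the provider uses the same federated identity rather than falling back to whatever the CLI session provides. `enable-AzPSSession: true` additionally performs an Azure PowerShell login that no step uses.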
@@ -25,7 +25,7 @@ jobs: with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} enable-AzPSSession: true - name: Setup Terraform From a4c6db419ed028ccab6188d776ffda9aeb74a51e Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:00:56 +0100 Subject: [PATCH 110/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 1036c6a47..1b2acdd7c 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -26,7 +26,7 @@ jobs: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - enable-AzPSSession: true + enable-AzPSSession: false # Disabling this to avoid potential issues - name: Setup Terraform uses: hashicorp/setup-terraform@v1 From b7b06c6c172304b1b4b7060c6c116e6ab8318473 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:03:19 +0100 Subject: [PATCH 111/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 1b2acdd7c..59a5cdf18 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -25,8 +25,8 @@ jobs: with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - enable-AzPSSession: false # Disabling this to avoid potential issues + subscription-id: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} + enable-AzPSSession: false - name: Setup Terraform uses: hashicorp/setup-terraform@v1 
@@ -38,8 +38,9 @@ jobs: working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ @@ -51,8 +52,9 @@ jobs: working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ From 760596054263b98e1341c2804d7b85252f598b93 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:07:36 +0100 Subject: [PATCH 112/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 59a5cdf18..5d9392c5a 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: @@ -7,11 +7,11 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: plan-and-apply: runs-on: ubuntu-latest @@ -19,7 +19,7 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: 
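Review bot: Re-adding `ARM_CLIENT_SECRET` to both terraform steps (this hunk and the `@@ -51,8 +52,9 @@` one) reintroduces a long-lived secret right after the login step was moved to federated credentials under `id-token: write`, so the job now carries both mechanisms. If the app registration has a federated credential for this repository the secret is unnecessary: keep the login step and give the provider `ARM_USE_OIDC: true` in place of `ARM_CLIENT_SECRET`. The subscription secret name has also changed three times over the last four commits; settling on one and documenting it in the workflow would stop the churn.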
@@ -27,13 +27,13 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} enable-AzPSSession: false - + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Change directory to Terraform config run: cd components - + - name: Initialize Terraform working-directory: components env: @@ -47,7 +47,7 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform working-directory: components env: From ddb08c0cb7373a37d55fb76e7c6c426330f52fcd Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:09:03 +0100 Subject: [PATCH 113/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 5d9392c5a..b8e678758 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -25,8 +25,8 @@ jobs: with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} - enable-AzPSSession: false + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + allow-no-subscriptions: true - name: Setup Terraform uses: hashicorp/setup-terraform@v1 @@ -40,7 +40,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ 
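Review bot: `allow-no-subscriptions: true` in the `@@ -25,8 +25,8 @@` hunk lets `azure/login` succeed even when the identity holds no role on `subscription-id`, so a missing RBAC assignment is no longer caught at login and instead surfaces as a less readable provider error during `terraform init`. Unless the identity is genuinely tenant-only, leave the default and fix the assignment on the subscription; if it must stay, add `# TODO: explain why login must succeed without subscription access` so the next reader knows it is deliberate.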
@@ -54,7 +54,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ From 61f2eaa5126ab5cec6f112a5f4e8258e3eb87ca8 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:14:34 +0100 Subject: [PATCH 114/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b8e678758..8b7216c8e 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -60,3 +60,4 @@ jobs: -var="location=UK South" \ -var="override_action=plan" terraform apply -auto-approve tfplan + From b1cb231d7a338e3eeaf4bb0301c8aaa91bfadaaf Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:15:40 +0100 Subject: [PATCH 115/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 8b7216c8e..14d7a9b6d 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -26,7 +26,7 @@ jobs: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - allow-no-subscriptions: true + enable-AzPSSession: false - name: Setup Terraform uses: hashicorp/setup-terraform@v1 
@@ -40,7 +40,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ @@ -54,10 +54,9 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" terraform apply -auto-approve tfplan - From c9d67fd13dde956cfca5f210928c6a8ab76b3a0c Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:18:04 +0100 Subject: [PATCH 116/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 14d7a9b6d..41c7f92e5 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -26,7 +26,6 @@ jobs: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - enable-AzPSSession: false - name: Setup Terraform uses: hashicorp/setup-terraform@v1 @@ -40,7 +39,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ 
@@ -54,7 +53,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_AZURE_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ From 31882b9ad1c5c1c08d796cbfe51b05b048cdd41d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:24:10 +0100 Subject: [PATCH 117/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 41c7f92e5..b8e678758 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -26,6 +26,7 @@ jobs: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + allow-no-subscriptions: true - name: Setup Terraform uses: hashicorp/setup-terraform@v1 From 47c395c199afff1e9a005967ca78c47f5a8f3ba7 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:25:18 +0100 Subject: [PATCH 118/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 37 +++++++++++++++------------------ 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b8e678758..05f5124b3 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: 
@@ -7,56 +7,53 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + packages: write + actions: write + jobs: - plan-and-apply: + build-and-deploy: runs-on: ubuntu-latest - timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - - name: Log in to Azure + + - name: 'Az CLI login' uses: azure/login@v1 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - allow-no-subscriptions: true - + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - - name: Change directory to Terraform config - run: cd components - + - name: Initialize Terraform - working-directory: components + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform - working-directory: components + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" - terraform apply -auto-approve tfplan + terraform apply -auto-approve tfplan \ No newline at end of file From 76b10a0eaf708b535c48e4995e60d676207be4ef Mon Sep 17 00:00:00 2001 
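Review bot: The new `packages: write` and `actions: write` grants are not used by any step in this hunk (login, setup-terraform, init, plan/apply), so they widen what `GITHUB_TOKEN` can do for no benefit; drop them, or note which step needs them. Removing `timeout-minutes: 60` leaves the job on the runner default, so a hung `terraform apply` keeps the Azure session and `ARM_CLIENT_SECRET` live for hours; keep an explicit limit. `actions/checkout@v2` and `hashicorp/setup-terraform@v1` are referenced by mutable major tag; pinning them to a commit SHA would fix the supply chain for a job that holds cloud credentials.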
From: Connor O'Kane Date: Fri, 5 Jul 2024 01:26:53 +0100 Subject: [PATCH 119/186] adding config + pipeline --- components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/components/provider.tf b/components/provider.tf index d3fed8bd5..1737c4061 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -4,7 +4,7 @@ provider "azurerm" { provider "github" { owner = "hmcts" - token = var.github_token + # token = var.github_token } terraform { diff --git a/components/variables.tf b/components/variables.tf index 0a8a6b03e..26e892485 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } variable "branches" { description = "List of branches to apply protection rules" From e41a0b18231a6e2bf33607a27ce0b6311c7668e7 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 01:29:11 +0100 Subject: [PATCH 120/186] adding config + pipeline --- test-repos.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/test-repos.json b/test-repos.json index 4e3f4fdec..caad0b3cc 100644 --- a/test-repos.json +++ b/test-repos.json @@ -7,7 +7,8 @@ "rule-set-test-repo5", "rule-set-test-repo6", "rule-set-test-repo7", - "rule-set-test-repo8" + "rule-set-test-repo8", + "rule-set-test-repo9" ] \ No newline at end of file From 2a27fa91a9e8480209ad8cbd8a4e4773f3b7a600 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 11:14:25 +0100 Subject: [PATCH 121/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 20 +++++++++++--------- components/main.tf | 6 ++++++ 2 files changed, 17 insertions(+), 9 deletions(-) 
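Review bot: Commenting out `token = var.github_token` and the `github_token` variable leaves the github provider with no explicit credential, and the workflow as of the previous commit sets no `GITHUB_TOKEN` env for the terraform steps, so `data.github_branch` and `github_branch_protection_v3` would run unauthenticated against the `hmcts` org. If the intent is to move to the env var, delete the lines instead of commenting them (git keeps the history) and add the env in the same commit; as it stands the declaration is re-enabled and re-commented several times in the commits that follow.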
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 05f5124b3..47b3c6f4f 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: @@ -7,30 +7,30 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read packages: write actions: write - + jobs: build-and-deploy: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v2 - + - name: 'Az CLI login' uses: azure/login@v1 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + - name: Initialize Terraform working-directory: ./components env: @@ -44,7 +44,7 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - + - name: Plan and Apply Terraform working-directory: ./components env: @@ -52,8 +52,10 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ - -var="override_action=plan" - terraform apply -auto-approve tfplan \ No newline at end of file + -var="override_action=plan" \ + -var="github_token=${{ secrets.GITHUB_TOKEN }}" + terraform apply -auto-approve tfplan diff --git a/components/main.tf b/components/main.tf index de168a32d..5525c501b 100644 --- a/components/main.tf +++ b/components/main.tf 
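Review bot: `-var="github_token=${{ secrets.GITHUB_TOKEN }}"` in the `@@ -52,8 +52,10 @@` hunk is passed while `variable "github_token"` is commented out in `components/variables.tf` (previous commit), and Terraform rejects a command-line `-var` for an undeclared variable, which is presumably why the declaration is restored two commits later. Independently, `secrets.GITHUB_TOKEN` is the workflow's ephemeral token scoped to this repository alone; it cannot read or set branch protection on the other `hmcts` repositories listed in `test-repos.json`, so the provider calls will be denied whatever the `permissions:` block says. The token is also supplied twice, via env and via argv; the github provider reads `GITHUB_TOKEN` on its own, so the `-var` line, which places the secret in the process arguments, can go.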
@@ -11,6 +11,12 @@ resource "azurerm_resource_group" "rg" { tags = module.tags.common_tags } +resource "azurerm_resource_group" "rg" { + name = "test" + location = var.location + tags = module.tags.common_tags +} + resource "azurerm_storage_account" "sa" { name = var.storage_account_name resource_group_name = azurerm_resource_group.rg.name From 4af0110ad0f7d7dbe84ef88857539df236208762 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 11:15:14 +0100 Subject: [PATCH 122/186] adding config + pipeline --- components/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/main.tf b/components/main.tf index 5525c501b..9f5dcdf9d 100644 --- a/components/main.tf +++ b/components/main.tf @@ -5,7 +5,7 @@ module "tags" { builtFrom = var.builtFrom } -resource "azurerm_resource_group" "rg" { +resource "azurerm_resource_group" "rg-test" { name = var.resource_group_name location = var.location tags = module.tags.common_tags From 0de8801dc000a20bd6e2aee3a05404c74dab5a06 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 11:17:50 +0100 Subject: [PATCH 123/186] adding config + pipeline --- components/variables.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/components/variables.tf b/components/variables.tf index 26e892485..0a8a6b03e 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} variable "branches" { description = "List of branches to apply protection rules" From f272ff1679b05196abfa6e4e8563c6e8d347a9b1 Mon Sep 17 00:00:00 2001 
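Review bot: The added block declares a second `resource "azurerm_resource_group" "rg"`, the same address as the block ending just above it, and Terraform refuses a duplicate resource address at plan time; the next commit renames the first block to get past this rather than removing the duplicate. A resource group hard-coded as `name = "test"` next to one driven by `var.resource_group_name` also reads as a local experiment that should not reach the shared branch.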
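Review bot: Renaming the first group to `azurerm_resource_group.rg-test` changes its address without a `moved` block, so Terraform will plan to destroy the existing `var.resource_group_name` group, and with it anything inside, and create a new one. After the rename, `azurerm_resource_group.rg` resolves to the block hard-coded to `name = "test"`, so `azurerm_storage_account.sa` (which references `azurerm_resource_group.rg.name` on the context line below) would be re-homed into that group. If the rename is really intended, add `moved { from = azurerm_resource_group.rg  to = azurerm_resource_group.rg-test }`; otherwise revert it, as the commit after next does.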
From: Connor O'Kane Date: Fri, 5 Jul 2024 11:39:38 +0100 Subject: [PATCH 124/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 - components/main.tf | 9 +-------- components/variables.tf | 10 +++++----- 3 files changed, 6 insertions(+), 14 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 47b3c6f4f..6b54e83ad 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -58,4 +58,3 @@ jobs: -var="location=UK South" \ -var="override_action=plan" \ -var="github_token=${{ secrets.GITHUB_TOKEN }}" - terraform apply -auto-approve tfplan diff --git a/components/main.tf b/components/main.tf index 9f5dcdf9d..7dfee8246 100644 --- a/components/main.tf +++ b/components/main.tf @@ -5,14 +5,8 @@ module "tags" { builtFrom = var.builtFrom } -resource "azurerm_resource_group" "rg-test" { - name = var.resource_group_name - location = var.location - tags = module.tags.common_tags -} - resource "azurerm_resource_group" "rg" { - name = "test" + name = var.resource_group_name location = var.location tags = module.tags.common_tags } @@ -30,7 +24,6 @@ resource "azurerm_storage_container" "tfstate" { name = "tfstate" storage_account_name = azurerm_storage_account.sa.name container_access_type = "private" - } # Check if repositories exist diff --git a/components/variables.tf b/components/variables.tf index 0a8a6b03e..26e892485 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } variable "branches" { description = "List of branches to apply protection rules" From f39fee3092880af4195f05648ab342cb8bc03171 Mon Sep 17 00:00:00 2001 
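Review bot: The `components/variables.tf` hunk comments out `variable "github_token"` again while the pipeline hunk in the same commit keeps `-var="github_token=${{ secrets.GITHUB_TOKEN }}"` as a context line, so the plan step fails on an undeclared variable; the next commit restores the declaration once more. Decide once whether the token arrives through the variable or through the `GITHUB_TOKEN` env the provider reads natively, delete the unused path instead of commenting it, and keep `sensitive = true` if the variable stays.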
From: Connor O'Kane Date: Fri, 5 Jul 2024 11:41:08 +0100 Subject: [PATCH 125/186] adding config + pipeline --- components/variables.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/components/variables.tf b/components/variables.tf index 26e892485..0a8a6b03e 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} variable "branches" { description = "List of branches to apply protection rules" From 8a5de5002f6d544820faeccf58cac0791e5c5b77 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 11:45:16 +0100 Subject: [PATCH 126/186] adding config + pipeline --- components/outputs.tf | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/components/outputs.tf b/components/outputs.tf index 42ba2f2ed..1b8e1ace9 100644 --- a/components/outputs.tf +++ b/components/outputs.tf 
@@ -6,18 +6,18 @@ output "common_tags" { } } -output "included_repositories" { - value = local.included_repositories -} +# output "included_repositories" { +# value = local.included_repositories +# } -output "repo_branch_combinations" { - value = local.repo_branch_combinations -} +# output "repo_branch_combinations" { +# value = local.repo_branch_combinations +# } -output "valid_branch_combinations" { - value = { - for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo - if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null - } -} +# output "valid_branch_combinations" { +# value = { +# for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo +# if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null +# } +# } From 44d006f048c61cc57eaea5af5a68869df923beb2 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 11:47:49 +0100 Subject: [PATCH 127/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 14 +++++++++++++- components/provider.tf | 2 +- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 6b54e83ad..07400c8cb 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -38,6 +38,7 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ @@ -45,7 +46,7 @@ jobs: -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - name: Plan and Apply Terraform + - name: Plan Terraform working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} 
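Review bot: The three outputs are commented out rather than deleted, leaving a block of dead code in `outputs.tf`; if they are no longer needed remove them (git keeps the history), and if they are debugging aids say so in a one-line comment above them, e.g. `# Debug outputs; uncomment when inspecting the for_each filter`. The dropped `valid_branch_combinations` output duplicated the `for_each` filter in `main.tf`, so removing it also removes a second copy of that logic that would drift.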
@@ -58,3 +59,14 @@ jobs: -var="location=UK South" \ -var="override_action=plan" \ -var="github_token=${{ secrets.GITHUB_TOKEN }}" + + - name: Apply Terraform + working-directory: ./components + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + terraform apply -auto-approve tfplan diff --git a/components/provider.tf b/components/provider.tf index 1737c4061..d3fed8bd5 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -4,7 +4,7 @@ provider "azurerm" { provider "github" { owner = "hmcts" - # token = var.github_token + token = var.github_token } terraform { From f9ce920b26f127d9729d05ddaa6f9e9b3d960da0 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 11:50:10 +0100 Subject: [PATCH 128/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 07400c8cb..1505113dd 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -69,4 +69,4 @@ jobs: ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - terraform apply -auto-approve tfplan + terraform apply -auto-approve tfplan \ No newline at end of file From 5043737621317c1ba9d7244d76b92dd172e1940b Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 11:56:48 +0100 Subject: [PATCH 129/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 1505113dd..08915bab2 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
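Review bot: The new Apply step is the third copy of the same five-entry `env:` block; moving it to the job level (`jobs.build-and-deploy.env`) means a credential change is made once. The apply remains unconditional while the workflow triggers on `pull_request` (see the `on:` block in earlier hunks), so a plan produced by a PR build is applied to the sandbox subscription and to the `hmcts` repositories before review; gate the step with `if: github.event_name == 'push'` or run it in an environment with required reviewers. `GITHUB_TOKEN` added to the init step in the `@@ -38,6 +38,7 @@` hunk above is harmless but unneeded, since init only configures the backend and downloads providers.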
@@ -13,6 +13,9 @@ permissions: contents: read packages: write actions: write + checks: write + pull-requests: write + statuses: write jobs: build-and-deploy: @@ -69,4 +72,4 @@ jobs: ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | - terraform apply -auto-approve tfplan \ No newline at end of file + terraform apply -auto-approve tfplan From b366ecf92ae77ff6e3ecc53042224d00a0b7bc45 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 12:27:43 +0100 Subject: [PATCH 130/186] adding config + pipeline --- components/provider.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/provider.tf b/components/provider.tf index d3fed8bd5..8cc820705 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -23,4 +23,4 @@ terraform { version = "3.109.0" } } -} \ No newline at end of file +} From 07b5317b519765126b489a41767d5058246bed53 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 12:29:44 +0100 Subject: [PATCH 131/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 08915bab2..e759670e5 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -41,7 +41,7 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ 
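Review bot: `checks: write`, `pull-requests: write` and `statuses: write` are granted to the job token, yet no step in this hunk or in the other pipeline hunks visible here writes checks, PR comments or commit statuses, and every extra scope widens what the `GITHUB_TOKEN` handed to Terraform can do if the provider or a dependency misbehaves. If the intent is to give the provider enough rights to manage branch protection or rulesets, as far as I know the workflow `permissions` block cannot grant repository administration, which is presumably why later patches fall back to a PAT; a GitHub App installation token scoped to that single permission is the least-privilege route. The hunks on L119 (`packages: write`, `actions: write`) and L124 re-add similar unused scopes and should be trimmed the same way.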
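Review bot: Replacing `secrets.GITHUB_TOKEN` with `secrets.PAT_TOKEN` swaps the run-scoped, auto-expiring job token for a long-lived personal access token tied to one user's account, and the hunks on L114 make the same swap for the plan and apply steps so the PAT reaches every step that receives the env var. If the job token genuinely lacks a required permission, a GitHub App installation token minted per run (for example with `actions/create-github-app-token`) gives the provider the needed repository permission without a standing credential. Failing that, a comment next to the entry such as `# PAT required: workflow token cannot hold repository administration` should record why a user-bound secret is in use.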
@@ -56,7 +56,7 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform plan -out=tfplan \ -var="location=UK South" \ @@ -70,6 +70,6 @@ jobs: ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform apply -auto-approve tfplan From 8da493df3daf9607c1bfda7a76f23995c39a8ec5 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 12:31:15 +0100 Subject: [PATCH 132/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 52 ++++++++++++--------------------- 1 file changed, 19 insertions(+), 33 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index e759670e5..96b8b6d24 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: 
@@ -7,50 +7,46 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - packages: write - actions: write - checks: write - pull-requests: write - statuses: write - + jobs: - build-and-deploy: + plan-and-apply: runs-on: ubuntu-latest + timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - - name: 'Az CLI login' + + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - + + - name: Change directory to Terraform config + run: cd components + - name: Initialize Terraform - working-directory: ./components + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | terraform init \ -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - - name: Plan Terraform - working-directory: ./components + + - name: Plan and Apply Terraform + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} 
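Review bot: The login step now uses `creds: ${{ secrets.AZURE_CREDENTIALS }}`, the azure/login service-principal JSON that carries a client secret, whereas the `client-id`/`tenant-id`/`subscription-id` inputs it replaces, together with the retained `id-token: write` permission, are what enable federated (OIDC) login with no stored secret; this is a step backwards and leaves `id-token: write` granted for nothing. The added step `run: cd components` has no effect because each `run:` step starts in a fresh shell, and the following steps already set `working-directory: components`, so the step can simply be dropped. The same login regression and no-op step reappear in the hunk ending at L129.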
@@ -61,15 +57,5 @@ jobs: terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" \ - -var="github_token=${{ secrets.GITHUB_TOKEN }}" - - - name: Apply Terraform - working-directory: ./components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - run: | - terraform apply -auto-approve tfplan + -var="github_token=${{ secrets.PAT_TOKEN }}" + terraform apply -auto-approve tfplan \ No newline at end of file From bb19213d240e913c40eb7e9210cd31aac7424a0a Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 12:37:59 +0100 Subject: [PATCH 133/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 77 +++++++++++++++++++++++---------- 1 file changed, 55 insertions(+), 22 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 96b8b6d24..b15f51d16 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: 
@@ -7,46 +7,79 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + jobs: - plan-and-apply: + plan: runs-on: ubuntu-latest timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - - name: Change directory to Terraform config - run: cd components - - - name: Initialize Terraform - working-directory: components + with: + terraform_version: 1.5.7 + + - name: Initialize and Plan Terraform + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform init \ - -backend-config="resource_group_name=rule-set-rg" \ + terraform init -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - - name: Plan and Apply Terraform - working-directory: components + terraform plan -out=tfplan \ + -var="location=UK South" \ + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" + + - name: Upload Terraform plan + uses: actions/upload-artifact@v2 + with: + name: tfplan + path: components/tfplan + + apply: + runs-on: ubuntu-latest + needs: plan + timeout-minutes: 60 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Log in to Azure + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + terraform_version: 1.5.7 + + - name: Download Terraform plan + uses: actions/download-artifact@v2 + with: + name: tfplan + path: components + + - name: Initialize and Apply 
Terraform + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} @@ -54,8 +87,8 @@ jobs: ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform plan -out=tfplan \ - -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" - terraform apply -auto-approve tfplan \ No newline at end of file + terraform init -backend-config="resource_group_name=rule-set-rg" \ + -backend-config="storage_account_name=rulesetsa" \ + -backend-config="container_name=tfstate" \ + -backend-config="key=terraform.tfstate" + terraform apply -auto-approve tfplan From 5121c653832e56fdc78e506f8d136464b2e136e4 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 12:45:07 +0100 Subject: [PATCH 134/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 78 ++++++++++----------------------- 1 file changed, 22 insertions(+), 56 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b15f51d16..e6db9b210 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: 
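Review bot: The `Upload Terraform plan` step publishes `components/tfplan` as a run artifact, and a saved plan records the values of its input variables, including the sensitive `github_token` supplied via `-var="github_token=${{ secrets.PAT_TOKEN }}"`, so the PAT becomes downloadable by anyone who can read the workflow run for the artifact's retention period. The smallest fix is to stop routing the token through a Terraform variable at all, since `GITHUB_TOKEN` is already in the env of both jobs and the provider reads it when `token` is unset, and to add `retention-days: 1` to the upload step. Separately, `terraform apply -auto-approve` in the `apply` job is gated only by `needs: plan`, so every push to the branch applies unattended; an `environment:` with required reviewers would turn the job split into a real approval point. This hunk continues into the `@@ -54,8 +87,8` hunk on the same line, and the same upload reappears in the hunks ending at L123 and L132.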
@@ -7,88 +7,54 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + packages: write + actions: write + jobs: - plan: + build-and-deploy: runs-on: ubuntu-latest - timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - - name: Log in to Azure + + - name: 'Az CLI login' uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.5.7 - - - name: Initialize and Plan Terraform + + - name: Initialize Terraform working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform init -backend-config="resource_group_name=rule-set-rg" \ + terraform init \ + -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - terraform plan -out=tfplan \ - -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" - - - name: Upload Terraform plan - uses: actions/upload-artifact@v2 - with: - name: tfplan - path: components/tfplan - - apply: - runs-on: ubuntu-latest - needs: plan - timeout-minutes: 60 - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Log in to Azure - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.5.7 - - - name: Download Terraform plan - uses: actions/download-artifact@v2 - with: - name: tfplan - path: 
components - - - name: Initialize and Apply Terraform + + - name: Plan and Apply Terraform working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform init -backend-config="resource_group_name=rule-set-rg" \ - -backend-config="storage_account_name=rulesetsa" \ - -backend-config="container_name=tfstate" \ - -backend-config="key=terraform.tfstate" + terraform plan -out=tfplan \ + -var="location=UK South" \ + -var="override_action=plan" terraform apply -auto-approve tfplan + \ No newline at end of file From 6a27d09456260e3d0fe3c96eeb8e3e54c53bd6a2 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 12:47:30 +0100 Subject: [PATCH 135/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 +-- components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index e6db9b210..05f5124b3 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -56,5 +56,4 @@ jobs: terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" - terraform apply -auto-approve tfplan - \ No newline at end of file + terraform apply -auto-approve tfplan \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index 8cc820705..37b4aaf22 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -4,7 +4,7 @@ provider "azurerm" { provider "github" { owner = "hmcts" - token = var.github_token + # token = var.github_token } terraform { diff --git a/components/variables.tf b/components/variables.tf index 0a8a6b03e..26e892485 100644 --- a/components/variables.tf +++ b/components/variables.tf 
@@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } variable "branches" { description = "List of branches to apply protection rules" From d139f27f40258dc33585443d948b232d6a5f6b4a Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 12:52:07 +0100 Subject: [PATCH 136/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 05f5124b3..ae7d70930 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -56,4 +56,5 @@ jobs: terraform plan -out=tfplan \ -var="location=UK South" \ -var="override_action=plan" - terraform apply -auto-approve tfplan \ No newline at end of file + terraform apply -auto-approve tfplan + \ No newline at end of file From 3a4b1a5f391557f7fac55c6d3f62ed27b579da33 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 13:12:43 +0100 Subject: [PATCH 137/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 86 ++++++++++++++++++++++++--------- 1 file changed, 64 insertions(+), 22 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ae7d70930..f8cae840c 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: 
@@ -7,54 +7,96 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - packages: write - actions: write - + jobs: - build-and-deploy: + plan: runs-on: ubuntu-latest + timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - - - name: 'Az CLI login' + + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Generate GitHub Token + id: generate_token + run: | + echo "GITHUB_TOKEN=$(curl -s -X POST \ + -H "Accept: application/vnd.github.v3+json" \ + -H "Authorization: Bearer ${{ secrets.GH_API_TOKEN }}" \ + https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/token | jq -r .token)" >> $GITHUB_ENV + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - - name: Initialize Terraform + with: + terraform_version: 1.5.7 + + - name: Initialize and Plan Terraform working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }} run: | - terraform init \ - -backend-config="resource_group_name=rule-set-rg" \ + terraform init -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - - - name: Plan and Apply Terraform + terraform plan -out=tfplan \ + -var="location=UK South" \ + -var="override_action=plan" \ + -var="github_token=${{ env.GITHUB_TOKEN }}" + + - name: Upload Terraform plan + uses: actions/upload-artifact@v2 + with: + name: tfplan + path: components/tfplan + + apply: + runs-on: ubuntu-latest + needs: plan + 
timeout-minutes: 60 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Log in to Azure + uses: azure/login@v1 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + terraform_version: 1.5.7 + + - name: Download Terraform plan + uses: actions/download-artifact@v2 + with: + name: tfplan + path: components + + - name: Initialize and Apply Terraform working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }} run: | - terraform plan -out=tfplan \ - -var="location=UK South" \ - -var="override_action=plan" + terraform init -backend-config="resource_group_name=rule-set-rg" \ + -backend-config="storage_account_name=rulesetsa" \ + -backend-config="container_name=tfstate" \ + -backend-config="key=terraform.tfstate" terraform apply -auto-approve tfplan - \ No newline at end of file From b88b5760d65812604e1a5c0333510222a6ea65ca Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 13:14:39 +0100 Subject: [PATCH 138/186] adding config + pipeline --- components/variables.tf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/components/variables.tf b/components/variables.tf index 26e892485..0a8a6b03e 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} variable "branches" { description = "List of branches to apply protection rules" From 08f30e20a3b6c00ea2731b8414a0c74d482641cc Mon Sep 17 00:00:00 2001 
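Review bot: The `apply` job sets `GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}`, but the `Generate GitHub Token` step that writes that value to `$GITHUB_ENV` runs only in the `plan` job, and `GITHUB_ENV` does not carry across jobs, so apply runs with an empty token. In the generate step itself, `jq -r .token` turns any error body into the string `null` and the step still succeeds, so the curl needs `-fsS` to fail on a non-2xx response, and because values appended to `GITHUB_ENV` are not masked automatically the value should be captured into a variable and passed through `echo "::add-mask::$GH_TOKEN"` before the export. I am also not aware of a `/repos/{owner}/{repo}/actions/runs/{run_id}/token` endpoint in the GitHub REST API; if it does not exist this step can only ever yield `null`. The hunks on L126 rework the same step (they already capture into `GH_TOKEN`) and need the same `-fsS` and mask lines.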
From: Connor O'Kane Date: Fri, 5 Jul 2024 13:16:14 +0100 Subject: [PATCH 139/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index f8cae840c..5147e20ea 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -99,4 +99,4 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - terraform apply -auto-approve tfplan + terraform apply -auto-approve tfplan \ No newline at end of file From d60ac420350ad80e32d6a2f9996e0766d60d43dd Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 13:17:42 +0100 Subject: [PATCH 140/186] adding config + pipeline --- components/provider.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/provider.tf b/components/provider.tf index 37b4aaf22..8cc820705 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -4,7 +4,7 @@ provider "azurerm" { provider "github" { owner = "hmcts" - # token = var.github_token + token = var.github_token } terraform { From 8ce61468163f81093ad88467259857b1b9a5a4b4 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 13:20:52 +0100 Subject: [PATCH 141/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 5147e20ea..02acc94e8 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -11,6 +11,10 @@ on: permissions: id-token: write contents: read + actions: write + checks: write + pull-requests: write + statuses: write jobs: plan: 
@@ -23,15 +27,20 @@ jobs: - name: Log in to Azure uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - name: Generate GitHub Token id: generate_token - run: | - echo "GITHUB_TOKEN=$(curl -s -X POST \ - -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: Bearer ${{ secrets.GH_API_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/token | jq -r .token)" >> $GITHUB_ENV + uses: actions/github-script@v6 + with: + script: | + const token = await github.rest.actions.createWorkflowAccessToken({ + owner: context.repo.owner, + repo: context.repo.repo + }); + core.exportVariable('GITHUB_TOKEN', token.data.token); - name: Setup Terraform uses: hashicorp/setup-terraform@v1 @@ -73,7 +82,9 @@ jobs: - name: Log in to Azure uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - name: Setup Terraform uses: hashicorp/setup-terraform@v1 @@ -99,4 +110,4 @@ jobs: -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - terraform apply -auto-approve tfplan \ No newline at end of file + terraform apply -auto-approve tfplan From 6869a4e49ea895ff39ad66f9798c58eff9711d9d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 13:24:27 +0100 Subject: [PATCH 142/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 02acc94e8..0c4cc1f80 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
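Review bot: `github.rest.actions.createWorkflowAccessToken` is not a method I can find in the Octokit REST client bundled with `actions/github-script`, so this step will most likely throw before exporting anything; the workflow's own job token is already available as `${{ github.token }}` and needs no API call. If a token is minted here, `core.exportVariable` should be preceded by `core.setSecret(token.data.token)` so the value is masked in the log, because exported variables are not masked on their own. Moving the login back to `client-id`/`tenant-id`/`subscription-id` here and in the `@@ -73,7 +82,9` hunk is the right direction: with `id-token: write` that is federated login, and the `ARM_CLIENT_SECRET` entries become unnecessary once `ARM_USE_OIDC: true` is set for the provider, assuming the app registration has a federated credential for this repository.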
@@ -33,14 +33,12 @@ jobs: - name: Generate GitHub Token id: generate_token - uses: actions/github-script@v6 - with: - script: | - const token = await github.rest.actions.createWorkflowAccessToken({ - owner: context.repo.owner, - repo: context.repo.repo - }); - core.exportVariable('GITHUB_TOKEN', token.data.token); + run: | + GH_TOKEN=$(curl -s -X POST \ + -H "Accept: application/vnd.github.v3+json" \ + -H "Authorization: Bearer ${{ secrets.GH_API_TOKEN }}" \ + https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/token | jq -r .token) + echo "GITHUB_TOKEN=$GH_TOKEN" >> $GITHUB_ENV - name: Setup Terraform uses: hashicorp/setup-terraform@v1 From 4996a36d414936c4ecff19d38c9547d948729fee Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 13:28:35 +0100 Subject: [PATCH 143/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 0c4cc1f80..53931886c 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -31,12 +31,13 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + # Generate a short-lived GitHub token using the stored PAT - name: Generate GitHub Token id: generate_token run: | GH_TOKEN=$(curl -s -X POST \ -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: Bearer ${{ secrets.GH_API_TOKEN }}" \ + -H "Authorization: Bearer ${{ secrets.PAT_TOKEN }}" \ https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/token | jq -r .token) echo "GITHUB_TOKEN=$GH_TOKEN" >> $GITHUB_ENV From 806061b55af9349545b10d8f568860bc3d905876 Mon Sep 17 00:00:00 2001 
From: Connor O'Kane Date: Fri, 5 Jul 2024 13:30:19 +0100 Subject: [PATCH 144/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 98 ++++++++------------------------- 1 file changed, 24 insertions(+), 74 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 53931886c..4d654adc8 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: 
@@ -7,106 +7,56 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - actions: write - checks: write - pull-requests: write - statuses: write - + jobs: - plan: + plan-and-apply: runs-on: ubuntu-latest timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - - # Generate a short-lived GitHub token using the stored PAT - - name: Generate GitHub Token - id: generate_token - run: | - GH_TOKEN=$(curl -s -X POST \ - -H "Accept: application/vnd.github.v3+json" \ - -H "Authorization: Bearer ${{ secrets.PAT_TOKEN }}" \ - https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/token | jq -r .token) - echo "GITHUB_TOKEN=$GH_TOKEN" >> $GITHUB_ENV - + creds: ${{ secrets.AZURE_CREDENTIALS }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.5.7 - - - name: Initialize and Plan Terraform - working-directory: ./components + + - name: Change directory to Terraform config + run: cd components + + - name: Initialize Terraform + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }} run: | - terraform init -backend-config="resource_group_name=rule-set-rg" \ + terraform init \ + -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ -backend-config="key=terraform.tfstate" - terraform plan -out=tfplan \ - -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ env.GITHUB_TOKEN }}" - - - name: Upload 
Terraform plan - uses: actions/upload-artifact@v2 - with: - name: tfplan - path: components/tfplan - - apply: - runs-on: ubuntu-latest - needs: plan - timeout-minutes: 60 - steps: - - name: Checkout code - uses: actions/checkout@v2 - - - name: Log in to Azure - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.5.7 - - - name: Download Terraform plan - uses: actions/download-artifact@v2 - with: - name: tfplan - path: components - - - name: Initialize and Apply Terraform - working-directory: ./components + + - name: Plan and Apply Terraform + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform init -backend-config="resource_group_name=rule-set-rg" \ - -backend-config="storage_account_name=rulesetsa" \ - -backend-config="container_name=tfstate" \ - -backend-config="key=terraform.tfstate" + terraform plan -out=tfplan \ + -var="location=UK South" \ + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" terraform apply -auto-approve tfplan + \ No newline at end of file From 2dc238779df448c2e9bcff76397aa502f960aec3 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:18:07 +0100 Subject: [PATCH 145/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 93 ++++++++++++++++++++++++--------- components/provider.tf | 2 + 2 files changed, 71 insertions(+), 24 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 4d654adc8..cd0270fe1 100644 
--- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,5 +1,5 @@ name: Rule Sets Pipeline - + on: pull_request: branches: 
@@ -7,46 +7,90 @@ on: push: branches: - rule-sets-DTSPO-17918 - + permissions: id-token: write contents: read - + actions: write + checks: write + pull-requests: write + statuses: write + jobs: - plan-and-apply: + plan: runs-on: ubuntu-latest timeout-minutes: 60 steps: - name: Checkout code uses: actions/checkout@v2 - + - name: Log in to Azure uses: azure/login@v1 with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + - name: Setup Terraform uses: hashicorp/setup-terraform@v1 - - - name: Change directory to Terraform config - run: cd components - - - name: Initialize Terraform - working-directory: components + with: + terraform_version: 1.5.7 + + - name: Initialize and Plan Terraform + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + TF_LOG: DEBUG run: | - terraform init \ - -backend-config="resource_group_name=rule-set-rg" \ + terraform init -backend-config="resource_group_name=rule-set-rg" \ -backend-config="storage_account_name=rulesetsa" \ -backend-config="container_name=tfstate" \ - -backend-config="key=terraform.tfstate" - - - name: Plan and Apply Terraform - working-directory: components + -backend-config="key=terraform.tfstate" \ + -backend-config="use_oidc=true" \ + -backend-config="use_azuread_auth=true" + terraform plan -out=tfplan \ + -var="location=UK South" \ + -var="override_action=plan" \ + -var="github_token=${{ secrets.PAT_TOKEN }}" + + - name: Upload Terraform plan + uses: actions/upload-artifact@v2 + with: + name: tfplan + path: components/tfplan + + apply: + runs-on: ubuntu-latest + needs: plan + timeout-minutes: 60 + steps: + - name: Checkout code + uses: 
actions/checkout@v2 + + - name: Log in to Azure + uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + terraform_version: 1.5.7 + + - name: Download Terraform plan + uses: actions/download-artifact@v2 + with: + name: tfplan + path: components + + - name: Initialize and Apply Terraform + working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} @@ -54,9 +98,10 @@ jobs: ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: | - terraform plan -out=tfplan \ - -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" + terraform init -backend-config="resource_group_name=rule-set-rg" \ + -backend-config="storage_account_name=rulesetsa" \ + -backend-config="container_name=tfstate" \ + -backend-config="key=terraform.tfstate" \ + -backend-config="use_oidc=true" \ + -backend-config="use_azuread_auth=true" terraform apply -auto-approve tfplan - \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index 8cc820705..e45baa1bb 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -15,6 +15,8 @@ terraform { storage_account_name = "rulesetsa" container_name = "tfstate" key = "terraform.tfstate" + use_oidc = true + use_azuread_auth = true } required_providers { From cb8a6d7e1cdb6b34431bc4329ef5954aaf24ea9f Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:26:29 +0100 Subject: [PATCH 146/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 139 ++++++++++++-------------------- components/provider.tf | 2 +- components/variables.tf | 10 +-- 3 files changed, 58 insertions(+), 93 deletions(-) 
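Review bot: `TF_LOG: DEBUG` is set on the plan step that also holds `ARM_CLIENT_SECRET` and the PAT in `GITHUB_TOKEN`; at DEBUG the providers log full HTTP requests and responses, and while Actions masks the registered secret strings, anything derived from them or returned by the APIs lands in the run log in clear. Drop it once the backend problem is understood, or use `TF_LOG: INFO` as the later L134 hunk does. The backend is switched to `use_oidc=true`/`use_azuread_auth=true` while the provider still receives `ARM_CLIENT_SECRET`, so state access uses the federated identity but resource calls still use the stored secret; setting `ARM_USE_OIDC: true` and removing the client secret would make the two consistent, assuming the app registration has a federated credential for this repository. The `tfplan` upload with `github_token` passed as a `-var` repeats the artifact exposure raised at L118.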
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index cd0270fe1..f23f9e041 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -1,107 +1,72 @@ -name: Rule Sets Pipeline +name: Pull Request on: pull_request: branches: - - rule-sets-DTSPO-17918 - push: - branches: - - rule-sets-DTSPO-17918 + - main -permissions: - id-token: write - contents: read - actions: write - checks: write - pull-requests: write - statuses: write +env: + TF_LOG: INFO -jobs: - plan: +permissions: + id-token: write + issues: write + pull-requests: write + contents: read +jobs: + pr-infra-check: runs-on: ubuntu-latest - timeout-minutes: 60 steps: - - name: Checkout code - uses: actions/checkout@v2 + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 - - name: Log in to Azure - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + # Install the latest version of Terraform CLI + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + + # Log into Azure with OIDC integration + - name: 'Az CLI login' + uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID }} - - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.5.7 + # Run az commands to confirm sub access + - name: 'Run az commands' + run: | + az account show - - name: Initialize and Plan Terraform + - name: Initialize and Plan Terraform working-directory: ./components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - TF_LOG: DEBUG - run: | - terraform init -backend-config="resource_group_name=rule-set-rg" \ - -backend-config="storage_account_name=rulesetsa" \ - -backend-config="container_name=tfstate" \ - 
-backend-config="key=terraform.tfstate" \ - -backend-config="use_oidc=true" \ - -backend-config="use_azuread_auth=true" - terraform plan -out=tfplan \ - -var="location=UK South" \ - -var="override_action=plan" \ - -var="github_token=${{ secrets.PAT_TOKEN }}" - - - name: Upload Terraform plan - uses: actions/upload-artifact@v2 - with: - name: tfplan - path: components/tfplan - - apply: - runs-on: ubuntu-latest - needs: plan - timeout-minutes: 60 - steps: - - name: Checkout code - uses: actions/checkout@v2 - - name: Log in to Azure - uses: azure/login@v1 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + + # Run a Terraform fmt + - name: Terraform format + id: fmt + run: terraform fmt -check - - name: Setup Terraform - uses: hashicorp/setup-terraform@v1 - with: - terraform_version: 1.5.7 + # Run a Terraform validate + - name: Terraform validate + id: validate + if: success() || failure() + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: terraform validate -no-color - - name: Download Terraform plan - uses: actions/download-artifact@v2 - with: - name: tfplan - path: components - - - name: Initialize and Apply Terraform - working-directory: ./components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - run: | - terraform init -backend-config="resource_group_name=rule-set-rg" \ - -backend-config="storage_account_name=rulesetsa" \ - -backend-config="container_name=tfstate" \ - -backend-config="key=terraform.tfstate" \ - -backend-config="use_oidc=true" \ - -backend-config="use_azuread_auth=true" - terraform 
apply -auto-approve tfplan + # Run a Terraform plan + - name: Terraform plan + id: plan + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: terraform plan -no-color \ No newline at end of file diff --git a/components/provider.tf b/components/provider.tf index e45baa1bb..8e54901ef 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -4,7 +4,7 @@ provider "azurerm" { provider "github" { owner = "hmcts" - token = var.github_token + # token = var.github_token } terraform { diff --git a/components/variables.tf b/components/variables.tf index 0a8a6b03e..26e892485 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -variable "github_token" { - description = "GitHub token to use for authentication." - type = string - sensitive = true -} +# variable "github_token" { +# description = "GitHub token to use for authentication." +# type = string +# sensitive = true +# } variable "branches" { description = "List of branches to apply protection rules" From b628f740eca2c5e0ff03e3d3978d79aedfb58e81 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:27:35 +0100 Subject: [PATCH 147/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index f23f9e041..905bf3be1 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -3,7 +3,7 @@ name: Pull Request on: pull_request: branches: - - main + - rule-sets-DTSPO-17918 env: TF_LOG: INFO From 16a5ba5c4618e3d23747ec46ee743a4ad80e150d Mon Sep 17 00:00:00 2001 
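Review bot: On the new side the `Initialize and Plan Terraform` step keeps its `working-directory` and `env` but every `run:` line was removed, leaving a step with neither `run` nor `uses`, which the workflow parser rejects; either delete the step or restore an init command in it. The new login, validate and plan steps read `secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID` while that same step still reads `secrets.DCD_CFT_SANDBOX_SUBSCRIPTION`, so one of the two names is almost certainly undefined and expands to an empty string. The fmt, validate and plan steps have no `working-directory: ./components` and no `terraform init` ahead of `terraform validate`, so they operate on the repository root instead of the configuration. `ARM_CLIENT_SECRET` is still exported although login is now OIDC; drop it and set `ARM_USE_OIDC: true` instead.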
From: Connor O'Kane Date: Fri, 5 Jul 2024 14:33:55 +0100 Subject: [PATCH 148/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 42 +++++++++++---------------------- 1 file changed, 14 insertions(+), 28 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 905bf3be1..7ec8e9c42 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -1,7 +1,7 @@ -name: Pull Request +name: Push on: - pull_request: + push: branches: - rule-sets-DTSPO-17918 @@ -10,11 +10,9 @@ env: permissions: id-token: write - issues: write - pull-requests: write contents: read jobs: - pr-infra-check: + deploy-infra: runs-on: ubuntu-latest steps: # Checkout the repository to the GitHub Actions runner 
@@ -38,35 +36,23 @@ jobs: run: | az account show - - name: Initialize and Plan Terraform - working-directory: ./components - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - - - # Run a Terraform fmt - - name: Terraform format - id: fmt - run: terraform fmt -check - - # Run a Terraform validate - - name: Terraform validate - id: validate - if: success() || failure() + # Run Terraform init + - name: Terraform Init + id: init env: + STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} + CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} + RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform validate -no-color + run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" - # Run a Terraform plan - - name: Terraform plan - id: plan + # Run a Terraform apply + - name: Terraform apply + id: apply env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform plan -no-color \ No newline at end of file + run: terraform apply -auto-approve \ No newline at end of file From 4f1fcbd22a3b1388fbeb610c1ee8167a0e4aa446 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:36:08 +0100 Subject: [PATCH 149/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 7ec8e9c42..56a90f132 100644 
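Review bot: The new `Terraform apply` step runs `terraform apply -auto-approve` on every `push` to the branch with no saved plan and no review gate, so whatever the provider computes at apply time is applied unseen; keep a `terraform plan -out=tfplan` step and apply that artifact with `run: terraform apply -auto-approve tfplan`. Neither `Terraform Init` nor `Terraform apply` sets `working-directory`, so both run at the repository root rather than in `components` where the configuration and backend block live. The init command takes the backend's storage account, container and resource group from secrets; these are not sensitive values, and keeping them as secrets only triggers log masking and makes failures harder to read — plain workflow `env` or repository variables would do. The job header is outside this hunk.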
--- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -9,8 +9,9 @@ env: TF_LOG: INFO permissions: - id-token: write - contents: read + id-token: write + contents: read + jobs: deploy-infra: runs-on: ubuntu-latest @@ -29,7 +30,7 @@ jobs: with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_ID }} # Run az commands to confirm sub access - name: 'Run az commands' @@ -44,7 +45,7 @@ jobs: CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" @@ -53,6 +54,6 @@ jobs: id: apply env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_ID }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform apply -auto-approve \ No newline at end of file + run: terraform apply -auto-approve From 2383c7661b828d8312f362de7a2ef6c96b201229 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:38:09 +0100 Subject: [PATCH 150/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 56a90f132..a7596e7df 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -30,7 +30,7 @@ jobs: with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} # Run az commands to confirm sub access - name: 'Run az commands' @@ -45,15 +45,27 @@ jobs: CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" + + + # Run a Terraform plan + - name: Terraform plan + id: plan + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: terraform plan -no-color + + # Run a Terraform apply - name: Terraform apply id: apply env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: terraform apply -auto-approve From 9ee058515b266ebc60204db81f82b593913ffdd6 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:41:25 +0100 Subject: [PATCH 151/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index a7596e7df..1e5c346f0 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -52,6 +52,7 @@ jobs: # Run a Terraform plan - name: Terraform plan + working-directory: ./components id: plan env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} @@ -63,6 +64,7 @@ jobs: # Run a Terraform apply - name: Terraform apply + working-directory: ./components id: apply env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} From e11ef2ee0ff0f82e0175cecde2150d156086f428 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:44:46 +0100 Subject: [PATCH 152/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 1e5c346f0..5063896f4 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -52,13 +52,13 @@ jobs: # Run a Terraform plan - name: Terraform plan + run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" working-directory: ./components id: plan env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform plan -no-color From b2c1afe1170bf132af9bb9d680d49f272d92f199 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:46:14 +0100 Subject: [PATCH 153/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 5063896f4..a32eddd89 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
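Review bot: In the e11ef2ee0ff0f82e0175cecde2150d156086f428 hunk the `Terraform plan` step gains `run: terraform init …` above its `working-directory` while the `terraform plan -no-color` line is removed, so the step named plan never plans and the job now initialises twice. That inserted init also references `$STORAGE_ACCOUNT`, `$CONTAINER_NAME` and `$RESOURCE_GROUP_NAME`, but this step's `env` only defines the `ARM_*` variables, so all three `-backend-config` values expand to empty strings. Restore `run: terraform plan -no-color` here and leave initialisation to the `Terraform Init` step, which already has the backend variables in scope.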
@@ -37,9 +37,10 @@ jobs: run: | az account show - # Run Terraform init - - name: Terraform Init - id: init + # Run Terraform init and plan + - name: Terraform Init and Plan + id: plan + working-directory: ./components env: STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} @@ -47,20 +48,9 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" - - - # Run a Terraform plan - - name: Terraform plan - run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" - working-directory: ./components - id: plan - env: - ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} - ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - - + run: | + terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" + terraform plan -out=tfplan # Run a Terraform apply - name: Terraform apply @@ -70,4 +60,4 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform apply -auto-approve + run: terraform apply -auto-approve tfplan From bd325b269cb2009313c84c65423c5b7cdfe3a5da Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:48:12 +0100 Subject: [PATCH 154/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) 
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index a32eddd89..ed2b9224e 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -37,6 +37,17 @@ jobs: run: | az account show + # Echo environment variables to debug + - name: Echo environment variables + run: | + echo "STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}" + echo "CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}" + echo "RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}" + env: + STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} + CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} + RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} + # Run Terraform init and plan - name: Terraform Init and Plan id: plan From ddab577a732fe1f61a3ea31fcb3dd81c3b674a4d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 14:51:01 +0100 Subject: [PATCH 155/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index ed2b9224e..a32eddd89 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -37,17 +37,6 @@ jobs: run: | az account show - # Echo environment variables to debug - - name: Echo environment variables - run: | - echo "STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}" - echo "CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}" - echo "RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}" - env: - STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} - CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} - RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} - # Run Terraform init and plan - name: Terraform Init and Plan id: plan From ba648e3d17d8a99adab8d4c17c23d1d3aa7b9297 Mon Sep 17 00:00:00 2001 
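Review bot: The new `Echo environment variables` step writes the values of `secrets.STORAGE_ACCOUNT`, `secrets.CONTAINER_NAME` and `secrets.RESOURCE_GROUP_NAME` into the job log. GitHub masks registered secret values in log output, but masking is best-effort (it does not catch values split across lines or re-encoded), and a debug step whose only purpose is printing secrets should not sit on a branch that also runs `terraform apply`. If presence needs checking, test without printing, e.g. `test -n "$STORAGE_ACCOUNT" || { echo "STORAGE_ACCOUNT is unset"; exit 1; }`, with the values passed only through `env:`. The following commit on this page removes the step again, so this is mainly about not reintroducing it.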
From: Connor O'Kane Date: Fri, 5 Jul 2024 14:55:23 +0100 Subject: [PATCH 156/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 40 ++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index a32eddd89..a1e1ee463 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -5,26 +5,24 @@ on: branches: - rule-sets-DTSPO-17918 -env: - TF_LOG: INFO - permissions: id-token: write contents: read + actions: write # Allow the action to create temporary tokens + +env: + TF_LOG: INFO jobs: deploy-infra: runs-on: ubuntu-latest steps: - # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v3 - # Install the latest version of Terraform CLI - name: Setup Terraform uses: hashicorp/setup-terraform@v2 - - # Log into Azure with OIDC integration + - name: 'Az CLI login' uses: azure/login@v1 with: 
@@ -32,12 +30,33 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - # Run az commands to confirm sub access - name: 'Run az commands' run: | az account show - # Run Terraform init and plan + - name: Generate GitHub Token + id: generate_token + uses: actions/github-script@v6 + with: + script: | + const token = await github.rest.actions.createWorkflowAccessToken({ + owner: context.repo.owner, + repo: context.repo.repo + }); + return token.token; + + - name: Echo environment variables + run: | + echo "STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}" + echo "CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}" + echo "RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}" + echo "GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}" + env: + STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} + CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} + RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + - name: Terraform Init and Plan id: plan working-directory: ./components @@ -48,11 +67,11 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: | terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" terraform plan -out=tfplan - # Run a Terraform apply - name: Terraform apply working-directory: ./components id: apply @@ -60,4 +79,5 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} run: terraform apply -auto-approve tfplan From 5d32a5bc745a5dbc2aac3b8ceccff2c5b4226226 Mon Sep 17 00:00:00 2001 
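Review bot: `actions/github-script` exposes a step's returned value as `steps.<id>.outputs.result`, not `outputs.token`, so every `${{ steps.generate_token.outputs.token }}` reference on the new side expands to an empty string and the GitHub provider receives no credential. I also cannot find `github.rest.actions.createWorkflowAccessToken` in the Actions REST API, so the script step itself will most likely fail before returning anything; if a short-lived token is the goal, the supported route is a GitHub App installation token minted in a dedicated step from an App ID and private key held as secrets. The `Echo environment variables` step then prints that token to the log; a credential should never be echoed, masked or not. The `actions: write` permission with the comment `# Allow the action to create temporary tokens` does not grant token creation — it controls the Actions API (cancel/rerun workflows, artifacts) — and should be dropped.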
From: Connor O'Kane Date: Fri, 5 Jul 2024 14:58:13 +0100 Subject: [PATCH 157/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 19 ++++--------------- 1 file changed, 4 insertions(+), 15 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index a1e1ee463..b588a8da4 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -34,28 +34,17 @@ jobs: run: | az account show - - name: Generate GitHub Token - id: generate_token - uses: actions/github-script@v6 - with: - script: | - const token = await github.rest.actions.createWorkflowAccessToken({ - owner: context.repo.owner, - repo: context.repo.repo - }); - return token.token; - - name: Echo environment variables run: | echo "STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}" echo "CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}" echo "RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}" - echo "GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}" + echo "GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}" # This will print the token value env: STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Terraform Init and Plan id: plan @@ -67,7 +56,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" terraform plan -out=tfplan 
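Review bot: The line `echo "GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}" # This will print the token value` writes the job's installation token into the build log; remove it, since masking is best-effort and a token whose value has been deliberately printed should be treated as exposed for the rest of the run. Beyond the logging, `secrets.GITHUB_TOKEN` is scoped to this repository with the job's `contents: read` permission, so handing it to the Terraform GitHub provider via the `GITHUB_TOKEN` env entries will return 403/404 if, as the `branches` variable and `test-repos.json` suggest, the configuration manages branch protection in other `hmcts` repositories; that provider needs an organisation-scoped credential such as a GitHub App installation token. The third hunk of this commit, on the next line, makes the same substitution in the apply step.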
@@ -79,5 +68,5 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: terraform apply -auto-approve tfplan From b125f79b1a5614491eb3ac20219c3af482964eff Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:03:24 +0100 Subject: [PATCH 158/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 30 ++++++++++++++++++------------ 1 file changed, 18 insertions(+), 12 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b588a8da4..999e36d90 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -8,12 +8,12 @@ on: permissions: id-token: write contents: read - actions: write # Allow the action to create temporary tokens + actions: write env: TF_LOG: INFO -jobs: +jobs: deploy-infra: runs-on: ubuntu-latest steps: 
@@ -34,17 +34,23 @@ jobs: run: | az account show - - name: Echo environment variables + - name: Debug Repositories and Branches run: | - echo "STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}" - echo "CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}" - echo "RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}" - echo "GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}" # This will print the token value - env: - STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} - CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} - RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + echo "Checking Repositories and Branches" + echo ${{ toJSON(fromJSON(file(steps.workspace))['test-repos.json']) }} + for repo in $(jq -r '.[]' test-repos.json); do + echo "Checking repository: $repo" + curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/hmcts/$repo + + for branch in main master; do + echo "Checking branch: $branch in repository: $repo" + curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/hmcts/$repo/branches/$branch + done + done - name: Terraform Init and Plan id: plan From 62e7331cd1ac905e567aa28d082325679eae3828 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:06:29 +0100 Subject: [PATCH 159/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 999e36d90..b59c98142 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
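Review bot: `echo ${{ toJSON(fromJSON(file(steps.workspace))['test-repos.json']) }}` is not a valid expression — there is no `file()` function and no `steps.workspace` context in workflow expressions — so the workflow fails to parse before any step runs; read the file in the shell instead, as the `jq` call on the next line already does. The `curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}"` lines interpolate the secret into the script text at template time; pass it through the step's `env:` and reference `$GITHUB_TOKEN` so the value never appears in the rendered script. The loop runs under the runner's default `bash -e`, but `curl` without `--fail` exits 0 on HTTP 403/404, so a missing repository or branch is reported as success.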
@@ -34,11 +34,15 @@ jobs: run: | az account show + - name: Install jq + run: | + sudo apt-get install jq -y + - name: Debug Repositories and Branches run: | echo "Checking Repositories and Branches" - echo ${{ toJSON(fromJSON(file(steps.workspace))['test-repos.json']) }} - for repo in $(jq -r '.[]' test-repos.json); do + cat ./components/test-repos.json + for repo in $(jq -r '.[]' ./components/test-repos.json); do echo "Checking repository: $repo" curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ From 0c802f4231696efb3c6dd97ba8944eec08a406c7 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:08:21 +0100 Subject: [PATCH 160/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b59c98142..35479b100 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -41,8 +41,8 @@ jobs: - name: Debug Repositories and Branches run: | echo "Checking Repositories and Branches" - cat ./components/test-repos.json - for repo in $(jq -r '.[]' ./components/test-repos.json); do + cat ../test-repos.json + for repo in $(jq -r '.[]' ../test-repos.json); do echo "Checking repository: $repo" curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ From c8188fbaf00ec9018f75ba6b67a40a8286c1eb9e Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:09:09 +0100 Subject: [PATCH 161/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 35479b100..5838b3ca0 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -41,8 +41,8 @@ jobs: - name: Debug Repositories and Branches run: | echo "Checking Repositories and Branches" - cat ../test-repos.json - for repo in $(jq -r '.[]' ../test-repos.json); do + cat ./test-repos.json + for repo in $(jq -r '.[]' ./test-repos.json); do echo "Checking repository: $repo" curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ From a430dd2aa1425c4e42820d7d03415311a1dcae28 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:15:34 +0100 Subject: [PATCH 162/186] adding config + pipeline --- components/provider.tf | 2 +- components/variables.tf | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/components/provider.tf b/components/provider.tf index 8e54901ef..e45baa1bb 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -4,7 +4,7 @@ provider "azurerm" { provider "github" { owner = "hmcts" - # token = var.github_token + token = var.github_token } terraform { diff --git a/components/variables.tf b/components/variables.tf index 26e892485..0a8a6b03e 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -1,8 +1,8 @@ -# variable "github_token" { -# description = "GitHub token to use for authentication." -# type = string -# sensitive = true -# } +variable "github_token" { + description = "GitHub token to use for authentication." + type = string + sensitive = true +} variable "branches" { description = "List of branches to apply protection rules" From fb8fae2998d6017424106fcb6fe8b584d85ee4ce Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:17:55 +0100 Subject: [PATCH 163/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 5838b3ca0..b9dedaf5a 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
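Review bot: Re-enabling `token = var.github_token` with a `github_token` variable that has no default makes it a required input, but nothing in the workflow supplies it — the plan and apply steps export `GITHUB_TOKEN`, which the provider only consults when `token` is unset, and no `-var` or `TF_VAR_github_token` is passed — so a non-interactive `terraform plan` stops with a missing-variable error. Either keep the variable and add `TF_VAR_github_token: ${{ secrets.PAT_TOKEN }}` to the plan and apply step `env:`, or drop the `token` argument so the provider falls back to `GITHUB_TOKEN`. The `sensitive = true` marker is correct and should stay whichever way this goes.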
@@ -80,3 +80,4 @@ jobs: ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: terraform apply -auto-approve tfplan + From 99c37023723b55cd475fc7f670fe7d4a24fd800f Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:21:32 +0100 Subject: [PATCH 164/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b9dedaf5a..dd08ca652 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -44,13 +44,13 @@ jobs: cat ./test-repos.json for repo in $(jq -r '.[]' ./test-repos.json); do echo "Checking repository: $repo" - curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ https://api.github.com/repos/hmcts/$repo for branch in main master; do echo "Checking branch: $branch in repository: $repo" - curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ https://api.github.com/repos/hmcts/$repo/branches/$branch done @@ -66,7 +66,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN}} run: | terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" terraform plan -out=tfplan 
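Review bot: Replacing `secrets.GITHUB_TOKEN` with `secrets.PAT_TOKEN` in the `curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}"` lines puts a long-lived personal access token into the rendered script of a debug loop; move it to the step's `env:` and use `"Authorization: token $PAT_TOKEN"` so it only exists as a process environment variable. A PAT is bound to one user's account and scopes, a weaker control than a GitHub App installation token for automation that manages other repositories; if the PAT stays, record that as a follow-up. The `GITHUB_TOKEN: ${{ secrets.PAT_TOKEN}}` line (no space before `}}`) still parses, but match the spacing used on the other lines.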
@@ -78,6 +78,6 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: terraform apply -auto-approve tfplan From 90ef29304a3cade717284480adcdb1b22a4a2c17 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:23:08 +0100 Subject: [PATCH 165/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index dd08ca652..b4daf88c8 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -81,3 +81,4 @@ jobs: GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} run: terraform apply -auto-approve tfplan + From f825123817582619361152372c9632fb54bc5920 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:27:40 +0100 Subject: [PATCH 166/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 59 ++++++++++----------------------- 1 file changed, 18 insertions(+), 41 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b4daf88c8..1c8d4408d 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -5,15 +5,14 @@ on: branches: - rule-sets-DTSPO-17918 +env: + TF_LOG: INFO + permissions: id-token: write contents: read - actions: write -env: - TF_LOG: INFO - -jobs: +jobs: deploy-infra: runs-on: ubuntu-latest steps: 
@@ -34,31 +33,8 @@ jobs: run: | az account show - - name: Install jq - run: | - sudo apt-get install jq -y - - - name: Debug Repositories and Branches - run: | - echo "Checking Repositories and Branches" - cat ./test-repos.json - for repo in $(jq -r '.[]' ./test-repos.json); do - echo "Checking repository: $repo" - curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/hmcts/$repo - - for branch in main master; do - echo "Checking branch: $branch in repository: $repo" - curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/hmcts/$repo/branches/$branch - done - done - - - name: Terraform Init and Plan - id: plan - working-directory: ./components + - name: Terraform Init + working-directory: components env: STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} 
@@ -66,19 +42,20 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN}} - run: | - terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" - terraform plan -out=tfplan + run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" + + - name: Terraform Plan + working-directory: components + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: terraform plan -var-file="components/terraform.tfvars" - - name: Terraform apply - working-directory: ./components - id: apply + - name: Terraform Apply + working-directory: components env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - run: terraform apply -auto-approve tfplan - - + run: terraform apply -var-file="components/terraform.tfvars" -auto-approve From 695f55dd495ae0b4a925e08a726f2962b59932aa Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:28:56 +0100 Subject: [PATCH 167/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 1c8d4408d..7cddc34f1 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
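Review bot: The new Terraform Apply step no longer applies the `tfplan` the previous version saved: `terraform apply -var-file="components/terraform.tfvars" -auto-approve` re-plans on its own, so the change actually applied can differ from what the separate Terraform Plan step reported. Both new `-var-file` paths are also resolved relative to `working-directory: components`, which points them at `components/components/terraform.tfvars` (a later commit on this page shortens the path). I would write the plan out and apply exactly that file: `run: terraform plan -var-file="terraform.tfvars" -out=tfplan` in the plan step and `run: terraform apply -auto-approve tfplan` in the apply step.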
@@ -58,4 +58,4 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform apply -var-file="components/terraform.tfvars" -auto-approve + run: terraform apply -var-file="components/terraform.tfvars" -auto-approve \ No newline at end of file From 945c7192986489613c87539559716d8c91534994 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:32:09 +0100 Subject: [PATCH 168/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 7cddc34f1..766028de0 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -50,7 +50,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform plan -var-file="components/terraform.tfvars" + run: terraform plan -var-file="terraform.tfvars" - name: Terraform Apply working-directory: components @@ -58,4 +58,4 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform apply -var-file="components/terraform.tfvars" -auto-approve \ No newline at end of file + run: terraform apply -var-file="terraform.tfvars" -auto-approve From d34aa89456e5ff5230f210d37d0974296f9fbeed Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:35:34 +0100 Subject: [PATCH 169/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 766028de0..455457379 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -33,6 +33,10 @@ jobs: run: | az account show + # Debug step to list files in components directory + - name: List files in components directory + run: ls -la components + - name: Terraform Init working-directory: components env: @@ -50,7 +54,8 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform plan -var-file="terraform.tfvars" + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + run: terraform plan -var="github_token=${{ secrets.PAT_TOKEN }}" - name: Terraform Apply working-directory: components @@ -58,4 +63,5 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform apply -var-file="terraform.tfvars" -auto-approve + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + run: terraform apply -var="github_token=${{ secrets.PAT_TOKEN }}" -auto-approve From 3f5b854618f58946c38dfe710f93d6a05af808fd Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:41:02 +0100 Subject: [PATCH 170/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 455457379..b66913d2b 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
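Review bot: The `@@ -50,7 +54,8 @@` and `@@ -58,4 +63,5 @@` hunks pass the PAT twice, once as the `GITHUB_TOKEN` env var and again inline as `-var="github_token=${{ secrets.PAT_TOKEN }}"`; the inline form expands the secret into the shell command string, where it relies on the runner's secret masking rather than never being part of a printable command. Terraform reads `TF_VAR_<name>` from the environment, so the variable can be supplied without appearing on the command line: `TF_VAR_github_token: ${{ secrets.PAT_TOKEN }}` under `env:` and a plain `run: terraform plan` / `run: terraform apply -auto-approve`. The same inline pattern is introduced for pr.yaml by a later commit on this page (`@@ -50,24 +46,20 @@`).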
@@ -33,9 +33,29 @@ jobs: run: | az account show - # Debug step to list files in components directory - - name: List files in components directory - run: ls -la components + + - name: Install jq + run: | + sudo apt-get install jq -y + + - name: Debug Repositories and Branches + run: | + echo "Checking Repositories and Branches" + cat ./components/test-repos.json + for repo in $(jq -r '.[]' ./components/test-repos.json); do + echo "Checking repository: $repo" + curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/hmcts/$repo + + for branch in main master; do + echo "Checking branch: $branch in repository: $repo" + curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/hmcts/$repo/branches/$branch + done + done + - name: Terraform Init working-directory: components From 4634d797055465aff5e7990c4c12787bb4e12183 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:44:27 +0100 Subject: [PATCH 171/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 40 ++++++++++++++++----------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index b66913d2b..26a2a8d67 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -12,7 +12,7 @@ permissions: id-token: write contents: read -jobs: +jobs: deploy-infra: runs-on: ubuntu-latest steps: 
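Review bot: The curl calls in the re-added `Debug Repositories and Branches` step have no `--fail`/`-f`, so a 401 or 404 for a repo or branch prints the error JSON and the step still succeeds, and the step authenticates with `GITHUB_TOKEN` while the Terraform steps use `PAT_TOKEN`, so it does not exercise the credential Terraform will actually use. `$repo` and `$branch` are also interpolated unquoted into the URL after being read from `test-repos.json`. I would quote them and fail fast, e.g. `curl -sSf -H "Authorization: token ${{ secrets.PAT_TOKEN }}" -H "Accept: application/vnd.github.v3+json" "https://api.github.com/repos/hmcts/$repo"`. The same step is rewritten in the `@@ -33,29 +33,27 @@` hunk on the next line and copied into pr.yaml by a later commit (`@@ -35,6 +35,29 @@`), where the same points apply.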
@@ -33,29 +33,27 @@ jobs: run: | az account show + - name: Install jq + run: | + sudo apt-get install jq -y + + - name: List all Repositories and Branches from JSON file + run: | + echo "Checking Repositories and Branches" + cat ./components/test-repos.json + for repo in $(jq -r '.[]' ./components/test-repos.json); do + echo "Checking repository: $repo" + curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/hmcts/$repo - - name: Install jq - run: | - sudo apt-get install jq -y - - - name: Debug Repositories and Branches - run: | - echo "Checking Repositories and Branches" - cat ./components/test-repos.json - for repo in $(jq -r '.[]' ./components/test-repos.json); do - echo "Checking repository: $repo" - curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ + for branch in main master; do + echo "Checking branch: $branch in repository: $repo" + curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/hmcts/$repo - - for branch in main master; do - echo "Checking branch: $branch in repository: $repo" - curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ - -H "Accept: application/vnd.github.v3+json" \ - https://api.github.com/repos/hmcts/$repo/branches/$branch - done + https://api.github.com/repos/hmcts/$repo/branches/$branch done - + done - name: Terraform Init working-directory: components From c9d4678dc4c98f2df29b78cef81c7c65a781336a Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:45:38 +0100 Subject: [PATCH 172/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 26a2a8d67..c43d0de36 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -40,7 +40,7 @@ jobs: - name: List all Repositories and Branches from JSON file run: | echo "Checking Repositories and Branches" - cat ./components/test-repos.json + cat ./test-repos.json for repo in $(jq -r '.[]' ./components/test-repos.json); do echo "Checking repository: $repo" curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ From ff140e9271596ed00e9a97432fa27e874accc9c5 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Fri, 5 Jul 2024 15:58:16 +0100 Subject: [PATCH 173/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index c43d0de36..afeb9a5be 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -41,7 +41,7 @@ jobs: run: | echo "Checking Repositories and Branches" cat ./test-repos.json - for repo in $(jq -r '.[]' ./components/test-repos.json); do + for repo in $(jq -r '.[]' ./test-repos.json); do echo "Checking repository: $repo" curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ From ccc077fc3601edbc37d3742bf181dc0322c781bd Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 22:35:24 +0100 Subject: [PATCH 174/186] adding config + pipeline --- .github/workflows/pr.yaml | 75 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 .github/workflows/pr.yaml diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml new file mode 100644 index 000000000..3410ea60f --- /dev/null +++ b/.github/workflows/pr.yaml 
@@ -0,0 +1,75 @@ +name: Pull Request + +on: + pull_request: + branches: + - rule-sets-DTSPO-17918 + +env: + TF_LOG: INFO + +permissions: + id-token: write + issues: write + pull-requests: write + contents: read +jobs: + pr-infra-check: + runs-on: ubuntu-latest + steps: + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 + + # Install the latest version of Terraform CLI + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + + # Log into Azure with OIDC integration + - name: 'Az CLI login' + uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + + # Run az commands to confirm sub access + - name: 'Run az commands' + run: | + az account show + + # Run Terraform init + - name: Terraform Init + id: init + env: + STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} + CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} + RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" + + # Run a Terraform fmt + - name: Terraform format + id: fmt + run: terraform fmt -check + + # Run a Terraform validate + - name: Terraform validate + id: validate + if: success() || failure() + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: terraform validate -no-color + + # Run a Terraform plan + - name: Terraform plan + id: plan + env: + ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} + 
ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + run: terraform plan -no-color \ No newline at end of file From b3045b7384a2ddce66ba3f252d9dbe2ecb0c9dc9 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 22:36:57 +0100 Subject: [PATCH 175/186] adding config + pipeline --- .github/workflows/pr.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 3410ea60f..c561bd990 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -3,7 +3,7 @@ name: Pull Request on: pull_request: branches: - - rule-sets-DTSPO-17918 + - master env: TF_LOG: INFO From 7ad12f1bb228dac9cecf2fa2ba82f48ab2b9bd38 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 22:39:28 +0100 Subject: [PATCH 176/186] adding config + pipeline --- .github/workflows/pr.yaml | 3 +++ components/locals.tf | 2 +- components/provider.tf | 4 ++-- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index c561bd990..96321fa79 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -52,11 +52,13 @@ jobs: # Run a Terraform fmt - name: Terraform format + working-directory: components id: fmt run: terraform fmt -check # Run a Terraform validate - name: Terraform validate + working-directory: components id: validate if: success() || failure() env: @@ -67,6 +69,7 @@ jobs: # Run a Terraform plan - name: Terraform plan + working-directory: components id: plan env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} diff --git a/components/locals.tf b/components/locals.tf index 7218dc51d..92ec36176 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -22,7 +22,7 @@ locals { # Filter out excluded repositories included_repositories = [ - for repo in local.repositories_list : repo + for repo in local.repositories_list : repo if !contains(var.excluded_repositories, repo) ] 
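Review bot: The new pr.yaml requests `issues: write` and `pull-requests: write`, but none of its steps comments on a pull request or touches issues, so the workflow token carries write scopes it never uses; unless a plan-comment step is coming, I would drop those two lines and keep only `id-token: write` and `contents: read`. The `Terraform validate` step is also guarded with `if: success() || failure()`, which makes it run even when `Terraform Init` has already failed, so its result is noise in that case. None of the Terraform steps sets `working-directory`, so `terraform init`/`fmt`/`validate`/`plan` run at the repository root rather than in `components`; later commits on this page add `working-directory: components` to them.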
diff --git a/components/provider.tf b/components/provider.tf index e45baa1bb..e55ffe53e 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -15,8 +15,8 @@ terraform { storage_account_name = "rulesetsa" container_name = "tfstate" key = "terraform.tfstate" - use_oidc = true - use_azuread_auth = true + use_oidc = true + use_azuread_auth = true } required_providers { From 21f0b3664ad83404415dc3c4789cb4c8da10898b Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 22:47:16 +0100 Subject: [PATCH 177/186] adding config + pipeline --- .github/workflows/pr.yaml | 23 ++++++++--------------- 1 file changed, 8 insertions(+), 15 deletions(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 96321fa79..a3c8caad6 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -9,23 +9,21 @@ env: TF_LOG: INFO permissions: - id-token: write - issues: write - pull-requests: write - contents: read + id-token: write + issues: write + pull-requests: write + contents: read + jobs: pr-infra-check: runs-on: ubuntu-latest steps: - # Checkout the repository to the GitHub Actions runner - name: Checkout uses: actions/checkout@v3 - # Install the latest version of Terraform CLI - name: Setup Terraform uses: hashicorp/setup-terraform@v2 - # Log into Azure with OIDC integration - name: 'Az CLI login' uses: azure/login@v1 with: @@ -33,14 +31,12 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - # Run az commands to confirm sub access - name: 'Run az commands' run: | az account show - # Run Terraform init - name: Terraform Init - id: init + working-directory: components env: STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }} CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} 
@@ -50,24 +46,20 @@ jobs: ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" - # Run a Terraform fmt - name: Terraform format working-directory: components id: fmt run: terraform fmt -check - # Run a Terraform validate - name: Terraform validate working-directory: components id: validate - if: success() || failure() env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: terraform validate -no-color - # Run a Terraform plan - name: Terraform plan working-directory: components id: plan @@ -75,4 +67,5 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform plan -no-color \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} + run: terraform plan -var="github_token=${{ secrets.PAT_TOKEN }}" -no-color \ No newline at end of file From ae9dc2259458809725dd88ea2ca55c75447ce23d Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 22:54:49 +0100 Subject: [PATCH 178/186] adding config + pipeline --- .github/workflows/pr.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index a3c8caad6..79948f7f3 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -58,7 +58,7 @@ jobs: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} - run: terraform validate -no-color + run: terraform validate - name: Terraform plan working-directory: components 
@@ -68,4 +68,4 @@ jobs: ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} - run: terraform plan -var="github_token=${{ secrets.PAT_TOKEN }}" -no-color \ No newline at end of file + run: terraform plan -var="github_token=${{ secrets.PAT_TOKEN }}" From 1a890c09e0c69fc6928caf5e4a4d50f74b50f45c Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 23:05:16 +0100 Subject: [PATCH 179/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index afeb9a5be..3a3a06c96 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -3,7 +3,7 @@ name: Push on: push: branches: - - rule-sets-DTSPO-17918 + - master env: TF_LOG: INFO @@ -12,7 +12,7 @@ permissions: id-token: write contents: read -jobs: +jobs: deploy-infra: runs-on: ubuntu-latest steps: @@ -36,17 +36,17 @@ jobs: - name: Install jq run: | sudo apt-get install jq -y - - - name: List all Repositories and Branches from JSON file + + - name: Debug Repositories and Branches run: | echo "Checking Repositories and Branches" - cat ./test-repos.json - for repo in $(jq -r '.[]' ./test-repos.json); do + cat ./components/test-repos.json + for repo in $(jq -r '.[]' ./components/test-repos.json); do echo "Checking repository: $repo" curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ https://api.github.com/repos/hmcts/$repo - + for branch in main master; do echo "Checking branch: $branch in repository: $repo" curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ From 696066de45bcb0a2bf50d24b7e0d6da709fe6506 Mon Sep 17 00:00:00 2001 
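Review bot: The `@@ -36,17 +36,17 @@` hunk moves the listing step back to `./components/test-repos.json`, but locals.tf reads `${path.module}/../test-repos.json` (visible in the locals.tf hunk later on this page), i.e. the file at the repository root, and this path has flipped several times in the series; the step and Terraform should agree on one location. The same commit switches the push trigger to `master`, after which every push to that branch runs `terraform apply -auto-approve` against the sandbox subscription with no approval gate. I would pin the path to `./test-repos.json` in both the `cat` and the `jq` line and consider attaching an `environment:` with required reviewers to `deploy-infra`.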
From: Connor O'Kane Date: Sun, 7 Jul 2024 23:09:06 +0100 Subject: [PATCH 180/186] adding config + pipeline --- .github/workflows/pr.yaml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 79948f7f3..f3949854e 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -35,6 +35,29 @@ jobs: run: | az account show + + - name: Install jq + run: | + sudo apt-get install jq -y + + - name: Debug Repositories and Branches + run: | + echo "Checking Repositories and Branches" + cat ./components/test-repos.json + for repo in $(jq -r '.[]' ./components/test-repos.json); do + echo "Checking repository: $repo" + curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/hmcts/$repo + + for branch in main master; do + echo "Checking branch: $branch in repository: $repo" + curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ + -H "Accept: application/vnd.github.v3+json" \ + https://api.github.com/repos/hmcts/$repo/branches/$branch + done + done + - name: Terraform Init working-directory: components env: From efad249daacc4fcd4c7284c59f7a14270e802fc2 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 23:11:06 +0100 Subject: [PATCH 181/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 6 +----- .github/workflows/pr.yaml | 10 +++------- 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 3a3a06c96..860fd21bf 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml 
@@ -29,15 +29,11 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - - name: 'Run az commands' - run: | - az account show - - name: Install jq run: | sudo apt-get install jq -y - - name: Debug Repositories and Branches + - name: List Repositories and Branches run: | echo "Checking Repositories and Branches" cat ./components/test-repos.json diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index f3949854e..90895cb8e 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -31,16 +31,12 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - - name: 'Run az commands' - run: | - az account show - - - name: Install jq - run: | + - name: Install jq + run: | sudo apt-get install jq -y - - name: Debug Repositories and Branches + - name: List Repositories and Branches run: | echo "Checking Repositories and Branches" cat ./components/test-repos.json From 06ff5a7700c518594f1c132020e2a27a7ef0fb56 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 23:17:24 +0100 Subject: [PATCH 182/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 4 ++-- .github/workflows/pr.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 860fd21bf..77e13c416 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -36,8 +36,8 @@ jobs: - name: List Repositories and Branches run: | echo "Checking Repositories and Branches" - cat ./components/test-repos.json - for repo in $(jq -r '.[]' ./components/test-repos.json); do + cat ./test-repos.json + for repo in $(jq -r '.[]' ./test-repos.json); do echo "Checking repository: $repo" curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ 
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 90895cb8e..0ea7e5e9a 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -39,8 +39,8 @@ jobs: - name: List Repositories and Branches run: | echo "Checking Repositories and Branches" - cat ./components/test-repos.json - for repo in $(jq -r '.[]' ./components/test-repos.json); do + cat ./test-repos.json + for repo in $(jq -r '.[]' ./test-repos.json); do echo "Checking repository: $repo" curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \ -H "Accept: application/vnd.github.v3+json" \ From 3b70304546f9b49e81fe0f8d7c2ed61e1d98a613 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 23:44:37 +0100 Subject: [PATCH 183/186] adding config + pipeline --- components/provider.tf | 2 -- 1 file changed, 2 deletions(-) diff --git a/components/provider.tf b/components/provider.tf index e55ffe53e..8cc820705 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -15,8 +15,6 @@ terraform { storage_account_name = "rulesetsa" container_name = "tfstate" key = "terraform.tfstate" - use_oidc = true - use_azuread_auth = true } required_providers { From 5f94a84e05dab6fbdef127d55de6c39409d7a80b Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 23:48:24 +0100 Subject: [PATCH 184/186] adding config + pipeline --- .github/workflows/pr.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 0ea7e5e9a..46455e1f0 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -31,10 +31,8 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - - name: Install jq - run: | - sudo apt-get install jq -y + run: sudo apt-get install jq -y - name: List Repositories and Branches run: | 
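Review bot: Removing `use_oidc = true` and `use_azuread_auth = true` from the `azurerm` backend (the `@@ -15,8 +15,6 @@ terraform {` hunk) drops the federated-identity path that the workflows' `azure/login` step and `id-token: write` permission are set up for, and the following commit on this page adds `ARM_CLIENT_SECRET` to every Terraform step to compensate. That trades a short-lived OIDC token for a long-lived client secret in `secrets.AZURE_CLIENT_SECRET`, which then needs its own rotation and revocation process. I would keep `use_oidc = true` and `use_azuread_auth = true` in the backend block and record in the commit message what backend-init error, if any, motivated the removal, since the message does not say.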
@@ -61,6 +59,7 @@ jobs: CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }} RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }} ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME" @@ -75,6 +74,7 @@ jobs: id: validate env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} run: terraform validate @@ -84,6 +84,7 @@ jobs: id: plan env: ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }} From fa69b521ce7b8c334c8522f2f27ef1f70311aa21 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 23:51:57 +0100 Subject: [PATCH 185/186] adding config + pipeline --- .github/workflows/pipeline.yaml | 2 ++ .github/workflows/pr.yaml | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml index 77e13c416..81934dbac 100644 --- a/.github/workflows/pipeline.yaml +++ b/.github/workflows/pipeline.yaml @@ -22,6 +22,7 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v2 + # Log into Azure with OIDC integration - name: 'Az CLI login' uses: azure/login@v1 with: @@ -33,6 +34,7 @@ jobs: run: | sudo apt-get install jq -y + # List all the repos and branches that the rules are going to be applied on - name: List Repositories and Branches run: | echo "Checking Repositories and Branches" 
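Review bot: All three hunks on this line add `ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}` to steps that already run after an OIDC `azure/login` under `id-token: write`, so the job now holds two Azure credentials and the azurerm provider will most likely authenticate with the client secret rather than the federated token. If the intent is to let the provider and backend reuse the federated login, `ARM_USE_OIDC: true` next to the existing `ARM_CLIENT_ID`/`ARM_TENANT_ID`/`ARM_SUBSCRIPTION_ID` values does that without a long-lived secret. If the secret has to stay, a comment on the first `ARM_CLIENT_SECRET` line explaining why OIDC was not usable would help the next reader, e.g. `# client secret auth: OIDC not usable because <reason-placeholder>; rotate together with AZURE_CLIENT_ID`.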
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml index 46455e1f0..433249102 100644 --- a/.github/workflows/pr.yaml +++ b/.github/workflows/pr.yaml @@ -23,17 +23,19 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v2 - + + # Log into Azure with OIDC integration - name: 'Az CLI login' uses: azure/login@v1 with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }} - + - name: Install jq run: sudo apt-get install jq -y + # List all the repos and branches that the rules are going to be applied on - name: List Repositories and Branches run: | echo "Checking Repositories and Branches" From 0c5a65b81371c87665cd3612a1973c8165b2e533 Mon Sep 17 00:00:00 2001 From: Connor O'Kane Date: Sun, 7 Jul 2024 23:56:09 +0100 Subject: [PATCH 186/186] adding config + pipeline --- components/locals.tf | 18 ------------------ components/outputs.tf | 15 --------------- components/provider.tf | 2 +- components/variables.tf | 2 -- 4 files changed, 1 insertion(+), 36 deletions(-) diff --git a/components/locals.tf b/components/locals.tf index 92ec36176..6c7421ca4 100644 --- a/components/locals.tf +++ b/components/locals.tf @@ -1,21 +1,3 @@ -# locals { -# // List of included repositories, taken directly from the 'repositories' variable -# included_repositories = var.repositories - -# // Create combinations of repositories and branches by flattening a nested loop -# repo_branch_combinations = flatten([ -# // Iterate over each repository in the included_repositories list -# for repo in local.included_repositories : [ -# // For each repository, iterate over each branch in the 'branches' variable -# for branch in var.branches : { -# // Create a map with the repository and branch names -# repo = repo -# branch = branch -# } -# ] -# ]) -# } - locals { # Read the repositories list from the JSON file repositories_list = jsondecode(file("${path.module}/../test-repos.json")) 
diff --git a/components/outputs.tf b/components/outputs.tf index 1b8e1ace9..d3d652a2c 100644 --- a/components/outputs.tf +++ b/components/outputs.tf @@ -6,18 +6,3 @@ output "common_tags" { } } -# output "included_repositories" { -# value = local.included_repositories -# } - -# output "repo_branch_combinations" { -# value = local.repo_branch_combinations -# } - -# output "valid_branch_combinations" { -# value = { -# for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo -# if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null -# } -# } - diff --git a/components/provider.tf b/components/provider.tf index 8cc820705..1594f51ae 100644 --- a/components/provider.tf +++ b/components/provider.tf @@ -8,7 +8,7 @@ provider "github" { } terraform { - required_version = ">= 1.4.0" + required_version = ">= 1.5.7" backend "azurerm" { resource_group_name = "rule-set-rg" diff --git a/components/variables.tf b/components/variables.tf index 0a8a6b03e..89b2e6d53 100644 --- a/components/variables.tf +++ b/components/variables.tf @@ -17,8 +17,6 @@ variable "excluded_repositories" { description = "List of repositories to exclude from branch protection rules" type = list(string) default = [ - # "rule-set-test-repo5" - # "rule-set-test-repo7", "rule-set-test-repo8" ] }