Merge pull request #6 from nicholas-c/feature/options-cloudfront-comp… #133

Workflow file for this run

.github/workflows/cicd-pipeline.yaml at db95da3

	name: CI/CD Pipeline
	permissions:
	contents: read
	security-events: write
	id-token: write
	actions: write

	on:
	push:
	pull_request:
	branches:
	- main
	types: [opened, synchronize, reopened]

	jobs:
	get-metadata:
	name: "Get Metadata"
	runs-on: ubuntu-latest
	outputs:
	build_datetime: ${{ steps.metadata.outputs.build_datetime }}
	build_timestamp: ${{ steps.metadata.outputs.build_timestamp }}
	build_epoch: ${{ steps.metadata.outputs.build_epoch }}
	terraform_version: ${{ steps.metadata.outputs.terraform_version }}
	steps:
	- uses: actions/checkout@v3

	- id: metadata
	name: Get Metadata
	uses: ./.github/actions/get-metadata

	- id: cloc
	name: Get Lines of Code
	uses: ./.github/actions/cloc-repository

	formatting-checks:
	needs: [get-metadata]
	runs-on: ubuntu-latest
	name: Formatting Checks
	steps:
	- uses: actions/checkout@v3
	with:
	fetch-depth: 0

	- name: Check File Format
	uses: ./.github/actions/check-file-format

	- name: Check Markdown Format
	uses: ./.github/actions/check-markdown-format

	- name: Check Terraform Format
	uses: ./.github/actions/check-terraform-format

	security-scan:
	needs: [get-metadata]
	runs-on: ubuntu-latest
	name: Security Scanning
	steps:
	- uses: actions/checkout@v3
	with:
	fetch-depth: 0

	- name: Scan Dependencies
	uses: ./.github/actions/scan-dependencies

	- name: Scan Secrets
	uses: ./.github/actions/scan-secrets


	checkov:
	name: Checkov
	runs-on: ubuntu-latest
	needs: [formatting-checks, security-scan]

	steps:
	- uses: actions/checkout@v3

	- uses: actions/setup-python@v4
	with:
	python-version: '3.11'

	- name: Install Latest Checkov
	id: install-checkov
	run: pip install --user checkov

	- name: Run Checkov
	id: run-checkov
	run: checkov --directory . -o sarif -s --quiet

	- name: Upload SARIF File
	uses: github/codeql-action/upload-sarif@v2
	if: always() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
	with:
	sarif_file: results.sarif

	tflint:
	name: TFLint
	runs-on: ubuntu-latest
	needs: [formatting-checks, security-scan]

	steps:
	- uses: actions/checkout@v3

	- name: Setup TFLint Cache
	uses: actions/cache@v3
	with:
	path: ~/.tflint.d/plugins
	key: tflint-${{ hashFiles('.tflint.hcl') }}

	- name: Setup TFLint
	uses: terraform-linters/setup-tflint@v3
	with:
	tflint_version: v0.47.0

	- name: Init TFLint
	run: tflint --init
	env:
	GITHUB_TOKEN: ${{ github.token }}

	- name: Run TFLint
	run: tflint -f compact

	build-example-app:
	name: Build Example App
	runs-on: ubuntu-latest
	needs: [tflint, checkov]
	steps:
	- uses: actions/checkout@v3

	- name: Install asdf & tools
	uses: asdf-vm/actions/install@v2

	- name: Install Example Dependencies
	run: make example-install

	- name: Build Example App
	run: make example-build

	- name: Zip OpenNext Deployment Assets
	run: cd example/.open-next && zip -r ../../open-next.zip . -q

	- name: Store Build Artifacts
	uses: actions/upload-artifact@v3
	with:
	name: example-app-opennext-build
	path: open-next.zip

	deploy:
	name: Deploy Example App
	runs-on: ubuntu-latest
	needs: [build-example-app]
	if: success() && github.ref_name == 'main'
	concurrency: example-deploy
	environment:
	name: Example Application
	url: https://terraform-aws-opennext.tools.engineering.england.nhs.uk/

	steps:
	- uses: actions/checkout@v3

	- name: Install asdf & tools
	uses: asdf-vm/actions/install@v2

	- id: aws-credentials
	name: Setup AWS Credentials
	uses: aws-actions/configure-aws-credentials@v2
	with:
	role-to-assume: ${{ secrets.DEPLOYMENT_IAM_ROLE }}
	aws-region: eu-west-2

	- name: Get Current Identity
	run: aws sts get-caller-identity

	- name: Download Build Artifacts
	uses: actions/download-artifact@v3
	with:
	name: example-app-opennext-build

	- name: Unzip Build Artifacts to .open-next folder
	run: unzip -q -d example/.open-next open-next.zip

	- name: Run Terraform Init
	run: terraform -chdir=example/terraform init

	- name: Run Terraform Plan
	run: terraform -chdir=example/terraform plan -out example-app.tfplan

	- name: Store Terraform Plan Artifact
	uses: actions/upload-artifact@v3
	with:
	name: example-app-tfplan-output
	path: example/terraform/example-app.tfplan

	- name: Run Terraform Apply
	run: terraform -chdir=example/terraform apply example-app.tfplan

	- name: Get CloudFront Distribution ID
	id: get_distribution_id
	run: echo "distribution_id=$(terraform -chdir=example/terraform output -raw cloudfront_distribution_id)" >> "$GITHUB_OUTPUT"

	- name: Trigger CloudFront Cache Invalidation
	id: trigger_invalidation
	run: echo "invalidation_id=$(aws cloudfront create-invalidation --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --paths '/*' --output text --query Invalidation.Id)" >> "$GITHUB_OUTPUT"

	- name: Wait for Invalidation
	run: aws cloudfront wait invalidation-completed --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --id ${{ steps.trigger_invalidation.outputs.invalidation_id }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #6 from nicholas-c/feature/options-cloudfront-comp… #133

Workflow file

Merge pull request #6 from nicholas-c/feature/options-cloudfront-comp… #133

Jobs

Run details

Workflow file for this run