Skip to content

Bump Terraform Provider versions (#13) #165

Bump Terraform Provider versions (#13)

Bump Terraform Provider versions (#13) #165

name: CI/CD Pipeline
permissions:
contents: read
security-events: write
id-token: write
actions: write
on:
push:
pull_request:
branches:
- main
types: [opened, synchronize, reopened]
jobs:
get-metadata:
name: "Get Metadata"
runs-on: ubuntu-latest
outputs:
build_datetime: ${{ steps.metadata.outputs.build_datetime }}
build_timestamp: ${{ steps.metadata.outputs.build_timestamp }}
build_epoch: ${{ steps.metadata.outputs.build_epoch }}
terraform_version: ${{ steps.metadata.outputs.terraform_version }}
steps:
- uses: actions/checkout@v3
- id: metadata
name: Get Metadata
uses: ./.github/actions/get-metadata
- id: cloc
name: Get Lines of Code
uses: ./.github/actions/cloc-repository
formatting-checks:
needs: [get-metadata]
runs-on: ubuntu-latest
name: Formatting Checks
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Check File Format
uses: ./.github/actions/check-file-format
- name: Check Markdown Format
uses: ./.github/actions/check-markdown-format
- name: Check Terraform Format
uses: ./.github/actions/check-terraform-format
security-scan:
needs: [get-metadata]
runs-on: ubuntu-latest
name: Security Scanning
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Scan Dependencies
uses: ./.github/actions/scan-dependencies
- name: Scan Secrets
uses: ./.github/actions/scan-secrets
checkov:
name: Checkov
runs-on: ubuntu-latest
needs: [formatting-checks, security-scan]
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install Latest Checkov
id: install-checkov
run: pip install --user checkov
- name: Run Checkov
id: run-checkov
run: checkov --directory . -o sarif -s --quiet
- name: Upload SARIF File
uses: github/codeql-action/upload-sarif@v2
if: always() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
with:
sarif_file: results.sarif
tflint:
name: TFLint
runs-on: ubuntu-latest
needs: [formatting-checks, security-scan]
steps:
- uses: actions/checkout@v3
- name: Setup TFLint Cache
uses: actions/cache@v3
with:
path: ~/.tflint.d/plugins
key: tflint-${{ hashFiles('.tflint.hcl') }}
- name: Setup TFLint
uses: terraform-linters/setup-tflint@v3
with:
tflint_version: v0.47.0
- name: Init TFLint
run: tflint --init
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Run TFLint
run: tflint -f compact
build-example-app:
name: Build Example App
runs-on: ubuntu-latest
needs: [tflint, checkov]
steps:
- uses: actions/checkout@v3
- name: Install asdf & tools
uses: asdf-vm/actions/install@v2
- name: Install Example Dependencies
run: make example-install
- name: Build Example App
run: make example-build
- name: Zip OpenNext Deployment Assets
run: cd example/.open-next && zip -r ../../open-next.zip . -q
- name: Store Build Artifacts
uses: actions/upload-artifact@v3
with:
name: example-app-opennext-build
path: open-next.zip
deploy:
name: Deploy Example App
runs-on: ubuntu-latest
needs: [build-example-app]
if: success() && github.ref_name == 'main'
concurrency: example-deploy
environment:
name: Example Application
url: https://terraform-aws-opennext.tools.engineering.england.nhs.uk/
steps:
- uses: actions/checkout@v3
- name: Install asdf & tools
uses: asdf-vm/actions/install@v2
- id: aws-credentials
name: Setup AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.DEPLOYMENT_IAM_ROLE }}
aws-region: eu-west-2
- name: Get Current Identity
run: aws sts get-caller-identity
- name: Download Build Artifacts
uses: actions/download-artifact@v3
with:
name: example-app-opennext-build
- name: Unzip Build Artifacts to .open-next folder
run: unzip -q -d example/.open-next open-next.zip
- name: Run Terraform Init
run: terraform -chdir=example/terraform init
- name: Run Terraform Plan
run: terraform -chdir=example/terraform plan -out example-app.tfplan
- name: Store Terraform Plan Artifact
uses: actions/upload-artifact@v3
with:
name: example-app-tfplan-output
path: example/terraform/example-app.tfplan
- name: Run Terraform Apply
run: terraform -chdir=example/terraform apply example-app.tfplan
- name: Get CloudFront Distribution ID
id: get_distribution_id
run: echo "distribution_id=$(terraform -chdir=example/terraform output -raw cloudfront_distribution_id)" >> "$GITHUB_OUTPUT"
- name: Trigger CloudFront Cache Invalidation
id: trigger_invalidation
run: echo "invalidation_id=$(aws cloudfront create-invalidation --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --paths '/*' --output text --query Invalidation.Id)" >> "$GITHUB_OUTPUT"
- name: Wait for Invalidation
run: aws cloudfront wait invalidation-completed --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --id ${{ steps.trigger_invalidation.outputs.invalidation_id }}