JASPER-223: Deploy JASPER application to Test (#102)

* - Refactor build/publish infra GHA to simplify logic for building, scanning and deploying infra resources - Updated initial stack to be part of the main stack file to preserve single state file - Added db subnet group for rds - Updated openshift jobs to allow to target different environment * - Deleted unused github action files - Added logic to set default env variable when GHA is triggered by pull request * Set default value for working dir * More cleanup of unused folders * Limit the Court File Search and Case Details endpoint to Provincial files only * Added detailed comments about the CourtLevel updates --------- Co-authored-by: Ronaldo Macapobre <[email protected]>
bcgov · Dec 17, 2024 · 837f39e · 837f39e
1 parent c2cf592
commit 837f39e
Show file tree

Hide file tree

Showing 41 changed files with 806 additions and 652 deletions.
diff --git a/.github/workflows/aws-bootstrap-template.yml b/.github/workflows/aws-bootstrap-template.yml
diff --git a/.github/workflows/aws-template-terraform.yml b/.github/workflows/aws-template-terraform.yml
diff --git a/.github/workflows/build-infra.yml b/.github/workflows/build-infra.yml
@@ -21,23 +21,89 @@ on:
           - test
           - prod
 
-jobs:
-  build-initial:
-    uses: ./.github/workflows/aws-template-terraform.yml
-    with:
-      CONTEXT_FOLDER: "./infrastructure/cloud/environments/initial"
-      CHANGE_FOLDER_NAME: environments/${{ inputs.environment || 'dev' }}
-      ENVIRONMENT_NAME: ${{ inputs.environment || 'dev' }}
-      APPLY_TF_CODE: false
-    secrets: inherit
+env:
+  WORKING_DIRECTORY: "./infrastructure/cloud/environments/${{ inputs.environment }}"
 
+jobs:
   build:
-    needs: [build-initial]
-    uses: ./.github/workflows/aws-template-terraform.yml
-    with:
-      CONTEXT_FOLDER: "./infrastructure/cloud/environments/${{ inputs.environment || 'dev' }}"
-      CHANGE_FOLDER_NAME: environments/${{ inputs.environment || 'dev' }}
-      ENVIRONMENT_NAME: ${{ inputs.environment || 'dev' }}
-      APPLY_TF_CODE: false
-    secrets: inherit
-
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ inputs.environment || 'dev' }}
+    env:
+      TF_VAR_app_name: ${{ vars.APP_NAME }}
+      TF_VAR_environment: ${{ vars.ENVIRONMENT_NAME }}
+      TF_VAR_kms_key_name: ${{ vars.KMS_KEY_NAME }}
+      TF_VAR_vpc_id: ${{ vars.VPC_ID }}
+      TF_VAR_lambda_memory_size: ${{ vars.LAMBDA_MEMORY_SIZE }}
+    permissions:
+      id-token: write
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Determine environment
+        id: determine-environment
+        run: |
+          if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
+            echo "environment=${{ github.event.inputs.environment }}" >> $GITHUB_ENV
+          else
+            echo "environment=dev" >> $GITHUB_ENV
+            echo "WORKING_DIRECTORY=${{ env.WORKING_DIRECTORY }}/dev" >> $GITHUB_ENV
+          fi
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: tfsec
+        uses: aquasecurity/[email protected]
+        with:
+          sarif_file: tfsec.sarif
+          working_directory: ${{ env.WORKING_DIRECTORY }}
+          tfsec_args: "--tfvars-file=${{ env.WORKING_DIRECTORY }}/${{ env.environment }}.tfvars"
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: tfsec.sarif
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-skip-session-tagging: true
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: ${{ vars.AWS_ROLE_ARN }}
+          role-duration-seconds: 1800
+          role-session-name: ci-deployment
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.9.0
+
+      - name: Terraform Init
+        id: init
+        run: |
+          terraform init -input=false -backend-config=backend.tfvars -var-file=${{ env.environment }}.tfvars
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+      - name: Terraform Plan (Initial Stack)
+        id: plan-initial
+        run: |
+          terraform plan -target=module.initial -no-color -input=false -var-file=${{ env.environment }}.tfvars
+        continue-on-error: true
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+      - name: Terraform Plan (Initial) Status
+        if: steps.plan-initial.outcome == 'failure'
+        run: exit 1
+
+      - name: Terraform Plan (Main Stack)
+        id: plan-main
+        run: |
+          terraform plan -no-color -input=false -var-file=${{ env.environment }}.tfvars
+        continue-on-error: true
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+      - name: Terraform Plan (Main) Status
+        if: steps.plan-main.outcome == 'failure'
+        run: exit 1
diff --git a/.github/workflows/deploy-infra-sandbox.yml b/.github/workflows/deploy-infra-sandbox.yml