Skip to content

Terraform: scheduled baseline #639

Terraform: scheduled baseline

Terraform: scheduled baseline #639

name: "Terraform: scheduled baseline"
on:
schedule:
- cron: "30 22 * * 0"
push:
branches:
- main
paths:
- '.github/workflows/scheduled-baseline.yml'
- 'terraform/environments/bootstrap/**'
- 'terraform/modules/iam_baseline/**'
- 'scripts/update-sso-permission-sets.sh'
workflow_dispatch:
env:
TF_IN_AUTOMATION: true
AWS_REGION: "eu-west-2"
ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
defaults:
run:
shell: bash
jobs:
setup-prerequisites:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.set-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set Account Number
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole"
role-session-name: githubactionsrolesession
aws-region: ${{ env.AWS_REGION }}
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
with:
terraform_version: "~1"
terraform_wrapper: false
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access
- id: set-matrix
name: Set Up Matrix
run: echo "matrix=$(terraform -chdir=terraform/environments/bootstrap/delegate-access workspace list | sed -e "s/*//" -e "s/^[[:space:]]*//" -e "/default/d" -e "/^$/d" | sort -u | jq -ncR '[inputs]')" >> $GITHUB_OUTPUT
delegate-access:
strategy:
fail-fast: false
matrix:
workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }}
runs-on: ubuntu-latest
needs: setup-prerequisites
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set Account Number
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole"
role-session-name: githubactionsrolesession
aws-region: ${{ env.AWS_REGION }}
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
with:
terraform_version: "~1"
terraform_wrapper: false
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access
- run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/delegate-access
- name: Persist terraform state to backend
if: ${{ failure() && hashFiles('terraform/environments/bootstrap/delegate-access/errored.tfstate') != '' }}
run: |
bash scripts/terraform-state-push.sh terraform/environments/bootstrap/delegate-access
if [ $? -eq 0 ]; then
echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV
fi
- name: Slack failure notification
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
with:
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
if: ${{ failure() && !env.STATE_PUSH_SUCCESSFUL }}
env:
TF_WORKSPACE: ${{ matrix.workspaces }}
STATE_PUSH_SUCCESSFUL: false
secure-baselines:
strategy:
fail-fast: false
matrix:
workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }}
runs-on: ubuntu-latest
needs: [setup-prerequisites, delegate-access]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set Account Number
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
role-session-name: githubactionsrolesession
aws-region: ${{ env.AWS_REGION }}
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
with:
terraform_version: "~1"
terraform_wrapper: false
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/secure-baselines
- run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/secure-baselines
- name: Persist terraform state to backend
if: ${{ failure() && hashFiles('terraform/environments/bootstrap/secure-baselines/errored.tfstate') != '' }}
run: |
bash scripts/terraform-state-push.sh terraform/environments/bootstrap/secure-baselines
if [ $? -eq 0 ]; then
echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV
fi
- name: Slack failure notification
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
with:
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
if: ${{ failure() && !env.STATE_PUSH_SUCCESSFUL }}
env:
TF_WORKSPACE: ${{ matrix.workspaces }}
STATE_PUSH_SUCCESSFUL: false
single-sign-on:
strategy:
fail-fast: false
matrix:
workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }}
runs-on: ubuntu-latest
needs: [setup-prerequisites, delegate-access]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set Account Number
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
role-session-name: githubactionsrolesession
aws-region: ${{ env.AWS_REGION }}
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
with:
terraform_version: "~1"
terraform_wrapper: false
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/single-sign-on
- run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/single-sign-on
- name: Persist terraform state to backend
if: ${{ failure() && hashFiles('terraform/environments/bootstrap/single-sign-on/errored.tfstate') != '' }}
run: |
bash scripts/terraform-state-push.sh terraform/environments/bootstrap/single-sign-on
if [ $? -eq 0 ]; then
echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV
fi
- name: Slack failure notification
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
with:
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
if: ${{ failure() && !env.STATE_PUSH_SUCCESSFUL }}
env:
TF_WORKSPACE: ${{ matrix.workspaces }}
STATE_PUSH_SUCCESSFUL: false
member-bootstrap:
strategy:
fail-fast: false
matrix:
workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }}
runs-on: ubuntu-latest
needs: [setup-prerequisites, single-sign-on]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set Account Number
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
role-session-name: githubactionsrolesession
aws-region: ${{ env.AWS_REGION }}
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
with:
terraform_version: "~1"
terraform_wrapper: false
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/member-bootstrap
- run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/member-bootstrap
- name: Persist terraform state to backend
if: ${{ failure() && hashFiles('terraform/environments/bootstrap/member-bootstrap/errored.tfstate') != '' }}
run: |
bash scripts/terraform-state-push.sh terraform/environments/bootstrap/member-bootstrap
if [ $? -eq 0 ]; then
echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV
fi
- name: Slack failure notification
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
with:
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
if: ${{ failure() && !env.STATE_PUSH_SUCCESSFUL }}
env:
TF_WORKSPACE: ${{ matrix.workspaces }}
STATE_PUSH_SUCCESSFUL: false
update-permission-sets:
runs-on: ubuntu-latest
needs: [delegate-access,single-sign-on]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set Account Number
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
- name: Set Root Account Number
run: echo "ROOT_ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
role-session-name: githubactionsrolesession
aws-region: ${{ env.AWS_REGION }}
- name: Update permission sets
run: |
aws sts assume-role --role-arn "arn:aws:iam::${ROOT_ACCOUNT_NUMBER}:role/ModernisationPlatformSSOAdministrator" --role-session-name ssoadminrolesession > creds
$(echo "export AWS_ACCESS_KEY_ID=$(echo $(cat creds) | sed -n 's/.*"AccessKeyId": "\([^"]*\)".*/\1/p')")
$(echo "export AWS_SECRET_ACCESS_KEY=$(echo $(cat creds) | sed -n 's/.*"SecretAccessKey": "\([^"]*\)".*/\1/p')")
$(echo "export AWS_SESSION_TOKEN=$(echo $(cat creds) | sed -n 's/.*"SessionToken": "\([^"]*\)".*/\1/p')")
grep "ModernisationPlatformSSOAdministrator" <<< $(aws sts get-caller-identity) || { echo 'Failed to assume role' ; exit 1; }
bash scripts/update-sso-permission-sets.sh
- name: Slack failure notification
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
with:
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
if: ${{ failure() }}