Terraform: scheduled baseline #639
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Terraform: scheduled baseline" | |
on: | |
schedule: | |
- cron: "30 22 * * 0" | |
push: | |
branches: | |
- main | |
paths: | |
- '.github/workflows/scheduled-baseline.yml' | |
- 'terraform/environments/bootstrap/**' | |
- 'terraform/modules/iam_baseline/**' | |
- 'scripts/update-sso-permission-sets.sh' | |
workflow_dispatch: | |
env: | |
TF_IN_AUTOMATION: true | |
AWS_REGION: "eu-west-2" | |
ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }} | |
permissions: | |
id-token: write # This is required for requesting the JWT | |
contents: read # This is required for actions/checkout | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
setup-prerequisites: | |
runs-on: ubuntu-latest | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set Account Number | |
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 | |
with: | |
terraform_version: "~1" | |
terraform_wrapper: false | |
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access | |
- id: set-matrix | |
name: Set Up Matrix | |
run: echo "matrix=$(terraform -chdir=terraform/environments/bootstrap/delegate-access workspace list | sed -e "s/*//" -e "s/^[[:space:]]*//" -e "/default/d" -e "/^$/d" | sort -u | jq -ncR '[inputs]')" >> $GITHUB_OUTPUT | |
delegate-access: | |
strategy: | |
fail-fast: false | |
matrix: | |
workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
runs-on: ubuntu-latest | |
needs: setup-prerequisites | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set Account Number | |
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 | |
with: | |
terraform_version: "~1" | |
terraform_wrapper: false | |
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access | |
- run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/delegate-access | |
- name: Persist terraform state to backend | |
if: ${{ failure() && hashFiles('terraform/environments/bootstrap/delegate-access/errored.tfstate') != '' }} | |
run: | | |
bash scripts/terraform-state-push.sh terraform/environments/bootstrap/delegate-access | |
if [ $? -eq 0 ]; then | |
echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV | |
fi | |
- name: Slack failure notification | |
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 | |
with: | |
payload: | | |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
if: ${{ failure() && !env.STATE_PUSH_SUCCESSFUL }} | |
env: | |
TF_WORKSPACE: ${{ matrix.workspaces }} | |
STATE_PUSH_SUCCESSFUL: false | |
secure-baselines: | |
strategy: | |
fail-fast: false | |
matrix: | |
workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
runs-on: ubuntu-latest | |
needs: [setup-prerequisites, delegate-access] | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set Account Number | |
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 | |
with: | |
terraform_version: "~1" | |
terraform_wrapper: false | |
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/secure-baselines | |
- run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/secure-baselines | |
- name: Persist terraform state to backend | |
if: ${{ failure() && hashFiles('terraform/environments/bootstrap/secure-baselines/errored.tfstate') != '' }} | |
run: | | |
bash scripts/terraform-state-push.sh terraform/environments/bootstrap/secure-baselines | |
if [ $? -eq 0 ]; then | |
echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV | |
fi | |
- name: Slack failure notification | |
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 | |
with: | |
payload: | | |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
if: ${{ failure() && !env.STATE_PUSH_SUCCESSFUL }} | |
env: | |
TF_WORKSPACE: ${{ matrix.workspaces }} | |
STATE_PUSH_SUCCESSFUL: false | |
single-sign-on: | |
strategy: | |
fail-fast: false | |
matrix: | |
workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
runs-on: ubuntu-latest | |
needs: [setup-prerequisites, delegate-access] | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set Account Number | |
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 | |
with: | |
terraform_version: "~1" | |
terraform_wrapper: false | |
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/single-sign-on | |
- run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/single-sign-on | |
- name: Persist terraform state to backend | |
if: ${{ failure() && hashFiles('terraform/environments/bootstrap/single-sign-on/errored.tfstate') != '' }} | |
run: | | |
bash scripts/terraform-state-push.sh terraform/environments/bootstrap/single-sign-on | |
if [ $? -eq 0 ]; then | |
echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV | |
fi | |
- name: Slack failure notification | |
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 | |
with: | |
payload: | | |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
if: ${{ failure() && !env.STATE_PUSH_SUCCESSFUL }} | |
env: | |
TF_WORKSPACE: ${{ matrix.workspaces }} | |
STATE_PUSH_SUCCESSFUL: false | |
member-bootstrap: | |
strategy: | |
fail-fast: false | |
matrix: | |
workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
runs-on: ubuntu-latest | |
needs: [setup-prerequisites, single-sign-on] | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set Account Number | |
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 | |
with: | |
terraform_version: "~1" | |
terraform_wrapper: false | |
- run: bash scripts/terraform-init.sh terraform/environments/bootstrap/member-bootstrap | |
- run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/member-bootstrap | |
- name: Persist terraform state to backend | |
if: ${{ failure() && hashFiles('terraform/environments/bootstrap/member-bootstrap/errored.tfstate') != '' }} | |
run: | | |
bash scripts/terraform-state-push.sh terraform/environments/bootstrap/member-bootstrap | |
if [ $? -eq 0 ]; then | |
echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV | |
fi | |
- name: Slack failure notification | |
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 | |
with: | |
payload: | | |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
if: ${{ failure() && !env.STATE_PUSH_SUCCESSFUL }} | |
env: | |
TF_WORKSPACE: ${{ matrix.workspaces }} | |
STATE_PUSH_SUCCESSFUL: false | |
update-permission-sets: | |
runs-on: ubuntu-latest | |
needs: [delegate-access,single-sign-on] | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Set Account Number | |
run: echo "ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV | |
- name: Set Root Account Number | |
run: echo "ROOT_ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" | |
role-session-name: githubactionsrolesession | |
aws-region: ${{ env.AWS_REGION }} | |
- name: Update permission sets | |
run: | | |
aws sts assume-role --role-arn "arn:aws:iam::${ROOT_ACCOUNT_NUMBER}:role/ModernisationPlatformSSOAdministrator" --role-session-name ssoadminrolesession > creds | |
$(echo "export AWS_ACCESS_KEY_ID=$(echo $(cat creds) | sed -n 's/.*"AccessKeyId": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SECRET_ACCESS_KEY=$(echo $(cat creds) | sed -n 's/.*"SecretAccessKey": "\([^"]*\)".*/\1/p')") | |
$(echo "export AWS_SESSION_TOKEN=$(echo $(cat creds) | sed -n 's/.*"SessionToken": "\([^"]*\)".*/\1/p')") | |
grep "ModernisationPlatformSSOAdministrator" <<< $(aws sts get-caller-identity) || { echo 'Failed to assume role' ; exit 1; } | |
bash scripts/update-sso-permission-sets.sh | |
- name: Slack failure notification | |
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0 | |
with: | |
payload: | | |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
if: ${{ failure() }} |