.github/workflows/workflow_destroy_pr_environment.yml

name: "[Workflow] Destroy PR Environment"

on:
  pull_request:
    branches:
      - main
    types:
      - closed

permissions:
  id-token: write
  contents: read
  security-events: none
  pull-requests: read
  actions: none
  checks: none
  deployments: none
  issues: none
  packages: none
  repository-projects: none
  statuses: none

defaults:
  run:
    shell: bash

jobs:
  fetch_s3_av_version:
    name: Fetch the S3 AV Zip version tag
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ssm-get-parameter
          role-duration-seconds: 900
          role-session-name: GithubActionsSSMGetParameter
      - name: Pull S3 AV Zip tag
        id: pull_s3_av_tag
        run: |
          key="/opg-s3-antivirus/zip-version-main"
          value=$(aws ssm get-parameter --name "$key" --query 'Parameter.Value' --output text 2>/dev/null || true)
          echo "Using $key: $value"
          echo "tag=${value}" >> $GITHUB_OUTPUT
    outputs:
      s3_av_scanner_zip_tag: ${{ steps.pull_s3_av_tag.outputs.tag }}

  generate_environment_workspace_name:
    runs-on: ubuntu-latest
    steps:
      - name: Generate workspace name
        id: name_workspace
        run: |
          workspace=${{ github.event.pull_request.number }}
          workspace=${workspace//-}
          workspace=${workspace//_}
          workspace=${workspace//\/}
          workspace=${workspace:0:11}
          workspace=$(echo ${workspace} | tr '[:upper:]' '[:lower:]')
          echo "name=${workspace}" >> $GITHUB_OUTPUT
          echo ${workspace}
    outputs:
          environment_workspace_name: ${{ steps.name_workspace.outputs.name }}

  cleanup_workspace:
    runs-on: ubuntu-latest
    needs: [ generate_environment_workspace_name, fetch_s3_av_version ]
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: get lambda function zips
        working-directory: ./terraform/environment/region/modules/s3_antivirus/
        run: |
          echo "Pulling AV lambda version: ${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}" >> $GITHUB_STEP_SUMMARY
          wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/lambda_layer-amd64.zip -O lambda_layer.zip
          wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/lambda_layer-amd64.zip.sha256sum -O lambda_layer.zip.sha256sum
          sha256sum -c "lambda_layer.zip.sha256sum"
          echo "Lambda Layer Zip SHA256 Hash: $(cat lambda_layer.zip.sha256sum)" >> $GITHUB_STEP_SUMMARY

          wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/myFunction-amd64.zip -O myFunction.zip
          wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/myFunction-amd64.zip.sha256sum -O myFunction.zip.sha256sum
          sha256sum -c "myFunction.zip.sha256sum"
          echo "Lambda Function Zip SHA256 Hash: $(cat myFunction.zip.sha256sum)" >> $GITHUB_STEP_SUMMARY

      - name: Configure AWS Credentials For Terraform
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
          aws-region: eu-west-1
          role-duration-seconds: 3600
          role-session-name: OPGModernisingLPATerraformGithubAction

      - uses: webfactory/ssh-agent@v0.9.0
        with:
          ssh-private-key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }}

      - name: Setup Workspace Manager
        run: |
          wget https://github.com/ministryofjustice/opg-terraform-workspace-manager/releases/download/v0.3.2/opg-terraform-workspace-manager_Linux_x86_64.tar.gz -O $HOME/terraform-workspace-manager.tar.gz
          sudo tar -xvf $HOME/terraform-workspace-manager.tar.gz -C /usr/local/bin
          sudo chmod +x /usr/local/bin/terraform-workspace-manager
          terraform-workspace-manager -register-workspace=${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }} -time-to-protect=1 -aws-account-id=653761790766 -aws-iam-role=modernising-lpa-ci

      - name: Parse terraform version
        id: tf_version_setup
        working-directory: ./terraform/environment
        run: |
          if [ -f ./versions.tf ]; then
            terraform_version=$(cat ./versions.tf | ../../scripts/terraform-version.sh)
            echo "- Terraform version: [${terraform_version}]" >> $GITHUB_STEP_SUMMARY
            echo "TERRAFORM_VERSION=${terraform_version}" >> $GITHUB_OUTPUT
          fi

      - name: "Terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]"
        run: echo "terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]"
        working-directory: ./terraform/environment
      - uses: hashicorp/setup-terraform@v3.1.2
        with:
          terraform_version: ${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}
          terraform_wrapper: false

      - name: Terraform Init
        run: terraform init -input=false
        working-directory: ./terraform/environment

      - name: Destroy PR environment and Terraform workspace
        working-directory: ./terraform/environment
        env:
          TF_VAR_pagerduty_api_key:  ${{ secrets.PAGERDUTY_API_KEY }}

        run: |
          terraform workspace select -or-create=true ${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}
          terraform destroy -auto-approve
          terraform workspace select default
          terraform workspace delete ${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}
      - name: Remove protection for environment workspace
        run: |
          terraform-workspace-manager -register-workspace=${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }} -time-to-protect=0 -aws-account-id=653761790766 -aws-iam-role=modernising-lpa-ci
      - name: Configure AWS Credentials For AWS CLI
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: arn:aws:iam::653761790766:role/modernising-lpa-github-actions-cloudwatch-log-group-delete
          aws-region: eu-west-1
          role-duration-seconds: 900
          role-session-name: OPGModernisingLPALogGroupDeleteGithubAction
      - name: Remove container insights log group
        run: |
          aws logs delete-log-group --log-group-name /aws/ecs/containerinsights/${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}/performance
      - name: Configure AWS Credentials For opensearch
        uses: aws-actions/configure-aws-credentials@v4.0.2
        with:
          role-to-assume: arn:aws:iam::653761790766:role/modernising-lpa-github-actions-opensearch-delete-index
          aws-region: eu-west-1
          role-duration-seconds: 900
          role-session-name: OPGModernisingOpensearchIndexDeleteGithubAction
      - name: Delete opensearch index lpas_v2_${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}
        run: |
            pip install awscurl==0.33
            response=$(awscurl \
              "${{ secrets.DEVELOPMENT_OPENSEARCH_COLLECTION_ENDPOINT }}/lpas_v2_${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}" \
              --request DELETE \
              --region eu-west-1 \
              --service aoss)
              if [[ $response == *'"acknowledged":true'* ]]; then
                echo "Request successful."
              elif [[ $response == *'"status":404'* ]]; then
                echo "Request successful but index not found."
              else
                exit 1
              fi