[NRL-793] Complete update-lambda-permissions workflow and pull-lambda-code-for-stack.sh script

mattdean3-nhs · mattdean3-nhs · commit f27eeaa80d1f · 2024-09-17T12:34:19.000+01:00
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
@@ -26,7 +26,7 @@ permissions:
 
 jobs:
   build-permissions:
-    name: Building permissions package for ${{ inputs.environment }}
+    name: Build permissions for ${{ inputs.environment }}
     runs-on: [self-hosted, ci]
     environment: ${{ inputs.environment }}
 
@@ -73,35 +73,140 @@ jobs:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
 
-  apply-permissions:
-    name: Applying permissions to ${{ inputs.environment }}
+  pull-deployed-lambdas:
+    name: Pull deployed lambdas for ${{ inputs.environment }}
     runs-on: [self-hosted, ci]
     environment: ${{ inputs.environment }}
 
-    needs: build-permissions
+    steps:
+      - name: Git clone - ${{ github.ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
+
+      - name: Configure Account Role
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-chaining: true
+          role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }}
+          role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }}
+
+      - name: Pull deployed lambda artifacts
+        run: |
+          account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)
+          ./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }}
+
+      - name: Save lambda artifacts in cache
+        uses: actions/cache/save@v4
+        with:
+          key: ${{ github.run_id }}-pulled-lambda-artifacts
+          path: dist/*.zip
+
+  terraform-plan:
+    name: Plan changes to ${{ inputs.environment }}
+    runs-on: [self-hosted, ci]
+    environment: ${{ inputs.environment }}
+
+    needs: [build-permissions, pull-deployed-lambdas]
 
     steps:
       - name: Git clone - ${{ github.ref }}
         uses: actions/checkout@v4
         with:
           ref: ${{ github.ref }}
 
+      - name: Restore pulled lambda artifacts
+        uses: actions/cache/restore@v4
+        with:
+          key: ${{ github.run_id }}-pulled-lambda-artifacts
+          path: ./dist
+          fail-on-cache-miss: true
+
       - name: Restore NRLF permissions cache
         uses: actions/cache/restore@v4
         with:
           key: ${{ github.run_id }}-nrlf-permissions
           path: dist/nrlf_permissions.zip
           fail-on-cache-miss: true
 
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
+
       - name: Terraform Init
         run: |
           terraform -chdir=terraform/infrastructure init
           terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
               terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
 
-      - name: Terraform Apply
+      - name: Terraform Plan
         run: |
-          terraform -chdir=terraform/infrastructure apply -auto-approve \
+          terraform -chdir=terraform/infrastructure plan \
               --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \
               --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \
               --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \
+              --out tfplan
+
+      - name: Save Terraform Plan
+        run: |
+          terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt
+          aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan
+          aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt
+
+  terraform-apply:
+    name: Apply permissions to ${{ inputs.environment }}
+    runs-on: [self-hosted, ci]
+    environment: ${{ inputs.environment }}
+
+    needs: terraform-plan
+
+    steps:
+      - name: Git clone - ${{ github.ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.ref }}
+
+      - name: Restore pulled lambda artifacts
+        uses: actions/cache/restore@v4
+        with:
+          key: ${{ github.run_id }}-pulled-lambda-artifacts
+          path: ./dist
+          fail-on-cache-miss: true
+
+      - name: Restore NRLF permissions cache
+        uses: actions/cache/restore@v4
+        with:
+          key: ${{ github.run_id }}-nrlf-permissions
+          path: dist/nrlf_permissions.zip
+          fail-on-cache-miss: true
+
+      - name: Configure Management Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.MGMT_ROLE_ARN }}
+          role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }}
+
+      - name: Download Terraform Plan artifact
+        run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan
+
+      - name: Terraform Init
+        run: |
+          terraform -chdir=terraform/infrastructure init
+          terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \
+              terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }}
+
+      - name: Terraform Apply
+        run: |
+          terraform -chdir=terraform/infrastructure apply tfplan
diff --git a/scripts/pull-lambda-code-for-stack.sh b/scripts/pull-lambda-code-for-stack.sh
@@ -9,40 +9,57 @@ stack_name="$1"
 function pull_lambda_code(){
     local api_name="$1"
     local endpoint_name="$2"
-    local lambda_name="nhds-nrlf--${stack_name}--API-${api_name}--${endpoint_name}"
+    local lambda_name="nhsd-nrlf--${stack_name}--api--${api_name}--${endpoint_name}"
 
-    echo "Downloading code for lambda ${lambda_name}...."
+    echo -n "- Downloading code for lambda ${lambda_name}.... "
     code_url="$(aws lambda get-function  --function-name ${lambda_name} | jq -r .Code.Location)"
-    curl "${code_url}" > "${DIST_DIR}/${api_name}-${endpoint_name}.zip"
+    curl "${code_url}" 2>/dev/null > "${DIST_DIR}/${api_name}-${endpoint_name}.zip"
+    echo "✅"
 }
 
 function pull_layer_code(){
     local name="$1"
-    local layer_name="nhds-nrlf--${stack_name}--${name}"
+    local layer_name="nhsd-nrlf--${stack_name}--${name}"
     local layer_version="$(aws lambda list-layer-versions --layer-name ${layer_name} | jq -r '.LayerVersions[0].Version')"
-    local layer_pkg_name="$(echo ${layer_name} | tr '-' '_').zip"
+    local layer_pkg_name="$(echo ${name} | tr '-' '_').zip"
 
-    echo "Downloading code for layer ${layer_name} version ${layer_version}...."
+    echo -n "- Downloading code for layer ${layer_name} version ${layer_version}...."
     code_url="$(aws lambda get-layer-version --layer-name ${layer_name} --version-number ${layer_version} | jq -r .Content.Location)"
-    curl "${code_url}" > "${DIST_DIR}/${layer_pkg_name}"
+    curl "${code_url}" 2>/dev/null > "${DIST_DIR}/${layer_pkg_name}"
+    echo "✅"
 }
 
 mkdir -p "${DIST_DIR}"
 
+echo
 echo "Pulling code for consumer API lambdas...."
 for endpoint_name in $(ls api/consumer)
 do
+    if [ ! -d "api/consumer/${endpoint_name}" ]; then
+        continue
+    fi
+
     pull_lambda_code "consumer" "${endpoint_name}"
 done
 
+echo
 echo "Pulling code for producer API lambdas...."
 for endpoint_name in $(ls api/producer)
 do
+    if [ ! -d "api/producer/${endpoint_name}" ]; then
+        continue
+    fi
+
     pull_lambda_code "producer" "${endpoint_name}"
 done
 
+echo
 echo "Pulling code for layers...."
 for layer_name in nrlf dependency-layer nrlf-permissions
 do
     pull_layer_code "${layer_name}"
 done
+
+echo
+echo "✅ Done. Code is in ${DIST_DIR}"
+echo
