Merge pull request #8612 from ministryofjustice/fix/slack-failure-not… #869
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Terraform: scheduled baseline" | |
| on: | |
| schedule: | |
| - cron: "30 22 * * 0" | |
| push: | |
| branches: | |
| - main | |
| paths: | |
| - '.github/workflows/scheduled-baseline.yml' | |
| - 'terraform/environments/bootstrap/**' | |
| - 'terraform/modules/iam_baseline/**' | |
| - '!**.md' | |
| - 'scripts/update-sso-permission-sets.sh' | |
| workflow_dispatch: | |
| env: | |
| TF_IN_AUTOMATION: true | |
| AWS_REGION: "eu-west-2" | |
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| defaults: | |
| run: | |
| shell: bash | |
| jobs: | |
| retrieve-secrets: | |
| uses: ./.github/workflows/secrets-retrieval.yml | |
| secrets: inherit | |
| setup-prerequisites: | |
| runs-on: ubuntu-latest | |
| needs: retrieve-secrets | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Decrypt Secrets | |
| uses: ./.github/actions/decrypt-secrets | |
| with: | |
| environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }} | |
| passphrase: ${{ secrets.PASSPHRASE }} | |
| - name: Set Account Number | |
| run: | | |
| ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
| echo "::add-mask::$ACCOUNT_NUMBER" | |
| echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole" | |
| role-session-name: githubactionsrolesession | |
| aws-region: ${{ env.AWS_REGION }} | |
| - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: "~1" | |
| terraform_wrapper: false | |
| - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access | |
| - id: set-matrix | |
| name: Set Up Matrix | |
| run: echo "matrix=$(terraform -chdir=terraform/environments/bootstrap/delegate-access workspace list | sed -e "s/*//" -e "s/^[[:space:]]*//" -e "/default/d" -e "/^$/d" | sort -u | jq -ncR '[inputs]')" >> $GITHUB_OUTPUT | |
| delegate-access: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
| runs-on: ubuntu-latest | |
| needs: [retrieve-secrets,setup-prerequisites] | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Decrypt Secrets | |
| uses: ./.github/actions/decrypt-secrets | |
| with: | |
| environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }} | |
| slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }} | |
| passphrase: ${{ secrets.PASSPHRASE }} | |
| - name: Set Account Number | |
| run: | | |
| ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
| echo "::add-mask::$ACCOUNT_NUMBER" | |
| echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/ModernisationPlatformGithubActionsRole" | |
| role-session-name: githubactionsrolesession | |
| aws-region: ${{ env.AWS_REGION }} | |
| - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: "~1" | |
| terraform_wrapper: false | |
| - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/delegate-access | |
| - run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/delegate-access | |
| - name: Persist terraform state to backend | |
| if: ${{ failure() && hashFiles('terraform/environments/bootstrap/delegate-access/errored.tfstate') != '' }} | |
| run: | | |
| bash scripts/terraform-state-push.sh terraform/environments/bootstrap/delegate-access | |
| if [ $? -eq 0 ]; then | |
| echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV | |
| fi | |
| - name: Slack failure notification | |
| uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 | |
| with: | |
| webhook-type: incoming-webhook | |
| payload: | | |
| {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} | |
| if: ${{ failure() }} | |
| env: | |
| TF_WORKSPACE: ${{ matrix.workspaces }} | |
| STATE_PUSH_SUCCESSFUL: false | |
| secure-baselines: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
| runs-on: ubuntu-latest | |
| needs: [retrieve-secrets,setup-prerequisites, delegate-access] | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Decrypt Secrets | |
| uses: ./.github/actions/decrypt-secrets | |
| with: | |
| environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }} | |
| slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }} | |
| passphrase: ${{ secrets.PASSPHRASE }} | |
| - name: Set Account Number | |
| run: | | |
| ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
| echo "::add-mask::$ACCOUNT_NUMBER" | |
| echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply" | |
| role-session-name: githubactionsrolesession | |
| aws-region: ${{ env.AWS_REGION }} | |
| - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: "~1" | |
| terraform_wrapper: false | |
| - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/secure-baselines | |
| - run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/secure-baselines | |
| - name: Persist terraform state to backend | |
| if: ${{ failure() && hashFiles('terraform/environments/bootstrap/secure-baselines/errored.tfstate') != '' }} | |
| run: | | |
| bash scripts/terraform-state-push.sh terraform/environments/bootstrap/secure-baselines | |
| if [ $? -eq 0 ]; then | |
| echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV | |
| fi | |
| - name: Slack failure notification | |
| uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 | |
| with: | |
| webhook-type: incoming-webhook | |
| payload: | | |
| {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} | |
| if: ${{ failure() }} | |
| env: | |
| TF_WORKSPACE: ${{ matrix.workspaces }} | |
| STATE_PUSH_SUCCESSFUL: false | |
| single-sign-on: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
| runs-on: ubuntu-latest | |
| needs: [retrieve-secrets,setup-prerequisites, delegate-access] | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Decrypt Secrets | |
| uses: ./.github/actions/decrypt-secrets | |
| with: | |
| environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }} | |
| slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }} | |
| passphrase: ${{ secrets.PASSPHRASE }} | |
| - name: Set Account Number | |
| run: | | |
| ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
| echo "::add-mask::$ACCOUNT_NUMBER" | |
| echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply" | |
| role-session-name: githubactionsrolesession | |
| aws-region: ${{ env.AWS_REGION }} | |
| - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: "~1" | |
| terraform_wrapper: false | |
| - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/single-sign-on | |
| - run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/single-sign-on | |
| - name: Persist terraform state to backend | |
| if: ${{ failure() && hashFiles('terraform/environments/bootstrap/single-sign-on/errored.tfstate') != '' }} | |
| run: | | |
| bash scripts/terraform-state-push.sh terraform/environments/bootstrap/single-sign-on | |
| if [ $? -eq 0 ]; then | |
| echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV | |
| fi | |
| - name: Slack failure notification | |
| uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 | |
| with: | |
| webhook-type: incoming-webhook | |
| payload: | | |
| {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} | |
| if: ${{ failure() }} | |
| env: | |
| TF_WORKSPACE: ${{ matrix.workspaces }} | |
| STATE_PUSH_SUCCESSFUL: false | |
| member-bootstrap: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| workspaces: ${{ fromJSON(needs.setup-prerequisites.outputs.matrix) }} | |
| runs-on: ubuntu-latest | |
| needs: [retrieve-secrets,setup-prerequisites, single-sign-on] | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Decrypt Secrets | |
| uses: ./.github/actions/decrypt-secrets | |
| with: | |
| environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }} | |
| slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }} | |
| passphrase: ${{ secrets.PASSPHRASE }} | |
| - name: Set Account Number | |
| run: | | |
| ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
| echo "::add-mask::$ACCOUNT_NUMBER" | |
| echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply" | |
| role-session-name: githubactionsrolesession | |
| aws-region: ${{ env.AWS_REGION }} | |
| - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 | |
| with: | |
| terraform_version: "~1" | |
| terraform_wrapper: false | |
| - run: bash scripts/terraform-init.sh terraform/environments/bootstrap/member-bootstrap | |
| - run: bash scripts/terraform-apply.sh terraform/environments/bootstrap/member-bootstrap | |
| - name: Persist terraform state to backend | |
| if: ${{ failure() && hashFiles('terraform/environments/bootstrap/member-bootstrap/errored.tfstate') != '' }} | |
| run: | | |
| bash scripts/terraform-state-push.sh terraform/environments/bootstrap/member-bootstrap | |
| if [ $? -eq 0 ]; then | |
| echo "STATE_PUSH_SUCCESSFUL=true" >> $GITHUB_ENV | |
| fi | |
| - name: Slack failure notification | |
| uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 | |
| with: | |
| webhook-type: incoming-webhook | |
| payload: | | |
| {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} | |
| if: ${{ failure() }} | |
| env: | |
| TF_WORKSPACE: ${{ matrix.workspaces }} | |
| STATE_PUSH_SUCCESSFUL: false | |
| update-permission-sets: | |
| runs-on: ubuntu-latest | |
| needs: [retrieve-secrets,delegate-access,single-sign-on] | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Decrypt Secrets | |
| uses: ./.github/actions/decrypt-secrets | |
| with: | |
| environment_management: ${{ needs.retrieve-secrets.outputs.environment_management }} | |
| slack_webhook_url: ${{ needs.retrieve-secrets.outputs.slack_webhook_url }} | |
| passphrase: ${{ secrets.PASSPHRASE }} | |
| - name: Set Account Number | |
| run: | | |
| ACCOUNT_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
| echo "::add-mask::$ACCOUNT_NUMBER" | |
| echo ACCOUNT_NUMBER=$ACCOUNT_NUMBER >> $GITHUB_ENV | |
| - name: Set Root Account Number | |
| run: | | |
| ROOT_ACCOUNT_NUMBER=$(jq -r -e '.aws_organizations_root_account_id' <<< $ENVIRONMENT_MANAGEMENT) | |
| echo "::add-mask::$ROOT_ACCOUNT_NUMBER" | |
| echo ROOT_ACCOUNT_NUMBER=$ROOT_ACCOUNT_NUMBER >> $GITHUB_ENV | |
| - name: Configure AWS Credentials | |
| uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
| with: | |
| role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions-apply" | |
| role-session-name: githubactionsrolesession | |
| aws-region: ${{ env.AWS_REGION }} | |
| - name: Update permission sets | |
| run: | | |
| aws sts assume-role --role-arn "arn:aws:iam::${ROOT_ACCOUNT_NUMBER}:role/ModernisationPlatformSSOAdministrator" --role-session-name ssoadminrolesession > creds | |
| $(echo "export AWS_ACCESS_KEY_ID=$(echo $(cat creds) | sed -n 's/.*"AccessKeyId": "\([^"]*\)".*/\1/p')") | |
| $(echo "export AWS_SECRET_ACCESS_KEY=$(echo $(cat creds) | sed -n 's/.*"SecretAccessKey": "\([^"]*\)".*/\1/p')") | |
| $(echo "export AWS_SESSION_TOKEN=$(echo $(cat creds) | sed -n 's/.*"SessionToken": "\([^"]*\)".*/\1/p')") | |
| grep "ModernisationPlatformSSOAdministrator" <<< $(aws sts get-caller-identity) || { echo 'Failed to assume role' ; exit 1; } | |
| bash scripts/update-sso-permission-sets.sh | |
| - name: Slack failure notification | |
| uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0 | |
| with: | |
| webhook-type: incoming-webhook | |
| payload: | | |
| {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]} | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ env.SLACK_WEBHOOK_URL }} | |
| if: ${{ failure() }} |