diff --git a/.github/workflows/nuke-redeploy.yml b/.github/workflows/nuke-redeploy.yml
index 7aa22e8eedd..53e61399b7c 100644
--- a/.github/workflows/nuke-redeploy.yml
+++ b/.github/workflows/nuke-redeploy.yml
@@ -1,5 +1,5 @@
----
 name: Redeploy after nuke
+
 on:
 push:
 branches:
@@ -21,6 +21,7 @@ env:
 AWS_REGION: "eu-west-2"
 ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
 NUKE_REDEPLOY_ACCOUNTS: ${{ secrets.MODERNISATION_PLATFORM_AUTONUKE_REBUILD }}
+ BACKEND_NUMBER: ${{ secrets.MODERNISATION_PLATFORM_ACCOUNT_ID }}
 TF_IN_AUTOMATION: true
 
 permissions: {}
@@ -37,6 +38,7 @@ jobs:
 steps:
 - id: set-matrix
 run: echo "matrix=$(jq -c '.|sort' <<< $NUKE_REDEPLOY_ACCOUNTS)" >> $GITHUB_OUTPUT
+
 redeploy-after-nuke:
 permissions:
 id-token: write # This is required for requesting the JWT
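Review bot: `BACKEND_NUMBER` is added to the workflow-level `env:` block, so the secret is materialised in every job of the workflow, including `set-matrix`, which never touches it; it follows the placement of the two existing secrets, but the value is only consumed by the `redeploy-after-nuke` job and could be scoped to that job's `env:` instead. The key name does not say what the number is for, which matters here because two different account ids (`ACCOUNT_NUMBER` for the target account, `BACKEND_NUMBER` for the state backend) now flow through the same steps; a comment above the key such as `# account that owns the terraform state backend (used for -backend-config assume_role)` would remove the ambiguity.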
@@ -51,32 +53,37 @@ jobs:
 steps:
 - name: Checkout Repository
 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
 - name: Set Account Number
 run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
+
 - name: configure aws credentials
 uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
 with:
 role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
 role-session-name: githubactionsrolesession
 aws-region: ${{ env.AWS_REGION }}
+
 - name: Load and Configure Terraform
 uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
 with:
 terraform_version: "~1"
 terraform_wrapper: false
+
 - name: Plan after nuke - ${{ matrix.nuke_accts }}
 run: |
 terraform --version
 echo "Terraform Plan - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name
- bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development}
+ bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/modernisation-account-terraform-state-member-access\"}"
 terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}"
 bash scripts/terraform-plan.sh terraform/environments/${ACCOUNT_NAME%-development}
+
 - name: Apply after nuke - ${{ matrix.nuke_accts }}
 if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }}
 run: |
 terraform --version
 echo "Terraform apply - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name
- bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development}
+ bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/modernisation-account-terraform-state-member-access\"}"
 terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}"
 bash scripts/terraform-apply.sh terraform/environments/${ACCOUNT_NAME%-development}
 env:
diff --git a/scripts/terraform-apply-after-nuke.sh b/scripts/terraform-apply-after-nuke.sh
index b466d25e239..64c89aa7ad9 100644
--- a/scripts/terraform-apply-after-nuke.sh
+++ b/scripts/terraform-apply-after-nuke.sh
@@ -14,6 +14,9 @@ nuke_account_ids_json=$(aws secretsmanager get-secret-value --secret-id nuke_acc
 declare -A account_ids
 eval "$(jq -r '.NUKE_ACCOUNT_IDS | to_entries | .[] |"account_ids[" + (.key | @sh) + "]=" + (.value | @sh)' <<<"$nuke_account_ids_json")"
 
+# Retrieve Modernisation Platform Account Id
+BACKEND_NUMBER=$(aws ssm get-parameters --region eu-west-2 --names "modernisation_platform_account_id" --with-decryption --query "Parameters[*].{Value:Value}" --output text)
+
 redeployed_envs=()
 skipped_envs=()
 failed_envs=()
@@ -22,7 +25,7 @@ for key in "${!account_ids[@]}"; do
 to_dir_name "$key"
 if [[ "$NUKE_DO_NOT_RECREATE_ENVIRONMENTS" != *"${dir_name}-development,"* ]]; then
 echo "BEGIN: terraform apply ${dir_name}-development"
- bash scripts/terraform-init.sh "terraform/environments/${dir_name}" || exit_code=$?
+ bash scripts/terraform-init.sh "terraform/environments/${dir_name}" "assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/modernisation-account-terraform-state-member-access\"}" || exit_code=$?
 terraform -chdir="terraform/environments/${dir_name}" workspace select "${dir_name}-development" || exit_code=$?
 bash scripts/terraform-apply.sh "terraform/environments/${dir_name}" || exit_code=$?
 if [[ $exit_code -ne 0 ]]; then
diff --git a/scripts/terraform-init.sh b/scripts/terraform-init.sh
index e707854f06f..b443ba0cbea 100755
--- a/scripts/terraform-init.sh
+++ b/scripts/terraform-init.sh
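Review bot: The two new `bash scripts/terraform-init.sh ...` lines in the Plan and Apply steps splice `${{ env.BACKEND_NUMBER }}` into the `run:` script text, while the same lines already read `ACCOUNT_NAME` as a shell variable; since `BACKEND_NUMBER` is in the workflow `env:` it is available to the shell as well, so the expression interpolation is unnecessary. Template interpolation into `run:` is the pattern GitHub flags for script injection — an org-controlled account id is low risk today, but keeping `run:` blocks free of `${{ }}` makes that property trivial to audit and matches how `scripts/terraform-apply-after-nuke.sh` builds the same argument in this commit. Proposed line for both steps: `bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/modernisation-account-terraform-state-member-access\"}"`. The Apply step's `env:` mapping at the end of the hunk continues outside the hunk.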
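Review bot: The new `BACKEND_NUMBER=$(aws ssm get-parameters ...)` line has no failure path: `get-parameters` with `--names` exits 0 when the name is unknown and merely lists it under `InvalidParameters`, so the variable would be empty and every environment in the loop below (the changed `terraform-init.sh` call in the next hunk) would be handed `arn:aws:iam:::role/...` as its backend role, failing with a confusing init error rather than a clear one. Whether `set -e` is active in this script is not visible in the hunk, and it would not help here either because the command succeeds. The singular form errors on a missing parameter, and a guard pins the empty case: `BACKEND_NUMBER=$(aws ssm get-parameter --region eu-west-2 --name "modernisation_platform_account_id" --with-decryption --query "Parameter.Value" --output text)` followed by `[[ -n "$BACKEND_NUMBER" && "$BACKEND_NUMBER" != "None" ]] || { echo "ERROR: could not read modernisation_platform_account_id from SSM" >&2; exit 1; }`. The comment above the line should also say the value is the account that owns the terraform state backend, since that is why it is fetched.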
@@ -2,13 +2,13 @@
 set -e
 
-# This script runs terraform init with input set to false and no color outputs, suitable for running as part of a CI/CD pipeline.
-# You need to pass through a Terraform directory as an argument, e.g.
-# sh terraform-init.sh terraform/environments
+# This script runs terraform init with input set to false, no color outputs, and backend-config, suitable for running as part of a CI/CD pipeline.
+# You need to pass through a Terraform directory and backend config as arguments, e.g.
+# sh terraform-init.sh terraform/environments "assume_role={role_arn=\"arn:aws:iam::123456789012:role/modernisation-account-terraform-state-member-access\"}"
 
-if [ -z "$1" ]; then
- echo "Unsure where to run terraform, exiting"
+if [ -z "$1" ] || [ -z "$2" ]; then
+ echo "Unsure where to run terraform, exiting. (Usage: terraform-init.sh )"
 exit 1
 else
- terraform -chdir="$1" init -input=false -no-color
+ terraform -chdir="$1" init -input=false -no-color -backend-config="$2"
 fi
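Review bot: The new usage message `(Usage: terraform-init.sh )` names no arguments (the placeholders may have been lost in rendering, but as shown the text is empty), and "Unsure where to run terraform" is misleading now that a missing backend config also triggers the branch; a caller who hits it learns nothing about which of the two arguments is absent. Spell both out and send it to stderr: `echo "Usage: $0 TERRAFORM_DIR BACKEND_CONFIG (both required)" >&2`. Making `$2` mandatory also turns this into a breaking change for any caller of `terraform-init.sh` that this commit does not update — only the nuke workflow and `terraform-apply-after-nuke.sh` are touched here — so if other callers exist, either update them in the same change or pass `-backend-config` only when `$2` is non-empty. The header comment should also state that the second argument is passed verbatim to `-backend-config`, so callers know it must be a single `key=value` string as in the example.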