From 5ad2eb8682cf4b9eaf42ec378099b43bcdf6d190 Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Thu, 18 Apr 2024 15:11:52 +0100 Subject: [PATCH 1/6] Terraform init assume backend role --- .github/workflows/nuke-redeploy.yml | 17 +++++++++++++---- scripts/terraform-init.sh | 12 ++++++------ 2 files changed, 19 insertions(+), 10 deletions(-) diff --git a/.github/workflows/nuke-redeploy.yml b/.github/workflows/nuke-redeploy.yml index 7aa22e8eedd..ae109468506 100644 --- a/.github/workflows/nuke-redeploy.yml +++ b/.github/workflows/nuke-redeploy.yml @@ -1,4 +1,3 @@ ---- name: Redeploy after nuke on: push: @@ -13,7 +12,6 @@ on: paths: - '.github/workflows/nuke-redeploy.yml' schedule: - # * is a special character in YAML so you have to quote this string # trigger every sunday at 12:00am - cron: '0 12 * * 0' workflow_dispatch: @@ -37,6 +35,7 @@ jobs: steps: - id: set-matrix run: echo "matrix=$(jq -c '.|sort' <<< $NUKE_REDEPLOY_ACCOUNTS)" >> $GITHUB_OUTPUT + redeploy-after-nuke: permissions: id-token: write # This is required for requesting the JWT 
@@ -51,32 +50,42 @@ jobs: steps: - name: Checkout Repository uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 + - name: Set Account Number run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV + + - name: Get Backend AWS Account Number + run: | + BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) + echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV + - name: configure aws credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" role-session-name: githubactionsrolesession aws-region: ${{ env.AWS_REGION }} + - name: Load and Configure Terraform uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0 with: terraform_version: "~1" terraform_wrapper: false + - name: Plan after nuke - ${{ matrix.nuke_accts }} run: | terraform --version echo "Terraform Plan - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name - bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} + bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/github-actions\"}" terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}" bash scripts/terraform-plan.sh terraform/environments/${ACCOUNT_NAME%-development} + - name: Apply after nuke - ${{ matrix.nuke_accts }} if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }} run: | terraform --version echo "Terraform apply - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name - bash scripts/terraform-init.sh 
terraform/environments/${ACCOUNT_NAME%-development} + bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/github-actions\"}" terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}" bash scripts/terraform-apply.sh terraform/environments/${ACCOUNT_NAME%-development} env: diff --git a/scripts/terraform-init.sh b/scripts/terraform-init.sh index e707854f06f..55ec5067055 100755 --- a/scripts/terraform-init.sh +++ b/scripts/terraform-init.sh @@ -2,13 +2,13 @@ set -e -# This script runs terraform init with input set to false and no color outputs, suitable for running as part of a CI/CD pipeline. -# You need to pass through a Terraform directory as an argument, e.g. -# sh terraform-init.sh terraform/environments +# This script runs terraform init with input set to false, no color outputs, and backend-config, suitable for running as part of a CI/CD pipeline. +# You need to pass through a Terraform directory and backend config as arguments, e.g. +# sh terraform-init.sh terraform/environments "assume_role={role_arn=\"arn:aws:iam::123456789012:role/github-actions\"}" -if [ -z "$1" ]; then - echo "Unsure where to run terraform, exiting" +if [ -z "$1" ] || [ -z "$2" ]; then + echo "Unsure where to run terraform, exiting. (Usage: terraform-init.sh )" exit 1 else - terraform -chdir="$1" init -input=false -no-color + terraform -chdir="$1" init -input=false -no-color -backend-config="$2" fi From 9d35285655f3ce07eb9444cc88689b0c3038d3ad Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Thu, 18 Apr 2024 16:39:39 +0100 Subject: [PATCH 2/6] update apply after nuke script --- .github/workflows/nuke-redeploy.yml | 4 ++-- scripts/terraform-apply-after-nuke.sh | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/nuke-redeploy.yml b/.github/workflows/nuke-redeploy.yml index ae109468506..20feee1efea 100644 
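Review bot: Both new `bash scripts/terraform-init.sh …` lines in the Plan and Apply steps splice `${{ env.BACKEND_NUMBER }}` into the `run:` script, although the preceding "Get Backend AWS Account Number" step already exports BACKEND_NUMBER via `$GITHUB_ENV`, so the shell can read it as `${BACKEND_NUMBER}` exactly as these lines already read ACCOUNT_NAME. Expression expansion happens before the shell parses the script and is not quote-aware, so the shell-variable form is the one GitHub's hardening guidance recommends for anything placed inside `run:`; the line becomes `bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/github-actions\"}"`. The same splice survives the rewrites of these two lines in patches 2/6 and 5/6, and patch 3/6 moves BACKEND_NUMBER to the workflow-level `env:` block, which still exports it to the shell, so the change applies there too. The job header and the Apply step's `env:` block lie outside the hunk.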
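Review bot: The new usage message `echo "Unsure where to run terraform, exiting. (Usage: terraform-init.sh )"` names no arguments, so an operator who hits it learns nothing about the second parameter this hunk makes mandatory; if angle-bracket placeholders were lost in rendering this is moot, otherwise spell them out, e.g. `(Usage: terraform-init.sh TF_DIR BACKEND_CONFIG)`. Requiring `$2` also changes the script's contract: any other caller that still passes only the directory (none is visible in this series) now exits 1 before init runs. If the assume-role backend config is not meant to be universal, the argument can stay optional with a POSIX-safe expansion, `terraform -chdir="$1" init -input=false -no-color ${2:+-backend-config="$2"}`, keeping only the `$1` check; if it is meant to be mandatory, keep the check and just fix the message. The header comment still says `sh terraform-init.sh` while the callers in this series invoke it with `bash`; the shebang line is outside the hunk.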
--- a/.github/workflows/nuke-redeploy.yml +++ b/.github/workflows/nuke-redeploy.yml @@ -76,7 +76,7 @@ jobs: run: | terraform --version echo "Terraform Plan - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name - bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/github-actions\"}" + bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/role/modernisation-account-terraform-state-member-access\"}" terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}" bash scripts/terraform-plan.sh terraform/environments/${ACCOUNT_NAME%-development} @@ -85,7 +85,7 @@ jobs: run: | terraform --version echo "Terraform apply - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name - bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/github-actions\"}" + bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/role/modernisation-account-terraform-state-member-access\"}" terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}" bash scripts/terraform-apply.sh terraform/environments/${ACCOUNT_NAME%-development} env: diff --git a/scripts/terraform-apply-after-nuke.sh b/scripts/terraform-apply-after-nuke.sh index b466d25e239..fbc2c5c0cc1 100644 --- a/scripts/terraform-apply-after-nuke.sh +++ b/scripts/terraform-apply-after-nuke.sh 
@@ -14,6 +14,10 @@ nuke_account_ids_json=$(aws secretsmanager get-secret-value --secret-id nuke_acc declare -A account_ids eval "$(jq -r '.NUKE_ACCOUNT_IDS | to_entries | .[] |"account_ids[" + (.key | @sh) + "]=" + (.value | @sh)' <<<"$nuke_account_ids_json")" +# Retrieve Modernisation Platform Account Id +BACKEND_NUMBER=$(aws ssm get-parameters --region eu-west-2 --names "modernisation_platform_account_id" --with-decryption --query "Parameters[*].{Value:Value}" --output text) +echo "Modernisation Platform Account Id: $BACKEND_NUMBER" + redeployed_envs=() skipped_envs=() failed_envs=() @@ -22,7 +26,7 @@ for key in "${!account_ids[@]}"; do to_dir_name "$key" if [[ "$NUKE_DO_NOT_RECREATE_ENVIRONMENTS" != *"${dir_name}-development,"* ]]; then echo "BEGIN: terraform apply ${dir_name}-development" - bash scripts/terraform-init.sh "terraform/environments/${dir_name}" || exit_code=$? + bash scripts/terraform-init.sh "terraform/environments/${dir_name}" "assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/modernisation-account-terraform-state-member-access\"}" || exit_code=$? terraform -chdir="terraform/environments/${dir_name}" workspace select "${dir_name}-development" || exit_code=$? bash scripts/terraform-apply.sh "terraform/environments/${dir_name}" || exit_code=$? if [[ $exit_code -ne 0 ]]; then From 5dedec1c28f4286369b13b5b2fd6e70f2bfd1539 Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Thu, 18 Apr 2024 16:56:43 +0100 Subject: [PATCH 3/6] lookup account number from github secret --- .github/workflows/nuke-redeploy.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/nuke-redeploy.yml b/.github/workflows/nuke-redeploy.yml index 20feee1efea..cc4d353a7b4 100644 --- a/.github/workflows/nuke-redeploy.yml +++ b/.github/workflows/nuke-redeploy.yml @@ -1,4 +1,5 @@ name: Redeploy after nuke + on: push: branches: 
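Review bot: The new `BACKEND_NUMBER=$(aws ssm get-parameters …)` line cannot fail on a missing or inaccessible parameter: `get-parameters` reports an unknown name under `InvalidParameters` and exits 0 with an empty result, so BACKEND_NUMBER would be empty and every init call in the `@@ -22,7` hunk below would try to assume `arn:aws:iam:::role/modernisation-account-terraform-state-member-access`, failing only later inside terraform for each environment. The singular `aws ssm get-parameter --region eu-west-2 --name modernisation_platform_account_id --with-decryption --query Parameter.Value --output text` exits non-zero on ParameterNotFound, and a guard such as `[ -n "$BACKEND_NUMBER" ] || { echo "modernisation_platform_account_id not found in SSM" >&2; exit 1; }` makes the failure explicit before the redeploy loop starts. Whether the script runs under `set -e` is not visible here (the `|| exit_code=$?` pattern suggests it does not), so the explicit guard is the safer choice either way. The surrounding loop and the script header are outside the hunk.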
@@ -12,6 +13,7 @@ on: paths: - '.github/workflows/nuke-redeploy.yml' schedule: + # * is a special character in YAML so you have to quote this string # trigger every sunday at 12:00am - cron: '0 12 * * 0' workflow_dispatch: @@ -19,6 +21,7 @@ env: AWS_REGION: "eu-west-2" ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }} NUKE_REDEPLOY_ACCOUNTS: ${{ secrets.MODERNISATION_PLATFORM_AUTONUKE_REBUILD }} + BACKEND_NUMBER: ${{ secrets.MODERNISATION_PLATFORM_ACCOUNT_ID }} TF_IN_AUTOMATION: true permissions: {} @@ -54,11 +57,6 @@ jobs: - name: Set Account Number run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV - - name: Get Backend AWS Account Number - run: | - BACKEND_NUMBER=$(jq -r -e '.modernisation_platform_account_id' <<< $ENVIRONMENT_MANAGEMENT) - echo "BACKEND_NUMBER=${BACKEND_NUMBER}" >> $GITHUB_ENV - - name: configure aws credentials uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 with: From a1f1acc8490dda71eda600dbef44c642be71f343 Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Thu, 18 Apr 2024 17:00:55 +0100 Subject: [PATCH 4/6] update example text --- scripts/terraform-init.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/terraform-init.sh b/scripts/terraform-init.sh index 55ec5067055..b443ba0cbea 100755 --- a/scripts/terraform-init.sh +++ b/scripts/terraform-init.sh 
@@ -4,7 +4,7 @@ set -e # This script runs terraform init with input set to false, no color outputs, and backend-config, suitable for running as part of a CI/CD pipeline. # You need to pass through a Terraform directory and backend config as arguments, e.g. -# sh terraform-init.sh terraform/environments "assume_role={role_arn=\"arn:aws:iam::123456789012:role/github-actions\"}" +# sh terraform-init.sh terraform/environments "assume_role={role_arn=\"arn:aws:iam::123456789012:role/modernisation-account-terraform-state-member-access\"}" if [ -z "$1" ] || [ -z "$2" ]; then echo "Unsure where to run terraform, exiting. (Usage: terraform-init.sh )" From c3ccb520293e1487af4a3a8bc6f0f842c022a943 Mon Sep 17 00:00:00 2001 From: Aaron Robinson Date: Fri, 19 Apr 2024 08:25:36 +0100 Subject: [PATCH 5/6] remove additional role --- .github/workflows/nuke-redeploy.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nuke-redeploy.yml b/.github/workflows/nuke-redeploy.yml index cc4d353a7b4..53e61399b7c 100644 --- a/.github/workflows/nuke-redeploy.yml +++ b/.github/workflows/nuke-redeploy.yml @@ -74,7 +74,7 @@ jobs: run: | terraform --version echo "Terraform Plan - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name - bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/role/modernisation-account-terraform-state-member-access\"}" + bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/modernisation-account-terraform-state-member-access\"}" terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}" bash scripts/terraform-plan.sh terraform/environments/${ACCOUNT_NAME%-development} 
@@ -83,7 +83,7 @@ jobs: run: | terraform --version echo "Terraform apply - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name - bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/role/modernisation-account-terraform-state-member-access\"}" + bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/modernisation-account-terraform-state-member-access\"}" terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}" bash scripts/terraform-apply.sh terraform/environments/${ACCOUNT_NAME%-development} env: From b4d203b405660ee8d522de2dc4f4d4950a7fa4d8 Mon Sep 17 00:00:00 2001 From: Aaron Robinson <41325732+ASTRobinson@users.noreply.github.com> Date: Fri, 19 Apr 2024 08:38:24 +0100 Subject: [PATCH 6/6] removed-accountid-echo --- scripts/terraform-apply-after-nuke.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/scripts/terraform-apply-after-nuke.sh b/scripts/terraform-apply-after-nuke.sh index fbc2c5c0cc1..64c89aa7ad9 100644 --- a/scripts/terraform-apply-after-nuke.sh +++ b/scripts/terraform-apply-after-nuke.sh @@ -16,7 +16,6 @@ eval "$(jq -r '.NUKE_ACCOUNT_IDS | to_entries | .[] |"account_ids[" + (.key | @s # Retrieve Modernisation Platform Account Id BACKEND_NUMBER=$(aws ssm get-parameters --region eu-west-2 --names "modernisation_platform_account_id" --with-decryption --query "Parameters[*].{Value:Value}" --output text) -echo "Modernisation Platform Account Id: $BACKEND_NUMBER" redeployed_envs=() skipped_envs=()