[WD] Toggle public access to UR environment #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "[WD] Toggle public access to UR environment" | |
on: | |
workflow_dispatch: | |
inputs: | |
public_access_enabled: | |
description: 'Enable public access to the UR environment?' | |
required: true | |
type: boolean | |
permissions: | |
id-token: write | |
contents: write | |
security-events: write | |
pull-requests: write | |
actions: none | |
checks: none | |
deployments: none | |
issues: write | |
packages: none | |
repository-projects: none | |
statuses: none | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
fetch_s3_av_version: | |
name: Fetch the S3 AV Zip version tag | |
runs-on: ubuntu-latest | |
steps: | |
- name: Configure AWS Credentials | |
uses: aws-actions/[email protected] | |
with: | |
aws-region: eu-west-1 | |
role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ssm-get-parameter | |
role-duration-seconds: 900 | |
role-session-name: GithubActionsSSMGetParameter | |
- name: Pull S3 AV Zip tag | |
id: pull_s3_av_tag | |
run: | | |
key="/opg-s3-antivirus/zip-version-main" | |
value=$(aws ssm get-parameter --name "$key" --query 'Parameter.Value' --output text 2>/dev/null || true) | |
echo "Using $key: $value" | |
echo "tag=${value}" >> $GITHUB_OUTPUT | |
outputs: | |
s3_av_scanner_zip_tag: ${{ steps.pull_s3_av_tag.outputs.tag }} | |
ur_toggle_public_access: | |
runs-on: ubuntu-latest | |
needs: [ fetch_s3_av_version ] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: get lambda function zips | |
working-directory: ./terraform/environment/region/modules/s3_antivirus/ | |
run: | | |
echo "Pulling AV lambda version: ${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}" >> $GITHUB_STEP_SUMMARY | |
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/lambda_layer-amd64.zip -O lambda_layer.zip | |
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/lambda_layer-amd64.zip.sha256sum -O lambda_layer.zip.sha256sum | |
sha256sum -c "lambda_layer.zip.sha256sum" | |
echo "Lambda Layer Zip SHA256 Hash: $(cat lambda_layer.zip.sha256sum)" >> $GITHUB_STEP_SUMMARY | |
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/myFunction-amd64.zip -O myFunction.zip | |
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/myFunction-amd64.zip.sha256sum -O myFunction.zip.sha256sum | |
sha256sum -c "myFunction.zip.sha256sum" | |
echo "Lambda Function Zip SHA256 Hash: $(cat myFunction.zip.sha256sum)" >> $GITHUB_STEP_SUMMARY | |
- uses: unfor19/install-aws-cli-action@v1 | |
- name: Parse terraform version | |
id: tf_version_setup | |
working-directory: ./terraform/environment | |
run: | | |
if [ -f ./versions.tf ]; then | |
terraform_version=$(cat ./versions.tf | ../../scripts/terraform-version.sh) | |
echo "- Terraform version: [${terraform_version}]" >> $GITHUB_STEP_SUMMARY | |
echo "TERRAFORM_VERSION=${terraform_version}" >> $GITHUB_OUTPUT | |
fi | |
- name: "Terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]" | |
run: echo "terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]" | |
working-directory: ./terraform/environment | |
- uses: hashicorp/[email protected] | |
with: | |
terraform_version: ${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }} | |
terraform_wrapper: false | |
- name: Configure AWS Credentials For Terraform | |
uses: aws-actions/[email protected] | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | |
aws-region: eu-west-1 | |
role-duration-seconds: 3600 | |
role-session-name: OPGModernisingLPATerraformGithubAction | |
- uses: webfactory/[email protected] | |
with: | |
ssh-private-key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }} | |
- name: Terraform Init | |
run: terraform init -input=false | |
working-directory: ./terraform/environment | |
- name: Terraform Toggle Public Access for UR | |
env: | |
TF_WORKSPACE: ur | |
TF_VAR_pagerduty_api_key: ${{ secrets.pagerduty_api_key }} | |
run: | | |
terraform apply -lock-timeout=300s -input=false -auto-approve -var public_access_enabled=${{ inputs.public_access_enabled }} \ | |
-target 'module.eu_west_1[0].module.app.aws_security_group_rule.app_loadbalancer_public_access_ingress[0]' \ | |
-target 'module.eu_west_1[0].module.app.aws_security_group_rule.app_loadbalancer_public_access_ingress_port_80[0]' \ | |
-target 'module.eu_west_1[0].module.app.aws_security_group_rule.app_loadbalancer_port_80_redirect_ingress[0]' \ | |
-target 'module.eu_west_1[0].module.app.aws_security_group_rule.app_loadbalancer_ingress[0]' \ | |
-target 'module.eu_west_1[0].module.mock_onelogin[0].aws_security_group_rule.mock_onelogin_loadbalancer_public_access_ingress[0]' \ | |
-target 'module.eu_west_1[0].aws_service_discovery_private_dns_namespace.internal' \ | |
-target 'module.eu_west_1[0].aws_service_discovery_private_dns_namespace.mock_one_login' | |
working-directory: ./terraform/environment |