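name: "[Workflow] Destroy PR Environment"

# `on` is read as a YAML 1.1 boolean key by generic parsers; GitHub's loader
# handles it as the trigger map.
on:
  pull_request:
    branches:
      - main
    types:
      - closed

# Least privilege: only the OIDC token and read scopes are needed; everything
# else is denied explicitly so a compromised step cannot widen its reach.
permissions:
  id-token: write
  contents: read
  security-events: none
  pull-requests: read
  actions: none
  checks: none
  deployments: none
  issues: none
  packages: none
  repository-projects: none
  statuses: none

defaults:
  run:
    # An explicit `bash` shell is run by GitHub with `-e -o pipefail`, so any
    # failing command in the `run:` scripts below aborts its step.
    shell: bash

jobs:
  fetch_s3_av_version:
    name: Fetch the S3 AV Zip version tag
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS Credentials
        # NOTE(review): the action ref was obscured in the page rendering
        # (shown as "[email protected]"); restore the real ref and pin it to
        # a full commit SHA rather than a mutable tag.
        uses: aws-actions/configure-aws-credentials@<PINNED_REF_PLACEHOLDER>
        with:
          aws-region: eu-west-1
          role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ssm-get-parameter
          role-duration-seconds: 900
          role-session-name: GithubActionsSSMGetParameter
      - name: Pull S3 AV Zip tag
        id: pull_s3_av_tag
        run: |
          key="/opg-s3-antivirus/zip-version-main"
          # `|| true` keeps a missing or denied parameter from aborting here,
          # so the result is checked explicitly: an empty tag would otherwise
          # become malformed release URLs in cleanup_workspace and fail late.
          value=$(aws ssm get-parameter --name "$key" --query 'Parameter.Value' --output text 2>/dev/null || true)
          if [ -z "$value" ]; then
            echo "::error::Could not read SSM parameter $key (empty value)"
            exit 1
          fi
          echo "Using $key: $value"
          echo "tag=${value}" >> "$GITHUB_OUTPUT"
    outputs:
      s3_av_scanner_zip_tag: ${{ steps.pull_s3_av_tag.outputs.tag }}

  generate_environment_workspace_name:
    runs-on: ubuntu-latest
    steps:
      - name: Generate workspace name
        id: name_workspace
        env:
          # Passed through the environment instead of being expanded inline
          # with `${{ }}`, so the value is never interpreted as shell source.
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: |
          # Strip characters that are not valid in a workspace name and cap
          # the length at 11, then lower-case the result.
          workspace="${PR_NUMBER}"
          workspace=${workspace//-}
          workspace=${workspace//_}
          workspace=${workspace//\/}
          workspace=${workspace:0:11}
          workspace=$(echo "${workspace}" | tr '[:upper:]' '[:lower:]')
          echo "name=${workspace}" >> "$GITHUB_OUTPUT"
          echo "${workspace}"
    outputs:
      environment_workspace_name: ${{ steps.name_workspace.outputs.name }}

  cleanup_workspace:
    runs-on: ubuntu-latest
    needs: [generate_environment_workspace_name, fetch_s3_av_version]
    env:
      # Job outputs are exposed once as environment variables so the scripts
      # below reference `$VAR` rather than repeating `${{ needs... }}` inline.
      WORKSPACE_NAME: ${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}
      S3_AV_ZIP_TAG: ${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: get lambda function zips
        working-directory: ./terraform/environment/region/modules/s3_antivirus/
        run: |
          release="https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${S3_AV_ZIP_TAG}"
          echo "Pulling AV lambda version: ${S3_AV_ZIP_TAG}" >> "$GITHUB_STEP_SUMMARY"
          # The .sha256sum files come from the same release as the zips, so
          # this verifies transfer integrity only, not who published them.
          wget "${release}/lambda_layer-amd64.zip" -O lambda_layer.zip
          wget "${release}/lambda_layer-amd64.zip.sha256sum" -O lambda_layer.zip.sha256sum
          sha256sum -c "lambda_layer.zip.sha256sum"
          echo "Lambda Layer Zip SHA256 Hash: $(cat lambda_layer.zip.sha256sum)" >> "$GITHUB_STEP_SUMMARY"
          wget "${release}/myFunction-amd64.zip" -O myFunction.zip
          wget "${release}/myFunction-amd64.zip.sha256sum" -O myFunction.zip.sha256sum
          sha256sum -c "myFunction.zip.sha256sum"
          echo "Lambda Function Zip SHA256 Hash: $(cat myFunction.zip.sha256sum)" >> "$GITHUB_STEP_SUMMARY"
      - name: Configure AWS Credentials For Terraform
        # NOTE(review): action ref obscured in rendering — pin to a commit SHA.
        # This step still uses long-lived static keys although `id-token: write`
        # is granted and the other credential steps use OIDC `role-to-assume`;
        # moving it to OIDC would remove the static secret entirely.
        uses: aws-actions/configure-aws-credentials@<PINNED_REF_PLACEHOLDER>
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
          aws-region: eu-west-1
          role-duration-seconds: 3600
          role-session-name: OPGModernisingLPATerraformGithubAction
      # NOTE(review): action ref obscured in rendering — pin to a commit SHA.
      - uses: webfactory/ssh-agent@<PINNED_REF_PLACEHOLDER>
        with:
          ssh-private-key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }}
      - name: Setup Workspace Manager
        run: |
          # NOTE(review): this tarball is installed into /usr/local/bin with no
          # checksum or signature check; pin a known sha256 for v0.3.2 and
          # verify it, as is done for the lambda zips, before extracting.
          wget https://github.com/ministryofjustice/opg-terraform-workspace-manager/releases/download/v0.3.2/opg-terraform-workspace-manager_Linux_x86_64.tar.gz -O "$HOME/terraform-workspace-manager.tar.gz"
          sudo tar -xvf "$HOME/terraform-workspace-manager.tar.gz" -C /usr/local/bin
          sudo chmod +x /usr/local/bin/terraform-workspace-manager
          terraform-workspace-manager -register-workspace="${WORKSPACE_NAME}" -time-to-protect=1 -aws-account-id=653761790766 -aws-iam-role=modernising-lpa-ci
      - name: Parse terraform version
        id: tf_version_setup
        working-directory: ./terraform/environment
        run: |
          if [ -f ./versions.tf ]; then
            terraform_version=$(../../scripts/terraform-version.sh < ./versions.tf)
            echo "- Terraform version: [${terraform_version}]" >> "$GITHUB_STEP_SUMMARY"
            echo "TERRAFORM_VERSION=${terraform_version}" >> "$GITHUB_OUTPUT"
          else
            # Previously this fell through silently, leaving TERRAFORM_VERSION
            # empty for the setup-terraform step; a destroy against live state
            # with an unpinned Terraform is worse than a failed job.
            echo "::error::./versions.tf not found; cannot determine Terraform version"
            exit 1
          fi
      - name: "Terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]"
        run: echo "terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]"
        working-directory: ./terraform/environment
      # NOTE(review): action ref obscured in rendering — pin to a commit SHA.
      - uses: hashicorp/setup-terraform@<PINNED_REF_PLACEHOLDER>
        with:
          terraform_version: ${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}
          terraform_wrapper: false
      - name: Terraform Init
        run: terraform init -input=false
        working-directory: ./terraform/environment
      - name: Destroy PR environment and Terraform workspace
        working-directory: ./terraform/environment
        env:
          TF_VAR_pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
        run: |
          # -or-create keeps this idempotent when the workspace was never
          # created; -input=false makes any missing variable a hard error
          # rather than a hung prompt.
          terraform workspace select -or-create=true "${WORKSPACE_NAME}"
          terraform destroy -auto-approve -input=false
          terraform workspace select default
          terraform workspace delete "${WORKSPACE_NAME}"
      - name: Remove protection for environment workspace
        run: |
          terraform-workspace-manager -register-workspace="${WORKSPACE_NAME}" -time-to-protect=0 -aws-account-id=653761790766 -aws-iam-role=modernising-lpa-ci
      - name: Configure AWS Credentials For AWS CLI
        # NOTE(review): action ref obscured in rendering — pin to a commit SHA.
        uses: aws-actions/configure-aws-credentials@<PINNED_REF_PLACEHOLDER>
        with:
          role-to-assume: arn:aws:iam::653761790766:role/modernising-lpa-github-actions-cloudwatch-log-group-delete
          aws-region: eu-west-1
          role-duration-seconds: 900
          role-session-name: OPGModernisingLPALogGroupDeleteGithubAction
      - name: Remove container insights log group
        run: |
          aws logs delete-log-group --log-group-name "/aws/ecs/containerinsights/${WORKSPACE_NAME}/performance"
      - name: Configure AWS Credentials For opensearch
        # NOTE(review): action ref obscured in rendering — pin to a commit SHA.
        uses: aws-actions/configure-aws-credentials@<PINNED_REF_PLACEHOLDER>
        with:
          role-to-assume: arn:aws:iam::653761790766:role/modernising-lpa-github-actions-opensearch-delete-index
          aws-region: eu-west-1
          role-duration-seconds: 900
          role-session-name: OPGModernisingOpensearchIndexDeleteGithubAction
      - name: Delete opensearch index lpas_v2_${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}
        env:
          # Secret passed via the environment rather than expanded into the
          # script text with `${{ }}`.
          OPENSEARCH_ENDPOINT: ${{ secrets.DEVELOPMENT_OPENSEARCH_COLLECTION_ENDPOINT }}
        run: |
          pip install awscurl==0.33
          response=$(awscurl \
            "${OPENSEARCH_ENDPOINT}/lpas_v2_${WORKSPACE_NAME}" \
            --request DELETE \
            --region eu-west-1 \
            --service aoss)
          # A 404 is treated as success: the index may never have been created
          # for this PR, and the goal is only that it does not exist afterwards.
          if [[ $response == *'"acknowledged":true'* ]]; then
            echo "Request successful."
          elif [[ $response == *'"status":404'* ]]; then
            echo "Request successful but index not found."
          else
            echo "::error::Unexpected response from OpenSearch index delete"
            exit 1
          fi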