Skip to content

MLPAB-2689: Show dashboard certificate providers until certificate provided and identity confirmed #1578

MLPAB-2689: Show dashboard certificate providers until certificate provided and identity confirmed

MLPAB-2689: Show dashboard certificate providers until certificate provided and identity confirmed #1578

name: "[Workflow] Destroy PR Environment"
on:
pull_request:
branches:
- main
types:
- closed
permissions:
id-token: write
contents: read
security-events: none
pull-requests: read
actions: none
checks: none
deployments: none
issues: none
packages: none
repository-projects: none
statuses: none
defaults:
run:
shell: bash
jobs:
fetch_s3_av_version:
name: Fetch the S3 AV Zip version tag
runs-on: ubuntu-latest
steps:
- name: Configure AWS Credentials
uses: aws-actions/[email protected]
with:
aws-region: eu-west-1
role-to-assume: arn:aws:iam::311462405659:role/modernising-lpa-github-actions-ssm-get-parameter
role-duration-seconds: 900
role-session-name: GithubActionsSSMGetParameter
- name: Pull S3 AV Zip tag
id: pull_s3_av_tag
run: |
key="/opg-s3-antivirus/zip-version-main"
value=$(aws ssm get-parameter --name "$key" --query 'Parameter.Value' --output text 2>/dev/null || true)
echo "Using $key: $value"
echo "tag=${value}" >> $GITHUB_OUTPUT
outputs:
s3_av_scanner_zip_tag: ${{ steps.pull_s3_av_tag.outputs.tag }}
generate_environment_workspace_name:
runs-on: ubuntu-latest
steps:
- name: Generate workspace name
id: name_workspace
run: |
workspace=${{ github.event.pull_request.number }}
workspace=${workspace//-}
workspace=${workspace//_}
workspace=${workspace//\/}
workspace=${workspace:0:11}
workspace=$(echo ${workspace} | tr '[:upper:]' '[:lower:]')
echo "name=${workspace}" >> $GITHUB_OUTPUT
echo ${workspace}
outputs:
environment_workspace_name: ${{ steps.name_workspace.outputs.name }}
cleanup_workspace:
runs-on: ubuntu-latest
needs: [ generate_environment_workspace_name, fetch_s3_av_version ]
steps:
- name: Checkout
uses: actions/checkout@v4
- name: get lambda function zips
working-directory: ./terraform/environment/region/modules/s3_antivirus/
run: |
echo "Pulling AV lambda version: ${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}" >> $GITHUB_STEP_SUMMARY
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/lambda_layer-amd64.zip -O lambda_layer.zip
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/lambda_layer-amd64.zip.sha256sum -O lambda_layer.zip.sha256sum
sha256sum -c "lambda_layer.zip.sha256sum"
echo "Lambda Layer Zip SHA256 Hash: $(cat lambda_layer.zip.sha256sum)" >> $GITHUB_STEP_SUMMARY
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/myFunction-amd64.zip -O myFunction.zip
wget https://github.com/ministryofjustice/opg-s3-antivirus/releases/download/${{ needs.fetch_s3_av_version.outputs.s3_av_scanner_zip_tag }}/myFunction-amd64.zip.sha256sum -O myFunction.zip.sha256sum
sha256sum -c "myFunction.zip.sha256sum"
echo "Lambda Function Zip SHA256 Hash: $(cat myFunction.zip.sha256sum)" >> $GITHUB_STEP_SUMMARY
- name: Configure AWS Credentials For Terraform
uses: aws-actions/[email protected]
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
aws-region: eu-west-1
role-duration-seconds: 3600
role-session-name: OPGModernisingLPATerraformGithubAction
- uses: webfactory/[email protected]
with:
ssh-private-key: ${{ secrets.OPG_MODERNISING_LPA_DEPLOY_KEY_PRIVATE_KEY }}
- name: Setup Workspace Manager
run: |
wget https://github.com/ministryofjustice/opg-terraform-workspace-manager/releases/download/v0.3.2/opg-terraform-workspace-manager_Linux_x86_64.tar.gz -O $HOME/terraform-workspace-manager.tar.gz
sudo tar -xvf $HOME/terraform-workspace-manager.tar.gz -C /usr/local/bin
sudo chmod +x /usr/local/bin/terraform-workspace-manager
terraform-workspace-manager -register-workspace=${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }} -time-to-protect=1 -aws-account-id=653761790766 -aws-iam-role=modernising-lpa-ci
- name: Parse terraform version
id: tf_version_setup
working-directory: ./terraform/environment
run: |
if [ -f ./versions.tf ]; then
terraform_version=$(cat ./versions.tf | ../../scripts/terraform-version.sh)
echo "- Terraform version: [${terraform_version}]" >> $GITHUB_STEP_SUMMARY
echo "TERRAFORM_VERSION=${terraform_version}" >> $GITHUB_OUTPUT
fi
- name: "Terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]"
run: echo "terraform version [${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}]"
working-directory: ./terraform/environment
- uses: hashicorp/[email protected]
with:
terraform_version: ${{ steps.tf_version_setup.outputs.TERRAFORM_VERSION }}
terraform_wrapper: false
- name: Terraform Init
run: terraform init -input=false
working-directory: ./terraform/environment
- name: Destroy PR environment and Terraform workspace
working-directory: ./terraform/environment
env:
TF_VAR_pagerduty_api_key: ${{ secrets.PAGERDUTY_API_KEY }}
run: |
terraform workspace select -or-create=true ${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}
terraform destroy -auto-approve
terraform workspace select default
terraform workspace delete ${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}
- name: Remove protection for environment workspace
run: |
terraform-workspace-manager -register-workspace=${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }} -time-to-protect=0 -aws-account-id=653761790766 -aws-iam-role=modernising-lpa-ci
- name: Configure AWS Credentials For AWS CLI
uses: aws-actions/[email protected]
with:
role-to-assume: arn:aws:iam::653761790766:role/modernising-lpa-github-actions-cloudwatch-log-group-delete
aws-region: eu-west-1
role-duration-seconds: 900
role-session-name: OPGModernisingLPALogGroupDeleteGithubAction
- name: Remove container insights log group
run: |
aws logs delete-log-group --log-group-name /aws/ecs/containerinsights/${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}/performance
- name: Configure AWS Credentials For opensearch
uses: aws-actions/[email protected]
with:
role-to-assume: arn:aws:iam::653761790766:role/modernising-lpa-github-actions-opensearch-delete-index
aws-region: eu-west-1
role-duration-seconds: 900
role-session-name: OPGModernisingOpensearchIndexDeleteGithubAction
- name: Delete opensearch index lpas_v2_${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}
run: |
pip install awscurl==0.33
response=$(awscurl \
"${{ secrets.DEVELOPMENT_OPENSEARCH_COLLECTION_ENDPOINT }}/lpas_v2_${{ needs.generate_environment_workspace_name.outputs.environment_workspace_name }}" \
--request DELETE \
--region eu-west-1 \
--service aoss)
if [[ $response == *'"acknowledged":true'* ]]; then
echo "Request successful."
elif [[ $response == *'"status":404'* ]]; then
echo "Request successful but index not found."
else
exit 1
fi