CDD-2442 Set Up CI/CD Workflow for auth-dev and auth-test Environments #1248

ChristianAMartin · 2025-02-13T11:42:18Z

We need to set up and integrate the CI/CD pipeline for the newly provisioned auth-dev and auth-test AWS accounts. This involves ensuring the infrastructure deployment process is automated and aligned with existing workflows for other environments.

github-actions · 2025-02-13T11:43:14Z

unit test coverage report

Title	Statements	Branches	Functions
lambda-producer-handler	100% (41/41)	25% (2/8)	100% (8/8)
lambda-db-password-rotation	100% (26/26)	40% (4/10)	100% (4/4)
lambda-alarm-notification	100% (23/23)		100% (5/5)
legacy-dashboard-redirect-viewer-request	100% (16/16)	100% (4/4)	100% (3/3)
public-api-cloud-front-viewer-request	100% (18/18)	100% (12/12)	100% (3/3)

Title	Tests	Time
lambda-producer-handler	16	0.787s ⏱️
lambda-db-password-rotation	5	0.636s ⏱️
lambda-alarm-notification	5	0.641s ⏱️
legacy-dashboard-redirect-viewer-request	10	0.487s ⏱️
public-api-cloud-front-viewer-request	11	0.492s ⏱️

.github/workflows/pull-request.yml

A-Ashiq · 2025-02-19T13:44:13Z

.github/workflows/pull-request.yml

+      - name: Set AWS Role for Target Environment
+        env:
+          TARGET_ENV: ${{ needs.build_base.outputs.target_env || 'test' }}
+          AWS_ROLE_AUTH_DEV: ${{ secrets.UHD_TERRAFORM_ROLE_AUTH_DEV }}


Can you remove this please, we shouldn't be touching the dev account from the PR workflow

A-Ashiq · 2025-02-19T13:44:39Z

.github/workflows/pull-request.yml

+          AWS_ROLE_TEST: ${{ secrets.UHD_TERRAFORM_ROLE_TEST }}
+        run: |
+          if [[ "$TARGET_ENV" == "auth-dev" ]]; then
+            echo "AWS_ROLE=$AWS_ROLE_AUTH_DEV" >> $GITHUB_ENV


As above, we should only be interacting with either of the test accounts from the PR workflow

A-Ashiq · 2025-02-19T13:56:06Z

.github/workflows/well-known-environment.yml

@@ -149,6 +149,8 @@ jobs:
          dev-account-role: ${{ secrets.UHD_TERRAFORM_ROLE_DEV }}
          test-account-role: ${{ secrets.UHD_TERRAFORM_ROLE_TEST }}
          uat-account-role: ${{ secrets.UHD_TERRAFORM_ROLE_UAT }}
+          auth-dev-account-role: ${{ secrets.UHD_TERRAFORM_ROLE_AUTH_DEV }}


I suspect that these roles won't exist yet, so we've got the chicken & egg situation I was talking about before.
I think we'll likely need to deploy to those envs from our machines the first time around, and then we can pass in the role ARN to these secrets

A-Ashiq · 2025-02-19T13:56:29Z

scripts/_terraform.sh

+    fi
+
+    if [[ $workspace == *"auth"* ]]; then
+        _get_auth_target_aws_account_name "$workspace"


This is much nicer now 👍

A-Ashiq · 2025-02-19T13:57:28Z

scripts/_terraform.sh

    fi
 }

+function _get_auth_target_aws_account_name() {
+    local workspace=$1
+


We'll need a case to handle the ephemeral CI environments too being matched to the auth-test account

… role selection

ChristianAMartin force-pushed the task/configure-cicd-pipeline/CDD-2442 branch 2 times, most recently from 8b44df5 to ca48516 Compare February 18, 2025 09:34

ChristianAMartin marked this pull request as ready for review February 19, 2025 09:39

ChristianAMartin requested a review from a team as a code owner February 19, 2025 09:39

ChristianAMartin force-pushed the task/configure-cicd-pipeline/CDD-2442 branch 2 times, most recently from 59be983 to 8572079 Compare February 19, 2025 10:01