Merge pull request #702 from Hestia-Homes/feature/deploy_safely

Feature/deploy safely
2026-06-08 11:17:27 +00:00 · 2026-02-10 17:08:28 +00:00 · 2026-02-10 17:08:28 +00:00 · d4064da365
commit d4064da365
parent 8774aea00f 9a8cc902d0
4 changed files with 48 additions and 10 deletions
--- a/.github/workflows/_build_image.yml
+++ b/.github/workflows/_build_image.yml
@ -104,4 +104,4 @@ jobs:
            --image-ids imageTag=${GITHUB_SHA} \
            --query 'imageDetails[0].imageDigest' \
            --output text)
-          echo "image_digest=$DIGEST" >> "$GITHUB_OUTPUT"
+          echo "image_digest=$DIGEST" >> "$GITHUB_OUTPUT"
--- a/.github/workflows/_deploy_lambda.yml
+++ b/.github/workflows/_deploy_lambda.yml
@ -23,6 +23,18 @@ on:
        required: true
        type: string

+      terraform_apply:
+        required: false
+        type: string
+        default: 'false'
+        # can only be 'true' or 'false'
+
+      terraform_destroy:
+        required: false
+        type: string
+        default: 'false'
+        # can only be 'true' or 'false'
+
    secrets:
      AWS_ACCESS_KEY_ID:
        required: true
@ -87,5 +99,11 @@ jobs:
            -out=lambdaplan

      - name: Terraform Apply
+        if: inputs.terraform_apply == 'true' && inputs.terraform_destroy != 'true'
        working-directory: ${{ inputs.lambda_path }}
        run: terraform apply -auto-approve lambdaplan
+
+      - name: Terraform Destroy
+        if: inputs.terraform_destroy == 'true' && inputs.terraform_apply != 'true'
+        working-directory: ${{ inputs.lambda_path }}
+        run: terraform destroy -auto-approve
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@ -4,29 +4,43 @@ on:
  push:
    branches:
      - "**"
+    paths:
+      - 'infrastructure/terraform/**'
+      - '.github/workflows/deploy_terraform.yml'
+      - '.github/workflows/_build_image.yml'
+      - '.github/workflows/_deploy_lambda.yml'

 jobs:
  determine_stage:
    runs-on: ubuntu-latest
+
    outputs:
      stage: ${{ steps.set-stage.outputs.stage }}
+      terraform_apply: ${{ steps.set-stage.outputs.terraform_apply }}
+
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+      DEV_DB_HOST: ${{ secrets.DEV_DB_HOST }}

    steps:
      - name: Determine stage from branch
        id: set-stage
        shell: bash
        run: |
-          env
          BRANCH="${GITHUB_REF_NAME}"

          if [[ "$BRANCH" == "prod" ]]; then
            echo "stage=prod" >> "$GITHUB_OUTPUT"
-
+            echo "terraform_apply=false" >> "$GITHUB_OUTPUT"
          elif [[ "$BRANCH" == "dev" ]]; then
            echo "stage=dev" >> "$GITHUB_OUTPUT"
-
+            echo "terraform_apply=true" >> "$GITHUB_OUTPUT"
          else
+            # Feature branch
            echo "stage=dev" >> "$GITHUB_OUTPUT"
+            echo "terraform_apply=false" >> "$GITHUB_OUTPUT"
          fi

  # ============================================================
@ -93,6 +107,7 @@ jobs:
      stage: ${{ needs.determine_stage.outputs.stage }}
      ecr_repo: address2uprn-${{ needs.determine_stage.outputs.stage }}
      image_digest: ${{ needs.address2uprn_image.outputs.image_digest }}
+      terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
@ -109,10 +124,17 @@ jobs:
      ecr_repo: postcode_splitter-${{ needs.determine_stage.outputs.stage }}
      dockerfile_path: backend/postcode_splitter/handler/Dockerfile
      build_context: .
+      build_args: |
+        DEV_DB_HOST=$DEV_DB_HOST
+        DEV_DB_PORT=$DEV_DB_PORT
+        DEV_DB_NAME=$DEV_DB_NAME
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+      DEV_DB_HOST: ${{ secrets.DEV_DB_HOST }}
+      DEV_DB_PORT: ${{ secrets.DEV_DB_PORT }}
+      DEV_DB_NAME: ${{ secrets.DEV_DB_NAME }}

  # ============================================================
  # 3️⃣ Deploy Postcode Splitter Lambda
@ -126,6 +148,7 @@ jobs:
      stage: ${{ needs.determine_stage.outputs.stage }}
      ecr_repo: postcode_splitter-${{ needs.determine_stage.outputs.stage }}
      image_digest: ${{ needs.postcodeSplitter_image.outputs.image_digest }}
+      terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
@ -165,8 +188,8 @@ jobs:
      stage: ${{ needs.determine_stage.outputs.stage }}
      ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}
      image_digest: ${{ needs.condition_etl_image.outputs.image_digest }}
+      terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
-      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
-
+      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@ -4,9 +4,6 @@ on:
  pull_request:
    branches:
      - "**"
-  push:
-    branches:
-      - "**"


 jobs:
@ -30,4 +27,4 @@ jobs:
        env:
          EPC_AUTH_TOKEN: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
        run: |
-          make test
+          make test