From f6f5f5cd9b922fa6b7b4903a846e6598088d0fdc Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Tue, 10 Feb 2026 16:45:51 +0000
Subject: [PATCH 1/5] safetly do not deploy

---
 .github/workflows/_build_image.yml | 2 +-
 .github/workflows/_deploy_lambda.yml | 18 +++++++++++++++
 .github/workflows/deploy_terraform.yml | 32 ++++++++++++++++++++------
 3 files changed, 44 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/_build_image.yml b/.github/workflows/_build_image.yml
index 408c0319..641e31f9 100644
--- a/.github/workflows/_build_image.yml
+++ b/.github/workflows/_build_image.yml
@@ -104,4 +104,4 @@ jobs:
 --image-ids imageTag=${GITHUB_SHA} \
 --query 'imageDetails[0].imageDigest' \
 --output text)
- echo "image_digest=$DIGEST" >> "$GITHUB_OUTPUT"
+ echo "image_digest=$DIGEST" >> "$GITHUB_OUTPUT"
\ No newline at end of file
diff --git a/.github/workflows/_deploy_lambda.yml b/.github/workflows/_deploy_lambda.yml
index bff106c5..8424f0d5 100644
--- a/.github/workflows/_deploy_lambda.yml
+++ b/.github/workflows/_deploy_lambda.yml
@@ -23,6 +23,18 @@ on:
 required: true
 type: string
 
+ terraform_apply:
+ required: false
+ type: string
+ default: 'false'
+ # can only be 'true' or 'false'
+
+ terraform_destroy:
+ required: false
+ type: string
+ default: 'false'
+ # can only be 'true' or 'false'
+
 secrets:
 AWS_ACCESS_KEY_ID:
 required: true
@@ -87,5 +99,11 @@ jobs:
 -out=lambdaplan
 
   - name: Terraform Apply
+ if: (inputs.terraform_apply == 'true' || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') && inputs.terraform_destroy != 'true'
 working-directory: ${{ inputs.lambda_path }}
 run: terraform apply -auto-approve lambdaplan
+
+ - name: Terraform Destroy
+ if: inputs.terraform_destroy == 'true'
+ working-directory: ${{ inputs.lambda_path }}
+ run: terraform destroy -auto-approve
\ No newline at end of file
diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
index 4ac08e41..6fc38976 100644
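Review bot: The new `terraform_apply` and `terraform_destroy` inputs are declared as `type: string` with only a comment saying they must be 'true' or 'false', so nothing rejects any other value and a caller that passes `True` or `yes` silently gets neither an apply nor a destroy. Reusable workflows accept `type: boolean` for `workflow_call` inputs; declaring each flag with `type: boolean` and `default: false` makes GitHub validate the value and lets the steps test `if: inputs.terraform_destroy` directly. A caller that derives the flag from a job output, which is always a string, would then pass `terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply == 'true' }}` so the expression yields a real boolean. The `on:` block this hunk edits starts before the hunk.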
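Review bot: The new Terraform Destroy step runs `terraform destroy -auto-approve` for whatever `stage` the caller passes, including `prod`, gated by nothing but a string input that defaults to 'false'. The callers in deploy_terraform.yml already pass `stage` to this workflow, so the cheapest guard is `if: inputs.terraform_destroy == 'true' && inputs.stage != 'prod'`; a stronger one is to run the job under a GitHub `environment:` with required reviewers so destroying shared state needs a human approval. Unlike the apply step, destroy does not consume the saved `lambdaplan`, so it plans and destroys in one shot with no chance to review what will be removed; that deserves a step comment at minimum. The job header is outside this hunk, so whether an environment is already attached is not visible here.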
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@@ -4,27 +4,39 @@ on:
 push:
 branches:
   - "**"
+ paths:
+ - 'infrastructure/terraform/**'
+ - '.github/workflows/deploy_terraform.yml'
+ - '.github/workflows/_build_image.yml'
+ - '.github/workflows/_deploy_lambda.yml'
 
 jobs:
 determine_stage:
 runs-on: ubuntu-latest
+
 outputs:
 stage: ${{ steps.set-stage.outputs.stage }}
 
+ env:
+ AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+ AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+ AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+ DEV_DB_HOST: ${{ secrets.DEV_DB_HOST }}
+
 steps:
   - name: Determine stage from branch
 id: set-stage
 shell: bash
 run: |
- env
+ echo "AWS_ACCESS_KEY_ID is set? ${AWS_ACCESS_KEY_ID:+yes}"
+ echo "AWS_SECRET_ACCESS_KEY is set? ${AWS_SECRET_ACCESS_KEY:+yes}"
+ echo "AWS_REGION=$AWS_REGION"
+ echo "DEV_DB_HOST=$DEV_DB_HOST"
+
 
 BRANCH="${GITHUB_REF_NAME}"
 if [[ "$BRANCH" == "prod" ]]; then
 echo "stage=prod" >> "$GITHUB_OUTPUT"
-
- elif [[ "$BRANCH" == "dev" ]]; then
- echo "stage=dev" >> "$GITHUB_OUTPUT"
-
 else
 echo "stage=dev" >> "$GITHUB_OUTPUT"
 fi
@@ -109,10 +121,17 @@ jobs:
 ecr_repo: postcode_splitter-${{ needs.determine_stage.outputs.stage }}
 dockerfile_path: backend/postcode_splitter/handler/Dockerfile
 build_context: .
+ build_args: |
+ DEV_DB_HOST=$DEV_DB_HOST
+ DEV_DB_PORT=$DEV_DB_PORT
+ DEV_DB_NAME=$DEV_DB_NAME
 secrets:
 AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
 AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
+ DEV_DB_HOST: ${{ secrets.DEV_DB_HOST }}
+ DEV_DB_PORT: ${{ secrets.DEV_DB_PORT }}
+ DEV_DB_NAME: ${{ secrets.DEV_DB_NAME }}
 
 # ============================================================
 # 3️⃣ Deploy Postcode Splitter Lambda
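Review bot: The new `paths:` filter stops this workflow from running when only Lambda source changes, because it lists `infrastructure/terraform/**` and the three workflow files but nothing under `backend/`, while the build jobs further down point at Dockerfiles such as `backend/postcode_splitter/handler/Dockerfile` with `build_context: .`. A handler change pushed to `dev` would therefore not be built or deployed until something under one of the listed paths changes as well; add `- 'backend/**'` (or the narrower handler directories) to the list. It would also help to comment why the workflow files themselves are in the filter, e.g. `# re-run when the pipeline definition changes, not only the infra`. The `on:` block starts before this hunk.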
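Review bot: `DEV_DB_HOST`, `DEV_DB_PORT` and `DEV_DB_NAME` are declared under `secrets:` in this hunk yet also forwarded through `build_args`, and Docker build arguments are recorded in the image's layer history and config, so anyone who can pull the image from ECR can read them with `docker history`. If these values are sensitive they should be injected at runtime as Lambda environment variables from the Terraform module, or mounted with BuildKit `--secret` during the build; if they are not sensitive, move them out of `secrets:` so the pipeline does not pretend they are. Whether `$DEV_DB_HOST` inside the `build_args` block is expanded at all depends on `_build_image.yml` exporting the passed secrets into the build step's environment, which is not visible in this diff, so that contract deserves a comment next to `build_args: |`, e.g. `# $VARS are expanded by _build_image.yml, which exports the passed secrets`.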
@@ -168,5 +187,4 @@ jobs:
 secrets:
 AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
-
+ AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
\ No newline at end of file
From 5f7e85d3a93fc93037c98640ec0aa0fbc79e7c51 Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Tue, 10 Feb 2026 16:46:26 +0000
Subject: [PATCH 2/5] safe

---
 .github/workflows/unit_tests.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
index 14d5a06f..cc6431b8 100644
--- a/.github/workflows/unit_tests.yml
+++ b/.github/workflows/unit_tests.yml
@@ -4,9 +4,6 @@ on:
 pull_request:
 branches:
   - "**"
- push:
- branches:
- - "**"
 
 jobs:
 
@@ -30,4 +27,4 @@ jobs:
 env:
 EPC_AUTH_TOKEN: ${{ secrets.DEV_EPC_AUTH_TOKEN }}
 run: |
- make test
+ make test
\ No newline at end of file
From 362120ba2c08aefb7e8dbddff753d7aff76dc058 Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Tue, 10 Feb 2026 16:53:02 +0000
Subject: [PATCH 3/5] simpler logic

---
 .github/workflows/_deploy_lambda.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/_deploy_lambda.yml b/.github/workflows/_deploy_lambda.yml
index 8424f0d5..3612ab43 100644
--- a/.github/workflows/_deploy_lambda.yml
+++ b/.github/workflows/_deploy_lambda.yml
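Review bot: Dropping the `push:` trigger means `make test` now runs only for pull requests, while `deploy_terraform.yml` in this same series applies Terraform on every push to `dev`, so a direct push to `dev` (or `prod`) is deployed without the unit tests ever running. If the goal is to stop testing every feature-branch push, keep `push:` with `branches: [dev, prod]` rather than removing it, or make the deploy workflow depend on the tests passing. Note also that `DEV_EPC_AUTH_TOKEN`, visible as context in the second hunk, is not provided to `pull_request` runs from forks, so if fork PRs are accepted those runs will execute `make test` with an empty token unless the tests tolerate that.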
@@ -99,11 +99,11 @@ jobs:
 -out=lambdaplan
 
   - name: Terraform Apply
- if: (inputs.terraform_apply == 'true' || github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main') && inputs.terraform_destroy != 'true'
+ if: inputs.terraform_apply == 'true' && inputs.terraform_destroy != 'true'
 working-directory: ${{ inputs.lambda_path }}
 run: terraform apply -auto-approve lambdaplan
 
   - name: Terraform Destroy
- if: inputs.terraform_destroy == 'true'
+ if: inputs.terraform_destroy == 'true' && inputs.terraform_apply != 'true'
 working-directory: ${{ inputs.lambda_path }}
 run: terraform destroy -auto-approve
\ No newline at end of file
From 3d7b6d65843db6ab5a3d52e1f5b711e5f9df5952 Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Tue, 10 Feb 2026 17:02:17 +0000
Subject: [PATCH 4/5] only true for dev

---
 .github/workflows/deploy_terraform.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
index 6fc38976..df378b85 100644
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@@ -16,6 +16,7 @@ jobs:
 
 outputs:
 stage: ${{ steps.set-stage.outputs.stage }}
+ terraform_apply: ${{ steps.set-stage.outputs.terraform_apply }}
 
 env:
 AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
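Review bot: With the two `if:` conditions now mutually exclusive, a caller that sets both `terraform_apply` and `terraform_destroy` to 'true' gets a job that plans, skips both steps and finishes green, which hides a misconfiguration instead of surfacing it. A small guard step before the plan fails fast: `- name: Reject conflicting inputs`, `if: inputs.terraform_apply == 'true' && inputs.terraform_destroy == 'true'`, `run: echo "::error::terraform_apply and terraform_destroy are mutually exclusive" && exit 1`. The plan step that writes `lambdaplan` starts before this hunk.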
@@ -28,17 +29,17 @@ jobs:
 id: set-stage
 shell: bash
 run: |
- echo "AWS_ACCESS_KEY_ID is set? ${AWS_ACCESS_KEY_ID:+yes}"
- echo "AWS_SECRET_ACCESS_KEY is set? ${AWS_SECRET_ACCESS_KEY:+yes}"
- echo "AWS_REGION=$AWS_REGION"
- echo "DEV_DB_HOST=$DEV_DB_HOST"
-
 
 BRANCH="${GITHUB_REF_NAME}"
 if [[ "$BRANCH" == "prod" ]]; then
 echo "stage=prod" >> "$GITHUB_OUTPUT"
+ echo "terraform_apply=false" >> "$GITHUB_OUTPUT"
+ elif [[ "$BRANCH" == "dev" ]]; then
+ echo "stage=dev" >> "$GITHUB_OUTPUT"
+ echo "terraform_apply=true" >> "$GITHUB_OUTPUT"
 else
 echo "stage=dev" >> "$GITHUB_OUTPUT"
+ echo "terraform_apply=false" >> "$GITHUB_OUTPUT"
 fi
 
 # ============================================================
@@ -105,6 +106,7 @@ jobs:
 stage: ${{ needs.determine_stage.outputs.stage }}
 ecr_repo: address2uprn-${{ needs.determine_stage.outputs.stage }}
 image_digest: ${{ needs.address2uprn_image.outputs.image_digest }}
+ terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
 secrets:
 AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
@@ -145,6 +147,7 @@ jobs:
 stage: ${{ needs.determine_stage.outputs.stage }}
 ecr_repo: postcode_splitter-${{ needs.determine_stage.outputs.stage }}
 image_digest: ${{ needs.postcodeSplitter_image.outputs.image_digest }}
+ terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
 secrets:
 AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
@@ -184,6 +187,7 @@ jobs:
 stage: ${{ needs.determine_stage.outputs.stage }}
 ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}
 image_digest: ${{ needs.condition_etl_image.outputs.image_digest }}
+ terraform_apply: ${{ needs.determine_stage.outputs.terraform_apply }}
 secrets:
 AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
 AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
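Review bot: Once this hunk removes the four `echo` lines, no step in `determine_stage` reads `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_REGION` or `DEV_DB_HOST`, yet the job-level `env:` that injects them (added earlier in this series, just above the hunk) is left in place, so static AWS credentials are still mounted into a job whose only work is to inspect the branch name. Remove that `env:` block so the secrets reach only the build and deploy jobs that use them. The flag is written as the literal strings `true`/`false` and then compared against `'true'` in `_deploy_lambda.yml`, which is fine but non-obvious; a one-line comment above the `if` such as `# job outputs are strings; _deploy_lambda.yml tests == 'true'` would save the next reader from switching it to a boolean and breaking the comparison. The `run:` script starts before this hunk.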
From 9a8cc902d0c4717ed9d625a7dc9338d97e8bb6bc Mon Sep 17 00:00:00 2001
From: Jun-te Kim
Date: Tue, 10 Feb 2026 17:02:40 +0000
Subject: [PATCH 5/5] comments to make it more clear

---
 .github/workflows/deploy_terraform.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/deploy_terraform.yml b/.github/workflows/deploy_terraform.yml
index df378b85..71e2ad9d 100644
--- a/.github/workflows/deploy_terraform.yml
+++ b/.github/workflows/deploy_terraform.yml
@@ -38,6 +38,7 @@ jobs:
 echo "stage=dev" >> "$GITHUB_OUTPUT"
 echo "terraform_apply=true" >> "$GITHUB_OUTPUT"
 else
+ # Feature branch
 echo "stage=dev" >> "$GITHUB_OUTPUT"
 echo "terraform_apply=false" >> "$GITHUB_OUTPUT"
 fi