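---
# Deploy infrastructure: shared Terraform, container images and Lambdas.
#
# Stage selection: a push to the `prod` branch targets the prod stage; a push
# to ANY other branch (the trigger is `**`) targets dev. Every branch push
# therefore builds images and deploys Lambdas into dev.
#
# Review notes (not changed here because the fix lives outside this file):
#   - Every job, including the prod stage, authenticates with the same static
#     DEV_AWS_* access keys. Either those keys are over-privileged for dev or
#     prod deploys cannot work. Prefer OIDC (`role-to-assume` plus
#     `permissions: id-token: write`) with a separate least-privilege role per
#     stage instead of long-lived keys in repository secrets.
#   - Actions are pinned to major tags (@v4, @v3). Pin to full commit SHAs for
#     supply-chain hardening.
name: Deploy infrastructure

on:
  push:
    branches:
      - "**"

# Least privilege for GITHUB_TOKEN: nothing in this file writes to the repo.
permissions:
  contents: read

# Serialise runs per target stage so two pushes (e.g. two feature branches,
# which both map to dev) cannot interleave Terraform applies or Lambda
# updates. An in-flight run is never cancelled mid-apply.
concurrency:
  group: deploy-${{ github.ref_name == 'prod' && 'prod' || 'dev' }}
  cancel-in-progress: false

jobs:
  # Maps the pushed branch to a stage name consumed by every other job.
  determine_stage:
    runs-on: ubuntu-latest
    outputs:
      stage: ${{ steps.set-stage.outputs.stage }}
    steps:
      - name: Determine stage from branch
        id: set-stage
        shell: bash
        # `prod` -> prod; everything else -> dev. Do not dump the environment
        # (`env`) in this step: it prints every variable to the log and only
        # values registered as secrets are masked.
        run: |
          set -euo pipefail
          if [[ "${GITHUB_REF_NAME}" == "prod" ]]; then
            echo "stage=prod" >> "$GITHUB_OUTPUT"
          else
            echo "stage=dev" >> "$GITHUB_OUTPUT"
          fi

  # ============================================================
  # 1️⃣ Shared Terraform (infra)
  # ============================================================
  shared_terraform:
    needs: determine_stage
    runs-on: ubuntu-latest
    # Binding the job to an environment named after the stage lets the prod
    # apply be gated by environment protection rules (required reviewers).
    # Without such rules `terraform apply -auto-approve` runs on any push to
    # the `prod` branch.
    environment: ${{ needs.determine_stage.outputs.stage }}
    env:
      STAGE: ${{ needs.determine_stage.outputs.stage }}
    steps:
      - uses: actions/checkout@v4
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.DEV_AWS_REGION }}
      - uses: hashicorp/setup-terraform@v3
      - name: Terraform Init
        working-directory: infrastructure/terraform/shared
        run: terraform init -reconfigure
      - name: Terraform Workspace
        working-directory: infrastructure/terraform/shared
        run: terraform workspace select "${STAGE}" || terraform workspace new "${STAGE}"
      - name: Terraform Plan
        working-directory: infrastructure/terraform/shared
        run: terraform plan -var-file="${STAGE}.tfvars" -out=tfplan
      # Only the prod stage is applied; for dev this job is plan-only.
      - name: Terraform Apply
        if: env.STAGE == 'prod'
        working-directory: infrastructure/terraform/shared
        run: terraform apply -auto-approve tfplan

  # ============================================================
  # Fetch DB credentials
  # ============================================================
  # SECURITY NOTE: db_password leaves this job as a plain job output and is
  # then handed to the deploy workflow through `with:`. Job outputs and
  # `with:` inputs are not secret-masked, so any later step that echoes them
  # prints the password. `::add-mask::` is not a fix here: the runner drops a
  # job output that matches a masked value ("Skip output ... since it may
  # contain secret"). The proper fix is to stop moving the password through
  # the pipeline at all: pass only the secret id
  # (`<stage>/assessment_model/db_credentials`) to the Lambda and resolve it
  # from Secrets Manager at runtime, or fetch it inside _deploy_lambda.yml.
  # Left in place because that change spans the Lambda code and the reusable
  # workflow, neither of which is in this file.
  fetch_db:
    needs: determine_stage
    runs-on: ubuntu-latest
    # Same environment gating as shared_terraform; the prod DB credentials
    # should not be readable by an unreviewed push.
    environment: ${{ needs.determine_stage.outputs.stage }}
    outputs:
      db_username: ${{ steps.get_db.outputs.db_username }}
      db_password: ${{ steps.get_db.outputs.db_password }}
    steps:
      - name: Configure AWS
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.DEV_AWS_REGION }}
      - name: Read DB credentials from Secrets Manager
        id: get_db
        shell: bash
        env:
          SECRET_ID: ${{ needs.determine_stage.outputs.stage }}/assessment_model/db_credentials
        # `jq -e` exits non-zero when a key is missing/null, so a malformed
        # secret fails the job instead of deploying the literal string "null".
        # The JSON is fed to jq via a here-string so it is never word-split.
        run: |
          set -euo pipefail
          secret_json="$(aws secretsmanager get-secret-value \
            --secret-id "${SECRET_ID}" \
            --query SecretString --output text)"
          db_username="$(jq -er .db_assessment_model_username <<<"${secret_json}")"
          db_password="$(jq -er .db_assessment_model_password <<<"${secret_json}")"
          {
            echo "db_username=${db_username}"
            echo "db_password=${db_password}"
          } >> "$GITHUB_OUTPUT"

  # ============================================================
  # 2️⃣ Build Address 2 UPRN image and Push
  # ============================================================
  address2uprn_image:
    needs: [determine_stage, shared_terraform]
    uses: ./.github/workflows/_build_image.yml
    with:
      ecr_repo: address2uprn-${{ needs.determine_stage.outputs.stage }}
      dockerfile_path: backend/address2UPRN/handler/Dockerfile
      build_context: .
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}

  # ============================================================
  # 3️⃣ Deploy Address 2 UPRN Lambda
  # ============================================================
  address2uprn_lambda:
    needs: [address2uprn_image, determine_stage]
    uses: ./.github/workflows/_deploy_lambda.yml
    with:
      lambda_name: address2uprn
      lambda_path: infrastructure/terraform/lambda/address2UPRN
      stage: ${{ needs.determine_stage.outputs.stage }}
      ecr_repo: address2uprn-${{ needs.determine_stage.outputs.stage }}
      # Deploy by digest, not tag, so the deployed image is exactly the one
      # built above.
      image_digest: ${{ needs.address2uprn_image.outputs.image_digest }}
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}

  # ============================================================
  # 2️⃣ Build Postcode Splitter image and Push
  # ============================================================
  postcodeSplitter_image:
    needs: [determine_stage, shared_terraform]
    uses: ./.github/workflows/_build_image.yml
    with:
      ecr_repo: postcode_splitter-${{ needs.determine_stage.outputs.stage }}
      dockerfile_path: backend/postcode_splitter/handler/Dockerfile
      build_context: .
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}

  # ============================================================
  # 3️⃣ Deploy Postcode Splitter Lambda
  # ============================================================
  postcodeSplitter_lambda:
    needs: [postcodeSplitter_image, determine_stage]
    uses: ./.github/workflows/_deploy_lambda.yml
    with:
      lambda_name: postcodeSplitter
      lambda_path: infrastructure/terraform/lambda/postcodeSplitter
      stage: ${{ needs.determine_stage.outputs.stage }}
      ecr_repo: postcode_splitter-${{ needs.determine_stage.outputs.stage }}
      image_digest: ${{ needs.postcodeSplitter_image.outputs.image_digest }}
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}

  # ============================================================
  # Condition ETL image and Push
  # ============================================================
  condition_etl_image:
    needs: [determine_stage, shared_terraform]
    uses: ./.github/workflows/_build_image.yml
    with:
      ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}
      dockerfile_path: backend/condition/handler/Dockerfile
      build_context: .
      # Docker build args are recorded in image metadata (`docker history`).
      # These are host/port/name rather than credentials, but note that the
      # DEV_ values are baked in regardless of stage, so a prod-stage image
      # carries the dev DB endpoint -- confirm that is intended.
      build_args: |
        DEV_DB_HOST=$DEV_DB_HOST
        DEV_DB_PORT=$DEV_DB_PORT
        DEV_DB_NAME=$DEV_DB_NAME
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}
      DEV_DB_HOST: ${{ secrets.DEV_DB_HOST }}
      DEV_DB_PORT: ${{ secrets.DEV_DB_PORT }}
      DEV_DB_NAME: ${{ secrets.DEV_DB_NAME }}

  # ============================================================
  # Deploy Condition ETL Lambda
  # ============================================================
  condition_etl_lambda:
    needs: [condition_etl_image, fetch_db, determine_stage]
    uses: ./.github/workflows/_deploy_lambda.yml
    with:
      lambda_name: condition-etl
      lambda_path: infrastructure/terraform/lambda/condition-etl
      stage: ${{ needs.determine_stage.outputs.stage }}
      ecr_repo: condition-etl-${{ needs.determine_stage.outputs.stage }}
      image_digest: ${{ needs.condition_etl_image.outputs.image_digest }}
      # The DB password is passed here as a plain `with:` input (see the
      # SECURITY NOTE on fetch_db). If _deploy_lambda.yml turns these into
      # Lambda environment variables, the password also ends up readable by
      # anyone with lambda:GetFunctionConfiguration; resolving the secret
      # at runtime avoids both exposures.
      environment_vars: |
        DB_USERNAME=${{ needs.fetch_db.outputs.db_username }}
        DB_PASSWORD=${{ needs.fetch_db.outputs.db_password }}
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
      AWS_REGION: ${{ secrets.DEV_AWS_REGION }}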