From 225bad90480f24107db10c6f408ccc8fb082d9b7 Mon Sep 17 00:00:00 2001 From: Danielle Adams Date: Tue, 19 Mar 2024 14:41:56 -0600 Subject: [PATCH] ARCH-2035 - Updating to latest versions of actions --- .../im-reusable-finish-build-workflow.yml | 2 +- ...im-reusable-finish-deployment-workflow.yml | 4 +- workflow-templates/im-build-db-ci.yml | 536 +++++++++--------- workflow-templates/im-build-dotnet-ci.yml | 44 +- .../im-build-increment-version-on-merge.yml | 114 ++-- workflow-templates/im-build-npm-package.yml | 6 +- workflow-templates/im-build-nuget-package.yml | 14 +- ...-build-tf-auto-plan-and-comment-on-prs.yml | 252 ++++---- .../im-deploy-az-app-manually.yml | 14 +- workflow-templates/im-deploy-az-database.yml | 6 +- .../im-deploy-az-swap-app-slots.yml | 300 +++++----- .../im-deploy-files-to-az-storage-account.yml | 6 +- workflow-templates/im-deploy-iis-website.yml | 6 +- .../im-deploy-multiple-items-at-once.yml | 236 ++++---- .../im-deploy-on-prem-database.yml | 8 +- .../im-deploy-techdocs-site.yml | 184 +++--- ...loy-tf-auto-apply-main-to-dev-on-merge.yml | 14 +- .../im-deploy-tf-manual-apply.yml | 18 +- .../im-deploy-windows-service.yml | 6 +- ...m-run-add-or-update-az-keyvault-secret.yml | 200 +++---- .../im-run-annotate-app-insights.yml | 234 ++++---- .../im-run-delete-azure-blob.yml | 184 +++--- workflow-templates/im-run-flyway-repair.yml | 346 +++++------ .../im-run-start-stop-restart-azure-app.yml | 248 ++++---- workflow-templates/im-run-tf-destroy.yml | 14 +- workflow-templates/im-run-tf-import.yml | 214 +++---- workflow-templates/im-run-tf-taint.yml | 212 +++---- workflow-templates/im-run-unlock-tf-state.yml | 202 +++---- .../im-run-validate-deployed-terraform.yml | 10 +- workflow-templates/im-test-cypress.yml | 8 +- workflow-templates/im-test-postman.yml | 164 +++--- 31 files changed, 1903 insertions(+), 1903 deletions(-) 
diff --git a/.github/workflows/im-reusable-finish-build-workflow.yml b/.github/workflows/im-reusable-finish-build-workflow.yml index 84902285..c386e3bc 100644 --- a/.github/workflows/im-reusable-finish-build-workflow.yml +++ b/.github/workflows/im-reusable-finish-build-workflow.yml @@ -167,7 +167,7 @@ jobs: - name: Send status to team's notification channel if: always() continue-on-error: true - uses: im-open/post-status-to-teams-action@v1.3 + uses: im-open/post-status-to-teams-action@v1.4 with: title: ${{ inputs.title-of-teams-post }} workflow-status: ${{ steps.conclusion.outputs.workflow_conclusion }} diff --git a/.github/workflows/im-reusable-finish-deployment-workflow.yml b/.github/workflows/im-reusable-finish-deployment-workflow.yml index 22b1e489..bad06d88 100644 --- a/.github/workflows/im-reusable-finish-deployment-workflow.yml +++ b/.github/workflows/im-reusable-finish-deployment-workflow.yml @@ -266,7 +266,7 @@ jobs: - name: Send status to team's notification channel if: always() - uses: im-open/post-status-to-teams-action@v1.3 + uses: im-open/post-status-to-teams-action@v1.4 with: title: ${{ inputs.title-of-teams-post }} workflow-status: ${{ steps.conclusion.outputs.workflow_conclusion }} @@ -329,7 +329,7 @@ jobs: - name: Send Status to Deployment Notifications Channel for Prod Deploys if: always() && steps.post-to-deployment-channel.outputs.post == 'true' - uses: im-open/post-status-to-teams-action@v1.3 + uses: im-open/post-status-to-teams-action@v1.4 with: title: ${{ inputs.title-of-teams-post }} workflow-status: ${{ steps.conclusion.outputs.workflow_conclusion }} diff --git a/workflow-templates/im-build-db-ci.yml b/workflow-templates/im-build-db-ci.yml index dd84b3cf..ddff0dcf 100644 --- a/workflow-templates/im-build-db-ci.yml +++ b/workflow-templates/im-build-db-ci.yml 
@@ -1,268 +1,268 @@ -# Workflow Code: GiddyBuzzard_v18 DO NOT REMOVE -# Purpose: -# The main purpose of this workflow is to verify that the database can be created, all of the migration scripts can be run, and any tests that exist pass. -# In addition to that, however, there are three other things this workflow template is set up to do. -# 1. Create snapshots. Snapshots are create sql object (table, view, sproc, etc.) scripts that show the shape of an object and can be -# useful for keeping a historical record in GitHub of the changes to them. -# 2. Create a backup of the database and store it for later consumption. The backup can then be used in a workflow to circumvent the need -# to spin up the database from scratch. Very helpful for decreasing build times. Please note however that this is only a backup of a local database. -# It does not take the place of backups that should be happening of Production databases. -# 3. Create mock sql objects that can be consumed by other database repos' CI processes. A flag on the build database step in this workflow can be set -# so that your database's dependencies are downloaded and installed. -# -# The need for creating snapshots and backups in this workflow is not a very common need. They are here in case you need them, but likely you won't. -# There are TODO's throughout this template that let you know when something isn't necessary if you don't want snapshots and/or backups created. -# -# Creating mock sql objects is a bit less rare of a need, but only if your database is a sectioned off part of the legacy ExtendHealth monolith. Again, -# there will be TODO's showing you where some items can be removed if you don't have any dependencies and/or don't need to create mock objects to be -# consumed by others. 
-# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Azure SQL Database (Core Template) -# - On-Prem Database (Core Template) - -name: Build Database CI -# TODO: Select the appropriate trigger, if push and pull are both included, two builds will be kicked off when a PR exists and a new commit is pushed to the corresponding branch. -on: - # This workflow will run for the PR events: - # opened/reopened: A PR is opened/re-opened, - # synchronize: The PR's head branch is updated (commits pushed, the base branch changed or the head is updated from the base branch) - # closed: A PR is merged or closed (The triggers job makes sure we only run if a merge happened, not when a close happens) - pull_request: - types: [opened, reopened, synchronize, closed] -env: - DB_NAME: '' # TODO: Fill in your repo's database name - DB_SERVER_NAME: 'localhost' - DB_SERVER_PORT: '1433' - DEFAULT_BRANCH: 'main' # TODO: verify default branch name - GITHUB_PACKAGE_URL: 'https://nuget.pkg.github.com' # TODO: This can be removed if your database doesn't have any dependency objects stored in GitHub Packages - GITHUB_PACKAGE_SOURCE_URL: '${{ env.GITHUB_PACKAGE_URL }}/${{ github.repository_owner }}/index.json' - - # TODO: The following are all for the snapshot step below and can be removed if it's not used - SNAPSHOT_PATH: './snapshot' # TODO: Verify this path is correct - EXCLUDED_DB_SNAPSHOT_OBJECTS: '' # TODO: Add some comma separated values to this - - # TODO: These next variables are for backing up the database. Remove if not needed. - BACKUP_PATH: '' # TODO: The path on the action runner to put the backup path - BACKUP_FILENAME: '' # TODO: The name to give the backup file - -jobs: - # TODO: If you don't need to create snapshots, backups, or mock objects then this whole job can be removed. Make sure to update the 'needs' of later jobs accordingly. 
- set-vars: - runs-on: ubuntu-latest - outputs: - last-commit-is-snapshot: ${{ steps.capture-branch-state.outputs.isSnapshot }} # TODO: Can be useful for if logic to skip steps. Remove if this isn't something you need to branch on. - current-branch-is-default: ${{ steps.capture-branch-state.outpus.isDefaultBranch }} # TODO: Can be useful for if logic to skip steps. Remove if your CI process is the same for all branches. - should-skip-remaining-workflow-jobs: ${{ steps.capture-branch-state.outputs.skip }} # TODO: This is only needed if your workflow is committing a snapshot and needs to skip running the CI for that commit. Remove this and its usages if not needed. - steps: - - uses: actions/checkout@v3 - - # TODO: Update or remove this if you aren't creating snapshots and/or are doing the same CI process for every branch. - - name: Capture branch details - id: capture-branch-state - shell: pwsh - run: | - $CurrentBranch = git rev-parse --abbrev-ref HEAD - $LastCommitBy = git --no-pager show -s --format="%aN" - $CurrentBranchIsDefault = ($CurrentBranch -eq "${{ env.DEFAULT_BRANCH }}") - $LastCommitIsSnapshot = ($LastCommitBy -eq "github-actions") - - "isDefaultBranch=$CurrentBranchIsDefault" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - "isSnapshot=$LastCommitIsSnapshot" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - - - if ($LastCommitIsSnapshot -and !$CurrentBranchIsDefault) - { - Write-Host "Snapshot was last commit, skipping the other jobs" - "skip=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - } - else - { - Write-Host "Snapshot was not the last commit, continuing with the other jobs" - "skip=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - } - - # TODO: Remove this linting job if your project doesn't need/want it - lint-migration-files: - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - needs: set-vars # TODO: Remove this if you deleted the set-vars job - if: 
${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped. - steps: - - uses: actions/checkout@v3 - - - uses: actions/setup-node@v3 - with: - node-version: '14' # TODO: The current LTS version. Can be updated to something else if needed. - - - id: migration-folder - shell: pwsh - run: | - "folder=$($(Get-Date).Year).$($(Get-Date).Month.ToString("00"))" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - - name: SQL Lint - uses: im-open/tsql-lint-action@v1.1 - with: - tsqllint-version: 1.11.0 - path-to-sql-files: 'Database/src/SqlDatabase/Migrations/${{ steps.migration-folder.outputs.folder }}' # TODO: Update this path to wherever the files to lint live - file-name-filter: 'V9*.sql' # TODO: Update this if necessary - path-to-lint-config: ./.tsqllintrc # TODO: Update this with the path to your project's .tsllintrc file - - build-database: - runs-on: [self-hosted, im-linux] - needs: [set-vars, lint-migration-files] # TODO: Remove any jobs you deleted above - if: ${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped. - - env: - SQL_SERVER_PASSWORD: 'StrongPassword!1' - - services: - sqlserver: - image: mcr.microsoft.com/mssql/server:2022-latest - ports: - - 1433:1433 - options: -e "ACCEPT_EULA=Y" -e "MSSQL_SA_PASSWORD=StrongPassword!1" - - steps: - - uses: actions/checkout@v3 - - - name: Install Flyway - uses: im-open/setup-flyway@v1.1 - with: - version: 7.2.0 # This version works with the current version of build-database-ci-action. Newer versions might, but they should be tested. - - - name: Build Database - uses: im-open/build-database-ci-action@v3.3 - with: - # TODO: These parameters are the most commonly used. 
They tell the action to create the repo's database on the Action Runner, - # validate and run the repo's migration scripts, run tests, and seed data into the database for future needs (like integration tests). - # There is more configuration for the action that can happen though, and more it can do. - # See https://github.com/im-open/build-database-ci-action for detailed documentation and examples. - db-server-name: ${{ env.DB_SERVER_NAME }} - db-name: ${{ env.DB_NAME }} - create-database-file: '' # TODO: Add the path to the create database file (often called Initialization.sql) - migration-files-path: '' # TODO: Add the path to the directory with your migration files - should-validate-migrations: true # This will make flyway validate the migration scripts before running them - run-tests: true - test-files-path: '' # TODO: Add the path to the directory with your test files - seed-data: true - seed-data-files-path: '' # TODO: Add the path to the directory with your seed data files - use-integrated-security: false - db-username: 'sa' # The default system administrator account that comes with SQL Server. This is the only account set up in our self hosted Action Runners' SQL Server instances. - db-password: ${{ env.SQL_SERVER_PASSWORD }} - - - ######################################################################################################################### - # The previous three steps are all that most builds will need. They will build your database on the Action Runner and run any tests you have. - # The following steps are for the three activities mentioned at the start of this template. - # 1. Creating snapshots - # 2. Creating mock sql objects - # 3. Creating a backup - # Remove the ones that are unnecessary for your repo's CI process. 
- ######################################################################################################################### - - # The next four steps can be removed if your build doesn't need to create snapshots of database objects. - # Otherwise they can be uncommented and the TODO's addressed. - # TODO: Replace what is in this step with what your build needs in order to determine what database objects have changed - # The output is a json string containing a list of objects with the following properties (see https://github.com/im-open/increment-database-object-snapshots#inputs for more information) - # * objectName - # * schemaName - # * objectType - # * operationType - # - name: Get db objects that have changed - # id: changed-objects - # shell: pwsh - # run: | - # $changedObjectsQuery = - # "SELECT - # objectId, - # schemaName, - # objectName, - # CASE objectType - # WHEN 'U' THEN 'Tables' - # WHEN 'V' THEN 'Views' - # WHEN 'P' THEN 'StoredProcedures' - # WHEN 'SO' THEN 'Sequences' - # WHEN 'TF' THEN 'UserDefinedFunctions' - # WHEN 'FN' THEN 'UserDefinedFunctions' - # WHEN 'IF' THEN 'UserDefinedFunctions' - # WHEN 'SN' THEN 'Synonyms' - # ELSE objectType - # END AS objectType, - # operationType - # FROM DBA.V_ChangedObjectsForSnapshot" - - # $changedObjects = Invoke-Sqlcmd -ServerInstance "${{ env.DB_SERVER_NAME }}" -Database "${{ env.DB_NAME }}" -Query $changedObjectsQuery - # $mappedObjects = $changedObjects | foreach-object { @{ schemaName=$_.schemaName; objectName=$_.objectName; objectType=$_.objectType; operationType=$_.operationType } } - # $objectsAsJson = $mappedObjects | ConvertTo-Json -Compress - - # "json=$objectsAsJson" | Out-File -FilePath $env:GITHUB_OUTPUT -Append - - # - name: Increment snapshots - # uses: im-open/increment-database-object-snapshots@v1.0 - # with: - # db-name: ${{ env.DB_NAME }} - # instance-name: ${{ env.DB_SERVER_NAME }} - # snapshot-path: ${{ env.SNAPSHOT_PATH }} - # objects-to-increment: '${{ 
steps.changed-objects.outputs.json }}' - # excluded-db-objects: ${{ env.EXCLUDED_DB_SNAPSHOT_OBJECTS }} - - # - name: Setup git for snapshot commit - # run: | - # git config user.name github-actions - # git config user.email github-actions@github.com - - # TODO: Update the commit message if desired - # - name: Commit the snapshots - # run: | - # git add ${{ env.SNAPSHOT_PATH }} - # git commit -m "Automated Snapshot Commit" - # git push -f origin HEAD - - ##### End of snapshot steps ##### - - - # This allows the next steps to authenticate with and push to GitHub Packages. - # If you aren't using the steps below you can remove this one. - # - name: Authenticate with GitHub Packages - # uses: im-open/authenticate-with-gh-package-registries@v1.1 - # with: - # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret - # orgs: 'im-practices,im-client' # TODO: Verify list of orgs packages will be pulled from - - # Remove this if you don't need to publish mock sql objects - # - name: Create and publish views from tables - # uses: im-open/sql-view-to-table-generator@v1.1 - # with: - # schema-names: 'dbo,CustomSchema' # TODO: Replace this with an actual list - # db-name: ${{ env.DB_NAME }} - # db-server: ${{ env.DB_SERVER_NAME }} - # default-branch: ${{ env.DEFAULT_BRANCH }} - # nuget-retrieval-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} - # publish-packages: true - # nuget-publish-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} - # nuget-api-key: '${{ secrets.GITHUB_TOKEN }}' # Special per-job token generated by GH for interacting with the repo - # repository-url: ${{ github.repositoryUrl }} - - # TODO: This is needed only if you have to update what objects have changed so it can be used in another step like changed-objects. - # Remove or update as needed. 
- # - name: Update database object versions - # shell: pwsh - # run: | - # $updateObjectVersionsSQL = "EXEC DBA.usp_UpdateCheckSumForChangedObjectDefinitions;" - # Invoke-Sqlcmd -ServerInstance "${{ env.DB_SERVER_NAME }}" -Database "${{ env.DB_NAME }}" $updateObjectVersionsSQL - - # TODO: Remove this if your build doesn't need to create/publish backup files - # - name: Create and publish backup files - # uses: im-open/create-and-publish-db-backup-file@v1.1 - # with: - # db-server: ${{ env.DB_SERVER_NAME }} - # db-name: ${{ env.DB_NAME }} - # backup-path: '${{ env.BACKUP_PATH }}' # This can be changed if needed - # backup-name: '${{ env.BACKUP_FILENAME }}' - # version: '1.1.${{ github.run_number }}' # TODO: Set to 1.1.*** in order to not conflict with previous versions from Teamcity. Update this if desired. - # nuget-source-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} - # nuget-api-key: '${{ secrets.GITHUB_TOKEN }}' # Special per-job token generated by GH for interacting with the repo - # repository-url: ${{ github.repositoryUrl }} - # authors: '' # TODO: This will get put in the .nuspec file. It should be updated with your team name or something similar. +# Workflow Code: GiddyBuzzard_v19 DO NOT REMOVE +# Purpose: +# The main purpose of this workflow is to verify that the database can be created, all of the migration scripts can be run, and any tests that exist pass. +# In addition to that, however, there are three other things this workflow template is set up to do. +# 1. Create snapshots. Snapshots are create sql object (table, view, sproc, etc.) scripts that show the shape of an object and can be +# useful for keeping a historical record in GitHub of the changes to them. +# 2. Create a backup of the database and store it for later consumption. The backup can then be used in a workflow to circumvent the need +# to spin up the database from scratch. Very helpful for decreasing build times. Please note however that this is only a backup of a local database. 
+# It does not take the place of backups that should be happening of Production databases. +# 3. Create mock sql objects that can be consumed by other database repos' CI processes. A flag on the build database step in this workflow can be set +# so that your database's dependencies are downloaded and installed. +# +# The need for creating snapshots and backups in this workflow is not a very common need. They are here in case you need them, but likely you won't. +# There are TODO's throughout this template that let you know when something isn't necessary if you don't want snapshots and/or backups created. +# +# Creating mock sql objects is a bit less rare of a need, but only if your database is a sectioned off part of the legacy ExtendHealth monolith. Again, +# there will be TODO's showing you where some items can be removed if you don't have any dependencies and/or don't need to create mock objects to be +# consumed by others. +# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Azure SQL Database (Core Template) +# - On-Prem Database (Core Template) + +name: Build Database CI +# TODO: Select the appropriate trigger, if push and pull are both included, two builds will be kicked off when a PR exists and a new commit is pushed to the corresponding branch. 
+on: + # This workflow will run for the PR events: + # opened/reopened: A PR is opened/re-opened, + # synchronize: The PR's head branch is updated (commits pushed, the base branch changed or the head is updated from the base branch) + # closed: A PR is merged or closed (The triggers job makes sure we only run if a merge happened, not when a close happens) + pull_request: + types: [opened, reopened, synchronize, closed] +env: + DB_NAME: '' # TODO: Fill in your repo's database name + DB_SERVER_NAME: 'localhost' + DB_SERVER_PORT: '1433' + DEFAULT_BRANCH: 'main' # TODO: verify default branch name + GITHUB_PACKAGE_URL: 'https://nuget.pkg.github.com' # TODO: This can be removed if your database doesn't have any dependency objects stored in GitHub Packages + GITHUB_PACKAGE_SOURCE_URL: '${{ env.GITHUB_PACKAGE_URL }}/${{ github.repository_owner }}/index.json' + + # TODO: The following are all for the snapshot step below and can be removed if it's not used + SNAPSHOT_PATH: './snapshot' # TODO: Verify this path is correct + EXCLUDED_DB_SNAPSHOT_OBJECTS: '' # TODO: Add some comma separated values to this + + # TODO: These next variables are for backing up the database. Remove if not needed. + BACKUP_PATH: '' # TODO: The path on the action runner to put the backup path + BACKUP_FILENAME: '' # TODO: The name to give the backup file + +jobs: + # TODO: If you don't need to create snapshots, backups, or mock objects then this whole job can be removed. Make sure to update the 'needs' of later jobs accordingly. + set-vars: + runs-on: ubuntu-latest + outputs: + last-commit-is-snapshot: ${{ steps.capture-branch-state.outputs.isSnapshot }} # TODO: Can be useful for if logic to skip steps. Remove if this isn't something you need to branch on. + current-branch-is-default: ${{ steps.capture-branch-state.outpus.isDefaultBranch }} # TODO: Can be useful for if logic to skip steps. Remove if your CI process is the same for all branches. 
+ should-skip-remaining-workflow-jobs: ${{ steps.capture-branch-state.outputs.skip }} # TODO: This is only needed if your workflow is committing a snapshot and needs to skip running the CI for that commit. Remove this and its usages if not needed. + steps: + - uses: actions/checkout@v4 + + # TODO: Update or remove this if you aren't creating snapshots and/or are doing the same CI process for every branch. + - name: Capture branch details + id: capture-branch-state + shell: pwsh + run: | + $CurrentBranch = git rev-parse --abbrev-ref HEAD + $LastCommitBy = git --no-pager show -s --format="%aN" + $CurrentBranchIsDefault = ($CurrentBranch -eq "${{ env.DEFAULT_BRANCH }}") + $LastCommitIsSnapshot = ($LastCommitBy -eq "github-actions") + + "isDefaultBranch=$CurrentBranchIsDefault" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + "isSnapshot=$LastCommitIsSnapshot" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + + + if ($LastCommitIsSnapshot -and !$CurrentBranchIsDefault) + { + Write-Host "Snapshot was last commit, skipping the other jobs" + "skip=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + } + else + { + Write-Host "Snapshot was not the last commit, continuing with the other jobs" + "skip=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + } + + # TODO: Remove this linting job if your project doesn't need/want it + lint-migration-files: + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + needs: set-vars # TODO: Remove this if you deleted the set-vars job + if: ${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped. + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 + with: + node-version: '14' # TODO: The current LTS version. Can be updated to something else if needed. 
+ + - id: migration-folder + shell: pwsh + run: | + "folder=$($(Get-Date).Year).$($(Get-Date).Month.ToString("00"))" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + - name: SQL Lint + uses: im-open/tsql-lint-action@v1.1 + with: + tsqllint-version: 1.11.0 + path-to-sql-files: 'Database/src/SqlDatabase/Migrations/${{ steps.migration-folder.outputs.folder }}' # TODO: Update this path to wherever the files to lint live + file-name-filter: 'V9*.sql' # TODO: Update this if necessary + path-to-lint-config: ./.tsqllintrc # TODO: Update this with the path to your project's .tsllintrc file + + build-database: + runs-on: [self-hosted, im-linux] + needs: [set-vars, lint-migration-files] # TODO: Remove any jobs you deleted above + if: ${{ needs.set-vars.outputs.should-skip-remaining-workflow-jobs == 'false' }} # TODO: Remove this if there is no snapshot commit that should cause this step to be skipped. + + env: + SQL_SERVER_PASSWORD: 'StrongPassword!1' + + services: + sqlserver: + image: mcr.microsoft.com/mssql/server:2022-latest + ports: + - 1433:1433 + options: -e "ACCEPT_EULA=Y" -e "MSSQL_SA_PASSWORD=StrongPassword!1" + + steps: + - uses: actions/checkout@v4 + + - name: Install Flyway + uses: im-open/setup-flyway@v1.1 + with: + version: 7.2.0 # This version works with the current version of build-database-ci-action. Newer versions might, but they should be tested. + + - name: Build Database + uses: im-open/build-database-ci-action@v3.3 + with: + # TODO: These parameters are the most commonly used. They tell the action to create the repo's database on the Action Runner, + # validate and run the repo's migration scripts, run tests, and seed data into the database for future needs (like integration tests). + # There is more configuration for the action that can happen though, and more it can do. + # See https://github.com/im-open/build-database-ci-action for detailed documentation and examples. 
+ db-server-name: ${{ env.DB_SERVER_NAME }} + db-name: ${{ env.DB_NAME }} + create-database-file: '' # TODO: Add the path to the create database file (often called Initialization.sql) + migration-files-path: '' # TODO: Add the path to the directory with your migration files + should-validate-migrations: true # This will make flyway validate the migration scripts before running them + run-tests: true + test-files-path: '' # TODO: Add the path to the directory with your test files + seed-data: true + seed-data-files-path: '' # TODO: Add the path to the directory with your seed data files + use-integrated-security: false + db-username: 'sa' # The default system administrator account that comes with SQL Server. This is the only account set up in our self hosted Action Runners' SQL Server instances. + db-password: ${{ env.SQL_SERVER_PASSWORD }} + + + ######################################################################################################################### + # The previous three steps are all that most builds will need. They will build your database on the Action Runner and run any tests you have. + # The following steps are for the three activities mentioned at the start of this template. + # 1. Creating snapshots + # 2. Creating mock sql objects + # 3. Creating a backup + # Remove the ones that are unnecessary for your repo's CI process. + ######################################################################################################################### + + # The next four steps can be removed if your build doesn't need to create snapshots of database objects. + # Otherwise they can be uncommented and the TODO's addressed. 
+ # TODO: Replace what is in this step with what your build needs in order to determine what database objects have changed + # The output is a json string containing a list of objects with the following properties (see https://github.com/im-open/increment-database-object-snapshots#inputs for more information) + # * objectName + # * schemaName + # * objectType + # * operationType + # - name: Get db objects that have changed + # id: changed-objects + # shell: pwsh + # run: | + # $changedObjectsQuery = + # "SELECT + # objectId, + # schemaName, + # objectName, + # CASE objectType + # WHEN 'U' THEN 'Tables' + # WHEN 'V' THEN 'Views' + # WHEN 'P' THEN 'StoredProcedures' + # WHEN 'SO' THEN 'Sequences' + # WHEN 'TF' THEN 'UserDefinedFunctions' + # WHEN 'FN' THEN 'UserDefinedFunctions' + # WHEN 'IF' THEN 'UserDefinedFunctions' + # WHEN 'SN' THEN 'Synonyms' + # ELSE objectType + # END AS objectType, + # operationType + # FROM DBA.V_ChangedObjectsForSnapshot" + + # $changedObjects = Invoke-Sqlcmd -ServerInstance "${{ env.DB_SERVER_NAME }}" -Database "${{ env.DB_NAME }}" -Query $changedObjectsQuery + # $mappedObjects = $changedObjects | foreach-object { @{ schemaName=$_.schemaName; objectName=$_.objectName; objectType=$_.objectType; operationType=$_.operationType } } + # $objectsAsJson = $mappedObjects | ConvertTo-Json -Compress + + # "json=$objectsAsJson" | Out-File -FilePath $env:GITHUB_OUTPUT -Append + + # - name: Increment snapshots + # uses: im-open/increment-database-object-snapshots@v1.0 + # with: + # db-name: ${{ env.DB_NAME }} + # instance-name: ${{ env.DB_SERVER_NAME }} + # snapshot-path: ${{ env.SNAPSHOT_PATH }} + # objects-to-increment: '${{ steps.changed-objects.outputs.json }}' + # excluded-db-objects: ${{ env.EXCLUDED_DB_SNAPSHOT_OBJECTS }} + + # - name: Setup git for snapshot commit + # run: | + # git config user.name github-actions + # git config user.email github-actions@github.com + + # TODO: Update the commit message if desired + # - name: Commit the 
snapshots + # run: | + # git add ${{ env.SNAPSHOT_PATH }} + # git commit -m "Automated Snapshot Commit" + # git push -f origin HEAD + + ##### End of snapshot steps ##### + + + # This allows the next steps to authenticate with and push to GitHub Packages. + # If you aren't using the steps below you can remove this one. + # - name: Authenticate with GitHub Packages + # uses: im-open/authenticate-with-gh-package-registries@v1.1 + # with: + # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret + # orgs: 'im-practices,im-client' # TODO: Verify list of orgs packages will be pulled from + + # Remove this if you don't need to publish mock sql objects + # - name: Create and publish views from tables + # uses: im-open/sql-view-to-table-generator@v1.1 + # with: + # schema-names: 'dbo,CustomSchema' # TODO: Replace this with an actual list + # db-name: ${{ env.DB_NAME }} + # db-server: ${{ env.DB_SERVER_NAME }} + # default-branch: ${{ env.DEFAULT_BRANCH }} + # nuget-retrieval-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} + # publish-packages: true + # nuget-publish-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} + # nuget-api-key: '${{ secrets.GITHUB_TOKEN }}' # Special per-job token generated by GH for interacting with the repo + # repository-url: ${{ github.repositoryUrl }} + + # TODO: This is needed only if you have to update what objects have changed so it can be used in another step like changed-objects. + # Remove or update as needed. 
+ # - name: Update database object versions + # shell: pwsh + # run: | + # $updateObjectVersionsSQL = "EXEC DBA.usp_UpdateCheckSumForChangedObjectDefinitions;" + # Invoke-Sqlcmd -ServerInstance "${{ env.DB_SERVER_NAME }}" -Database "${{ env.DB_NAME }}" $updateObjectVersionsSQL + + # TODO: Remove this if your build doesn't need to create/publish backup files + # - name: Create and publish backup files + # uses: im-open/create-and-publish-db-backup-file@v1.1 + # with: + # db-server: ${{ env.DB_SERVER_NAME }} + # db-name: ${{ env.DB_NAME }} + # backup-path: '${{ env.BACKUP_PATH }}' # This can be changed if needed + # backup-name: '${{ env.BACKUP_FILENAME }}' + # version: '1.1.${{ github.run_number }}' # TODO: Set to 1.1.*** in order to not conflict with previous versions from Teamcity. Update this if desired. + # nuget-source-url: ${{ env.GITHUB_PACKAGE_SOURCE_URL }} + # nuget-api-key: '${{ secrets.GITHUB_TOKEN }}' # Special per-job token generated by GH for interacting with the repo + # repository-url: ${{ github.repositoryUrl }} + # authors: '' # TODO: This will get put in the .nuspec file. It should be updated with your team name or something similar. diff --git a/workflow-templates/im-build-dotnet-ci.yml b/workflow-templates/im-build-dotnet-ci.yml index 301e3425..a1f49aa9 100644 --- a/workflow-templates/im-build-dotnet-ci.yml +++ b/workflow-templates/im-build-dotnet-ci.yml @@ -1,4 +1,4 @@ -# Workflow Code: LoathsomeSnipe_v52 DO NOT REMOVE +# Workflow Code: LoathsomeSnipe_v53 DO NOT REMOVE # Purpose: # Automatically checks out the code, builds, run tests and creates artifacts # which are uploaded to a GH release when commits are pushed to a PR. In the @@ -75,7 +75,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ needs.setup-build-workflow.outputs.REF_TO_BUILD_AND_TAG }} 
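Review bot: The job output `current-branch-is-default` in the rewritten `set-vars` job reads `steps.capture-branch-state.outpus.isDefaultBranch` — `outpus` is misspelled, so the output never receives the `isDefaultBranch` value the step writes to `$GITHUB_OUTPUT` (an unknown context property appears to evaluate to empty rather than failing the run, so this goes unnoticed until something branches on it). Since this hunk re-adds every line of the file, it is the natural place to fix it: `current-branch-is-default: ${{ steps.capture-branch-state.outputs.isDefaultBranch }}`. The same hunk also keeps `node-version: '14'` under the bumped `actions/setup-node@v4` with a comment calling it the current LTS; Node 14 is end-of-life, so the comment is stale and the lint job runs on an unsupported runtime — worth bumping, or at least rewording the comment so template users do not take it as current guidance.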
@@ -88,7 +88,7 @@ jobs: - name: Check for an npm cache id: has-cache - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: '**/node_modules' key: ${{ env.NPM_CACHE_KEY }} @@ -100,14 +100,14 @@ jobs: # This action creates a post-job step that will upload the node_modules dir to the cache if the job completes successfully - name: Setup caching for node_modules directory if cache does not exist if: steps.has-cache.outputs.cache-hit != 'true' - uses: actions/cache@v3 + uses: actions/cache@v4 with: key: ${{ env.NPM_CACHE_KEY }} path: '**/node_modules' enableCrossOsArchive: true - name: Setup node if cache does not exist - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 if: steps.has-cache.outputs.cache-hit != 'true' with: node-version: '16' @@ -138,7 +138,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ needs.setup-build-workflow.outputs.REF_TO_BUILD_AND_TAG }} @@ -152,7 +152,7 @@ jobs: - name: Check for a nuget cache id: has-cache - uses: actions/cache@v3 + uses: actions/cache@v4 with: path: '~/.nuget/packages' key: ${{ env.NUGET_CACHE_KEY }} @@ -164,7 +164,7 @@ jobs: # This action creates a post-job step that will upload the ./.nuget/packages dir to the cache if the job completes successfully - name: Setup caching for nuget packages if cache does not exist if: steps.has-cache.outputs.cache-hit != 'true' - uses: actions/cache@v3 + uses: actions/cache@v4 with: key: ${{ env.NUGET_CACHE_KEY }} path: ~/.nuget/packages @@ -172,7 +172,7 @@ jobs: - name: Setup .NET Core if cache does not exist if: steps.has-cache.outputs.cache-hit != 'true' - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} env: @@ -228,7 +228,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ env.REF_TO_BUILD_AND_TAG }} 
@@ -276,7 +276,7 @@ jobs: # ConnectionStrings.<>: 'Server=localhost;Database=${{ env.DB_NAME }};Trusted_Connection=False;User ID=SA;Password=${{ env.SQL_SERVER_PASSWORD }}' # TODO: Verify connectionString name for app setting and any additional properties that need to be added - name: Setup .NET Core - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} env: @@ -296,7 +296,7 @@ jobs: - name: create status check/comment for test results if: always() id: dotnet_test_check - uses: im-open/process-dotnet-test-results@v2.3 + uses: im-open/process-dotnet-test-results@v3.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo timezone: ${{ env.TIMEZONE }} @@ -308,7 +308,7 @@ jobs: - name: create code coverage report id: coverage_report if: always() && steps.test.outcome == 'success' && env.IS_DEPENDABOT_PR == 'false' - uses: im-open/code-coverage-report-generator@4.9 + uses: im-open/code-coverage-report-generator@v5.0 with: reports: '*/**/coverage.opencover.xml' targetdir: ${{ env.CODE_COVERAGE_DIR_DOTNET }} @@ -324,7 +324,7 @@ jobs: - name: create status check/comment for code coverage results if: always() && steps.coverage_report.outcome == 'success' && env.IS_DEPENDABOT_PR == 'false' id: dotnet_coverage_check - uses: im-open/process-code-coverage-summary@v2.2 + uses: im-open/process-code-coverage-summary@v2.3 with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo summary-file: '${{ env.CODE_COVERAGE_DIR_DOTNET }}/Summary.md' @@ -374,7 +374,7 @@ jobs: JEST_TEST_REPORT_NAME: 'Jest Tests' steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: ref: ${{ env.REF_TO_BUILD_AND_TAG }} @@ -387,7 +387,7 @@ jobs: path: '**/node_modules' - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: '16' 
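Review bot: The bump of `im-open/process-dotnet-test-results` from `v2.3` to `v3.0` in this hunk is a major-version change, yet the `with:` inputs (`github-token`, `timezone`) and the step id `dotnet_test_check` are carried over unchanged, so any renamed or removed inputs/outputs in v3.0 would only surface at run time. Please confirm against that action's v3.0 release notes that these inputs, and whatever outputs later steps read from `steps.dotnet_test_check`, are unchanged, and say so in the commit message, since "Updating to latest versions of actions" reads as a routine bump. The same applies to `im-open/code-coverage-report-generator` moving from `4.9` to `v5.0` in the following hunk. The enclosing job continues outside the hunk.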
@@ -405,7 +405,7 @@ jobs: - name: create status check/comment for jest test results if: always() id: jest_test_check - uses: im-open/process-jest-test-results@v2.1 + uses: im-open/process-jest-test-results@v2.2 with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo timezone: ${{ env.TIMEZONE }} @@ -419,7 +419,7 @@ jobs: - name: create code coverage report id: coverage_report if: always() && steps.test.outcome == 'success' && env.IS_DEPENDABOT_PR == 'false' - uses: im-open/code-coverage-report-generator@4.9 + uses: im-open/code-coverage-report-generator@v5.0 with: reports: '*/**/lcov.info' targetdir: ${{ env.CODE_COVERAGE_DIR_JEST }} @@ -435,7 +435,7 @@ jobs: - name: create status check/comment for code coverage results if: always() && steps.coverage_report.outcome == 'success' && env.IS_DEPENDABOT_PR == 'false' id: jest_coverage_check - uses: im-open/process-code-coverage-summary@v2.2 + uses: im-open/process-code-coverage-summary@v2.3 with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo summary-file: '${{ env.CODE_COVERAGE_DIR_JEST }}/Summary.md' @@ -494,7 +494,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ env.REF_TO_BUILD_AND_TAG }} @@ -514,7 +514,7 @@ jobs: path: '**/node_modules' - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: node-version: '16' @@ -524,7 +524,7 @@ jobs: run: npm rebuild - name: Setup .NET Core - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} env: diff --git a/workflow-templates/im-build-increment-version-on-merge.yml b/workflow-templates/im-build-increment-version-on-merge.yml index ada07ce3..e016dca7 100644 --- a/workflow-templates/im-build-increment-version-on-merge.yml +++ b/workflow-templates/im-build-increment-version-on-merge.yml 
@@ -1,57 +1,57 @@ -# Workflow Code: AngryGoose_v14 DO NOT REMOVE -# Purpose: -# Automatically calculates the next semantic version and creates a tag on the repository -# when a PR is merged. The tag is used in later workflows to deploy the tf or db. -# -# Note: -# This workflow should not be used to tag repos that have CI workflows that create their own releases, like -# the dotnet ci build because this workflow would conflict with that. This workflow is recommended for -# things like infrastructure repositories or database projects that do not have a CI build which increments -# their versions. -# -# Frequency: -# This workflow should only be used once per repository -# If the repo has multiple projects that need this workflow (like db and tf), multiple tags can be generated with -# with this workflow by duplicating the increment version step and including different 'tag-prefix' args. -# -# Projects to use this Template with: -# - Azure SQL Database (Core Template) -# - On-Prem Database (Core Template) -# - Storage Account Deployments (Core Template) -# - Terraform (Core Template) - -name: Increment Version on Merge -on: - pull_request: - types: [closed] - -jobs: - increment-version: - if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' # TODO: verify default branch name - - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - - steps: - - name: Checkout Repository - uses: actions/checkout@v3 - with: - fetch-depth: 0 - # Because this is running only on merged PRs, the default behavior of always checking out the merge commit is correct here. 
- - # See https://github.com/im-open/git-version-lite for more details around how to increment major/minor/patch through commit messages - - name: Increment the version - id: calculate_version - uses: im-open/git-version-lite@v3.0 - with: - default-release-type: major # This means if the action cannot find a tag, it will start at v1.0.0 - - - name: Create version tag on GitHub - uses: actions/github-script@v6 - with: - script: | - github.rest.git.createRef({ - owner: context.repo.owner, - repo: context.repo.repo, - ref: 'refs/tags/${{ steps.calculate_version.outputs.NEXT_VERSION}}', - sha: context.sha // context.sha is the SHA of the merge commit - }) +# Workflow Code: AngryGoose_v15 DO NOT REMOVE +# Purpose: +# Automatically calculates the next semantic version and creates a tag on the repository +# when a PR is merged. The tag is used in later workflows to deploy the tf or db. +# +# Note: +# This workflow should not be used to tag repos that have CI workflows that create their own releases, like +# the dotnet ci build because this workflow would conflict with that. This workflow is recommended for +# things like infrastructure repositories or database projects that do not have a CI build which increments +# their versions. +# +# Frequency: +# This workflow should only be used once per repository +# If the repo has multiple projects that need this workflow (like db and tf), multiple tags can be generated with +# with this workflow by duplicating the increment version step and including different 'tag-prefix' args. 
+# +# Projects to use this Template with: +# - Azure SQL Database (Core Template) +# - On-Prem Database (Core Template) +# - Storage Account Deployments (Core Template) +# - Terraform (Core Template) + +name: Increment Version on Merge +on: + pull_request: + types: [closed] + +jobs: + increment-version: + if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' # TODO: verify default branch name + + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + fetch-depth: 0 + # Because this is running only on merged PRs, the default behavior of always checking out the merge commit is correct here. + + # See https://github.com/im-open/git-version-lite for more details around how to increment major/minor/patch through commit messages + - name: Increment the version + id: calculate_version + uses: im-open/git-version-lite@v3.0 + with: + default-release-type: major # This means if the action cannot find a tag, it will start at v1.0.0 + + - name: Create version tag on GitHub + uses: actions/github-script@v7 + with: + script: | + github.rest.git.createRef({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: 'refs/tags/${{ steps.calculate_version.outputs.NEXT_VERSION}}', + sha: context.sha // context.sha is the SHA of the merge commit + }) diff --git a/workflow-templates/im-build-npm-package.yml b/workflow-templates/im-build-npm-package.yml index dfc35c58..8a2dd619 100644 --- a/workflow-templates/im-build-npm-package.yml +++ b/workflow-templates/im-build-npm-package.yml @@ -1,4 +1,4 @@ -# Workflow Code: GloomyBadger_v32 DO NOT REMOVE +# Workflow Code: GloomyBadger_v33 DO NOT REMOVE # Purpose: # Automatically calculates the next semantic version, runs an npm ci, an npm run tests # if there is one, an npm publish and then pushes a latest tag for main builds. When the 
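Review bot: The rewritten workflow still creates a tag through `github.rest.git.createRef` with the job's default `GITHUB_TOKEN` but declares no `permissions:` block, so whether that call succeeds depends on the repository's default token setting rather than on anything visible in this file. Add an explicit least-privilege grant at workflow level, `permissions:` / `  contents: write`, so the intent is recorded and the token is not silently broader (or narrower) than the step needs. Separately, every line of the file appears as removed and re-added with identical content apart from `actions/checkout@v4` and `actions/github-script@v7`, which usually indicates a line-ending or trailing-whitespace change; worth confirming with `git diff -w` and, if so, normalising via `.gitattributes` so future diffs of these templates stay reviewable.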
@@ -66,11 +66,11 @@ jobs: working-directory: '' # TODO: Add the path to the npm package project steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: ref: ${{ env.REF_TO_BUILD_AND_TAG }} - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: node-version: 16 # TODO: verify node version registry-url: https://npm.pkg.github.com/ diff --git a/workflow-templates/im-build-nuget-package.yml b/workflow-templates/im-build-nuget-package.yml index d14b059a..76c2d58c 100644 --- a/workflow-templates/im-build-nuget-package.yml +++ b/workflow-templates/im-build-nuget-package.yml @@ -1,4 +1,4 @@ -# Workflow Code: TrustingCockroach_v42 DO NOT REMOVE +# Workflow Code: TrustingCockroach_v43 DO NOT REMOVE # Purpose: # Automatically builds the project and runs tests with code coverage. If # everything is green, a new semantic version is calculated and a new package @@ -77,7 +77,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # TODO: If you are using any nuget/npm packages from GitHub Packages uncomment this step # - name: Authenticate with GitHub Packages @@ -87,7 +87,7 @@ jobs: # orgs: 'im-client,im-enrollment,im-practices' # TODO: Verify list of orgs packages will be pulled from - name: Setup .NET Core - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} env: @@ -119,7 +119,7 @@ jobs: - name: create status check/comment for test results id: dotnet_test_check - uses: im-open/process-dotnet-test-results@v2.3 + uses: im-open/process-dotnet-test-results@v3.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo timezone: ${{ env.TIMEZONE }} 
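Review bot: `node-version: 16` on the context line under the new `actions/setup-node@v4` still selects Node.js 16, which reached end of life in September 2023 and no longer receives security fixes, so updating the action alone leaves this build running on an unsupported runtime. Consider moving the template to a maintained LTS line, e.g. `node-version: 20`, and keep the existing `# TODO: verify node version` comment so adopters check their package's engine constraints before switching. The same `'16'` pin appears on context lines in the `im-build-dotnet-ci.yml` hunks above.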
@@ -130,7 +130,7 @@ jobs: - name: create code coverage report if: env.IS_DEPENDABOT_PR == 'false' - uses: im-open/code-coverage-report-generator@4.9 + uses: im-open/code-coverage-report-generator@v5.0 with: reports: '*/**/coverage.opencover.xml' targetdir: ${{ env.CODE_COVERAGE_DIR_DOTNET }} @@ -146,7 +146,7 @@ jobs: - name: create status check/comment for code coverage results if: env.IS_DEPENDABOT_PR == 'false' id: dotnet_coverage_check - uses: im-open/process-code-coverage-summary@v2.2 + uses: im-open/process-code-coverage-summary@v2.3 with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo summary-file: '${{ env.CODE_COVERAGE_DIR_DOTNET }}/Summary.md' @@ -186,7 +186,7 @@ jobs: dotnet nuget push "$nupkg" --source "https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json" --api-key ${{ secrets.GITHUB_TOKEN }} - name: Create a tag for main builds - uses: actions/github-script@v6 + uses: actions/github-script@v7 if: ${{ env.IS_MERGE_TO_MAIN }} == 'true' with: github-token: ${{secrets.GITHUB_TOKEN}} diff --git a/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml b/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml index fa842f99..8bafb2ed 100644 --- a/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml +++ b/workflow-templates/im-build-tf-auto-plan-and-comment-on-prs.yml 
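Review bot: The condition on the context line, `if: ${{ env.IS_MERGE_TO_MAIN }} == 'true'`, mixes expression syntax with a bare comparison; GitHub expands the `${{ }}` first and then treats the remaining text (`true == 'true'` or `false == 'true'`) as a non-empty string, which is truthy, so the "Create a tag for main builds" step appears to run on every build rather than only on merges to main. This line predates the bump to `actions/github-script@v7`, but it is worth correcting in the same pass: `if: env.IS_MERGE_TO_MAIN == 'true'`. The step body that actually creates the tag continues outside the hunk.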
@@ -1,126 +1,126 @@ -# Workflow Code: DeterminedPorcupine_v22 DO NOT REMOVE -# Purpose: -# Automatically runs a terraform plan against the specified environments and -# comments on the PR with the expected changes when commits are pushed to a PR. -# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Terraform (Core Template) -# -# TODO Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Automatically run tf plan and comment on PR -on: - pull_request: - types: [opened, reopened, synchronize] - # TODO: Verify the paths where changes should trigger this workflow. This can be removed entirely if all changes should trigger the workflow. - paths: - - 'infrastructure/**' - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - # Required for commenting on PR - pull-requests: write - -jobs: - auto-plan-the-tf: - runs-on: [self-hosted, im-linux] - - strategy: - matrix: - # TODO: By default this only runs a plan against dev, but other envs can be added: qa, stage, demo, uat, prod - environment: [dev] - - environment: ${{ matrix.environment }} - - env: - # The following ARM_* values are env-level secrets/variables - ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} - ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable - ARM_ENVIRONMENT: 'public' - TF_IN_AUTOMATION: 'true' - TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
- TF_WORKING_DIR: './infrastructure/${{ matrix.environment }}' # TODO: Verify this directory structure would be correct for your repository (older projects may not be inside of an infrastructure folder) - # The following SSH_* secrets are org-level secrets - SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} - SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} - SSH_KEY_AAD_GROUP_MEMBERS: ${{ secrets.SSH_AAD_GROUP_MEMBERS }} # This is an org level secret - SSH_DEPLOY_KEY_INFO: | - [ - { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, - { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" }, - { "orgAndRepo": "im-platform/aad-group-members", "envName" : "SSH_KEY_AAD_GROUP_MEMBERS" } - ] - - defaults: - run: - shell: bash - working-directory: '${{ env.TF_WORKING_DIR }}' - - steps: - - name: Checkout Repository - uses: actions/checkout@v3 - - - name: Setup Terraform - id: setup - uses: hashicorp/setup-terraform@v2.0.3 - with: - terraform_version: '${{ env.TF_VERSION }}' - - # Allows pulling modules from the repo instead of artifactory - - name: Setup SSH Keys and known_hosts - uses: im-open/setup-deploy-keys@v1.1 - with: - deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} - - - name: Terraform Init - if: always() - id: init - run: terraform init - - - name: Terraform Format - if: always() - working-directory: . - id: fmt - run: terraform fmt -check -recursive - - # TODO: Remove the pagerduty token if not configuring pagerduty. If using pagerduty verify 'pagerduty_token' is the name of the variable that tf expects - # TODO: Add any other secrets that would be required for a tf plan to succeed. 
Since this is a multi-line command every line except the last will need a \ on the end of it - # PAGERDUTY_API_KEY is an org level secret - - name: Terraform Plan - if: always() - id: plan - run: | - terraform plan -no-color -lock=false \ - -var="pagerduty_token=${{ secrets.PAGERDUTY_API_KEY }}" - - - name: 'Terraform Comment' - if: always() - uses: actions/github-script@v6 - env: - PLAN: "\n```\n${{ steps.plan.outputs.stdout }}\n```\n" - with: - github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo - script: | - const output = `### Format, Init and Plan Results for ${{ matrix.environment }} - #### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` - #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` - #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` -
Show Plan - ${process.env.PLAN} -
- - __Pusher__: @${{ github.actor }} - __Action__: \`${{ github.event_name }}\``; - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) +# Workflow Code: DeterminedPorcupine_v23 DO NOT REMOVE +# Purpose: +# Automatically runs a terraform plan against the specified environments and +# comments on the PR with the expected changes when commits are pushed to a PR. +# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Terraform (Core Template) +# +# TODO Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Automatically run tf plan and comment on PR +on: + pull_request: + types: [opened, reopened, synchronize] + # TODO: Verify the paths where changes should trigger this workflow. This can be removed entirely if all changes should trigger the workflow. + paths: + - 'infrastructure/**' + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + # Required for commenting on PR + pull-requests: write + +jobs: + auto-plan-the-tf: + runs-on: [self-hosted, im-linux] + + strategy: + matrix: + # TODO: By default this only runs a plan against dev, but other envs can be added: qa, stage, demo, uat, prod + environment: [dev] + + environment: ${{ matrix.environment }} + + env: + # The following ARM_* values are env-level secrets/variables + ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable + ARM_ENVIRONMENT: 'public' + TF_IN_AUTOMATION: 'true' + TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
+ TF_WORKING_DIR: './infrastructure/${{ matrix.environment }}' # TODO: Verify this directory structure would be correct for your repository (older projects may not be inside of an infrastructure folder) + # The following SSH_* secrets are org-level secrets + SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} + SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} + SSH_KEY_AAD_GROUP_MEMBERS: ${{ secrets.SSH_AAD_GROUP_MEMBERS }} # This is an org level secret + SSH_DEPLOY_KEY_INFO: | + [ + { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, + { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" }, + { "orgAndRepo": "im-platform/aad-group-members", "envName" : "SSH_KEY_AAD_GROUP_MEMBERS" } + ] + + defaults: + run: + shell: bash + working-directory: '${{ env.TF_WORKING_DIR }}' + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Setup Terraform + id: setup + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: '${{ env.TF_VERSION }}' + + # Allows pulling modules from the repo instead of artifactory + - name: Setup SSH Keys and known_hosts + uses: im-open/setup-deploy-keys@v1.1 + with: + deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} + + - name: Terraform Init + if: always() + id: init + run: terraform init + + - name: Terraform Format + if: always() + working-directory: . + id: fmt + run: terraform fmt -check -recursive + + # TODO: Remove the pagerduty token if not configuring pagerduty. If using pagerduty verify 'pagerduty_token' is the name of the variable that tf expects + # TODO: Add any other secrets that would be required for a tf plan to succeed. 
Since this is a multi-line command every line except the last will need a \ on the end of it + # PAGERDUTY_API_KEY is an org level secret + - name: Terraform Plan + if: always() + id: plan + run: | + terraform plan -no-color -lock=false \ + -var="pagerduty_token=${{ secrets.PAGERDUTY_API_KEY }}" + + - name: 'Terraform Comment' + if: always() + uses: actions/github-script@v7 + env: + PLAN: "\n```\n${{ steps.plan.outputs.stdout }}\n```\n" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo + script: | + const output = `### Format, Init and Plan Results for ${{ matrix.environment }} + #### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` +
Show Plan + ${process.env.PLAN} +
+ + __Pusher__: @${{ github.actor }} + __Action__: \`${{ github.event_name }}\``; + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) diff --git a/workflow-templates/im-deploy-az-app-manually.yml b/workflow-templates/im-deploy-az-app-manually.yml index 2f52d674..10d1f2fa 100644 --- a/workflow-templates/im-deploy-az-app-manually.yml +++ b/workflow-templates/im-deploy-az-app-manually.yml @@ -1,4 +1,4 @@ -# Workflow Code: AmbitiousLizard_v48 DO NOT REMOVE +# Workflow Code: AmbitiousLizard_v49 DO NOT REMOVE # Purpose: # Gathers various stakeholder and attestor approvals, downloads artifacts from a release # with the specified tags, makes changes to any configuration files for the specified @@ -295,7 +295,7 @@ jobs: - name: Open a PagerDuty Maintenance Window id: open-window - uses: im-open/open-pagerduty-maintenance-window@v1.2 + uses: im-open/open-pagerduty-maintenance-window@v1.3 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret description: '${{ env.PAGERDUTY_WINDOW_DESC }}' @@ -305,7 +305,7 @@ jobs: - name: AZ Login id: login - uses: azure/login@v1 + uses: azure/login@v2 with: # This is an org-level variable tenant-id: ${{ vars.ARM_TENANT_ID }} @@ -363,7 +363,7 @@ jobs: # TODO: remove this step if this workflow is for an azure function - name: Deploy to Azure Web App - uses: azure/webapps-deploy@v2 + uses: azure/webapps-deploy@v3 with: app-name: ${{ needs.set-vars.outputs.AZ_APP_NAME }} package: ./${{ env.DEPLOY_ZIP }} @@ -371,7 +371,7 @@ jobs: # TODO: remove this step if this workflow is for an azure app service - name: Deploy to Azure Function - uses: azure/functions-action@v1.4.8 + uses: azure/functions-action@v1 with: app-name: ${{ needs.set-vars.outputs.AZ_APP_NAME }} package: ./${{ env.UNZIPPED_ASSET }} 
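Review bot: The `Terraform Plan` step passes the PagerDuty secret on the command line, `-var="pagerduty_token=${{ secrets.PAGERDUTY_API_KEY }}"`, so on the `[self-hosted, im-linux]` runner the value is visible in the process argument list (`ps`, `/proc/*/cmdline`) and to any shell tracing for the lifetime of the plan. Supplying it through the environment keeps it out of argv: add `env:` / `  TF_VAR_pagerduty_token: ${{ secrets.PAGERDUTY_API_KEY }}` to the step and reduce the command to `terraform plan -no-color -lock=false`. Note also that `hashicorp/setup-terraform` moves from the exact `v2.0.3` to the floating `v3` tag; for a job that holds three SSH deploy keys and an OIDC identity, pinning to a full commit SHA is the safer reading of "latest". The plan stdout is posted verbatim into the PR comment, so any value Terraform does not mark `sensitive` lands in the PR thread — pre-existing, but worth a caveat in the template header.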
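Review bot: This hunk replaces the exact pin `azure/functions-action@v1.4.8` with the floating major tag `azure/functions-action@v1`, which is a loosening rather than an update: the deploy step will now follow wherever the maintainers move the `v1` tag, with no change recorded in this repository. For a production deploy step that receives the app name and the unpacked package, prefer pinning to the full commit SHA of the release you tested and keep the tag as a trailing comment (`uses: azure/functions-action@<sha> # v1.x.y`), leaving bumps to Dependabot or Renovate. The other `@vN` references in this commit have the same property, but here the change visibly regresses a pin that was previously exact. The enclosing job continues outside the hunk.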
@@ -406,7 +406,7 @@ jobs: - name: Close the PagerDuty Maintenance Window if: always() && steps.open-window.outcome == 'success' - uses: im-open/close-pagerduty-maintenance-window@v1.1 + uses: im-open/close-pagerduty-maintenance-window@v1.2 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} @@ -440,7 +440,7 @@ jobs: # TODO: Uncomment if you have a separate workflow for swapping slots and you want to trigger it now. Delete if you don't. # A dispatch event like this could also trigger other workflows that do things like smoke tests # - name: Trigger the Slot Swap - # uses: actions/github-script@v6 + # uses: actions/github-script@v7 # with: # github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org-level secret #TODO: make sure im-pipeline-bot has at least write access to your repo # script: | diff --git a/workflow-templates/im-deploy-az-database.yml b/workflow-templates/im-deploy-az-database.yml index c967f6fc..fd4ae1be 100644 --- a/workflow-templates/im-deploy-az-database.yml +++ b/workflow-templates/im-deploy-az-database.yml @@ -1,4 +1,4 @@ -# Workflow Code: BetrayedCod_v33 DO NOT REMOVE +# Workflow Code: BetrayedCod_v34 DO NOT REMOVE # Purpose: # Gathers the required approvals from stakeholders and attestors, ensures # tags are valid for production deployments and runs the migrations against @@ -175,14 +175,14 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ env.RELEASE_TAG }} # TODO: If your database uses Azure Active Directory Authentication then this step can be removed - name: AZ Login id: login - uses: azure/login@v1 + uses: azure/login@v2 with: # This is an org-level variable tenant-id: ${{ vars.ARM_TENANT_ID }} diff --git a/workflow-templates/im-deploy-az-swap-app-slots.yml b/workflow-templates/im-deploy-az-swap-app-slots.yml index 7350f512..5e9f458c 100644 
--- a/workflow-templates/im-deploy-az-swap-app-slots.yml +++ b/workflow-templates/im-deploy-az-swap-app-slots.yml 
@@ -1,150 +1,150 @@ -# Workflow Code: IrritatedHyena_v20 DO NOT REMOVE -# Purpose: -# Swaps deployment slots in a specified environment for an Azure App Service -# or Function outside of a deployment when someone kicks it off manually. -# -# Frequency: -# - This workflow can be duplicated once per app service or function -# -# Projects to use this Template with: -# - Azure App Service or Function (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Swap Azure App Slots -run-name: Swap ${{ inputs.environment }} AZ App Slots -# This workflow can be kicked off manually and it can also be kicked off automatically from -# another workflow by using the repository_dispatch event trigger. This workflow is designed -# to know about each of your environments, so the only thing you need to input is the -# environment where slots will be toggled. - -on: - workflow_dispatch: - inputs: - environment: - description: The environment where slots are being swapped - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - open-pagerduty-window: - description: Open a pagerduty maintenance window - required: true - default: 'false' - type: boolean - # When using repository dispatch, the payload must have the following properties: - # { environment: 'dev|qa|stage|demo|uat|prod', 'open-pagerduty-window': 'true|false'} - repository_dispatch: - types: [swap_slots] - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - - -jobs: - swap-slots: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment || github.event.client_payload.environment }} - env: - PAGERDUTY_WINDOW_IN_MIN: 30 # TODO: Verify the length of your PD Maintenance Window - PAGERDUTY_WINDOW_DESC: 'Deploying Code to ${{ 
github.event.inputs.environment }} from GitHub Actions' # TODO: Verify this PD Maintenance Window Description - TARGET_SLOT: 'Production' # TODO: Verify that this is correct. This is the name azure uses by default. If you are using a different slot for your main site, update it here - SOURCE_SLOT: '' # TODO: Add the name of the source slot - AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function, change this value to functionapp - ENVIRONMENT: ${{ github.event.inputs.environment || github.event.client_payload.environment }} - OPEN_WINDOW: ${{ github.event.inputs.open-pagerduty-window || github.event.client_payload.open-pagerduty-window }} - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Target Slot | `${{ env.TARGET_SLOT }}` | - | Source Slot | `${{ env.SOURCE_SLOT }}` | - | Open PD Window | `${{ env.OPEN_WINDOW }}` |' >> $GITHUB_STEP_SUMMARY - - # For more information and best practices on the usage and options available - # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions - - name: Set Variables - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ env.ENVIRONMENT }} - env: - # TODO: For the following inputs, fill in the value if you have the environment and delete the environment if it does not exist - # This variable is used to swap and delete slots - RESOURCE_GROUP@dev: '' - RESOURCE_GROUP@qa: '' - RESOURCE_GROUP@stage: '' - RESOURCE_GROUP@demo: '' - RESOURCE_GROUP@uat: '' - RESOURCE_GROUP@prod: '' - # This variable is used to swap and delete slots - AZ_APP_NAME@dev: '' - AZ_APP_NAME@qa: '' - AZ_APP_NAME@stage: '' - AZ_APP_NAME@demo: '' - AZ_APP_NAME@uat: '' - AZ_APP_NAME@prod: '' - - - name: Open a PagerDuty Maintenance Window - if: env.OPEN_WINDOW == 'true' - id: open-window - uses: im-open/open-pagerduty-maintenance-window@v1.2 - with: - pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY 
}} # This is an org-level secret - description: '${{ env.PAGERDUTY_WINDOW_DESC }}' - minutes: ${{ env.PAGERDUTY_WINDOW_IN_MIN }} - service-id: ${{ vars.PAGERDUTY_SERVICE_ID }} # This is an env-level variable - #service-ids: '' # TODO: Provide a comma separated list if there are multiple ids. 'PD01,PD02,PD03' - - - name: AZ Login - id: login - uses: azure/login@v1 - with: - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - - name: Swap - # ARM_SUBSCRIPTION_ID is an env-level variable - run: | - az ${{ env.AZ_APP_TYPE }} deployment slot swap \ - --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ - --resource-group ${{ env.RESOURCE_GROUP }} \ - --name ${{ env.AZ_APP_NAME }} \ - --slot ${{ env.SOURCE_SLOT }} \ - --target-slot ${{ env.TARGET_SLOT }} - - # TODO: Uncomment if you want to destroy the slot after swap. Delete if you don't. - # ARM_SUBSCRIPTION_ID is an env-level variable - # - run: | - # az ${{ env.AZ_APP_TYPE }} deployment slot delete \ - # --slot ${{ env.SOURCE_SLOT }} \ - # --name ${{ env.AZ_APP_NAME }} \ - # --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ - # --resource-group ${{ env.RESOURCE_GROUP }} - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account clear - - - name: Close the PagerDuty Maintenance Window - if: always() && env.OPEN_WINDOW == 'true' && steps.open-window.outcome == 'success' - uses: im-open/close-pagerduty-maintenance-window@v1.1 - with: - pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret - maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} +# Workflow Code: IrritatedHyena_v21 DO NOT REMOVE +# Purpose: +# Swaps deployment slots in a specified environment for an Azure App Service +# or Function outside of a deployment when someone kicks it off manually. 
+# +# Frequency: +# - This workflow can be duplicated once per app service or function +# +# Projects to use this Template with: +# - Azure App Service or Function (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Swap Azure App Slots +run-name: Swap ${{ inputs.environment }} AZ App Slots +# This workflow can be kicked off manually and it can also be kicked off automatically from +# another workflow by using the repository_dispatch event trigger. This workflow is designed +# to know about each of your environments, so the only thing you need to input is the +# environment where slots will be toggled. + +on: + workflow_dispatch: + inputs: + environment: + description: The environment where slots are being swapped + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + open-pagerduty-window: + description: Open a pagerduty maintenance window + required: true + default: 'false' + type: boolean + # When using repository dispatch, the payload must have the following properties: + # { environment: 'dev|qa|stage|demo|uat|prod', 'open-pagerduty-window': 'true|false'} + repository_dispatch: + types: [swap_slots] + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + + +jobs: + swap-slots: + runs-on: [self-hosted, im-linux] + environment: ${{ github.event.inputs.environment || github.event.client_payload.environment }} + env: + PAGERDUTY_WINDOW_IN_MIN: 30 # TODO: Verify the length of your PD Maintenance Window + PAGERDUTY_WINDOW_DESC: 'Deploying Code to ${{ github.event.inputs.environment }} from GitHub Actions' # TODO: Verify this PD Maintenance Window Description + TARGET_SLOT: 'Production' # TODO: Verify that this is correct. This is the name azure uses by default. 
If you are using a different slot for your main site, update it here + SOURCE_SLOT: '' # TODO: Add the name of the source slot + AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function, change this value to functionapp + ENVIRONMENT: ${{ github.event.inputs.environment || github.event.client_payload.environment }} + OPEN_WINDOW: ${{ github.event.inputs.open-pagerduty-window || github.event.client_payload.open-pagerduty-window }} + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Target Slot | `${{ env.TARGET_SLOT }}` | + | Source Slot | `${{ env.SOURCE_SLOT }}` | + | Open PD Window | `${{ env.OPEN_WINDOW }}` |' >> $GITHUB_STEP_SUMMARY + + # For more information and best practices on the usage and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ env.ENVIRONMENT }} + env: + # TODO: For the following inputs, fill in the value if you have the environment and delete the environment if it does not exist + # This variable is used to swap and delete slots + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + # This variable is used to swap and delete slots + AZ_APP_NAME@dev: '' + AZ_APP_NAME@qa: '' + AZ_APP_NAME@stage: '' + AZ_APP_NAME@demo: '' + AZ_APP_NAME@uat: '' + AZ_APP_NAME@prod: '' + + - name: Open a PagerDuty Maintenance Window + if: env.OPEN_WINDOW == 'true' + id: open-window + uses: im-open/open-pagerduty-maintenance-window@v1.3 + with: + pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret + description: '${{ env.PAGERDUTY_WINDOW_DESC }}' + minutes: ${{ env.PAGERDUTY_WINDOW_IN_MIN }} + service-id: ${{ vars.PAGERDUTY_SERVICE_ID }} # This is an env-level variable + 
#service-ids: '' # TODO: Provide a comma separated list if there are multiple ids. 'PD01,PD02,PD03' + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + - name: Swap + # ARM_SUBSCRIPTION_ID is an env-level variable + run: | + az ${{ env.AZ_APP_TYPE }} deployment slot swap \ + --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ + --resource-group ${{ env.RESOURCE_GROUP }} \ + --name ${{ env.AZ_APP_NAME }} \ + --slot ${{ env.SOURCE_SLOT }} \ + --target-slot ${{ env.TARGET_SLOT }} + + # TODO: Uncomment if you want to destroy the slot after swap. Delete if you don't. + # ARM_SUBSCRIPTION_ID is an env-level variable + # - run: | + # az ${{ env.AZ_APP_TYPE }} deployment slot delete \ + # --slot ${{ env.SOURCE_SLOT }} \ + # --name ${{ env.AZ_APP_NAME }} \ + # --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ + # --resource-group ${{ env.RESOURCE_GROUP }} + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account clear + + - name: Close the PagerDuty Maintenance Window + if: always() && env.OPEN_WINDOW == 'true' && steps.open-window.outcome == 'success' + uses: im-open/close-pagerduty-maintenance-window@v1.2 + with: + pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret + maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} diff --git a/workflow-templates/im-deploy-files-to-az-storage-account.yml b/workflow-templates/im-deploy-files-to-az-storage-account.yml index 023846b7..a90e8185 100644 --- a/workflow-templates/im-deploy-files-to-az-storage-account.yml +++ b/workflow-templates/im-deploy-files-to-az-storage-account.yml 
@@ -1,4 +1,4 @@ -# Workflow Code: BubblyGreyhound_v26 DO NOT REMOVE +# Workflow Code: BubblyGreyhound_v27 DO NOT REMOVE # Purpose: # Checks out the repository and deploys a directory to the # specified storage account when someone kicks it off manually. @@ -70,7 +70,7 @@ jobs: | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ env.GITHUB_REF }} fetch-depth: 0 @@ -82,7 +82,7 @@ jobs: - name: AZ Login id: login - uses: azure/login@v1 + uses: azure/login@v2 with: # This is an org-level variable tenant-id: ${{ vars.ARM_TENANT_ID }} diff --git a/workflow-templates/im-deploy-iis-website.yml b/workflow-templates/im-deploy-iis-website.yml index 887a179b..464b6d12 100644 --- a/workflow-templates/im-deploy-iis-website.yml +++ b/workflow-templates/im-deploy-iis-website.yml @@ -1,4 +1,4 @@ -# Workflow Code: FuzzyDragon_v46 DO NOT REMOVE +# Workflow Code: FuzzyDragon_v47 DO NOT REMOVE # Purpose: # Gathers various stakeholder and attestor approvals, downloads artifacts from a release # with the specified tags, makes changes to any configuration files for the specified environments, @@ -258,7 +258,7 @@ jobs: - name: Open a PagerDuty Maintenance Window id: open-window - uses: im-open/open-pagerduty-maintenance-window@v1.2 + uses: im-open/open-pagerduty-maintenance-window@v1.3 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an env-level secret description: '${{ env.PAGERDUTY_WINDOW_DESC }}' @@ -379,7 +379,7 @@ jobs: - name: Close the PagerDuty Maintenance Window if: always() && steps.open-window.outcome == 'success' - uses: im-open/close-pagerduty-maintenance-window@v1.1 + uses: im-open/close-pagerduty-maintenance-window@v1.2 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} 
diff --git a/workflow-templates/im-deploy-multiple-items-at-once.yml b/workflow-templates/im-deploy-multiple-items-at-once.yml index 59cfc833..2569744c 100644 --- a/workflow-templates/im-deploy-multiple-items-at-once.yml +++ b/workflow-templates/im-deploy-multiple-items-at-once.yml 
@@ -1,118 +1,118 @@ -# Workflow Code: MercifulLlama_v16 DO NOT REMOVE -# Purpose: -# This is only required when teams have separate deployable artifacts (db/mfe/api/etc.) -# but they need each item to be deployed together. -# -# This workflow coordinates setting up environment variables, getting various stakeholder -# and attestor approvals, ensuring the tag is valid for prod deployments and then initiates -# individual deployments via repository_dispatch events. -# -# Note: -# This workflow is intended to be used with repos that have multiple deployable artifacts which are deployed together. It is not -# intended for repos that have a single deployable or repos with multiple deployable artifacts that are deployed independently. -# This workflow initiates multiple deployments but each deployable item should have their own streamlined deployment workflow set up. -# The streamlined deployment uses the normal workflow (app service/function, database, windows service, iis site, etc) but has -# instructions above the repository_dispatch trigger around the changes that need to be made. -# -# Frequency: -# - This workflow can be duplicated. A new workflow should be setup -# for each distinct group of items that needs to be deployed together. -# -# Projects to use this Template with: -# - Any project that needs to be deployed at the same time as others - -name: Deploy Multiple Items -run-name: Deploy ${{ inputs.tag }} to ${{ inputs.environment }} -on: - workflow_dispatch: - inputs: - tag: - description: The tag for the release that will be deployed. For Production, only tags reachable by the default branch will be accepted. 
- required: true - environment: - description: The environment to deploy to - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - -env: - ENVIRONMENT: ${{ inputs.environment }} - RELEASE_TAG: ${{ inputs.tag }} # This is the tag that we'll be deploying - -jobs: - # This job utilizes a reusable workflow which will: - # 1 - Verify the tag provided is a valid ref. - # 2 - If deploying to a production environment, verify the tag is reachable from the default branch - # and that the corresponding release is production ready (not pre-release or a draft). - setup-deployment-workflow: - uses: im-practices/.github/.github/workflows/im-reusable-setup-deployment-workflow.yml@v2 - with: - ref-to-deploy: ${{ inputs.tag }} - deployment-environment: ${{ inputs.environment }} - # production-environments: 'prod,prod-secondary' # TODO: Adjust and include the production-environments if necessary (some apps may need to add stage/stage-secondary to this list) - # default-branch: main # TODO: Update and include this arg if the default branch is not main - # workflow-summary : | # TODO: If desired, the workflow summary that is generated can be overridden by providing this custom value. - - # Each env has their own stakeholder approval environment. If no required reviewers are set for - # that environment, the workflow will continue without requiring anyone to approve the deployment. - stakeholder-approval: - needs: [setup-deployment-workflow] - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - environment: '${{ github.event.inputs.environment }} Stakeholder Approval' # Use inputs context because env context is not available to environment: - steps: - - run: | - echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." 
- echo "Stakeholder approval was received or no required reviewers were set for this environment." - - # Each env has their own attestor approval environment (meant for QA Attestations). If no required reviewers are set for - # that environment, the workflow will continue without requiring anyone to approve the deployment. - attestor-approval: - needs: [setup-deployment-workflow] - runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners - environment: '${{ github.event.inputs.environment }} Attestor Approval' # Use inputs context because env context is not available to environment: - steps: - - run: | - echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." - echo "Attestor approval was received or no required reviewers were set for this environment." - - initiate-deployments: - needs: [stakeholder-approval, attestor-approval] - runs-on: [self-hosted, im-linux] - - steps: - - run: echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." - - # The 'start deployment' blocks below will initiate the deployment of a single item by creating a repository dispatch event that tells GitHub to - # kick off a particular workflow. Each deployable item that will be started this way should have a streamlined copy of the appropriate workflow - # (app service/function, database, windows service, iis site, etc). The streamlined copy has a repository_dispatch event of a certain type that - # should match what is specified here. The streamlined workflow also won't have any of the tag verification/approvals/etc. - # - # Something to keep in mind is Actions doesn't wait for the streamlined workflow to finish, it will move on as soon as GitHub indicates the - # request has been received. 
If your use case is to have one streamlined deployment completely finish before starting the next one, the - # 'start deployment' block below should be copied to the bottom of the workflow that acts as a gate to the next deployment workflow. - - # TODO: Add a 'start deployment' block for each item that needs to be deployed. This is a 'fire and forget' method - - name: Start Deployment for # TODO: Add the name of the deployable - uses: actions/github-script@v6 - with: - github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org-level secret #TODO: make sure im-pipeline-bot has at least write access to your repo - script: | - github.rest.repos.createDispatchEvent({ - owner: context.repo.owner, - repo: context.repo.repo, - event_type: "", // TODO: Get the type from the streamlined workflow that will be kicked off. This is listed in the types:[] under the repository_dispatch trigger. - client_payload: { - environment: "${{ env.ENVIRONMENT }}", - tag: "${{ env.RELEASE_TAG }}" - } - }); - - # TODO: If you need one deployment to wait for one to finish before it begins, consider - # using reusable workflows rather than the repository_dispatch event above - # https://docs.github.com/en/actions/learn-github-actions/reusing-workflows +# Workflow Code: MercifulLlama_v17 DO NOT REMOVE +# Purpose: +# This is only required when teams have separate deployable artifacts (db/mfe/api/etc.) +# but they need each item to be deployed together. +# +# This workflow coordinates setting up environment variables, getting various stakeholder +# and attestor approvals, ensuring the tag is valid for prod deployments and then initiates +# individual deployments via repository_dispatch events. +# +# Note: +# This workflow is intended to be used with repos that have multiple deployable artifacts which are deployed together. It is not +# intended for repos that have a single deployable or repos with multiple deployable artifacts that are deployed independently. 
+# This workflow initiates multiple deployments but each deployable item should have their own streamlined deployment workflow set up. +# The streamlined deployment uses the normal workflow (app service/function, database, windows service, iis site, etc) but has +# instructions above the repository_dispatch trigger around the changes that need to be made. +# +# Frequency: +# - This workflow can be duplicated. A new workflow should be setup +# for each distinct group of items that needs to be deployed together. +# +# Projects to use this Template with: +# - Any project that needs to be deployed at the same time as others + +name: Deploy Multiple Items +run-name: Deploy ${{ inputs.tag }} to ${{ inputs.environment }} +on: + workflow_dispatch: + inputs: + tag: + description: The tag for the release that will be deployed. For Production, only tags reachable by the default branch will be accepted. + required: true + environment: + description: The environment to deploy to + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + +env: + ENVIRONMENT: ${{ inputs.environment }} + RELEASE_TAG: ${{ inputs.tag }} # This is the tag that we'll be deploying + +jobs: + # This job utilizes a reusable workflow which will: + # 1 - Verify the tag provided is a valid ref. + # 2 - If deploying to a production environment, verify the tag is reachable from the default branch + # and that the corresponding release is production ready (not pre-release or a draft). 
+ setup-deployment-workflow: + uses: im-practices/.github/.github/workflows/im-reusable-setup-deployment-workflow.yml@v2 + with: + ref-to-deploy: ${{ inputs.tag }} + deployment-environment: ${{ inputs.environment }} + # production-environments: 'prod,prod-secondary' # TODO: Adjust and include the production-environments if necessary (some apps may need to add stage/stage-secondary to this list) + # default-branch: main # TODO: Update and include this arg if the default branch is not main + # workflow-summary : | # TODO: If desired, the workflow summary that is generated can be overridden by providing this custom value. + + # Each env has their own stakeholder approval environment. If no required reviewers are set for + # that environment, the workflow will continue without requiring anyone to approve the deployment. + stakeholder-approval: + needs: [setup-deployment-workflow] + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + environment: '${{ github.event.inputs.environment }} Stakeholder Approval' # Use inputs context because env context is not available to environment: + steps: + - run: | + echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." + echo "Stakeholder approval was received or no required reviewers were set for this environment." + + # Each env has their own attestor approval environment (meant for QA Attestations). If no required reviewers are set for + # that environment, the workflow will continue without requiring anyone to approve the deployment. 
+ attestor-approval: + needs: [setup-deployment-workflow] + runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners + environment: '${{ github.event.inputs.environment }} Attestor Approval' # Use inputs context because env context is not available to environment: + steps: + - run: | + echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." + echo "Attestor approval was received or no required reviewers were set for this environment." + + initiate-deployments: + needs: [stakeholder-approval, attestor-approval] + runs-on: [self-hosted, im-linux] + + steps: + - run: echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." + + # The 'start deployment' blocks below will initiate the deployment of a single item by creating a repository dispatch event that tells GitHub to + # kick off a particular workflow. Each deployable item that will be started this way should have a streamlined copy of the appropriate workflow + # (app service/function, database, windows service, iis site, etc). The streamlined copy has a repository_dispatch event of a certain type that + # should match what is specified here. The streamlined workflow also won't have any of the tag verification/approvals/etc. + # + # Something to keep in mind is Actions doesn't wait for the streamlined workflow to finish, it will move on as soon as GitHub indicates the + # request has been received. If your use case is to have one streamlined deployment completely finish before starting the next one, the + # 'start deployment' block below should be copied to the bottom of the workflow that acts as a gate to the next deployment workflow. + + # TODO: Add a 'start deployment' block for each item that needs to be deployed. 
This is a 'fire and forget' method + - name: Start Deployment for # TODO: Add the name of the deployable + uses: actions/github-script@v7 + with: + github-token: ${{ secrets.PIPELINE_BOT_PAT }} # This is an org-level secret #TODO: make sure im-pipeline-bot has at least write access to your repo + script: | + github.rest.repos.createDispatchEvent({ + owner: context.repo.owner, + repo: context.repo.repo, + event_type: "", // TODO: Get the type from the streamlined workflow that will be kicked off. This is listed in the types:[] under the repository_dispatch trigger. + client_payload: { + environment: "${{ env.ENVIRONMENT }}", + tag: "${{ env.RELEASE_TAG }}" + } + }); + + # TODO: If you need one deployment to wait for one to finish before it begins, consider + # using reusable workflows rather than the repository_dispatch event above + # https://docs.github.com/en/actions/learn-github-actions/reusing-workflows diff --git a/workflow-templates/im-deploy-on-prem-database.yml b/workflow-templates/im-deploy-on-prem-database.yml index 6a862fc4..d17057ad 100644 --- a/workflow-templates/im-deploy-on-prem-database.yml +++ b/workflow-templates/im-deploy-on-prem-database.yml @@ -1,4 +1,4 @@ -# Workflow Code: AmazedPiglet_v34 DO NOT REMOVE +# Workflow Code: AmazedPiglet_v35 DO NOT REMOVE # Purpose: # Gathers the required approvals from stakeholders and attestors, ensures tags # are valid for production deployments and runs the migrations against an on-prem @@ -125,7 +125,7 @@ jobs: - run: echo "The current environment is ${{ env.ENVIRONMENT }}. The Tag is ${{ env.RELEASE_TAG }}." - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ env.RELEASE_TAG }} @@ -154,7 +154,7 @@ jobs: - name: AZ Login id: login - uses: azure/login@v1 + uses: azure/login@v2 with: # This is an org-level variable tenant-id: ${{ vars.ARM_TENANT_ID }} 
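Review bot: In the `Start Deployment` step, `environment: "${{ env.ENVIRONMENT }}"` and `tag: "${{ env.RELEASE_TAG }}"` expand the `workflow_dispatch` `tag` input directly into the JavaScript source of the github-script step, which runs with `PIPELINE_BOT_PAT`; `tag` is free text (no `type: choice`), so a value containing a double quote changes the script rather than the payload. Both values are already workflow-level `env:` entries, so the script can read them without expression expansion: `environment: process.env.ENVIRONMENT,` and `tag: process.env.RELEASE_TAG`. The reusable `setup-deployment-workflow` job is described as verifying the tag is a valid ref, which presumably narrows the accepted values, but reading from `process.env` removes the dependency on that check. Separately, `actions/github-script@v7` and the other `uses:` references this commit bumps (for example `hashicorp/vault-action@v2.5.0` to `@v3` in im-deploy-on-prem-database.yml) are mutable tags; pinning to a full commit SHA with the tag in a trailing comment keeps these upgrades auditable. This hunk covers the whole file.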
@@ -174,7 +174,7 @@ jobs: - name: Import Secrets id: vault-secrets - uses: hashicorp/vault-action@v2.5.0 + uses: hashicorp/vault-action@v3 with: url: '${{ env.VAULT_URL }}' token: '${{ steps.vault_token.outputs.client_token }}' diff --git a/workflow-templates/im-deploy-techdocs-site.yml b/workflow-templates/im-deploy-techdocs-site.yml index 06715bf4..461e052e 100644 --- a/workflow-templates/im-deploy-techdocs-site.yml +++ b/workflow-templates/im-deploy-techdocs-site.yml 
@@ -1,93 +1,93 @@ -# Workflow Code: SparklyToad_v2 DO NOT REMOVE -# Purpose: -# Publishes a techdocs site to the storage account where TechHub -# looks for TechDocs. -# -# Frequency: -# - This workflow can be used once per TechDocs site or can be combined -# to publish multiple docs at once -# -# Projects to use this Template with: -# - Any project with TechDocs - -name: Publish TechDocs Site - -# TODO: Select the appropriate triggers for when TechDocs should be published -on: - # push: - # workflow_dispatch: - # pull_request: - # types: [closed] - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -jobs: - publish-techdocs-site: - runs-on: [self-hosted, im-techdocs] - - # TODO: Uncomment if you need this, otherwise remove it - # services: - # kroki: - # image: yuzutech/kroki - # ports: - # - 8000:8000 - - environment: dev - - env: - # These items will remain the same for all workflows - ACCOUNT_NAME: bdaimpna26techhubsa - CONTAINER_NAME: techdocs - - # This is project dependent. - # TODO: Replace kind and entity name based on the entity this techdocs site will belong to. - # The name can be found in catalog-info.yaml. - ENTITY_NAME: 'default//' - - steps: - - name: Checkout code - uses: actions/checkout@v3 - - # All SPs that are owners of their rgrp's have access to publish to bdaimpna26techhubsa. - # Use the credentials for your SP to login and publish to the storage account. - - name: AZ Login - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} # TODO: Verify this secret is set - # TODO: If the repo you are publishing from has federated access to the techdocs RGRP, you can use the secretless - # pattern below for accessing the rgrp, otherwise, you need to provide azure credentials for publishing the docs. 
- # # This is an org-level variable - # tenant-id: ${{ vars.ARM_TENANT_ID }} - # # These are env-level variables - # subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - # client-id: ${{ vars.ARM_CLIENT_ID }} - - - # The im-techdocs runner used in this workflow contains the TechDocs CLI & several plugins, see the installed items here: - # https://github.com/im-practices/coldstone-configs/blob/main/configs/im-techdocs.cold.json - # If additional plugins are needed, follow the same format as below or submit to modify the im-techdocs runner. - # - name: Install additional mkdocs plugins - # run: python -m pip install mkdocs-newsletter==1.* - - - name: Generate & Publish TechDocs Site - working-directory: '' # TODO: specify the working directory where the mkdocs.yaml file is located - run: | - techdocs-cli generate --no-docker --verbose - techdocs-cli publish --publisher-type azureBlobStorage --azureAccountName ${{ env.ACCOUNT_NAME }} --storage-name ${{ env.CONTAINER_NAME }} --entity ${{ env.ENTITY_NAME }} - - # TODO: To publish additional sites: - # 1 - Duplicate the 'Generate & Publish TechDocs Site' step - # 2 - Give each step a more specific name - # 3 - Update the working directory to the location of the additional site - # 4 - Update the --entity argument with the name of the additional site - - - name: Azure logout - if: always() - run: | - az logout - az cache purge - az account clear +# Workflow Code: SparklyToad_v3 DO NOT REMOVE +# Purpose: +# Publishes a techdocs site to the storage account where TechHub +# looks for TechDocs. 
+# +# Frequency: +# - This workflow can be used once per TechDocs site or can be combined +# to publish multiple docs at once +# +# Projects to use this Template with: +# - Any project with TechDocs + +name: Publish TechDocs Site + +# TODO: Select the appropriate triggers for when TechDocs should be published +on: + # push: + # workflow_dispatch: + # pull_request: + # types: [closed] + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +jobs: + publish-techdocs-site: + runs-on: [self-hosted, im-techdocs] + + # TODO: Uncomment if you need this, otherwise remove it + # services: + # kroki: + # image: yuzutech/kroki + # ports: + # - 8000:8000 + + environment: dev + + env: + # These items will remain the same for all workflows + ACCOUNT_NAME: bdaimpna26techhubsa + CONTAINER_NAME: techdocs + + # This is project dependent. + # TODO: Replace kind and entity name based on the entity this techdocs site will belong to. + # The name can be found in catalog-info.yaml. + ENTITY_NAME: 'default//' + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # All SPs that are owners of their rgrp's have access to publish to bdaimpna26techhubsa. + # Use the credentials for your SP to login and publish to the storage account. + - name: AZ Login + uses: azure/login@v2 + with: + creds: ${{ secrets.AZURE_CREDENTIALS }} # TODO: Verify this secret is set + # TODO: If the repo you are publishing from has federated access to the techdocs RGRP, you can use the secretless + # pattern below for accessing the rgrp, otherwise, you need to provide azure credentials for publishing the docs. 
+ # # This is an org-level variable + # tenant-id: ${{ vars.ARM_TENANT_ID }} + # # These are env-level variables + # subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + # client-id: ${{ vars.ARM_CLIENT_ID }} + + + # The im-techdocs runner used in this workflow contains the TechDocs CLI & several plugins, see the installed items here: + # https://github.com/im-practices/coldstone-configs/blob/main/configs/im-techdocs.cold.json + # If additional plugins are needed, follow the same format as below or submit to modify the im-techdocs runner. + # - name: Install additional mkdocs plugins + # run: python -m pip install mkdocs-newsletter==1.* + + - name: Generate & Publish TechDocs Site + working-directory: '' # TODO: specify the working directory where the mkdocs.yaml file is located + run: | + techdocs-cli generate --no-docker --verbose + techdocs-cli publish --publisher-type azureBlobStorage --azureAccountName ${{ env.ACCOUNT_NAME }} --storage-name ${{ env.CONTAINER_NAME }} --entity ${{ env.ENTITY_NAME }} + + # TODO: To publish additional sites: + # 1 - Duplicate the 'Generate & Publish TechDocs Site' step + # 2 - Give each step a more specific name + # 3 - Update the working directory to the location of the additional site + # 4 - Update the --entity argument with the name of the additional site + + - name: Azure logout + if: always() + run: | + az logout + az cache purge + az account clear \ No newline at end of file diff --git a/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml b/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml index b80700d9..b94dee21 100644 --- a/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml +++ b/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml 
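Review bot: The active `AZ Login` step still authenticates with `creds: ${{ secrets.AZURE_CREDENTIALS }}`, a long-lived service-principal secret, while the workflow grants `id-token: write` for a secretless login that only exists as commented-out lines; either switch the template to the `tenant-id`/`subscription-id`/`client-id` inputs and drop `creds`, or drop `id-token: write` until it is used, so the granted permission matches the login path. The `Azure logout` step runs under `if: always()` even when login failed, and the login step has no `id`, so it cannot be guarded the way the swap-slots template does — add `id: login` to the login step and use `if: always() && steps.login.outcome == 'success'` on logout. The rewritten file also ends without a trailing newline (`\ No newline at end of file`), which yamllint flags. This hunk covers the whole file.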
@@ -1,4 +1,4 @@ -# Workflow Code: IrritableEagle_v35 DO NOT REMOVE +# Workflow Code: IrritableEagle_v36 DO NOT REMOVE # Purpose: # Automatically runs a terraform apply -auto-approve with the changes # in the PR against the dev environment when a PR is merged to main. @@ -70,7 +70,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 # Allows pulling modules from the repo instead of artifactory - name: Setup SSH Keys and known_hosts @@ -84,7 +84,7 @@ jobs: Install-Module -Name SqlServer -Force - name: AZ Login - uses: azure/login@v1 + uses: azure/login@v2 with: tenant-id: ${{ vars.ARM_TENANT_ID }} subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} @@ -92,7 +92,7 @@ jobs: - name: Setup Terraform id: setup - uses: hashicorp/setup-terraform@v2.0.3 + uses: hashicorp/setup-terraform@v3 with: terraform_version: '${{ env.TF_VERSION }}' @@ -102,7 +102,7 @@ jobs: - name: Open a PagerDuty Maintenance Window id: open-window - uses: im-open/open-pagerduty-maintenance-window@v1.2 + uses: im-open/open-pagerduty-maintenance-window@v1.3 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret description: '${{ env.PAGERDUTY_WINDOW_DESC }}' @@ -119,7 +119,7 @@ jobs: -var="pagerduty_token=${{ secrets.PAGERDUTY_API_KEY }}" - name: Close the PagerDuty Maintenance Window - uses: im-open/close-pagerduty-maintenance-window@v1.1 + uses: im-open/close-pagerduty-maintenance-window@v1.2 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} @@ -127,7 +127,7 @@ jobs: # TODO: Remove this step if you do not want a teams notification - name: Send Status to Teams if: always() - uses: im-open/post-status-to-teams-action@v1.3 + uses: im-open/post-status-to-teams-action@v1.4 with: title: Auto-Deploying Terraform to Dev # TODO: Replace with your project workflow-status: ${{ job.status }} 
diff --git a/workflow-templates/im-deploy-tf-manual-apply.yml b/workflow-templates/im-deploy-tf-manual-apply.yml index bab638f6..47a36283 100644 --- a/workflow-templates/im-deploy-tf-manual-apply.yml +++ b/workflow-templates/im-deploy-tf-manual-apply.yml @@ -1,4 +1,4 @@ -# Workflow Code: InsaneHamster_v47 DO NOT REMOVE +# Workflow Code: InsaneHamster_v48 DO NOT REMOVE # Purpose: # Deploys the terraform from a specified root module at a # specified when someone kicks off the workflow manually. @@ -177,7 +177,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ env.GITHUB_REF }} @@ -189,7 +189,7 @@ jobs: - name: Open a PagerDuty Maintenance Window id: open-window - uses: im-open/open-pagerduty-maintenance-window@v1.2 + uses: im-open/open-pagerduty-maintenance-window@v1.3 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret description: '${{ env.DEPLOYMENT_DESC }}' @@ -198,7 +198,7 @@ jobs: #service-ids: '' # TODO: Provide a comma separated list if there are multiple ids. 'PD01,PD02,PD03' - name: AZ Login - uses: azure/login@v1 + uses: azure/login@v2 with: # This is an org-level variable tenant-id: ${{ vars.ARM_TENANT_ID }} @@ -208,7 +208,7 @@ jobs: - name: Setup Terraform id: setup - uses: hashicorp/setup-terraform@v2.0.3 + uses: hashicorp/setup-terraform@v3 with: terraform_version: '${{ env.TF_VERSION }}' @@ -300,7 +300,7 @@ jobs: steps: - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ env.GITHUB_REF }} @@ -316,7 +316,7 @@ jobs: Install-Module -Name SqlServer -Force - name: AZ Login - uses: azure/login@v1 + uses: azure/login@v2 with: tenant-id: ${{ vars.ARM_TENANT_ID }} subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} @@ -324,7 +324,7 @@ jobs: - name: Setup Terraform id: setup - uses: hashicorp/setup-terraform@v2.0.3 + uses: hashicorp/setup-terraform@v3 with: terraform_version: '${{ env.TF_VERSION }}' 
@@ -400,7 +400,7 @@ jobs: az account clear - name: Close the PagerDuty Maintenance Window - uses: im-open/close-pagerduty-maintenance-window@v1.1 + uses: im-open/close-pagerduty-maintenance-window@v1.2 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret maintenance-window-id: ${{ needs.tf-plan.outputs.maintenance_window_id }} diff --git a/workflow-templates/im-deploy-windows-service.yml b/workflow-templates/im-deploy-windows-service.yml index f8b1379a..73f87a7b 100644 --- a/workflow-templates/im-deploy-windows-service.yml +++ b/workflow-templates/im-deploy-windows-service.yml @@ -1,4 +1,4 @@ -# Workflow Code: MaterialVolcano_v40 DO NOT REMOVE +# Workflow Code: MaterialVolcano_v41 DO NOT REMOVE # Purpose: # Gathers various stakeholder and attestor approvals, downloads artifacts from a release with the # specified tags, makes changes to any configuration files for the specified environments, stops @@ -222,7 +222,7 @@ jobs: - name: Open a PagerDuty Maintenance Window id: open-window - uses: im-open/open-pagerduty-maintenance-window@v1.2 + uses: im-open/open-pagerduty-maintenance-window@v1.3 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an env-level secret description: '${{ env.PAGERDUTY_WINDOW_DESC }}' @@ -343,7 +343,7 @@ jobs: - name: Close the PagerDuty Maintenance Window if: always() && steps.open-window.outcome == 'success' - uses: im-open/close-pagerduty-maintenance-window@v1.1 + uses: im-open/close-pagerduty-maintenance-window@v1.2 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} diff --git a/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml b/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml index 9cbb49c1..e273942a 100644 --- a/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml +++ b/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml 
@@ -1,100 +1,100 @@ -# Workflow Code: CockySquirrel_v15 DO NOT REMOVE -# Purpose: -# Adds or updates an azure KeyVault secret in the specified -# environment when someone kicks it off manually. -# -# Frequency: -# - This workflow can be duplicated for each keyvault this repository contains -# -# Projects to use this Template with: -# - Terraform (Optional Template) -# - Azure App Service or Function (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Runbook - Add or update azure keyvault secret # TODO: You may wish to add the name of the key vault to this name and the file name if there are multiple key vaults this repository can add secrets to -run-name: Add or Update ${{ inputs.secret_name }} in ${{ inputs.environment }} -on: - workflow_dispatch: - inputs: - secret_name: - description: The name of the secret to add, azure requires it conform to the following pattern - ^[0-9a-zA-Z-]+$ - required: true - secret_value: - description: The value of the secret - required: true - environment: - description: The environment to add the secret to - required: true - default: prod - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -jobs: - set-secret: - runs-on: [self-hosted, im-linux] - - environment: ${{ github.event.inputs.environment }} - - steps: - - name: Mask the secret value - uses: actions/github-script@v6 - with: - script: | - core.info(`Masking the value for ${context.payload.inputs.secret_name} so it is not exposed.`); - core.setSecret(context.payload.inputs.secret_value); - - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ github.event.inputs.environment }}` | - | Secret Name | `${{ 
github.event.inputs.secret_name }}` |' >> $GITHUB_STEP_SUMMARY - - # For more information and best practices on the usage and options available - # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions - - name: Set Variables - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ github.event.inputs.environment }} - env: - # TODO: For the following keyvault name inputs, fill in the value if you have the environment and delete the environment if it does not exist - KEYVAULT_NAME@dev: '' - KEYVAULT_NAME@qa: '' - KEYVAULT_NAME@stage: '' - KEYVAULT_NAME@demo: '' - KEYVAULT_NAME@uat: '' - KEYVAULT_NAME@prod: '' - - - name: AZ Login - id: login - uses: azure/login@v1 - with: - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - - name: keyvault add or update secret - # ARM_SUBSCRIPTION_ID is an env-level variable - run: az keyvault secret set --name ${{ github.event.inputs.secret_name }} --vault-name ${{ env.KEYVAULT_NAME }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} --value "${{ github.event.inputs.secret_value }}" - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account clear +# Workflow Code: CockySquirrel_v16 DO NOT REMOVE +# Purpose: +# Adds or updates an azure KeyVault secret in the specified +# environment when someone kicks it off manually. +# +# Frequency: +# - This workflow can be duplicated for each keyvault this repository contains +# +# Projects to use this Template with: +# - Terraform (Optional Template) +# - Azure App Service or Function (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. 
+ +name: Runbook - Add or update azure keyvault secret # TODO: You may wish to add the name of the key vault to this name and the file name if there are multiple key vaults this repository can add secrets to +run-name: Add or Update ${{ inputs.secret_name }} in ${{ inputs.environment }} +on: + workflow_dispatch: + inputs: + secret_name: + description: The name of the secret to add, azure requires it conform to the following pattern - ^[0-9a-zA-Z-]+$ + required: true + secret_value: + description: The value of the secret + required: true + environment: + description: The environment to add the secret to + required: true + default: prod + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +jobs: + set-secret: + runs-on: [self-hosted, im-linux] + + environment: ${{ github.event.inputs.environment }} + + steps: + - name: Mask the secret value + uses: actions/github-script@v7 + with: + script: | + core.info(`Masking the value for ${context.payload.inputs.secret_name} so it is not exposed.`); + core.setSecret(context.payload.inputs.secret_value); + + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ github.event.inputs.environment }}` | + | Secret Name | `${{ github.event.inputs.secret_name }}` |' >> $GITHUB_STEP_SUMMARY + + # For more information and best practices on the usage and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ github.event.inputs.environment }} + env: + # TODO: For the following keyvault name inputs, fill in the value if you have the environment and delete the environment if it does not exist + KEYVAULT_NAME@dev: '' + KEYVAULT_NAME@qa: '' + 
KEYVAULT_NAME@stage: '' + KEYVAULT_NAME@demo: '' + KEYVAULT_NAME@uat: '' + KEYVAULT_NAME@prod: '' + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + - name: keyvault add or update secret + # ARM_SUBSCRIPTION_ID is an env-level variable + run: az keyvault secret set --name ${{ github.event.inputs.secret_name }} --vault-name ${{ env.KEYVAULT_NAME }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} --value "${{ github.event.inputs.secret_value }}" + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account clear diff --git a/workflow-templates/im-run-annotate-app-insights.yml b/workflow-templates/im-run-annotate-app-insights.yml index 3fce0236..d1e28203 100644 --- a/workflow-templates/im-run-annotate-app-insights.yml +++ b/workflow-templates/im-run-annotate-app-insights.yml 
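Review bot: The `keyvault add or update secret` step on the new side still interpolates `${{ github.event.inputs.secret_name }}` and `${{ github.event.inputs.secret_value }}` straight into the `run:` shell line, so a value containing `"`, `$(...)` or a backtick is evaluated by bash before `az` ever sees it; `core.setSecret` in the masking step hides the value in logs but does nothing about that. The conventional mitigation is to pass dispatch inputs through `env:` and reference them as quoted shell variables, as sketched below. The same pattern appears in the step-summary `echo $'…'` steps of the annotate-app-insights and delete-azure-blob hunks (free-text `eventName`/`customMetadata`, and the single-quoted `az storage blob delete` arguments, where a `'` in the input ends the quoting); the fix there is the same. Since this commit already touches every `uses:` line, it is also the natural moment to pin third-party actions to a full commit SHA with the tag kept in a trailing comment, so a moved tag cannot change what runs.

```yaml
      - name: keyvault add or update secret
        # ARM_SUBSCRIPTION_ID is an env-level variable
        env:
          SECRET_NAME: ${{ github.event.inputs.secret_name }}
          SECRET_VALUE: ${{ github.event.inputs.secret_value }}
        run: az keyvault secret set --name "$SECRET_NAME" --vault-name "$KEYVAULT_NAME" --subscription "${{ vars.ARM_SUBSCRIPTION_ID }}" --value "$SECRET_VALUE"
```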
@@ -1,117 +1,117 @@ -# Workflow Code: EmpatheticDolphin_v17 DO NOT REMOVE -# Purpose: -# Creates an ad hoc app insights annotation for a specified -# environment when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository assuming -# there is only one app insights instance set up per env -# -# Projects to use this Template with: -# - Azure App Service or Function (Optional Template) -# - Azure SQL Database (Optional Template) -# - Terraform (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Runbook - Annotate App Insights -run-name: Annotate ${{ inputs.eventName }} in ${{ inputs.environment }} App Insights -on: - workflow_dispatch: - inputs: - environment: - description: The environment the service is in - required: true - default: prod - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - category: - description: The category of the annotation - required: false - default: 'Deployment' - eventName: - description: The name of the release/tag that will be deployed or the event that will be annotated. If there are multiple deployables in the repo you should include the project it is for. - required: true - customMetadata: - description: 'The comma separated custom metadata pairs. 
Format: name1=value1,name2=value2' - required: false - default: '' - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - -jobs: - create-annotation: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Category | `${{ github.event.inputs.category }}` | - | EventName | `${{ github.event.inputs.eventName }}` | - | Custom Metadata | `${{ github.event.inputs.customMetadata }}`|' >> $GITHUB_STEP_SUMMARY - - # For more information and best practices on the usage and options available - # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions - - name: Set Variables - id: set-variables - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ github.event.inputs.environment }} - env: - # This variable is used to upload and download blobs from blob storage - RESOURCE_GROUP@dev: '' - RESOURCE_GROUP@qa: '' - RESOURCE_GROUP@stage: '' - RESOURCE_GROUP@demo: '' - RESOURCE_GROUP@uat: '' - RESOURCE_GROUP@prod: '' - # TODO: For the following app insights name inputs, fill in the value if you have the environment and delete the environment if it does not exist - APP_INSIGHTS_NAME@dev: '' - APP_INSIGHTS_NAME@qa: '' - APP_INSIGHTS_NAME@stage: '' - APP_INSIGHTS_NAME@demo: '' - APP_INSIGHTS_NAME@uat: '' - APP_INSIGHTS_NAME@prod: '' - - - name: AZ Login - id: login - uses: azure/login@v1 - with: - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - - name: annotate - uses: im-open/create-app-insights-annotation@v1.0 - with: - subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable - 
resourceGroupName: ${{ env.RESOURCE_GROUP }} - appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' - releaseName: ${{ github.event.inputs.eventName }} - category: ${{ github.event.inputs.category }} - customMetadata: ${{ github.event.inputs.customMetadata }} - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account clear +# Workflow Code: EmpatheticDolphin_v18 DO NOT REMOVE +# Purpose: +# Creates an ad hoc app insights annotation for a specified +# environment when someone kicks it off manually. +# +# Frequency: +# - This workflow should only be used once per repository assuming +# there is only one app insights instance set up per env +# +# Projects to use this Template with: +# - Azure App Service or Function (Optional Template) +# - Azure SQL Database (Optional Template) +# - Terraform (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Runbook - Annotate App Insights +run-name: Annotate ${{ inputs.eventName }} in ${{ inputs.environment }} App Insights +on: + workflow_dispatch: + inputs: + environment: + description: The environment the service is in + required: true + default: prod + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + category: + description: The category of the annotation + required: false + default: 'Deployment' + eventName: + description: The name of the release/tag that will be deployed or the event that will be annotated. If there are multiple deployables in the repo you should include the project it is for. + required: true + customMetadata: + description: 'The comma separated custom metadata pairs. 
Format: name1=value1,name2=value2' + required: false + default: '' + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + +jobs: + create-annotation: + runs-on: [self-hosted, im-linux] + environment: ${{ github.event.inputs.environment }} + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Category | `${{ github.event.inputs.category }}` | + | EventName | `${{ github.event.inputs.eventName }}` | + | Custom Metadata | `${{ github.event.inputs.customMetadata }}`|' >> $GITHUB_STEP_SUMMARY + + # For more information and best practices on the usage and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + id: set-variables + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ github.event.inputs.environment }} + env: + # This variable is used to upload and download blobs from blob storage + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + # TODO: For the following app insights name inputs, fill in the value if you have the environment and delete the environment if it does not exist + APP_INSIGHTS_NAME@dev: '' + APP_INSIGHTS_NAME@qa: '' + APP_INSIGHTS_NAME@stage: '' + APP_INSIGHTS_NAME@demo: '' + APP_INSIGHTS_NAME@uat: '' + APP_INSIGHTS_NAME@prod: '' + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + - name: annotate + uses: im-open/create-app-insights-annotation@v1.0 + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + 
resourceGroupName: ${{ env.RESOURCE_GROUP }} + appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' + releaseName: ${{ github.event.inputs.eventName }} + category: ${{ github.event.inputs.category }} + customMetadata: ${{ github.event.inputs.customMetadata }} + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account clear diff --git a/workflow-templates/im-run-delete-azure-blob.yml b/workflow-templates/im-run-delete-azure-blob.yml index 5210279a..30c1a9c2 100644 --- a/workflow-templates/im-run-delete-azure-blob.yml +++ b/workflow-templates/im-run-delete-azure-blob.yml 
@@ -1,92 +1,92 @@ -# Workflow Code: ScornfulFlamingo_v6 DO NOT REMOVE -# Purpose: -# Deletes a blob from a specified Azure Storage Account when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Storage Account Deployments (Core Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. -# - The SP used in this workflow needs an additional permission (StorageBlob Data Contributor) so it can delete blobs -# https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal - -name: Delete Azure Blob -run-name: Delete ${{ inputs.environment }} blob ${{ inputs.blob-name }} -# TODO: Evaluate the appropriate triggers -on: - workflow_dispatch: - inputs: - storage-account-name: - description: The name of the storage account where the blob to delete lives - required: true - container-name: - description: The name of the storage account container where the blob to delete lives - required: true - blob-name: - description: The name of the blob to delete - required: true - environment: - description: The environment to delete the blob from - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -jobs: - delete-blob: - runs-on: [self-hosted, im-linux] - - environment: ${{ github.event.inputs.environment }} - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ github.event.inputs.environment }}` | - | Storage Acct | `${{ github.event.inputs.storage-account-name }}` | - | Container | `${{ github.event.inputs.container-name }}` | - | Blob Name | `${{ github.event.inputs.blob-name }}` |' >> 
$GITHUB_STEP_SUMMARY - - - name: AZ Login - id: login - uses: azure/login@v1 - with: - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - # This call uses RBAC (--auth-mode login) to delete files from the azure storage account. - # No other key or connection string is needed. In order to delete files from a stg account - # the SP that authenticates in the step above needs an additional permission (Storage - # Blob Data Contributor). Without that permission, this call will not succeed. - # https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal - - name: Delete Blob - run: | - az storage blob delete \ - --auth-mode login \ - --account-name '${{ github.event.inputs.storage-account-name }}' \ - --container-name '${{ github.event.inputs.container-name }}' \ - --name '${{ github.event.inputs.blob-name }}' - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account clear +# Workflow Code: ScornfulFlamingo_v7 DO NOT REMOVE +# Purpose: +# Deletes a blob from a specified Azure Storage Account when someone kicks it off manually. +# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Storage Account Deployments (Core Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. 
+# - The SP used in this workflow needs an additional permission (StorageBlob Data Contributor) so it can delete blobs +# https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal + +name: Delete Azure Blob +run-name: Delete ${{ inputs.environment }} blob ${{ inputs.blob-name }} +# TODO: Evaluate the appropriate triggers +on: + workflow_dispatch: + inputs: + storage-account-name: + description: The name of the storage account where the blob to delete lives + required: true + container-name: + description: The name of the storage account container where the blob to delete lives + required: true + blob-name: + description: The name of the blob to delete + required: true + environment: + description: The environment to delete the blob from + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +jobs: + delete-blob: + runs-on: [self-hosted, im-linux] + + environment: ${{ github.event.inputs.environment }} + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ github.event.inputs.environment }}` | + | Storage Acct | `${{ github.event.inputs.storage-account-name }}` | + | Container | `${{ github.event.inputs.container-name }}` | + | Blob Name | `${{ github.event.inputs.blob-name }}` |' >> $GITHUB_STEP_SUMMARY + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + # This call uses RBAC (--auth-mode login) to delete files from the azure storage account. + # No other key or connection string is needed. 
In order to delete files from a stg account + # the SP that authenticates in the step above needs an additional permission (Storage + # Blob Data Contributor). Without that permission, this call will not succeed. + # https://docs.microsoft.com/en-us/azure/storage/blobs/assign-azure-role-data-access?tabs=portal + - name: Delete Blob + run: | + az storage blob delete \ + --auth-mode login \ + --account-name '${{ github.event.inputs.storage-account-name }}' \ + --container-name '${{ github.event.inputs.container-name }}' \ + --name '${{ github.event.inputs.blob-name }}' + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account clear diff --git a/workflow-templates/im-run-flyway-repair.yml b/workflow-templates/im-run-flyway-repair.yml index 3b255fe6..c0c196eb 100644 --- a/workflow-templates/im-run-flyway-repair.yml +++ b/workflow-templates/im-run-flyway-repair.yml 
@@ -1,173 +1,173 @@ -# Workflow Code: SpiritedGnat_v19 DO NOT REMOVE -# Purpose: -# Runs a flyway repair command against an Azure SQL or -# On-Prem Database when someone kicks it off manually. -# -# Frequency: -# - This workflow can be duplicated once per database in the repository. -# -# Projects to use this Template with: -# - Azure Sql Database (Optional Template) -# - On-Prem Database (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Runbook - Flyway Repair -run-name: Repair ${{ inputs.environment }} with ${{ inputs.branch-tag-sha }} -on: - workflow_dispatch: - inputs: - environment: - description: The environment the database is in - required: true - default: dev - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - branch-tag-sha: - description: The branch, tag or sha of the flyway scripts that should be repaired. 
- required: true - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - DB_SERVER_PORT: '1433' # TODO: Verify that this is correct - MIGRATIONS_HISTORY_TABLE: 'MigrationHistory' # TODO: Verify this table name - PATH_TO_MIGRATION_FILES: '' # TODO: Add the path to the migrations folder - VAULT_URL: 'https://vault.mktp.io:8200/' # TODO: Remove this if this workflow is run against an azure database - -jobs: - repair-database-migrations: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v3 - with: - ref: ${{ env.GITHUB_REF }} - - - name: Install Flyway - uses: im-open/setup-flyway@v1.1 - with: - version: 7.9.2 - - # TODO: Remove this step if this workflow is run against an on-prem database - # or if your database uses Azure Active Directory Authentication - - - name: AZ Login - id: login - uses: azure/login@v1 - with: - # TODO: If repairing an on prem database's migration history, the Service Principal these credentials are for needs to be given access to login to Vault. 
- # See this git-er-done article for more information: - # https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup - - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - # TODO: Use this for any variables that change per environment - - name: Set Database Vars - id: db-vars - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ env.ENVIRONMENT }} - create-output-variables: true - input-file: '' # TODO: if you have an input file with your variable substitutions, add them here - env: - DB_NAME@dev: '' - DB_NAME@qa: '' - DB_NAME@stage demo: '' - DB_NAME@prod: '' - DB_SERVER_NAME@dev: '' - DB_SERVER_NAME@qa: '' - DB_SERVER_NAME@stage demo: '' - DB_SERVER_NAME@prod: '' - # TODO: Remove this if this workflow is run against an on-prem database - AZURE_KEY_VAULT@dev: '' - AZURE_KEY_VAULT@qa: '' - AZURE_KEY_VAULT@stage demo: '' - AZURE_KEY_VAULT@prod: '' - - # TODO: Remove this step if this workflow is run against an on-prem database - # or if your database uses Azure Active Directory Authentication - # Get the Azure SQL Creds from Key Vault - - name: Get Azure SQL Credentials - run: | - sqlUser=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqluser" --query value) - sqlPassword=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqlpassword" --query value) - echo "::add-mask::$sqlPassword" - # trim quotes added by az keyvault command - sqlUser=$(sed -e 's/^"//' -e 's/"$//' <<<"$sqlUser") - sqlPassword=$(sed -e 's/^"//' -e 's/"$//' <<<"$sqlPassword") - echo "SQL_USER=$sqlUser" >> $GITHUB_ENV - echo "SQL_PASSWORD=$sqlPassword" >> $GITHUB_ENV - - # TODO: Uncomment this step if this workflow is run against an on-prem database - # - name: Get Vault Token - # id: vault_token - # 
uses: im-open/get-vault-token-for-azure-user@v1.1 - # with: - # # TODO: Add the Azure Auth Method Role that was setup in Vault and has access to your secrets. - # # See this git-er-done article for more information: - # # https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup - # vault-role: '' - # vault-url: '${{ env.VAULT_URL }}' - - # TODO: Uncomment this step if this workflow is run against an on-prem database - # - name: Import Secrets - # id: vault-secrets - # uses: hashicorp/vault-action@v2.3.1 - # with: - # url: '${{ env.VAULT_URL }}' - # token: '${{ steps.vault_token.outputs.client_token }}' - # # Warning! The formatting on the secrets parameter is intentional. The spaces, pipe, and semi-colon. Every secret, except the last one, needs a semi-colon at the end of the line. - # # See the action's documentation for more information: https://github.com/hashicorp/vault-action - # # TODO: Update (including the brackets) with your database Vault role name (see https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup). - # secrets: | - # database/static-creds/ username | SQL_USERNAME ; - # database/static-creds/ password | SQL_PASSWORD - - # TODO: If your database uses Azure Active Directory Authentication then you can login with a Service Principal - # instead of using the username and password of an account stored in Key Vault. - # See https://github.com/im-open/run-flyway-command for details. 
- - name: Flyway repair - uses: im-open/run-flyway-command@v1.5 - with: - flyway-command: 'repair' - db-server-name: ${{ steps.db-vars.outputs.DB_SERVER_NAME }} - db-server-port: ${{ env.DB_SERVER_PORT }} - db-name: ${{ steps.db-vars.outputs.DB_NAME }} - migration-history-table: ${{ env.MIGRATIONS_HISTORY_TABLE }} - migration-files-path: ${{ env.PATH_TO_MIGRATION_FILES }} - use-integrated-security: false - # These will be set by the step above this one, either by querying Azure Key Vault for Azure db's or Hashicorp Vault for on-prem db's - username: '${{ env.SQL_USER }}' - password: '${{ env.SQL_PASSWORD }}' - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account clear +# Workflow Code: SpiritedGnat_v20 DO NOT REMOVE +# Purpose: +# Runs a flyway repair command against an Azure SQL or +# On-Prem Database when someone kicks it off manually. +# +# Frequency: +# - This workflow can be duplicated once per database in the repository. +# +# Projects to use this Template with: +# - Azure Sql Database (Optional Template) +# - On-Prem Database (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Runbook - Flyway Repair +run-name: Repair ${{ inputs.environment }} with ${{ inputs.branch-tag-sha }} +on: + workflow_dispatch: + inputs: + environment: + description: The environment the database is in + required: true + default: dev + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + branch-tag-sha: + description: The branch, tag or sha of the flyway scripts that should be repaired. 
+ required: true + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} + DB_SERVER_PORT: '1433' # TODO: Verify that this is correct + MIGRATIONS_HISTORY_TABLE: 'MigrationHistory' # TODO: Verify this table name + PATH_TO_MIGRATION_FILES: '' # TODO: Add the path to the migrations folder + VAULT_URL: 'https://vault.mktp.io:8200/' # TODO: Remove this if this workflow is run against an azure database + +jobs: + repair-database-migrations: + runs-on: [self-hosted, im-linux] + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY + + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GITHUB_REF }} + + - name: Install Flyway + uses: im-open/setup-flyway@v1.1 + with: + version: 7.9.2 + + # TODO: Remove this step if this workflow is run against an on-prem database + # or if your database uses Azure Active Directory Authentication + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # TODO: If repairing an on prem database's migration history, the Service Principal these credentials are for needs to be given access to login to Vault. 
+ # See this git-er-done article for more information: + # https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup + + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + # TODO: Use this for any variables that change per environment + - name: Set Database Vars + id: db-vars + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ env.ENVIRONMENT }} + create-output-variables: true + input-file: '' # TODO: if you have an input file with your variable substitutions, add them here + env: + DB_NAME@dev: '' + DB_NAME@qa: '' + DB_NAME@stage demo: '' + DB_NAME@prod: '' + DB_SERVER_NAME@dev: '' + DB_SERVER_NAME@qa: '' + DB_SERVER_NAME@stage demo: '' + DB_SERVER_NAME@prod: '' + # TODO: Remove this if this workflow is run against an on-prem database + AZURE_KEY_VAULT@dev: '' + AZURE_KEY_VAULT@qa: '' + AZURE_KEY_VAULT@stage demo: '' + AZURE_KEY_VAULT@prod: '' + + # TODO: Remove this step if this workflow is run against an on-prem database + # or if your database uses Azure Active Directory Authentication + # Get the Azure SQL Creds from Key Vault + - name: Get Azure SQL Credentials + run: | + sqlUser=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqluser" --query value) + sqlPassword=$(az keyvault secret show --vault-name "${{ steps.db-vars.outputs.AZURE_KEY_VAULT }}" --name "sqlpassword" --query value) + echo "::add-mask::$sqlPassword" + # trim quotes added by az keyvault command + sqlUser=$(sed -e 's/^"//' -e 's/"$//' <<<"$sqlUser") + sqlPassword=$(sed -e 's/^"//' -e 's/"$//' <<<"$sqlPassword") + echo "SQL_USER=$sqlUser" >> $GITHUB_ENV + echo "SQL_PASSWORD=$sqlPassword" >> $GITHUB_ENV + + # TODO: Uncomment this step if this workflow is run against an on-prem database + # - name: Get Vault Token + # id: vault_token + # 
uses: im-open/get-vault-token-for-azure-user@v1.1 + # with: + # # TODO: Add the Azure Auth Method Role that was setup in Vault and has access to your secrets. + # # See this git-er-done article for more information: + # # https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup + # vault-role: '' + # vault-url: '${{ env.VAULT_URL }}' + + # TODO: Uncomment this step if this workflow is run against an on-prem database + # - name: Import Secrets + # id: vault-secrets + # uses: hashicorp/vault-action@v3 + # with: + # url: '${{ env.VAULT_URL }}' + # token: '${{ steps.vault_token.outputs.client_token }}' + # # Warning! The formatting on the secrets parameter is intentional. The spaces, pipe, and semi-colon. Every secret, except the last one, needs a semi-colon at the end of the line. + # # See the action's documentation for more information: https://github.com/hashicorp/vault-action + # # TODO: Update (including the brackets) with your database Vault role name (see https://github.com/im-practices/git-er-done/blob/main/actions/hashicorp-vault-integration.md#setup). + # secrets: | + # database/static-creds/ username | SQL_USERNAME ; + # database/static-creds/ password | SQL_PASSWORD + + # TODO: If your database uses Azure Active Directory Authentication then you can login with a Service Principal + # instead of using the username and password of an account stored in Key Vault. + # See https://github.com/im-open/run-flyway-command for details. 
+ - name: Flyway repair
+ uses: im-open/run-flyway-command@v1.5
+ with:
+ flyway-command: 'repair'
+ db-server-name: ${{ steps.db-vars.outputs.DB_SERVER_NAME }}
+ db-server-port: ${{ env.DB_SERVER_PORT }}
+ db-name: ${{ steps.db-vars.outputs.DB_NAME }}
+ migration-history-table: ${{ env.MIGRATIONS_HISTORY_TABLE }}
+ migration-files-path: ${{ env.PATH_TO_MIGRATION_FILES }}
+ use-integrated-security: false
+ # These will be set by the step above this one, either by querying Azure Key Vault for Azure db's or Hashicorp Vault for on-prem db's
+ username: '${{ env.SQL_USER }}'
+ password: '${{ env.SQL_PASSWORD }}'
+
+ - name: Azure logout
+ if: always() && steps.login.outcome == 'success'
+ run: |
+ az logout
+ az cache purge
+ az account clear
diff --git a/workflow-templates/im-run-start-stop-restart-azure-app.yml b/workflow-templates/im-run-start-stop-restart-azure-app.yml
index a9d85192..b6d31051 100644
--- a/workflow-templates/im-run-start-stop-restart-azure-app.yml
+++ b/workflow-templates/im-run-start-stop-restart-azure-app.yml
@@ -1,124 +1,124 @@ -# Workflow Code: NeedyPig_v16 DO NOT REMOVE -# Purpose: -# Performs a start, stop or restart on an app service in the -# specified environment when someone kicks it off manually. -# -# Frequency: -# - This workflow should be duplicated once per app service/function in the repo. -# -# Projects to use this Template with: -# - Azure App Service or Function (Optional Template) -# -# TODO: Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Runbook - Start, stop or restart Azure App -run-name: ${{ inputs.action }} Azure App in ${{ inputs.environment }} -#TODO: You may wish to add the name of the app service/function to the names above and the file name if there are multiple app services or functions within the repository - -on: - workflow_dispatch: - inputs: - action: - description: The action that should be taken. - required: true - default: restart - type: choice - options: - - start - - stop - - restart - environment: - description: The environment the app is in - required: true - default: prod - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - ACTION: ${{ github.event.inputs.action }} - -jobs: - start-stop-restart: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - - env: - AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function change the value to 'functionapp' - - steps: - - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}`| - | Action | `${{ env.ACTION }}` |' >> $GITHUB_STEP_SUMMARY - - # For more information and 
best practices on the usage and options available - # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions - - name: Set Variables - id: set-variables - uses: im-open/set-environment-variables-by-scope@v1.1 - with: - scope: ${{ env.ENVIRONMENT }} - env: - # TODO: For the following inputs, fill in the value if you have the environment or delete the environment if it does not exist - RESOURCE_GROUP@dev: '' - RESOURCE_GROUP@qa: '' - RESOURCE_GROUP@stage: '' - RESOURCE_GROUP@demo: '' - RESOURCE_GROUP@uat: '' - RESOURCE_GROUP@prod: '' - APP_NAME@dev: '' - APP_NAME@qa: '' - APP_NAME@stage: '' - APP_NAME@demo: '' - APP_NAME@uat: '' - APP_NAME@prod: '' - # TODO: If this workflow is restarting a slot update these values, otherwise delete this section. - # TODO: If the slot has the same name in all environments, delete this section and populate the env.SLOT_NAME in the job below with the single value - # SLOT_NAME@dev: '' - # SLOT_NAME@qa: '' - # SLOT_NAME@stage: '' - # SLOT_NAME@demo: '' - # SLOT_NAME@uat: '' - # SLOT_NAME@prod: '' - - - run: echo "'${{ env.ACTION }}' will be peformed on ${{ env.ENVIRONMENT }} ${{ env.APP_NAME }}" - - - name: AZ Login - id: login - uses: azure/login@v1 - with: - # This is an org-level variable - tenant-id: ${{ vars.ARM_TENANT_ID }} - # These are env-level variables - subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} - client-id: ${{ vars.ARM_CLIENT_ID }} - - # TODO: if you wish to perform any of the following actions on a slot, append the following to each of the commands: --slot ${{ env.SLOT_NAME }} - - # ARM_SUBSCRIPTION_ID is an env-level variable - - name: ${{ env.ACTION }} ${{ env.AZ_APP_TYPE }} - run: az ${{ env.AZ_APP_TYPE }} ${{ env.ACTION }} --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} - - - - name: Azure logout - if: always() && steps.login.outcome == 'success' - run: | - az logout - az cache purge - az account 
clear +# Workflow Code: NeedyPig_v17 DO NOT REMOVE +# Purpose: +# Performs a start, stop or restart on an app service in the +# specified environment when someone kicks it off manually. +# +# Frequency: +# - This workflow should be duplicated once per app service/function in the repo. +# +# Projects to use this Template with: +# - Azure App Service or Function (Optional Template) +# +# TODO: Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Runbook - Start, stop or restart Azure App +run-name: ${{ inputs.action }} Azure App in ${{ inputs.environment }} +#TODO: You may wish to add the name of the app service/function to the names above and the file name if there are multiple app services or functions within the repository + +on: + workflow_dispatch: + inputs: + action: + description: The action that should be taken. + required: true + default: restart + type: choice + options: + - start + - stop + - restart + environment: + description: The environment the app is in + required: true + default: prod + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + ACTION: ${{ github.event.inputs.action }} + +jobs: + start-stop-restart: + runs-on: [self-hosted, im-linux] + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + + env: + AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function change the value to 'functionapp' + + steps: + + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}`| + | Action | `${{ env.ACTION }}` |' >> $GITHUB_STEP_SUMMARY + + # For more information and best 
practices on the usage and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + id: set-variables + uses: im-open/set-environment-variables-by-scope@v1.1 + with: + scope: ${{ env.ENVIRONMENT }} + env: + # TODO: For the following inputs, fill in the value if you have the environment or delete the environment if it does not exist + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + APP_NAME@dev: '' + APP_NAME@qa: '' + APP_NAME@stage: '' + APP_NAME@demo: '' + APP_NAME@uat: '' + APP_NAME@prod: '' + # TODO: If this workflow is restarting a slot update these values, otherwise delete this section. + # TODO: If the slot has the same name in all environments, delete this section and populate the env.SLOT_NAME in the job below with the single value + # SLOT_NAME@dev: '' + # SLOT_NAME@qa: '' + # SLOT_NAME@stage: '' + # SLOT_NAME@demo: '' + # SLOT_NAME@uat: '' + # SLOT_NAME@prod: '' + + - run: echo "'${{ env.ACTION }}' will be peformed on ${{ env.ENVIRONMENT }} ${{ env.APP_NAME }}" + + - name: AZ Login + id: login + uses: azure/login@v2 + with: + # This is an org-level variable + tenant-id: ${{ vars.ARM_TENANT_ID }} + # These are env-level variables + subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} + client-id: ${{ vars.ARM_CLIENT_ID }} + + # TODO: if you wish to perform any of the following actions on a slot, append the following to each of the commands: --slot ${{ env.SLOT_NAME }} + + # ARM_SUBSCRIPTION_ID is an env-level variable + - name: ${{ env.ACTION }} ${{ env.AZ_APP_TYPE }} + run: az ${{ env.AZ_APP_TYPE }} ${{ env.ACTION }} --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} + + + - name: Azure logout + if: always() && steps.login.outcome == 'success' + run: | + az logout + az cache purge + az account 
clear
diff --git a/workflow-templates/im-run-tf-destroy.yml b/workflow-templates/im-run-tf-destroy.yml
index ebd89e4b..5da3121c 100644
--- a/workflow-templates/im-run-tf-destroy.yml
+++ b/workflow-templates/im-run-tf-destroy.yml
@@ -1,4 +1,4 @@
-# Workflow Code: HostileMacaw_v26 DO NOT REMOVE
+# Workflow Code: HostileMacaw_v27 DO NOT REMOVE
# Purpose:
# Destroys the resources created by a terraform configuration when someone kicks it off manually.
#
@@ -166,7 +166,7 @@ jobs:
steps:
- name: Checkout Repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
ref: ${{ env.GITHUB_REF }}
@@ -177,7 +177,7 @@ jobs:
deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }}
- name: AZ Login
- uses: azure/login@v1
+ uses: azure/login@v2
with:
# This is an org-level variable
tenant-id: ${{ vars.ARM_TENANT_ID }}
@@ -187,7 +187,7 @@ jobs:
- name: Setup Terraform
id: setup
- uses: hashicorp/setup-terraform@v2.0.3
+ uses: hashicorp/setup-terraform@v3
with:
terraform_version: '${{ env.TF_VERSION }}'
@@ -279,7 +279,7 @@ jobs:
steps:
- name: Checkout Repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
with:
ref: ${{ env.GITHUB_REF }}
@@ -290,7 +290,7 @@ jobs:
deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }}
- name: AZ Login
- uses: azure/login@v1
+ uses: azure/login@v2
with:
# This is an org-level variable
tenant-id: ${{ vars.ARM_TENANT_ID }}
@@ -300,7 +300,7 @@ jobs:
- name: Setup Terraform
id: setup
- uses: hashicorp/setup-terraform@v2.0.3
+ uses: hashicorp/setup-terraform@v3
with:
terraform_version: '${{ env.TF_VERSION }}'
diff --git a/workflow-templates/im-run-tf-import.yml b/workflow-templates/im-run-tf-import.yml
index ae539e73..bf76e6fa 100644
--- a/workflow-templates/im-run-tf-import.yml
+++ b/workflow-templates/im-run-tf-import.yml
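Review bot: The bumped `azure/login@v2` and `im-open/set-environment-variables-by-scope@v1.1` references are mutable tags, so this job — which carries `id-token: write` and exchanges the OIDC token for an Azure identity with rights to stop production apps — runs whatever those tags resolve to at dispatch time, not the code reviewed here. Since this commit is already a deliberate version bump, the stronger form is to pin each third-party action to the full commit SHA of the release and keep the tag in a trailing comment, e.g. `uses: azure/login@<full-commit-sha> # v2`, which Dependabot/Renovate can still track. Separately, the echo step's `peformed` is a typo for `performed` and shows up in every run log.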
@@ -1,107 +1,107 @@ -# Workflow Code: DrearyBuck_v20 DO NOT REMOVE - -# Purpose: -# Imports a specified resource into the terraform state when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Terraform (Optional Template) -# -# TODO Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Import Terraform State -run-name: Import ${{ inputs.environment }} ${{ inputs.tf-resource-address }} -on: - workflow_dispatch: - inputs: - environment: - description: The environment the import should be done in. - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - branch-tag-sha: - description: The branch, tag or sha of the terraform that has the configuration for the resource(s) to import. - required: true - tf-resource-address: - description: The address of the resource to import. E.g. module.common.azurerm_mssql_server.server - required: true - tf-resource-id: - description: The id of the resource to import. It should look something like /subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/{provider_name}/{...etc...}. - required: true - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - # The following ARM_* values are env-level secrets/variables - ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} - ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable - ARM_ENVIRONMENT: 'public' - TF_IN_AUTOMATION: 'true' - TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
- TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) - # The following SSH_* secrets are org-level secrets - SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} - SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} - SSH_DEPLOY_KEY_INFO: | - [ - { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, - { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } - ] - -jobs: - tf-import-state: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - - defaults: - run: - shell: bash - working-directory: '${{ env.TF_WORKING_DIR }}' - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` | - | Resource Address | `${{ github.event.inputs.tf-resource-address }}` | - | Resource ID | `${{ github.event.inputs.tf-resource-id }}` |' >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v3 - with: - ref: ${{ env.GITHUB_REF }} - - # Allows pulling modules from the repo instead of artifactory - - name: Setup SSH Keys and known_hosts - uses: im-open/setup-deploy-keys@v1.1 - with: - deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2.0.3 - with: - terraform_version: '${{ env.TF_VERSION }}' - - - name: Terraform Init - run: terraform init - - - name: Terraform Import - # TODO: Add any additional parameters that are needed - run: terraform import ${{ github.event.inputs.tf-resource-address }} ${{ github.event.inputs.tf-resource-id }} +# Workflow Code: DrearyBuck_v21 DO NOT REMOVE + +# Purpose: +# Imports a specified resource into the terraform state when 
someone kicks it off manually. +# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Terraform (Optional Template) +# +# TODO Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Import Terraform State +run-name: Import ${{ inputs.environment }} ${{ inputs.tf-resource-address }} +on: + workflow_dispatch: + inputs: + environment: + description: The environment the import should be done in. + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + branch-tag-sha: + description: The branch, tag or sha of the terraform that has the configuration for the resource(s) to import. + required: true + tf-resource-address: + description: The address of the resource to import. E.g. module.common.azurerm_mssql_server.server + required: true + tf-resource-id: + description: The id of the resource to import. It should look something like /subscriptions/{subscription_id}/resourceGroups/{resource_group_name}/providers/{provider_name}/{...etc...}. + required: true + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} + # The following ARM_* values are env-level secrets/variables + ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable + ARM_ENVIRONMENT: 'public' + TF_IN_AUTOMATION: 'true' + TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
+ TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) + # The following SSH_* secrets are org-level secrets + SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} + SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} + SSH_DEPLOY_KEY_INFO: | + [ + { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, + { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } + ] + +jobs: + tf-import-state: + runs-on: [self-hosted, im-linux] + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + + defaults: + run: + shell: bash + working-directory: '${{ env.TF_WORKING_DIR }}' + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` | + | Resource Address | `${{ github.event.inputs.tf-resource-address }}` | + | Resource ID | `${{ github.event.inputs.tf-resource-id }}` |' >> $GITHUB_STEP_SUMMARY + + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GITHUB_REF }} + + # Allows pulling modules from the repo instead of artifactory + - name: Setup SSH Keys and known_hosts + uses: im-open/setup-deploy-keys@v1.1 + with: + deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: '${{ env.TF_VERSION }}' + + - name: Terraform Init + run: terraform init + + - name: Terraform Import + # TODO: Add any additional parameters that are needed + run: terraform import ${{ github.event.inputs.tf-resource-address }} ${{ github.event.inputs.tf-resource-id }} diff --git a/workflow-templates/im-run-tf-taint.yml b/workflow-templates/im-run-tf-taint.yml index 0142d2fc..9f865640 100644 
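Review bot: `terraform import ${{ github.event.inputs.tf-resource-address }} ${{ github.event.inputs.tf-resource-id }}` expands two free-text `workflow_dispatch` inputs directly into the shell command, so whoever can dispatch this run (normally collaborators with write access, but also anyone holding a token with `actions: write`) can execute arbitrary commands on the self-hosted runner under the job's Azure OIDC identity, e.g. a resource id of `x; <command>`. The step-summary `echo $'…'` has the same exposure: a single quote in either input terminates the `$'…'` string. Passing the inputs through `env:` and quoting them as shell variables keeps the expression evaluation out of the shell parser and also preserves resource ids containing spaces.

```yaml
- name: Terraform Import
  # TODO: Add any additional parameters that are needed
  env:
    TF_RESOURCE_ADDRESS: ${{ github.event.inputs.tf-resource-address }}
    TF_RESOURCE_ID: ${{ github.event.inputs.tf-resource-id }}
  run: terraform import "$TF_RESOURCE_ADDRESS" "$TF_RESOURCE_ID"
```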
--- a/workflow-templates/im-run-tf-taint.yml
+++ b/workflow-templates/im-run-tf-taint.yml
@@ -1,106 +1,106 @@ -# Workflow Code: GratefulTermite_v17 DO NOT REMOVE -# Purpose: -# Taints a specified terraform resource when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Terraform (Optional Template) -# -# TODO Prerequisites: -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Taint Terraform Resource -run-name: Taint ${{ inputs.environment }} resource${{ inputs.tf-resource-address }} -on: - workflow_dispatch: - inputs: - environment: - description: The environment the taint should be done in. - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - # This is required because a tf init has to be performed before the terraform taint command - branch-tag-sha: - description: The branch, tag or sha of the terraform that has the configuration for the resource to taint. - required: true - tf-resource-address: - description: The address of the resource to taint. E.g. module.my-module.azurerm_mssql_server.server - required: true - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - # The following ARM_* values are env-level secrets/variables - ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} - ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable - ARM_ENVIRONMENT: 'public' - TF_IN_AUTOMATION: 'true' - TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
- TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) - # The following SSH_* secrets are org-level secrets - SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} - SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} - SSH_DEPLOY_KEY_INFO: | - [ - { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, - { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } - ] - -jobs: - tf-taint-resource: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - - defaults: - run: - shell: bash - working-directory: '${{ env.TF_WORKING_DIR }}' - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Environment | `${{ env.ENVIRONMENT }}` | - | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` | - | TF Resource Address | `${{ github.event.inputs.tf-resource-address }}` |' >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v3 - with: - ref: ${{ env.GITHUB_REF }} - - # Allows pulling modules from the respective github repo instead of artifactory - - name: Setup SSH Keys and known_hosts - uses: im-open/setup-deploy-keys@v1.1 - with: - deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2.0.3 - with: - terraform_version: '${{ env.TF_VERSION }}' - - # A terraform init is required before a terraform taint can be run - - name: Terraform Init - run: terraform init - - - name: Terraform Taint - # TODO: Add any additional parameters that are needed (-allow-missing, -lock=false, -lock-timeout=90s) - # https://www.terraform.io/docs/cli/commands/taint.html#usage - run: terraform taint ${{ github.event.inputs.tf-resource-address }} - +# Workflow Code: 
GratefulTermite_v18 DO NOT REMOVE +# Purpose: +# Taints a specified terraform resource when someone kicks it off manually. +# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Terraform (Optional Template) +# +# TODO Prerequisites: +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Taint Terraform Resource +run-name: Taint ${{ inputs.environment }} resource${{ inputs.tf-resource-address }} +on: + workflow_dispatch: + inputs: + environment: + description: The environment the taint should be done in. + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + # This is required because a tf init has to be performed before the terraform taint command + branch-tag-sha: + description: The branch, tag or sha of the terraform that has the configuration for the resource to taint. + required: true + tf-resource-address: + description: The address of the resource to taint. E.g. module.my-module.azurerm_mssql_server.server + required: true + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} + # The following ARM_* values are env-level secrets/variables + ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable + ARM_ENVIRONMENT: 'public' + TF_IN_AUTOMATION: 'true' + TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
+ TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) + # The following SSH_* secrets are org-level secrets + SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} + SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} + SSH_DEPLOY_KEY_INFO: | + [ + { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, + { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } + ] + +jobs: + tf-taint-resource: + runs-on: [self-hosted, im-linux] + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + + defaults: + run: + shell: bash + working-directory: '${{ env.TF_WORKING_DIR }}' + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Environment | `${{ env.ENVIRONMENT }}` | + | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` | + | TF Resource Address | `${{ github.event.inputs.tf-resource-address }}` |' >> $GITHUB_STEP_SUMMARY + + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GITHUB_REF }} + + # Allows pulling modules from the respective github repo instead of artifactory + - name: Setup SSH Keys and known_hosts + uses: im-open/setup-deploy-keys@v1.1 + with: + deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: '${{ env.TF_VERSION }}' + + # A terraform init is required before a terraform taint can be run + - name: Terraform Init + run: terraform init + + - name: Terraform Taint + # TODO: Add any additional parameters that are needed (-allow-missing, -lock=false, -lock-timeout=90s) + # https://www.terraform.io/docs/cli/commands/taint.html#usage + run: terraform taint ${{ github.event.inputs.tf-resource-address }} + 
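Review bot: `terraform taint ${{ github.event.inputs.tf-resource-address }}` interpolates a free-text dispatch input into a `run:` shell line, which is the script-injection pattern GitHub's own hardening guide warns about — a value such as `x; <command>` runs on the self-hosted runner with the job's Azure OIDC credentials rather than failing as a bad address. Move the value into the step's environment and quote it: `env:` / `TF_RESOURCE_ADDRESS: ${{ github.event.inputs.tf-resource-address }}` / `run: terraform taint "$TF_RESOURCE_ADDRESS"`; the step-summary echo that embeds the same input in a `$'…'` string deserves the same treatment. Minor: `run-name: Taint ${{ inputs.environment }} resource${{ inputs.tf-resource-address }}` is missing a space before the address.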
diff --git a/workflow-templates/im-run-unlock-tf-state.yml b/workflow-templates/im-run-unlock-tf-state.yml
index f4cf24dd..baefbed6 100644
--- a/workflow-templates/im-run-unlock-tf-state.yml
+++ b/workflow-templates/im-run-unlock-tf-state.yml
@@ -1,101 +1,101 @@ -# Workflow Code: FrazzledFerret_v23 DO NOT REMOVE -# Purpose: -# Removes a lock from the terraform state when someone kicks it off manually. -# -# Frequency: -# - This workflow should only be used once per repository -# -# Projects to use this Template with: -# - Terraform (Core Template) -# -# TODO Prerequisites -# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. - -name: Unlock Terraform State -run-name: Unlock state in ${{ inputs.environment }} with id ${{ inputs.lock-id }} -on: - workflow_dispatch: - inputs: - lock-id: - description: The lock ID that needs to be removed. Terraform provides this value (lock info.ID) in the message indicating there was an error acquiring the state lock. - required: true - environment: - description: The environment the lock should be removed in - required: true - type: choice - options: # TODO: Update for the environments that are available - - dev - - qa - - stage - - demo - - uat - - prod - branch-tag-sha: - description: The branch, tag or sha of the terraform that is currently in the environment where the lock is. This is needed to do a terraform init with the appropriate code. - required: true - -permissions: - # Required for secretless azure access and deploys - id-token: write - contents: read - -env: - ENVIRONMENT: ${{ github.event.inputs.environment }} - GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - # The following ARM_* values are env-level secrets/variables - ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} - ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} - ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable - ARM_ENVIRONMENT: 'public' - TF_IN_AUTOMATION: 'true' - TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
- TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) - # The following SSH_* secrets are org-level secrets - SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} - SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} - SSH_DEPLOY_KEY_INFO: | - [ - { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, - { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } - ] - -jobs: - tf-unlock-state: - runs-on: [self-hosted, im-linux] - environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: - - defaults: - run: - shell: bash - working-directory: '${{ env.TF_WORKING_DIR }}' - - steps: - - run: | - echo $' - | Build Arguments | Value | - | --- | --- | - | Lock ID | `${{ github.event.inputs.lock-id }}` | - | Environment | `${{ env.ENVIRONMENT }}` | - | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY - - - name: Checkout Repository - uses: actions/checkout@v3 - with: - ref: ${{ env.GITHUB_REF }} - - # Allows pulling modules from the repo instead of artifactory - - name: Setup SSH Keys and known_hosts - uses: im-open/setup-deploy-keys@v1.1 - with: - deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} - - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2.0.3 - with: - terraform_version: '${{ env.TF_VERSION }}' - - - name: Terraform Init - run: terraform init - - - name: Terraform Unlock State - run: terraform force-unlock -force ${{ github.event.inputs.lock-id }} +# Workflow Code: FrazzledFerret_v24 DO NOT REMOVE +# Purpose: +# Removes a lock from the terraform state when someone kicks it off manually. 
+# +# Frequency: +# - This workflow should only be used once per repository +# +# Projects to use this Template with: +# - Terraform (Core Template) +# +# TODO Prerequisites +# - Ensure each of the repo-level and env-level secrets used in this workflow have been populated by an admin in your repository. + +name: Unlock Terraform State +run-name: Unlock state in ${{ inputs.environment }} with id ${{ inputs.lock-id }} +on: + workflow_dispatch: + inputs: + lock-id: + description: The lock ID that needs to be removed. Terraform provides this value (lock info.ID) in the message indicating there was an error acquiring the state lock. + required: true + environment: + description: The environment the lock should be removed in + required: true + type: choice + options: # TODO: Update for the environments that are available + - dev + - qa + - stage + - demo + - uat + - prod + branch-tag-sha: + description: The branch, tag or sha of the terraform that is currently in the environment where the lock is. This is needed to do a terraform init with the appropriate code. + required: true + +permissions: + # Required for secretless azure access and deploys + id-token: write + contents: read + +env: + ENVIRONMENT: ${{ github.event.inputs.environment }} + GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} + # The following ARM_* values are env-level secrets/variables + ARM_SUBSCRIPTION_ID: ${{ vars.ARM_SUBSCRIPTION_ID }} + ARM_CLIENT_ID: ${{ vars.ARM_CLIENT_ID }} + ARM_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable + ARM_ENVIRONMENT: 'public' + TF_IN_AUTOMATION: 'true' + TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. 
+ TF_WORKING_DIR: './infrastructure/${{ github.event.inputs.environment }}' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) + # The following SSH_* secrets are org-level secrets + SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} + SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} + SSH_DEPLOY_KEY_INFO: | + [ + { "orgAndRepo": "im-platform/storage-account-network-rules", "envName" : "SSH_KEY_STORAGE_ACCOUNT" }, + { "orgAndRepo": "im-platform/network-information", "envName" : "SSH_KEY_NETWORK_INFO" } + ] + +jobs: + tf-unlock-state: + runs-on: [self-hosted, im-linux] + environment: ${{ github.event.inputs.environment }} # Use inputs context because env context is not available to environment: + + defaults: + run: + shell: bash + working-directory: '${{ env.TF_WORKING_DIR }}' + + steps: + - run: | + echo $' + | Build Arguments | Value | + | --- | --- | + | Lock ID | `${{ github.event.inputs.lock-id }}` | + | Environment | `${{ env.ENVIRONMENT }}` | + | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY + + - name: Checkout Repository + uses: actions/checkout@v4 + with: + ref: ${{ env.GITHUB_REF }} + + # Allows pulling modules from the repo instead of artifactory + - name: Setup SSH Keys and known_hosts + uses: im-open/setup-deploy-keys@v1.1 + with: + deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }} + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: '${{ env.TF_VERSION }}' + + - name: Terraform Init + run: terraform init + + - name: Terraform Unlock State + run: terraform force-unlock -force ${{ github.event.inputs.lock-id }} diff --git a/workflow-templates/im-run-validate-deployed-terraform.yml b/workflow-templates/im-run-validate-deployed-terraform.yml index d5c8493a..2c12258f 100644 --- a/workflow-templates/im-run-validate-deployed-terraform.yml +++ b/workflow-templates/im-run-validate-deployed-terraform.yml 
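Review bot: The rewritten `Terraform Unlock State` step still splices a `workflow_dispatch` input straight into a shell command, `run: terraform force-unlock -force ${{ github.event.inputs.lock-id }}`, so a lock-id value containing shell metacharacters executes as commands on the self-hosted runner under the selected environment's Azure federated identity (`id-token: write`). Only users who can dispatch the workflow can supply that value and environment protection rules still gate the job, so this is an in-repo privilege concern rather than an anonymous one, but the lock ID is free text (`required: true`, no `type: choice`) and is never validated. Route it through the process environment instead so the shell never parses it: add `env: { LOCK_ID: ${{ github.event.inputs.lock-id }} }` on the step and change the command to `run: terraform force-unlock -force "$LOCK_ID"`. The same `${{ }}`-in-`run:` pattern appears in the summary `echo` step, which is lower risk only because the other inputs are constrained to the `options:` list or are consumed by `actions/checkout` rather than a shell.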
@@ -1,4 +1,4 @@ -# Workflow Code: ShinySQUIRREL_v23 DO NOT REMOVE +# Workflow Code: ShinySQUIRREL_v24 DO NOT REMOVE # Purpose: # Validates that the deployed terraform matches what is supposed to be deployed # when it runs at a scheduled time or when someone kicks it off manually. @@ -69,7 +69,7 @@ jobs: steps: - name: Determine latest release id: get-latest - uses: actions/github-script@v6 + uses: actions/github-script@v7 with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo script: | @@ -116,7 +116,7 @@ jobs: } - name: Checkout Repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ steps.get-latest.outputs.VERSION }} @@ -128,7 +128,7 @@ jobs: - name: Setup Terraform id: setup - uses: hashicorp/setup-terraform@v2.0.3 + uses: hashicorp/setup-terraform@v3 with: terraform_version: '${{ env.TF_VERSION }}' @@ -154,7 +154,7 @@ jobs: - name: Trigger PagerDuty when there are changes if: steps.plan.outputs.exitcode == '2' - uses: im-open/create-pagerduty-incident@v1.1 + uses: im-open/create-pagerduty-incident@v1.3 with: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret service-id: ${{ vars.PAGERDUTY_SERVICE_ID }} # This is an env-level variable diff --git a/workflow-templates/im-test-cypress.yml b/workflow-templates/im-test-cypress.yml index 2110ee2e..279d1449 100644 --- a/workflow-templates/im-test-cypress.yml +++ b/workflow-templates/im-test-cypress.yml @@ -1,4 +1,4 @@ -# Workflow Code: SurprisedHedgehog_v20 DO NOT REMOVE +# Workflow Code: SurprisedHedgehog_v21 DO NOT REMOVE # Purpose: # Runs the Cypress script specified in the workflow when commits # are pushed to the PR or when someone kicks it off manually. 
@@ -69,7 +69,7 @@ jobs: # AZURE_TENANT_ID: ${{ vars.ARM_TENANT_ID }} # This is an org-level variable steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 # TODO: If you are using any nuget/npm packages from GitHub Packages uncomment this step # - name: Authenticate with GitHub Packages @@ -82,7 +82,7 @@ jobs: run: npm install - name: Setup .NET Core - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: dotnet-version: ${{ env.DOTNET_VERSION }} env: @@ -109,7 +109,7 @@ jobs: - name: Create Status check based on merged cypress results id: process-cypress - uses: im-open/process-cypress-test-results@v2.2 + uses: im-open/process-cypress-test-results@v3.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo results-file: '${{ env.JS_TEST_DIR }}/${{ env.CYPRESS_RESULTS_FILE }}' diff --git a/workflow-templates/im-test-postman.yml b/workflow-templates/im-test-postman.yml index ad9b7692..a3383b7f 100644 --- a/workflow-templates/im-test-postman.yml +++ b/workflow-templates/im-test-postman.yml 
@@ -1,82 +1,82 @@ -# Workflow Code: GuiltyBison_v14 DO NOT REMOVE -# Purpose: -# Runs the Postman script specified in the workflow when someone -# manually kicks it off or when another workflow triggers it. -# -# Frequency: -# - This workflow can be duplicated for each Postman project in the repository -# or it can be modified to run multiple projects. -# -# Projects to use this Template with: -# - App Service or Function (Optional Template) -# - On Prem Site (Optional Template) -# - On Prem Service (Optional Template) -# -# TODO: Prerequisites: -# - If the project contains a local nuget.config remove it. It interferes with restoring packages on the GitHub Action runners. -# - Make the following npm package changes: -# npm uninstall newman-reporter-teamcity -# - Update the reporters an options in your package.json script. For instance: -# old script: "newman run tests/postman-tests/ParticipantGuidance.postman_collection.json -e tests/postman-tests/participant-guidance-prod.postman_environment.json -r cli,teamcity", -# new script: "newman run tests/postman-tests/ParticipantGuidance.postman_collection.json -e tests/postman-tests/participant-guidance-prod.postman_environment.json -r cli,json --reporter-json-export postman-results.json", - -name: Run Postman Tests - -# TODO: Verify Triggers -on: - # For manually kicking off the tests - workflow_dispatch: - # For programatically kicking off tests, like when a deploy finishes - repository_dispatch: - types: [postman] - -env: - READ_PKG_TOKEN: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret - PACKAGE_JSON_DIR: '' # TODO: Add the directory containing package.json - POSTMAN_NPM_SCRIPT_NAME: '' # TODO: Add postman npm script name - POSTMAN_RESULTS_NAME: '' # TODO: Add the name of the results file, set in npm script - -jobs: - run-postman: - runs-on: [self-hosted, im-linux] - - defaults: - run: - shell: bash - working-directory: ${{ env.PACKAGE_JSON_DIR }} - - steps: - - uses: actions/checkout@v3 - - # TODO: If 
you are using any nuget/npm packages from GitHub Packages uncomment this step - # - name: Authenticate with GitHub Packages - # uses: im-open/authenticate-with-gh-package-registries@v1.1 - # with: - # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret - # orgs: 'im-client,im-enrollment,im-practices' # TODO: Verify list of orgs packages will be pulled from - - - name: Restore npm packages - run: npm install - - - name: Run Postman Tests - id: postman - continue-on-error: true - run: npm run ${{ env.POSTMAN_NPM_SCRIPT_NAME }} - - - name: Create Status check based on postman results - id: process-postman - uses: im-open/process-postman-test-results@v2.1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo - results-file: ${{ env.PACKAGE_JSON_DIR }}/${{ env.POSTMAN_RESULTS_NAME }} - timezone: 'america/denver' # TODO: Verify timezone - # TODO: Verify whether you want status checks, pr comments or both with the results of the tests. - create-status-check: true - # update-comment-if-one-exists: false # TODO: By default this creates one comment and updates it for each run. Uncomment if you wish to have one new comment for every workflow run. - create-pr-comment: true - - - name: Fail if postman errors - if: steps.postman.outcome == 'failure' - run: | - echo "The postman tests have failures" - exit 1 +# Workflow Code: GuiltyBison_v15 DO NOT REMOVE +# Purpose: +# Runs the Postman script specified in the workflow when someone +# manually kicks it off or when another workflow triggers it. +# +# Frequency: +# - This workflow can be duplicated for each Postman project in the repository +# or it can be modified to run multiple projects. 
+# +# Projects to use this Template with: +# - App Service or Function (Optional Template) +# - On Prem Site (Optional Template) +# - On Prem Service (Optional Template) +# +# TODO: Prerequisites: +# - If the project contains a local nuget.config remove it. It interferes with restoring packages on the GitHub Action runners. +# - Make the following npm package changes: +# npm uninstall newman-reporter-teamcity +# - Update the reporters an options in your package.json script. For instance: +# old script: "newman run tests/postman-tests/ParticipantGuidance.postman_collection.json -e tests/postman-tests/participant-guidance-prod.postman_environment.json -r cli,teamcity", +# new script: "newman run tests/postman-tests/ParticipantGuidance.postman_collection.json -e tests/postman-tests/participant-guidance-prod.postman_environment.json -r cli,json --reporter-json-export postman-results.json", + +name: Run Postman Tests + +# TODO: Verify Triggers +on: + # For manually kicking off the tests + workflow_dispatch: + # For programatically kicking off tests, like when a deploy finishes + repository_dispatch: + types: [postman] + +env: + READ_PKG_TOKEN: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret + PACKAGE_JSON_DIR: '' # TODO: Add the directory containing package.json + POSTMAN_NPM_SCRIPT_NAME: '' # TODO: Add postman npm script name + POSTMAN_RESULTS_NAME: '' # TODO: Add the name of the results file, set in npm script + +jobs: + run-postman: + runs-on: [self-hosted, im-linux] + + defaults: + run: + shell: bash + working-directory: ${{ env.PACKAGE_JSON_DIR }} + + steps: + - uses: actions/checkout@v4 + + # TODO: If you are using any nuget/npm packages from GitHub Packages uncomment this step + # - name: Authenticate with GitHub Packages + # uses: im-open/authenticate-with-gh-package-registries@v1.1 + # with: + # read-pkg-token: ${{ secrets.READ_PKG_TOKEN }} # This is an org-level secret + # orgs: 'im-client,im-enrollment,im-practices' # TODO: Verify list of orgs 
packages will be pulled from + + - name: Restore npm packages + run: npm install + + - name: Run Postman Tests + id: postman + continue-on-error: true + run: npm run ${{ env.POSTMAN_NPM_SCRIPT_NAME }} + + - name: Create Status check based on postman results + id: process-postman + uses: im-open/process-postman-test-results@v2.3 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} # Special per-job token generated by GH for interacting with the repo + results-file: ${{ env.PACKAGE_JSON_DIR }}/${{ env.POSTMAN_RESULTS_NAME }} + timezone: 'america/denver' # TODO: Verify timezone + # TODO: Verify whether you want status checks, pr comments or both with the results of the tests. + create-status-check: true + # update-comment-if-one-exists: false # TODO: By default this creates one comment and updates it for each run. Uncomment if you wish to have one new comment for every workflow run. + create-pr-comment: true + + - name: Fail if postman errors + if: steps.postman.outcome == 'failure' + run: | + echo "The postman tests have failures" + exit 1
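Review bot: The workflow-level `env:` still sets `READ_PKG_TOKEN: ${{ secrets.READ_PKG_TOKEN }}`, which exposes the org-level token to every step of `run-postman`, including `npm install`, whose dependency lifecycle scripts run with that environment, while the only consumer of the value (the commented-out "Authenticate with GitHub Packages" step) reads `secrets.READ_PKG_TOKEN` directly through `with:`. Remove the `READ_PKG_TOKEN` line from the top-level `env:` so the secret is scoped to the single step that needs it when that step is enabled. If the repository commits a lockfile, `npm ci` in the "Restore npm packages" step would also pin the installed tree to it rather than letting `npm install` resolve and rewrite versions on the runner; I cannot tell from this hunk whether a lockfile exists, so treat that as a follow-up to confirm.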