chore: bump next #3095

Summary
Jobs
- terraform
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/terraform.yml at 2c131fd

	name: 'Terraform'

	on:
	push:
	branches:
	- dev
	- main
	- test
	paths:
	- 'terraform/**'
	- '.github/**'
	- 'app/**'
	- 'lambda/**'
	pull_request:
	paths:
	- 'terraform/**'
	- '.github/**'
	- 'app/**'
	- 'lambda/**'

	env:
	TF_VERSION: 1.1.4

	jobs:
	terraform:
	permissions: write-all
	runs-on: ubuntu-20.04
	steps:
	- name: Set env to development
	if: (github.ref == 'refs/heads/dev' && github.event_name == 'push') \|\| (github.base_ref == 'dev' && github.event_name == 'pull_request')
	run: \|
	cat >> $GITHUB_ENV <<EOF
	APP_URL=https://bcgov.github.io/sso-requests-sandbox
	API_URL=https://gcp9dahm4c.execute-api.ca-central-1.amazonaws.com/test/app
	API_AUTH_SECRET=${{ secrets.API_AUTH_SECRET }}
	APP_ENV=development
	GRAFANA_API_URL=https://sso-grafana-sandbox.apps.gold.devops.gov.bc.ca/api
	GRAFANA_API_TOKEN=${{ secrets.DEV_GRAFANA_API_TOKEN }}
	TF_STATE_BUCKET=xgr00q-dev-sso-requests
	TF_STATE_BUCKET_KEY=css-tf-dev-state
	TF_STATE_DYNAMODB_TABLE=xgr00q-dev-sso-requests-state-locking
	TERRAFORM_DEPLOY_ROLE_ARN=${{ secrets.DEV_TERRAFORM_DEPLOY_ROLE_ARN }}
	SSO_ISSUER_URL=https://dev.loginproxy.gov.bc.ca/auth/realms/standard/.well-known/openid-configuration
	SUBNET_A=App_Dev_aza_net
	SUBNET_B=App_Dev_azb_net
	SUBNET_DATA_A=Data_Dev_aza_net
	SUBNET_DATA_B=Data_Dev_azb_net
	KEYCLOAK_V2_DEV_URL=https://dev.sandbox.loginproxy.gov.bc.ca
	KEYCLOAK_V2_TEST_URL=https://test.sandbox.loginproxy.gov.bc.ca
	KEYCLOAK_V2_PROD_URL=https://sandbox.loginproxy.gov.bc.ca
	KEYCLOAK_V2_DEV_USERNAME=${{ secrets.DEV_KEYCLOAK_V2_DEV_USERNAME }}
	KEYCLOAK_V2_DEV_PASSWORD=${{ secrets.DEV_KEYCLOAK_V2_DEV_PASSWORD }}
	KEYCLOAK_V2_TEST_USERNAME=${{ secrets.DEV_KEYCLOAK_V2_TEST_USERNAME }}
	KEYCLOAK_V2_TEST_PASSWORD=${{ secrets.DEV_KEYCLOAK_V2_TEST_PASSWORD }}
	KEYCLOAK_V2_PROD_USERNAME=${{ secrets.DEV_KEYCLOAK_V2_PROD_USERNAME }}
	KEYCLOAK_V2_PROD_PASSWORD=${{ secrets.DEV_KEYCLOAK_V2_PROD_PASSWORD }}
	REALM_REGISTRY_API=${{ secrets.DEV_REALM_REGISTRY_API }}
	CHES_TOKEN_ENDPOINT=https://loginproxy.gov.bc.ca/auth/realms/comsvcauth/protocol/openid-connect/token
	CHES_API_ENDPOINT=https://ches.api.gov.bc.ca/api/v1/email
	CHES_USERNAME=${{secrets.CHES_USERNAME_PROD}}
	CHES_PASSWORD=${{secrets.CHES_PASSWORD_PROD}}
	VERIFY_USER_SECRET=${{secrets.VERIFY_USER_SECRET}}
	CUSTOM_DOMAIN_NAME=api-dev.loginproxy.gov.bc.ca
	UPTIME_STATUS_DOMAIN_NAME=status.sandbox.loginproxy.gov.bc.ca
	AWS_ECR_URI=${{secrets.DEV_AWS_ECR_URI}}
	INCLUDE_DIGITAL_CREDENTIAL=true
	INSTALL_GRAFANA=true
	INSTALL_REDIS=true

	INCLUDE_BC_SERVICES_CARD=true
	ALLOW_BC_SERVICES_CARD_PROD=true

	BCSC_INITIAL_ACCESS_TOKEN_DEV=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_SIT}}
	BCSC_INITIAL_ACCESS_TOKEN_TEST=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_SIT}}
	BCSC_INITIAL_ACCESS_TOKEN_PROD=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_SIT}}
	BCSC_REGISTRATION_BASE_URL_DEV=${{secrets.BCSC_REGISTRATION_BASE_URL_SIT}}
	BCSC_REGISTRATION_BASE_URL_TEST=${{secrets.BCSC_REGISTRATION_BASE_URL_SIT}}
	BCSC_REGISTRATION_BASE_URL_PROD=${{secrets.BCSC_REGISTRATION_BASE_URL_SIT}}

	EOF

	- name: Set env to test
	if: (github.ref == 'refs/heads/test' && github.event_name == 'push') \|\| (github.base_ref == 'test' && github.event_name == 'pull_request')
	run: \|
	cat >> $GITHUB_ENV <<EOF
	APP_URL=https://bcgov.github.io/sso-requests-preview
	API_URL=https://kcbkts0s8a.execute-api.ca-central-1.amazonaws.com/test/app
	API_AUTH_SECRET=${{ secrets.API_AUTH_SECRET }}
	APP_ENV=test
	GRAFANA_API_URL=https://sso-grafana-sandbox.apps.gold.devops.gov.bc.ca/api
	GRAFANA_API_TOKEN=${{ secrets.DEV_GRAFANA_API_TOKEN }}
	TF_STATE_BUCKET=xgr00q-test-sso-requests
	TF_STATE_BUCKET_KEY=css-tf-test-state
	TF_STATE_DYNAMODB_TABLE=xgr00q-test-sso-requests-state-locking
	TERRAFORM_DEPLOY_ROLE_ARN=${{ secrets.TEST_TERRAFORM_DEPLOY_ROLE_ARN }}
	SSO_ISSUER_URL=https://test.loginproxy.gov.bc.ca/auth/realms/standard/.well-known/openid-configuration
	SUBNET_A=App_Test_aza_net
	SUBNET_B=App_Test_azb_net
	SUBNET_DATA_A=Data_Test_aza_net
	SUBNET_DATA_B=Data_Test_azb_net
	KEYCLOAK_V2_DEV_URL=https://sso-keycloak-c6af30-dev.apps.golddr.devops.gov.bc.ca
	KEYCLOAK_V2_TEST_URL=https://sso-keycloak-c6af30-test.apps.golddr.devops.gov.bc.ca
	KEYCLOAK_V2_PROD_URL=https://sso-keycloak-c6af30-prod.apps.golddr.devops.gov.bc.ca
	KEYCLOAK_V2_DEV_USERNAME=${{ secrets.TEST_KEYCLOAK_V2_DEV_USERNAME }}
	KEYCLOAK_V2_DEV_PASSWORD=${{ secrets.TEST_KEYCLOAK_V2_DEV_PASSWORD }}
	KEYCLOAK_V2_TEST_USERNAME=${{ secrets.TEST_KEYCLOAK_V2_TEST_USERNAME }}
	KEYCLOAK_V2_TEST_PASSWORD=${{ secrets.TEST_KEYCLOAK_V2_TEST_PASSWORD }}
	KEYCLOAK_V2_PROD_USERNAME=${{ secrets.TEST_KEYCLOAK_V2_PROD_USERNAME }}
	KEYCLOAK_V2_PROD_PASSWORD=${{ secrets.TEST_KEYCLOAK_V2_PROD_PASSWORD }}
	REALM_REGISTRY_API=${{ secrets.DEV_REALM_REGISTRY_API }}
	CHES_TOKEN_ENDPOINT=https://loginproxy.gov.bc.ca/auth/realms/comsvcauth/protocol/openid-connect/token
	CHES_API_ENDPOINT=https://ches.api.gov.bc.ca/api/v1/email
	CHES_USERNAME=${{secrets.CHES_USERNAME_PROD}}
	CHES_PASSWORD=${{secrets.CHES_PASSWORD_PROD}}
	VERIFY_USER_SECRET=${{secrets.VERIFY_USER_SECRET}}
	CUSTOM_DOMAIN_NAME=api-test.loginproxy.gov.bc.ca
	UPTIME_STATUS_DOMAIN_NAME=status.sandbox.loginproxy.gov.bc.ca
	AWS_ECR_URI=${{secrets.DEV_AWS_ECR_URI}}
	INCLUDE_DIGITAL_CREDENTIAL=true
	INSTALL_GRAFANA=false
	INSTALL_REDIS=true

	INCLUDE_BC_SERVICES_CARD=true
	ALLOW_BC_SERVICES_CARD_PROD=false

	BCSC_INITIAL_ACCESS_TOKEN_DEV=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_TEST}}
	BCSC_INITIAL_ACCESS_TOKEN_TEST=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_TEST}}
	BCSC_INITIAL_ACCESS_TOKEN_PROD=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_TEST}}
	BCSC_REGISTRATION_BASE_URL_DEV=${{secrets.BCSC_REGISTRATION_BASE_URL_TEST}}
	BCSC_REGISTRATION_BASE_URL_TEST=${{secrets.BCSC_REGISTRATION_BASE_URL_TEST}}
	BCSC_REGISTRATION_BASE_URL_PROD=${{secrets.BCSC_REGISTRATION_BASE_URL_TEST}}

	EOF

	- name: Set env to production
	if: (github.ref == 'refs/heads/main' && github.event_name == 'push') \|\| (github.base_ref == 'main' && github.event_name == 'pull_request')
	run: \|
	cat >> $GITHUB_ENV <<EOF
	APP_URL=https://bcgov.github.io/sso-requests
	API_URL=https://kgodz1zmk2.execute-api.ca-central-1.amazonaws.com/test/app
	API_AUTH_SECRET=${{ secrets.API_AUTH_SECRET }}
	APP_ENV=production
	GRAFANA_API_URL=https://sso-grafana.apps.gold.devops.gov.bc.ca/api
	GRAFANA_API_TOKEN=${{ secrets.PROD_GRAFANA_API_TOKEN }}
	TF_STATE_BUCKET=xgr00q-prod-sso-requests
	TF_STATE_BUCKET_KEY=css-tf-prod-state
	TF_STATE_DYNAMODB_TABLE=xgr00q-prod-sso-requests-state-locking
	TERRAFORM_DEPLOY_ROLE_ARN=${{ secrets.PROD_TERRAFORM_DEPLOY_ROLE_ARN }}
	SSO_ISSUER_URL=https://loginproxy.gov.bc.ca/auth/realms/standard/.well-known/openid-configuration
	SUBNET_A=App_Prod_aza_net
	SUBNET_B=App_Prod_azb_net
	SUBNET_DATA_A=Data_Prod_aza_net
	SUBNET_DATA_B=Data_Prod_azb_net
	KEYCLOAK_V2_DEV_URL=https://dev.loginproxy.gov.bc.ca
	KEYCLOAK_V2_TEST_URL=https://test.loginproxy.gov.bc.ca
	KEYCLOAK_V2_PROD_URL=https://loginproxy.gov.bc.ca
	KEYCLOAK_V2_DEV_USERNAME=${{ secrets.PROD_KEYCLOAK_V2_DEV_USERNAME }}
	KEYCLOAK_V2_DEV_PASSWORD=${{ secrets.PROD_KEYCLOAK_V2_DEV_PASSWORD }}
	KEYCLOAK_V2_TEST_USERNAME=${{ secrets.PROD_KEYCLOAK_V2_TEST_USERNAME }}
	KEYCLOAK_V2_TEST_PASSWORD=${{ secrets.PROD_KEYCLOAK_V2_TEST_PASSWORD }}
	KEYCLOAK_V2_PROD_USERNAME=${{ secrets.PROD_KEYCLOAK_V2_PROD_USERNAME }}
	KEYCLOAK_V2_PROD_PASSWORD=${{ secrets.PROD_KEYCLOAK_V2_PROD_PASSWORD }}
	REALM_REGISTRY_API=${{ secrets.PROD_REALM_REGISTRY_API }}
	CHES_TOKEN_ENDPOINT=https://loginproxy.gov.bc.ca/auth/realms/comsvcauth/protocol/openid-connect/token
	CHES_API_ENDPOINT=https://ches.api.gov.bc.ca/api/v1/email
	CHES_USERNAME=${{secrets.CHES_USERNAME_PROD}}
	CHES_PASSWORD=${{secrets.CHES_PASSWORD_PROD}}
	VERIFY_USER_SECRET=${{secrets.VERIFY_USER_SECRET}}
	CUSTOM_DOMAIN_NAME=api.loginproxy.gov.bc.ca
	UPTIME_STATUS_DOMAIN_NAME=status.loginproxy.gov.bc.ca
	AWS_ECR_URI=${{secrets.PROD_AWS_ECR_URI}}
	INSTALL_GRAFANA=true
	INSTALL_REDIS=true
	INCLUDE_DIGITAL_CREDENTIAL=true

	INCLUDE_BC_SERVICES_CARD=true
	ALLOW_BC_SERVICES_CARD_PROD=true

	BCSC_INITIAL_ACCESS_TOKEN_DEV=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_TEST}}
	BCSC_INITIAL_ACCESS_TOKEN_TEST=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_TEST}}
	BCSC_INITIAL_ACCESS_TOKEN_PROD=${{secrets.BCSC_INITIAL_ACCESS_TOKEN_PROD}}
	BCSC_REGISTRATION_BASE_URL_DEV=${{secrets.BCSC_REGISTRATION_BASE_URL_TEST}}
	BCSC_REGISTRATION_BASE_URL_TEST=${{secrets.BCSC_REGISTRATION_BASE_URL_TEST}}
	BCSC_REGISTRATION_BASE_URL_PROD=${{secrets.BCSC_REGISTRATION_BASE_URL_PROD}}

	EOF

	- uses: hmarr/debug-action@v3
	- uses: actions/checkout@v4

	- name: Get yarn cache directory path
	id: yarn-cache-dir-path
	run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
	- name: Cache Node dependencies
	uses: actions/cache@v4
	id: yarn-cache
	with:
	path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
	key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
	restore-keys: ${{ runner.os }}-yarn-

	- name: Install dependencies for frontend
	run: make app_install

	- name: Install dependencies for backend
	run: make server_install

	- name: Fetch OIDC discovery configuration
	id: discovery
	uses: bcgov/sso-requests-actions/actions/wellknown@v0.58.0
	with:
	discovery-url: ${{ env.SSO_ISSUER_URL }}
	continue-on-error: true

	- name: Save OIDC discovery configration as JSON
	run: \|
	echo '${{ steps.discovery.outputs.config }}' > sso-configuration.json
	working-directory: ./lambda/app/src

	- name: Fetch OIDC discovery configuration - API
	id: discovery-api
	uses: bcgov/sso-requests-actions/actions/wellknown@v0.58.0
	with:
	discovery-url: ${{ env.KEYCLOAK_V2_PROD_URL }}/auth/realms/standard/.well-known/openid-configuration
	continue-on-error: true

	- name: Save OIDC discovery configration as JSON - API
	run: \|
	echo '${{ steps.discovery-api.outputs.config }}' > api-sso-configuration.json
	working-directory: ./lambda/css-api/src

	- name: Build lambda artifacts
	run: \|
	make build_all
	working-directory: ./lambda

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	role-to-assume: ${{ env.TERRAFORM_DEPLOY_ROLE_ARN }}
	aws-region: ca-central-1

	- name: Terraform Format
	id: fmt
	run: terraform fmt -check
	working-directory: ./terraform

	- name: Create S3 Bucket in dev environment
	if: (github.ref == 'refs/heads/dev' && github.event_name == 'push') \|\| (github.base_ref == 'dev' && github.event_name == 'pull_request')
	run: \|
	cp env-resources.tf_dev env-resources.tf
	working-directory: ./terraform

	- name: Create S3 Bucket in test environment
	if: (github.ref == 'refs/heads/test' && github.event_name == 'push') \|\| (github.base_ref == 'test' && github.event_name == 'pull_request')
	run: \|
	cp env-resources.tf_test env-resources.tf
	working-directory: ./terraform

	- name: Create S3 Bucket in prod environment
	if: (github.ref == 'refs/heads/main' && github.event_name == 'push') \|\| (github.base_ref == 'main' && github.event_name == 'pull_request')
	run: \|
	cp env-resources.tf_prod env-resources.tf
	working-directory: ./terraform

	- name: Terraform Variables
	run: \|
	cat >"config.tf" <<EOF
	terraform {
	backend "s3" {
	bucket = "${{ env.TF_STATE_BUCKET }}"
	key = "${{ env.TF_STATE_BUCKET_KEY }}"
	region = "ca-central-1"
	dynamodb_table = "${{ env.TF_STATE_DYNAMODB_TABLE }}"
	}
	}
	EOF

	cat >"ci.auto.tfvars" <<EOF
	app_url="${{ env.APP_URL }}"
	api_url="${{ env.API_URL }}"
	api_auth_secret="${{ env.API_AUTH_SECRET }}"
	app_env="${{ env.APP_ENV }}"
	gh_access_token="${{ secrets.GH_ACCESS_TOKEN }}"
	gh_secret="${{ secrets.GH_SECRET }}"
	sso_configuration_endpoint="${{ env.SSO_ISSUER_URL }}"
	subnet_a="${{ env.SUBNET_A }}"
	subnet_b="${{ env.SUBNET_B }}"
	subnet_data_a="${{ env.SUBNET_DATA_A }}"
	subnet_data_b="${{ env.SUBNET_DATA_B }}"
	keycloak_v2_dev_url="${{ env.KEYCLOAK_V2_DEV_URL }}"
	keycloak_v2_test_url="${{ env.KEYCLOAK_V2_TEST_URL }}"
	keycloak_v2_prod_url="${{ env.KEYCLOAK_V2_PROD_URL }}"
	keycloak_v2_dev_username="${{ env.KEYCLOAK_V2_DEV_USERNAME }}"
	keycloak_v2_test_username="${{ env.KEYCLOAK_V2_TEST_USERNAME }}"
	keycloak_v2_prod_username="${{ env.KEYCLOAK_V2_PROD_USERNAME }}"
	keycloak_v2_dev_password="${{ env.KEYCLOAK_V2_DEV_PASSWORD }}"
	keycloak_v2_test_password="${{ env.KEYCLOAK_V2_TEST_PASSWORD }}"
	keycloak_v2_prod_password="${{ env.KEYCLOAK_V2_PROD_PASSWORD }}"
	realm_registry_api="${{ env.REALM_REGISTRY_API }}"
	ches_username="${{ env.CHES_USERNAME }}"
	ches_password="${{ env.CHES_PASSWORD }}"
	ches_api_endpoint="${{ env.CHES_API_ENDPOINT }}"
	ches_token_endpoint="${{ env.CHES_TOKEN_ENDPOINT }}"
	custom_domain_name="${{ env.CUSTOM_DOMAIN_NAME }}"
	uptime_status_domain_name="${{ env.UPTIME_STATUS_DOMAIN_NAME }}"
	aws_ecr_uri="${{ env.AWS_ECR_URI }}"
	grafana_api_token="${{ env.GRAFANA_API_TOKEN }}"
	grafana_api_url="${{ env.GRAFANA_API_URL }}"
	include_digital_credential="${{ env.INCLUDE_DIGITAL_CREDENTIAL }}"
	rc_webhook="${{ secrets.RC_SSO_OPS_WEBHOOK }}"
	ms_graph_api_authority="${{secrets.MS_GRAPH_API_AUTHORITY}}"
	ms_graph_api_client_id="${{secrets.MS_GRAPH_API_CLIENT_ID}}"
	ms_graph_api_client_secret="${{secrets.MS_GRAPH_API_CLIENT_SECRET}}"
	install_grafana="${{ env.INSTALL_GRAFANA == 'true' && 1 \|\| 0 }}"
	install_redis="${{ env.INSTALL_REDIS == 'true' && 1 \|\| 0 }}"

	allow_bc_services_card_prod="${{env.ALLOW_BC_SERVICES_CARD_PROD}}"
	include_bc_services_card="${{env.INCLUDE_BC_SERVICES_CARD}}"
	bcsc_initial_access_token_dev="${{env.BCSC_INITIAL_ACCESS_TOKEN_DEV}}"
	bcsc_initial_access_token_test="${{env.BCSC_INITIAL_ACCESS_TOKEN_TEST}}"
	bcsc_initial_access_token_prod="${{env.BCSC_INITIAL_ACCESS_TOKEN_PROD}}"
	bcsc_registration_base_url_dev="${{env.BCSC_REGISTRATION_BASE_URL_DEV}}"
	bcsc_registration_base_url_test="${{env.BCSC_REGISTRATION_BASE_URL_TEST}}"
	bcsc_registration_base_url_prod="${{env.BCSC_REGISTRATION_BASE_URL_PROD}}"
	EOF

	working-directory: ./terraform

	- name: Terraform Init
	id: init
	run: terraform init -upgrade
	working-directory: ./terraform

	- name: Terraform Plan
	id: plan
	if: github.event_name == 'pull_request'
	run: terraform plan -no-color
	working-directory: ./terraform
	continue-on-error: true

	- uses: actions/github-script@v7
	if: github.event_name == 'pull_request'
	env:
	PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
	with:
	github-token: ${{ secrets.GITHUB_TOKEN }}
	script: \|
	const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
	#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
	#### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
	#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`

	<details><summary>Show Plan</summary>

	\`\`\`\n
	${process.env.PLAN}
	\`\`\`

	</details>

	Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\``;

	github.rest.issues.createComment({
	issue_number: context.issue.number,
	owner: context.repo.owner,
	repo: context.repo.repo,
	body: output
	})

	- name: Terraform Plan Status
	if: steps.plan.outcome == 'failure'
	run: exit 1

	- name: Terraform Apply
	if: github.event_name == 'push'
	run: terraform apply -auto-approve
	working-directory: ./terraform

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: bump next #3095

Workflow file

chore: bump next #3095

Jobs

Run details

Workflow file for this run