RDS Immutable Backups (#2244) #1426

Workflow file for this run

.github/workflows/merge_to_main_staging.yml at 39b042e

	name: "Merge to main (Staging)"

	on:
	# This will be used to dispatch this workflow from the manifest repo when environment variables change
	workflow_dispatch:
	push:
	branches:
	- main
	paths:
	- ".env"
	- "aws/**"
	- "env/staging/**"
	- "env/staging_config.tfvars"
	- ".github/workflows/merge_to_main_staging.yml"

	defaults:
	run:
	shell: bash

	env:
	ACCOUNT_ID: ${{ secrets.STAGING_AWS_ACCOUNT_ID }}
	AWS_REGION: ca-central-1
	ENVIRONMENT: staging
	OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN_STAGING }}
	WORKFLOW: true

	permissions:
	id-token: write
	contents: write
	pull-requests: write

	jobs:

	terragrunt-apply-common:
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformDevApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply COMMON
	run: \|
	cd env/${{env.ENVIRONMENT}}/common
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-ecr:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: Configure credentials to Notify Private ECR using OIDC
	uses: aws-actions/configure-aws-credentials@master
	with:
	role-to-assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role-session-name: NotifyApiGitHubActions
	aws-region: "ca-central-1"

	- name: Login to Amazon ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@v2

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformDevApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply ECR
	run: \|
	cd env/${{env.ENVIRONMENT}}/ecr
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-ecr-us-east:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: Configure credentials to Notify Private ECR using OIDC
	uses: aws-actions/configure-aws-credentials@master
	with:
	role-to-assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role-session-name: NotifyApiGitHubActions
	aws-region: "us-east-1"

	- name: Login to Amazon ECR
	id: login-ecr
	uses: aws-actions/amazon-ecr-login@v2

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformDevApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply ECR
	run: \|
	cd env/${{env.ENVIRONMENT}}/ecr-us-east
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m


	terragrunt-apply-ses_receiving_emails:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-ecr,terragrunt-apply-ecr-us-east]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply ses_receiving_emails
	run: \|
	cd env/${{env.ENVIRONMENT}}/ses_receiving_emails
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-dns:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-ses_receiving_emails]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply dns
	run: \|
	cd env/${{env.ENVIRONMENT}}/dns
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-ses_validation_dns_entries:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-dns]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply ses_validation_dns_entries
	run: \|
	cd env/${{env.ENVIRONMENT}}/ses_validation_dns_entries
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m


	terragrunt-apply-cloudfront:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply cloudfront
	run: \|
	cd env/${{env.ENVIRONMENT}}/cloudfront
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-eks:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-dns,terragrunt-apply-cloudfront]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply eks
	run: \|
	cd env/${{env.ENVIRONMENT}}/eks
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-aws-auth:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-eks]
	env:
	COMPONENT: "aws-auth"
	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install sponge
	run: \|
	sudo apt update
	sudo apt-get install -y moreutils

	- name: Install OpenVPN
	run: \|
	sudo apt update
	sudo apt install -y openvpn openvpn-systemd-resolved

	- name: Install 1Pass CLI and Download TFVars
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws && cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: Retrieve VPN Config
	run: \|
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars
	cd ../env/${{env.ENVIRONMENT}}/eks
	terragrunt init -upgrade
	ENDPOINT_ID=$(terragrunt output --raw gha_vpn_id)
	CERT=$(terragrunt output --raw gha_vpn_certificate)
	KEY=$(terragrunt output --raw gha_vpn_key)
	aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id $ENDPOINT_ID --output text > /var/tmp/${{env.ENVIRONMENT}}.ovpn
	echo "<cert>
	$CERT
	</cert>" >> /var/tmp/${{env.ENVIRONMENT}}.ovpn
	echo "<key>
	$KEY
	</key>" >> /var/tmp/${{env.ENVIRONMENT}}.ovpn

	- name: Setup helmfile
	uses: ./.github/actions/setup-helmfile-wrapper


	- name: Connect to VPN
	uses: "kota65535/github-openvpn-connect-action@cd2ed8a90cc7b060dc4e001143e811b5f7ea0af5" # v3.1.0
	with:
	config_file: /var/tmp/${{env.ENVIRONMENT}}.ovpn
	echo_config: false

	- name: Configure kubeconfig
	run: \|
	aws eks update-kubeconfig --name notification-canada-ca-${{env.ENVIRONMENT}}-eks-cluster
	kubectl config rename-context arn:aws:eks:ca-central-1:${{env.ACCOUNT_ID}}:cluster/notification-canada-ca-${{env.ENVIRONMENT}}-eks-cluster ${{env.ENVIRONMENT}}

	- name: terragrunt apply aws-auth
	run: \|
	cd env/${{env.ENVIRONMENT}}/aws-auth
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-elasticache:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-eks]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply elasticache
	run: \|
	cd env/${{env.ENVIRONMENT}}/elasticache
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-rds:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-eks]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply rds
	run: \|
	cd env/${{env.ENVIRONMENT}}/rds
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-lambda-api:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-ecr,terragrunt-apply-rds]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply lambda-api
	run: \|
	cd env/${{env.ENVIRONMENT}}/lambda-api
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-lambda-admin-pr:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-elasticache,terragrunt-apply-ecr]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply lambda-admin-pr
	run: \|
	cd env/${{env.ENVIRONMENT}}/lambda-admin-pr
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-performance-test:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-ecr]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply performance-test
	run: \|
	cd env/${{env.ENVIRONMENT}}/performance-test
	terragrunt init --upgrade --reconfigure
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-heartbeat:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-ecr]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply heartbeat
	run: \|
	cd env/${{env.ENVIRONMENT}}/heartbeat
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-database-tools:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-rds]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply database-tools
	run: \|
	cd env/${{env.ENVIRONMENT}}/database-tools
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-quicksight:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-rds]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply quicksight
	run: \|
	cd env/${{env.ENVIRONMENT}}/quicksight
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-lambda-google-cidr:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-eks,terragrunt-apply-ecr]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply lambda-google-cidr
	run: \|
	cd env/${{env.ENVIRONMENT}}/lambda-google-cidr
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-ses_to_sqs_email_callbacks:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-ecr]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply ses_to_sqs_email_callbacks
	run: \|
	cd env/${{env.ENVIRONMENT}}/ses_to_sqs_email_callbacks
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-sns_to_sqs_sms_callbacks:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-ecr]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply sns_to_sqs_sms_callbacks
	run: \|
	cd env/${{env.ENVIRONMENT}}/sns_to_sqs_sms_callbacks
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-pinpoint_to_sqs_sms_callbacks:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-ecr]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply pinpoint_to_sqs_sms_callbacks
	run: \|
	cd env/${{env.ENVIRONMENT}}/pinpoint_to_sqs_sms_callbacks
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-system_status:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-ecr,terragrunt-apply-rds,terragrunt-apply-eks]

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply system_status
	run: \|
	cd env/${{env.ENVIRONMENT}}/system_status
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-system_status_static_site:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	needs: [terragrunt-apply-common,terragrunt-apply-system_status]
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply system_status_static_site
	run: \|
	cd env/${{env.ENVIRONMENT}}/system_status_static_site
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-newrelic:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	needs: [terragrunt-apply-common]
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply newrelic
	run: \|
	cd env/${{env.ENVIRONMENT}}/newrelic
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-manifest_secrets:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	needs: [terragrunt-apply-rds, terragrunt-apply-elasticache, terragrunt-apply-eks, terragrunt-apply-ecr, terragrunt-apply-lambda-api, terragrunt-apply-lambda-admin-pr, terragrunt-apply-performance-test, terragrunt-apply-heartbeat, terragrunt-apply-database-tools, terragrunt-apply-quicksight, terragrunt-apply-lambda-google-cidr, terragrunt-apply-ses_to_sqs_email_callbacks, terragrunt-apply-sns_to_sqs_sms_callbacks, terragrunt-apply-pinpoint_to_sqs_sms_callbacks, terragrunt-apply-system_status, terragrunt-apply-system_status_static_site, terragrunt-apply-newrelic]
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply manifest_secrets
	run: \|
	cd env/${{env.ENVIRONMENT}}/manifest_secrets
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	terragrunt-apply-github:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	needs: [terragrunt-apply-rds, terragrunt-apply-elasticache, terragrunt-apply-eks, terragrunt-apply-ecr, terragrunt-apply-lambda-api, terragrunt-apply-lambda-admin-pr, terragrunt-apply-performance-test, terragrunt-apply-heartbeat, terragrunt-apply-database-tools, terragrunt-apply-quicksight, terragrunt-apply-lambda-google-cidr, terragrunt-apply-ses_to_sqs_email_callbacks, terragrunt-apply-sns_to_sqs_sms_callbacks, terragrunt-apply-pinpoint_to_sqs_sms_callbacks, terragrunt-apply-system_status, terragrunt-apply-system_status_static_site, terragrunt-apply-newrelic]
	runs-on: ubuntu-latest

	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: setup-terraform
	uses: ./.github/actions/setup-terraform
	with:
	role_to_assume: arn:aws:iam::${{env.ACCOUNT_ID}}:role/notification-terraform-apply
	role_session_name: NotifyTerraformApply

	- name: Install 1Pass CLI
	run: \|
	curl -o 1pass.deb https://downloads.1password.com/linux/debian/amd64/stable/1password-cli-amd64-latest.deb
	sudo dpkg -i 1pass.deb
	sudo mkdir -p aws
	cd aws
	op read op://4eyyuwddp6w4vxlabrr2i2duxm/"TERRAFORM_SECRETS_${{env.ENVIRONMENT}}"/notesPlain > ${{env.ENVIRONMENT}}.tfvars

	- name: terragrunt apply github
	run: \|
	cd env/${{env.ENVIRONMENT}}/github
	terragrunt init -upgrade
	terragrunt apply --terragrunt-non-interactive -auto-approve -lock-timeout=10m

	bump-version-and-push-tag:
	if: \|
	always() &&
	github.event_name != 'workflow_dispatch' &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-common,terragrunt-apply-ecr,terragrunt-apply-dns,terragrunt-apply-ses_validation_dns_entries,terragrunt-apply-cloudfront,terragrunt-apply-eks,terragrunt-apply-elasticache,terragrunt-apply-rds,terragrunt-apply-lambda-api,terragrunt-apply-heartbeat,terragrunt-apply-database-tools,terragrunt-apply-quicksight,terragrunt-apply-lambda-google-cidr,terragrunt-apply-ses_to_sqs_email_callbacks,terragrunt-apply-sns_to_sqs_sms_callbacks,terragrunt-apply-pinpoint_to_sqs_sms_callbacks,terragrunt-apply-system_status,terragrunt-apply-ses_receiving_emails,terragrunt-apply-system_status_static_site,terragrunt-apply-newrelic,terragrunt-apply-manifest_secrets]
	steps:
	- name: Checkout
	uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0

	- name: bump-version-and-push-tag
	uses: mathieudutour/github-tag-action@bcb832838e1612ff92089d914bccc0fd39458223 # v4.6
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	release_branches: main

	trigger-manifests-helmfile-staging-apply:
	if: \|
	always() &&
	!contains(needs.*.result, 'failure') &&
	!contains(needs.*.result, 'cancelled')
	runs-on: ubuntu-latest
	needs: [terragrunt-apply-manifest_secrets]
	steps:
	- name: Trigger manifests helmfile staging apply
	uses: actions/github-script@v7
	with:
	github-token: ${{ secrets.MANIFESTS_WORKFLOW_TOKEN }}
	script: \|
	const result = await github.rest.actions.createWorkflowDispatch({
	owner: 'cds-snc',
	repo: 'notification-manifests',
	workflow_id: 'helmfile_staging_apply.yaml',
	ref: 'main'
	});
	console.log('Triggered helmfile staging apply workflow:', result.status);

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

RDS Immutable Backups (#2244) #1426

Workflow file

RDS Immutable Backups (#2244) #1426

Uh oh!

Jobs

Run details

Workflow file for this run