Merge pull request #5761 from ministryofjustice/bug/nuke-workflow

🐛  Redeploy After Nuke Update - Terraform init assume backend role

.github/workflows/nuke-redeploy.yml

@@ -1,5 +1,5 @@
----
 name: Redeploy after nuke
+
 on:
   push:
     branches:
@@ -21,6 +21,7 @@ env:
   AWS_REGION: "eu-west-2"
   ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
   NUKE_REDEPLOY_ACCOUNTS: ${{ secrets.MODERNISATION_PLATFORM_AUTONUKE_REBUILD }}
+  BACKEND_NUMBER: ${{ secrets.MODERNISATION_PLATFORM_ACCOUNT_ID }}
   TF_IN_AUTOMATION: true
 
 permissions: {}
@@ -37,6 +38,7 @@ jobs:
     steps:
       - id: set-matrix
         run: echo "matrix=$(jq -c '.|sort' <<< $NUKE_REDEPLOY_ACCOUNTS)" >> $GITHUB_OUTPUT
+
   redeploy-after-nuke:
     permissions:
       id-token: write # This is required for requesting the JWT
@@ -51,32 +53,37 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+
       - name: Set Account Number
         run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${ACCOUNT_NAME}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV
+
       - name: configure aws credentials
         uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
         with:
           role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions"
           role-session-name: githubactionsrolesession
           aws-region: ${{ env.AWS_REGION }}
+
       - name: Load and Configure Terraform
         uses: hashicorp/setup-terraform@a1502cd9e758c50496cc9ac5308c4843bcd56d36 # v3.0.0
         with:
           terraform_version: "~1"
           terraform_wrapper: false
+
       - name: Plan after nuke - ${{ matrix.nuke_accts }}
         run: |
           terraform --version
           echo "Terraform Plan - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name
-          bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development}
+          bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/modernisation-account-terraform-state-member-access\"}"
           terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}"
           bash scripts/terraform-plan.sh terraform/environments/${ACCOUNT_NAME%-development}
+
       - name: Apply after nuke - ${{ matrix.nuke_accts }}
         if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main') }}
         run: |
           terraform --version
           echo "Terraform apply - ${ACCOUNT_NAME%-development}" # removes the -development suffix in order to get the directory name
-          bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development}
+          bash scripts/terraform-init.sh terraform/environments/${ACCOUNT_NAME%-development} "assume_role={role_arn=\"arn:aws:iam::${{ env.BACKEND_NUMBER }}:role/modernisation-account-terraform-state-member-access\"}"
           terraform -chdir="terraform/environments/${ACCOUNT_NAME%-development}" workspace select "${ACCOUNT_NAME}"
           bash scripts/terraform-apply.sh terraform/environments/${ACCOUNT_NAME%-development}
     env:

scripts/terraform-apply-after-nuke.sh

@@ -14,6 +14,9 @@ nuke_account_ids_json=$(aws secretsmanager get-secret-value --secret-id nuke_acc
 declare -A account_ids
 eval "$(jq -r '.NUKE_ACCOUNT_IDS | to_entries | .[] |"account_ids[" + (.key | @sh) + "]=" + (.value | @sh)' <<<"$nuke_account_ids_json")"
 
+# Retrieve Modernisation Platform Account Id 
+BACKEND_NUMBER=$(aws ssm get-parameters --region eu-west-2 --names "modernisation_platform_account_id" --with-decryption --query "Parameters[*].{Value:Value}" --output text)
+
 redeployed_envs=()
 skipped_envs=()
 failed_envs=()
@@ -22,7 +25,7 @@ for key in "${!account_ids[@]}"; do
   to_dir_name "$key"
   if [[ "$NUKE_DO_NOT_RECREATE_ENVIRONMENTS" != *"${dir_name}-development,"* ]]; then
     echo "BEGIN: terraform apply ${dir_name}-development"
-    bash scripts/terraform-init.sh "terraform/environments/${dir_name}" || exit_code=$?
+    bash scripts/terraform-init.sh "terraform/environments/${dir_name}" "assume_role={role_arn=\"arn:aws:iam::${BACKEND_NUMBER}:role/modernisation-account-terraform-state-member-access\"}" || exit_code=$?
     terraform -chdir="terraform/environments/${dir_name}" workspace select "${dir_name}-development" || exit_code=$?
     bash scripts/terraform-apply.sh "terraform/environments/${dir_name}" || exit_code=$?
     if [[ $exit_code -ne 0 ]]; then

scripts/terraform-init.sh

@@ -2,13 +2,13 @@
 
 set -e
 
-# This script runs terraform init with input set to false and no color outputs, suitable for running as part of a CI/CD pipeline.
-# You need to pass through a Terraform directory as an argument, e.g.
-# sh terraform-init.sh terraform/environments
+# This script runs terraform init with input set to false, no color outputs, and backend-config, suitable for running as part of a CI/CD pipeline.
+# You need to pass through a Terraform directory and backend config as arguments, e.g.
+# sh terraform-init.sh terraform/environments "assume_role={role_arn=\"arn:aws:iam::123456789012:role/modernisation-account-terraform-state-member-access\"}"
 
-if [ -z "$1" ]; then
-  echo "Unsure where to run terraform, exiting"
+if [ -z "$1" ] || [ -z "$2" ]; then
+  echo "Unsure where to run terraform, exiting. (Usage: terraform-init.sh <terraform_directory> <backend_config>)"
   exit 1
 else
-  terraform -chdir="$1" init -input=false -no-color
+  terraform -chdir="$1" init -input=false -no-color -backend-config="$2"
 fi