#8 Move SSM parameter definitions to bootstrap terraform #9
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Pull Request Checks | |
| on: | |
| pull_request: | |
| branches: [main, live] | |
| jobs: | |
| backend-tests: | |
| name: Backend Tests | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| working-directory: ./serverless | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Use Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "20" | |
| cache: "npm" | |
| cache-dependency-path: "./serverless/package-lock.json" | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Run backend tests | |
| run: npm test | |
| - name: Run linting | |
| run: npm run lint | |
| - name: Check TypeScript build | |
| run: npx tsc --noEmit | |
| verify-ssm-parameters-dev: | |
| name: Verify SSM Parameters (Dev) | |
| if: github.base_ref == 'main' | |
| uses: ./.github/workflows/verify-ssm-parameters.yml | |
| with: | |
| environment: dev | |
| secrets: inherit | |
| verify-ssm-parameters-prod: | |
| name: Verify SSM Parameters (Prod) | |
| if: github.base_ref == 'live' | |
| uses: ./.github/workflows/verify-ssm-parameters.yml | |
| with: | |
| environment: prod | |
| secrets: inherit | |
| terraform-plan-dev: | |
| name: Terraform Plan (Dev) | |
| if: github.base_ref == 'main' | |
| runs-on: ubuntu-latest | |
| needs: verify-ssm-parameters-dev | |
| defaults: | |
| run: | |
| working-directory: ./infra/terraform | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: latest | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-2 | |
| - name: Terraform Init | |
| working-directory: ./infra/terraform/dev | |
| run: terraform init | |
| - name: Set Terraform environment variables | |
| run: | | |
| echo "TF_VAR_alert_email=${{ vars.ALERT_EMAIL }}" >> $GITHUB_ENV | |
| - name: Terraform Plan | |
| working-directory: ./infra/terraform/dev | |
| timeout-minutes: 5 | |
| run: | | |
| echo "Starting Terraform plan at $(date)" | |
| echo "Current working directory: $(pwd)" | |
| echo "Terraform version: $(terraform version)" | |
| echo "AWS region: $AWS_REGION" | |
| echo "Checking state lock status..." | |
| # Add debugging for state backend | |
| terraform show -json 2>/dev/null | jq -r '.backend // "No backend info"' || echo "Could not query backend info" | |
| # Enable verbose logging | |
| export TF_LOG=DEBUG | |
| export TF_LOG_PATH=/tmp/terraform.log | |
| echo "Running terraform plan with timeout and debugging..." | |
| timeout 240 terraform plan -no-color -lock-timeout=60s > plan_full.txt 2>&1 || { | |
| exit_code=$? | |
| echo "Terraform plan failed with exit code: $exit_code" | |
| echo "=== Plan output ===" | |
| cat plan_full.txt | |
| echo "=== Terraform debug logs (last 50 lines) ===" | |
| tail -n 50 /tmp/terraform.log 2>/dev/null || echo "No debug logs available" | |
| echo "=== Current processes ===" | |
| ps aux | grep -E "(terraform|aws)" | grep -v grep || echo "No terraform/aws processes found" | |
| echo "plan<<EOF" >> $GITHUB_OUTPUT | |
| cat plan_full.txt >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| echo "has_changes=true" >> $GITHUB_OUTPUT | |
| exit $exit_code | |
| } | |
| echo "Terraform plan completed successfully at $(date)" | |
| cat plan_full.txt | |
| # Check if there are any changes planned | |
| if grep -q "No changes" plan_full.txt; then | |
| echo "has_changes=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_changes=true" >> $GITHUB_OUTPUT | |
| # Extract only the meaningful plan output (skipping "Refreshing state..." lines) | |
| grep -v "Refreshing state" plan_full.txt > plan_changes.txt | |
| echo "plan<<EOF" >> $GITHUB_OUTPUT | |
| cat plan_changes.txt >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| fi | |
| id: plan-dev | |
| - name: Add Dev Plan Comment | |
| if: steps.plan-dev.outputs.has_changes == 'true' | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const output = `#### Terraform Dev Plan 📋 | |
| \`\`\`terraform | |
| ${{ steps.plan-dev.outputs.plan || 'No output available' }} | |
| \`\`\` | |
| `; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) | |
| terraform-plan-prod: | |
| name: Terraform Plan (Prod) | |
| if: github.base_ref == 'live' | |
| runs-on: ubuntu-latest | |
| needs: verify-ssm-parameters-prod | |
| environment: prod | |
| defaults: | |
| run: | |
| working-directory: ./infra/terraform | |
| permissions: | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "1.11.4" | |
| - name: Configure AWS credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws-region: us-east-2 | |
| - name: Terraform Init | |
| working-directory: ./infra/terraform/prod | |
| run: terraform init | |
| - name: Check and Clear State Locks | |
| working-directory: ./infra/terraform/prod | |
| run: | | |
| echo "Checking for existing state locks in prod account..." | |
| # Try to acquire a lock briefly to see if one exists | |
| if ! timeout 10 terraform plan -detailed-exitcode >/dev/null 2>&1; then | |
| echo "Terraform operation failed, checking if it's a lock issue..." | |
| # Check the state file directly for lock info | |
| if aws s3 cp s3://jaildata-tf-state/terraform.tfstate - 2>/dev/null | jq -e '.lineage' >/dev/null 2>&1; then | |
| echo "State file exists and is readable" | |
| else | |
| echo "State file may have issues" | |
| fi | |
| # Try to force unlock any existing locks | |
| echo "Attempting to clear any existing locks..." | |
| terraform force-unlock -force $(aws s3 cp s3://jaildata-tf-state/.terraform/terraform.tfstate.lock.info - 2>/dev/null | jq -r '.ID // empty') 2>/dev/null || echo "No lock file found or unable to unlock" | |
| else | |
| echo "No lock detected" | |
| fi | |
| - name: Set Terraform environment variables | |
| run: | | |
| echo "TF_VAR_alert_email=${{ vars.ALERT_EMAIL }}" >> $GITHUB_ENV | |
| - name: Terraform Plan | |
| working-directory: ./infra/terraform/prod | |
| timeout-minutes: 5 | |
| run: | | |
| echo "Starting Terraform plan at $(date)" | |
| echo "Current working directory: $(pwd)" | |
| echo "Terraform version: $(terraform version)" | |
| echo "AWS region: $AWS_REGION" | |
| echo "Checking state lock status..." | |
| # Add debugging for state backend | |
| terraform show -json 2>/dev/null | jq -r '.backend // "No backend info"' || echo "Could not query backend info" | |
| # Enable verbose logging | |
| export TF_LOG=DEBUG | |
| export TF_LOG_PATH=/tmp/terraform.log | |
| echo "Running terraform plan with timeout and debugging..." | |
| timeout 240 terraform plan -no-color -lock-timeout=60s > plan_full.txt 2>&1 || { | |
| exit_code=$? | |
| echo "Terraform plan failed with exit code: $exit_code" | |
| echo "=== Plan output ===" | |
| cat plan_full.txt | |
| echo "=== Terraform debug logs (last 50 lines) ===" | |
| tail -n 50 /tmp/terraform.log 2>/dev/null || echo "No debug logs available" | |
| echo "=== Current processes ===" | |
| ps aux | grep -E "(terraform|aws)" | grep -v grep || echo "No terraform/aws processes found" | |
| echo "plan<<EOF" >> $GITHUB_OUTPUT | |
| cat plan_full.txt >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| echo "has_changes=true" >> $GITHUB_OUTPUT | |
| exit $exit_code | |
| } | |
| echo "Terraform plan completed successfully at $(date)" | |
| cat plan_full.txt | |
| # Check if there are any changes planned | |
| if grep -q "No changes" plan_full.txt; then | |
| echo "has_changes=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "has_changes=true" >> $GITHUB_OUTPUT | |
| # Extract only the meaningful plan output (skipping "Refreshing state..." lines) | |
| grep -v "Refreshing state" plan_full.txt > plan_changes.txt | |
| echo "plan<<EOF" >> $GITHUB_OUTPUT | |
| cat plan_changes.txt >> $GITHUB_OUTPUT | |
| echo "EOF" >> $GITHUB_OUTPUT | |
| fi | |
| id: plan-prod | |
| - name: Add Prod Plan Comment | |
| if: steps.plan-prod.outputs.has_changes == 'true' | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| const output = `#### Terraform Prod Plan 🏭 | |
| \`\`\`terraform | |
| ${{ steps.plan-prod.outputs.plan || 'No output available' }} | |
| \`\`\` | |
| `; | |
| github.rest.issues.createComment({ | |
| issue_number: context.issue.number, | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| body: output | |
| }) |