CDCgov · devopsmatt · Jan 22, 2025 · Jan 15, 2025 · Jan 17, 2025 · Jan 21, 2025
diff --git a/.github/workflows/0 b/.github/workflows/0
diff --git a/.github/workflows/alert_MBUsers_Inactive.yml b/.github/workflows/alert_MBUsers_Inactive.yml
@@ -48,7 +48,8 @@ jobs:
           message: |
             ${{ steps.users_out.outputs.MESSAGE_RESPONSE }}
           icon-emoji: ':hourglass_flowing_sand:'
-          channel: temp-cdc-rs-notifications  # Updated channel
+          channel: cdc-reportstream-bot-notifications
+  # Updated channel in slack
           webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}  # Updated webhook secret
           color: warning
           slackify-markdown: true
diff --git a/.github/workflows/alert_PD_schedule_Slack.yml b/.github/workflows/alert_PD_schedule_Slack.yml
@@ -5,9 +5,8 @@ on:
     - cron: "7 13 * * Mon"  #UTC-5
 
 env:
-  channel: temp-cdc-rs-notifications
-  # prime-reportstream-engineering
-
+  channel: cdc-reportstream-bot-notifications
+  # Updated Slack Channel
 jobs:
   pre_job:
     name: Pre Job

diff --git a/.github/workflows/alert_cert_expire.yml b/.github/workflows/alert_cert_expire.yml
@@ -61,7 +61,7 @@ jobs:
           message: |
             ${{ steps.format_out.outputs.LIST }}
           icon-emoji: ':bell:'
-          channel: temp-cdc-rs-notifications  # Updated channel
+          channel: cdc-reportstream-bot-notifications
           webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}  # Updated webhook secret
           color: warning
 

diff --git a/.github/workflows/alert_resource_costs.yml b/.github/workflows/alert_resource_costs.yml
@@ -65,7 +65,8 @@ jobs:
             * **Provisioned by: \`${{ steps.last-pusher.outputs.username }}\`**
             * **Last Change Date: \`${{ steps.last-pusher.outputs.last_change_date }}\`**
           icon-emoji: ':money_with_wings:'
-          channel: temp-cdc-rs-notifications  # Updated channel
+          channel: cdc-reportstream-bot-notifications
+  # Updated channel
           webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}  # Updated webhook secret
           color: failure
           slackify-markdown: true
diff --git a/.github/workflows/alert_terraform_changes.yml b/.github/workflows/alert_terraform_changes.yml
@@ -65,6 +65,7 @@ jobs:
             "resource-drifts": "${{ env.resource-drifts }}"
 
           icon-emoji: ':bell:'
-          channel: temp-cdc-rs-notifications  # Updated channel
+          channel: cdc-reportstream-bot-notifications
+  # Updated Slack channel
           webhook-url: ${{ secrets.SLACK_NOTIFICATIONS_WEBHOOK_URL }}  # Updated webhook secret
           color: warning
@@ -1,85 +1,126 @@
-name: Cleanup ACR images
+name: Deploy Terraform
 
 on:
-  schedule:
-    - cron:  "0 0 * * *" # Runs daily at midnight UTC
-
+  push:
+    branches:
+      - main
+      - production
+    paths:
+      - '**.tf'
 
 env:
   AZURE_CREDENTIALS: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ secrets.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
 
 jobs:
-  cleanup_images:
+  pre_job:
+    name: Set Build Environment
+    concurrency:
+      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
+      cancel-in-progress: true
     runs-on: ubuntu-latest
-    strategy:
-      max-parallel: 1
-      matrix:
-        env: [staging, prod]
+    outputs:
+      env_name: ${{ steps.build_vars.outputs.env_name }}
+      tf_change: ${{ steps.build_vars.outputs.has_terraform_change }}
     steps:
-      - name: "Check out changes"
+      - name: Check out changes
         uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - name: Build vars
+        id: build_vars
+        uses: ./.github/actions/build-vars
 
-      - name: Connect to VPN & Login into Azure
+  confirm_changes:
+    name: Check Terraform Stats - ${{ needs.pre_job.outputs.env_name }}
+    if: ${{ needs.pre_job.outputs.tf_change == 'true' }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
+      cancel-in-progress: true
+    needs:
+      - pre_job
+    environment: ${{ needs.pre_job.outputs.env_name }}
+    runs-on: ubuntu-latest
+    outputs:
+      change_count: ${{ steps.stats1.outputs.change-count }}
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - name: Connect to VPN and login to Azure
         uses: ./.github/actions/vpn-azure
         with:
+          env-name: ${{ needs.pre_job.outputs.env_name }}
           tls-key: ${{ secrets.TLS_KEY }}
           ca-cert: ${{ secrets.CA_CRT}}
           user-crt: ${{ secrets.USER_CRT }}
           user-key: ${{ secrets.USER_KEY }}
           sp-creds: ${{ env.AZURE_CREDENTIALS }}
+          tf-auth: true
+      - name: Collect Terraform stats
+        uses: josiahsiegel/terraform-stats@68b8cbe42c494333fbf6f8d90ac86da1fb69dcc2
+        id: stats1
+        with:
+          terraform-directory: operations/app/terraform/vars/${{ needs.pre_job.outputs.env_name }}
+          terraform-version: 1.7.4
+          add-args: "-refresh=false"
+  - name: Run Terraform Plan
+    run: |
+      terraform init -input=false
+      terraform validate
+      terraform fmt -recursive
+      terraform plan -out=tf.plan
+  - name: Run Terraform Apply
+    run: |
+      terraform apply -input=false -no-color -lock-timeout=600s -auto-approve tf.plan
 
-      - name: List ${{ matrix.env }} repository images
-        run: |
-          az acr login --name pdh${{ matrix.env }}containerregistry
-          images=$(az acr repository show-tags --name pdh${{ matrix.env }}containerregistry --repository pdh${{ matrix.env }} --orderby time_asc --output table)
-          echo "Reserving latest 2 from:"
-          echo "$images"
-          echo "$images" | head -n -2 > ${{ matrix.env }}-images.txt
-          sed -i '1,2d' ${{ matrix.env }}-images.txt
-
-      - name: Delete old images in ${{ matrix.env }} env
-        env:
-          IMAGE_FILE: ${{ matrix.env }}-images.txt
-        run: |
-          if [ -e "$IMAGE_FILE" ]; then
-            while IFS= read -r image_id; do
-                az acr repository delete --name pdh${{ matrix.env }}containerregistry --image pdh${{ matrix.env }}:$image_id --yes
-                if [ $? -eq 0 ]; then
-                    echo "Deleted image: pdh${{ matrix.env }}containerregistry:$image_id"
-                else
-                    echo "Failed to delete image: pdh${{ matrix.env }}containerregistry:$image_id"
-                fi
-            done < "$IMAGE_FILE"
-              else
-                echo "File not found: $IMAGE_FILE"
-          fi
-
-        # Pushing a modified image using an existing tag untags the previously pushed image,
-        # resulting in an orphaned (or "dangling") image.
-        # The previously pushed image's manifest--and its layer data--remains in the registry.
-        # They still need to be removed
-
-      - name: List image manifests in ${{ matrix.env }} env
-        run: |
-          az acr login --name pdh${{ matrix.env }}containerregistry
-          manifest=$(az acr manifest list-metadata -r pdh${{ matrix.env }}containerregistry -n pdh${{ matrix.env }} --orderby time_asc --output tsv --query "[*].{Digest:digest}")
-          echo "Reserving latest 4 from:"
-          echo "$manifest"
-          echo "$manifest" | head -n -4 > ${{ matrix.env }}-untaged-images.txt
+  approve_deploy:
+    name: Approve Deploy - ${{ needs.pre_job.outputs.env_name }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
+      cancel-in-progress: true
+    needs:
+      - pre_job
+      - confirm_changes
+    if: needs.confirm_changes.outputs.change_count > '0'
+    runs-on: ubuntu-latest
+    environment: ${{ needs.pre_job.outputs.env_name }}_terraform
+    steps:
+      - name: Echo change count
+        run: echo ${{ needs.confirm_changes.outputs.change_count }}
 
-      - name: Delete image manifest in ${{ matrix.env }} env
-        env:
-          UNTAGED_FILE: ${{ matrix.env }}-untaged-images.txt
+  run_deploy:
+    name: Run Deploy - ${{ needs.pre_job.outputs.env_name }}
+    concurrency:
+      group: ${{ github.workflow }}-${{ needs.pre_job.outputs.env_name }}
+      cancel-in-progress: true
+    needs:
+      - pre_job
+      - approve_deploy
+    if: needs.confirm_changes.outputs.change_count > '0'
+    runs-on: ubuntu-latest
+    environment: ${{ needs.pre_job.outputs.env_name }}
+    defaults:
+      run:
+        working-directory: operations/app/terraform/vars/${{ needs.pre_job.outputs.env_name }}
+    steps:
+      - name: Check Out Changes
+        uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938
+      - name: Connect to VPN and login to Azure
+        uses: ./.github/actions/vpn-azure
+        with:
+          env-name: ${{ needs.pre_job.outputs.env_name }}
+          tls-key: ${{ secrets.TLS_KEY }}
+          ca-cert: ${{ secrets.CA_CRT}}
+          user-crt: ${{ secrets.USER_CRT }}
+          user-key: ${{ secrets.USER_KEY }}
+          sp-creds: ${{ env.AZURE_CREDENTIALS }}
+          tf-auth: true
+      - name: Use specific version of Terraform
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd
+        with:
+          terraform_version: 1.7.4
+          terraform_wrapper: false
+      - name: Run Terraform
         run: |
-          if [ -e "$UNTAGED_FILE" ]; then
-            while IFS= read -r manifest_id; do
-                az acr repository delete --name pdh${{ matrix.env }}containerregistry --image pdh${{ matrix.env }}@$manifest_id --yes
-                if [ $? -eq 0 ]; then
-                    echo "Deleted image: pdh${{ matrix.env }}:$manifest_id"
-                else
-                    echo "Failed to delete image: pdh${{ matrix.env }}:$manifest_id"
-                fi
-            done < "$UNTAGED_FILE"
-              else
-                echo "File not found: $UNTAGED_FILE"
-          fi
+          terraform init -input=false
+          terraform validate
+          terraform fmt -recursive
+          terraform plan -out ${{ needs.pre_job.outputs.env_name }}-tf.plan
+          terraform apply -input=false -no-color -lock-timeout=600s -auto-approve ${{ needs.pre_job.outputs.env_name }}-tf.plan
@@ -63,7 +63,16 @@ jobs:
           terraform-directory: operations/app/terraform/vars/${{ needs.pre_job.outputs.env_name }}
           terraform-version: 1.7.4
           add-args: "-refresh=false"
-
+        -name:  Run Terraform Plan
+          run: |
+            terraform init -input=false
+            terraform validate
+            terraform fmt -recursive
+            terraform plan -out=tf.plan
+        - name: Run Terraform Apply
+          run: |
+            terraform apply -input=false -no-color -lock-timeout=600s -auto-approve tf.plan
+
   approve_deploy:
     name: Approve Deploy - ${{ needs.pre_job.outputs.env_name }}
     concurrency: