From 97ccfd27957bb38889e4cc68b15097ed870ca353 Mon Sep 17 00:00:00 2001 From: Danielle Adams Date: Wed, 21 Aug 2024 16:11:47 -0600 Subject: [PATCH] ARCH-2140 - Adding annotate app insights & pd change events Adding annotate-app-insights and a pagerduty-change-events-action to relevant workflows. --- .../im-deploy-az-app-manually.yml | 31 +++++++---- workflow-templates/im-deploy-az-database.yml | 9 ++- .../im-deploy-az-swap-app-slots.yml | 26 ++++++++- .../im-deploy-files-to-az-storage-account.yml | 54 ++++++++++++++++-- workflow-templates/im-deploy-iis-website.yml | 9 ++- .../im-deploy-on-prem-database.yml | 9 ++- ...loy-tf-auto-apply-main-to-dev-on-merge.yml | 25 +++++++-- .../im-deploy-tf-manual-apply.yml | 35 +++++++----- .../im-deploy-windows-files.yml | 10 +++- .../im-deploy-windows-service.yml | 9 ++- ...m-run-add-or-update-az-keyvault-secret.yml | 32 ++++++++++- .../im-run-delete-azure-blob.yml | 40 +++++++++++++- workflow-templates/im-run-flyway-repair.yml | 30 +++++++++- .../im-run-start-stop-restart-azure-app.yml | 23 +++++++- workflow-templates/im-run-tf-destroy.yml | 31 ++++++++++- workflow-templates/im-run-tf-import.yml | 55 ++++++++++++++++++- workflow-templates/im-run-tf-taint.yml | 52 +++++++++++++++++- workflow-templates/im-run-unlock-tf-state.yml | 53 +++++++++++++++++- 18 files changed, 481 insertions(+), 52 deletions(-) diff --git a/workflow-templates/im-deploy-az-app-manually.yml b/workflow-templates/im-deploy-az-app-manually.yml index 23226ef0..e2abbb11 100644 --- a/workflow-templates/im-deploy-az-app-manually.yml +++ b/workflow-templates/im-deploy-az-app-manually.yml @@ -1,4 +1,4 @@ -# Workflow Code: AmbitiousLizard_v52 DO NOT REMOVE +# Workflow Code: AmbitiousLizard_v53 DO NOT REMOVE # Purpose: # Gathers various stakeholder and attestor approvals, downloads artifacts from a release # with the specified tags, makes changes to any configuration files for the specified 
@@ -219,6 +219,7 @@ jobs: UNZIPPED_ASSET: 'published_app' # TODO: If you have multiple deployables, this name is probably different and you need to update the value. DEPLOY_ZIP: 'deploy.zip' # TODO: remove if this workflow is for an azure function AZ_APP_TYPE: 'webapp' # TODO: If this workflow is for an azure function, change this value to functionapp + AZ_APP_NAME: ${{ needs.set-vars.outputs.AZ_APP_NAME }} steps: - name: Download artifacts from release @@ -329,18 +330,18 @@ jobs: # - name: Create a deployment slot # run: | # az ${{ env.AZ_APP_TYPE }} deployment slot create \ - # --name ${{ needs.set-vars.outputs.AZ_APP_NAME }} \ + # --name ${{ env.AZ_APP_NAME }} \ # --slot ${{ env.AZ_SLOT_NAME }} \ # --resource-group ${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }} \ # --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ - # --configuration-source ${{ needs.set-vars.outputs.AZ_APP_NAME }} + # --configuration-source ${{ env.AZ_APP_NAME }} # TODO: Uncomment if you use User Managed Identity in your app service. # - name: Assign MSI to slot # if: steps.create-slot.outcome == 'success' # run: | # az webapp identity assign \ - # --name ${{ needs.set-vars.outputs.AZ_APP_NAME }} \ + # --name ${{ env.AZ_APP_NAME }} \ # --resource-group ${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }} \ # --slot ${{ env.AZ_SLOT_NAME }} \ # --identities /subscriptions/${{ vars.ARM_SUBSCRIPTION_ID }}/resourcegroups/${{ needs.set-vars.outputs.PRIMARY_RESOURCE_GROUP }}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/${{ needs.set-vars.outputs.AZ_APP_MSI }} @@ -350,7 +351,7 @@ jobs: # if: steps.create-slot.outcome == 'success' # run: | # az webapp vnet-integration add \ - # --name ${{ needs.set-vars.outputs.AZ_APP_NAME }} \ + # --name ${{ env.AZ_APP_NAME }} \ # --resource-group ${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }} \ # --vnet ${{ needs.set-vars.outputs.VNET }} \ # --subnet ${{ needs.set-vars.outputs.SUBNET }} \ 
@@ -360,7 +361,7 @@ jobs: - name: Deploy to Azure Web App uses: azure/webapps-deploy@v3 with: - app-name: ${{ needs.set-vars.outputs.AZ_APP_NAME }} + app-name: ${{ env.AZ_APP_NAME }} package: ./${{ env.DEPLOY_ZIP }} slot-name: ${{ env.AZ_SLOT_NAME }} # TODO: Delete if not using slots @@ -368,7 +369,7 @@ jobs: - name: Deploy to Azure Function uses: azure/functions-action@v1 with: - app-name: ${{ needs.set-vars.outputs.AZ_APP_NAME }} + app-name: ${{ env.AZ_APP_NAME }} package: ./${{ env.UNZIPPED_ASSET }} slot-name: ${{ env.AZ_SLOT_NAME }} # TODO: Delete if not using slots @@ -379,7 +380,7 @@ jobs: # az ${{ env.AZ_APP_TYPE }} deployment slot swap \ # --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ # --resource-group ${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }} \ - # --name ${{ needs.set-vars.outputs.AZ_APP_NAME }} \ + # --name ${{ env.AZ_APP_NAME }} \ # --slot ${{ env.AZ_SLOT_NAME }} \ # --target-slot ${{ env.TARGET_SLOT }} @@ -388,7 +389,7 @@ jobs: # - run: | # az ${{ env.AZ_APP_TYPE }} deployment slot delete \ # --slot ${{ env.AZ_SLOT_NAME }} \ - # --name ${{ needs.set-vars.outputs.AZ_APP_NAME }} \ + # --name ${{ env.AZ_APP_NAME }} \ # --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ # --resource-group ${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }} 
@@ -406,16 +407,22 @@ jobs: pagerduty-api-key: ${{ secrets.PAGERDUTY_API_KEY }} # This is an org-level secret maintenance-window-id: ${{ steps.open-window.outputs.maintenance-window-id }} - # TODO: Delete the following step if not using app insights - name: Annotate App Insights uses: im-open/create-app-insights-annotation@v1.0 with: subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable resourceGroupName: ${{ needs.set-vars.outputs.PRIMARY_RESOURCE_GROUP }} appInsightsResourceName: '${{ needs.set-vars.outputs.APP_INSIGHTS_NAME }}' - releaseName: '${{ needs.set-vars.outputs.AZ_APP_NAME }}-${{ env.RELEASE_TAG }}' + releaseName: '${{ env.AZ_APP_NAME }}-${{ env.RELEASE_TAG }}' category: 'Deployment' - customMetadata: 'ProjectName=${{ needs.set-vars.outputs.AZ_APP_NAME }},DeployedBy=${{ github.actor }},RunID=${{ github.run_id }}' + customMetadata: 'ProjectName=${{ env.AZ_APP_NAME }},DeployedBy=${{ github.actor }},RunID=${{ github.run_id }}' + + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] ${{ inputs.tag }} deployed to ${{ inputs.environment-or-target }} ${{ env.AZ_APP_NAME }} (${{ job.status }})' - name: Azure logout if: always() && steps.login.outcome == 'success' diff --git a/workflow-templates/im-deploy-az-database.yml b/workflow-templates/im-deploy-az-database.yml index a45efd73..379a8f5b 100644 --- a/workflow-templates/im-deploy-az-database.yml +++ b/workflow-templates/im-deploy-az-database.yml 
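Review bot: The `Annotate App Insights` step loses its "delete the following step if not using app insights" escape hatch here and, like the new `Send Deployment Event to PagerDuty` step below it, has no `continue-on-error: true`, so a failing annotation or a missing `PAGERDUTY_INTEGRATION_KEY` secret marks the job failed after the app has already been deployed; `if: always()` only decides whether the step runs, not whether its failure propagates. The tf-manual-apply template in this same commit keeps `continue-on-error: true` on its annotation, and that is the pattern I would apply to every new annotation and PagerDuty step in the other touched templates (az-database, swap-app-slots, files-to-az-storage-account, iis-website, on-prem-database, tf-auto-apply, windows-files, windows-service, keyvault-secret, delete-azure-blob, flyway-repair, start-stop-restart-azure-app): add `continue-on-error: true` directly under each `uses: im-open/pagerduty-change-events-action@v1.1` and `uses: im-open/create-app-insights-annotation@v1.0` line, or guard the annotation on the App Insights resource name being non-empty for consumers that never fill in the placeholder. Separately, `custom-event` reads `${{ inputs.tag }}` while `releaseName` two lines up uses `${{ env.RELEASE_TAG }}`; the `inputs` definition is outside this hunk, so I cannot confirm both resolve to the same value.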
@@ -1,4 +1,4 @@ -# Workflow Code: BetrayedCod_v37 DO NOT REMOVE +# Workflow Code: BetrayedCod_v38 DO NOT REMOVE # Purpose: # Gathers the required approvals from stakeholders and attestors, ensures # tags are valid for production deployments and runs the migrations against @@ -257,6 +257,13 @@ jobs: category: 'Deployment' customMetadata: 'ProjectName=${{ needs.set-vars.outputs.APP_INSIGHTS_ANNOTATION }},DeployedBy=${{ github.actor }},RunID=${{ github.run_id }}' + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] ${{ env.RELEASE_TAG }} deployed to ${{ inputs.environment-or-target }} ${{ env.DB_NAME }} (${{ job.status }})' + - name: Azure logout if: always() && steps.login.outcome == 'success' run: | diff --git a/workflow-templates/im-deploy-az-swap-app-slots.yml b/workflow-templates/im-deploy-az-swap-app-slots.yml index f92c0802..0249bec8 100644 --- a/workflow-templates/im-deploy-az-swap-app-slots.yml +++ b/workflow-templates/im-deploy-az-swap-app-slots.yml @@ -1,4 +1,4 @@ -# Workflow Code: IrritatedHyena_v23 DO NOT REMOVE +# Workflow Code: IrritatedHyena_v24 DO NOT REMOVE # Purpose: # Swaps deployment slots in a specified environment for an Azure App Service # or Function outside of a deployment when someone kicks it off manually. @@ -94,6 +94,13 @@ jobs: AZ_APP_NAME@demo: '' AZ_APP_NAME@uat: '' AZ_APP_NAME@prod: '' + # This variable is used to annotate app insights + APP_INSIGHTS_NAME@dev: '' + APP_INSIGHTS_NAME@qa: '' + APP_INSIGHTS_NAME@stage: '' + APP_INSIGHTS_NAME@demo: '' + APP_INSIGHTS_NAME@uat: '' + APP_INSIGHTS_NAME@prod: '' - name: Open a PagerDuty Maintenance Window if: env.OPEN_WINDOW == 'true' 
@@ -135,6 +142,23 @@ jobs: # --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} \ # --resource-group ${{ env.RESOURCE_GROUP }} + - name: Annotate App Insights + uses: im-open/create-app-insights-annotation@v1.0 + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + resourceGroupName: ${{ env.RESOURCE_GROUP }} + appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' + releaseName: '${{ env.AZ_APP_NAME }}-Slot-Swap' + category: 'Deployment' + customMetadata: 'ProjectName=${{ env.AZ_APP_NAME }},SourceSlot=${{ env.SOURCE_SLOT }},TargetSlot=${{ env.TARGET_SLOT }},DeployedBy=${{ github.actor }},RunID=${{ github.run_id }}' + + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] ${{ env.SOURCE_SLOT }} slot swapped with ${{ env.TARGET_SLOT }} slot for ${{ env.AZ_APP_NAME }} (${{ job.status }})' + - name: Azure logout if: always() && steps.login.outcome == 'success' run: | diff --git a/workflow-templates/im-deploy-files-to-az-storage-account.yml b/workflow-templates/im-deploy-files-to-az-storage-account.yml index 92cad1a1..c9f21472 100644 --- a/workflow-templates/im-deploy-files-to-az-storage-account.yml +++ b/workflow-templates/im-deploy-files-to-az-storage-account.yml @@ -1,4 +1,4 @@ -# Workflow Code: BubblyGreyhound_v29 DO NOT REMOVE +# Workflow Code: BubblyGreyhound_v30 DO NOT REMOVE # Purpose: # Checks out the repository and deploys a directory to the # specified storage account when someone kicks it off manually. 
@@ -46,11 +46,9 @@ permissions: env: ENVIRONMENT: ${{ github.event.inputs.environment }} GITHUB_REF: ${{ github.event.inputs.branch-tag-sha }} - STORAGE_ACCOUNT_NAME: '' # TODO: Add the appropriate storage account name TARGET_CONTAINER: '' # TODO: Add the appropriate target container in the stg account SOURCE_DIRECTORY: '' # TODO: Add the appropriate source directory - DEPLOY_BOARD_NUM: '' # TODO: Add the automated deployment board number or remove if not using an automated deployment project board. - + jobs: deploy-to-azure: runs-on: im-linux @@ -65,6 +63,36 @@ jobs: | Environment | `${{ env.ENVIRONMENT }}` | | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY + # For more information and best practices on the usage and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + uses: im-open/set-environment-variables-by-scope@v1.2 + with: + scope: ${{ env.ENVIRONMENT }} + env: + # TODO: For the following inputs, fill in the value if you have the environment and delete the environment if it does not exist + # This variable is used to swap and delete slots + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + # This variable is used to deploy to the correct storage account + STORAGE_ACCOUNT_NAME@dev: '' + STORAGE_ACCOUNT_NAME@qa: '' + STORAGE_ACCOUNT_NAME@stage: '' + STORAGE_ACCOUNT_NAME@demo: '' + STORAGE_ACCOUNT_NAME@uat: '' + STORAGE_ACCOUNT_NAME@prod: '' + # This variable is used to annotate app insights + APP_INSIGHTS_NAME@dev: '' + APP_INSIGHTS_NAME@qa: '' + APP_INSIGHTS_NAME@stage: '' + APP_INSIGHTS_NAME@demo: '' + APP_INSIGHTS_NAME@uat: '' + APP_INSIGHTS_NAME@prod: '' + - name: Checkout Repository uses: actions/checkout@v4 with: 
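Review bot: The comment `# This variable is used to swap and delete slots` above the new `RESOURCE_GROUP@*` entries is copied from the slot-swap template and is wrong for a storage-account file deploy, where the only visible consumer of `RESOURCE_GROUP` is the `resourceGroupName` input of the App Insights annotation; I would replace it with `# This variable is the resource group that holds the App Insights resource used for annotations`. The same hunk drops the top-level `DEPLOY_BOARD_NUM` env entry; if anything further down (for example the `Create GitHub Deployment` step, which is outside this hunk) still references `env.DEPLOY_BOARD_NUM`, it will now expand to an empty string, so that should be checked. The line that replaces the removed blank line before `jobs:` appears to carry trailing whitespace in this rendering, but the collapsed layout makes that uncertain.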
@@ -99,7 +127,23 @@ jobs: -d '${{ env.TARGET_CONTAINER }}' \ -s '${{ env.SOURCE_DIRECTORY }}' - # Only run this step if TechHub metadata.name value is passed in + - name: Annotate App Insights + uses: im-open/create-app-insights-annotation@v1.0 + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + resourceGroupName: ${{ env.RESOURCE_GROUP }} + appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' + releaseName: '${{ env.STORAGE_ACCOUNT_NAME }}-File-Deploy' + category: 'Deployment' + customMetadata: 'StorageAccountName=${{ env.STORAGE_ACCOUNT_NAME }},TargetContainer=${{ env.TARGET_CONTAINER }},SourceDirectory=${{ env.SOURCE_DIRECTORY }},DeployedBy=${{ github.actor }},RunID=${{ github.run_id }}' + + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] ${{ env.SOURCE_DIRECTORY }}@${{ env.GITHUB_REF }} deployed to ${{ env.STORAGE_ACCOUNT_NAME }} (${{ job.status }})' + - name: Create GitHub Deployment if: always() uses: im-open/create-github-deployment@v1.0 diff --git a/workflow-templates/im-deploy-iis-website.yml b/workflow-templates/im-deploy-iis-website.yml index 0f266d2d..bb18e5da 100644 --- a/workflow-templates/im-deploy-iis-website.yml +++ b/workflow-templates/im-deploy-iis-website.yml @@ -1,4 +1,4 @@ -# Workflow Code: FuzzyDragon_v50 DO NOT REMOVE +# Workflow Code: FuzzyDragon_v51 DO NOT REMOVE # Purpose: # Gathers various stakeholder and attestor approvals, downloads artifacts from a release # with the specified tags, makes changes to any configuration files for the specified environments, 
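Review bot: The annotation's `releaseName: '${{ env.STORAGE_ACCOUNT_NAME }}-File-Deploy'` is the same for every run of this workflow, whereas the app-deploy template in this commit suffixes the release tag; since `custom-event` on the PagerDuty step already includes `${{ env.GITHUB_REF }}`, I would use `releaseName: '${{ env.STORAGE_ACCOUNT_NAME }}-File-Deploy-${{ env.GITHUB_REF }}'` so annotations are distinguishable per deploy. `GITHUB_REF` here is the free-form `branch-tag-sha` dispatch input, so both the annotation and the event text reflect whatever the operator typed, which is acceptable for an action input but worth noting in the step comment.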
@@ -372,6 +372,13 @@ jobs: service-account-id: ${{ env.DEPLOYMENT_SA_ID }} service-account-password: ${{ secrets.DEPLOYMENT_SA_SECRET }} + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] ${{ inputs.tag }} deployed to ${{ inputs.environment }} ${{ env.WEBSITE_NAME }} (${{ job.status }})' + - name: Close the PagerDuty Maintenance Window if: always() && steps.open-window.outcome == 'success' uses: im-open/close-pagerduty-maintenance-window@v1.2 diff --git a/workflow-templates/im-deploy-on-prem-database.yml b/workflow-templates/im-deploy-on-prem-database.yml index df00082d..c4e3e250 100644 --- a/workflow-templates/im-deploy-on-prem-database.yml +++ b/workflow-templates/im-deploy-on-prem-database.yml @@ -1,4 +1,4 @@ -# Workflow Code: AmazedPiglet_v38 DO NOT REMOVE +# Workflow Code: AmazedPiglet_v39 DO NOT REMOVE # Purpose: # Gathers the required approvals from stakeholders and attestors, ensures tags # are valid for production deployments and runs the migrations against an on-prem 
@@ -196,6 +196,13 @@ jobs: username: '${{ steps.vault-secrets.outputs.SQL_AUTH_USERNAME }}' password: '${{ steps.vault-secrets.outputs.SQL_AUTH_PASSWORD }}' + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] ${{ env.RELEASE_TAG }} deployed to ${{ env.ENVIRONMENT }} ${{ env.DB_NAME }} (${{ job.status }})' + - name: Azure logout if: always() && steps.login.outcome == 'success' run: | diff --git a/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml b/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml index 9df19e35..ff3ff730 100644 --- a/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml +++ b/workflow-templates/im-deploy-tf-auto-apply-main-to-dev-on-merge.yml @@ -1,4 +1,4 @@ -# Workflow Code: IrritableEagle_v39 DO NOT REMOVE +# Workflow Code: IrritableEagle_v40 DO NOT REMOVE # Purpose: # Automatically runs a terraform apply -auto-approve with the changes # in the PR against the dev environment when a PR is merged to main. @@ -41,6 +41,8 @@ env: TF_IN_AUTOMATION: 'true' TF_VERSION: '~>1.4.0' #TODO: Verify your version of terraform. TF_WORKING_DIR: './infrastructure/dev' # TODO: Verify this directory is correct for your repository (older projects may not be inside of an infrastructure folder) + RESOURCE_GROUP: '' # TODO: Populate this value + APP_INSIGHTS_NAME: '' # TODO: Populate this value # The following SSH_* secrets are org-level secrets SSH_KEY_STORAGE_ACCOUNT: ${{ secrets.SSH_STORAGE_ACCOUNT }} SSH_KEY_NETWORK_INFO: ${{ secrets.SSH_NETWORK_INFO }} 
@@ -55,9 +57,7 @@ env: jobs: auto-apply-tf: if: github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main' # TODO: verify default branch name - runs-on: im-linux - environment: 'Dev' defaults: @@ -110,6 +110,7 @@ jobs: # TODO: Remove the pagerduty token if not configuring pagerduty. If using pagerduty verify 'pagerduty_token' is the name of the variable that tf expects # TODO: Add any other secrets that would be required for a tf plan to succeed. Since this is a multi-line command every line except the last will need a \ on the end of it # PAGERDUTY_API_KEY is an org-level secret + - name: Terraform Apply run: | terraform apply -auto-approve -lock-timeout=90s \ @@ -138,7 +139,23 @@ jobs: { "name": "Actor", "value": "${{ github.actor }}" } ] - # Only run this step if TechHub metadata.name value is passed in + - name: Annotate App Insights + uses: im-open/create-app-insights-annotation@v1.0 + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + resourceGroupName: ${{ env.RESOURCE_GROUP }} + appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' + releaseName: 'Infrastructure.main' + category: 'Deployment' + customMetadata: 'ProjectName=Infrastructure,DeployedBy=${{ github.actor }},RunID=${{ github.run_id }}' + + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] Terraform@main deployed to ${{ env.RESOURCE_GROUP }} (${{ job.status }})' + - name: Create GitHub Deployment if: always() uses: im-open/create-github-deployment@v1.0 diff --git a/workflow-templates/im-deploy-tf-manual-apply.yml b/workflow-templates/im-deploy-tf-manual-apply.yml index 1e5f1ba2..566d2ea4 100644 
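Review bot: In the `@@ -138,7 +139,23 @@` hunk the annotation uses the constant `releaseName: 'Infrastructure.main'`, so every merge to main produces an indistinguishable App Insights annotation, while the manual-apply template in this commit uses `Infrastructure.${{ env.GITHUB_REF }}`; I would write `releaseName: 'Infrastructure.main-${{ github.sha }}'` to tie each annotation to the merged commit. The `@@ -110,6 +110,7 @@` hunk inserts a blank line between the `# PAGERDUTY_API_KEY is an org-level secret` comment block and the `Terraform Apply` step it describes, which separates the TODOs from the step they apply to; keeping them adjacent reads better.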
--- a/workflow-templates/im-deploy-tf-manual-apply.yml
+++ b/workflow-templates/im-deploy-tf-manual-apply.yml
@@ -1,4 +1,4 @@
-# Workflow Code: InsaneHamster_v51 DO NOT REMOVE
+# Workflow Code: InsaneHamster_v52 DO NOT REMOVE
 # Purpose:
 # Deploys the terraform from a specified root module at a
 # specified when someone kicks off the workflow manually.
@@ -367,20 +367,25 @@ jobs: - name: Terraform Apply run: terraform apply -auto-approve -no-color -lock-timeout=90s -input=false ./plans/tfplan - # TODO: Uncomment to Annotate in AppInsights - # - name: Annotate App Insights - # uses: im-open/create-app-insights-annotation@v1.0 - # continue-on-error: true - # with: - # subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable - # - # # The following line assumes the App insights resource is always in the primary region's resource group. - # # You might change this when App insights becomes available in our secondary region. - # resourceGroupName: ${{ needs.set-vars.outputs.PRIMARY_RESOURCE_GROUP }} - # appInsightsResourceName: ${{ needs.set-vars.outputs.APP_INSIGHTS_NAME }} - # releaseName: 'Infra.${{ env.GITHUB_REF }}' - # category: 'Deployment' - # customMetadata: 'ProjectName=,DeployedBy=${{ github.actor }},RunID=${{ github.run_id }}' # TODO: Update project name + - name: Annotate App Insights + uses: im-open/create-app-insights-annotation@v1.0 + continue-on-error: true + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + # The following line assumes the App insights resource is always in the primary region's resource group. + # You might change this when App insights becomes available in our secondary region. 
+ resourceGroupName: ${{ needs.set-vars.outputs.PRIMARY_RESOURCE_GROUP }} + appInsightsResourceName: ${{ needs.set-vars.outputs.APP_INSIGHTS_NAME }} + releaseName: 'Infrastructure.${{ env.GITHUB_REF }}' + category: 'Deployment' + customMetadata: 'ProjectName=Infrastructure,DeployedBy=${{ github.actor }},RunID=${{ github.run_id }}' + + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] Terraform@${{ env.GITHUB_REF }} deployed to ${{ env.TARGET_RESOURCE_GROUP }} (${{ job.status }})' # TODO: Uncomment if you have azure locks in stage and prod # - name: Add RGRP Azure Locks diff --git a/workflow-templates/im-deploy-windows-files.yml b/workflow-templates/im-deploy-windows-files.yml index 4eeaad4b..d30ee580 100644 --- a/workflow-templates/im-deploy-windows-files.yml +++ b/workflow-templates/im-deploy-windows-files.yml @@ -1,4 +1,4 @@ -# Workflow Code: MysteriousStranger_v20 DO NOT REMOVE +# Workflow Code: MysteriousStranger_v21 DO NOT REMOVE # Purpose: # Gathers various stakeholder and attestor approvals, downloads artifacts from a release with the # specified tags, makes changes to any configuration files for the specified environments, stops @@ -88,6 +88,7 @@ jobs: # Each env has their own stakeholder approval environment. If no required reviewers are set for # that environment, the workflow will continue without requiring anyone to approve the deployment. + stakeholder-approval: needs: [setup-deployment-workflow] runs-on: ubuntu-latest # Force this to run on github-hosted runner by using a tag that does not exist on self-hosted runners 
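Review bot: The new `custom-event` reads `${{ env.TARGET_RESOURCE_GROUP }}`, but the annotation directly above takes its resource group from `needs.set-vars.outputs.PRIMARY_RESOURCE_GROUP`, and no `TARGET_RESOURCE_GROUP` job env entry is visible in this hunk; if the job does not define it, the PagerDuty text becomes "deployed to  (success)". I would source it the same way as the annotation, `custom-event: '[Deployment] Terraform@${{ env.GITHUB_REF }} deployed to ${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }} (${{ job.status }})'`, provided set-vars exposes that output in this file (its definition is outside the hunk). The uncommented annotation keeps `continue-on-error: true` while the PagerDuty step right below it does not, so a notification failure still fails an apply that has already completed.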
@@ -205,6 +206,13 @@ jobs: deployment-folder-path: '${{ env.DEPLOYMENT_PATH }}' clean-deployment-folder: 'true' # TODO: Verify that all files not in the deployment package should be removed. + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] ${{ inputs.tag }} deployed to ${{ inputs.environment }} ${{ env.WINDOWS_SERVER }}/${{ env.DEPLOYMENT_PATH }} (${{ job.status }})' + - name: Delete .zips and folder that contains sensitive info continue-on-error: true working-directory: ./ diff --git a/workflow-templates/im-deploy-windows-service.yml b/workflow-templates/im-deploy-windows-service.yml index efea43b9..ebd6f292 100644 --- a/workflow-templates/im-deploy-windows-service.yml +++ b/workflow-templates/im-deploy-windows-service.yml @@ -1,4 +1,4 @@ -# Workflow Code: MaterialVolcano_v44 DO NOT REMOVE +# Workflow Code: MaterialVolcano_v45 DO NOT REMOVE # Purpose: # Gathers various stakeholder and attestor approvals, downloads artifacts from a release with the # specified tags, makes changes to any configuration files for the specified environments, stops 
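Review bot: The PagerDuty step is inserted between the deployment and the `Delete .zips and folder that contains sensitive info` step, and it has no `continue-on-error: true`; that cleanup step's `if:` condition is outside the hunk, and if it is not `always()`, a failed PagerDuty call would skip deleting the sensitive files from the runner. Moving the notification after the cleanup step, or adding `continue-on-error: true` under `uses: im-open/pagerduty-change-events-action@v1.1`, avoids that ordering dependency. The event text also carries `${{ env.WINDOWS_SERVER }}/${{ env.DEPLOYMENT_PATH }}` to an external service; if internal hostnames and paths should not leave the org, `${{ env.WINDOWS_SERVER }}` alone may be enough for responders.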
@@ -336,6 +336,13 @@ jobs: service-account-id: ${{ env.DEPLOYMENT_SA_ID }} service-account-password: ${{ secrets.DEPLOYMENT_SA_SECRET }} + - name: Send Deployment Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Deployment] ${{ inputs.tag }} deployed to ${{ inputs.environment }} ${{ env.SERVICE_NAME }} (${{ job.status }})' + - name: Close the PagerDuty Maintenance Window if: always() && steps.open-window.outcome == 'success' uses: im-open/close-pagerduty-maintenance-window@v1.2 diff --git a/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml b/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml index 69cb9cc6..a2136dfb 100644 --- a/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml +++ b/workflow-templates/im-run-add-or-update-az-keyvault-secret.yml @@ -1,4 +1,4 @@ -# Workflow Code: CockySquirrel_v18 DO NOT REMOVE +# Workflow Code: CockySquirrel_v19 DO NOT REMOVE # Purpose: # Adds or updates an azure KeyVault secret in the specified # environment when someone kicks it off manually. @@ -77,6 +77,18 @@ jobs: KEYVAULT_NAME@demo: '' KEYVAULT_NAME@uat: '' KEYVAULT_NAME@prod: '' + APP_INSIGHTS_NAME@dev: '' + APP_INSIGHTS_NAME@qa: '' + APP_INSIGHTS_NAME@stage: '' + APP_INSIGHTS_NAME@demo: '' + APP_INSIGHTS_NAME@uat: '' + APP_INSIGHTS_NAME@prod: '' + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' - name: AZ Login id: login 
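Review bot: In the keyvault `@@ -77,6 +77,18 @@` hunk the new `APP_INSIGHTS_NAME@*` and `RESOURCE_GROUP@*` entries are appended with neither the `# This variable is used to annotate app insights` comment nor the `# TODO: ... fill in the value ... delete the environment if it does not exist` prompt that the swap-app-slots, storage-account and tf-destroy hunks in this commit carry, so a consumer copying the template has no cue that both are required by the annotation step added later in the file. The flyway-repair and start-stop-restart-azure-app hunks have the same omission, and delete-azure-blob has the TODO but not the comment. I would add `# These variables are used to annotate app insights; fill in the value per environment` above the first `APP_INSIGHTS_NAME@dev: ''` line in each.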
@@ -88,10 +100,26 @@ jobs: subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} client-id: ${{ vars.ARM_CLIENT_ID }} - - name: keyvault add or update secret + - name: Add or update KeyVault secret # ARM_SUBSCRIPTION_ID is an env-level variable run: az keyvault secret set --name ${{ github.event.inputs.secret_name }} --vault-name ${{ env.KEYVAULT_NAME }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }} --value "${{ github.event.inputs.secret_value }}" + - name: Annotate App Insights + uses: im-open/create-app-insights-annotation@v1.0 + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + resourceGroupName: ${{ env.RESOURCE_GROUP }} + appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' + category: 'Runbook' + customMetadata: 'Action=AddOrUpdateSecret,KeyVault=${{ env.KEYVAULT_NAME }},SecretName=${{ inputs.secret_name }},RunBy=${{ github.actor }},RunID=${{ github.run_id }}' + + - name: Send KeyVault Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Runbook] ${{ inputs.secret_name }} added or updated in ${{ env.KEYVAULT_NAME }} (${{ job.status }})' + - name: Azure logout if: always() && steps.login.outcome == 'success' run: | diff --git a/workflow-templates/im-run-delete-azure-blob.yml b/workflow-templates/im-run-delete-azure-blob.yml index 357fb06f..ef651e77 100644 --- a/workflow-templates/im-run-delete-azure-blob.yml +++ b/workflow-templates/im-run-delete-azure-blob.yml @@ -1,4 +1,4 @@ -# Workflow Code: ScornfulFlamingo_v8 DO NOT REMOVE +# Workflow Code: ScornfulFlamingo_v9 DO NOT REMOVE # Purpose: # Deletes a blob from a specified Azure Storage Account when someone kicks it off manually. # 
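Review bot: The renamed `Add or update KeyVault secret` step still splices `${{ github.event.inputs.secret_value }}` straight into the `run:` command line, so the value is subject to expression injection and is printed in the step's log header (dispatch inputs are not masked), which matters more now that this run is also announced to PagerDuty; pass it through an environment variable instead: `env:` / `  SECRET_VALUE: ${{ github.event.inputs.secret_value }}` / `run: az keyvault secret set --name '${{ github.event.inputs.secret_name }}' --vault-name '${{ env.KEYVAULT_NAME }}' --subscription '${{ vars.ARM_SUBSCRIPTION_ID }}' --value "$SECRET_VALUE"`. `secret_name` comes from the same dispatch form and deserves the same treatment. The new annotation and PagerDuty steps carry only `SecretName` and the vault name, never the value, which is the right boundary; they run after the secret has been written and lack `continue-on-error: true`, so an annotation failure reports the job and the PagerDuty event as failed even though the secret was set.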
@@ -71,6 +71,28 @@ jobs: subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }} client-id: ${{ vars.ARM_CLIENT_ID }} + # For more information and best practices on the usage and options available + # for this action go to: https://github.com/im-open/set-environment-variables-by-scope#usage-instructions + - name: Set Variables + id: set-variables + uses: im-open/set-environment-variables-by-scope@v1.2 + with: + scope: ${{ inputs.environment }} + env: + # TODO: For the following inputs, fill in the value if you have the environment or delete the environment if it does not exist + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + APP_INSIGHTS_NAME@dev: '' + APP_INSIGHTS_NAME@qa: '' + APP_INSIGHTS_NAME@stage: '' + APP_INSIGHTS_NAME@demo: '' + APP_INSIGHTS_NAME@uat: '' + APP_INSIGHTS_NAME@prod: '' + # This call uses RBAC (--auth-mode login) to delete files from the azure storage account. # No other key or connection string is needed. In order to delete files from a stg account # the SP that authenticates in the step above needs an additional permission (Storage 
@@ -84,6 +106,22 @@ jobs: --container-name '${{ github.event.inputs.container-name }}' \ --name '${{ github.event.inputs.blob-name }}' + - name: Annotate App Insights + uses: im-open/create-app-insights-annotation@v1.0 + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + resourceGroupName: ${{ env.RESOURCE_GROUP }} + appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' + category: 'Runbook' + customMetadata: 'Action=DeleteAzBlob,Blob=${{ inputs.blob-name }},Container=${{ inputs.container-name }},StorageAccount=${{ inputs.storage-account-name }},RunBy=${{ github.actor }},RunID=${{ github.run_id }}' + + - name: Send Delete Blob Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Runbook] ${{ inputs.container-name }}/${{ inputs.blob-name }} deleted from ${{ inputs.storage-account-name }} (${{ job.status }})' + - name: Azure logout if: always() && steps.login.outcome == 'success' run: | diff --git a/workflow-templates/im-run-flyway-repair.yml b/workflow-templates/im-run-flyway-repair.yml index c883fab1..94650997 100644 --- a/workflow-templates/im-run-flyway-repair.yml +++ b/workflow-templates/im-run-flyway-repair.yml @@ -1,4 +1,4 @@ -# Workflow Code: SpiritedGnat_v22 DO NOT REMOVE +# Workflow Code: SpiritedGnat_v23 DO NOT REMOVE # Purpose: # Runs a flyway repair command against an Azure SQL or # On-Prem Database when someone kicks it off manually. 
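Review bot: `customMetadata` is a comma-separated `key=value` string and this hunk feeds the free-form dispatch inputs `inputs.blob-name`, `inputs.container-name` and `inputs.storage-account-name` into it; a blob name containing `,` or `=` would corrupt the metadata as parsed by the annotation action (how strictly it splits is not visible here). The keyvault hunk has the same shape with `SecretName=${{ inputs.secret_name }}`. Either document the constraint on the step, `# NOTE: blob and container names must not contain ',' or '='`, or move those values into the `releaseName` field where they are treated as a single string.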
@@ -108,6 +108,18 @@ jobs: AZURE_KEY_VAULT@qa: '' AZURE_KEY_VAULT@stage demo: '' AZURE_KEY_VAULT@prod: '' + RESOURCE_GROUP@dev: '' + RESOURCE_GROUP@qa: '' + RESOURCE_GROUP@stage: '' + RESOURCE_GROUP@demo: '' + RESOURCE_GROUP@uat: '' + RESOURCE_GROUP@prod: '' + APP_INSIGHTS_NAME@dev: '' + APP_INSIGHTS_NAME@qa: '' + APP_INSIGHTS_NAME@stage: '' + APP_INSIGHTS_NAME@demo: '' + APP_INSIGHTS_NAME@uat: '' + APP_INSIGHTS_NAME@prod: '' # TODO: Remove this step if this workflow is run against an on-prem database # or if your database uses Azure Active Directory Authentication @@ -165,6 +177,22 @@ jobs: username: '${{ env.SQL_USER }}' password: '${{ env.SQL_PASSWORD }}' + - name: Annotate App Insights + uses: im-open/create-app-insights-annotation@v1.0 + with: + subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable + resourceGroupName: ${{ env.RESOURCE_GROUP }} + appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}' + category: 'Runbook' + customMetadata: 'Action=FlywayRepair,Database=${{ env.DB_NAME }},RunBy=${{ github.actor }},RunID=${{ github.run_id }}' + + - name: Send Flyway Repair Event to PagerDuty + if: always() + uses: im-open/pagerduty-change-events-action@v1.1 + with: + integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment + custom-event: '[Runbook] Flyway Repair run on ${{ env.DB_NAME }} (${{ job.status }})' + - name: Azure logout if: always() && steps.login.outcome == 'success' run: | diff --git a/workflow-templates/im-run-start-stop-restart-azure-app.yml b/workflow-templates/im-run-start-stop-restart-azure-app.yml index f0ad7888..21142ce2 100644 --- a/workflow-templates/im-run-start-stop-restart-azure-app.yml +++ b/workflow-templates/im-run-start-stop-restart-azure-app.yml 
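Review bot: The `@@ -165,6 +177,22 @@` hunk adds an unconditional `Annotate App Insights` step that needs an Azure login and `vars.ARM_SUBSCRIPTION_ID`, but this template also targets on-prem databases, as the context comment `# TODO: Remove this step if this workflow is run against an on-prem database` right after the first hunk shows; for that variant the annotation has no resource to write to and will fail after the repair has run. I would add the same guidance above the new step, `# TODO: Remove this step if this workflow is run against an on-prem database with no App Insights resource`, or guard it with `if: env.APP_INSIGHTS_NAME != ''`. The new `RESOURCE_GROUP@*` entries sit next to the pre-existing `AZURE_KEY_VAULT@stage demo: ''` multi-scope key, so check whether `stage` and `demo` really have separate resource groups here or should share one entry the same way.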
@@ -1,4 +1,4 @@
-# Workflow Code: NeedyPig_v19 DO NOT REMOVE
+# Workflow Code: NeedyPig_v20 DO NOT REMOVE
 # Purpose:
 # Performs a start, stop or restart on an app service in the
 # specified environment when someone kicks it off manually.
@@ -88,6 +88,12 @@ jobs:
 APP_NAME@demo: ''
 APP_NAME@uat: ''
 APP_NAME@prod: ''
+ APP_INSIGHTS_NAME@dev: ''
+ APP_INSIGHTS_NAME@qa: ''
+ APP_INSIGHTS_NAME@stage: ''
+ APP_INSIGHTS_NAME@demo: ''
+ APP_INSIGHTS_NAME@uat: ''
+ APP_INSIGHTS_NAME@prod: ''
 # TODO: If this workflow is restarting a slot update these values, otherwise delete this section.
 # TODO: If the slot has the same name in all environments, delete this section and populate the env.SLOT_NAME in the job below with the single value
 # SLOT_NAME@dev: ''
@@ -115,6 +121,21 @@ jobs:
 - name: ${{ env.ACTION }} ${{ env.AZ_APP_TYPE }}
 run: az ${{ env.AZ_APP_TYPE }} ${{ env.ACTION }} --name ${{ env.APP_NAME }} --resource-group ${{ env.RESOURCE_GROUP }} --subscription ${{ vars.ARM_SUBSCRIPTION_ID }}
+ - name: Annotate App Insights
+ uses: im-open/create-app-insights-annotation@v1.0
+ with:
+ subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable
+ resourceGroupName: ${{ env.RESOURCE_GROUP }}
+ appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}'
+ category: 'Runbook'
+ customMetadata: 'Action=${{ env.ACTION }},App=${{ env.APP_NAME }},RunBy=${{ github.actor }},RunID=${{ github.run_id }}'
+
+ - name: Send ${{ inputs.action }} Event to PagerDuty
+ if: always()
+ uses: im-open/pagerduty-change-events-action@v1.1
+ with:
+ integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment
+ custom-event: '[Runbook] ${{ env.ACTION }} ${{ env.APP_NAME }} (${{ job.status }})'
 - name: Azure logout
 if: always() && steps.login.outcome == 'success'
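Review bot: The new PagerDuty step name uses `${{ inputs.action }}` while `customMetadata` and `custom-event` in the same hunk use `${{ env.ACTION }}`; `ACTION` is set outside this hunk, so if it is derived from the input with any normalisation the step title and the event text will disagree. `- name: Send ${{ env.ACTION }} Event to PagerDuty` keeps all three on one source. This hunk also drops the blank line between `custom-event:` and the pre-existing `- name: Azure logout` step that the other annotation hunks in this commit keep.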
diff --git a/workflow-templates/im-run-tf-destroy.yml b/workflow-templates/im-run-tf-destroy.yml
index c0f5ee1d..191527a7 100644
--- a/workflow-templates/im-run-tf-destroy.yml
+++ b/workflow-templates/im-run-tf-destroy.yml
@@ -1,4 +1,4 @@
-# Workflow Code: HostileMacaw_v30 DO NOT REMOVE
+# Workflow Code: HostileMacaw_v31 DO NOT REMOVE
 # Purpose:
 # Destroys the resources created by a terraform configuration when someone kicks it off manually.
 #
@@ -92,6 +92,7 @@ jobs:
 PRIMARY_RESOURCE_GROUP: ${{ steps.set-variables.outputs.PRIMARY_RESOURCE_GROUP }}
 STORAGE_ACCOUNT: ${{ steps.set-variables.outputs.STORAGE_ACCOUNT }}
 GITHUB_SECRETS_ENVIRONMENT: ${{ steps.set-variables.outputs.GITHUB_SECRETS_ENVIRONMENT }}
+ APP_INSIGHTS_NAME: ${{ steps.set-variables.outputs.APP_INSIGHTS_NAME }}
 steps:
 # For more information and best practices on the usage and options available
@@ -131,6 +132,14 @@ jobs:
 STORAGE_ACCOUNT@demo: ''
 STORAGE_ACCOUNT@uat: ''
 STORAGE_ACCOUNT@prod prod-secondary: ''
+
+ # This variable is used to annotate app insights
+ APP_INSIGHTS_NAME@dev: ''
+ APP_INSIGHTS_NAME@qa: ''
+ APP_INSIGHTS_NAME@stage stage-secondary: ''
+ APP_INSIGHTS_NAME@demo: ''
+ APP_INSIGHTS_NAME@uat: ''
+ APP_INSIGHTS_NAME@prod prod-secondary: ''
 # Used for getting Azure Credentials Secrets
 GITHUB_SECRETS_ENVIRONMENT@dev qa stage prod demo: '${{ inputs.root-module }}'
@@ -268,6 +277,10 @@ jobs:
 runs-on: im-linux
 environment: ${{ needs.set-vars.outputs.GITHUB_SECRETS_ENVIRONMENT }}
+ env:
+ APP_INSIGHTS_NAME: ${{ needs.set-vars.outputs.APP_INSIGHTS_NAME }}
+ RESOURCE_GROUP: ${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }}
+
 defaults:
 run:
 shell: bash
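Review bot: The job-level `env:` added in the `-268,6 +277,10` hunk sets `RESOURCE_GROUP` to `TARGET_RESOURCE_GROUP`, and the annotation step in the following hunk passes that as `resourceGroupName` for the App Insights lookup; in the `-131,6 +132,14` hunk `APP_INSIGHTS_NAME` is scoped `stage stage-secondary` and `prod prod-secondary`, i.e. one name for both regions, so if that instance lives in the primary group only, a secondary-region run would look for it in the wrong group and the annotation would fail (inference; the resource layout is not visible here). The set-vars outputs in the `-92,6 +92,7` hunk already expose `PRIMARY_RESOURCE_GROUP`, so confirm which group holds the App Insights resource and, if it differs from the target group, give the annotation its own variable rather than reusing `RESOURCE_GROUP`, which the PagerDuty `custom-event` in the next hunk also reports as the destroy target. The jobs these hunks touch extend beyond the hunks.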
@@ -350,6 +363,22 @@ jobs:
 # run: |
 # az group lock create --name "${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }}-delete-locks" --resource-group "${{ needs.set-vars.outputs.TARGET_RESOURCE_GROUP }}" --lock-type CanNotDelete
+ - name: Annotate App Insights
+ uses: im-open/create-app-insights-annotation@v1.0
+ with:
+ subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable
+ resourceGroupName: ${{ env.RESOURCE_GROUP }}
+ appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}'
+ category: 'Runbook'
+ customMetadata: 'Action=DestroyTerraform,Target=${{ inputs.tf-targets }},RunBy=${{ github.actor }},RunID=${{ github.run_id }}'
+
+ - name: Send Terraform Destroy Event to PagerDuty
+ if: always()
+ uses: im-open/pagerduty-change-events-action@v1.1
+ with:
+ integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment
+ custom-event: '[Runbook] ${{ inputs.tf-targets }} destroyed in ${{ env.RESOURCE_GROUP }} (${{ job.status }})'
+
 - name: Azure logout
 run: |
 az logout
diff --git a/workflow-templates/im-run-tf-import.yml b/workflow-templates/im-run-tf-import.yml
index 800c8073..ca55c97d 100644
--- a/workflow-templates/im-run-tf-import.yml
+++ b/workflow-templates/im-run-tf-import.yml
@@ -1,4 +1,4 @@
-# Workflow Code: DrearyBuck_v24 DO NOT REMOVE
+# Workflow Code: DrearyBuck_v25 DO NOT REMOVE
 # Purpose:
 # Imports a specified resource into the terraform state when someone kicks it off manually.
@@ -71,7 +71,7 @@ jobs:
 defaults:
 run:
 shell: bash
-
+
 steps:
 - run: |
 echo $'
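Review bot: `customMetadata` interpolates `Target=${{ inputs.tf-targets }}` into a comma-separated `key=value` list; the input name is plural, and if callers pass several targets separated by commas the value would be split into spurious extra keys (inference; how the action tokenises `customMetadata` and what `tf-targets` accepts are both outside the hunk). Worth confirming the action's separator handling and, if needed, normalising the list (for example to space-separated) before it is interpolated, or carrying the full list only in `custom-event`. The two new steps also sit between the destroy and an `Azure logout` that has no `if: always()`, so any failure in them now skips `az logout`; on a non-ephemeral runner (`runs-on: im-linux` in the earlier hunk) that leaves the CLI session cached. The job starts before this hunk.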
@@ -82,6 +82,26 @@ jobs:
 | Resource Address | `${{ github.event.inputs.tf-resource-address }}` |
 | Resource ID | `${{ github.event.inputs.tf-resource-id }}` |' >> $GITHUB_STEP_SUMMARY
+ - name: Set Variables
+ id: set-variables
+ uses: im-open/set-environment-variables-by-scope@v1.2
+ with:
+ scope: ${{ inputs.environment }}
+ env:
+ # TODO: For the following inputs, fill in the value if you have the environment or delete the environment if it does not exist
+ RESOURCE_GROUP@dev: ''
+ RESOURCE_GROUP@qa: ''
+ RESOURCE_GROUP@stage: ''
+ RESOURCE_GROUP@demo: ''
+ RESOURCE_GROUP@uat: ''
+ RESOURCE_GROUP@prod: ''
+ APP_INSIGHTS_NAME@dev: ''
+ APP_INSIGHTS_NAME@qa: ''
+ APP_INSIGHTS_NAME@stage: ''
+ APP_INSIGHTS_NAME@demo: ''
+ APP_INSIGHTS_NAME@uat: ''
+ APP_INSIGHTS_NAME@prod: ''
+
 - name: Checkout Repository
 uses: actions/checkout@v4
 with:
@@ -93,6 +113,15 @@ jobs:
 with:
 deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }}
+ - name: AZ Login
+ uses: azure/login@v2
+ with:
+ # This is an org-level variable
+ tenant-id: ${{ vars.ARM_TENANT_ID }}
+ # These are env-level variables
+ subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }}
+ client-id: ${{ vars.ARM_CLIENT_ID }}
+
 - name: Setup Terraform
 uses: hashicorp/setup-terraform@v3
 with:
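Review bot: The new `AZ Login` step has no `id:`, and the matching `Azure logout` step added in the next hunk runs without `if: always()`, so when `terraform import` or the annotation step fails, `az logout` / `az cache purge` / `az account clear` never run and the CLI session stays on the runner; the other templates in this commit gate the logout with `if: always() && steps.login.outcome == 'success'`, which this pair cannot use without an id. `id: login` on the login step and `if: always() && steps.login.outcome == 'success'` on the logout step bring it in line. The same login/logout pair is added to im-run-tf-taint.yml and im-run-unlock-tf-state.yml. Whether the session outlives the job depends on the runner being non-ephemeral, which is not visible for this job.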
@@ -106,3 +135,25 @@ jobs:
 working-directory: '${{ env.TF_WORKING_DIR }}'
 # TODO: Add any additional parameters that are needed
 run: terraform import ${{ github.event.inputs.tf-resource-address }} ${{ github.event.inputs.tf-resource-id }}
+
+ - name: Annotate App Insights
+ uses: im-open/create-app-insights-annotation@v1.0
+ with:
+ subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable
+ resourceGroupName: ${{ env.RESOURCE_GROUP }}
+ appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}'
+ category: 'Runbook'
+ customMetadata: 'Action=TerraformImport,Resource=${{ inputs.tf-resource-address }},RunBy=${{ github.actor }},RunID=${{ github.run_id }}'
+
+ - name: Send Terraform Import Event to PagerDuty
+ if: always()
+ uses: im-open/pagerduty-change-events-action@v1.1
+ with:
+ integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment
+ custom-event: '[Runbook] ${{ inputs.tf-resource-address }} imported in ${{ env.RESOURCE_GROUP }} (${{ job.status }})'
+
+ - name: Azure logout
+ run: |
+ az logout
+ az cache purge
+ az account clear
diff --git a/workflow-templates/im-run-tf-taint.yml b/workflow-templates/im-run-tf-taint.yml
index 08f63bf6..002bac65 100644
--- a/workflow-templates/im-run-tf-taint.yml
+++ b/workflow-templates/im-run-tf-taint.yml
@@ -1,4 +1,4 @@
-# Workflow Code: GratefulTermite_v20 DO NOT REMOVE
+# Workflow Code: GratefulTermite_v21 DO NOT REMOVE
 # Purpose:
 # Taints a specified terraform resource when someone kicks it off manually.
 #
@@ -79,6 +79,26 @@ jobs:
 | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |
 | TF Resource Address | `${{ github.event.inputs.tf-resource-address }}` |' >> $GITHUB_STEP_SUMMARY
+ - name: Set Variables
+ id: set-variables
+ uses: im-open/set-environment-variables-by-scope@v1.2
+ with:
+ scope: ${{ inputs.environment }}
+ env:
+ # TODO: For the following inputs, fill in the value if you have the environment or delete the environment if it does not exist
+ RESOURCE_GROUP@dev: ''
+ RESOURCE_GROUP@qa: ''
+ RESOURCE_GROUP@stage: ''
+ RESOURCE_GROUP@demo: ''
+ RESOURCE_GROUP@uat: ''
+ RESOURCE_GROUP@prod: ''
+ APP_INSIGHTS_NAME@dev: ''
+ APP_INSIGHTS_NAME@qa: ''
+ APP_INSIGHTS_NAME@stage: ''
+ APP_INSIGHTS_NAME@demo: ''
+ APP_INSIGHTS_NAME@uat: ''
+ APP_INSIGHTS_NAME@prod: ''
+
 - name: Checkout Repository
 uses: actions/checkout@v4
 with:
@@ -90,6 +110,15 @@ jobs:
 with:
 deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }}
+ - name: AZ Login
+ uses: azure/login@v2
+ with:
+ # This is an org-level variable
+ tenant-id: ${{ vars.ARM_TENANT_ID }}
+ # These are env-level variables
+ subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }}
+ client-id: ${{ vars.ARM_CLIENT_ID }}
+
 - name: Setup Terraform
 uses: hashicorp/setup-terraform@v3
 with:
@@ -104,3 +133,24 @@ jobs:
 # https://www.terraform.io/docs/cli/commands/taint.html#usage
 run: terraform taint ${{ github.event.inputs.tf-resource-address }}
+ - name: Annotate App Insights
+ uses: im-open/create-app-insights-annotation@v1.0
+ with:
+ subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable
+ resourceGroupName: ${{ env.RESOURCE_GROUP }}
+ appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}'
+ category: 'Runbook'
+ customMetadata: 'Action=TerraformTaint,Resource=${{ inputs.tf-resource-address }},RunBy=${{ github.actor }},RunID=${{ github.run_id }}'
+
+ - name: Send Terraform Taint Event to PagerDuty
+ if: always()
+ uses: im-open/pagerduty-change-events-action@v1.1
+ with:
+ integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment
+ custom-event: '[Runbook] ${{ inputs.tf-resource-address }} tainted in ${{ env.RESOURCE_GROUP }} (${{ job.status }})'
+
+ - name: Azure logout
+ run: |
+ az logout
+ az cache purge
+ az account clear
diff --git a/workflow-templates/im-run-unlock-tf-state.yml b/workflow-templates/im-run-unlock-tf-state.yml
index e8d6039b..f2c7f4ce 100644
--- a/workflow-templates/im-run-unlock-tf-state.yml
+++ b/workflow-templates/im-run-unlock-tf-state.yml
@@ -1,4 +1,4 @@
-# Workflow Code: FrazzledFerret_v26 DO NOT REMOVE
+# Workflow Code: FrazzledFerret_v27 DO NOT REMOVE
 # Purpose:
 # Removes a lock from the terraform state when someone kicks it off manually.
 #
@@ -78,6 +78,26 @@ jobs:
 | Environment | `${{ env.ENVIRONMENT }}` |
 | Branch/Tag/Sha | `${{ env.GITHUB_REF }}` |' >> $GITHUB_STEP_SUMMARY
+ - name: Set Variables
+ id: set-variables
+ uses: im-open/set-environment-variables-by-scope@v1.2
+ with:
+ scope: ${{ inputs.environment }}
+ env:
+ # TODO: For the following inputs, fill in the value if you have the environment or delete the environment if it does not exist
+ RESOURCE_GROUP@dev: ''
+ RESOURCE_GROUP@qa: ''
+ RESOURCE_GROUP@stage: ''
+ RESOURCE_GROUP@demo: ''
+ RESOURCE_GROUP@uat: ''
+ RESOURCE_GROUP@prod: ''
+ APP_INSIGHTS_NAME@dev: ''
+ APP_INSIGHTS_NAME@qa: ''
+ APP_INSIGHTS_NAME@stage: ''
+ APP_INSIGHTS_NAME@demo: ''
+ APP_INSIGHTS_NAME@uat: ''
+ APP_INSIGHTS_NAME@prod: ''
+
 - name: Checkout Repository
 uses: actions/checkout@v4
 with:
@@ -89,6 +109,15 @@ jobs:
 with:
 deploy-key-info: ${{ env.SSH_DEPLOY_KEY_INFO }}
+ - name: AZ Login
+ uses: azure/login@v2
+ with:
+ # This is an org-level variable
+ tenant-id: ${{ vars.ARM_TENANT_ID }}
+ # These are env-level variables
+ subscription-id: ${{ vars.ARM_SUBSCRIPTION_ID }}
+ client-id: ${{ vars.ARM_CLIENT_ID }}
+
 - name: Setup Terraform
 uses: hashicorp/setup-terraform@v3
 with:
@@ -99,3 +128,25 @@ jobs:
 - name: Terraform Unlock State
 run: terraform force-unlock -force ${{ github.event.inputs.lock-id }}
+
+ - name: Annotate App Insights
+ uses: im-open/create-app-insights-annotation@v1.0
+ with:
+ subscriptionId: ${{ vars.ARM_SUBSCRIPTION_ID }} # This is an env-level variable
+ resourceGroupName: ${{ env.RESOURCE_GROUP }}
+ appInsightsResourceName: '${{ env.APP_INSIGHTS_NAME }}'
+ category: 'Runbook'
+ customMetadata: 'Action=UnlockTfState,LockId=${{ inputs.lock-id }},RunBy=${{ github.actor }},RunID=${{ github.run_id }}'
+
+ - name: Send Unlock TF State Event to PagerDuty
+ if: always()
+ uses: im-open/pagerduty-change-events-action@v1.1
+ with:
+ integration-key: ${{ secrets.PAGERDUTY_INTEGRATION_KEY }} # This is an env-level secret # TODO: Ensure an integration has been created in PagerDuty on each applicable service and the secret added to the environment
+ custom-event: '[Runbook] Terraform State unlocked in ${{ env.RESOURCE_GROUP }} (${{ job.status }})'
+
+ - name: Azure logout
+ run: |
+ az logout
+ az cache purge
+ az account clear