feat: Updated Prod Workflow To Match AWS Profile (#36)

erastusndico · erastus.ndi · web-flow · commit 00019979df44 · 2025-10-02T10:03:08.000+01:00
* feat: Updated Prod Workflow To Match AWS Profile

* feat: Updated Prod Workflow To Match AWS Profile

* feat: Updated Prod Workflow To Match AWS Profile

---------

Co-authored-by: erastus.ndi &lt;erastus.ndi@digital.homeoffice.gov.uk&gt;
diff --git a/.github/workflows/deploy-to-prod.yaml b/.github/workflows/deploy-to-prod.yaml
@@ -28,18 +28,43 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Install Required Tools
+        run: |
+          npm install -g typescript
+          echo "NODE.JS version: $(node -v)"
+          echo "NPM version: $(npm -v)"
+          echo "AWS CLI version: $(aws --version)"
+
+      # First, authenticate to non-prod to access staging artifacts
+      - name: Configure AWS credentials for Non-Prod (Staging)
+        uses: aws-actions/configure-aws-credentials@v4.2.1
+        with:
+          role-to-assume: ${{ env.NON_PROD_DEPLOYMENT_ROLE }}
+          aws-region: ${{ env.AWS_REGION }}
+          role-session-name: staging-access
+
+      - name: Setup Non-Prod AWS Profile
+        run: |
+          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile nonprod
+          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile nonprod
+          aws configure set aws_session_token $AWS_SESSION_TOKEN --profile nonprod
+          aws configure set region ${{ env.AWS_REGION }} --profile nonprod
+          echo "Non-Prod profile configured"
+
+      # Then, authenticate to prod for deployment
       - name: Configure AWS credentials for Prod
         uses: aws-actions/configure-aws-credentials@v4.2.1
         with:
           role-to-assume: ${{ env.PROD_DEPLOYMENT_ROLE }}
           aws-region: ${{ env.AWS_REGION }}
 
-      - name: Install Required Tools
+      - name: Setup Prod AWS Profile
         run: |
-          npm install -g typescript
-          echo "NODE.JS version: $(node -v)"
-          echo "NPM version: $(npm -v)"
-          echo "AWS CLI version: $(aws --version)"
+          aws configure set aws_access_key_id $AWS_ACCESS_KEY_ID --profile prod
+          aws configure set aws_secret_access_key $AWS_SECRET_ACCESS_KEY --profile prod
+          aws configure set aws_session_token $AWS_SESSION_TOKEN --profile prod
+          aws configure set region ${{ env.AWS_REGION }} --profile prod
+          echo "Prod profile configured"
 
       - name: Prepare Scripts
         run: |
@@ -55,6 +80,15 @@ jobs:
           chmod +x ./pipeline_scripts/functions.sh
           ls -la ./pipeline_scripts/
 
+      - name: Verify AWS Profiles
+        run: |
+          echo "Available AWS profiles:"
+          aws configure list-profiles
+          echo "Testing nonprod profile access:"
+          aws sts get-caller-identity --profile nonprod
+          echo "Testing prod profile access:"
+          aws sts get-caller-identity --profile prod
+
       - name: Copy Artifacts and Deploy to Prod
         run: |
           echo "Starting prod deployment for version ${{ github.event.inputs.version }}"
diff --git a/pipeline_scripts/deploy-to-prod.sh b/pipeline_scripts/deploy-to-prod.sh
@@ -29,39 +29,73 @@ if [ ! -f "./functions.sh" ]; then
 fi
 source ./functions.sh
 
-log_message "Getting bucket names from SSM parameters"
+log_message "Getting bucket names from SSM parameters (using prod profile)"
+# Get S3 bucket base name using prod profile since SSM parameters are in prod account
+export AWS_PROFILE=prod
 s3_bucket_zip_files
 STAGING_BUCKET="$S3-staging"
 PROD_BUCKET="$S3-$ENVIRONMENT"
 
 log_message "STAGING_BUCKET: $STAGING_BUCKET"
 log_message "PROD_BUCKET: $PROD_BUCKET"
 
-log_message "Checking if version $VERSION exists in staging bucket"
+log_message "Checking if version $VERSION exists in staging bucket (using nonprod profile)"
+
+# Switch to nonprod profile for staging bucket access
+export AWS_PROFILE=nonprod
 aws s3 ls s3://$STAGING_BUCKET/ | grep -v '/$' | grep "v${VERSION}"
 if [ $? -ne 0 ]; then
   log_message "ERROR: Version $VERSION not found in staging bucket $STAGING_BUCKET"
   exit 1
 fi
 log_message "Version $VERSION found in staging bucket"
 
-log_message "Copying versioned artifacts from staging to prod"
-artifacts_copied=0
-aws s3 ls s3://$STAGING_BUCKET/ | grep -v '/$' | grep "v${VERSION}" | awk '{print $4}' | while read FILENAME; do
-  log_message "Copying $FILENAME from staging to prod"
-  aws s3 cp s3://$STAGING_BUCKET/$FILENAME s3://$PROD_BUCKET/$FILENAME
-  artifacts_copied=$((artifacts_copied + 1))
+# Create temporary directory for artifacts
+TEMP_DIR="/tmp/artifacts_v${VERSION}"
+mkdir -p "$TEMP_DIR"
+log_message "Created temporary directory: $TEMP_DIR"
+
+log_message "Downloading versioned artifacts from staging to local runner (using nonprod profile)"
+artifacts_downloaded=0
+
+# Use nonprod profile for staging bucket access
+export AWS_PROFILE=nonprod
+while read FILENAME; do
+  log_message "Downloading $FILENAME from staging to local runner"
+  aws s3 cp s3://$STAGING_BUCKET/$FILENAME "$TEMP_DIR/$FILENAME"
+  artifacts_downloaded=$((artifacts_downloaded + 1))
+done < <(aws s3 ls s3://$STAGING_BUCKET/ | grep -v '/$' | grep "v${VERSION}" | awk '{print $4}')
+
+log_message "Downloaded $artifacts_downloaded artifacts to local runner"
+
+log_message "Uploading artifacts from local runner to prod bucket (using prod profile)"
+artifacts_uploaded=0
+# Switched to prod profile for prod bucket access
+export AWS_PROFILE=prod
+for FILENAME in "$TEMP_DIR"/*; do
+  if [ -f "$FILENAME" ]; then
+    BASENAME=$(basename "$FILENAME")
+    log_message "Uploading $BASENAME from runner to prod bucket"
+    aws s3 cp "$FILENAME" s3://$PROD_BUCKET/$BASENAME
+    artifacts_uploaded=$((artifacts_uploaded + 1))
+  fi
 done
 
-log_message "$artifacts_copied artifacts copied successfully"
+log_message "$artifacts_uploaded artifacts uploaded successfully to prod"
+
+# Clean up temporary directory
+rm -rf "$TEMP_DIR"
+log_message "Cleaned up temporary directory"
 
 export SEMANTIC_VERSION="$VERSION"
 
 
 log_message "Running update-lambda-functions.sh with version $SEMANTIC_VERSION"
 ./update-lambda-functions.sh "$SEMANTIC_VERSION"
 
-log_message "Verifying Lambda deployments in $ENVIRONMENT environment"
+log_message "Verifying Lambda deployments in $ENVIRONMENT environment (using prod profile)"
+
+export AWS_PROFILE=prod
 
 CORE_LAMBDA=$(aws ssm get-parameter \
   --name /lambda/kccorename \
diff --git a/pipeline_scripts/update-lambda-functions.sh b/pipeline_scripts/update-lambda-functions.sh
@@ -2,6 +2,9 @@
 set -e
 PIPELINE_DIR="$GITHUB_WORKSPACE/pipeline_scripts"
 
+# ======== Set AWS Profile =========
+export AWS_PROFILE=prod
+
 # =================================
 cd $PIPELINE_DIR
 source ./functions.sh
