From c72606e276c15646ca21e269d5bb220425818e32 Mon Sep 17 00:00:00 2001
From: Matt Dean
Date: Thu, 12 Sep 2024 13:29:10 +0100
Subject: [PATCH 1/5] [NRL-793] WIP workflow for building permissions
---
 .../workflows/update-lambda-permissions.yml | 107 ++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 .github/workflows/update-lambda-permissions.yml
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
new file mode 100644
index 00000000..82c666d2
--- /dev/null
+++ b/.github/workflows/update-lambda-permissions.yml
@@ -0,0 +1,107 @@ +name: Update Lambda Permissions +run-name: Updating permissions on ${{ inputs.environment }} using ${{ inputs.branch_name }} by ${{ github.actor }} + +on: + workflow_dispatch: + inputs: + environment: + description: Environment to deploy to + required: true + default: "dev" + type: environment + + stack_name: + description: Name of stack to apply permissions to + required: true + type: string + + branch_name: + description: Branch to deploy + required: true + +permissions: + id-token: write + contents: read + actions: write + +jobs: + build-permissions: + name: Building permissions package for ${{ inputs.environment }} + runs-on: [self-hosted, ci] + environment: ${{ inputs.environment }} + + steps: + - name: Git clone - ${{ github.ref }} + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Setup asdf cache + uses: actions/cache@v4 + with: + path: ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + restore-keys: | + ${{ runner.os }}-asdf- + + - name: Install asdf + uses: asdf-vm/actions/install@v3.0.2 + + - name: Install zip + run: sudo apt-get install zip + + - name: Setup Python environment + run: | + poetry install --no-root + source $(poetry env info --path)/bin/activate + + - name: Configure Management Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} + role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} + + - name: Create lambda permissions layer + run: | + account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) + make get-s3-perms ENV=${account} TF_WORKSPACE_NAME=${{ inputs.stack_name }} + + - name: Save NRLF permissions in cache + uses: actions/cache/save@v4 + with: + key: ${{ github.run_id }}-nrlf-permissions + path: dist/nrlf_permissions.zip + + apply-permissions: + name: Applying permissions to ${{ inputs.environment }} + runs-on: [self-hosted, ci] + environment: ${{ 
inputs.environment }} + + needs: build-permissions + + steps: + - name: Git clone - ${{ github.ref }} + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Restore NRLF permissions cache + uses: actions/cache/restore@v4 + with: + key: ${{ github.run_id }}-nrlf-permissions + path: dist/nrlf_permissions.zip + fail-on-cache-miss: true + + - name: Terraform Init + run: | + terraform -chdir=terraform/infrastructure init + terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ + terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} + + - name: Terraform Apply + run: | + terraform -chdir=terraform/infrastructure apply -auto-approve \ + --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ + --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \ + --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \ From a80f2b3d5bc431e7fe60e256da75dcc575cf265f Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Fri, 13 Sep 2024 14:03:22 +0100 Subject: [PATCH 2/5] [NRL-793] WIP workflow for building permissions --- scripts/pull-lambda-code-for-stack.sh | 48 +++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 scripts/pull-lambda-code-for-stack.sh diff --git a/scripts/pull-lambda-code-for-stack.sh b/scripts/pull-lambda-code-for-stack.sh new file mode 100644 index 00000000..6807343f --- /dev/null +++ b/scripts/pull-lambda-code-for-stack.sh 
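Review bot: `inputs.stack_name` is a free-form `string` input that the `Create lambda permissions layer` and `Terraform Init` steps expand with `${{ }}` directly into shell text, and because GitHub substitutes the value before the shell starts, no quoting inside the script can contain a value carrying shell metacharacters — it runs as commands on the self-hosted runner, which by then holds the assumed `MGMT_ROLE_ARN` credentials. Pass it through the environment instead: `env: { STACK_NAME: ${{ inputs.stack_name }} }` on the step and `make get-s3-perms ENV="${account}" TF_WORKSPACE_NAME="${STACK_NAME}"`, and likewise `terraform -chdir=terraform/infrastructure workspace new "${STACK_NAME}"`. The same pattern recurs in every later hunk of this series that adds a `run:` step using `inputs.stack_name` (`pull-deployed-lambdas`, `terraform-plan`, `terraform-apply`, `check-versions`); `inputs.environment` is `type: environment`, so it is limited to configured environment names and is a smaller concern. Separately, `branch_name` is a required input that nothing uses except `run-name` — every checkout pins `ref: ${{ github.ref }}` — so the run title can claim a branch that was not built; since `github.ref` already is the branch chosen at dispatch, drop the input or actually check out `inputs.branch_name`.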
@@ -0,0 +1,48 @@ +#!/bin/bash +# Pull down all the lambda code for the named stack +set -o errexit -o nounset -o pipefail + +: ${DIST_DIR:="./dist"} + +stack_name="$1" + +function pull_lambda_code(){ + local api_name="$1" + local endpoint_name="$2" + local lambda_name="nhds-nrlf--${stack_name}--API-${api_name}--${endpoint_name}" + + echo "Downloading code for lambda ${lambda_name}...." + code_url="$(aws lambda get-function --function-name ${lambda_name} | jq -r .Code.Location)" + curl "${code_url}" > "${DIST_DIR}/${api_name}-${endpoint_name}.zip" +} + +function pull_layer_code(){ + local name="$1" + local layer_name="nhds-nrlf--${stack_name}--${name}" + local layer_version="$(aws lambda list-layer-versions --layer-name ${layer_name} | jq -r '.LayerVersions[0].Version')" + local layer_pkg_name="$(echo ${layer_name} | tr '-' '_').zip" + + echo "Downloading code for layer ${layer_name} version ${layer_version}...." + code_url="$(aws lambda get-layer-version --layer-name ${layer_name} --version-number ${layer_version} | jq -r .Content.Location)" + curl "${code_url}" > "${DIST_DIR}/${layer_pkg_name}" +} + +mkdir -p "${DIST_DIR}" + +echo "Pulling code for consumer API lambdas...." +for endpoint_name in $(ls api/consumer) +do + pull_lambda_code "consumer" "${endpoint_name}" +done + +echo "Pulling code for producer API lambdas...." +for endpoint_name in $(ls api/producer) +do + pull_lambda_code "producer" "${endpoint_name}" +done + +echo "Pulling code for layers...." +for layer_name in nrlf dependency-layer nrlf-permissions +do + pull_layer_code "${layer_name}" +done From f27eeaa80d1ff93a1a4df400ba30f3c67e43ad3f Mon Sep 17 00:00:00 2001 
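Review bot: `curl "${code_url}" > "${DIST_DIR}/..."` in both `pull_lambda_code` and `pull_layer_code` succeeds on an HTTP error, because curl only fails on transport errors unless `--fail` is given, so an expired or rejected presigned URL writes the error body into the `.zip` and the script carries on under `set -o errexit` without noticing; the patch 3 hunk of this same file then adds `2>/dev/null` to those lines, which also hides the transport-level message. Use `curl --fail --silent --show-error "${code_url}" -o "${DIST_DIR}/${api_name}-${endpoint_name}.zip"` (and the same form in the layer function) so a bad download stops the run. `code_url` is also not `local` in either function and so leaks into the global scope between calls; declare `local code_url` on its own line so the assignment's exit status is still checked.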
From: Matt Dean Date: Tue, 17 Sep 2024 12:34:19 +0100 Subject: [PATCH 3/5] [NRL-793] Complete update-lambda-permissions workflow and pull-lambda-code-for-stack.sh script --- .../workflows/update-lambda-permissions.yml | 117 +++++++++++++++++- scripts/pull-lambda-code-for-stack.sh | 31 +++-- 2 files changed, 135 insertions(+), 13 deletions(-) mode change 100644 => 100755 scripts/pull-lambda-code-for-stack.sh diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml index 82c666d2..5d10876a 100644 --- a/.github/workflows/update-lambda-permissions.yml +++ b/.github/workflows/update-lambda-permissions.yml @@ -26,7 +26,7 @@ permissions: jobs: build-permissions: - name: Building permissions package for ${{ inputs.environment }} + name: Build permissions for ${{ inputs.environment }} runs-on: [self-hosted, ci] environment: ${{ inputs.environment }} 
@@ -73,12 +73,49 @@ jobs: key: ${{ github.run_id }}-nrlf-permissions path: dist/nrlf_permissions.zip - apply-permissions: - name: Applying permissions to ${{ inputs.environment }} + pull-deployed-lambdas: + name: Pull deployed lambdas for ${{ inputs.environment }} runs-on: [self-hosted, ci] environment: ${{ inputs.environment }} - needs: build-permissions + steps: + - name: Git clone - ${{ github.ref }} + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Configure Management Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} + role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} + + - name: Configure Account Role + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-west-2 + role-chaining: true + role-to-assume: ${{ secrets.DEPLOY_ROLE_ARN }} + role-session-name: github-actions-ci-acc-${{ inputs.environment }}-${{ github.run_id }} + + - name: Pull deployed lambda artifacts + run: | + account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1) + ./scripts/pull-lambda-code-for-stack.sh ${{ inputs.stack_name }} + + - name: Save lambda artifacts in cache + uses: actions/cache/save@v4 + with: + key: ${{ github.run_id }}-pulled-lambda-artifacts + path: dist/*.zip + + terraform-plan: + name: Plan changes to ${{ inputs.environment }} + runs-on: [self-hosted, ci] + environment: ${{ inputs.environment }} + + needs: [build-permissions, pull-deployed-lambdas] steps: - name: Git clone - ${{ github.ref }} @@ -86,6 +123,13 @@ jobs: with: ref: ${{ github.ref }} + - name: Restore pulled lambda artifacts + uses: actions/cache/restore@v4 + with: + key: ${{ github.run_id }}-pulled-lambda-artifacts + path: ./dist + fail-on-cache-miss: true + - name: Restore NRLF permissions cache uses: actions/cache/restore@v4 with: 
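Review bot: In `Pull deployed lambda artifacts` the `account=$(echo '${{ inputs.environment }}' | cut -d '-' -f1)` line is dead: nothing in the step reads `account`, since `pull-lambda-code-for-stack.sh` only receives the stack name, so either delete the line or pass the value on if the script was meant to use it. `pull-deployed-lambdas` also skips the asdf/poetry setup the `build-permissions` job does, so the script's `aws`, `jq` and `curl` calls rely on the self-hosted runner image already providing them — presumably true, but a comment on the job such as `# relies on aws/jq/curl from the runner image; no asdf setup needed` would make that explicit. The `terraform-plan` job this hunk starts continues past the end of the hunk.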
@@ -93,15 +137,76 @@ jobs: path: dist/nrlf_permissions.zip fail-on-cache-miss: true + - name: Configure Management Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} + role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} + - name: Terraform Init run: | terraform -chdir=terraform/infrastructure init terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} - - name: Terraform Apply + - name: Terraform Plan run: | - terraform -chdir=terraform/infrastructure apply -auto-approve \ + terraform -chdir=terraform/infrastructure plan \ --var-file=etc/${{ vars.ACCOUNT_NAME }}.tfvars \ --var assume_role_arn=${{ secrets.DEPLOY_ROLE_ARN }} \ --var use_shared_resources=$(poetry run python scripts/are_resources_shared_for_stack.py ${{ inputs.stack_name }}) \ + --out tfplan + + - name: Save Terraform Plan + run: | + terraform -chdir=terraform/infrastructure show -no-color tfplan > terraform/infrastructure/tfplan.txt + aws s3 cp terraform/infrastructure/tfplan s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan + aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt + + terraform-apply: + name: Apply permissions to ${{ inputs.environment }} + runs-on: [self-hosted, ci] + environment: ${{ inputs.environment }} + + needs: terraform-plan + + steps: + - name: Git clone - ${{ github.ref }} + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Restore pulled lambda artifacts + uses: actions/cache/restore@v4 + with: + key: ${{ github.run_id }}-pulled-lambda-artifacts + path: ./dist + fail-on-cache-miss: true + + - name: Restore NRLF permissions cache + uses: actions/cache/restore@v4 + with: + key: ${{ 
github.run_id }}-nrlf-permissions + path: dist/nrlf_permissions.zip + fail-on-cache-miss: true + + - name: Configure Management Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} + role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} + + - name: Download Terraform Plan artifact + run: aws s3 cp s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan terraform/infrastructure/tfplan + + - name: Terraform Init + run: | + terraform -chdir=terraform/infrastructure init + terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ + terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} + + - name: Terraform Apply + run: | + terraform -chdir=terraform/infrastructure apply tfplan diff --git a/scripts/pull-lambda-code-for-stack.sh b/scripts/pull-lambda-code-for-stack.sh old mode 100644 new mode 100755 index 6807343f..251ea80b --- a/scripts/pull-lambda-code-for-stack.sh +++ b/scripts/pull-lambda-code-for-stack.sh 
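Review bot: `Save Terraform Plan` uploads the binary `tfplan` to `s3://nhsd-nrlf--mgmt--github-ci-logging/...` and `terraform-apply` fetches it back and applies it with the deploy role the plan embeds, so whoever can write to that bucket path decides what gets applied; a saved plan also encodes the variables passed to it, here including `assume_role_arn` sourced from `secrets.DEPLOY_ROLE_ARN`, whereas the `show -no-color` text copy redacts values marked sensitive. Keeping the plan as a run-scoped workflow artifact (`actions/upload-artifact` in the plan job, `actions/download-artifact` in the apply job) would remove the bucket as a trust boundary and keep the secret-bearing file out of a logging bucket; if S3 is required, the apply job should at least verify the object it downloads against a checksum the plan job recorded, and write access to the prefix should be limited to the plan role. Separately, the `Terraform Plan` step runs `poetry run python scripts/are_resources_shared_for_stack.py`, but neither `terraform-plan` nor `terraform-apply` performs the asdf/`poetry install --no-root` setup that `build-permissions` does, so this presumably relies on the self-hosted runner already having both `terraform` and `poetry` — worth confirming, or copying the setup steps in. The `terraform-plan` job begins in the previous hunk.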
@@ -9,40 +9,57 @@ stack_name="$1" function pull_lambda_code(){ local api_name="$1" local endpoint_name="$2" - local lambda_name="nhds-nrlf--${stack_name}--API-${api_name}--${endpoint_name}" + local lambda_name="nhsd-nrlf--${stack_name}--api--${api_name}--${endpoint_name}" - echo "Downloading code for lambda ${lambda_name}...." + echo -n "- Downloading code for lambda ${lambda_name}.... " code_url="$(aws lambda get-function --function-name ${lambda_name} | jq -r .Code.Location)" - curl "${code_url}" > "${DIST_DIR}/${api_name}-${endpoint_name}.zip" + curl "${code_url}" 2>/dev/null > "${DIST_DIR}/${api_name}-${endpoint_name}.zip" + echo "✅" } function pull_layer_code(){ local name="$1" - local layer_name="nhds-nrlf--${stack_name}--${name}" + local layer_name="nhsd-nrlf--${stack_name}--${name}" local layer_version="$(aws lambda list-layer-versions --layer-name ${layer_name} | jq -r '.LayerVersions[0].Version')" - local layer_pkg_name="$(echo ${layer_name} | tr '-' '_').zip" + local layer_pkg_name="$(echo ${name} | tr '-' '_').zip" - echo "Downloading code for layer ${layer_name} version ${layer_version}...." + echo -n "- Downloading code for layer ${layer_name} version ${layer_version}...." code_url="$(aws lambda get-layer-version --layer-name ${layer_name} --version-number ${layer_version} | jq -r .Content.Location)" - curl "${code_url}" > "${DIST_DIR}/${layer_pkg_name}" + curl "${code_url}" 2>/dev/null > "${DIST_DIR}/${layer_pkg_name}" + echo "✅" } mkdir -p "${DIST_DIR}" +echo echo "Pulling code for consumer API lambdas...." for endpoint_name in $(ls api/consumer) do + if [ ! -d "api/consumer/${endpoint_name}" ]; then + continue + fi + pull_lambda_code "consumer" "${endpoint_name}" done +echo echo "Pulling code for producer API lambdas...." for endpoint_name in $(ls api/producer) do + if [ ! -d "api/producer/${endpoint_name}" ]; then + continue + fi + pull_lambda_code "producer" "${endpoint_name}" done +echo echo "Pulling code for layers...." 
for layer_name in nrlf dependency-layer nrlf-permissions do pull_layer_code "${layer_name}" done + +echo +echo "✅ Done. Code is in ${DIST_DIR}" +echo From 50353af40a58146895ed2224d89b4797b3a2bedc Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Tue, 17 Sep 2024 12:55:55 +0100 Subject: [PATCH 4/5] [NRL-793] Fixed up shellcheck reports in new pull-lambda-code-for-stack.sh --- scripts/pull-lambda-code-for-stack.sh | 37 ++++++++++++++++++--------- 1 file changed, 25 insertions(+), 12 deletions(-) diff --git a/scripts/pull-lambda-code-for-stack.sh b/scripts/pull-lambda-code-for-stack.sh index 251ea80b..4e497160 100755 --- a/scripts/pull-lambda-code-for-stack.sh +++ b/scripts/pull-lambda-code-for-stack.sh 
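Review bot: The layer loop at the end still includes `nrlf-permissions`, and with the new `layer_pkg_name="$(echo ${name} | tr '-' '_').zip"` that download lands at `${DIST_DIR}/nrlf_permissions.zip` — the same path the workflow's `build-permissions` job uses for the freshly built layer. The plan and apply jobs only get the new layer because they restore the permissions cache after the pulled artifacts and the second extraction overwrites the first (assuming `actions/cache/restore` overwrites, which it appears to); swap the two restore steps and the stale deployed layer would be planned instead. Dropping `nrlf-permissions` from `for layer_name in nrlf dependency-layer nrlf-permissions` removes the collision, since the script exists to fetch the layers that are not being rebuilt; failing that, a comment on the loop, `# nrlf-permissions is overwritten by the freshly built layer in CI — restore order matters`, should record the dependency.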
@@ -2,29 +2,38 @@ # Pull down all the lambda code for the named stack set -o errexit -o nounset -o pipefail -: ${DIST_DIR:="./dist"} +: "${DIST_DIR:="./dist"}" + +if [ $# -ne 1 ] +then + echo "Error: stack-name argument is missing" 1>&2 + echo "Usage: $0 " 1>&2 + exit 1 +fi stack_name="$1" function pull_lambda_code(){ local api_name="$1" local endpoint_name="$2" - local lambda_name="nhsd-nrlf--${stack_name}--api--${api_name}--${endpoint_name}" + + lambda_name="nhsd-nrlf--${stack_name}--api--${api_name}--${endpoint_name}" echo -n "- Downloading code for lambda ${lambda_name}.... " - code_url="$(aws lambda get-function --function-name ${lambda_name} | jq -r .Code.Location)" + code_url="$(aws lambda get-function --function-name "${lambda_name}" | jq -r .Code.Location)" curl "${code_url}" 2>/dev/null > "${DIST_DIR}/${api_name}-${endpoint_name}.zip" echo "✅" } function pull_layer_code(){ local name="$1" - local layer_name="nhsd-nrlf--${stack_name}--${name}" - local layer_version="$(aws lambda list-layer-versions --layer-name ${layer_name} | jq -r '.LayerVersions[0].Version')" - local layer_pkg_name="$(echo ${name} | tr '-' '_').zip" - echo -n "- Downloading code for layer ${layer_name} version ${layer_version}...." - code_url="$(aws lambda get-layer-version --layer-name ${layer_name} --version-number ${layer_version} | jq -r .Content.Location)" + layer_name="nhsd-nrlf--${stack_name}--${name}" + layer_pkg_name="$(echo "${name}" | tr '-' '_').zip" + layer_version="$(aws lambda list-layer-versions --layer-name "${layer_name}" | jq -r '.LayerVersions[0].Version')" + + echo -n "- Downloading code for layer ${layer_name} version ${layer_version}.... " + code_url="$(aws lambda get-layer-version --layer-name "${layer_name}" --version-number "${layer_version}" | jq -r .Content.Location)" curl "${code_url}" 2>/dev/null > "${DIST_DIR}/${layer_pkg_name}" echo "✅" } 
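Review bot: The SC2155 fix dropped `local` instead of separating declaration from assignment, so `lambda_name`, `code_url`, `layer_name`, `layer_pkg_name` and `layer_version` are now globals that outlive each call; `local lambda_name code_url` on one line followed by the plain assignments keeps the exit-status check shellcheck asked for and the scoping the original had, and `pull_layer_code` needs the same treatment for its variables. The usage line reads `echo "Usage: $0 " 1>&2` with nothing after `$0`; if that is how the file reads rather than an artefact of angle brackets being stripped from this rendering, it should name the argument, e.g. `echo "Usage: $0 STACK_NAME" 1>&2`.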
@@ -33,23 +42,27 @@ mkdir -p "${DIST_DIR}" echo echo "Pulling code for consumer API lambdas...." -for endpoint_name in $(ls api/consumer) +for endpoint_path in api/consumer/* do - if [ ! -d "api/consumer/${endpoint_name}" ]; then + if [ ! -d "${endpoint_path}" ] + then continue fi + endpoint_name="$(basename "${endpoint_path}")" pull_lambda_code "consumer" "${endpoint_name}" done echo echo "Pulling code for producer API lambdas...." -for endpoint_name in $(ls api/producer) +for endpoint_path in api/producer/* do - if [ ! -d "api/producer/${endpoint_name}" ]; then + if [ ! -d "${endpoint_path}" ] + then continue fi + endpoint_name="$(basename "${endpoint_path}")" pull_lambda_code "producer" "${endpoint_name}" done From 2c568210ff4526c7f5c8aed1ba5fb74d06d9f36d Mon Sep 17 00:00:00 2001 From: Matt Dean Date: Tue, 17 Sep 2024 16:29:05 +0100 Subject: [PATCH 5/5] [NRL-793] Add version checks before updating perms --- .github/workflows/persistent-environment.yml | 3 +- .../workflows/update-lambda-permissions.yml | 64 ++++++++++++++++++- scripts/get_current_info.sh | 8 +++ terraform/infrastructure/data.tf | 7 ++ terraform/infrastructure/output.tf | 4 ++ 5 files changed, 81 insertions(+), 5 deletions(-) create mode 100755 scripts/get_current_info.sh diff --git a/.github/workflows/persistent-environment.yml b/.github/workflows/persistent-environment.yml index a3333620..fd103dc5 100644 --- a/.github/workflows/persistent-environment.yml +++ b/.github/workflows/persistent-environment.yml @@ -234,8 +234,7 @@ jobs: - name: Update environment config version run: | - short_commit_ref="$(echo ${{ github.sha }} | cut -c1-8)" - deployed_version="${{ inputs.branch_name }}@${short_commit_ref}" + deployed_version=$(terraform -chdir=terraform/infrastructure output --raw version) poetry run python ./scripts/set_env_config.py inactive-version ${deployed_version} ${{ inputs.environment }} - name: Smoke Test 
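Review bot: Both loops iterate `api/consumer/*` and `api/producer/*` relative to the current directory, and because the glob stays literal when nothing matches and the `-d` test then skips it, running the script from anywhere but the repository root pulls nothing and still prints `✅ Done`. A guard near the top, `[ -d api/consumer ] && [ -d api/producer ] || { echo "Error: run from the repository root" 1>&2; exit 1; }`, turns that into a clear failure. The layer loop and the closing messages are outside this hunk.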
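Review bot: `deployed_version=$(terraform -chdir=terraform/infrastructure output --raw version)` now reads back whatever `data.external.current-info` captured in state at the last apply, and that script derives the branch from `git rev-parse --abbrev-ref HEAD`, which prints the literal `HEAD` on a detached checkout — so the recorded value can become `HEAD@<hash>` where the removed `${{ inputs.branch_name }}@${short_commit_ref}` form was always explicit. If this job checks out by branch ref that is fine, but a comment on the step saying the value comes from Terraform state and so must follow the apply step would stop the next reader wondering why `github.sha` went away; the variable should also be quoted in the `set_env_config.py` call, `"${deployed_version}"`. The step's enclosing job is outside the hunk.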
diff --git a/.github/workflows/update-lambda-permissions.yml b/.github/workflows/update-lambda-permissions.yml
index 5d10876a..7bff088e 100644
--- a/.github/workflows/update-lambda-permissions.yml
+++ b/.github/workflows/update-lambda-permissions.yml
@@ -25,11 +25,67 @@ permissions: actions: write jobs: + check-versions: + name: Check versions + runs-on: [self-hosted, ci] + + steps: + - name: Git clone - ${{ github.ref }} + uses: actions/checkout@v4 + with: + ref: ${{ github.ref }} + + - name: Setup asdf cache + uses: actions/cache@v4 + with: + path: ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }} + restore-keys: | + ${{ runner.os }}-asdf- + + - name: Install asdf + uses: asdf-vm/actions/install@v3.0.2 + + - name: Install zip + run: sudo apt-get install zip + + - name: Setup Python environment + run: | + poetry install --no-root + source $(poetry env info --path)/bin/activate + + - name: Configure Management Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.MGMT_ROLE_ARN }} + role-session-name: github-actions-ci-${{ inputs.environment }}-${{ github.run_id }} + + - name: Terraform Init + run: | + terraform -chdir=terraform/infrastructure init + terraform -chdir=terraform/infrastructure workspace new ${{ inputs.stack_name }} || \ + terraform -chdir=terraform/infrastructure workspace select ${{ inputs.stack_name }} + + - name: Check deployed version matches build version + run: | + this_version="$(./scripts/get-current-info.sh) | jq -r .version)" + deployed_version="$(terraform -chdir=terraform/infrastructure output --raw version)" + + if [ "${deployed_version}" != "${this_version}" ]; then + echo "Deployed version is ${deployed_version}, not ${this_version}" + exit 1 + fi + + echo "Deployed version matches this version: ${deployed_version}" + build-permissions: name: Build permissions for ${{ inputs.environment }} runs-on: [self-hosted, ci] environment: ${{ inputs.environment }} + needs: [check-versions] + steps: - name: Git clone - ${{ github.ref }} uses: actions/checkout@v4 
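Review bot: The `Check deployed version matches build version` step cannot work as written: `this_version="$(./scripts/get-current-info.sh) | jq -r .version)"` closes the command substitution before the pipe, so the `| jq -r .version)` tail becomes literal text in `this_version`, and the script it calls is `get-current-info.sh` while the file added in this patch is `scripts/get_current_info.sh`; with the runner's `-e` shell the step fails on the missing script, and if only the name were corrected the comparison would still always mismatch. It should read `this_version="$(./scripts/get_current_info.sh | jq -r .version)"`. The job's `Terraform Init` step also runs `terraform workspace new ${{ inputs.stack_name }} || ... select`, so a mistyped stack name creates an empty workspace as a side effect of a read-only check and then fails on a missing `version` output with a confusing message; in this job use `workspace select` alone so an unknown stack fails immediately. The job has no `environment:` while every other job does, so it runs outside the environment's protection rules but still assumes `MGMT_ROLE_ARN` — presumably intentional for a pre-check, but worth a comment on the job. The `build-permissions` job whose `needs:` this hunk adds continues past the hunk.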
@@ -74,10 +130,12 @@ jobs: path: dist/nrlf_permissions.zip pull-deployed-lambdas: - name: Pull deployed lambdas for ${{ inputs.environment }} + name: Pull deployed lambdas from ${{ inputs.stack_name }} runs-on: [self-hosted, ci] environment: ${{ inputs.environment }} + needs: [check-versions] + steps: - name: Git clone - ${{ github.ref }} uses: actions/checkout@v4 @@ -111,7 +169,7 @@ jobs: path: dist/*.zip terraform-plan: - name: Plan changes to ${{ inputs.environment }} + name: Plan changes to ${{ inputs.stack_name }} for ${{ inputs.environment }} runs-on: [self-hosted, ci] environment: ${{ inputs.environment }} @@ -165,7 +223,7 @@ jobs: aws s3 cp terraform/infrastructure/tfplan.txt s3://nhsd-nrlf--mgmt--github-ci-logging/${{ inputs.environment }}/${{ github.run_id }}/tfplan.txt terraform-apply: - name: Apply permissions to ${{ inputs.environment }} + name: Apply permissions to ${{ inputs.stack_name }} for ${{ inputs.environment }} runs-on: [self-hosted, ci] environment: ${{ inputs.environment }} diff --git a/scripts/get_current_info.sh b/scripts/get_current_info.sh new file mode 100755 index 00000000..1c81d404 --- /dev/null +++ b/scripts/get_current_info.sh @@ -0,0 +1,8 @@ +#!/bin/bash +# Get the current info about the codebase +set -o errexit -o nounset -o pipefail + +BRANCH_NAME="$(git rev-parse --abbrev-ref HEAD)" +SHORT_COMMIT_HASH="$(git rev-parse --short=8 HEAD)" + +echo "{ \"version\": \"${BRANCH_NAME}@${SHORT_COMMIT_HASH}\" }" diff --git a/terraform/infrastructure/data.tf b/terraform/infrastructure/data.tf index 8a44ecb8..df9b9b34 100644 --- a/terraform/infrastructure/data.tf +++ b/terraform/infrastructure/data.tf @@ -34,3 +34,10 @@ data "aws_iam_policy" "pointers-kms-read-write" { count = var.use_shared_resources ? 1 : 0 name = "${local.shared_prefix}-pointers-kms-read-write" } + +data "external" "current-info" { + program = [ + "bash", + "../../scripts/get_current_info.sh", + ] +} 
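Review bot: `get_current_info.sh` assembles its JSON with `echo` and string interpolation, so a `"` or `\` in the branch name (git permits both in ref names) yields invalid output and `data.external` in `data.tf` fails the plan with a parse error; `jq -n --arg version "${BRANCH_NAME}@${SHORT_COMMIT_HASH}" '{version: $version}'` emits a correctly escaped object, and `jq` is already a dependency of the sibling script. `git rev-parse --abbrev-ref HEAD` also prints the literal `HEAD` on a detached checkout, so the stamped version would then be `HEAD@<hash>`; the header comment should say the script assumes a branch is checked out, or the script could prefer `${GITHUB_REF_NAME}` when it is set.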
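Review bot: `data.external.current-info` shells out to `git` on every plan and apply, so the `version` that ends up in state is whatever checkout ran the apply — a manual `terraform apply` from a developer's working copy would stamp that local branch and commit into the workspace, and the new `check-versions` job would then refuse to run the permissions update until someone re-applies from CI. That may be acceptable, but it deserves a comment above the block, e.g. `# Stamps branch@short-sha of the applying checkout into state (see output "version"); applies from outside CI record that checkout.` The `external` provider must also be declared in `required_providers` if it is not already (not visible in this hunk), and the relative `../../scripts/...` path assumes the root module directory is the working directory, which `-chdir=terraform/infrastructure` in the workflows guarantees.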
diff --git a/terraform/infrastructure/output.tf b/terraform/infrastructure/output.tf index 440838c5..83194073 100644 --- a/terraform/infrastructure/output.tf +++ b/terraform/infrastructure/output.tf @@ -46,3 +46,7 @@ output "certificate_domain_name" { output "auth_store" { value = local.auth_store_id } + +output "version" { + value = data.external.current-info.result.version +}
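Review bot: The new `output "version"` carries no `description`, and because its value comes from `data.external.current-info` rather than from any deployed resource, a reader of `terraform output` cannot tell that it means the branch and short commit of the checkout that last applied this workspace. Add `description = "branch@short-sha of the code last applied to this workspace (from scripts/get_current_info.sh)"` to the block so the `check-versions` comparison in the workflow is self-explanatory.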