bcgov
diff --git a/‎.github/workflows/.deploy_stack.yml‎
Lines changed: 50 additions & 1 deletion b/‎.github/workflows/.deploy_stack.yml‎
Lines changed: 50 additions & 1 deletion
diff --git a/‎.github/workflows/.deployer.yml‎
Lines changed: 47 additions & 62 deletions b/‎.github/workflows/.deployer.yml‎
Lines changed: 47 additions & 62 deletions
diff --git a/‎.github/workflows/merge.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/merge.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/pause-resources.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/pause-resources.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/pr-open.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/pr-open.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 55 deletions b/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 55 deletions
diff --git a/‎.github/workflows/resume-resources.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/resume-resources.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 10 additions & 1 deletion b/‎.gitignore‎
Lines changed: 10 additions & 1 deletion
@@ -38,8 +38,57 @@ permissions:
   id-token: write # This is required for requesting the JWT
   contents: write # This is required for actions/checkout
 jobs:
+  
+  ecr:
+    name:  ECR
+    runs-on: ubuntu-24.04
+    environment: ${{ inputs.environment_name }}
+    strategy:
+      matrix:
+        package: [backend,migrations]
+    steps:
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
+          role-session-name: gha-ecr-push
+          aws-region: ca-central-1
+      
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+        
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+          
+      - name: Pull, tag and push image to ECR
+        env:
+          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
+          GHCR_IMAGE: ghcr.io/${{ github.repository }}/${{ matrix.package }}:${{ inputs.tag }}
+        run: |
+          # Check if command is apply and validate image exists
+          if [ "${{ inputs.command }}" == "apply" ]; then
+            docker manifest inspect $GHCR_IMAGE > /dev/null 2>&1 || { echo "Error: Image $GHCR_IMAGE does not exist and command is apply"; exit 1; }
+            docker pull $GHCR_IMAGE || { echo "Error: Failed to pull image $GHCR_IMAGE"; exit 1; }
+            
+            # Tag for ECR
+            ECR_IMAGE=$ECR_REGISTRY/${{ github.repository }}:${{ matrix.package }}-${{ inputs.tag }}
+            docker tag $GHCR_IMAGE $ECR_IMAGE
+            
+            # Push to ECR
+            docker push $ECR_IMAGE
+          else
+            echo "Command is not apply, continuing"
+            exit 0;
+          fi
+          
   stack-prefix:
     name: Stack Prefix
+    needs: ecr
     uses: ./.github/workflows/.stack-prefix.yml
   deploy-db:
     name: Deploys Database
@@ -79,7 +128,7 @@ jobs:
   build-ui:
     name: Build And upload UI to s3 ${{ inputs.environment_name }}
     environment: ${{ inputs.environment_name }}
-    if: ( inputs.command == 'apply' )
+    if: (inputs.command == 'apply')
     needs: [deploy-api, deploy-cloudfront]
     runs-on: ubuntu-24.04
     steps:
 
@@ -41,15 +41,12 @@ on:
         value: ${{ jobs.infra.outputs.CF_DOMAIN }}
       CF_DISTRIBUTION_ID:
         value: ${{ jobs.infra.outputs.CF_DISTRIBUTION_ID }}
-    
 
-    
-      
 env:
-    TG_VERSION: 0.55.2
-    TF_VERSION: 1.5.3
-    TG_SRC_PATH: terraform/${{ inputs.working_directory }}
-    AWS_REGION: ca-central-1
+  TG_VERSION: 0.63.6
+  TF_VERSION: 1.12.2
+  TG_SRC_PATH: terraform/${{ inputs.working_directory }}
+  AWS_REGION: ca-central-1
 permissions:
   id-token: write # This is required for requesting the JWT
   contents: write # This is required for actions/checkout
@@ -66,92 +63,80 @@ jobs:
   steps:
     - name: Checkout
       uses: actions/checkout@v4
-    
     - name: Configure AWS Credentials
       uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
       with:
         role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
         role-session-name: ${{ inputs.environment_name }}-deployment
         aws-region: ${{ env.AWS_REGION }}
-    
     - uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3
       with:
         terraform_version: ${{ env.TF_VERSION }}
-    
-    - name: Setup Terragrunt
-      uses: autero1/action-terragrunt@aefb0a43c4f5503a91fefb307745c4d51c26ed0e # v3
-      with:
-          terragrunt-version: ${{ env.TG_VERSION }}
-    
     - name: Get ECR Registry
-      if: inputs.app_env == 'prod'
       id: ecr-check
       run: |
         ECR_REGISTRY=$(aws sts get-caller-identity --query Account --output text).dkr.ecr.ca-central-1.amazonaws.com
         echo "ecr-registry=$ECR_REGISTRY" >> $GITHUB_OUTPUT
-    
     - name: Image Tags
       id: image-tags
       shell: bash
       run: |
-        if [[ "${{ inputs.app_env }}" == "prod" && "${{ inputs.working_directory }}" == "api" ]]; then
-          API_IMAGE="${{ steps.ecr-check.outputs.ecr-registry }}/${{ github.event.repository.name }}-backend-prod:${{ inputs.tag }}"
-          FLYWAY_IMAGE="${{ steps.ecr-check.outputs.ecr-registry }}/${{ github.event.repository.name }}-migrations-prod:${{ inputs.tag }}"
-        else
-          API_IMAGE="ghcr.io/${{ github.repository }}/backend:${{ inputs.tag }}"
-          FLYWAY_IMAGE="ghcr.io/${{ github.repository }}/migrations:${{ inputs.tag }}"
-        fi
+        API_IMAGE="${{ steps.ecr-check.outputs.ecr-registry }}/${{ github.repository }}:backend-${{ inputs.tag }}"
+        FLYWAY_IMAGE="${{ steps.ecr-check.outputs.ecr-registry }}/${{ github.repository }}:migrations-${{ inputs.tag }}"
         echo "api-image=$API_IMAGE" >> $GITHUB_OUTPUT
         echo "flyway-image=$FLYWAY_IMAGE" >> $GITHUB_OUTPUT
+    
+    - name: Setup Terragrunt
+      uses: autero1/action-terragrunt@aefb0a43c4f5503a91fefb307745c4d51c26ed0e # v3
+      with:
+        terragrunt-version: ${{ env.TG_VERSION }}
     - name: Terragrunt ${{inputs.command}}
       working-directory: terraform/${{ inputs.working_directory }}/${{ inputs.environment_name }}
       env:
-          target_env: ${{ inputs.environment_name }}
-          aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
-          flyway_image: ${{ steps.image-tags.outputs.flyway-image }}
-          api_image: ${{ steps.image-tags.outputs.api-image }}
-          app_env: ${{inputs.app_env}}
-          stack_prefix: ${{ inputs.stack_prefix }}
-          repo_name: ${{ github.event.repository.name }}
+        target_env: ${{ inputs.environment_name }}
+        aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
+        api_image: ${{ steps.image-tags.outputs.api-image }}
+        flyway_image: ${{ steps.image-tags.outputs.flyway-image }}
+        app_env: ${{inputs.app_env}}
+        stack_prefix: ${{ inputs.stack_prefix }}
+        repo_name: ${{ github.event.repository.name }}
       run: |
-          # Run terraform
-          terragrunt run-all ${{inputs.command}} --terragrunt-non-interactive
-    
+        # Run terraform
+        terragrunt run-all ${{inputs.command}} --terragrunt-non-interactive
     - name: Terragrunt API Outputs
-      if: ( inputs.working_directory == 'api'  && inputs.command == 'apply' )
+      if: (inputs.working_directory == 'api'  && inputs.command == 'apply')
       working-directory: terraform/${{ inputs.working_directory }}/${{ inputs.environment_name }}
       id: tg-outputs
       env:
-          target_env: ${{ inputs.environment_name }}
-          aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
-          flyway_image: ${{ steps.image-tags.outputs.flyway-image }}
-          api_image: ${{ steps.image-tags.outputs.api-image }}
-          app_env: ${{inputs.app_env}}
-          stack_prefix: ${{ inputs.stack_prefix }}
-          repo_name: ${{ github.event.repository.name }}
+        target_env: ${{ inputs.environment_name }}
+        aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
+        api_image: ${{ steps.image-tags.outputs.api-image }}
+        flyway_image: ${{ steps.image-tags.outputs.flyway-image }}
+        app_env: ${{inputs.app_env}}
+        stack_prefix: ${{ inputs.stack_prefix }}
+        repo_name: ${{ github.event.repository.name }}
       run: |
-          terragrunt output -json > outputs.json
-          #print the output
-          cat outputs.json
-            echo "API_GW_URL=$(jq -r .apigw_url.value outputs.json)" >> $GITHUB_OUTPUT
-    
+        terragrunt output -json > outputs.json
+        #print the output
+        cat outputs.json
+        echo "API_GW_URL=$(jq -r .apigw_url.value outputs.json)" >> $GITHUB_OUTPUT
     - name: Terragrunt Frontend Outputs
-      if: ( inputs.working_directory == 'frontend' && inputs.command == 'apply' )
+      if: (inputs.working_directory == 'frontend' && inputs.command == 'apply')
       working-directory: terraform/${{ inputs.working_directory }}/${{ inputs.environment_name }}
       id: tg-outputs-frontend
       env:
-          target_env: ${{ inputs.environment_name }}
-          aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
-          flyway_image: ${{ steps.image-tags.outputs.flyway-image }}
-          api_image: ${{ steps.image-tags.outputs.api-image }}
-          app_env: ${{inputs.app_env}}
-          stack_prefix: ${{ inputs.stack_prefix }}
-          repo_name: ${{ github.event.repository.name }}
+        target_env: ${{ inputs.environment_name }}
+        aws_license_plate: ${{ secrets.AWS_LICENSE_PLATE }}
+        api_image: ${{ steps.image-tags.outputs.api-image }}
+        flyway_image: ${{ steps.image-tags.outputs.flyway-image }}
+        app_env: ${{inputs.app_env}}
+        stack_prefix: ${{ inputs.stack_prefix }}
+        repo_name: ${{ github.event.repository.name }}
       run: |
-          terragrunt output -json > outputs.json
-          #print the output
-          cat outputs.json
-          
-          echo "S3_BUCKET_ARN=$(jq -r .s3_bucket_arn.value outputs.json)" >> $GITHUB_OUTPUT
-          echo "CF_DOMAIN=$(jq -r .cloudfront.value.domain_name outputs.json)" >> $GITHUB_OUTPUT
-          echo "CF_DISTRIBUTION_ID=$(jq -r .cloudfront.value.distribution_id outputs.json)" >> $GITHUB_OUTPUT
+        terragrunt output -json > outputs.json
+        #print the output
+        cat outputs.json
+        
+        echo "S3_BUCKET_ARN=$(jq -r .s3_bucket_arn.value outputs.json)" >> $GITHUB_OUTPUT
+        echo "CF_DOMAIN=$(jq -r .cloudfront.value.domain_name outputs.json)" >> $GITHUB_OUTPUT
+        echo "CF_DISTRIBUTION_ID=$(jq -r .cloudfront.value.distribution_id outputs.json)" >> $GITHUB_OUTPUT
@@ -44,7 +44,7 @@ jobs:
     needs: [resume-resources, vars]
     uses: ./.github/workflows/.deploy_stack.yml
     with:
-      environment_name: dev
+      environment_name: prod # ::change it to:: dev , template repo only has PROD
       command: apply
       tag: ${{ needs.vars.outputs.pr }}
       app_env: dev
@@ -77,7 +77,7 @@ jobs:
     needs: [vars, e2e]
     uses: ./.github/workflows/.deploy_stack.yml
     with:
-      environment_name: dev # since we are using the same namespace env for dev and test
+      environment_name: prod # ::change it to:: test , template repo only has PROD
       command: apply
       tag: ${{ needs.vars.outputs.pr }}
       app_env: test
 
@@ -34,6 +34,7 @@ jobs:
   pause-resources-dev:
     name: Pause Resources Dev
     if: (inputs.app_env == 'dev' || inputs.app_env == 'all' || github.event_name == 'schedule')
+    environment: prod # ::change it to:: dev , template repo only has PROD
     needs: [stack-prefix]
     runs-on: ubuntu-24.04
     steps:
@@ -53,7 +54,7 @@ jobs:
   pause-resources-test:
     name: Pause Resources Test
     if: (inputs.app_env == 'test' || inputs.app_env == 'all' || github.event_name == 'schedule')
-    environment: test
+    environment: prod # ::change it to:: test , template repo only has PROD
     needs: [stack-prefix]
     runs-on: ubuntu-24.04
     steps:
 
@@ -34,7 +34,7 @@ jobs:
       cancel-in-progress: false
     uses: ./.github/workflows/.deploy_stack.yml
     with:
-      environment_name: dev
+      environment_name: prod # ::change it to:: dev , template repo only has PROD
       command: plan
       tag: ${{ github.event.number || 'latest' }} 
       app_env: ${{ github.event.number || 'latest' }} # ephermal, prefixed for easy clean up of PR resources in s3 and dynamodb generated by terraform
@@ -69,10 +69,10 @@ jobs:
     concurrency:
       group: deploy-dev-${{ github.event.number || 'latest' }}
       cancel-in-progress: false
-    needs: [resume-resources-dev]
+    needs: [resume-resources-dev, plan-stack]
     uses: ./.github/workflows/.deploy_stack.yml
     with:
-      environment_name: dev
+      environment_name: prod # ::change it to:: dev , template repo only has PROD
       command: apply
       tag: manual
       app_env: dev
 
@@ -88,59 +88,6 @@ jobs:
           tags: |
             ${{ needs.vars.outputs.tags }}
   
-  push-to-ecr:
-    name: Push Images to ECR
-    needs: [vars, retag-images]
-    runs-on: ubuntu-24.04
-    strategy:
-      matrix:
-        package: [backend, migrations]
-    steps:
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
-        with:
-          role-to-assume: ${{ secrets.AWS_DEPLOY_ROLE_ARN }}
-          role-session-name: gha-ecr-push
-          aws-region: ca-central-1
-      
-      - name: Login to Amazon ECR
-        id: login-ecr
-        uses: aws-actions/amazon-ecr-login@v2
-        
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-          
-      - name: Pull, tag and push image to ECR
-        env:
-          ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          GHCR_IMAGE: ghcr.io/${{ github.repository }}/${{ matrix.package }}:${{ needs.vars.outputs.tag }}
-        run: |
-          # Create ECR repository if it doesn't exist
-            aws ecr create-repository \
-            --repository-name ${{ github.event.repository.name }}-${{ matrix.package }}-prod \
-            --image-tag-mutability IMMUTABLE \
-            --image-scanning-configuration scanOnPush=true \
-            || true
-            
-            # Apply lifecycle policy separately
-            aws ecr put-lifecycle-policy \
-            --repository-name ${{ github.event.repository.name }}-${{ matrix.package }}-prod \
-            --lifecycle-policy '{"rules":[{"rulePriority":1,"description":"Keep only 5 tagged images","selection":{"tagStatus":"tagged","tagPatternList":["*"],"countType":"imageCountMoreThan","countNumber":5},"action":{"type":"expire"}},{"rulePriority":2,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"imageCountMoreThan","countNumber":1},"action":{"type":"expire"}}]}' \
-            || true
-          
-          # Pull image from GHCR
-          docker pull $GHCR_IMAGE || { echo "Error: Failed to pull image $GHCR_IMAGE"; exit 1; }
-          
-          # Tag for ECR
-          ECR_IMAGE=$ECR_REGISTRY/${{ github.event.repository.name }}-${{ matrix.package }}-prod:${{ needs.vars.outputs.tag }}
-          docker tag $GHCR_IMAGE $ECR_IMAGE
-          
-          # Push to ECR
-          docker push $ECR_IMAGE
 
   resume-resources:
     name: Resume Resources # This job resumes resources for the merged PR which is needed if the resources were paused.
@@ -152,11 +99,11 @@ jobs:
 
   deploy:
     name: Deploy Stack
-    needs: [vars, resume-resources, retag-images, push-to-ecr]
+    needs: [vars, resume-resources, retag-images]
     uses: ./.github/workflows/.deploy_stack.yml
     secrets: inherit
     with:
-      environment_name: dev # since we only have one namespace dev, update this to PROD
+      environment_name: prod
       command: apply
       tag: ${{ needs.vars.outputs.tag}} # this is the tag of the containers to deploy
       app_env: prod
 
@@ -34,6 +34,7 @@ jobs:
   resume-resources-dev:
     if: (inputs.app_env == 'dev' || inputs.app_env == 'all' || github.event_name == 'schedule')
     name: Resume Resources Dev
+    environment: prod # ::change it to:: dev , template repo only has PROD
     needs: [stack-prefix]
     runs-on: ubuntu-24.04
     steps:
@@ -53,7 +54,7 @@ jobs:
   resume-resources-test:
     name: Resume Resources Test
     if: (inputs.app_env == 'test' || inputs.app_env == 'all' || github.event_name == 'schedule')
-    environment: test
+    environment: prod # ::change it to:: test , template repo only has PROD
     needs: [stack-prefix]
     runs-on: ubuntu-24.04
     steps:
 
@@ -368,4 +368,13 @@ pyrightconfig.json
 **/node_modules
 **/dist
 # nested terragrunt-cache
-**/.terragrunt-cache/**
+**/.terragrunt-cache/**
+**/.terraform
+# terraform plan output
+*.tfplan
+# terraform state
+*.tfstate
+# terraform state backup
+*.tfstate.backup
+# terraform lock file
+*.terraform.lock.hcl