feat: cicd release tests tf apply, destroy

.github/workflows/release-tests.yml

@@ -7,10 +7,6 @@ on:
   # Allows manual testing
   workflow_dispatch:
 
-# TODO:
-# - Github env vars/secrets made available to this repo 
-# - After full testing, uncomment slack channel status
-
 jobs:
   pre-commit:
     permissions:
@@ -30,6 +26,12 @@ jobs:
     steps:
       - uses: actions/checkout@v5
 
+      # Truncate and s3-friendly-ify tfstate filename
+      - name: Prereqs
+        id: prereqs
+        run: |
+          echo "REPOSITORY_NAME=`echo \"${{  github.ref_name }}\" | tr -d './' | cut -c1-15`" >> $GITHUB_ENV
+
       # Here we read the terraform version from the .terraform-version file, and then install that version
       - name: Get Terraform version
         id: tf_version
@@ -43,23 +45,21 @@ jobs:
         id: prep_env
         working-directory: utils/cicd
         run: |
-          sed -i 's|VAR-TF_STATE_BUCKET|${{ secrets.FD_CICD_TF_STATE_BUCKET }}|g' backend.tf
-          sed -i 's|VAR-AWS_REGION|${{ secrets.FD_CICD_AWS_REGION}}|g' backend.tf
-          sed -i 's|VAR-GITHUB_REPOSITORY|${{ github.ref_name }}|g' backend.tf
-          echo -e "\n cicd backend.tf contents:\n"
-          cat backend.tf
+          sed -i "s|VAR-TF_STATE_BUCKET|${{ secrets.FD_CICD_TF_STATE_BUCKET }}|g" backend.tf
+          sed -i "s|VAR-AWS_REGION|${{ secrets.FD_CICD_AWS_REGION}}|g" backend.tf
+          sed -i "s|VAR-GITHUB_REPOSITORY|$REPOSITORY_NAME|g" backend.tf
 
       - name: Update stac-server lambdas
         id: update_stac_lambdas
         run: ./utils/update-lambdas.bash
 
-      # - name: Configure Terraform Init Credentials
-      #   id: init_creds
-      #   uses: aws-actions/configure-aws-credentials@v5
-      #   with:
-      #     aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
-      #     role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
-      #     role-session-name: GitHubReleaseInit
+      - name: Configure Terraform Init Credentials
+        id: init_creds
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
+          role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
+          role-session-name: GitHubReleaseInit
 
       - name: Terraform Init
         id: tf_init
@@ -71,108 +71,108 @@ jobs:
         working-directory: utils/cicd
         run: terraform validate
 
-      # - name: Configure Terraform Plan Credentials
-      #   id: plan_creds
-      #   uses: aws-actions/configure-aws-credentials@v5
-      #   with:
-      #     aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
-      #     role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
-      #     role-session-name: GitHubReleasePlan
+      - name: Configure Terraform Plan Credentials
+        id: plan_creds
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
+          role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
+          role-session-name: GitHubReleasePlan
 
       - name: Terraform Plan
         id: tf_plan
         working-directory: utils/cicd
         run: terraform plan -out test.tfplan
 
-      # - name: Configure Terraform Apply Credentials
-      #   id: apply_creds
-      #   uses: aws-actions/configure-aws-credentials@v5
-      #   with:
-      #     aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
-      #     role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
-      #     role-session-name: GitHubReleaseApply
-
-      # - name: Terraform Apply
-      #   id: tf_apply
-      #   continue-on-error: true
-      #   working-directory: utils/cicd
-      #   run: terraform apply -input=false test.tfplan
-
-      # - name: Post tf_apply success status to Slack channel
-      #   id: tf_apply_successs
-      #   if: steps.tf_apply.outcome == 'success'
-      #   continue-on-error: true
-      #   uses: slackapi/slack-github-action@v2.1.1
-      #   with:
-      #     method: chat.postMessage
-      #     token: ${{ secrets.FD_CICD_SLACK_BOT_TOKEN }}
-      #     payload: |
-      #       channel: ${{ secrets.FD_CICD_SLACK_CHANNEL_ID }}
-      #       text: ":badger_dance: terraform-aws-stac-server - ${{  github.ref_name }} terraform apply job has succeeded!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
-
-      # - name: Post tf_apply failure status to Slack channel
-      #   id: tf_apply_failure
-      #   if: steps.tf_apply.outcome != 'success'
-      #   continue-on-error: true
-      #   uses: slackapi/slack-github-action@v2.1.1
-      #   with:
-      #     method: chat.postMessage
-      #     token: ${{ secrets.FD_CICD_SLACK_BOT_TOKEN }}
-      #     payload: |
-      #       channel: ${{ secrets.FD_CICD_SLACK_CHANNEL_ID }}
-      #       text: ":sadpanda: terraform-aws-stac-server -${{  github.ref_name }} terraform apply has failed!\n:alert: make sure cleanup job deletes all AWS resources!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
-
-      # - name: Configure Terraform Cleanup Check Credentials
-      #   id: cleanup_check_creds
-      #   if: always()
-      #   uses: aws-actions/configure-aws-credentials@v5
-      #   with:
-      #     aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
-      #     role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
-      #     role-session-name: GitHubReleaseCleanupCheck
-
-      # - name: Terraform Destroy Pre-Check
-      #   id: tf_destroy_plan
-      #   if: always()
-      #   working-directory: utils/cicd
-      #   run: terraform plan -destroy -out test-cleanup.tfplan
-
-      # - name: Configure Terraform Cleanup Credentials
-      #   id: cleanup_creds
-      #   if: always()
-      #   uses: aws-actions/configure-aws-credentials@v5
-      #   with:
-      #     aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
-      #     role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
-      #     role-session-name: GitHubReleaseCleanup
-
-      # - name: Terraform Destroy
-      #   id: tf_destroy_apply
-      #   if: always()
-      #   continue-on-error: true
-      #   working-directory: utils/cicd
-      #   run: terraform apply -destroy -input=false test-cleanup.tfplan
-
-      # - name: Post tf_destroy success status to Slack channel
-      #   id: tf_destroy_apply_successs
-      #   if: steps.tf_destroy_apply.outcome == 'success'
-      #   continue-on-error: true
-      #   uses: slackapi/slack-github-action@v2.1.1
-      #   with:
-      #     method: chat.postMessage
-      #     token: ${{ secrets.FD_CICD_SLACK_BOT_TOKEN }}
-      #     payload: |
-      #       channel: ${{ secrets.FD_CICD_SLACK_CHANNEL_ID }}
-      #       text: ":badger_dance: terraform-aws-stac-server - ${{  github.ref_name }} cleanup job has succeeded!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
-
-      # - name: Post tf_destroy failure status to Slack channel
-      #   id: tf_destroy_apply_failure
-      #   if: steps.tf_destroy_apply.outcome != 'success'
-      #   continue-on-error: true
-      #   uses: slackapi/slack-github-action@v2.1.1
-      #   with:
-      #     method: chat.postMessage
-      #     token: ${{ secrets.FD_CICD_SLACK_BOT_TOKEN }}
-      #     payload: |
-      #       channel: ${{ secrets.FD_CICD_SLACK_CHANNEL_ID }}
-      #       text: ":sadpanda: terraform-aws-stac-server -${{  github.ref_name }} cleanup job has failed!\n:alert: make sure AWS resources are deleted!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+      - name: Configure Terraform Apply Credentials
+        id: apply_creds
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
+          role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
+          role-session-name: GitHubReleaseApply
+
+      - name: Terraform Apply
+        id: tf_apply
+        continue-on-error: true
+        working-directory: utils/cicd
+        run: terraform apply -input=false test.tfplan
+
+      - name: Post tf_apply success status to Slack channel
+        id: tf_apply_successs
+        if: steps.tf_apply.outcome == 'success'
+        continue-on-error: true
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.FD_CICD_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.FD_CICD_SLACK_CHANNEL_ID }}
+            text: ":badger_dance: terraform-aws-stac-server - ${{  github.ref_name }} terraform apply job has succeeded!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+
+      - name: Post tf_apply failure status to Slack channel
+        id: tf_apply_failure
+        if: steps.tf_apply.outcome != 'success'
+        continue-on-error: true
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.FD_CICD_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.FD_CICD_SLACK_CHANNEL_ID }}
+            text: ":sadpanda: terraform-aws-stac-server -${{  github.ref_name }} terraform apply has failed!\n:alert: make sure cleanup job deletes all AWS resources!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+
+      - name: Configure Terraform Cleanup Check Credentials
+        id: cleanup_check_creds
+        if: always()
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
+          role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
+          role-session-name: GitHubReleaseCleanupCheck
+
+      - name: Terraform Destroy Pre-Check
+        id: tf_destroy_plan
+        if: always()
+        working-directory: utils/cicd
+        run: terraform plan -destroy -out test-cleanup.tfplan
+
+      - name: Configure Terraform Cleanup Credentials
+        id: cleanup_creds
+        if: always()
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          aws-region: ${{ secrets.FD_CICD_AWS_REGION }}
+          role-to-assume: ${{ secrets.FD_CICD_AWS_ROLE }}
+          role-session-name: GitHubReleaseCleanup
+
+      - name: Terraform Destroy
+        id: tf_destroy_apply
+        if: always()
+        continue-on-error: true
+        working-directory: utils/cicd
+        run: terraform apply -destroy -input=false test-cleanup.tfplan
+
+      - name: Post tf_destroy success status to Slack channel
+        id: tf_destroy_apply_successs
+        if: steps.tf_destroy_apply.outcome == 'success'
+        continue-on-error: true
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.FD_CICD_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.FD_CICD_SLACK_CHANNEL_ID }}
+            text: ":badger_dance: terraform-aws-stac-server - ${{  github.ref_name }} cleanup job has succeeded!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"
+
+      - name: Post tf_destroy failure status to Slack channel
+        id: tf_destroy_apply_failure
+        if: steps.tf_destroy_apply.outcome != 'success'
+        continue-on-error: true
+        uses: slackapi/slack-github-action@v2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.FD_CICD_SLACK_BOT_TOKEN }}
+          payload: |
+            channel: ${{ secrets.FD_CICD_SLACK_CHANNEL_ID }}
+            text: ":sadpanda: terraform-aws-stac-server -${{  github.ref_name }} cleanup job has failed!\n:alert: make sure AWS resources are deleted!\n${{ github.event.pull_request.html_url || github.event.head_commit.url }}"

CHANGELOG.md

@@ -17,6 +17,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 
 
+## [1.0.2] - 2025-11-03
+
+### Added
+
+- Finish release-tests cicd
+
 ## [1.0.1] - 2025-11-03
 
 ### Added

utils/cicd/backend.tf

@@ -4,7 +4,7 @@ terraform {
     # these are injected from env vars by CICD
     bucket       = "VAR-TF_STATE_BUCKET"
     region       = "VAR-AWS_REGION"
-    key          = "VAR-GITHUB_REPOSITORY-tfstacserv-cicd.tfstate"
+    key          = "VAR-GITHUB_REPOSITORY-cicd-stac-server.tfstate"
     use_lockfile = true
   }
 }

utils/cicd/main.tf

@@ -12,13 +12,13 @@ module "main" {
   source = "../.."
 
   # project
-  project_name                             = "ssrv-cicd"
+  project_name                             = "cicd"
   stac_id                                  = "stac-server"
   stac_title                               = "STAC API"
   stac_description                         = "A STAC API using stac-server"
   stac_server_version                      = null
-  stac_api_stage                           = "git"
-  stac_api_rootpath                        = "git"
+  stac_api_stage                           = "gh"
+  stac_api_rootpath                        = "gh"
   deploy_local_stac_server_artifacts       = false
   deploy_stac_server_opensearch_serverless = true
   deploy_stac_server_outside_vpc           = false

utils/cicd/vpc-data/data.tf

@@ -1,15 +1,8 @@
 # For our CI/CD deployment of stac-server, we must pull VPC details of the AWS account that the CI/CD
 # process is running in
 
-locals {
-  # A VPC with the following tag must exist in the AWS account used for CI/CD
-  searchtag = {
-    Name = "aws-controltower-VPC"
-  }
-}
-
 data "aws_vpc" "vpc" {
-  tags = local.searchtag
+  tags = { Name = "aws-controltower-VPC" }
 }
 
 data "aws_subnets" "private" {
@@ -18,14 +11,7 @@ data "aws_subnets" "private" {
     values = [data.aws_vpc.vpc.id]
   }
 
-  tags = local.searchtag
-}
-
-data "aws_subnet" "private_subnets" {
-  for_each = toset(data.aws_subnets.private.ids)
-
-  vpc_id = data.aws_vpc.vpc.id
-  id     = each.value
+  tags = { Name = "aws-controltower-PrivateSubnet*" }
 }
 
 data "aws_security_group" "security_group" {

utils/cicd/vpc-data/outputs.tf

@@ -7,7 +7,7 @@ output "vpc_cidr" {
 }
 
 output "private_subnet_ids" {
-  value = values(data.aws_subnet.private_subnets)[*].id
+  value = data.aws_subnets.private.ids
 }
 
 output "security_group_id" {