From 338f78e186428b52fec3f83da11bedbb810245df Mon Sep 17 00:00:00 2001
From: Neill Turner
Date: Mon, 20 Jan 2025 12:08:16 +0000
Subject: [PATCH] CI-CD for domains

---
 .../.github/workflows/build-and-deploy.yml | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)

diff --git a/templates/new_service/.github/workflows/build-and-deploy.yml b/templates/new_service/.github/workflows/build-and-deploy.yml
index 08edd084..86dac81b 100644
--- a/templates/new_service/.github/workflows/build-and-deploy.yml
+++ b/templates/new_service/.github/workflows/build-and-deploy.yml
@@ -170,3 +170,81 @@ jobs:
 db-seed: ${{ inputs.environment == 'review' && 'true' || 'false' }}
 # gcp-wip: ${{ vars.GCP_WIP }}
 # gcp-project-id: ${{ vars.GCP_PROJECT_ID }}
+
+ deploy_domains_infra:
+ name: Deploy Domains Infrastructure
+ runs-on: ubuntu-latest
+ if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+ concurrency: deploy_production
+ needs: [deploy]
+ environment:
+ name: production
+ permissions:
+ id-token: write
+
+ steps:
+ - uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Fetch secrets from key vault
+ uses: azure/CLI@v2
+ id: keyvault-secret
+ with:
+ inlineScript: |
+ SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT }}" --query "value" -o tsv)
+ echo "::add-mask::$SLACK_WEBHOOK"
+ echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
+
+ - name: Deploy Domains Infrastructure
+ id: deploy_domains_infra
+ uses: DFE-Digital/github-actions/deploy-domains-infra@master
+ with:
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ slack-webhook: ${{ steps.keyvault-secret.outputs.SLACK_WEBHOOK }}
+
+ deploy_domains_env:
+ name: Deploy Domains to ${{ matrix.domain_environment }} environment
+ runs-on: ubuntu-latest
+ if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+ concurrency: deploy_${{ matrix.domain_environment }}
+ needs: [deploy_domains_infra]
+ strategy:
+ max-parallel: 1
+ matrix:
+ domain_environment: [development, production]
+ environment:
+ name: production
+ permissions:
+ id-token: write
+
+ steps:
+ - uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Fetch secrets from key vault
+ uses: azure/CLI@v2
+ id: keyvault-secret
+ with:
+ inlineScript: |
+ SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INF_KEY_VAULT }}" --query "value" -o tsv)
+ echo "::add-mask::$SLACK_WEBHOOK"
+ echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
+
+ - name: Deploy Domains Environment
+ id: deploy_domains_env
+ uses: DFE-Digital/github-actions/deploy-domains-env@master
+ with:
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+ environment: ${{ matrix.domain_environment }}
+ healthcheck: healthcheck/all
+ slack-webhook: ${{ steps.keyvault-secret.outputs.SLACK_WEBHOOK }}
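Review bot: Both new jobs pin the deploy actions to a moving branch — `uses: DFE-Digital/github-actions/deploy-domains-infra@master` in deploy_domains_infra and `uses: DFE-Digital/github-actions/deploy-domains-env@master` in deploy_domains_env — so whatever lands on that branch next runs here with `id-token: write` and the Azure client/subscription identity against production, with no change to this workflow to review. Pinning to a release tag or, better, a full commit SHA (e.g. `uses: DFE-Digital/github-actions/deploy-domains-infra@<pinned-commit-sha>  # <release-tag>`) makes the action version reviewable and lets Dependabot propose updates. In both `Fetch secrets from key vault` steps the vault name is interpolated into the script text (`--vault-name "${{ secrets.INF_KEY_VAULT }}"`); passing it through the step's `env:` as `INF_KEY_VAULT: ${{ secrets.INF_KEY_VAULT }}` and reading `"$INF_KEY_VAULT"` keeps expression expansion out of the shell source, which is the documented pattern for `run`/`inlineScript` content. Separately, the `development` entry of `domain_environment` still runs under `environment: name: production`, so it inherits production-environment protection rules and secrets; if that is intentional because the domains subscription is shared, a one-line comment above `environment:` saying so would save the next reader the question. The `deploy` job that `needs: [deploy]` refers to is outside the hunk.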