feat: Automatically invalidate CDN cache after deployment #40

Merged
merged 4 commits into from
Dec 8, 2023


TylerHendrickson
Member

This PR adds a step to the "Terraform Apply" workflow that invalidates the CloudFront distribution cache automatically after a successful deployment, which helps ensure that the latest-deployed version of the web app is being served.

A new Terraform output provides the ID of the CloudFront distribution. Once terraform apply is run successfully from the GHA deployment workflow, the next step in the job (which is conditional, but enabled by default) retrieves the output and runs the AWS CLI command to create a new CloudFront invalidation.

TylerHendrickson self-assigned this Dec 8, 2023
TylerHendrickson requested a review from a team as a code owner December 8, 2023 19:33
TylerHendrickson enabled auto-merge (squash) December 8, 2023 19:33
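
The post-apply step described in the PR description above, written out as an added example (not the project's workflow code): it reads the web_cloudfront_distribution_id output, rejects anything that does not look like a distribution ID before it reaches the AWS CLI, and creates the invalidation. The function names, the '/*' path, the exit codes and the WAIT_FOR_INVALIDATION switch are assumptions.

```shell
#!/bin/sh
# Added example, not the project's workflow code. The output name
# web_cloudfront_distribution_id and the terraform/ directory appear on this
# page; function names, the '/*' path and WAIT_FOR_INVALIDATION are assumptions.

# True only for a non-empty string of uppercase letters and digits, the shape
# of the ID shown in the plan output. Keeps an empty or malformed Terraform
# output (or stray warning text) from being passed to the AWS CLI.
is_distribution_id() {
  case "$1" in
    '' | *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]*) return 1 ;;
  esac
  return 0
}

# Reads the distribution ID from Terraform state and invalidates every cached
# path. Prints the new invalidation ID on stdout.
# Exit codes: 2 = output unreadable, 3 = value rejected, 4 = AWS call failed.
invalidate_cdn() {
  tf_dir="${1:-terraform}"

  dist_id="$(terraform -chdir="$tf_dir" output -raw web_cloudfront_distribution_id)" || {
    echo "error: cannot read web_cloudfront_distribution_id" >&2
    return 2
  }
  if ! is_distribution_id "$dist_id"; then
    echo "error: refusing to invalidate, unexpected ID: '$dist_id'" >&2
    return 3
  fi

  inv_id="$(aws cloudfront create-invalidation \
    --distribution-id "$dist_id" \
    --paths '/*' \
    --query 'Invalidation.Id' --output text)" || {
    echo "error: create-invalidation failed for $dist_id" >&2
    return 4
  }

  # Optionally block until CloudFront reports the invalidation as completed,
  # so a later smoke test does not hit stale cached objects.
  if [ "${WAIT_FOR_INVALIDATION:-0}" = "1" ]; then
    aws cloudfront wait invalidation-completed \
      --distribution-id "$dist_id" --id "$inv_id" || return 4
  fi
  printf '%s\n' "$inv_id"
}

# In a workflow step (assumed usage): invalidate_cdn terraform
```

The role that runs this step needs only cloudfront:CreateInvalidation (plus cloudfront:GetInvalidation when waiting) on the one distribution, in addition to whatever the apply itself requires.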

github-actions bot commented Dec 8, 2023

QA Summary

QA Check Result
🌐 Web Tests
🔗 API Tests
📏 ESLint
🧹 TFLint

Test Coverage

Coverage report for api suite
St File % Stmts % Branch % Funcs % Lines Uncovered Line #s
🟡 All files 70.42 33.33 70.17 70.42
🟢  directives/requireAuth 100 100 100 100
🟢   requireAuth.ts 100 100 100 100
🟡  directives/skipAuth 50 100 0 50
🟡   skipAuth.ts 50 100 0 50 13
🔴  functions 0 100 0 0
🔴   graphql.ts 0 100 0 0 13-20
🔴  graphql 0 100 100 0
🔴   agencies.sdl.ts 0 100 100 0 1
🔴   inputTemplates.sdl.ts 0 100 100 0 1
🔴   organizations.sdl.ts 0 100 100 0 1
🔴   outputTemplates.sdl.ts 0 100 100 0 1
🔴   reportingPeriods.sdl.ts 0 100 100 0 1
🔴   roles.sdl.ts 0 100 100 0 1
🔴   users.sdl.ts 0 100 100 0 1
🔴  lib 40.74 50 57.14 40.74
🟢   auth.ts 83.33 100 66.66 83.33 15
🔴   db.ts 31.25 50 50 31.25 15-35,45,47
🟢   logger.ts 100 100 100 100
🔴   tracer.ts 0 100 100 0 5-14
🟡  services/agencies 70.58 0 83.33 70.58
🟢   agencies.scenarios.ts 100 100 100 100
🟡   agencies.ts 68.75 0 83.33 68.75 40-48
🟢  services/inputTemplates 92.3 100 83.33 92.3
🟢   inputTemplates.scenarios.ts 100 100 100 100
🟢   inputTemplates.ts 91.66 100 83.33 91.66 47
🟢  services/organizations 92.3 100 83.33 92.3
🟢   organizations.scenarios.ts 100 100 100 100
🟢   organizations.ts 91.66 100 83.33 91.66 47
🟢  services/outputTemplates 92.3 100 83.33 92.3
🟢   outputTemplates.scenarios.ts 100 100 100 100
🟢   outputTemplates.ts 91.66 100 83.33 91.66 43
🟡  services/reportingPeriods 80 100 62.5 80
🟢   reportingPeriods.scenarios.ts 100 100 100 100
🟡   reportingPeriods.ts 78.57 100 62.5 78.57 43-53
🟢  services/roles 92.3 100 83.33 92.3
🟢   roles.scenarios.ts 100 100 100 100
🟢   roles.ts 91.66 100 83.33 91.66 40
🟡  services/users 75 100 55.55 75
🟢   users.scenarios.ts 100 100 100 100
🟡   users.ts 73.33 100 55.55 73.33 40-49
Coverage report for web suite
St File % Stmts % Branch % Funcs % Lines Uncovered Line #s
🔴 All files 23.84 25 21.42 22.32
🔴  src 15.38 0 50 15.38
🔴   App.tsx 0 0 0 0 3-32
🟢   Routes.tsx 100 100 100 100
🔴   entry.client.tsx 0 0 100 0 10-22
🔴  src/components/Agency/Agencies 0 100 0 0
🔴   Agencies.tsx 0 100 0 0 9-21
🔴  src/components/Agency/AgenciesCell 0 100 0 0
🔴   AgenciesCell.tsx 0 100 0 0 8-39
🔴  src/components/Agency/Agency 0 0 0 0
🔴   Agency.tsx 0 0 0 0 10-78
🔴  src/components/Agency/AgencyCell 0 100 0 0
🔴   AgencyCell.tsx 0 100 0 0 7-27
🔴  src/components/Agency/AgencyForm 0 0 0 0
🔴   AgencyForm.tsx 0 0 0 0 24-39
🔴  src/components/Agency/EditAgencyCell 0 100 0 0
🔴   EditAgencyCell.tsx 0 100 0 0 10-58
🔴  src/components/Agency/NewAgency 0 100 0 0
🔴   NewAgency.tsx 0 100 0 0 9-35
🔴  src/components/Organization/EditOrganizationCell 0 100 0 0
🔴   EditOrganizationCell.tsx 0 100 0 0 13-62
🔴  src/components/Organization/NewOrganization 0 100 0 0
🔴   NewOrganization.tsx 0 100 0 0 9-35
🔴  src/components/Organization/Organization 0 0 0 0
🔴   Organization.tsx 0 0 0 0 10-70
🔴  src/components/Organization/OrganizationCell 0 100 0 0
🔴   OrganizationCell.tsx 0 100 0 0 7-27
🔴  src/components/Organization/OrganizationForm 0 0 0 0
🔴   OrganizationForm.tsx 0 0 0 0 27-41
🔴  src/components/Organization/Organizations 0 100 0 0
🔴   Organizations.tsx 0 100 0 0 9-21
🔴  src/components/Organization/OrganizationsCell 0 100 0 0
🔴   OrganizationsCell.tsx 0 100 0 0 8-37
🟡  src/components/ReportingPeriodCell 55 0 55.55 47.05
🟢   ReportingPeriodCell.mock.ts 100 100 100 100
🔴   ReportingPeriodCell.stories.tsx 0 0 0 0 6-32
🟢   ReportingPeriodCell.tsx 100 100 100 100
🟡  src/components/ReportingPeriodsCell 57.14 28.57 60 50
🟢   ReportingPeriodsCell.mock.ts 100 100 100 100
🔴   ReportingPeriodsCell.stories.tsx 0 0 0 0 6-32
🟢   ReportingPeriodsCell.tsx 100 66.66 100 100 63-66
🟡  src/layouts/ScaffoldLayout 50 100 0 50
🟡   ScaffoldLayout.tsx 50 100 0 50 10
🟢  src/lib 100 100 100 100
🟢   formatters.tsx 100 100 100 100
🔴  src/pages/Agency/AgenciesPage 0 100 0 0
🔴   AgenciesPage.tsx 0 100 0 0 7-11
🔴  src/pages/Agency/AgencyPage 0 100 0 0
🔴   AgencyPage.tsx 0 100 0 0 7-8
🔴  src/pages/Agency/EditAgencyPage 0 100 0 0
🔴   EditAgencyPage.tsx 0 100 0 0 7-8
🔴  src/pages/Agency/NewAgencyPage 0 100 0 0
🔴   NewAgencyPage.tsx 0 100 0 0 3-4
🔴  src/pages/FatalErrorPage 0 0 0 0
🔴   FatalErrorPage.tsx 0 0 0 0 15
🔴  src/pages/NotFoundPage 0 100 0 0
🔴   NotFoundPage.tsx 0 100 0 0 2
🔴  src/pages/Organization/EditOrganizationPage 0 100 0 0
🔴   EditOrganizationPage.tsx 0 100 0 0 7-8
🔴  src/pages/Organization/NewOrganizationPage 0 100 0 0
🔴   NewOrganizationPage.tsx 0 100 0 0 3-4
🔴  src/pages/Organization/OrganizationPage 0 100 0 0
🔴   OrganizationPage.tsx 0 100 0 0 7-8
🔴  src/pages/Organization/OrganizationsPage 0 100 0 0
🔴   OrganizationsPage.tsx 0 100 0 0 7-8
🟡  src/pages/ReportingPeriodsPage 50 100 100 50
🔴   ReportingPeriodsPage.stories.tsx 0 100 100 0 5-13
🟢   ReportingPeriodsPage.tsx 100 100 100 100
🟡  src/pages/UploadTemplatePage 50 100 50 50
🔴   UploadTemplatePage.stories.tsx 0 100 100 0 5-13
🟡   UploadTemplatePage.tsx 75 100 50 75 9

Pusher: @TylerHendrickson, Action: pull_request_target, Workflow: Continuous Integration


github-actions bot commented Dec 8, 2023

Terraform Summary

Step Result
🖌 Terraform Format & Style
⚙️ Terraform Initialization
🤖 Terraform Validation
📖 Terraform Plan

Hint: If "Terraform Format & Style" failed, run terraform fmt -recursive from the terraform/ directory and commit the results.

Output

Validation Output
Success! The configuration is valid.


Plan Output
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+   create
  ~ update in-place
-   destroy
-/+ destroy and then create replacement
+/- create replacement and then destroy

Terraform will perform the following actions:

  # aws_ecs_service.console will be updated in-place
  ~ resource "aws_ecs_service" "console" {
        id                                 = "arn:aws:ecs:us-west-2:357150818708:service/cpfreporter/cpfreporter-console"
        name                               = "cpfreporter-console"
        tags                               = {}
      ~ task_definition                    = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console:6" -> (known after apply)
        # (15 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_ecs_task_definition.console must be replaced
+/- resource "aws_ecs_task_definition" "console" {
      ~ arn                      = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console:6" -> (known after apply)
      ~ arn_without_revision     = "arn:aws:ecs:us-west-2:357150818708:task-definition/cpfreporter-console" -> (known after apply)
      ~ container_definitions    = (sensitive value) # forces replacement
      ~ id                       = "cpfreporter-console" -> (known after apply)
      ~ revision                 = 6 -> (known after apply)
-       tags                     = {} -> null
        # (9 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # aws_s3_object.lambda_artifact-graphql will be updated in-place
  ~ resource "aws_s3_object" "lambda_artifact-graphql" {
      ~ etag                   = "2bc4c7fae81fd797c970eaf47e78d39a-6" -> "34e00d4ff69d6cf8edc59159f1a63e74"
        id                     = "graphql.34e00d4ff69d6cf8edc59159f1a63e74.zip"
        tags                   = {}
      ~ version_id             = ".RgwktjOJYvcGcuvrUBjZEcG6aK2.wY1" -> (known after apply)
        # (11 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["200.html"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "7be77fdddec235c66f97a4f597429fbf" -> "a36c2b19a6a9c50e471fe53051800c5e"
        id                     = "dist/200.html"
      ~ source_hash            = "7be77fdddec235c66f97a4f597429fbf" -> "a36c2b19a6a9c50e471fe53051800c5e"
        tags                   = {}
      ~ version_id             = "05wVaXEAWCOvZh7phcOVz7MQdwT45_p3" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["build-manifest.json"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "b102f0b12b87cb09a61215f916c9962e" -> "6e8d9cb8cfd434dcd92775fe33ea0f33"
        id                     = "dist/build-manifest.json"
      ~ source_hash            = "b102f0b12b87cb09a61215f916c9962e" -> "6e8d9cb8cfd434dcd92775fe33ea0f33"
        tags                   = {}
      ~ version_id             = "qv6E8PlH2u1XgHjHfRT5DPqZoLFMYgHY" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["chunk-references.json"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "b32870f71c3769f1719312726fbe2f7f" -> "861bfdef0d3b879d10629be6fac234b5"
        id                     = "dist/chunk-references.json"
      ~ source_hash            = "b32870f71c3769f1719312726fbe2f7f" -> "861bfdef0d3b879d10629be6fac234b5"
        tags                   = {}
      ~ version_id             = "wczOyaYA3qKEl5Sfbh6VuCGgVAmP_E0q" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["index.html"] will be updated in-place
  ~ resource "aws_s3_object" "origin_dist_artifact" {
      ~ etag                   = "7be77fdddec235c66f97a4f597429fbf" -> "a36c2b19a6a9c50e471fe53051800c5e"
        id                     = "dist/index.html"
      ~ source_hash            = "7be77fdddec235c66f97a4f597429fbf" -> "a36c2b19a6a9c50e471fe53051800c5e"
        tags                   = {}
      ~ version_id             = "m06Z8DFS_.8ExGWh70YCCOFFtyWr4oLr" -> (known after apply)
        # (10 unchanged attributes hidden)
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.54f5b5f7.js"] will be created
+   resource "aws_s3_object" "origin_dist_artifact" {
+       acl                    = (known after apply)
+       bucket                 = "cpfreporter-origin-357150818708-us-west-2"
+       bucket_key_enabled     = (known after apply)
+       checksum_crc32         = (known after apply)
+       checksum_crc32c        = (known after apply)
+       checksum_sha1          = (known after apply)
+       checksum_sha256        = (known after apply)
+       content_type           = "text/javascript"
+       etag                   = "ffa6b9edfc6666d2e66907cb9c062095"
+       force_destroy          = false
+       id                     = (known after apply)
+       key                    = "dist/static/js/app.54f5b5f7.js"
+       kms_key_id             = (known after apply)
+       server_side_encryption = "AES256"
+       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.54f5b5f7.js"
+       source_hash            = "ffa6b9edfc6666d2e66907cb9c062095"
+       storage_class          = (known after apply)
+       tags_all               = {
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "cpf-reporter"
+           "service"    = "cpf-reporter"
+           "usage"      = "workload"
        }
+       version_id             = (known after apply)
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.54f5b5f7.js.LICENSE.txt"] will be created
+   resource "aws_s3_object" "origin_dist_artifact" {
+       acl                    = (known after apply)
+       bucket                 = "cpfreporter-origin-357150818708-us-west-2"
+       bucket_key_enabled     = (known after apply)
+       checksum_crc32         = (known after apply)
+       checksum_crc32c        = (known after apply)
+       checksum_sha1          = (known after apply)
+       checksum_sha256        = (known after apply)
+       content_type           = "text/plain"
+       etag                   = "8d0c60a3ca38489c1bb3fd646469d4db"
+       force_destroy          = false
+       id                     = (known after apply)
+       key                    = "dist/static/js/app.54f5b5f7.js.LICENSE.txt"
+       kms_key_id             = (known after apply)
+       server_side_encryption = "AES256"
+       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.54f5b5f7.js.LICENSE.txt"
+       source_hash            = "8d0c60a3ca38489c1bb3fd646469d4db"
+       storage_class          = (known after apply)
+       tags_all               = {
+           "env"        = "staging"
+           "management" = "terraform"
+           "owner"      = "grants"
+           "repo"       = "cpf-reporter"
+           "service"    = "cpf-reporter"
+           "usage"      = "workload"
        }
+       version_id             = (known after apply)
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.a493103d.js"] will be destroyed
  # (because key ["static/js/app.a493103d.js"] is not in for_each map)
-   resource "aws_s3_object" "origin_dist_artifact" {
-       bucket                 = "cpfreporter-origin-357150818708-us-west-2" -> null
-       bucket_key_enabled     = false -> null
-       content_type           = "text/javascript" -> null
-       etag                   = "befc01b399c6d8fc93bfde9479d033fb" -> null
-       force_destroy          = false -> null
-       id                     = "dist/static/js/app.a493103d.js" -> null
-       key                    = "dist/static/js/app.a493103d.js" -> null
-       metadata               = {} -> null
-       server_side_encryption = "AES256" -> null
-       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.a493103d.js" -> null
-       source_hash            = "befc01b399c6d8fc93bfde9479d033fb" -> null
-       storage_class          = "STANDARD" -> null
-       tags                   = {} -> null
-       tags_all               = {
-           "env"        = "staging"
-           "management" = "terraform"
-           "owner"      = "grants"
-           "repo"       = "cpf-reporter"
-           "service"    = "cpf-reporter"
-           "usage"      = "workload"
        } -> null
-       version_id             = "dr4TTjdqTHu_Jvvoas1LoQcAwG4t4Jrn" -> null
    }

  # aws_s3_object.origin_dist_artifact["static/js/app.a493103d.js.LICENSE.txt"] will be destroyed
  # (because key ["static/js/app.a493103d.js.LICENSE.txt"] is not in for_each map)
-   resource "aws_s3_object" "origin_dist_artifact" {
-       bucket                 = "cpfreporter-origin-357150818708-us-west-2" -> null
-       bucket_key_enabled     = false -> null
-       content_type           = "text/plain" -> null
-       etag                   = "8d0c60a3ca38489c1bb3fd646469d4db" -> null
-       force_destroy          = false -> null
-       id                     = "dist/static/js/app.a493103d.js.LICENSE.txt" -> null
-       key                    = "dist/static/js/app.a493103d.js.LICENSE.txt" -> null
-       metadata               = {} -> null
-       server_side_encryption = "AES256" -> null
-       source                 = "/home/runner/work/cpf-reporter/cpf-reporter/web/dist/static/js/app.a493103d.js.LICENSE.txt" -> null
-       source_hash            = "8d0c60a3ca38489c1bb3fd646469d4db" -> null
-       storage_class          = "STANDARD" -> null
-       tags                   = {} -> null
-       tags_all               = {
-           "env"        = "staging"
-           "management" = "terraform"
-           "owner"      = "grants"
-           "repo"       = "cpf-reporter"
-           "service"    = "cpf-reporter"
-           "usage"      = "workload"
        } -> null
-       version_id             = "zkF4euxtUgMbefGHfhYIb1TWb8M7Y42j" -> null
    }

  # module.lambda_function-graphql.aws_lambda_function.this[0] will be updated in-place
  ~ resource "aws_lambda_function" "this" {
        id                             = "cpfreporter-graphql"
      ~ qualified_arn                  = "arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-graphql:24" -> (known after apply)
      ~ qualified_invoke_arn           = "arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:357150818708:function:cpfreporter-graphql:24/invocations" -> (known after apply)
        tags                           = {}
      ~ version                        = "24" -> (known after apply)
        # (21 unchanged attributes hidden)

      ~ environment {
          ~ variables = {
              ~ "DD_COMMIT_SHA"                      = "7bf3fa020dc09947fb1e5f41a13f0201b22d9f8e" -> "a19bf0313a1c8b71560293be0fe07f00c0b9ad8c"
              ~ "DD_TAGS"                            = "git.commit.sha:7bf3fa020dc09947fb1e5f41a13f0201b22d9f8e,git.repository_url:github.com/usdigitalresponse/cpf-reporter" -> "git.commit.sha:a19bf0313a1c8b71560293be0fe07f00c0b9ad8c,git.repository_url:github.com/usdigitalresponse/cpf-reporter"
              ~ "DD_VERSION"                         = "7bf3fa020dc09947fb1e5f41a13f0201b22d9f8e" -> "a19bf0313a1c8b71560293be0fe07f00c0b9ad8c"
                # (15 unchanged elements hidden)
            }
        }

        # (4 unchanged blocks hidden)
    }

  # module.lambda_function-graphql.aws_lambda_permission.current_version_triggers["APIGateway"] must be replaced
-/+ resource "aws_lambda_permission" "current_version_triggers" {
      ~ id                  = "APIGateway" -> (known after apply)
      ~ qualifier           = "24" # forces replacement -> (known after apply) # forces replacement
+       statement_id_prefix = (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 4 to add, 7 to change, 4 to destroy.

Changes to Outputs:
+   web_cloudfront_distribution_id = "E10LD7TGHC4SRE"

Pusher: @TylerHendrickson, Action: pull_request_target, Workflow: Continuous Integration

TylerHendrickson merged commit a793f93 into main Dec 8, 2023
19 checks passed
TylerHendrickson deleted the feat/auto-invalidate-cdn branch December 8, 2023 19:56