1 parent
112cbaa
commit 875fe21
Showing
21 changed files
with
971 additions
and
160 deletions.
@@ -0,0 +1,20 @@ | ||
repo: | ||
- any: ["./*"] | ||
|
||
actions: | ||
- any: [".github/**"] | ||
|
||
docs: | ||
- any: ["docs/**/*"] | ||
|
||
lambda: | ||
- any: ["lambda_functions/**/*"] | ||
|
||
infrastructure: | ||
- any: ["terraform/**/*"] | ||
|
||
scripts: | ||
- any: ["scripts/**/*"] | ||
|
||
pact: | ||
- any: ["pact/**/*"] |
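Review bot: The `repo` label's pattern `./*` is unlikely to match anything, because labeler evaluates its minimatch globs against repository-relative paths such as `README.md` that carry no leading `./`; `- any: ["*"]` is the usual way to catch root-level files. The remaining entries mix the `dir/**` form (`.github/**`) with `dir/**/*`, which match the same files here, but one form throughout reads more consistently.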
@@ -0,0 +1,53 @@ | ||
name: "[Workflow] Cleanup PR Workspaces" | ||
|
||
on: | ||
schedule: | ||
# 4am every day except Sundays | ||
- cron: '0 4 * * 0-6' | ||
|
||
permissions: | ||
contents: read | ||
security-events: none | ||
pull-requests: none | ||
actions: none | ||
checks: none | ||
deployments: none | ||
issues: none | ||
packages: none | ||
repository-projects: none | ||
statuses: none | ||
|
||
jobs: | ||
terraform_environment_cleanup: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@bf085276cecdb0cc76fbbe0687a5a0e786646936 | ||
- uses: unfor19/install-aws-cli-action@7a427b852d87c231cb6a8ace7aff7317a6a37243 | ||
- uses: hashicorp/setup-terraform@8feba2b913ea459066180f9cb177f58a881cf146 | ||
with: | ||
terraform_version: 1.5.5 | ||
terraform_wrapper: false | ||
|
||
- name: Configure AWS Credentials For Terraform | ||
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 | ||
with: | ||
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }} | ||
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }} | ||
aws-region: eu-west-1 | ||
role-duration-seconds: 3600 | ||
role-session-name: OPGLPACodesClearupEnvs | ||
|
||
- name: Install Terraform Workspace Manager | ||
run: | | ||
wget https://github.com/TomTucka/terraform-workspace-manager/releases/download/v0.3.1/terraform-workspace-manager_Linux_x86_64.tar.gz -O $HOME/terraform-workspace-manager.tar.gz | ||
sudo tar -xvf $HOME/terraform-workspace-manager.tar.gz -C /usr/local/bin | ||
sudo chmod +x /usr/local/bin/terraform-workspace-manager | ||
- name: Terraform Init | ||
working-directory: terraform/environment | ||
run: terraform init -input=false | ||
|
||
- name: Destroy PR Terraform Workspaces | ||
working-directory: terraform/environment | ||
run: | | ||
./scripts/workspace_cleanup.sh $(terraform-workspace-manager -protected-workspaces=true -aws-account-id=288342028542 -aws-iam-role=integrations-ci) |
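Review bot: The schedule `0 4 * * 0-6` runs every day including Sunday (0 is Sunday), so it contradicts the comment above it; if Sundays really are meant to be skipped it should read `- cron: '0 4 * * 1-6'`, otherwise the comment should be corrected. The Install Terraform Workspace Manager step fetches a release tarball with wget and extracts it into /usr/local/bin under sudo with no digest or signature check, so a replaced or tampered release asset would run with the workflow's AWS credentials; pinning the version tag alone does not cover that, whereas a check such as `echo "<EXPECTED_SHA256>  $HOME/terraform-workspace-manager.tar.gz" | sha256sum -c` before the tar step would. In the Configure AWS Credentials step `role-duration-seconds` and `role-session-name` are set but no `role-to-assume` is given, so the job appears to run directly on the long-lived access keys and those two settings have no effect.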
@@ -0,0 +1,100 @@ | ||
permissions: | ||
actions: read | ||
checks: read | ||
contents: read | ||
deployments: none | ||
issues: none | ||
packages: none | ||
pull-requests: none | ||
repository-projects: none | ||
security-events: write | ||
statuses: none | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
tag: | ||
description: 'Tag for docker image' | ||
required: true | ||
type: string | ||
branch_name: | ||
description: 'Branch we are on' | ||
required: true | ||
type: string | ||
secrets: | ||
aws_access_key_id_actions: | ||
required: true | ||
aws_secret_access_key_actions: | ||
required: true | ||
|
||
jobs: | ||
docker_build_scan_push: | ||
name: Build, Scan and Push Lambdas | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
include: | ||
- name: 'lpa-codes' | ||
path: 'lambda_functions/v1' | ||
dockerfile: "Function" | ||
- name: 'lpa-codes-dynamo' | ||
path: 'lambda_functions/v1' | ||
dockerfile: "Dynamo" | ||
steps: | ||
- name: Check out code | ||
id: checkout_code | ||
uses: actions/[email protected] | ||
|
||
- name: Build Container | ||
id: build_container | ||
run: docker build --file ${{ matrix.path }}/Dockerfile-${{ matrix.dockerfile }} --tag ${{ matrix.name }}:latest ${{ matrix.path }} | ||
|
||
- name: Trivy Image Vulnerability Scanner | ||
id: trivy_scan | ||
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 | ||
with: | ||
image-ref: ${{ matrix.name }}:latest | ||
severity: 'HIGH,CRITICAL' | ||
format: 'sarif' | ||
security-checks: "vuln" | ||
ignore-unfixed: true | ||
output: 'trivy-results.sarif' | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
id: trivy_upload_sarif | ||
uses: github/codeql-action/upload-sarif@v2 | ||
if: always() | ||
with: | ||
sarif_file: 'trivy-results.sarif' | ||
|
||
- name: Install AWS Cli | ||
uses: unfor19/install-aws-cli-action@35a9630be0168293ad2afccbe06e8e9f47678d2c | ||
|
||
- name: Configure AWS Credentials | ||
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 | ||
with: | ||
aws-access-key-id: ${{ secrets.aws_access_key_id_actions }} | ||
aws-secret-access-key: ${{ secrets.aws_secret_access_key_actions }} | ||
aws-region: eu-west-1 | ||
role-to-assume: arn:aws:iam::311462405659:role/integrations-ci | ||
role-duration-seconds: 900 | ||
role-session-name: OPGLPACodesGithubAction | ||
|
||
- name: Login to ECR | ||
id: login_ecr | ||
uses: aws-actions/amazon-ecr-login@261a7de32bda11ba01f4d75c4ed6caf3739e54be | ||
with: | ||
registries: 311462405659 | ||
|
||
- name: Push to ECR | ||
env: | ||
ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} | ||
ECR_REPOSITORY: integrations/${{ matrix.name }}-lambda | ||
BRANCH_NAME: ${{ inputs.branch_name }} | ||
run: | | ||
docker tag ${{ matrix.name }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }} | ||
if [ $BRANCH_NAME == "main" ]; then | ||
docker tag ${{ matrix.name }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest | ||
fi | ||
echo "skipping push for now..." | ||
docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY |
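Review bot: In the Push to ECR step `${{ inputs.tag }}` is interpolated straight into the shell script, so a caller-supplied tag (for example one derived from a branch name) can inject shell commands; pass it through the step's `env:` the way `branch_name` already is, `IMAGE_TAG: ${{ inputs.tag }}`, and reference it as `$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG`. The branch test should also quote its operand, `if [ "$BRANCH_NAME" = "main" ]; then`, since an empty value currently makes `[` fail with a syntax error. The `echo "skipping push for now..."` line is stale, as `docker push --all-tags` runs unconditionally right after it. `github/codeql-action/upload-sarif@v2` is the only action in this file pinned to a mutable tag rather than a commit SHA, and the Trivy step sets no `exit-code`, so HIGH/CRITICAL findings are uploaded to the Security tab but never block the push.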
@@ -0,0 +1,47 @@ | ||
on: | ||
workflow_call: | ||
inputs: | ||
workspace: | ||
description: 'Workspace to use' | ||
required: true | ||
type: string | ||
secrets: | ||
aws_access_key_id_actions: | ||
required: true | ||
aws_secret_access_key_actions: | ||
required: true | ||
|
||
jobs: | ||
terraform_workflow: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v2 | ||
with: | ||
fetch-depth: '0' | ||
|
||
- name: Configure AWS Credentials For Terraform | ||
uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 | ||
with: | ||
aws-access-key-id: ${{ secrets.aws_access_key_id_actions }} | ||
aws-secret-access-key: ${{ secrets.aws_secret_access_key_actions }} | ||
aws-region: eu-west-1 | ||
role-duration-seconds: 3600 | ||
role-session-name: OPGLPACodesIntegrationTests | ||
|
||
- name: Install dependencies | ||
env: | ||
ROLE: integrations-ci | ||
TF_WORKSPACE: ${{ inputs.workspace }} | ||
run: | | ||
if [ "${TF_WORKSPACE}" == "preproduction" ] | ||
then | ||
echo "Running against preproduction" | ||
export BRANCH="pre" | ||
export ACCOUNT="492687888235" | ||
else | ||
echo "Running against branch environment" | ||
export BRANCH="${TF_WORKSPACE}.dev" | ||
export ACCOUNT="288342028542" | ||
fi | ||
go run load_testing.go | ||
working-directory: scripts/ci_pipeline/load_testing |
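Review bot: This reusable workflow declares no top-level `permissions:` block, unlike the other two workflows in this commit, so the GITHUB_TOKEN its job receives keeps whatever the caller grants; the job only checks out code, so a top-level `permissions:` with `contents: read` would pin that down. `actions/checkout@v2` is pinned to a mutable major tag while every other action in this workflow is pinned to a commit SHA; pin it the same way. As in the cleanup workflow, `role-duration-seconds: 3600` is given without `role-to-assume`, so it has no effect and the step runs on the long-lived keys directly.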