ministryofjustice · jamesrwarren · Oct 10, 2023 · Oct 4, 2023
@@ -22,114 +22,15 @@ workflows:
   pull_request:
     when: << pipeline.parameters.run_pull_request >>
     jobs:
-      - build_lambda_as_image:
-          name: build and push
-          filters: {branches:{ignore:[main]}}
-
-      - run_unit_tests:
-          name: run unit tests
-          filters: {branches:{ignore:[main]}}
-
-      - terraform_pre_checks:
-          name: terraform preflight checks
-          requires: [build and push, run unit tests]
-          filters: {branches:{ignore:[main]}}
-
-      - terraform_action:
-          name: apply branch environment
-          requires: [terraform preflight checks]
-          tf_command: apply
-          filters: {branches:{ignore:[main]}}
-
-      - workspace_protection:
-          name: protect current workspace
-          requires: [terraform preflight checks]
-          filters: {branches:{ignore:[main]}}
-
-      - integration_tests:
-          name: run integration tests
-          requires: [protect current workspace, apply branch environment]
-          filters: {branches:{ignore:[main]}}
-
       - workflow_complete:
           name: workflow complete
-          requires: [run integration tests]
           filters: {branches:{ignore:[main]}}
 
   commit_to_main:
     when: << pipeline.parameters.run_commit_to_main >>
     jobs:
-      - build_lambda_as_image:
-          name: build and push
-          filters: {branches:{only:[main]}}
-
-      - terraform_action:
-          name: development apply
-          requires: [build and push]
-          tf_command: apply --auto-approve
-          tf_workspace: development
-          applycheck: true
-          filters: {branches:{only:[main]}}
-
-      - terraform_action:
-          name: preprod apply
-          requires: [development apply]
-          tf_command: apply --auto-approve
-          tf_workspace: preproduction
-          applycheck: true
-          filters: {branches:{only:[main]}}
-
-      - integration_tests:
-          name: run integration tests preprod
-          workspace: preproduction
-          requires: [preprod apply]
-          filters: {branches:{only:[main]}}
-
-      - approve:
-          name: approve release to production
-          type: approval
-          requires: [run integration tests preprod]
-          filters: {branches:{only:[main]}}
-
-      - terraform_action:
-          name: integration apply
-          requires: [approve release to production]
-          tf_command: apply --auto-approve
-          tf_workspace: integration
-          applycheck: true
-          filters: {branches:{only:[main]}}
-
-      - terraform_action:
-          name: integration apply
-          requires: [approve release to production]
-          tf_command: apply --auto-approve
-          tf_workspace: integration
-          applycheck: true
-          filters: {branches:{only:[main]}}
-
-      - terraform_action:
-         name: production apply
-         requires: [approve release to production]
-         tf_command: apply --auto-approve
-         tf_workspace: production
-         applycheck: true
-         filters: {branches:{only:[main]}}
-         pact_tag_production: true
-
-#  verify_pact:
-#    when: << pipeline.parameters.run_verify_pact >>
-#    jobs:
-#      - pact_verification:
-#          name: verify the latest pact
-
-  nightly_workspace_deletion:
-    triggers:
-      - schedule:
-          cron: "00 00 * * *"
-          filters: {branches:{only:[main]}}
-    jobs:
-      - destroy_workspaces:
-          name: destroy non protected workspaces
+      - workflow_complete:
+          name: workflow complete
           filters: {branches:{only:[main]}}
 
 orbs:
@@ -169,20 +70,6 @@ orbs:
           - run:
               name: Install Terraform
               command: sudo unzip terraform_${TF_VERSION}_linux_amd64.zip -d /bin
-# PINNING FOR NOW AS MAJOR VERSION BREAKS CODE
-#          - run:
-#              name: Get latest terraform version
-#              command: |
-#                export TERRAFORM_LATEST_VERSION=$(curl -X GET -s https://releases.hashicorp.com/terraform/ \
-#                | grep "<a href=\"/terraform/" \
-#                | awk -F'/' '{print $3}' | head -1)
-#                export TERRAFORM_SHA256SUM=$(curl -X GET -s \
-#                https://releases.hashicorp.com/terraform/"${TERRAFORM_LATEST_VERSION}"/terraform_"${TERRAFORM_LATEST_VERSION}"_SHA256SUMS \
-#                | grep "_linux_amd64.zip" \
-#                | head -1 \
-#                | awk '{print $1}')
-#                echo "export TF_VERSION=${TERRAFORM_LATEST_VERSION}" >> $BASH_ENV
-#                echo "export TF_SHA256SUM=${TERRAFORM_SHA256SUM}" >> $BASH_ENV
       pact_install:
         steps:
           - run:
@@ -546,10 +433,9 @@ jobs:
     resource_class: small
     working_directory: ~/project
     steps:
-      - slack/status:
-          channel: opg-integrations
-          failure_message: Failure of LPA Codes Workflow for Branch - ${CIRCLE_BRANCH}
-          success_message: Success of LPA Codes Workflow for Branch - ${CIRCLE_BRANCH}. Ready to Merge!
+      - run:
+          name: complete
+          command: echo "workflow complete"
   destroy_workspaces:
     executor: lpa-codes/python_with_tfvars
     resource_class: small

@@ -0,0 +1,20 @@
+repo:
+  - any: ["./*"]
+
+actions:
+  - any: [".github/**"]
+
+docs:
+  - any: ["docs/**/*"]
+
+lambda:
+  - any: ["lambda_functions/**/*"]
+
+infrastructure:
+  - any: ["terraform/**/*"]
+
+scripts:
+  - any: ["scripts/**/*"]
+
+pact:
+  - any: ["pact/**/*"]
@@ -46,8 +46,10 @@ jobs:
             --enable-pending
       - name: Verify pacts are still upheld
         if: ${{ github.event_name == 'pull_request' }}
+        env:
+          HEADREF: ${{ github.head_ref }}
         run: |
           docker-compose -f docker-compose-pact.yml run --rm pact-verifier \
             --provider-version=$(git rev-parse HEAD) \
-            --provider-branch=${{ github.head_ref }} \
+            --provider-branch=${HEADREF} \
             --consumer-version-selectors='{"mainBranch": true}'
@@ -0,0 +1,53 @@
+name: "[Workflow] Cleanup PR Workspaces"
+
+on:
+  schedule:
+    # 4am every day except Sundays
+    - cron: '0 4 * * 0-6'
+
+permissions:
+  contents: read
+  security-events: none
+  pull-requests: none
+  actions: none
+  checks: none
+  deployments: none
+  issues: none
+  packages: none
+  repository-projects: none
+  statuses: none
+
+jobs:
+  terraform_environment_cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@bf085276cecdb0cc76fbbe0687a5a0e786646936
+      - uses: unfor19/install-aws-cli-action@7a427b852d87c231cb6a8ace7aff7317a6a37243
+      - uses: hashicorp/setup-terraform@8feba2b913ea459066180f9cb177f58a881cf146
+        with:
+          terraform_version: 1.5.5
+          terraform_wrapper: false
+
+      - name: Configure AWS Credentials For Terraform
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
+          aws-region: eu-west-1
+          role-duration-seconds: 3600
+          role-session-name: OPGLPACodesClearupEnvs
+
+      - name: Install Terraform Workspace Manager
+        run: |
+          wget https://github.com/TomTucka/terraform-workspace-manager/releases/download/v0.3.1/terraform-workspace-manager_Linux_x86_64.tar.gz -O $HOME/terraform-workspace-manager.tar.gz
+          sudo tar -xvf $HOME/terraform-workspace-manager.tar.gz -C /usr/local/bin
+          sudo chmod +x /usr/local/bin/terraform-workspace-manager
+
+      - name: Terraform Init
+        working-directory: terraform/environment
+        run: terraform init -input=false
+
+      - name: Destroy PR Terraform Workspaces
+        working-directory: terraform/environment
+        run: |
+          ./scripts/workspace_cleanup.sh $(terraform-workspace-manager -protected-workspaces=true -aws-account-id=288342028542 -aws-iam-role=integrations-ci)
@@ -0,0 +1,100 @@
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: write
+  statuses: none
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        description: 'Tag for docker image'
+        required: true
+        type: string
+      branch_name:
+        description: 'Branch we are on'
+        required: true
+        type: string
+    secrets:
+      aws_access_key_id_actions:
+        required: true
+      aws_secret_access_key_actions:
+        required: true
+
+jobs:
+  docker_build_scan_push:
+    name: Build, Scan and Push Lambdas
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - name: 'lpa-codes'
+            path: 'lambda_functions/v1'
+            dockerfile: "Function"
+          - name: 'lpa-codes-dynamo'
+            path: 'lambda_functions/v1'
+            dockerfile: "Dynamo"
+    steps:
+      - name: Check out code
+        id: checkout_code
+        uses: actions/[email protected]
+
+      - name: Build Container
+        id: build_container
+        run: docker build --file ${{ matrix.path }}/Dockerfile-${{ matrix.dockerfile }} --tag ${{ matrix.name }}:latest ${{ matrix.path }}
+
+      - name: Trivy Image Vulnerability Scanner
+        id: trivy_scan
+        uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+        with:
+          image-ref: ${{ matrix.name }}:latest
+          severity: 'HIGH,CRITICAL'
+          format: 'sarif'
+          security-checks: "vuln"
+          ignore-unfixed: true
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        id: trivy_upload_sarif
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Install AWS Cli
+        uses: unfor19/install-aws-cli-action@35a9630be0168293ad2afccbe06e8e9f47678d2c
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id_actions }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key_actions }}
+          aws-region: eu-west-1
+          role-to-assume: arn:aws:iam::311462405659:role/integrations-ci
+          role-duration-seconds: 900
+          role-session-name: OPGLPACodesGithubAction
+
+      - name: Login to ECR
+        id: login_ecr
+        uses: aws-actions/amazon-ecr-login@261a7de32bda11ba01f4d75c4ed6caf3739e54be
+        with:
+          registries: 311462405659
+
+      - name: Push to ECR
+        env:
+          ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
+          ECR_REPOSITORY: integrations/${{ matrix.name }}-lambda
+          BRANCH_NAME: ${{ inputs.branch_name }}
+        run: |
+          docker tag ${{ matrix.name }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:${{ inputs.tag }}
+          if [ $BRANCH_NAME == "main" ]; then
+            docker tag ${{ matrix.name }}:latest $ECR_REGISTRY/$ECR_REPOSITORY:latest
+          fi
+            echo "skipping push for now..."
+            docker push --all-tags $ECR_REGISTRY/$ECR_REPOSITORY
@@ -0,0 +1,47 @@
+on:
+  workflow_call:
+    inputs:
+      workspace:
+        description: 'Workspace to use'
+        required: true
+        type: string
+    secrets:
+      aws_access_key_id_actions:
+        required: true
+      aws_secret_access_key_actions:
+        required: true
+
+jobs:
+  terraform_workflow:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: '0'
+
+      - name: Configure AWS Credentials For Terraform
+        uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838
+        with:
+          aws-access-key-id: ${{ secrets.aws_access_key_id_actions }}
+          aws-secret-access-key: ${{ secrets.aws_secret_access_key_actions }}
+          aws-region: eu-west-1
+          role-duration-seconds: 3600
+          role-session-name: OPGLPACodesIntegrationTests
+
+      - name: Install dependencies
+        env:
+          ROLE: integrations-ci
+          TF_WORKSPACE: ${{ inputs.workspace }}
+        run: |
+          if [ "${TF_WORKSPACE}" == "preproduction" ]
+            then
+              echo "Running against preproduction"
+              export BRANCH="pre"
+              export ACCOUNT="492687888235"
+            else
+              echo "Running against branch environment"
+              export BRANCH="${TF_WORKSPACE}.dev"
+              export ACCOUNT="288342028542"
+            fi
+            go run load_testing.go
+        working-directory: scripts/ci_pipeline/load_testing