GoCD -> GitHub Actions

.github/workflows/buildandpublish.yml

@@ -0,0 +1,178 @@
+name: Build & Publish
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read  # Required for actions/checkout
+  id-token: write # Required for requesting the JWT
+
+jobs:
+  eslint:
+    name: ESLint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 'latest'
+
+      - run: npm ci
+
+      - name: ESLint
+        run: npm run lint
+
+  sonarcloud:
+    name: Unit+Integration & SonarCloud
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+
+      - name: Start LocalStack
+        uses: LocalStack/setup-localstack@v0.2.3
+
+      # https://docs.aws.amazon.com/cli/latest/reference/dynamodb/create-table.html
+      - name: Create AWS resources
+        run: |
+          awslocal dynamodb create-table --region eu-west-2 --cli-input-json file://scripts/local-test-db-scheme.json
+          awslocal s3 mb s3://test-bucket --region eu-west-2
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 'latest'
+
+      - run: npm ci
+
+      - name: Run unit tests
+        run: npm run test:coverage
+        env:
+          S3_BUCKET_NAME: test-bucket
+          LOCALSTACK_URL: http://localhost:4566
+          DYNAMODB_NAME: local-test-db
+          DYNAMODB_LOCAL_ENDPOINT: http://localhost:4566
+          # LSIA... keys are valid for localstack
+          AWS_ACCESS_KEY_ID: LSIA5678901234567890
+          AWS_SECRET_ACCESS_KEY: LSIA5678901234567890
+          SERVICE_URL: http://localhost:3000
+
+      - name: SonarCloud Scan
+        uses: SonarSource/sonarcloud-github-action@v3
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+
+  buildpublish:
+    name: Build & Publish
+    runs-on: ubuntu-latest
+    needs: [eslint, sonarcloud]
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 'latest'
+
+      - run: npm ci
+
+      - name: build
+        run: npm run build
+
+      - name: Configure AWS Credentials (Read Only)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.IAM_ROLE_ECR_HOLDING_ACCOUNT_READ_ONLY }}
+          aws-region: eu-west-2
+          mask-aws-account-id: true
+
+      - name: Login to Amazon ECR
+        id: ecr-login
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Get docker tags
+        id: get-tags
+        run: |
+          sha=$(echo ${{ github.sha }} | cut -c 1-8)
+          echo "sha=$sha" >> $GITHUB_OUTPUT
+          branchname=$(echo ${{ github.ref_name }}${{ github.head_ref }} | sed 's/^[0-9]*\/merge//g')
+          echo "branchname=$branchname" >> $GITHUB_OUTPUT
+
+      - name: Get redactor
+        run: |
+          mkdir utils/0.2.27
+          wget --quiet -O utils/0.2.27/run-with-redaction.sh https://github.com/nhsconnect/prm-deductions-support-infra/releases/download/0.2.27/run-with-redaction.sh
+          wget --quiet -O utils/0.2.27/redactor https://github.com/nhsconnect/prm-deductions-support-infra/releases/download/0.2.27/redactor
+          chmod +x utils/0.2.27/*
+
+      - name: docker build
+        env:
+          REGISTRY: ${{ steps.ecr-login.outputs.registry }}
+          REPOSITORY: ${{ secrets.ECR_REPOSITORY_NAME }}
+          SHA_TAG: ${{ steps.get-tags.outputs.sha }}
+          BRANCH_TAG: ${{ steps.get-tags.outputs.branchname }}
+        run: |
+          docker build --build-arg UTILS_VERSION=0.2.27 -t $REGISTRY/$REPOSITORY:$SHA_TAG -t $REGISTRY/$REPOSITORY:$BRANCH_TAG -t $REGISTRY/$REPOSITORY:latest .
+
+      - name: Start LocalStack
+        uses: LocalStack/setup-localstack@v0.2.3
+
+      # https://docs.aws.amazon.com/cli/latest/reference/dynamodb/create-table.html
+      - name: Create AWS resources
+        run: |
+          awslocal dynamodb create-table --region eu-west-2 --cli-input-json file://scripts/local-test-db-scheme.json
+          awslocal s3 mb s3://test-bucket --region eu-west-2
+
+      - name: docker compose
+        env:
+          S3_BUCKET_NAME: test-bucket
+          LOCALSTACK_URL: http://localhost:4566
+          DYNAMODB_NAME: local-test-db
+          DYNAMODB_LOCAL_ENDPOINT: http://localhost:4566
+          # LSIA... keys are valid for localstack
+          AWS_ACCESS_KEY_ID: LSIA5678901234567890
+          AWS_SECRET_ACCESS_KEY: LSIA5678901234567890
+          SERVICE_URL: http://localhost:3000
+          DOCKER_IMAGE: ${{ steps.ecr-login.outputs.registry }}/${{ secrets.ECR_REPOSITORY_NAME }}:latest
+        run: docker compose -f docker-compose-github-actions.yml up -d
+
+      - name: sleep
+        run: sleep 5
+
+      # Add this step in to diagnose problems running the health check
+      # - name: docker debug
+      #   run: |
+      #     echo "http://localhost:3000/health"
+      #     echo $(curl -s -o /dev/null -w "%{http_code}" http://localhost:3000/health)
+      #     echo "docker ps -a"
+      #     docker ps -a
+      #     echo "docker logs -t this-service"
+      #     docker logs -t this-service
+
+      - name: /health check
+        env:
+          SERVICE_URL: http://localhost:3000
+        run: npm run test:docker
+
+      - name: Configure AWS Credentials (Read Write)
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.IAM_ROLE_ECR_HOLDING_ACCOUNT_READ_WRITE }}
+          aws-region: eu-west-2
+          mask-aws-account-id: true
+
+      - name: docker push
+        env:
+          REGISTRY: ${{ steps.ecr-login.outputs.registry }}
+          REPOSITORY: ${{ secrets.ECR_REPOSITORY_NAME }}
+          SHA_TAG: ${{ steps.get-tags.outputs.sha }}
+          BRANCH_TAG: ${{ steps.get-tags.outputs.branchname }}
+        run: |
+          echo "Pushing to ECR... (NOT YET IMPLEMENTED!)"
+          # docker push $REGISTRY/$REPOSITORY:$SHA_TAG $REGISTRY/$REPOSITORY:$BRANCH_TAG

.github/workflows/devdeploy.yml

@@ -0,0 +1,99 @@
+name: Deploy to Dev
+
+on:
+  workflow_call:
+    inputs:
+      branch:
+        required: true
+        type: string
+
+permissions:
+  contents: read  # Required for actions/checkout
+  id-token: write # Required for requesting the JWT
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    environment: dev-deploy
+    defaults:
+      run:
+        working-directory: ./terraform
+    steps:
+      - name: Set up git repo
+        uses: actions/checkout@v4
+
+      - name: Set up Terraform
+        uses: hashicorp/setup-terraform@v3
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        id: creds
+        with:
+          role-to-assume: ${{ secrets.IAM_ROLE }}
+          aws-region: eu-west-2
+          mask-aws-account-id: true
+
+      - name: terraform fmt
+        id: fmt
+        working-directory: ./
+        run: terraform fmt -recursive -check
+
+      - name: terraform init
+        id: init
+        run: terraform init -no-color -upgrade -backend-config="bucket=${{ secrets.TF_BACKEND_BUCKET }}" -backend-config="key=${{ secrets.TF_BACKEND_KEY }}" -backend-config="dynamodb_table=${{ secrets.TF_BACKEND_DYNAMODB_TABLE }}"
+
+      - name: terraform validate
+        id: validate
+        run: terraform validate -no-color
+
+      - name: Get ECR Holding Account ID
+        id: ecr-holding-account
+        run: |
+          accountid=$(echo ${{ secrets.IAM_ROLE_ECR_HOLDING_ACCOUNT_READ_WRITE }} | sed 's/^.*:://g' | sed 's/:.*//g')
+          echo "accountid=$accountid" >> $GITHUB_OUTPUT
+
+      # Needs the AmazonEC2ContainerRegistryPowerUser role
+      - name: Login to ECR
+        uses: aws-actions/amazon-ecr-login@v2
+        with:
+          registries: "${{ steps.creds.outputs.aws-account-id }},${{ steps.ecr-holding-account.outputs.accountid }}"
+
+      - name: ECR Copy
+        id: ecr-copy
+        run: |
+          source_repo=${{ steps.ecr-holding-account.outputs.accountid }}.dkr.ecr.eu-west-2.amazonaws.com/${{ secrets.ECR_REPOSITORY_NAME }}:${{ inputs.branch }}
+          destination_repo=${{ steps.creds.outputs.aws-account-id }}.dkr.ecr.eu-west-2.amazonaws.com/${{ secrets.ECR_REPOSITORY_NAME }}:${{ inputs.branch }}
+          docker pull $source_repo
+          docker tag $source_repo $destination_repo
+          docker push $destination_repo
+
+        ## REPOSITORY SPECIFIC ##
+      - name: Setup Terraform variables
+        id: vars
+        run: |
+          cat > pipeline.auto.tfvars <<EOF
+          task_image_tag = ${{ inputs.branch }}
+          EOF
+
+      - name: terraform plan
+        id: plan
+        run: terraform plan -var-file="dev.tfvars" -no-color -out=tfplan
+
+      - name: terraform apply
+        id: apply
+        run: terraform apply -no-color tfplan
+
+      - name: Wait for ECS
+        id: ecs
+        env:
+          SERVICE_NAME: ehr-repo
+        run: aws ecs wait services-stable --region eu-west-2 --cluster dev-$SERVICE_NAME-ecs-cluster --services dev-$SERVICE_NAME-service
+
+      # TODO) Needs connecting to a VPN before it can do this...
+      # - name: /health
+      #   id: health
+      #   env:
+      #     SERVICE_NAME: ehr-repo
+      #   run: |
+      #     nslookup "$SERVICE_NAME.dev.non-prod.patient-deductions.nhs.uk"
+      #     curl -i --fail "https://$SERVICE_NAME.dev.non-prod.patient-deductions.nhs.uk/health"

.github/workflows/pr.yml

@@ -2,25 +2,34 @@
 ##
 ## 1) Visit https://github.com/nhsconnect/<repo>/settings/environments and create environments:
 ## - dev
+## - dev-deploy
 ## - test
-## - test-apply
+## - test-deploy
 ## - pre-prod
-## - pre-prod-apply
+## - pre-prod-deploy
 ## - prod
-## - prod-apply
+## - prod-deploy
 ##
-## 2) For each environment, add the following secrets:
+## 2) For pre-prod and prod environment set Deployment protection rules:
+##   - Required reviewers
+##   - (prod) Prevent self-review = true
+##   - (prod) Allow administrators to bypass configured protection rules = false
+##
+## 3) For each environment, add the following secrets:
 ## - IAM_ROLE
 ## - TF_BACKEND_BUCKET
 ## - TF_BACKEND_DYNAMODB_TABLE
 ## - TF_BACKEND_KEY
 ##
-## 3) Create the following repository secret (https://github.com/nhsconnect/<repo>/settings/secrets/actions):
+## 4) Create the following repository secrets (https://github.com/nhsconnect/<repo>/settings/secrets/actions):
 ## - ECR_REPOSITORY_NAME
+## - IAM_ROLE_ECR_HOLDING_ACCOUNT_READ_ONLY
+## - IAM_ROLE_ECR_HOLDING_ACCOUNT_READ_WRITE
 ##
-## 4) Edit the ## REPOSITORY SPECIFIC ## section below.
+## 5) Edit the ## REPOSITORY SPECIFIC ## section below.
+
+name: Terraform Plan
 
-name: PR Checks
 on:
   pull_request:
     branches:
@@ -32,26 +41,11 @@ permissions:
   pull-requests: write # Required to write comments
 
 jobs:
-  eslint:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Set up git repo
-        uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 'latest'
-
-      - run: npm ci
-
-      - name: eslint
-        run: npm run lint
-
   plan:
     strategy:
       matrix:
         environment: [dev, test, pre-prod, prod]
-    name: Terraform Plan (${{ matrix.environment }})
+    name: ${{ matrix.environment }}
     runs-on: ubuntu-latest
     environment: ${{ matrix.environment }}
     defaults:
@@ -69,6 +63,7 @@ jobs:
         with:
           role-to-assume: ${{ secrets.IAM_ROLE }}
           aws-region: eu-west-2
+          mask-aws-account-id: true
 
       - name: terraform fmt
         id: fmt
@@ -86,7 +81,7 @@ jobs:
         ## REPOSITORY SPECIFIC ##
       - name: Setup Terraform variables
         id: vars
-        run: |-
+        run: |
           IMAGE_TAG=$(aws ecr describe-images --repository-name ${{ secrets.ECR_REPOSITORY_NAME }} --query 'sort_by(imageDetails,& imagePushedAt)[-1].imageTags[0]')
           cat > pipeline.auto.tfvars <<EOF
           task_image_tag = $IMAGE_TAG