Merge branch 'main' into snyk-upgrade-28dc61c02823e53ed9ad0e8ff8cdf135
smirnovaae authored Sep 26, 2024
2 parents d8b3584 + 5fe4c70 commit 21f038c
Showing 76 changed files with 2,243 additions and 203 deletions.
15 changes: 15 additions & 0 deletions .github/CONTRIBUTING.md
@@ -0,0 +1,15 @@
# Contribution expectations

The following expectations apply to each PR:

1. The PR and branch are named for [automatic linking](https://support.atlassian.com/jira-cloud-administration/docs/use-the-github-for-jira-app/) to the most relevant JIRA issue (for example, `JRA-123 Adds foo` for PR title and `jra-123-adds-foo` for branch name).
2. Reviewers are selected to include people from all teams impacted by the changes in the PR.
3. The PR has been assigned to the people who will respond to reviews and merge when ready (usually the person filing the review, but can change when a PR is handed off to someone else).
4. The PR is reasonably limited in scope to ensure:
- It doesn't bunch together disparate features, fixes, refactorings, etc.
- There isn't too much of a burden on reviewers.
- Any problems it causes have a small blast radius.
- Changes will be easier to roll back if necessary.
5. The PR includes any required documentation changes, including `README` updates and changelog or release notes entries.
6. All new and modified code is appropriately commented to make the what and why of its design reasonably clear, even to those unfamiliar with the project.
7. Any incomplete work introduced by the PR is detailed in `TODO` comments which include a JIRA ticket ID for any items that require urgent attention.
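Review bot: item 7 is ambiguous about scope; it reads as if only urgent `TODO`s need a JIRA ticket ID, so state whether every `TODO` introduced by a PR needs a ticket or only the urgent ones. The list also says nothing about the security-implication review that `.github/pull_request_template.md` in this same commit asks for (new dependencies, changed security controls, new data stored or transmitted); add an item that points at that requirement so the two documents state the same expectation.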
25 changes: 11 additions & 14 deletions .github/pull_request_template.md
@@ -1,24 +1,21 @@
## 🎫 Ticket

https://jira.cms.gov/browse/AB2D-xxx
https://jira.cms.gov/browse/...

## 🛠 Changes

(What was added, updated, or removed in this PR.)
<!-- What was added, updated, or removed in this PR? -->

## ℹ️ Context for reviewers
## ℹ️ Context

(Background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers.)
<!-- Why were these changes made? Add background context suitable for a non-technical audience. -->

## ✅ Acceptance Validation
<!-- If any of the following security implications apply, this PR must not be merged without Stephen Walter's approval. Explain in this section and add @SJWalter11 as a reviewer.
- Adds a new software dependency or dependencies.
- Modifies or invalidates one or more of our security controls.
- Stores or transmits data that was not stored or transmitted before.
- Requires additional review of security implications for other reasons. -->

(How were the changes verified? Did you fully test the acceptance criteria in the ticket? Provide reproducible testing instructions and screenshots if applicable.)
## 🧪 Validation

## 🔒 Security Implications

- [ ] This PR adds a new software dependency or dependencies.
- [ ] This PR modifies or invalidates one or more of our security controls.
- [ ] This PR stores or transmits data that was not stored or transmitted before.
- [ ] This PR requires additional review of its security implications for other reasons.

If any security implications apply, add Jason Ashbaugh (GitHub username: StewGoin) as a reviewer and do not merge this PR without his approval.
<!-- How were the changes verified? Did you fully test the acceptance criteria in the ticket? Provide reproducible testing instructions and screenshots if applicable. -->
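Review bot: the `## 🔒 Security Implications` checklist is removed and its four questions move into an HTML comment under the validation heading. A comment is invisible in the rendered PR description and is routinely deleted when the author fills in the template, so reviewers lose the explicit "none of these apply" acknowledgement that the checkboxes gave. Keep the four items as visible `- [ ]` checkboxes (the approver can stay in the comment), so that a PR adding a dependency or changing a security control still has to declare it.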
85 changes: 85 additions & 0 deletions .github/workflows/build.yml
@@ -0,0 +1,85 @@
name: build

on:
workflow_call:
inputs:
environment:
required: true
type: string
module:
required: true
type: string
workflow_dispatch:
inputs:
environment:
required: true
type: choice
options:
- dev
- test
module:
required: true
type: choice
options:
- api
- worker

jobs:
build:
runs-on: self-hosted

env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
AWS_REGION: ${{ vars.AWS_REGION }}
DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}

steps:
- name: Checkout Code
uses: actions/checkout@v3

- name: Setup Java
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'

- name: Install Maven 3.6.3
run: |
export PATH="$PATH:/opt/maven/bin"
echo "PATH=$PATH" >> $GITHUB_ENV
if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi
tmpdir="$(mktemp -d)"
curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir"
sudo rm -rf /opt/maven
sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven
- name: Set env vars from AWS params in BCDA management account
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
with:
params: |
ARTIFACTORY_URL=/artifactory/url
ARTIFACTORY_USER=/artifactory/user
ARTIFACTORY_PASSWORD=/artifactory/password
- name: Build package
run: mvn -U clean package -s settings.xml -DskipTests -Dusername="${ARTIFACTORY_USER}" -Dpassword="${ARTIFACTORY_PASSWORD}" -Drepository_url="${ARTIFACTORY_URL}"

- name: Assume role in AB2D Management account
uses: aws-actions/configure-aws-credentials@v3
with:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets.MGMT_ACCOUNT_ID }}:role/delegatedadmin/developer/ab2d-mgmt-github-actions

- name: Build image and push to ECR
working-directory: ./${{ inputs.module }}
run: |
ECR_REPO_DOMAIN="${{ secrets.MGMT_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com"
aws ecr get-login-password | docker login --username AWS --password-stdin "$ECR_REPO_DOMAIN"
ECR_REPO_URI="$ECR_REPO_DOMAIN/ab2d_${{ inputs.module }}"
SHA_SHORT=$(git rev-parse --short HEAD)
echo "Building image for commit sha $SHA_SHORT"
docker build \
-t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-$SHA_SHORT" \
-t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-latest" .
echo "Pushing image"
docker push "${ECR_REPO_URI}" --all-tags
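Review bot: the `Install Maven 3.6.3` step pipes an unverified tarball from archive.apache.org straight into `tar` and then `sudo mv`s it into `/opt/maven` on a self-hosted runner; verify the archive against the published SHA-512 (or a checksum pinned in the workflow) with `sha512sum -c` before installing, and note that `if mvn -v; then ... exit 0` keeps whatever Maven version is already on the runner, so the step name does not guarantee 3.6.3. In the same hunk, `cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main` is a mutable ref (pin it to a commit SHA), and `-Dpassword="${ARTIFACTORY_PASSWORD}"` puts the credential on the `mvn` command line where any process listing on the shared runner can read it; reading it from the environment inside `settings.xml` (`${env.ARTIFACTORY_PASSWORD}`) avoids that.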
48 changes: 48 additions & 0 deletions .github/workflows/deploy.yml
@@ -0,0 +1,48 @@
name: deploy

on:
workflow_call:
inputs:
environment:
required: true
type: string
module:
required: true
type: string
workflow_dispatch:
inputs:
environment:
required: true
type: choice
options:
- dev
- test
- sbx
- prod
- prod-test
module:
required: true
type: choice
options:
- api
- worker

jobs:
deploy:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
env:
DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}
ACCOUNT: ${{ inputs.environment == 'prod-test' && 'prod' || inputs.environment }}

steps:
- name: Assume role in AB2D ${{ env.ACCOUNT }} account
uses: aws-actions/configure-aws-credentials@v3
with:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', env.ACCOUNT)] }}:role/delegatedadmin/developer/ab2d-${{ env.ACCOUNT }}-github-actions

- name: Deploy latest image in ECR to ECS
run: aws ecs update-service --cluster ab2d-${DEPLOYMENT_ENV}-${{ inputs.module }} --service ab2d-${DEPLOYMENT_ENV}-${{ inputs.module }} --force-new-deployment
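Review bot: the `deploy` job has no `environment:` key, so a `workflow_dispatch` with `environment: prod` runs `aws ecs update-service --force-new-deployment` against production without any GitHub environment protection rule (required reviewers, deployment branch restrictions) applying; add `environment: ${{ inputs.environment }}` to the job so those rules gate the role assumption in `Assume role in AB2D ${{ env.ACCOUNT }} account`. Separately, `--force-new-deployment` restarts the service on whatever image its task definition already references (the `ab2d-${DEPLOYMENT_ENV}-latest` tag that build.yml pushes), so the deployed image is not tied to the commit that triggered this run; passing the `$SHA_SHORT` tag through and registering a new task definition revision would make deployments reproducible and roll-backable.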
97 changes: 97 additions & 0 deletions .github/workflows/e2e-test.yml
@@ -0,0 +1,97 @@
name: end-to-end tests

on:
workflow_call:
inputs:
environment:
required: true
type: string
workflow_dispatch: # Allow manual trigger
inputs:
environment:
required: true
type: choice
options:
- dev
- test
- sbx
default: test

# Ensure we have only one e2e test running at a time in each environment
concurrency:
group: ${{ inputs.environment }}-e2e-test

jobs:
test:
runs-on: self-hosted

env:
# Keystore location must be full path for spring framework
AB2D_BFD_KEYSTORE_LOCATION: "${{ github.workspace }}/opt/ab2d/ab2d_bfd_keystore"
AB2D_V2_ENABLED: 'true'
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true

steps:
- name: Checkout Code
uses: actions/checkout@v3

- name: Setup Java
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'

- name: Install Maven 3.6.3
run: |
export PATH="$PATH:/opt/maven/bin"
echo "PATH=$PATH" >> $GITHUB_ENV
if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi
tmpdir="$(mktemp -d)"
curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir"
sudo rm -rf /opt/maven
sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven
- name: Set env vars from AWS params in BCDA management account
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
env:
AWS_REGION: ${{ vars.AWS_REGION }}
with:
params: |
ARTIFACTORY_URL=/artifactory/url
ARTIFACTORY_USER=/artifactory/user
ARTIFACTORY_PASSWORD=/artifactory/password
- name: Assume role in AB2D account for this environment
uses: aws-actions/configure-aws-credentials@v3
with:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', inputs.environment)] }}:role/delegatedadmin/developer/ab2d-${{ inputs.environment }}-github-actions

- name: Set env vars from AWS params in AB2D account
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
env:
AWS_REGION: ${{ vars.AWS_REGION }}
with:
params: |
AB2D_BFD_KEYSTORE_PASSWORD=/bfd/keystore-password
OKTA_CLIENT_ID=/okta/test-pdp-100-id
OKTA_CLIENT_PASSWORD=/okta/test-pdp-100-secret
SECONDARY_USER_OKTA_CLIENT_ID=/okta/test-pdp-1000-id
SECONDARY_USER_OKTA_CLIENT_PASSWORD=/okta/test-pdp-1000-secret
- name: Create opt/ab2d directory and download keystore
run: |
mkdir -p opt/ab2d
KEYSTORE_FILE_NAME="ab2d_${{ inputs.environment == 'test' && 'imp' || inputs.environment }}_keystore"
aws s3 cp s3://ab2d-${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}-main/$KEYSTORE_FILE_NAME $AB2D_BFD_KEYSTORE_LOCATION
test -f $AB2D_BFD_KEYSTORE_LOCATION && echo "created keystore file"
- name: Run e2e-bfd-test
run: |
mvn test -s settings.xml -pl e2e-bfd-test -am -Dtest=EndToEndBfdTests -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress
- name: Run e2e-test
env:
E2E_ENVIRONMENT: ${{ inputs.environment == 'dev' && 'DEV' || inputs.environment == 'test' && 'IMPL' || inputs.environment == 'sbx' && 'SANDBOX' }}
run: |
mvn test -s settings.xml -pl e2e-test -am -Dtest=TestRunner -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress
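Review bot: the `Create opt/ab2d directory and download keystore` step writes the BFD keystore into `${{ github.workspace }}/opt/ab2d` on a self-hosted runner and nothing in the hunk removes it afterwards; workspaces persist between jobs on self-hosted runners, so the keystore stays on disk for whatever runs next. Add a final step with `if: always()` that deletes `$AB2D_BFD_KEYSTORE_LOCATION`. As in build.yml, `-Dpassword=$ARTIFACTORY_PASSWORD` exposes the credential on the command line, and `aws-params-env-action@main` is an unpinned ref.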
47 changes: 47 additions & 0 deletions .github/workflows/pull-request.yml
@@ -0,0 +1,47 @@
name: pull request jobs

on:
pull_request:

jobs:
unit-integration-test:
uses: ./.github/workflows/unit-integration-test.yml
secrets: inherit
build-api:
uses: ./.github/workflows/build.yml
with:
environment: test
module: api
secrets: inherit
build-worker:
uses: ./.github/workflows/build.yml
with:
environment: test
module: worker
secrets: inherit
deploy-api:
needs: build-api
permissions:
contents: read
id-token: write
uses: ./.github/workflows/deploy.yml
with:
environment: test
module: api
secrets: inherit
deploy-worker:
needs: build-worker
permissions:
contents: read
id-token: write
uses: ./.github/workflows/deploy.yml
with:
environment: test
module: worker
secrets: inherit
e2e-test:
needs: [deploy-api, deploy-worker]
uses: ./.github/workflows/e2e-test.yml
with:
environment: test
secrets: inherit
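Review bot: `deploy-api` and `deploy-worker` only `needs:` their build job, and `e2e-test` needs only the deploys, so a PR whose `unit-integration-test` job fails is still built, pushed to ECR and deployed to the shared `test` environment; add `unit-integration-test` to the `needs:` of the deploy jobs (or of the build jobs). There is also no workflow-level `concurrency:` group, so two open PRs can race to push and deploy `-latest` to the same `test` cluster, and the `e2e-test` run for one PR may exercise the image built for the other; a `concurrency: { group: test-deploy }` on this workflow serialises that.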
14 changes: 4 additions & 10 deletions .github/workflows/unit-integration-test.yml
@@ -1,13 +1,16 @@
name: Run unit and integration tests

on:
pull_request:
workflow_call:
workflow_dispatch: # Allow manual trigger

jobs:
test:
runs-on: self-hosted

env:
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true

steps:
- name: Checkout Code
uses: actions/checkout@v3
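Review bot: `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true` (added here and in build.yml and e2e-test.yml) keeps actions running on a Node runtime that GitHub no longer supports; it silences the deprecation rather than fixing it. The actions visible in this hunk, `actions/checkout@v3` and `actions/setup-java@v3` in the other workflows, have v4 releases on the supported runtime, so prefer bumping them and dropping the variable, or leave a comment naming the action that still needs it and the ticket for removing it.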
Expand Down Expand Up @@ -37,15 +40,6 @@ jobs:
aws-region: ${{ vars.AWS_REGION }}
role-to-assume: ${{ vars.AB2D_DEV_ROLE }}

- name: Set env vars from AWS params
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main
with:
params: |
OKTA_CLIENT_ID=/okta/client-id
OKTA_CLIENT_PASSWORD=/okta/client-secret
SECONDARY_USER_OKTA_CLIENT_ID=/secondary-okta/client-id
SECONDARY_USER_OKTA_CLIENT_PASSWORD=/secondary-okta/client-secret
- name: Install Maven 3.6.3
run: |
export PATH="$PATH:/opt/maven/bin"
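Review bot: the removed `Set env vars from AWS params` step drops `OKTA_CLIENT_ID`, `OKTA_CLIENT_PASSWORD` and the `SECONDARY_USER_*` variables from this workflow with no replacement in the hunk; confirm that no unit or integration test run here still reads them. The parameters that e2e-test.yml fetches in this commit (`/okta/test-pdp-100-id` and friends) are different paths, so they are not a substitute, and if nothing else reads `/okta/client-id` and `/secondary-okta/client-id` the PR should say so and those parameters can be retired.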
9 changes: 9 additions & 0 deletions .gitleaks.toml
@@ -0,0 +1,9 @@
title = "DASG Standard"

[extend]
useDefault = true

[[rules]]
id = "mbi-detection"
description = "Detects a potential MBI pattern based on https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf"
regex = '''\b((?i)[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]-?\d[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY]{2}\d{2})\b'''
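Review bot: the `mbi-detection` regex applies `(?i)` inside the capture group, so it also matches lowercase and mixed-case strings, while the MBI format in the linked CMS document uses uppercase letters only; dropping the flag cuts false positives on ordinary identifiers without losing real matches. If the test fixtures in this repository contain synthetic MBIs, add a rule-level allowlist for those paths so the pre-commit hook does not block commits that touch them.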
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -1,5 +1,5 @@
repos:
- repo: https://github.com/gitleaks/gitleaks
rev: v8.16.1
rev: v8.19.2
hooks:
- id: gitleaks
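Review bot: bumping the gitleaks hook to v8.19.2 only affects developers who have pre-commit installed locally; none of the workflow files in this commit run gitleaks in CI, so the new `mbi-detection` rule in `.gitleaks.toml` is not enforced on PRs. Add a gitleaks step to `pull-request.yml` so the scan runs server-side on every PR.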
2 changes: 1 addition & 1 deletion api/pom.xml
Expand Up @@ -13,7 +13,7 @@
<properties>
<project.root>${basedir}/..</project.root>
<springfox.version>3.0.0</springfox.version>
<okta-jwt.version>0.5.7</okta-jwt.version>
<okta-jwt.version>0.5.8</okta-jwt.version>
<sonar.coverage.exclusions>**/JobClient.java</sonar.coverage.exclusions>
<!--
- AB2D-6099 -
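Review bot: the `okta-jwt.version` bump from 0.5.7 to 0.5.8 carries no rationale in the hunk; per item 5 of the new `.github/CONTRIBUTING.md`, record in the changelog or release notes whether this is a routine upgrade or addresses an advisory (the `snyk-upgrade-...` branch name suggests the latter), and check that any other module declaring the same dependency is bumped to the same version.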