Commit
Merge branch 'main' into snyk-upgrade-28dc61c02823e53ed9ad0e8ff8cdf135
Showing 76 changed files with 2,243 additions and 203 deletions.
@@ -0,0 +1,15 @@ | ||
# Contribution expectations | ||
|
||
The following expectations apply to each PR: | ||
|
||
1. The PR and branch are named for [automatic linking](https://support.atlassian.com/jira-cloud-administration/docs/use-the-github-for-jira-app/) to the most relevant JIRA issue (for example, `JRA-123 Adds foo` for PR title and `jra-123-adds-foo` for branch name). | ||
2. Reviewers are selected to include people from all teams impacted by the changes in the PR. | ||
3. The PR has been assigned to the people who will respond to reviews and merge when ready (usually the person filing the review, but can change when a PR is handed off to someone else). | ||
4. The PR is reasonably limited in scope to ensure: | ||
- It doesn't bunch together disparate features, fixes, refactorings, etc. | ||
- There isn't too much of a burden on reviewers. | ||
- Any problems it causes have a small blast radius. | ||
- Changes will be easier to roll back if necessary. | ||
5. The PR includes any required documentation changes, including `README` updates and changelog or release notes entries. | ||
6. All new and modified code is appropriately commented to make the what and why of its design reasonably clear, even to those unfamiliar with the project. | ||
7. Any incomplete work introduced by the PR is detailed in `TODO` comments which include a JIRA ticket ID for any items that require urgent attention. |
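Review bot: the naming example in item 1 (`JRA-123 Adds foo` / `jra-123-adds-foo`) uses a JIRA project key that does not match this project's `AB2D-xxx` key used in the PR template; an `AB2D-123 Adds foo` / `ab2d-123-adds-foo` example would avoid mislabelled branches that never auto-link. Item 7 only requires a ticket ID for `TODO` items that "require urgent attention"; consider requiring one for every `TODO` introduced by a PR, since untracked TODOs in security-relevant code are the ones that get lost.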
@@ -1,24 +1,21 @@ | ||
## 🎫 Ticket | ||
|
||
https://jira.cms.gov/browse/AB2D-xxx | ||
https://jira.cms.gov/browse/... | ||
|
||
## 🛠 Changes | ||
|
||
(What was added, updated, or removed in this PR.) | ||
<!-- What was added, updated, or removed in this PR? --> | ||
|
||
## ℹ️ Context for reviewers | ||
## ℹ️ Context | ||
|
||
(Background context, more in-depth details of the implementation, and anything else you'd like to call out or ask reviewers.) | ||
<!-- Why were these changes made? Add background context suitable for a non-technical audience. --> | ||
|
||
## ✅ Acceptance Validation | ||
<!-- If any of the following security implications apply, this PR must not be merged without Stephen Walter's approval. Explain in this section and add @SJWalter11 as a reviewer. | ||
- Adds a new software dependency or dependencies. | ||
- Modifies or invalidates one or more of our security controls. | ||
- Stores or transmits data that was not stored or transmitted before. | ||
- Requires additional review of security implications for other reasons. --> | ||
|
||
(How were the changes verified? Did you fully test the acceptance criteria in the ticket? Provide reproducible testing instructions and screenshots if applicable.) | ||
## 🧪 Validation | ||
|
||
## 🔒 Security Implications | ||
|
||
- [ ] This PR adds a new software dependency or dependencies. | ||
- [ ] This PR modifies or invalidates one or more of our security controls. | ||
- [ ] This PR stores or transmits data that was not stored or transmitted before. | ||
- [ ] This PR requires additional review of its security implications for other reasons. | ||
|
||
If any security implications apply, add Jason Ashbaugh (GitHub username: StewGoin) as a reviewer and do not merge this PR without his approval. | ||
<!-- How were the changes verified? Did you fully test the acceptance criteria in the ticket? Provide reproducible testing instructions and screenshots if applicable. --> |
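Review bot: moving the security-implications gate into an HTML comment (the `<!-- If any of the following security implications apply ... -->` block that replaces the `- [ ] This PR adds a new software dependency or dependencies.` checklist) means the rendered PR description no longer records whether the author considered those questions at all, and reviewers cannot see an unchecked box; keep the visible checkbox list under a heading and put only the guidance text in the comment. This hunk also changes the required approver from Jason Ashbaugh (StewGoin) to Stephen Walter (@SJWalter11) and hides that requirement inside the comment; since this is who gates new dependencies and control changes, the requirement should stay visible in the template and the change of approver should be called out in the PR description.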
@@ -0,0 +1,85 @@ | ||
name: build | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
environment: | ||
required: true | ||
type: string | ||
module: | ||
required: true | ||
type: string | ||
workflow_dispatch: | ||
inputs: | ||
environment: | ||
required: true | ||
type: choice | ||
options: | ||
- dev | ||
- test | ||
module: | ||
required: true | ||
type: choice | ||
options: | ||
- api | ||
- worker | ||
|
||
jobs: | ||
build: | ||
runs-on: self-hosted | ||
|
||
env: | ||
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | ||
AWS_REGION: ${{ vars.AWS_REGION }} | ||
DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }} | ||
|
||
steps: | ||
- name: Checkout Code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Setup Java | ||
uses: actions/setup-java@v3 | ||
with: | ||
distribution: 'temurin' | ||
java-version: '17' | ||
|
||
- name: Install Maven 3.6.3 | ||
run: | | ||
export PATH="$PATH:/opt/maven/bin" | ||
echo "PATH=$PATH" >> $GITHUB_ENV | ||
if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi | ||
tmpdir="$(mktemp -d)" | ||
curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir" | ||
sudo rm -rf /opt/maven | ||
sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven | ||
- name: Set env vars from AWS params in BCDA management account | ||
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main | ||
with: | ||
params: | | ||
ARTIFACTORY_URL=/artifactory/url | ||
ARTIFACTORY_USER=/artifactory/user | ||
ARTIFACTORY_PASSWORD=/artifactory/password | ||
- name: Build package | ||
run: mvn -U clean package -s settings.xml -DskipTests -Dusername="${ARTIFACTORY_USER}" -Dpassword="${ARTIFACTORY_PASSWORD}" -Drepository_url="${ARTIFACTORY_URL}" | ||
|
||
- name: Assume role in AB2D Management account | ||
uses: aws-actions/configure-aws-credentials@v3 | ||
with: | ||
aws-region: ${{ vars.AWS_REGION }} | ||
role-to-assume: arn:aws:iam::${{ secrets.MGMT_ACCOUNT_ID }}:role/delegatedadmin/developer/ab2d-mgmt-github-actions | ||
|
||
- name: Build image and push to ECR | ||
working-directory: ./${{ inputs.module }} | ||
run: | | ||
ECR_REPO_DOMAIN="${{ secrets.MGMT_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com" | ||
aws ecr get-login-password | docker login --username AWS --password-stdin "$ECR_REPO_DOMAIN" | ||
ECR_REPO_URI="$ECR_REPO_DOMAIN/ab2d_${{ inputs.module }}" | ||
SHA_SHORT=$(git rev-parse --short HEAD) | ||
echo "Building image for commit sha $SHA_SHORT" | ||
docker build \ | ||
-t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-$SHA_SHORT" \ | ||
-t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-latest" . | ||
echo "Pushing image" | ||
docker push "${ECR_REPO_URI}" --all-tags |
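Review bot: `uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main` pulls an action that loads Artifactory credentials into the job environment from a mutable branch, so any push to `main` in that repository changes code that handles those secrets; pin it to a release tag or, better, a full commit SHA (the `@v3` references to `actions/checkout`, `actions/setup-java` and `aws-actions/configure-aws-credentials` are at least release-managed tags, but SHA pinning applies there too). The "Install Maven 3.6.3" step pipes an unverified `curl` download straight into `tar` and then `sudo mv`s it into `/opt/maven`, which becomes the build toolchain for every later job on the self-hosted runner; download the archive to a file and check it against the published SHA-512 checksum before extracting. Finally, `-Dusername="${ARTIFACTORY_USER}" -Dpassword="${ARTIFACTORY_PASSWORD}"` puts the credential on the `mvn` command line, where it is visible in the process listing on the shared runner; referencing it from `settings.xml` via `${env.ARTIFACTORY_PASSWORD}` keeps it out of argv.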
@@ -0,0 +1,48 @@ | ||
name: deploy | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
environment: | ||
required: true | ||
type: string | ||
module: | ||
required: true | ||
type: string | ||
workflow_dispatch: | ||
inputs: | ||
environment: | ||
required: true | ||
type: choice | ||
options: | ||
- dev | ||
- test | ||
- sbx | ||
- prod | ||
- prod-test | ||
module: | ||
required: true | ||
type: choice | ||
options: | ||
- api | ||
- worker | ||
|
||
jobs: | ||
deploy: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
id-token: write | ||
env: | ||
DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }} | ||
ACCOUNT: ${{ inputs.environment == 'prod-test' && 'prod' || inputs.environment }} | ||
|
||
steps: | ||
- name: Assume role in AB2D ${{ env.ACCOUNT }} account | ||
uses: aws-actions/configure-aws-credentials@v3 | ||
with: | ||
aws-region: ${{ vars.AWS_REGION }} | ||
role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', env.ACCOUNT)] }}:role/delegatedadmin/developer/ab2d-${{ env.ACCOUNT }}-github-actions | ||
|
||
- name: Deploy latest image in ECR to ECS | ||
run: aws ecs update-service --cluster ab2d-${DEPLOYMENT_ENV}-${{ inputs.module }} --service ab2d-${DEPLOYMENT_ENV}-${{ inputs.module }} --force-new-deployment |
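Review bot: `aws ecs update-service ... --force-new-deployment` with no `--task-definition` restarts the service on whatever image the current task definition references (the `ab2d-${DEPLOYMENT_ENV}-latest` tag pushed by build.yml), so the image that ends up running is not tied to the commit that triggered this workflow, and a redeploy after an unrelated build silently picks up a different image; register a task definition revision that points at the `ab2d-${DEPLOYMENT_ENV}-<short sha>` tag from the build and pass that revision with `--task-definition`, which also makes rollback a matter of re-registering the previous revision. The `permissions` block with `id-token: write` is correct for the OIDC role assumption in this job; build.yml in the same commit assumes a role without declaring it, which is worth confirming is intentional (instance credentials on the self-hosted runner) rather than an omission.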
@@ -0,0 +1,97 @@ | ||
name: end-to-end tests | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
environment: | ||
required: true | ||
type: string | ||
workflow_dispatch: # Allow manual trigger | ||
inputs: | ||
environment: | ||
required: true | ||
type: choice | ||
options: | ||
- dev | ||
- test | ||
- sbx | ||
default: test | ||
|
||
# Ensure we have only one e2e test running at a time in each environment | ||
concurrency: | ||
group: ${{ inputs.environment }}-e2e-test | ||
|
||
jobs: | ||
test: | ||
runs-on: self-hosted | ||
|
||
env: | ||
# Keystore location must be full path for spring framework | ||
AB2D_BFD_KEYSTORE_LOCATION: "${{ github.workspace }}/opt/ab2d/ab2d_bfd_keystore" | ||
AB2D_V2_ENABLED: 'true' | ||
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | ||
|
||
steps: | ||
- name: Checkout Code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Setup Java | ||
uses: actions/setup-java@v3 | ||
with: | ||
distribution: 'temurin' | ||
java-version: '17' | ||
|
||
- name: Install Maven 3.6.3 | ||
run: | | ||
export PATH="$PATH:/opt/maven/bin" | ||
echo "PATH=$PATH" >> $GITHUB_ENV | ||
if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi | ||
tmpdir="$(mktemp -d)" | ||
curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir" | ||
sudo rm -rf /opt/maven | ||
sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven | ||
- name: Set env vars from AWS params in BCDA management account | ||
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main | ||
env: | ||
AWS_REGION: ${{ vars.AWS_REGION }} | ||
with: | ||
params: | | ||
ARTIFACTORY_URL=/artifactory/url | ||
ARTIFACTORY_USER=/artifactory/user | ||
ARTIFACTORY_PASSWORD=/artifactory/password | ||
- name: Assume role in AB2D account for this environment | ||
uses: aws-actions/configure-aws-credentials@v3 | ||
with: | ||
aws-region: ${{ vars.AWS_REGION }} | ||
role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', inputs.environment)] }}:role/delegatedadmin/developer/ab2d-${{ inputs.environment }}-github-actions | ||
|
||
- name: Set env vars from AWS params in AB2D account | ||
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main | ||
env: | ||
AWS_REGION: ${{ vars.AWS_REGION }} | ||
with: | ||
params: | | ||
AB2D_BFD_KEYSTORE_PASSWORD=/bfd/keystore-password | ||
OKTA_CLIENT_ID=/okta/test-pdp-100-id | ||
OKTA_CLIENT_PASSWORD=/okta/test-pdp-100-secret | ||
SECONDARY_USER_OKTA_CLIENT_ID=/okta/test-pdp-1000-id | ||
SECONDARY_USER_OKTA_CLIENT_PASSWORD=/okta/test-pdp-1000-secret | ||
- name: Create opt/ab2d directory and download keystore | ||
run: | | ||
mkdir -p opt/ab2d | ||
KEYSTORE_FILE_NAME="ab2d_${{ inputs.environment == 'test' && 'imp' || inputs.environment }}_keystore" | ||
aws s3 cp s3://ab2d-${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}-main/$KEYSTORE_FILE_NAME $AB2D_BFD_KEYSTORE_LOCATION | ||
test -f $AB2D_BFD_KEYSTORE_LOCATION && echo "created keystore file" | ||
- name: Run e2e-bfd-test | ||
run: | | ||
mvn test -s settings.xml -pl e2e-bfd-test -am -Dtest=EndToEndBfdTests -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress | ||
- name: Run e2e-test | ||
env: | ||
E2E_ENVIRONMENT: ${{ inputs.environment == 'dev' && 'DEV' || inputs.environment == 'test' && 'IMPL' || inputs.environment == 'sbx' && 'SANDBOX' }} | ||
run: | | ||
mvn test -s settings.xml -pl e2e-test -am -Dtest=TestRunner -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress |
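Review bot: the "Create opt/ab2d directory and download keystore" step copies the BFD keystore to `${{ github.workspace }}/opt/ab2d/ab2d_bfd_keystore` on a self-hosted runner and nothing removes it afterwards, so the private key material stays on the runner's disk for every subsequent job that lands on it; add a final step with `if: always()` that deletes `opt/ab2d` (and consider clearing the Maven test output, which may carry copies). `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true` opts this job into running actions on an end-of-life Node runtime; it should be tracked for removal together with the action upgrades rather than left as a permanent setting. The `E2E_ENVIRONMENT` expression falls through to `false` for any environment other than `dev`, `test` or `sbx`, which is harmless with the current `choice` options but will produce a confusing `E2E_ENVIRONMENT=false` if `workflow_call` is ever passed another value; a short comment or an explicit failure on the unmatched case would make that visible.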
@@ -0,0 +1,47 @@ | ||
name: pull request jobs | ||
|
||
on: | ||
pull_request: | ||
|
||
jobs: | ||
unit-integration-test: | ||
uses: ./.github/workflows/unit-integration-test.yml | ||
secrets: inherit | ||
build-api: | ||
uses: ./.github/workflows/build.yml | ||
with: | ||
environment: test | ||
module: api | ||
secrets: inherit | ||
build-worker: | ||
uses: ./.github/workflows/build.yml | ||
with: | ||
environment: test | ||
module: worker | ||
secrets: inherit | ||
deploy-api: | ||
needs: build-api | ||
permissions: | ||
contents: read | ||
id-token: write | ||
uses: ./.github/workflows/deploy.yml | ||
with: | ||
environment: test | ||
module: api | ||
secrets: inherit | ||
deploy-worker: | ||
needs: build-worker | ||
permissions: | ||
contents: read | ||
id-token: write | ||
uses: ./.github/workflows/deploy.yml | ||
with: | ||
environment: test | ||
module: worker | ||
secrets: inherit | ||
e2e-test: | ||
needs: [deploy-api, deploy-worker] | ||
uses: ./.github/workflows/e2e-test.yml | ||
with: | ||
environment: test | ||
secrets: inherit |
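Review bot: `build-api` and `build-worker` have no `needs: unit-integration-test`, so the shared `test` environment is built and redeployed even when the unit and integration tests fail; add that dependency (or gate the `deploy-*` jobs on it). Also, `on: pull_request` with no branch, path or label filter means every push to any open PR rebuilds and redeploys `test`, and two PRs updated close together will overwrite each other's deployment before `e2e-test` runs against it (the `concurrency` group in e2e-test.yml serialises the tests, not the deploys); consider a concurrency group on the deploy jobs, or restricting the deploy-and-e2e chain to a label or manual trigger.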
@@ -0,0 +1,9 @@ | ||
title = "DASG Standard" | ||
|
||
[extend] | ||
useDefault = true | ||
|
||
[[rules]] | ||
id = "mbi-detection" | ||
description = "Detects a potential MBI pattern based on https://www.cms.gov/medicare/new-medicare-card/understanding-the-mbi.pdf" | ||
regex = '''\b((?i)[1-9][ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]-?\d[ACDEFGHJKMNPQRTUVWXY][ACDEFGHJKMNPQRTUVWXY\d]\d-?[ACDEFGHJKMNPQRTUVWXY]{2}\d{2})\b''' |
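Review bot: the `mbi-detection` rule has no `keywords` entry and its `\b` anchors mean it only matches an MBI that forms a whole token, so an MBI embedded in a longer alphanumeric string is missed while any 11-character token of the same digit/letter shape is flagged; add a comment explaining the character class (the MBI alphabet is A to Z without S, L, O, I, B and Z, which is what `[ACDEFGHJKMNPQRTUVWXY]` encodes) and the two optional hyphens, and consider an `[allowlist]` for the synthetic identifiers used in test fixtures so the hook stays usable. The `(?i)` placed inside the capture group makes lowercase MBIs match as well, which looks intended but is worth stating in the `description`.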
@@ -1,5 +1,5 @@ | ||
repos: | ||
- repo: https://github.com/gitleaks/gitleaks | ||
rev: v8.16.1 | ||
rev: v8.19.2 | ||
hooks: | ||
- id: gitleaks |
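Review bot: the bump from `v8.16.1` to `v8.19.2` is fine, but if the "DASG Standard" gitleaks config added in this commit is meant to drive this hook, confirm it sits where gitleaks will find it (a `.gitleaks.toml` at the repository root is picked up automatically; otherwise pass it with `args: ["--config", "<path>"]` on the hook), because as written the hook otherwise runs with the built-in rules only and the `mbi-detection` rule never fires in pre-commit. `rev` is a tag reference that pre-commit resolves at install time; a commit SHA would make the hook version immutable.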