Merge branch 'main' into AB2D-6187-p15
Showing
63 changed files
with
1,162 additions
and
305 deletions.
@@ -0,0 +1,91 @@ | ||
name: build | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
environment: | ||
required: true | ||
type: string | ||
module: | ||
required: true | ||
type: string | ||
workflow_dispatch: | ||
inputs: | ||
environment: | ||
required: true | ||
type: choice | ||
options: | ||
- dev | ||
- test | ||
module: | ||
required: true | ||
type: choice | ||
options: | ||
- api | ||
- worker | ||
|
||
jobs: | ||
build: | ||
runs-on: self-hosted | ||
|
||
env: | ||
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | ||
AWS_REGION: ${{ vars.AWS_REGION }} | ||
DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }} | ||
|
||
steps: | ||
- name: Checkout Code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Setup Java | ||
uses: actions/setup-java@v3 | ||
with: | ||
distribution: 'temurin' | ||
java-version: '17' | ||
|
||
- name: Install Maven 3.6.3 | ||
run: | | ||
export PATH="$PATH:/opt/maven/bin" | ||
echo "PATH=$PATH" >> $GITHUB_ENV | ||
if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi | ||
tmpdir="$(mktemp -d)" | ||
curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir" | ||
sudo rm -rf /opt/maven | ||
sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven | ||
- name: Set env vars from AWS params in BCDA management account | ||
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main | ||
with: | ||
params: | | ||
ARTIFACTORY_URL=/artifactory/url | ||
ARTIFACTORY_USER=/artifactory/user | ||
ARTIFACTORY_PASSWORD=/artifactory/password | ||
- name: Build package | ||
run: mvn -U clean package -s settings.xml -DskipTests -Dusername="${ARTIFACTORY_USER}" -Dpassword="${ARTIFACTORY_PASSWORD}" -Drepository_url="${ARTIFACTORY_URL}" | ||
|
||
- name: Assume role in AB2D Management account | ||
uses: aws-actions/configure-aws-credentials@v3 | ||
with: | ||
aws-region: ${{ vars.AWS_REGION }} | ||
role-to-assume: arn:aws:iam::${{ secrets.MGMT_ACCOUNT_ID }}:role/delegatedadmin/developer/ab2d-mgmt-github-actions | ||
|
||
- name: Build image and push to ECR | ||
working-directory: ./${{ inputs.module }} | ||
run: | | ||
ECR_REPO_DOMAIN="${{ secrets.MGMT_ACCOUNT_ID }}.dkr.ecr.$AWS_REGION.amazonaws.com" | ||
aws ecr get-login-password | docker login --username AWS --password-stdin "$ECR_REPO_DOMAIN" | ||
ECR_REPO_URI="$ECR_REPO_DOMAIN/ab2d_${{ inputs.module }}" | ||
SHA_SHORT=$(git rev-parse --short HEAD) | ||
echo "Building image for commit sha $SHA_SHORT" | ||
docker build \ | ||
-t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-$SHA_SHORT" \ | ||
-t "${ECR_REPO_URI}:ab2d-${DEPLOYMENT_ENV}-latest" . | ||
# Push to special tag for promotion if this is run on a push to main | ||
if [ "$GITHUB_REF" == "refs/heads/main" ]; then | ||
docker tag $ECR_REPO_URI:ab2d-$DEPLOYMENT_ENV-$SHA_SHORT $ECR_REPO_URI:main-$SHA_SHORT | ||
fi | ||
echo "Pushing image" | ||
docker push "${ECR_REPO_URI}" --all-tags |
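Review bot: The `Build image and push to ECR` step expands `${{ secrets.MGMT_ACCOUNT_ID }}` and `${{ inputs.module }}` directly inside the `run:` script, so the values are spliced into shell text before bash parses it; on the `workflow_call` path `module` is a free-form string (the choice list only constrains `workflow_dispatch`), which is the script-injection shape GitHub's hardening guide warns about, and the same pattern appears in the e2e-test workflow's `Create opt/ab2d directory and download keystore` step. Pass both through `env:` and read them as shell variables, as the promote workflow in this commit already does with `ECR_REPO_DOMAIN` and `ECR_REPO`. Separately, `Install Maven 3.6.3` pipes an unverified download straight into `tar` and installs it with `sudo` on a self-hosted runner; comparing the tarball against the published `.sha512` before extracting (e.g. `echo "<expected-sha512-from-apache> apache-maven-3.6.3-bin.tar.gz" | sha512sum -c`) closes that gap, and the identical step in the e2e-test workflow should get the same treatment. The third-party actions here are referenced by mutable tags (`actions/checkout@v3`, `aws-params-env-action@main`) while the promote workflow pins by commit SHA with a version comment; the same pinning belongs here. The Artifactory password is also handed to `mvn` as a `-Dpassword=` argument, which exposes it in the process list of the shared runner; `settings.xml` can read `${env.ARTIFACTORY_PASSWORD}` directly so the value never appears on the command line.
```yaml
      - name: Build image and push to ECR
        working-directory: ./${{ inputs.module }}
        env:
          MGMT_ACCOUNT_ID: ${{ secrets.MGMT_ACCOUNT_ID }}
          MODULE: ${{ inputs.module }}
        run: |
          ECR_REPO_DOMAIN="${MGMT_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
          aws ecr get-login-password | docker login --username AWS --password-stdin "$ECR_REPO_DOMAIN"
          ECR_REPO_URI="${ECR_REPO_DOMAIN}/ab2d_${MODULE}"
          # … unchanged: SHA_SHORT, docker build, main-tag, docker push …
```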
@@ -0,0 +1,49 @@ | ||
name: deploy | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
environment: | ||
required: true | ||
type: string | ||
module: | ||
required: true | ||
type: string | ||
workflow_dispatch: | ||
inputs: | ||
environment: | ||
required: true | ||
type: choice | ||
options: | ||
- dev | ||
- test | ||
- sbx | ||
- prod | ||
- prod_test | ||
module: | ||
required: true | ||
type: choice | ||
options: | ||
- api | ||
- worker | ||
|
||
jobs: | ||
deploy: | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
id-token: write | ||
steps: | ||
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | ||
env: | ||
ACCOUNT: ${{ inputs.environment == 'prod_test' && 'prod' || inputs.environment }} | ||
with: | ||
aws-region: ${{ vars.AWS_REGION }} | ||
role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', env.ACCOUNT)] }}:role/delegatedadmin/developer/ab2d-${{ env.ACCOUNT }}-github-actions | ||
- name: Deploy ECS service to run on latest image in ECR | ||
env: | ||
SERVICE_NAME: ab2d-${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}-${{ inputs.module }} | ||
run: | | ||
echo "Deploying service $SERVICE_NAME" | ||
aws ecs update-service --cluster "$SERVICE_NAME" --service "$SERVICE_NAME" --force-new-deployment > /dev/null | ||
aws ecs wait services-stable --cluster "$SERVICE_NAME" --services "$SERVICE_NAME" |
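Review bot: The `deploy` job has no `concurrency` group, so two runs targeting the same environment and module (for example two pull requests both deploying to `test`, since the caller workflows deploy on every `pull_request`) can each issue `--force-new-deployment` against the same ECS service and race each other's `wait services-stable`. The e2e-test workflow in this commit already guards itself with `concurrency: group: ${{ inputs.environment }}-e2e-test`; the equivalent here is a workflow-level `concurrency:` / `  group: ${{ inputs.environment }}-${{ inputs.module }}-deploy`. The `> /dev/null` on `aws ecs update-service` also discards the response that identifies the ECS deployment this run started; keeping that output, or at least its deployment id, in the log makes later incident triage much easier. On the `workflow_call` path `environment` is an unvalidated string, so a value outside the choice list yields an empty `secrets[...]` lookup and a malformed role ARN; a short failing step that checks the input against the known values would turn that into a clear error rather than an opaque STS failure.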
@@ -0,0 +1,97 @@ | ||
name: end-to-end tests | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
environment: | ||
required: true | ||
type: string | ||
workflow_dispatch: # Allow manual trigger | ||
inputs: | ||
environment: | ||
required: true | ||
type: choice | ||
options: | ||
- dev | ||
- test | ||
- sbx | ||
default: test | ||
|
||
# Ensure we have only one e2e test running at a time in each environment | ||
concurrency: | ||
group: ${{ inputs.environment }}-e2e-test | ||
|
||
jobs: | ||
test: | ||
runs-on: self-hosted | ||
|
||
env: | ||
# Keystore location must be full path for spring framework | ||
AB2D_BFD_KEYSTORE_LOCATION: "${{ github.workspace }}/opt/ab2d/ab2d_bfd_keystore" | ||
AB2D_V2_ENABLED: 'true' | ||
ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true | ||
|
||
steps: | ||
- name: Checkout Code | ||
uses: actions/checkout@v3 | ||
|
||
- name: Setup Java | ||
uses: actions/setup-java@v3 | ||
with: | ||
distribution: 'temurin' | ||
java-version: '17' | ||
|
||
- name: Install Maven 3.6.3 | ||
run: | | ||
export PATH="$PATH:/opt/maven/bin" | ||
echo "PATH=$PATH" >> $GITHUB_ENV | ||
if mvn -v; then echo "Maven already installed" && exit 0; else echo "Installing Maven"; fi | ||
tmpdir="$(mktemp -d)" | ||
curl -LsS https://archive.apache.org/dist/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz | tar xzf - -C "$tmpdir" | ||
sudo rm -rf /opt/maven | ||
sudo mv "$tmpdir/apache-maven-3.6.3" /opt/maven | ||
- name: Set env vars from AWS params in BCDA management account | ||
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main | ||
env: | ||
AWS_REGION: ${{ vars.AWS_REGION }} | ||
with: | ||
params: | | ||
ARTIFACTORY_URL=/artifactory/url | ||
ARTIFACTORY_USER=/artifactory/user | ||
ARTIFACTORY_PASSWORD=/artifactory/password | ||
- name: Assume role in AB2D account for this environment | ||
uses: aws-actions/configure-aws-credentials@v3 | ||
with: | ||
aws-region: ${{ vars.AWS_REGION }} | ||
role-to-assume: arn:aws:iam::${{ secrets[format('{0}_ACCOUNT_ID', inputs.environment)] }}:role/delegatedadmin/developer/ab2d-${{ inputs.environment }}-github-actions | ||
|
||
- name: Set env vars from AWS params in AB2D account | ||
uses: cmsgov/ab2d-bcda-dpc-platform/actions/aws-params-env-action@main | ||
env: | ||
AWS_REGION: ${{ vars.AWS_REGION }} | ||
with: | ||
params: | | ||
AB2D_BFD_KEYSTORE_PASSWORD=/bfd/keystore-password | ||
OKTA_CLIENT_ID=/okta/test-pdp-100-id | ||
OKTA_CLIENT_PASSWORD=/okta/test-pdp-100-secret | ||
SECONDARY_USER_OKTA_CLIENT_ID=/okta/test-pdp-1000-id | ||
SECONDARY_USER_OKTA_CLIENT_PASSWORD=/okta/test-pdp-1000-secret | ||
- name: Create opt/ab2d directory and download keystore | ||
run: | | ||
mkdir -p opt/ab2d | ||
KEYSTORE_FILE_NAME="ab2d_${{ inputs.environment == 'test' && 'imp' || inputs.environment }}_keystore" | ||
aws s3 cp s3://ab2d-${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }}-main/$KEYSTORE_FILE_NAME $AB2D_BFD_KEYSTORE_LOCATION | ||
test -f $AB2D_BFD_KEYSTORE_LOCATION && echo "created keystore file" | ||
- name: Run e2e-bfd-test | ||
run: | | ||
mvn test -s settings.xml -pl e2e-bfd-test -am -Dtest=EndToEndBfdTests -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress | ||
- name: Run e2e-test | ||
env: | ||
E2E_ENVIRONMENT: ${{ inputs.environment == 'dev' && 'DEV' || inputs.environment == 'test' && 'IMPL' || inputs.environment == 'sbx' && 'SANDBOX' }} | ||
run: | | ||
mvn test -s settings.xml -pl e2e-test -am -Dtest=TestRunner -DfailIfNoTests=false -Dusername=$ARTIFACTORY_USER -Dpassword=$ARTIFACTORY_PASSWORD -Drepository_url=$ARTIFACTORY_URL --no-transfer-progress |
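Review bot: The keystore that `Create opt/ab2d directory and download keystore` copies from S3 into `${{ github.workspace }}/opt/ab2d` on the self-hosted runner is never removed, so the file outlives the job and remains on the runner's disk for whatever runs next in that workspace unless the runner is ephemeral. A final step `- name: Remove keystore` / `  if: always()` / `  run: rm -f "$AB2D_BFD_KEYSTORE_LOCATION"` bounds its lifetime to this run. The `Run e2e-test` step's `E2E_ENVIRONMENT` expression has no fallback branch, so an `environment` value outside `dev`/`test`/`sbx` (possible on the `workflow_call` path, which does not use the choice list) evaluates to `false` and the tests run with `E2E_ENVIRONMENT=false`; an explicit failing check on the input before the Maven steps would surface that earlier. `Install Maven 3.6.3` is byte-for-byte the same as in the build workflow; a composite action under `.github/actions/` would keep the two copies in sync when the version or checksum changes.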
@@ -0,0 +1,60 @@ | ||
name: promote | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
environment: | ||
required: true | ||
type: string | ||
module: | ||
required: true | ||
type: string | ||
workflow_dispatch: | ||
inputs: | ||
environment: | ||
required: true | ||
type: choice | ||
options: | ||
- sbx | ||
- prod | ||
- prod_test | ||
module: | ||
required: true | ||
type: choice | ||
options: | ||
- api | ||
- worker | ||
|
||
permissions: | ||
contents: read | ||
id-token: write | ||
|
||
jobs: | ||
promote: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0 | ||
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | ||
with: | ||
aws-region: ${{ vars.AWS_REGION }} | ||
role-to-assume: arn:aws:iam::${{ secrets.MGMT_ACCOUNT_ID }}:role/delegatedadmin/developer/ab2d-mgmt-github-actions | ||
- name: Retag images in ECR | ||
env: | ||
DEPLOYMENT_ENV: ${{ vars[format('{0}_DEPLOYMENT_ENV', inputs.environment)] }} | ||
ECR_REPO_DOMAIN: ${{ secrets.MGMT_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com | ||
ECR_REPO: ab2d_${{ inputs.module }} | ||
run: | | ||
SHA_SHORT="$(git rev-parse --short HEAD)" | ||
TOKEN="$(aws ecr get-authorization-token --output text --query 'authorizationData[].authorizationToken')" | ||
CONTENT_TYPE="application/vnd.docker.distribution.manifest.v2+json" | ||
echo "Getting the manifest of the image tagged main-$SHA_SHORT" | ||
MANIFEST="$(curl -sS -H "Authorization: Basic $TOKEN" -H "Accept: $CONTENT_TYPE" "https://$ECR_REPO_DOMAIN/v2/$ECR_REPO/manifests/main-$SHA_SHORT")" | ||
SHA_TAG="ab2d-$DEPLOYMENT_ENV-$SHA_SHORT" | ||
echo "Adding the $SHA_TAG tag to main-$SHA_SHORT image" | ||
curl -sS -X PUT -H "Authorization: Basic $TOKEN" -H "Content-Type: $CONTENT_TYPE" -d "$MANIFEST" "https://$ECR_REPO_DOMAIN/v2/$ECR_REPO/manifests/$SHA_TAG" | ||
LATEST_TAG="ab2d-$DEPLOYMENT_ENV-latest" | ||
echo "Adding the $LATEST_TAG tag to main-$SHA_SHORT image" | ||
curl -sS -X PUT -H "Authorization: Basic $TOKEN" -H "Content-Type: $CONTENT_TYPE" -d "$MANIFEST" "https://$ECR_REPO_DOMAIN/v2/$ECR_REPO/manifests/$LATEST_TAG" |
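Review bot: The three `curl -sS` calls in `Retag images in ECR` do not use `--fail`, so an HTTP error from the registry (for example no `main-$SHA_SHORT` image because the selected ref was never built from `main`) leaves `MANIFEST` holding the registry's error body, the two `PUT`s then send that body as a manifest, and the step still exits 0 because curl only reports transport failures. Adding `-f` to each call (`curl -sSf ...`) makes a 4xx/5xx fail the step, and a `test -n "$MANIFEST"` guard after the GET gives a clearer message than a failed PUT. The `Accept` header requests only the Docker v2 schema; if any image is pushed as an OCI manifest or a manifest list this GET may not return the document the PUTs expect — worth confirming against what the build workflow's `docker push --all-tags` actually produces.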
@@ -0,0 +1,47 @@ | ||
name: pull request jobs | ||
|
||
on: | ||
pull_request: | ||
|
||
jobs: | ||
unit-integration-test: | ||
uses: ./.github/workflows/unit-integration-test.yml | ||
secrets: inherit | ||
build-api: | ||
uses: ./.github/workflows/build.yml | ||
with: | ||
environment: test | ||
module: api | ||
secrets: inherit | ||
build-worker: | ||
uses: ./.github/workflows/build.yml | ||
with: | ||
environment: test | ||
module: worker | ||
secrets: inherit | ||
deploy-api: | ||
needs: build-api | ||
permissions: | ||
contents: read | ||
id-token: write | ||
uses: ./.github/workflows/deploy.yml | ||
with: | ||
environment: test | ||
module: api | ||
secrets: inherit | ||
deploy-worker: | ||
needs: build-worker | ||
permissions: | ||
contents: read | ||
id-token: write | ||
uses: ./.github/workflows/deploy.yml | ||
with: | ||
environment: test | ||
module: worker | ||
secrets: inherit | ||
e2e-test: | ||
needs: [deploy-api, deploy-worker] | ||
uses: ./.github/workflows/e2e-test.yml | ||
with: | ||
environment: test | ||
secrets: inherit |
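Review bot: `on: pull_request:` has no `types`, branch or path filter, so every push to any pull request rebuilds both modules on the self-hosted runner and redeploys the shared `test` environment before running e2e against it, and two open pull requests (or a pull request and a merge to `main`, which the `push to main` workflow deploys identically) will overwrite each other's `test` deployment. If that is acceptable for this team, a workflow-level `concurrency:` / `  group: test-environment` / `  cancel-in-progress: false` at least serializes the runs. Because the build job runs on `self-hosted` and the reusable workflows are called with `secrets: inherit`, the repository's Actions settings should require approval before pull requests from forks run these workflows; that is a settings question rather than a YAML one, but this file is where the next reader will look for it. The `build-api`/`build-worker` jobs carry no `permissions:` block while the deploy jobs grant `id-token: write`; if the build's `configure-aws-credentials` step is meant to use OIDC rather than the runner's instance credentials it will need the same grant — confirm which path is intended.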
@@ -0,0 +1,46 @@ | ||
name: push to main | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
|
||
jobs: | ||
build-api: | ||
uses: ./.github/workflows/build.yml | ||
with: | ||
environment: test | ||
module: api | ||
secrets: inherit | ||
build-worker: | ||
uses: ./.github/workflows/build.yml | ||
with: | ||
environment: test | ||
module: worker | ||
secrets: inherit | ||
deploy-api: | ||
needs: build-api | ||
permissions: | ||
contents: read | ||
id-token: write | ||
uses: ./.github/workflows/deploy.yml | ||
with: | ||
environment: test | ||
module: api | ||
secrets: inherit | ||
deploy-worker: | ||
needs: build-worker | ||
permissions: | ||
contents: read | ||
id-token: write | ||
uses: ./.github/workflows/deploy.yml | ||
with: | ||
environment: test | ||
module: worker | ||
secrets: inherit | ||
e2e-test: | ||
needs: [deploy-api, deploy-worker] | ||
uses: ./.github/workflows/e2e-test.yml | ||
with: | ||
environment: test | ||
secrets: inherit |
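Review bot: This workflow's job graph is a copy of the `pull request jobs` workflow minus the `unit-integration-test` job, so the two definitions will drift as one is edited; a single workflow with both triggers (`on:` / `  push:` with `branches: [main]` / `  pull_request:`) and an `if: github.event_name == 'pull_request'` on the unit-test job would keep one definition. Unit and integration tests are not run on the push to `main` itself here; if that is deliberate because the pull request already ran them, a one-line comment above `jobs:` saying so would save the next reader the question.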