Merge pull request #225 from NHSDigital/release/2024-06-14

Release/2024-06-14

Author: Rohoolio

.github/actions/catch-failed-step/Dockerfile

@@ -0,0 +1,7 @@
+FROM python:3.8-slim
+
+ADD requirements.txt /requirements.txt
+RUN pip install -r /requirements.txt
+
+ADD entrypoint.py /entrypoint.py
+ENTRYPOINT ["python", "/entrypoint.py"]

.github/actions/catch-failed-step/action.yml

@@ -0,0 +1,5 @@
+name: "Catch failed step"
+description: "Catches the name of the final failed step in the current workflow"
+runs:
+  using: "docker"
+  image: "Dockerfile"

.github/actions/catch-failed-step/entrypoint.py

@@ -0,0 +1,27 @@
+"""Gets the final failed step in a given workflow"""
+
+import os
+
+from github import Github
+
+DEFAULT_STEP_NAME_WHEN_NO_STEP_FAILED = "No failed steps"
+
+
+def main():
+    token = os.getenv("INPUT_GITHUB_TOKEN")
+    repo_name = os.getenv("GITHUB_REPOSITORY")
+    run_id = int(os.getenv("GITHUB_RUN_ID"))
+
+    github_client = Github(token)
+    repo = github_client.get_repo(repo_name)
+    workflow_run = repo.get_workflow_run(run_id)
+
+    failed_step_name = DEFAULT_STEP_NAME_WHEN_NO_STEP_FAILED
+    for job in workflow_run.jobs():
+        if job.conclusion == "failure":
+            failed_step_name = job.name
+    print(f"::set-output name=failed-step-name::{failed_step_name}")  # noqa
+
+
+if __name__ == "__main__":
+    main()

.github/actions/catch-failed-step/requirements.txt

@@ -0,0 +1 @@
+PyGithub

.github/workflows/_deploy.yml

@@ -24,7 +24,6 @@ env:
   WORKSPACE: ${{ inputs.workspace }}
   CACHE_NAME: ${{ inputs.workspace }}-${{ inputs.account }}-${{ inputs.scope }}
   SCOPE: ${{ inputs.scope }}
-  # SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}
   CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
 
 jobs:
@@ -74,9 +73,6 @@ jobs:
     needs: [get-branch-from-workflow-file, build]
     runs-on: [self-hosted, ci]
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
       - uses: ./.github/actions/terraform/
         with:
           command: init
@@ -91,9 +87,6 @@ jobs:
     needs: [get-branch-from-workflow-file, terraform--init]
     runs-on: [self-hosted, ci]
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
       - uses: ./.github/actions/terraform/
         with:
           command: plan
@@ -109,9 +102,6 @@ jobs:
     environment: ${{ inputs.account }}
     runs-on: [self-hosted, ci]
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
       - uses: ./.github/actions/terraform/
         with:
           command: apply
@@ -126,9 +116,6 @@ jobs:
     needs: [get-branch-from-workflow-file, terraform--apply]
     runs-on: [self-hosted, ci]
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
       - uses: ./.github/actions/make/
         if: ${{ env.SCOPE == 'per_workspace'}}
         with:
@@ -150,9 +137,6 @@ jobs:
     needs: [get-branch-from-workflow-file, apigee--deploy]
     runs-on: [self-hosted, ci]
     steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ needs.get-branch-from-workflow-file.outputs.branch_name }}
       - uses: ./.github/actions/make/
         with:
           command: test--smoke WORKSPACE="${{ env.WORKSPACE }}" ACCOUNT="${{ env.ACCOUNT }}"
@@ -177,16 +161,24 @@ jobs:
     runs-on: [self-hosted, ci]
 
     steps:
+      - name: Catch failed steps
+        id: catch-failed-step
+        uses: ./.github/actions/catch-failed-step
       - name: Send job result to slack
         id: slack
         uses: slackapi/[email protected]
         with:
           payload: |
             {
+              "action_url": "${{ format('{0}/{1}/actions/runs/{2}/attempts/{3}', github.server_url, github.repository, github.run_id, github.run_attempt) }}",
+              "attempt": ${{ github.run_attempt }},
               "account": "${{ env.ACCOUNT }}",
-              "environment": "${{ env.WORKSPACE }}",
-              "result": "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}",
-              "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}"
+              "workspace": "${{ env.WORKSPACE }}",
+              "caller": "${{ github.triggering_actor }}",
+              "scope": "${{ env.SCOPE }}",
+              "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}",
+              "result":  "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}",
+              "result_detail": "${{ needs.set-success.outputs.success && 'None' || steps.catch-failed-step.outputs.failed-step-name }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}

.github/workflows/merge.yml

@@ -11,6 +11,18 @@ permissions:
   actions: write
 
 jobs:
+  get-branch-from-workflow-file:
+    runs-on: [self-hosted, ci]
+    outputs:
+      branch_name: ${{ steps.get_branch.outputs.branch_name }}
+    steps:
+      - id: get_branch
+        run: |
+          workflow_ref=${{ github.workflow_ref }}
+          branch_name=${workflow_ref#*refs/heads/}
+          branch_name=${branch_name#*refs/tags/}
+          echo "branch_name=${branch_name}" >> $GITHUB_OUTPUT
+
   make-tag:
     runs-on: [self-hosted, ci]
     permissions: write-all
@@ -36,18 +48,36 @@ jobs:
     outputs:
       tag: ${{ env.tag }}
 
+  set-success:
+    name: Set Success
+    needs: [make-tag, get-branch-from-workflow-file]
+    runs-on: [self-hosted, ci]
+    steps:
+      - name: Set success env var
+        run: echo "success"
+    outputs:
+      success: "succeeded"
+
   message-slack:
     name: Notify slack of merge to main
-    needs: [make-tag]
+    needs: [make-tag, get-branch-from-workflow-file, set-success]
     runs-on: [self-hosted, ci]
     steps:
+      - name: Catch failed steps
+        id: catch-failed-step
+        uses: ./.github/actions/catch-failed-step
       - name: Send merge result to slack
         id: slack
         uses: slackapi/[email protected]
         with:
           payload: |
             {
-              "tag": "${{ needs.make-tag.outputs.tag}}"
+              "tag": "${{ needs.make-tag.outputs.tag}}",
+              "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}",
+              "caller": "${{ github.triggering_actor }}",
+              "result":  "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}",
+              "result_detail": "${{ needs.set-success.outputs.success && 'None' || steps.catch-failed-step.outputs.failed-step-name }}",
+              "action_url": "${{ format('{0}/{1}/actions/runs/{2}/attempts/{3}', github.server_url, github.repository, github.run_id, github.run_attempt) }}"
             }
         env:
           SLACK_WEBHOOK_URL: ${{ secrets.MAIN_MERGE_SLACK_HOOK_URL }}

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 2024-06-14
+- [PI-179] Improve Slack messaging for deployments
+- [PI-385] PENTEST - reject HTTP and enable access logs on S3 buckets
+
 ## 2024-06-04
 - [PI-322] State machine lambda error messages truncated
 - [PI-346] Update now includes modify changes, plus testing suite

VERSION

@@ -1 +1 @@
-2024.06.04
+2024.06.14

changelog/2024-06-14.md

@@ -0,0 +1,2 @@
+- [PI-179] Improve Slack messaging for deployments
+- [PI-385] PENTEST - reject HTTP and enable access logs on S3 buckets

infrastructure/terraform/per_account/dev/main.tf

@@ -32,11 +32,27 @@ module "iam__api-gateway-to-cloudwatch" {
   project = local.project
 }
 
+module "bucket_access_logs" {
+  source                                = "terraform-aws-modules/s3-bucket/aws"
+  version                               = "3.15.2"
+  bucket                                = "${local.project}--${replace(terraform.workspace, "_", "-")}--s3-access-logs"
+  attach_deny_insecure_transport_policy = true
+  attach_access_log_delivery_policy     = true
+  force_destroy                         = true
+  versioning = {
+    enabled = true
+  }
+  tags = {
+    Name = "${local.project}--${replace(terraform.workspace, "_", "-")}--s3-access-logs"
+  }
+}
+
 module "bucket" {
-  source        = "terraform-aws-modules/s3-bucket/aws"
-  version       = "3.15.2"
-  bucket        = "${local.project}--${replace(terraform.workspace, "_", "-")}--test-data"
-  force_destroy = true
+  source                                = "terraform-aws-modules/s3-bucket/aws"
+  version                               = "3.15.2"
+  bucket                                = "${local.project}--${replace(terraform.workspace, "_", "-")}--test-data"
+  attach_deny_insecure_transport_policy = true
+  force_destroy                         = true
   versioning = {
     enabled = true
   }
@@ -46,10 +62,12 @@ module "bucket" {
 }
 
 module "truststore_bucket" {
-  source        = "terraform-aws-modules/s3-bucket/aws"
-  version       = "3.15.2"
-  bucket        = "${local.project}--${replace(terraform.workspace, "_", "-")}--truststore"
-  force_destroy = true
+  source                                = "terraform-aws-modules/s3-bucket/aws"
+  version                               = "3.15.2"
+  bucket                                = "${local.project}--${replace(terraform.workspace, "_", "-")}--truststore"
+  attach_deny_insecure_transport_policy = true
+  attach_access_log_delivery_policy     = true
+  force_destroy                         = true
   versioning = {
     enabled = true
   }
@@ -58,6 +76,13 @@ module "truststore_bucket" {
   }
 }
 
+resource "aws_s3_bucket_logging" "truststore_to_access_logs" {
+  bucket = module.truststore_bucket.s3_bucket_id
+
+  target_bucket = module.bucket_access_logs.s3_bucket_id
+  target_prefix = "truststore/log/"
+}
+
 module "vpc" {
   source      = "../modules/vpc"
   environment = terraform.workspace