generated from nhs-england-tools/repository-template
-
Notifications
You must be signed in to change notification settings - Fork 14
205 lines (161 loc) · 5.64 KB
/
cicd-pipeline.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
name: CI/CD Pipeline
permissions:
contents: read
security-events: write
id-token: write
actions: write
on:
push:
pull_request:
branches:
- main
types: [opened, synchronize, reopened]
jobs:
get-metadata:
name: "Get Metadata"
runs-on: ubuntu-latest
outputs:
build_datetime: ${{ steps.metadata.outputs.build_datetime }}
build_timestamp: ${{ steps.metadata.outputs.build_timestamp }}
build_epoch: ${{ steps.metadata.outputs.build_epoch }}
terraform_version: ${{ steps.metadata.outputs.terraform_version }}
steps:
- uses: actions/checkout@v3
- id: metadata
name: Get Metadata
uses: ./.github/actions/get-metadata
- id: cloc
name: Get Lines of Code
uses: ./.github/actions/cloc-repository
formatting-checks:
needs: [get-metadata]
runs-on: ubuntu-latest
name: Formatting Checks
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Check File Format
uses: ./.github/actions/check-file-format
- name: Check Markdown Format
uses: ./.github/actions/check-markdown-format
- name: Check Terraform Format
uses: ./.github/actions/check-terraform-format
security-scan:
needs: [get-metadata]
runs-on: ubuntu-latest
name: Security Scanning
steps:
- uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Scan Dependencies
uses: ./.github/actions/scan-dependencies
- name: Scan Secrets
uses: ./.github/actions/scan-secrets
checkov:
name: Checkov
runs-on: ubuntu-latest
needs: [formatting-checks, security-scan]
steps:
- uses: actions/checkout@v3
- uses: actions/setup-python@v4
with:
python-version: '3.11'
- name: Install Latest Checkov
id: install-checkov
run: pip install --user checkov
- name: Run Checkov
id: run-checkov
run: checkov --directory . -o sarif -s --quiet
- name: Upload SARIF File
uses: github/codeql-action/upload-sarif@v2
if: always() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
with:
sarif_file: results.sarif
tflint:
name: TFLint
runs-on: ubuntu-latest
needs: [formatting-checks, security-scan]
steps:
- uses: actions/checkout@v3
- name: Setup TFLint Cache
uses: actions/cache@v3
with:
path: ~/.tflint.d/plugins
key: tflint-${{ hashFiles('.tflint.hcl') }}
- name: Setup TFLint
uses: terraform-linters/setup-tflint@v3
with:
tflint_version: v0.47.0
- name: Init TFLint
run: tflint --init
env:
GITHUB_TOKEN: ${{ github.token }}
- name: Run TFLint
run: tflint -f compact
build-example-app:
name: Build Example App
runs-on: ubuntu-latest
needs: [tflint, checkov]
steps:
- uses: actions/checkout@v3
- name: Install asdf & tools
uses: asdf-vm/actions/install@v2
- name: Install Example Dependencies
run: make example-install
- name: Build Example App
run: make example-build
- name: Zip OpenNext Deployment Assets
run: cd example/.open-next && zip -r ../../open-next.zip . -q
- name: Store Build Artifacts
uses: actions/upload-artifact@v3
with:
name: example-app-opennext-build
path: open-next.zip
deploy:
name: Deploy Example App
runs-on: ubuntu-latest
needs: [build-example-app]
if: success() && github.ref_name == 'main'
concurrency: example-deploy
environment:
name: Example Application
url: https://terraform-aws-opennext.tools.engineering.england.nhs.uk/
steps:
- uses: actions/checkout@v3
- name: Install asdf & tools
uses: asdf-vm/actions/install@v2
- id: aws-credentials
name: Setup AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
role-to-assume: ${{ secrets.DEPLOYMENT_IAM_ROLE }}
aws-region: eu-west-2
- name: Get Current Identity
run: aws sts get-caller-identity
- name: Download Build Artifacts
uses: actions/download-artifact@v3
with:
name: example-app-opennext-build
- name: Unzip Build Artifacts to .open-next folder
run: unzip -q -d example/.open-next open-next.zip
- name: Run Terraform Init
run: terraform -chdir=example/terraform init
- name: Run Terraform Plan
run: terraform -chdir=example/terraform plan -out example-app.tfplan
- name: Store Terraform Plan Artifact
uses: actions/upload-artifact@v3
with:
name: example-app-tfplan-output
path: example/terraform/example-app.tfplan
- name: Run Terraform Apply
run: terraform -chdir=example/terraform apply example-app.tfplan
- name: Get CloudFront Distribution ID
id: get_distribution_id
run: echo "distribution_id=$(terraform -chdir=example/terraform output -raw cloudfront_distribution_id)" >> "$GITHUB_OUTPUT"
- name: Trigger CloudFront Cache Invalidation
id: trigger_invalidation
run: echo "invalidation_id=$(aws cloudfront create-invalidation --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --paths '/*' --output text --query Invalidation.Id)" >> "$GITHUB_OUTPUT"
- name: Wait for Invalidation
run: aws cloudfront wait invalidation-completed --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --id ${{ steps.trigger_invalidation.outputs.invalidation_id }}