Merge branch 'main' into dependabot/npm_and_yarn/modules/cloudfront-l…

…ogs/lambda/semver-6.3.1

.github/actions/check-file-format/action.yaml

@@ -0,0 +1,9 @@
+name: Check File Format
+runs:
+  using: "composite"
+  steps:
+    - name: Check File Format
+      shell: bash
+      run: |
+          export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+          ./scripts/githooks/check-file-format.sh

.github/actions/check-markdown-format/action.yaml

@@ -0,0 +1,9 @@
+name: Check Markdown Format
+runs:
+  using: "composite"
+  steps:
+    - name: Check Markdown Format
+      shell: bash
+      run: |
+          export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+          ./scripts/githooks/check-markdown-format.sh

.github/actions/check-terraform-format/action.yaml

@@ -0,0 +1,9 @@
+name: Check Terraform Format
+runs:
+  using: "composite"
+  steps:
+    - name: Check Terraform Format
+      shell: bash
+      run: |
+          export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+          ./scripts/githooks/check-terraform-format.sh

.github/actions/cloc-repository/action.yaml

@@ -0,0 +1,9 @@
+name: Count lines of code in this repository
+runs:
+  using: "composite"
+  steps:
+    - name: Count lines of code in this repository
+      shell: bash
+      run: |
+          export FORMAT=default
+          ./scripts/cloc-repository.sh

.github/actions/get-metadata/action.yaml

@@ -0,0 +1,13 @@
+name: Get Metadata
+runs:
+  using: "composite"
+  steps:
+    - name: Get Metadata
+      id: metadata
+      shell: bash
+      run: |
+          datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
+          echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
+          echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
+          echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
+          echo "terraform_version=$(grep terraform .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT

.github/actions/scan-dependencies/action.yaml

@@ -0,0 +1,23 @@
+name: Scan Dependencies
+runs:
+  using: "composite"
+  steps:
+    - name: Generate SBOM File
+      shell: bash
+      run: ./scripts/sbom-generator.sh
+
+    - name: Upload SBOM Artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: dependency-scan
+        path: ./sbom-spdx.json
+
+    - name: Run CVE Scanner
+      shell: bash
+      run: ./scripts/cve-scanner.sh
+
+    - name: Upload CVE Artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: dependency-scan
+        path: ./cve-scan.json

.github/actions/scan-secrets/action.yaml

@@ -0,0 +1,9 @@
+name: Scan Secrets
+runs:
+  using: "composite"
+  steps:
+    - name: Count lines of code in this repository
+      shell: bash
+      run: |
+          export ALL_FILES=true
+          ./scripts/githooks/scan-secrets.sh

.github/workflows/cicd-pipeline.yaml

@@ -2,6 +2,8 @@ name: CI/CD Pipeline
 permissions:
   contents: read
   security-events: write
+  id-token: write
+  actions: write
 
 on:
   push:
@@ -18,56 +20,82 @@ jobs:
       build_datetime: ${{ steps.metadata.outputs.build_datetime }}
       build_timestamp: ${{ steps.metadata.outputs.build_timestamp }}
       build_epoch: ${{ steps.metadata.outputs.build_epoch }}
+      terraform_version: ${{ steps.metadata.outputs.terraform_version }}
     steps:
+      - uses: actions/checkout@v3
+
       - id: metadata
-        run: |
-          datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
-          echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
-          echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
-          echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
-  
-  precommit-checks:
+        name: Get Metadata
+        uses: ./.github/actions/get-metadata
+
+      - id: cloc
+        name: Get Lines of Code
+        uses: ./.github/actions/cloc-repository
+
+  formatting-checks:
+    needs: [get-metadata]
+    runs-on: ubuntu-latest
+    name: Formatting Checks
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Check File Format
+        uses: ./.github/actions/check-file-format
+
+      - name: Check Markdown Format
+        uses: ./.github/actions/check-markdown-format
+
+      - name: Check Terraform Format
+        uses: ./.github/actions/check-terraform-format
+
+  security-scan:
     needs: [get-metadata]
     runs-on: ubuntu-latest
-    name: Pre-Commit Checks
+    name: Security Scanning
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
-      - uses: ./.github/actions/check-format/
-      - uses: ./.github/actions/scan-secrets/
+      - name: Scan Dependencies
+        uses: ./.github/actions/scan-dependencies
+
+      - name: Scan Secrets
+        uses: ./.github/actions/scan-secrets
+
 
   checkov:
     name: Checkov
     runs-on: ubuntu-latest
-    needs: [precommit-checks]
+    needs: [formatting-checks, security-scan]
 
     steps:
       - uses: actions/checkout@v3
-      
+
       - uses: actions/setup-python@v4
         with:
           python-version: '3.11'
-      
+
       - name: Install Latest Checkov
         id: install-checkov
         run: pip install --user checkov
 
       - name: Run Checkov
         id: run-checkov
         run: checkov --directory . -o sarif -s --quiet
-      
+
       - name: Upload SARIF File
         uses: github/codeql-action/upload-sarif@v2
-        if: always() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch) 
+        if: always() && github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
         with:
           sarif_file: results.sarif
-    
+
   tflint:
     name: TFLint
     runs-on: ubuntu-latest
-    needs: [precommit-checks]
+    needs: [formatting-checks, security-scan]
 
     steps:
       - uses: actions/checkout@v3
@@ -77,16 +105,101 @@ jobs:
         with:
           path: ~/.tflint.d/plugins
           key: tflint-${{ hashFiles('.tflint.hcl') }}
-      
+
       - name: Setup TFLint
         uses: terraform-linters/setup-tflint@v3
         with:
           tflint_version: v0.47.0
-        
+
       - name: Init TFLint
         run: tflint --init
         env:
           GITHUB_TOKEN: ${{ github.token }}
-        
+
       - name: Run TFLint
-        run: tflint -f compact
+        run: tflint -f compact
+
+  build-example-app:
+    name: Build Example App
+    runs-on: ubuntu-latest
+    needs: [tflint, checkov]
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install asdf & tools
+        uses: asdf-vm/actions/install@v2
+
+      - name: Install Example Dependencies
+        run: make example-install
+
+      - name: Build Example App
+        run: make example-build
+
+      - name: Zip OpenNext Deployment Assets
+        run: cd example/.open-next && zip -r ../../open-next.zip . -q
+
+      - name: Store Build Artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: example-app-opennext-build
+          path: open-next.zip
+
+  deploy:
+    name: Deploy Example App
+    runs-on: ubuntu-latest
+    needs: [build-example-app]
+    if: success() && github.ref_name == 'main'
+    concurrency: example-deploy
+    environment:
+      name: Example Application
+      url: https://terraform-aws-opennext.tools.engineering.england.nhs.uk/
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install asdf & tools
+        uses: asdf-vm/actions/install@v2
+
+      - id: aws-credentials
+        name: Setup AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.DEPLOYMENT_IAM_ROLE }}
+          aws-region: eu-west-2
+
+      - name: Get Current Identity
+        run: aws sts get-caller-identity
+
+      - name: Download Build Artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: example-app-opennext-build
+
+      - name: Unzip Build Artifacts to .open-next folder
+        run: unzip -q -d example/.open-next open-next.zip
+
+      - name: Run Terraform Init
+        run: terraform -chdir=example/terraform init
+
+      - name: Run Terraform Plan
+        run: terraform -chdir=example/terraform plan -out example-app.tfplan
+
+      - name: Store Terraform Plan Artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: example-app-tfplan-output
+          path: example/terraform/example-app.tfplan
+
+      - name: Run Terraform Apply
+        run: terraform -chdir=example/terraform apply example-app.tfplan
+
+      - name: Get CloudFront Distribution ID
+        id: get_distribution_id
+        run: echo "distribution_id=$(terraform -chdir=example/terraform output -raw cloudfront_distribution_id)" >> "$GITHUB_OUTPUT"
+
+      - name: Trigger CloudFront Cache Invalidation
+        id: trigger_invalidation
+        run: echo "invalidation_id=$(aws cloudfront create-invalidation --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --paths '/*' --output text --query Invalidation.Id)" >> "$GITHUB_OUTPUT"
+
+      - name: Wait for Invalidation
+        run: aws cloudfront wait invalidation-completed --distribution-id ${{ steps.get_distribution_id.outputs.distribution_id }} --id ${{ steps.trigger_invalidation.outputs.invalidation_id }}