From 7f3bfd6ddc3b94adc23724f913bef4f405ff49e6 Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Tue, 19 Sep 2023 12:01:06 +0100 Subject: [PATCH 1/3] Remove paas workflow and action --- .github/workflows/actions/deploy/action.yml | 116 ------------ .github/workflows/build.yml | 186 -------------------- 2 files changed, 302 deletions(-) delete mode 100644 .github/workflows/actions/deploy/action.yml delete mode 100644 .github/workflows/build.yml diff --git a/.github/workflows/actions/deploy/action.yml b/.github/workflows/actions/deploy/action.yml deleted file mode 100644 index b4c173f48..000000000 --- a/.github/workflows/actions/deploy/action.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -name: Deploy to PaaS - -inputs: - environment: - description: The environment to deploy to Development/Test/Production/Review/Speed/UR etc - required: true - sha: - description: Commit sha to be deployed - required: true - pr: - description: Pull Request Reference - required: false - AZURE_CREDENTIALS: - required: true - KEY_VAULT: - required: true - ARM_ACCESS_KEY: - required: true - -runs: - using: composite - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: set-up-environment - uses: DFE-Digital/github-actions/set-up-environment@master - - - uses: azure/login@v1 - with: - creds: ${{ inputs.AZURE_CREDENTIALS }} - - - name: Validate Key Vault Secrets - uses: DFE-Digital/github-actions/validate-key-vault-secrets@master - with: - KEY_VAULT: ${{ inputs.KEY_VAULT }} - SECRETS: | - MONITORING-KEYS - API-KEYS - INFRA-KEYS - - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret - with: - keyvault: ${{ inputs.KEY_VAULT}} - secret: INFRA-KEYS - key: LOGIT-API - - - name: Get Short SHA - id: sha - shell: bash - run: echo "short=$(echo "${{ inputs.sha }}" | cut -c -7)" >> $GITHUB_OUTPUT - - - name: Setup Environment Variables - id: variables - shell: bash - run: | - if [ "${{inputs.environment }}" == "Development" ] - then - echo "control=dev" >> $GITHUB_OUTPUT - echo "healthcheck=${{env.PAAS_APPLICATION_NAME}}-dev" >> $GITHUB_OUTPUT - echo "key=api.dev.terraform" >> $GITHUB_OUTPUT - echo "docker_image=${{env.DOCKER_REPOSITORY}}:sha-${{ steps.sha.outputs.short}}" >> $GITHUB_OUTPUT - - fi - - if [ "${{inputs.environment }}" == "Test" ] - then - echo "control=test" >> $GITHUB_OUTPUT - echo "healthcheck=${{env.PAAS_APPLICATION_NAME}}-test" >> $GITHUB_OUTPUT - echo "key=api.test.terraform" >> $GITHUB_OUTPUT - echo "docker_image=${{env.DOCKER_REPOSITORY}}:sha-${{ steps.sha.outputs.short}}" >> $GITHUB_OUTPUT - - fi - - if [ "${{inputs.environment }}" == "Production" ] - then - echo "control=production" >> $GITHUB_OUTPUT - echo 
"healthcheck=${{env.PAAS_APPLICATION_NAME}}-prod" >> $GITHUB_OUTPUT - echo "key=api.production.terraform" >> $GITHUB_OUTPUT - echo "docker_image=${{env.DOCKER_REPOSITORY}}:sha-${{ steps.sha.outputs.short}}" >> $GITHUB_OUTPUT - - fi - - - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.2.8 - - - name: Terraform ( ${{inputs.environment}} ) - shell: bash - run: | - cd terraform/paas && pwd - terraform init -backend-config=${{steps.variables.outputs.control}}.bk.vars -backend-config="key=${{steps.variables.outputs.key}}.tfstate" - terraform apply -var-file=${{steps.variables.outputs.control}}.env.tfvars -auto-approve - env: - ARM_ACCESS_KEY: ${{ inputs.ARM_ACCESS_KEY }} - TF_VAR_AZURE_CREDENTIALS: ${{ inputs.AZURE_CREDENTIALS }} - TF_VAR_paas_api_docker_image: ${{ steps.variables.outputs.docker_image}} - - - name: Smoke tests - shell: bash - run: | - tests/confidence/healthcheck.sh "${{steps.variables.outputs.healthcheck}}" "${{ steps.sha.outputs.short }}" - - - name: Log Deployment - if: always() - uses: DFE-Digital/github-actions/SendToLogit@master - with: - LOGIT-API-KEY: ${{ steps.keyvault-yaml-secret.outputs.LOGIT-API }} - logtype: "github" - JSON: | - '{"Application" : "${{env.PAAS_APPLICATION_NAME}}", - "Status" : "${{ job.status }}", - "Action" : "Deploy", - "Environment" : "${{inputs.environment}}", - "Version" : "${{ inputs.sha }}" }' diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml deleted file mode 100644 index b9896358d..000000000 --- a/.github/workflows/build.yml +++ /dev/null 
@@ -1,186 +0,0 @@ -name: Build -on: - repository_dispatch: - pull_request: - types: [assigned, opened, synchronize, reopened, ready_for_review] - push: - branches: - - master - -jobs: - build: - name: Build and push to Github Container Registry - runs-on: ubuntu-latest - outputs: - image: ${{steps.docker_image.outputs.IMAGE}} - steps: - - name: Check out the repo - uses: actions/checkout@v3 - - - name: set-up-environment - uses: DFE-Digital/github-actions/set-up-environment@master - - - uses: Azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret - with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK - - - name: Set up Docker Buildx - id: buildx - uses: docker/setup-buildx-action@master - with: - version: v0.9.1 # More recent buildx versions generate an OCI manifest which is incompatible with Cloud Foundry - - - name: Get Short SHA - id: vars - run: | - echo "sha_short=$(echo $GITHUB_SHA | cut -c -7)" >> $GITHUB_OUTPUT - - - name: Cache Docker layers - uses: actions/cache@v3 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- - - - name: Login to Github Container Registry - uses: docker/login-action@v2 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build - uses: docker/build-push-action@v4 - with: - push: ${{ github.ref == 'refs/heads/master' }} - builder: ${{ steps.buildx.outputs.name }} - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache - tags: | - ${{env.DOCKER_REPOSITORY}}:sha-${{ steps.vars.outputs.sha_short }} - build-args: GIT_COMMIT_SHA=${{ steps.vars.outputs.sha_short }} - - - name: Slack Notification - if: failure() && github.ref == 'refs/heads/master' - uses: rtCamp/action-slack-notify@master - env: - SLACK_COLOR: ${{env.SLACK_FAILURE}} - 
SLACK_MESSAGE: 'The pipeline has failed to build the API image' - SLACK_TITLE: 'Failure to Build API ' - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} - - development: - name: Development Deployment - needs: build - if: github.ref == 'refs/heads/master' - runs-on: ubuntu-latest - outputs: - release_tag: ${{steps.tag_version.outputs.pr_number}} - release_sha: ${{github.sha}} - steps: - - name: Check out the repo - uses: actions/checkout@v3 - - - name: set-up-environment - uses: DFE-Digital/github-actions/set-up-environment@master - - - uses: Azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret - with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK - - - name: Trigger Development Deployment - uses: ./.github/workflows/actions/deploy - id: deploy - with: - environment: Development - sha: ${{ github.sha }} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - KEY_VAULT: ${{ secrets.KEY_VAULT }} - ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} - - - name: Generate Tag from PR Number - id: tag_version - uses: DFE-Digital/github-actions/GenerateReleaseFromSHA@master - with: - sha: ${{github.sha}} - - - name: Create a GitHub Release - id: release - if: steps.tag_version.outputs.pr_found == 1 - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ steps.tag_version.outputs.pr_number }} - release_name: Release ${{ steps.tag_version.outputs.pr_number }} - commitish: ${{github.sha}} - prerelease: false - draft: false - - - name: Copy PR Info to Release - if: steps.release.outputs.id - uses: DFE-Digital/github-actions/CopyPRtoRelease@master - with: - PR_NUMBER: ${{ steps.tag_version.outputs.pr_number }} - RELEASE_ID: ${{ steps.release.outputs.id }} - TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - qa: - name: Quality Assurance Deployment - needs: build - if: github.ref == 'refs/heads/master' 
- runs-on: ubuntu-latest - environment: - name: Test - steps: - - name: Check out the repo - uses: actions/checkout@v3 - - - name: set-up-environment - uses: DFE-Digital/github-actions/set-up-environment@master - - - uses: Azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret - with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK - - - name: Trigger Deployment to QA - uses: ./.github/workflows/actions/deploy - id: deploy - with: - environment: Test - sha: ${{ github.sha }} - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - KEY_VAULT: ${{ secrets.KEY_VAULT }} - ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} - - - name: Slack Notification - if: failure() - uses: rtCamp/action-slack-notify@master - env: - SLACK_COLOR: ${{env.SLACK_FAILURE}} - SLACK_TITLE: Failure in Post-Development Deploy - SLACK_MESSAGE: Failure with initialising QA deployment for ${{env.APPLICATION}} - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} From 6481c5c0e1234c361358099b2dead7f316677fee Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Tue, 19 Sep 2023 12:04:31 +0100 Subject: [PATCH 2/3] Refactor workflows - Use new keyvault with separate secrets (not yaml) - Remove extra production job from build-and-deploy (only done via Manual) - Trigger on pull requests - Update manual with AKS deployment - Remove references to git api in fix-network-policy --- .github/workflows/build-and-deploy.yml | 103 ++++++++++------------- .github/workflows/build-no-cache.yml | 19 +++-- .github/workflows/fix-network-policy.yml | 35 ++++---- .github/workflows/manual.yml | 28 +++--- .github/workflows/pull_request.yml | 14 +-- .github/workflows/sonarcloud.yml | 21 +++-- .github/workflows/trello.yml | 19 +++-- 7 files changed, 126 insertions(+), 113 deletions(-) 
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index ea0604b3a..e1b7827f5 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -11,6 +11,11 @@ on: - development_aks - test_aks - production_aks + pull_request: + types: [assigned, opened, synchronize, reopened, ready_for_review] + push: + branches: + - master jobs: build: @@ -31,9 +36,9 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Retrieve Slack Webhook from KV + - name: Fetch secrets from key vault uses: azure/CLI@v1 - id: fetch-slack-webhook + id: fetch-secrets with: inlineScript: | SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) @@ -44,7 +49,7 @@ jobs: id: buildx uses: docker/setup-buildx-action@master with: - version: v0.9.1 + version: v0.9.1 # More recent buildx versions generate an OCI manifest which is incompatible with Cloud Foundry - name: Get Short SHA id: vars @@ -84,7 +89,7 @@ jobs: SLACK_COLOR: ${{env.SLACK_FAILURE}} SLACK_MESSAGE: 'The pipeline has failed to build the API image' SLACK_TITLE: 'Failure to Build API ' - SLACK_WEBHOOK: "${{ steps.fetch-slack-webhook.outputs.SLACK-WEBHOOK }}" + SLACK_WEBHOOK: "${{ steps.fetch-secrets.outputs.SLACK-WEBHOOK }}" development: name: Development Deployment @@ -104,9 +109,9 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Retrieve Slack Webhook from KV + - name: Fetch secrets from key vault uses: azure/CLI@v1 - id: fetch-slack-webhook + id: fetch-secrets with: inlineScript: | SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) 
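Review bot: The new `pull_request` and `push` triggers in the `on:` hunk send every PR event (including `assigned`) through a workflow whose `build` job logs into Azure with `secrets.AZURE_CREDENTIALS` and reads the key vault, and on `pull_request` runs from forked repositories GitHub does not expose repository secrets, so `Azure/login` fails before anything is built. The job-level conditions of the `development` and `test` jobs are outside this hunk; confirm they still gate on `github.ref == 'refs/heads/master'`, because the `if: failure() && github.ref == ...` on their Slack steps does not stop the deploy step that runs before it. If PR runs are meant to be build-only, drop `assigned` from `types` and guard the secret-dependent steps with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`.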
@@ -121,15 +126,41 @@ jobs: sha: ${{needs.build.outputs.image_tag_sha}} azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} + - name: Generate Tag from PR Number + id: tag_version + uses: DFE-Digital/github-actions/GenerateReleaseFromSHA@master + with: + sha: ${{github.sha}} + + - name: Create a GitHub Release + id: release + if: steps.tag_version.outputs.pr_found == 1 + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ steps.tag_version.outputs.pr_number }} + release_name: Release ${{ steps.tag_version.outputs.pr_number }} + commitish: ${{github.sha}} + prerelease: false + draft: false + + - name: Copy PR Info to Release + if: steps.release.outputs.id + uses: DFE-Digital/github-actions/CopyPRtoRelease@master + with: + PR_NUMBER: ${{ steps.tag_version.outputs.pr_number }} + RELEASE_ID: ${{ steps.release.outputs.id }} + TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Slack Notification if: failure() && github.ref == 'refs/heads/master' uses: rtCamp/action-slack-notify@master env: SLACK_COLOR: ${{env.SLACK_FAILURE}} - SLACK_MESSAGE: 'TEST MESSAGE' - SLACK_TITLE: 'TEST SLACK TITLE GIT API' - SLACK_WEBHOOK: '${{ steps.fetch-slack-webhook.outputs.SLACK-WEBHOOK }}' + SLACK_MESSAGE: 'Deployment to the development environment has failed' + SLACK_TITLE: 'Deployment to the development environment has failed' + SLACK_WEBHOOK: '${{ steps.fetch-secrets.outputs.SLACK-WEBHOOK }}' test: name: Test Deployment @@ -149,9 +180,9 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Retrieve Slack Webhook from KV + - name: Fetch secrets from key vault uses: azure/CLI@v1 - id: fetch-slack-webhook + id: fetch-secrets with: inlineScript: | SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) 
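Review bot: The release steps added to the `development` job (`Generate Tag from PR Number`, `Create a GitHub Release`, `Copy PR Info to Release`) carry no condition of their own beyond `pr_found`, so they run whenever the job runs; the job-level `if:` is outside this hunk, and with the `pull_request` trigger added earlier in this patch it should be confirmed that the job is still limited to `refs/heads/master`, otherwise a release is cut for PR heads. Creating a release needs `contents: write` on `GITHUB_TOKEN`; if the workflow or job declares a restrictive `permissions:` block (not visible here), add `contents: write` at job level rather than widening the token for the whole workflow. `actions/create-release@v1` is archived upstream and, like `GenerateReleaseFromSHA@master` and `CopyPRtoRelease@master`, is referenced by a mutable tag; pinning these to a commit SHA keeps the release step reproducible.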
@@ -171,50 +202,6 @@ jobs: uses: rtCamp/action-slack-notify@master env: SLACK_COLOR: ${{env.SLACK_FAILURE}} - SLACK_MESSAGE: 'The pipeline has failed to build the API image' - SLACK_TITLE: 'Failure to Build API ' - SLACK_WEBHOOK: "${{ steps.fetch-slack-webhook.outputs.SLACK-WEBHOOK }}" - - production: - name: Production Deployment - needs: build - if: github.ref == 'refs/heads/master' - runs-on: ubuntu-latest - environment: - name: production_aks - steps: - - name: Check out the repo - uses: actions/checkout@v3 - - - name: set-up-environment - uses: DFE-Digital/github-actions/set-up-environment@master - - - uses: Azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Retrieve Slack Webhook from KV - uses: azure/CLI@v1 - id: fetch-slack-webhook - with: - inlineScript: | - SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) - echo "::add-mask::$SECRET_VALUE" - echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT - - - name: Trigger Production Deployment - uses: ./.github/workflows/actions/deploy_v2 - id: deploy - with: - environment: production_aks - sha: ${{needs.build.outputs.image_tag_sha}} - azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Slack Notification - if: failure() && github.ref == 'refs/heads/master' - uses: rtCamp/action-slack-notify@master - env: - SLACK_COLOR: ${{env.SLACK_FAILURE}} - SLACK_MESSAGE: 'The pipeline has failed to build the API image' - SLACK_TITLE: 'Failure to Build API ' - SLACK_WEBHOOK: "${{ steps.fetch-slack-webhook.outputs.SLACK-WEBHOOK }}" + SLACK_MESSAGE: 'Deployment to the test environment has failed' + SLACK_TITLE: 'Deployment to the test environment has failed' + SLACK_WEBHOOK: "${{ steps.fetch-secrets.outputs.SLACK-WEBHOOK }}" diff --git a/.github/workflows/build-no-cache.yml b/.github/workflows/build-no-cache.yml index 44b595721..7430adaab 100644 --- a/.github/workflows/build-no-cache.yml 
+++ b/.github/workflows/build-no-cache.yml @@ -21,12 +21,17 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: fetch-secrets with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK, SNYK-TOKEN + inlineScript: | + SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT + SECRET_VALUE=$(az keyvault secret show --name "SNYK-TOKEN" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "SNYK-TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT - name: Set up Docker Buildx uses: docker/setup-buildx-action@master @@ -53,7 +58,7 @@ jobs: - name: Run Snyk to check Docker image for vulnerabilities uses: snyk/actions/docker@master env: - SNYK_TOKEN: ${{ steps.keyvault-yaml-secret.outputs.SNYK-TOKEN }} + SNYK_TOKEN: ${{ steps.fetch-secrets.outputs.SNYK-TOKEN }} with: image: ${{ env.DOCKER_REPOSITORY }}:master args: --severity-threshold=high --file=Dockerfile @@ -69,4 +74,4 @@ jobs: SLACK_COLOR: ${{ env.SLACK_ERROR }} SLACK_MESSAGE: 'There has been a failure building the application' SLACK_TITLE: 'Failure Building Application' - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} + SLACK_WEBHOOK: ${{ steps.fetch-secrets.outputs.SLACK-WEBHOOK }} diff --git a/.github/workflows/fix-network-policy.yml b/.github/workflows/fix-network-policy.yml index 53ff9e1b3..3d99192d5 100644 --- a/.github/workflows/fix-network-policy.yml +++ b/.github/workflows/fix-network-policy.yml @@ -1,4 +1,4 @@ -name: Fix Network policies +name: Fix Network policies on: workflow_dispatch: inputs: 
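Review bot: The `Fetch secrets from key vault` inline script has no error handling: if `az keyvault secret show` fails (wrong vault name, missing access, transient error) the assignment leaves `SECRET_VALUE` empty, `::add-mask::` masks an empty string, and an empty `SLACK-WEBHOOK`/`SNYK-TOKEN` is written to `$GITHUB_OUTPUT`, so the failure surfaces later in the Snyk or Slack step instead of at the fetch. Start the script with `set -euo pipefail` and reject empty values before masking, e.g. `[ -n "$SECRET_VALUE" ] || { echo "::error::SNYK-TOKEN is empty"; exit 1; }`. The same script is copied into `fix-network-policy.yml`, `manual.yml`, `pull_request.yml`, `sonarcloud.yml` and `trello.yml` in this patch; the guard applies to each, and factoring the loop into one composite action would keep the six copies in step.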
@@ -21,44 +21,45 @@ jobs: wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | sudo apt-key add - echo "deb https://packages.cloudfoundry.org/debian stable main" | sudo tee /etc/apt/sources.list.d/cloudfoundry-cli.list sudo apt-get update - sudo apt-get install cf7-cli - + sudo apt-get install cf7-cli + - uses: Azure/login@v1 with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: fetch-secrets with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: PAAS-USERNAME,PAAS-PASSWORD + inlineScript: | + SECRET_VALUE=$(az keyvault secret show --name "PAAS-USERNAME" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "PAAS-USERNAME=$SECRET_VALUE" >> $GITHUB_OUTPUT + SECRET_VALUE=$(az keyvault secret show --name "PAAS-PASSWORD" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "PAAS-PASSWORD=$SECRET_VALUE" >> $GITHUB_OUTPUT - name: Login to Cloud Foundry - run: cf login -a api.london.cloud.service.gov.uk -u ${{ steps.keyvault-yaml-secret.outputs.PAAS-USERNAME}} -p ${{ steps.keyvault-yaml-secret.outputs.PAAS-PASSWORD}} -s get-into-teaching - - - name: Fix Development Policies + run: cf login -a api.london.cloud.service.gov.uk -u ${{ steps.fetch-secrets.outputs.PAAS-USERNAME}} -p ${{ steps.fetch-secrets.outputs.PAAS-PASSWORD}} -s get-into-teaching + + - name: Fix Development Policies if: github.event.inputs.environment == 'Development' run: | cf target -s get-into-teaching - cf add-network-policy prometheus-dev-get-into-teaching get-into-teaching-api-dev --protocol tcp --port 8080 cf add-network-policy prometheus-dev-get-into-teaching get-into-teaching-app-dev --protocol tcp --port 3000 cf add-network-policy prometheus-dev-get-into-teaching get-teacher-training-adviser-service-dev --protocol 
tcp --port 3000 - - name: Fix Test Policies + - name: Fix Test Policies if: github.event.inputs.environment == 'Test' run: | cf target -s get-into-teaching-monitoring - cf add-network-policy prometheus-prod-get-into-teaching get-into-teaching-api-test -s get-into-teaching-test --protocol tcp --port 8080 cf add-network-policy prometheus-prod-get-into-teaching get-into-teaching-app-test -s get-into-teaching-test --protocol tcp --port 3000 cf add-network-policy prometheus-prod-get-into-teaching get-teacher-training-adviser-service-test -s get-into-teaching-test --protocol tcp --port 3000 cf add-network-policy prometheus-prod-get-into-teaching get-into-teaching-app-pagespeed -s get-into-teaching-test --protocol tcp --port 3000 - - name: Fix Production Policies + - name: Fix Production Policies if: github.event.inputs.environment == 'Production' run: | cf target -s get-into-teaching-monitoring - cf add-network-policy prometheus-prod-get-into-teaching get-into-teaching-api-prod -s get-into-teaching-production --protocol tcp --port 8080 cf add-network-policy prometheus-prod-get-into-teaching get-into-teaching-app-prod -s get-into-teaching-production --protocol tcp --port 3000 cf add-network-policy prometheus-prod-get-into-teaching get-teacher-training-adviser-service-prod -s get-into-teaching-production --protocol tcp --port 3000 - diff --git a/.github/workflows/manual.yml b/.github/workflows/manual.yml index 8709d313b..274995c07 100644 --- a/.github/workflows/manual.yml +++ b/.github/workflows/manual.yml 
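Review bot: The new `Login to Cloud Foundry` line still interpolates the PaaS password into the shell command as `-p ${{ steps.fetch-secrets.outputs.PAAS-PASSWORD}}`; the value is masked in the log by `::add-mask::`, but it is expanded unquoted by bash (a password containing spaces, quotes or `$` breaks or alters the command) and it sits in the `cf` process arguments on the runner, which `cf login` itself warns against. The cf CLI reads `CF_USERNAME` and `CF_PASSWORD` from the environment (documented for `cf auth`, and honoured by the v7 `cf login` this job installs), so pass the credentials through the step's `env:` instead of the command line. The enclosing job continues outside the hunk.
```yaml
      - name: Login to Cloud Foundry
        env:
          CF_USERNAME: ${{ steps.fetch-secrets.outputs.PAAS-USERNAME }}
          CF_PASSWORD: ${{ steps.fetch-secrets.outputs.PAAS-PASSWORD }}
        run: cf login -a api.london.cloud.service.gov.uk -s get-into-teaching
      # … unchanged: Fix Development/Test/Production Policies steps …
```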
@@ -32,12 +32,17 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: fetch-secrets with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK,SLACK-RELEASE-NOTE-WEBHOOK + inlineScript: | + SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT + SECRET_VALUE=$(az keyvault secret show --name "SLACK-RELEASE-NOTE-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "SLACK-RELEASE-NOTE-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT - name: Get Release Id from Tag id: tag_id @@ -52,15 +57,18 @@ jobs: echo "::error ::Tag ${{ github.event.inputs.tag }} cannot be found in releases" exit 1 + - name: Get Short SHA + id: vars + run: | + echo "image_tag_sha=sha-$(echo ${{steps.tag_id.outputs.release_sha}} | cut -c -7)" >> $GITHUB_OUTPUT + - name: Trigger Deployment to ${{github.event.inputs.environment}} - uses: ./.github/workflows/actions/deploy + uses: ./.github/workflows/actions/deploy_v2 id: deploy with: environment: "${{github.event.inputs.environment}}" - sha: "${{steps.tag_id.outputs.release_sha}}" - AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }} - KEY_VAULT: ${{ secrets.KEY_VAULT }} - ARM_ACCESS_KEY: ${{ secrets.ARM_ACCESS_KEY }} + sha: "${{ steps.vars.outputs.image_tag_sha }}" + azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} - name: Slack Release Notification if: steps.tag_id.outputs.release_id && github.event.inputs.environment == 'Production' diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index b1ac49f3f..a05267296 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml 
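Review bot: `Trigger Deployment to ...` now calls `deploy_v2` with `environment: "${{github.event.inputs.environment}}"`, while the unchanged `Slack Release Notification` condition at the end of the hunk still compares that input with `'Production'`. Elsewhere in this patch `deploy_v2` is invoked with `development_aks`/`test_aks`/`production_aks`, so either the `workflow_dispatch` input options (outside this hunk) were switched to the `*_aks` names and the `== 'Production'` check now never matches, silently dropping release notifications, or they were not and `deploy_v2` receives PaaS-style names; one side needs updating, e.g. `if: steps.tag_id.outputs.release_id && github.event.inputs.environment == 'production_aks'`. The new `Get Short SHA` step also relies on `release_sha` being set, which holds only because the preceding `tag_id` step exits 1 when the tag is missing; a one-line comment on the step saying so would help the next reader.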
@@ -15,12 +15,14 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: fetch-secrets with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK + inlineScript: | + SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT - name: set-up-environment uses: DFE-Digital/github-actions/set-up-environment@master @@ -54,4 +56,4 @@ jobs: SLACK_COLOR: ${{env.SLACK_FAILURE }} SLACK_MESSAGE: Pipeline Failure carrying out job ${{github.job}} SLACK_TITLE: 'Failure: ${{ github.workflow }}' - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} + SLACK_WEBHOOK: ${{ steps.fetch-secrets.outputs.SLACK-WEBHOOK }} diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonarcloud.yml index 5dcbfb30f..255e74cfc 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonarcloud.yml @@ -20,12 +20,17 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: fetch-secrets with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: SLACK-WEBHOOK, SONAR-TOKEN + inlineScript: | + SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT + SECRET_VALUE=$(az keyvault secret show --name "SONAR-TOKEN" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "SONAR-TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT - name: Setup .NET Core uses: actions/setup-dotnet@v3 
@@ -49,7 +54,7 @@ jobs: /k:"DFE-Digital_get-into-teaching-api" \ /o:"dfe-digital" \ /n:"get-into-teaching-api" \ - /d:sonar.login="${{ steps.keyvault-yaml-secret.outputs.SONAR-TOKEN }}" \ + /d:sonar.login="${{ steps.fetch-secrets.outputs.SONAR-TOKEN }}" \ /d:sonar.host.url="https://sonarcloud.io" \ /d:sonar.cpd.exclusions="GetIntoTeachingApi/Migrations/*.cs" \ /d:sonar.cs.opencover.reportsPaths="GetIntoTeachingApiTests/coverage.opencover.xml" \ @@ -67,7 +72,7 @@ jobs: /d:sonar.log.level="DEBUG" dotnet build dotnet test --no-build --logger:trx -e:CollectCoverage=true -e:CoverletOutputFormat=opencover - dotnet sonarscanner end /d:sonar.login="${{ steps.keyvault-yaml-secret.outputs.SONAR-TOKEN }}" + dotnet sonarscanner end /d:sonar.login="${{ steps.fetch-secrets.outputs.SONAR-TOKEN }}" - name: Slack Notification if: failure() && github.ref == 'refs/heads/master' @@ -76,4 +81,4 @@ jobs: SLACK_COLOR: ${{env.SLACK_FAILURE }} SLACK_MESSAGE: Pipeline Failure carrying out job ${{github.job}} SLACK_TITLE: 'Failure: ${{ github.workflow }}' - SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }} + SLACK_WEBHOOK: ${{ steps.fetch-secrets.outputs.SLACK-WEBHOOK }} diff --git a/.github/workflows/trello.yml b/.github/workflows/trello.yml index 6fd43ca26..a06282922 100644 --- a/.github/workflows/trello.yml +++ b/.github/workflows/trello.yml 
@@ -14,17 +14,22 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - uses: DfE-Digital/keyvault-yaml-secret@v1 - id: keyvault-yaml-secret + - name: Fetch secrets from key vault + uses: azure/CLI@v1 + id: fetch-secrets with: - keyvault: ${{ secrets.KEY_VAULT}} - secret: INFRA-KEYS - key: TRELLO-KEY , TRELLO-TOKEN + inlineScript: | + SECRET_VALUE=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "SLACK-WEBHOOK=$SECRET_VALUE" >> $GITHUB_OUTPUT + SECRET_VALUE=$(az keyvault secret show --name "TRELLO-TOKEN" --vault-name "${{ secrets.INFRA_KEY_VAULT}}" --query "value" -o tsv) + echo "::add-mask::$SECRET_VALUE" + echo "TRELLO-TOKEN=$SECRET_VALUE" >> $GITHUB_OUTPUT - name: Add Trello Comment uses: DFE-Digital/github-actions/AddTrelloComment@master with: MESSAGE: ${{ github.event.pull_request.html_url }} CARD: ${{ github.event.pull_request.body }} - TRELLO-KEY: ${{ steps.keyvault-yaml-secret.outputs.TRELLO-KEY }} - TRELLO-TOKEN: ${{ steps.keyvault-yaml-secret.outputs.TRELLO-TOKEN }} + TRELLO-KEY: ${{ steps.fetch-secrets.outputs.TRELLO-KEY }} + TRELLO-TOKEN: ${{ steps.fetch-secrets.outputs.TRELLO-TOKEN }} From 00e8dd5cee7622b829feca85a956d5839d81bde7 Mon Sep 17 00:00:00 2001 From: Colin Saliceti Date: Tue, 19 Sep 2023 12:07:23 +0100 Subject: [PATCH 3/3] Pin terraform to 1.4.6 with asdf --- .tool-versions | 1 + 1 file changed, 1 insertion(+) create mode 100644 .tool-versions diff --git a/.tool-versions b/.tool-versions new file mode 100644 index 000000000..73cebb587 --- /dev/null +++ b/.tool-versions @@ -0,0 +1 @@ +terraform 1.4.6
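Review bot: The `Fetch secrets from key vault` step in `trello.yml` writes `SLACK-WEBHOOK` and `TRELLO-TOKEN` to `$GITHUB_OUTPUT`, but `Add Trello Comment` reads `steps.fetch-secrets.outputs.TRELLO-KEY`, which the script never sets, so the action receives an empty key; the removed step fetched `TRELLO-KEY , TRELLO-TOKEN`, and nothing in this hunk uses `SLACK-WEBHOOK`. Replace the first `az keyvault secret show --name "SLACK-WEBHOOK"` block with one for `TRELLO-KEY`, i.e. `--name "TRELLO-KEY"` and `echo "TRELLO-KEY=$SECRET_VALUE" >> $GITHUB_OUTPUT`, unless a step outside the hunk needs the webhook. The same empty-value risk applies if the lookup fails, so a `set -euo pipefail` line at the top of `inlineScript` would make a missing secret fail here rather than in the Trello call.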