diff --git a/.github/workflows/ci-cd-pipeline.yml b/.github/workflows/ci-cd-pipeline.yml index aee03c8..503e1d6 100644 --- a/.github/workflows/ci-cd-pipeline.yml +++ b/.github/workflows/ci-cd-pipeline.yml @@ -4,10 +4,10 @@ on: pull_request: types: [opened, synchronize, reopened] branches: - - master + - main push: branches: - - master + - main permissions: contents: write @@ -15,8 +15,6 @@ permissions: env: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS-SESSION-TOKEN: ${{ secrets.AWS_SESSION_TOKEN }} - AWS_REGION: ${{ vars.AWS_REGION }} jobs: ci: 
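Review bot: The workflow-level `env` on the new side still exports `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` to every job, including the `ci` job that runs on `pull_request`, while the second hunk only drops the mis-named `AWS-SESSION-TOKEN` and `AWS_REGION`. The deploy job already passes the same two secrets explicitly to `aws-actions/configure-aws-credentials` and declares them again on the `Deploy to Kubernetes` step, so the top-level block looks redundant; unless `ci` needs AWS access (not visible in this diff), removing those two lines keeps the long-lived keys out of the PR job's environment. Longer term the static keys could be replaced by the credentials action's OIDC `role-to-assume` input, which also makes a session-token line unnecessary.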
@@ -75,39 +73,40 @@ jobs: echo "$OUTPUT" fi + - name: Test + run: go test ./... + build-and-deploy: - name: Continuous Delivery Pipeline + name: CD Pipeline - Continuous Delivery Pipeline runs-on: ubuntu-latest if: github.event_name == 'push' steps: + - name: Set short git commit SHA + id: commit + uses: prompt/actions-commit-hash@v2 + - name: Checkout code uses: actions/checkout@v4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v1 - name: Set up AWS credentials - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v1 with: aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - aws-session-token: ${{ secrets.AWS_SESSION_TOKEN }} aws-region: ${{ vars.AWS_REGION }} - name: Login to Amazon ECR - uses: aws-actions/amazon-ecr-login@v2 - - - name: Bump version and push tag - id: tag_version - uses: mathieudutour/github-tag-action@v6.2 - with: - github_token: ${{ secrets.GITHUB_TOKEN }} + id: login-ecr + uses: aws-actions/amazon-ecr-login@v1 - name: Build, tag, and push Docker image to Amazon ECR env: - ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com - ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }} - IMAGE_TAG: ${{ steps.tag_version.outputs.new_tag }} + ECR_REPOSITORY: ${{ vars.SERVICE_NAME }} + ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }} + IMAGE_TAG: ${{ steps.commit.outputs.short }} run: | IMAGE_URI="$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG" docker build -t $IMAGE_URI . 
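Review bot: The three action references in the deploy job move backwards — `docker/setup-buildx-action@v3` to `@v1`, `aws-actions/configure-aws-credentials@v4` to `@v1` and `aws-actions/amazon-ecr-login@v2` to `@v1` — and those v1 lines predate the current Node runtime and no longer receive fixes, so this is a regression unless a new step depends on an old input (nothing visible here does). Keeping the previous tags, ideally pinned to a full commit SHA rather than a floating major tag, is the safer choice. The newly added `prompt/actions-commit-hash@v2` is a third-party action pulled in only to shorten the SHA; the same output can be produced without extending the supply chain, e.g. `- name: Set short git commit SHA`, `id: commit`, `run: echo "short=${GITHUB_SHA::7}" >> "$GITHUB_OUTPUT"`. Separately, the build step calls `docker build` rather than `docker buildx build`, so the builder created by the Buildx step appears unused whichever version is kept.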
@@ -115,66 +114,41 @@ jobs: echo "IMAGE_URI=$IMAGE_URI" >> $GITHUB_ENV - name: Update Kubernetes configuration + env: + SERVICE_NAME: ${{ vars.SERVICE_NAME }} + JWT_SECRET: ${{ secrets.JWT_SECRET }} + JWT_ISSUER: ${{ secrets.JWT_ISSUER }} run: | + DB_NAME=$(aws ssm get-parameter --name "/$SERVICE_NAME/db_name" --with-decryption --output json | jq '.Parameter | .Value') + DB_HOST=$(aws ssm get-parameter --name "/$SERVICE_NAME/db_host" --with-decryption --output json | jq '.Parameter | .Value') + DB_USERNAME=$(aws ssm get-parameter --name "/$SERVICE_NAME/db_username" --with-decryption --output json | jq '.Parameter | .Value') + DB_PASSWORD=$(aws ssm get-parameter --name "/$SERVICE_NAME/db_password" --with-decryption --output json | jq '.Parameter | .Value') + sed -i 's|placeholder_repository_name|'"$IMAGE_URI"'|' ./infra/golang-app-deployment.yaml - cat ./infra/golang-app-deployment.yaml + sed -i 's|aws_ssm_db_name|'"$DB_NAME"'|' ./infra/configmap.yaml + sed -i 's|aws_ssm_db_host|'"$DB_HOST"'|' ./infra/configmap.yaml + sed -i 's|aws_ssm_db_username|'"$DB_USERNAME"'|' ./infra/secrets.yaml + sed -i 's|aws_ssm_db_password|'"$DB_PASSWORD"'|' ./infra/secrets.yaml + sed -i 's|git_hub_secrets_jwt_secret|'"$JWT_SECRET"'|' ./infra/secrets.yaml + sed -i 's|git_hub_secrets_jwt_issuer|'"$JWT_ISSUER"'|' ./infra/secrets.yaml - name: Install kubectl run: | curl -LO "https://dl.k8s.io/release/$(curl -sSL https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" chmod +x kubectl sudo mv kubectl /usr/local/bin/ - - - name: Update kube config - run: aws eks update-kubeconfig --name ${{ vars.AWS_EKS_CLUSTER_NAME }} --region ${{ vars.AWS_REGION }} - - name: Create Kubernetes secret - run: | - kubectl create secret generic secret-customer-service \ - --from-literal=POSTGRES_USER=${{ secrets.POSTGRES_USER }} \ - --from-literal=POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }} \ - --from-literal=JWT_SECRET=${{ secrets.JWT_SECRET }} \ - --from-literal=JWT_ISSUER=${{ secrets.JWT_ISSUER 
}} \ - --dry-run=client -o yaml | kubectl apply -f - - - - name: Create Kubernetes configmap - run: | - kubectl create configmap configmap-customer-service \ - --from-literal=POSTGRES_DB=${{ secrets.POSTGRES_DB }} \ - --from-literal=POSTGRES_HOST=${{ secrets.POSTGRES_HOST_CUSTOMER }} \ - --dry-run=client -o yaml | kubectl apply -f - + - name: Update kube config + env: + AWS_EKS_CLUSTER_NAME: ${{ vars.AWS_EKS_CLUSTER_NAME }} + AWS_REGION: ${{ vars.AWS_REGION }} + run: aws eks update-kubeconfig --name $AWS_EKS_CLUSTER_NAME --region $AWS_REGION - name: Deploy to Kubernetes env: - K8S_DEPLOYMENT_NAME: ${{ vars.K8S_DEPLOYMENT_NAME }} AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} run: | + kubectl config get-contexts kubectl apply -f ./infra --validate=false - kubectl rollout status deployment/$K8S_DEPLOYMENT_NAME - - - name: Update LoadBalancer Endpoint - run: | - LB_IP=$(kubectl get svc svc-customer-service -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') - echo "LoadBalancer Endpoint: $LB_IP" - curl -L \ - -X PATCH \ - -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.TOKEN_GITHUB }}" \ - -H "X-GitHub-Api-Version: 2022-11-28" \ - https://api.github.com/orgs/Food-fusion-Fiap/actions/variables/CUSTOMER_SERVICE_ENDPOINT \ - -H "Content-Type: application/json" \ - -d '{"name":"CUSTOMER_SERVICE_ENDPOINT","value":"'"$LB_IP"'","visibility": "all"}' - - # - name: Deploy to Kubernetes - # env: - # ECR_REGISTRY: ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.AWS_REGION }}.amazonaws.com - # ECR_REPOSITORY: ${{ vars.ECR_REPOSITORY }} - # IMAGE_TAG: ${{ github.sha }} - # K8S_DEPLOYMENT_NAME: ${{ vars.K8S_DEPLOYMENT_NAME }} - # K8S_DEPLOYMENT_CONTAINER_NAME: ${{ secrets.K8S_DEPLOYMENT_CONTAINER_NAME }} - # run: | - # kubectl set image deployment/$K8S_DEPLOYMENT_NAME $K8S_DEPLOYMENT_CONTAINER_NAME=$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG --record - # kubectl rollout status 
deployment/$K8S_DEPLOYMENT_NAME - - + kubectl rollout status deployment/customer-service diff --git a/.github/workflows/sonarcloud.yml b/.github/workflows/sonar.yml similarity index 76% rename from .github/workflows/sonarcloud.yml rename to .github/workflows/sonar.yml index 6625d90..0a06b9b 100644 --- a/.github/workflows/sonarcloud.yml +++ b/.github/workflows/sonar.yml @@ -2,9 +2,9 @@ name: SonarCloud analysis on: push: - branches: [ "master" ] + branches: [ "main" ] pull_request: - branches: [ "master" ] + branches: [ "main" ] workflow_dispatch: permissions: @@ -28,6 +28,12 @@ jobs: run: | go test -coverprofile=./cov.out ./... + +# - name: Run Gosec Security Scanner +# run: | +# go get github.com/securego/gosec/cmd/gosec +# gosec -no-fail -fmt=sonarqube -out report.json ./... + - name: Analyze with SonarCloud # You can pin the exact commit or the version. 
@@ -40,18 +46,20 @@ jobs: args: # Unique keys of your project and organization. You can find them in SonarCloud > Information (bottom-left menu) # mandatory - -Dsonar.projectKey=Food-fusion-Fiap_customer-service + -Dsonar.projectKey=Food-fusion-Fiap_payment-service -Dsonar.organization=food-fusion-fiap -Dsonar.tests=. -Dsonar.test.inclusions=**/*_test.go -Dsonar.sources=src/ - -Dsonar.exclusions=src/infra/**,src/adapters/**,src/utils/** + -Dsonar.exclusions=src/adapters/gateways/mocks/**,src/infra/web/routes/**,**/*_mock.go,src/infra/db/repositories/**,src/infra/external/order_service_mock/mock_order_interface.go -Dsonar.go.coverage.reportPaths=cov.out + + #-Dsonar.externalIssuesReportPaths=report.json # Comma-separated paths to directories containing main source files. #-Dsonar.sources= # optional, default is project base directory # Comma-separated paths to directories containing test source files. #-Dsonar.tests= # optional. For more info about Code Coverage, please refer to https://docs.sonarcloud.io/enriching/test-coverage/overview/ # Adds more detail to both client and server-side analysis logs, activating DEBUG mode for the scanner, and adding client-side environment variables and system properties to the server-side log of analysis report processing. #-Dsonar.verbose= # optional, default is false - # When you need the analysis to take place in a directory other than the one from which it was launched, default is . + # When you need the analysis to take place in a directory other than the one from which it was launched, default is . projectBaseDir: . diff --git a/infra/template-dev/configmap.yaml b/infra/template-dev/configmap.yaml deleted file mode 100644 index a97a55d..0000000 --- a/infra/template-dev/configmap.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: configmap-customer-service -data: - POSTGRES_DB: "postgres" - POSTGRES_HOST: "postgres.caz5uypaugvp.us-east-1.rds.amazonaws.com" 
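Review bot: The widened `-Dsonar.exclusions` now drops `src/infra/web/routes/**` and `src/infra/db/repositories/**` from analysis altogether, and because `sonar.exclusions` applies to every rule, the HTTP and database layers — the code most exposed to input-handling and injection findings — will no longer be scanned at all. If the intent is only to keep them out of the coverage figure, `-Dsonar.coverage.exclusions=src/infra/web/routes/**,src/infra/db/repositories/**` achieves that while leaving them in the static analysis, with the mock patterns remaining in `sonar.exclusions`. The commented `#-Dsonar.externalIssuesReportPaths=report.json` pairs with the commented-out Gosec step in the earlier hunk of this file; either both should be enabled or both dead lines removed so the workflow does not suggest a scanner that is not running.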
diff --git a/infra/template-dev/secrets.yaml b/infra/template-dev/secrets.yaml deleted file mode 100644 index ec959ca..0000000 --- a/infra/template-dev/secrets.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: secret-customer-service -type: Opaque -stringData: - POSTGRES_USER: "postgres" - POSTGRES_PASSWORD: "postgres" - JWT_SECRET: "chave_secreta" - JWT_ISSUER: "teste"