DST-17030 Add workflow to deploy to MOJ Modernisation Platform

ministryofjustice · May 29, 2024 · 4acc02d · 4acc02d
1 parent 069211c
commit 4acc02d
Show file tree

Hide file tree

Showing 6 changed files with 132 additions and 8 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,16 +1,16 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
   - package-ecosystem: "gradle"
     directory: "/"
     schedule:
       interval: "daily"
+
   - package-ecosystem: "npm"
     directory: "/ui"
-    open-pull-requests-limit: 0    # Disable version updates for npm dependencies
+    schedule:
+      interval: "monthly" # to reduce frequency of npm updates
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
     schedule:
       interval: "daily"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -19,7 +19,6 @@ jobs:
     env:
       ecr_image_name: 374269020027.dkr.ecr.eu-west-2.amazonaws.com/delius-core-user-management
       ghcr_image_name: ghcr.io/${{ github.repository_owner }}/delius-core-user-management
-      version: ${{ github.event.release.tag_name }}
 
     steps:
       - uses: actions/checkout@v3
@@ -55,7 +54,7 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::326912278139:role/modernisation-platform-oidc-cicd
-          role-session-name: delius-user-management-${{ github.run_number }}
+          role-session-name: delius-user-management-build-${{ github.run_number }}
           aws-region: eu-west-2
 
       - name: Login to Amazon ECR

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,58 @@
+name: Deploy
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: Version
+        required: true
+      environment:
+        description: Environment
+        required: true
+        type: choice
+        options:
+          - dev
+          - test
+
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: arn:aws:iam::326912278139:role/modernisation-platform-oidc-cicd
+          role-session-name: delius-user-management-deploy-${{ github.run_number }}
+
+      - name: Render values
+        shell: bash
+        run: yq eval-all 'select(fileIndex == 0) *d select(fileIndex == 1)' "deploy/values.yml" "deploy/values-$ENV.yml" | tee deploy/merged.yml
+        env:
+          ENV: ${{ inputs.environment }}
+
+      - name: Render task definition
+        run: |
+          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+          brew install gomplate
+          old_task_definition=$(aws ecs describe-task-definition --task-definition "$TASK_DEFINITION" --include TAGS | jq '.taskDefinition | del(.containerDefinitions[0].command, .compatibilities, .taskDefinitionArn, .requiresAttributes, .revision, .status, .registeredAt, .registeredBy)')
+          new_task_definition=$(gomplate --file deploy/task-definition.yml --context values=deploy/merged.yml)
+          merged_task_definition_json=$(yq eval-all 'select(fileIndex == 0) *d select(fileIndex == 1)' <(echo "${old_task_definition}") <(echo "${new_task_definition}") --output-format json | tee task-definition.json)
+          echo "Deploying new task definition: ${merged_task_definition_json}"
+        env:
+          VERSION: ${{ inputs.version }}
+          TASK_DEFINITION: umt
+
+      - name: Deploy Amazon ECS task definition
+        uses: aws-actions/amazon-ecs-deploy-task-definition@69e7aed9b8acdd75a6c585ac669c33831ab1b9a3 # v1.5.0
+        with:
+          task-definition: task-definition.json
+          service: umt
+          cluster: delius-core-${{ inputs.environment }}-cluster
+          wait-for-service-stability: true
diff --git a/deploy/task-definition.yml b/deploy/task-definition.yml
@@ -0,0 +1,19 @@
+# Generic task-definition template
+cpu: "{{ .values.resources.cpu }}"
+memory: "{{ .values.resources.memory }}"
+containerDefinitions:
+  - image: "{{ .values.image.name }}:{{ .Env.VERSION }}"
+    healthCheck:
+      command: ["CMD-SHELL", "{{ .values.healthcheck.command }}"]
+    cpu: {{ .values.resources.cpu }}
+    memory: {{ .values.resources.memory }}
+    environment:
+    {{- range $key, $val := .values.env }}
+    - name: {{ $key }}
+      value: "{{ $val }}"
+    {{- end }}
+    secrets:
+    {{- range $key, $val := .values.secrets }}
+    - name: {{ $key }}
+      valueFrom: "{{ $val }}"
+    {{- end }}
diff --git a/deploy/values-dev.yml b/deploy/values-dev.yml
@@ -0,0 +1,15 @@
+image:
+  name: 374269020027.dkr.ecr.eu-west-2.amazonaws.com/delius-core-user-management
+
+env:
+  LOGGING_LEVEL_UK_CO_BCONLINE_NDELIUS: DEBUG
+  DELIUS_PASSWORD-RESET_URL: https://pwm.dev.delius-core.hmpps-development.modernisation-platform.service.justice.gov.uk/public/forgottenpassword
+  SPRING_DATASOURCE_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=OFF)(CONNECT_TIMEOUT=10)(RETRY_COUNT=3)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=delius-db-1.mis-dev.delius.probation.hmpps.dsd.io)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=DMDNDA_TAF)))
+  SPRING_LDAP_URLS: ldap://ldap.mis-dev.delius.probation.hmpps.dsd.io:389
+#  SPRING_REDIS_HOST: aws_route53_record.token_store_private_dns.fqdn
+#  SPRING_REDIS_PORT: aws_elasticache_replication_group.token_store_replication_group.port
+#  SPRING_REDIS_CLUSTER_NODES: "${aws_route53_record.token_store_private_dns.fqdn}:${aws_elasticache_replication_group.token_store_replication_group.port}"
+
+secrets:
+  SPRING_DATASOURCE_PASSWORD: "arn:aws:secretsmanager:eu-west-2:326912278139:secret:delius-core-dev-oracle-db-application-passwords-kRyWVh:delius_app_schema::"
+  SPRING_LDAP_PASSWORD: "arn:aws:ssm:eu-west-2:326912278139:parameter/delius-core-dev/LDAP_PASSWORD"
diff --git a/deploy/values.yml b/deploy/values.yml
@@ -0,0 +1,33 @@
+image:
+  name: 374269020027.dkr.ecr.eu-west-2.amazonaws.com/delius-core-user-management
+
+healthcheck:
+  command: "curl -f http://localhost:8080/umt/actuator/health || exit 1"
+
+resources:
+  cpu: 1024    # = 1 vCPU
+  memory: 4096 # = 4GB
+
+env:
+  JAVA_OPTS: "-XX:MaxMetaspaceSize=512M -XX:MaxDirectMemorySize=128M"
+  TZ: "Europe/London"
+  SERVER_USE-FORWARD-HEADERS: "true"
+  SERVER_FORWARD-HEADERS-STRATEGY: "native"
+  SPRING_DATASOURCE_USERNAME: "delius_app_schema"
+  SPRING_DATASOURCE_TYPE: "com.zaxxer.hikari.HikariDataSource"
+  SPRING_DATASOURCE_HIKARI_MAXIMUM-POOL-SIZE: "50"
+  SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT: "org.hibernate.dialect.Oracle12cDialect"
+  SPRING_JPA_HIBERNATE_DDL-AUTO: "none"
+  SPRING_LDAP_EXPORT_USERNAME: "cn=root,dc=moj,dc=com"
+  SPRING_LDAP_USERNAME: "cn=root,dc=moj,dc=com"
+  SPRING_LDAP_USEORACLEATTRIBUTES: "false"
+  REDIS_CONFIGURE_NO-OP: "true"
+  SPRING_LDAP_BASE: "dc=moj,dc=com"
+  DELIUS_LDAP_BASE_USERS: "ou=Users"
+  DELIUS_LDAP_BASE_CLIENTS: "cn=EISUsers,ou=Users"
+  DELIUS_LDAP_BASE_ROLES: "cn=ndRoleCatalogue,ou=Users"
+  DELIUS_LDAP_BASE_ROLE-GROUPS: "cn=ndRoleGroups,ou=Users"
+  DELIUS_LDAP_BASE_GROUPS: "ou=Groups"
+  # TODO add to SSM
+  JWT_SECRET: "testing"
+  DELIUS_SECRET: "testing"