From f94be99fbb30a41207001829a94262f9b2069703 Mon Sep 17 00:00:00 2001
From: Marcus Aspin
Date: Thu, 30 May 2024 14:44:25 +0100
Subject: [PATCH] DST-17030 Add workflow to deploy to MOJ Modernisation Platform (#740)
* DST-17030 Add workflow to deploy to MOJ Modernisation Platform
* Update password key
---
 .github/dependabot.yml | 12 ++++----
 .github/workflows/build.yml | 3 +-
 .github/workflows/deploy.yml | 58 ++++++++++++++++++++++++++++++++++++
 deploy/task-definition.yml | 19 ++++++++++++
 deploy/values-dev.yml | 15 ++++++++++
 deploy/values.yml | 33 ++++++++++++++++++++
 6 files changed, 132 insertions(+), 8 deletions(-)
 create mode 100644 .github/workflows/deploy.yml
 create mode 100644 deploy/task-definition.yml
 create mode 100644 deploy/values-dev.yml
 create mode 100644 deploy/values.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 1bd0134a..8999b194 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,16 +1,16 @@
-# To get started with Dependabot version updates, you'll need to specify which
-# package ecosystems to update and where the package manifests are located.
-# Please see the documentation for all configuration options:
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
-
 version: 2
 updates:
 - package-ecosystem: "gradle"
 directory: "/"
 schedule:
 interval: "daily"
+
 - package-ecosystem: "npm"
 directory: "/ui"
- open-pull-requests-limit: 0 # Disable version updates for npm dependencies
+ schedule:
+ interval: "monthly" # to reduce frequency of npm updates
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
 schedule:
 interval: "daily"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dc26cbf3..fd31cf8c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,7 +19,6 @@ jobs:
 env:
 ecr_image_name: 374269020027.dkr.ecr.eu-west-2.amazonaws.com/delius-core-user-management
 ghcr_image_name: ghcr.io/${{ github.repository_owner }}/delius-core-user-management
- version: ${{ github.event.release.tag_name }}
 steps:
 - uses: actions/checkout@v3
@@ -55,7 +54,7 @@ jobs:
 uses: aws-actions/configure-aws-credentials@v4
 with:
 role-to-assume: arn:aws:iam::326912278139:role/modernisation-platform-oidc-cicd
- role-session-name: delius-user-management-${{ github.run_number }}
+ role-session-name: delius-user-management-build-${{ github.run_number }}
 aws-region: eu-west-2
 - name: Login to Amazon ECR
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 00000000..87b7865b
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,58 @@
+name: Deploy
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: Version
+ required: true
+ environment:
+ description: Environment
+ required: true
+ type: choice
+ options:
+ - dev
+ - test
+
+permissions:
+ id-token: write # Required for OIDC
+ contents: read
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: eu-west-2
+ role-to-assume: arn:aws:iam::326912278139:role/modernisation-platform-oidc-cicd
+ role-session-name: delius-user-management-deploy-${{ github.run_number }}
+
+ - name: Render values
+ shell: bash
+ run: yq eval-all 'select(fileIndex == 0) *d select(fileIndex == 1)' "deploy/values.yml" "deploy/values-$ENV.yml" | tee deploy/merged.yml
+ env:
+ ENV: ${{ inputs.environment }}
+
+ - name: Render task definition
+ run: |
+ eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
+ brew install gomplate
+ old_task_definition=$(aws ecs describe-task-definition --task-definition "$TASK_DEFINITION" --include TAGS | jq '.taskDefinition | del(.containerDefinitions[0].command, .compatibilities, .taskDefinitionArn, .requiresAttributes, .revision, .status, .registeredAt, .registeredBy)')
+ new_task_definition=$(gomplate --file deploy/task-definition.yml --context values=deploy/merged.yml)
+ merged_task_definition_json=$(yq eval-all 'select(fileIndex == 0) *d select(fileIndex == 1)' <(echo "${old_task_definition}") <(echo "${new_task_definition}") --output-format json | tee task-definition.json)
+ echo "Deploying new task definition: ${merged_task_definition_json}"
+ env:
+ VERSION: ${{ inputs.version }}
+ TASK_DEFINITION: umt
+
+ - name: Deploy Amazon ECS task definition
+ uses: aws-actions/amazon-ecs-deploy-task-definition@69e7aed9b8acdd75a6c585ac669c33831ab1b9a3 # v1.5.0
+ with:
+ task-definition: task-definition.json
+ service: umt
+ cluster: delius-core-${{ inputs.environment }}-cluster
+
wait-for-service-stability: true
diff --git a/deploy/task-definition.yml b/deploy/task-definition.yml
new file mode 100644
index 00000000..05158938
--- /dev/null
+++ b/deploy/task-definition.yml
@@ -0,0 +1,19 @@
+# Generic task-definition template
+cpu: "{{ .values.resources.cpu }}"
+memory: "{{ .values.resources.memory }}"
+containerDefinitions:
+ - image: "{{ .values.image.name }}:{{ .Env.VERSION }}"
+ healthCheck:
+ command: ["CMD-SHELL", "{{ .values.healthcheck.command }}"]
+ cpu: {{ .values.resources.cpu }}
+ memory: {{ .values.resources.memory }}
+ environment:
+ {{- range $key, $val := .values.env }}
+ - name: {{ $key }}
+ value: "{{ $val }}"
+ {{- end }}
+ secrets:
+ {{- range $key, $val := .values.secrets }}
+ - name: {{ $key }}
+ valueFrom: "{{ $val }}"
+ {{- end }}
\ No newline at end of file
diff --git a/deploy/values-dev.yml b/deploy/values-dev.yml
new file mode 100644
index 00000000..c5e12fb1
--- /dev/null
+++ b/deploy/values-dev.yml
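Review bot: The `Render task definition` step has no `shell: bash`, so its script runs under GitHub's default `bash -e {0}` without `pipefail`: if `aws ecs describe-task-definition` fails (wrong `TASK_DEFINITION`, expired role session), `jq` still exits 0 on empty input, `old_task_definition` ends up empty and the job carries on and registers a task definition built from the template alone. Adding `shell: bash` to that step, as the `Render values` step already does, fails the step at the first broken pipeline stage. The closing `echo "Deploying new task definition: ..."` also prints every container `environment` value into the job log; that is harmless for the current placeholder values, but anything later placed under `env` rather than `secrets` will land in the log, so printing only the family and image would be safer. `brew install gomplate` is unpinned, so each deploy renders with whatever gomplate version Homebrew serves that day; pinning a release keeps renders reproducible.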
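Review bot: `value: "{{ $val }}"` and `valueFrom: "{{ $val }}"` splice raw values into a double-quoted YAML scalar, so a value containing `"` or a backslash breaks the render or changes meaning instead of being escaped; `value: {{ $val | quote }}` lets gomplate emit a correctly escaped scalar, and the unquoted `name: {{ $key }}` lines have the same exposure for keys containing `:` or `#`. The header comment should also state the contract that makes this template generic: the deploy workflow deep-merges it (`yq … *d`) over the currently registered revision, so only the keys rendered here are replaced and everything else comes from the live task definition. If I read yq's `*d` correctly, arrays are merged by index, which means an `environment` or `secrets` entry that exists in the live revision beyond the length of the rendered list is kept rather than dropped — worth confirming once a key is removed from values.yml, and worth a line in that comment. The file also lacks a trailing newline.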
@@ -0,0 +1,15 @@
+image:
+ name: 374269020027.dkr.ecr.eu-west-2.amazonaws.com/delius-core-user-management
+
+env:
+ LOGGING_LEVEL_UK_CO_BCONLINE_NDELIUS: DEBUG
+ DELIUS_PASSWORD-RESET_URL: https://pwm.dev.delius-core.hmpps-development.modernisation-platform.service.justice.gov.uk/public/forgottenpassword
+ SPRING_DATASOURCE_URL: jdbc:oracle:thin:@(DESCRIPTION=(LOAD_BALANCE=OFF)(CONNECT_TIMEOUT=10)(RETRY_COUNT=3)(ADDRESS_LIST=(ADDRESS=(PROTOCOL=tcp)(HOST=delius-db-1.mis-dev.delius.probation.hmpps.dsd.io)(PORT=1521)))(CONNECT_DATA=(SERVICE_NAME=DMDNDA_TAF)))
+ SPRING_LDAP_URLS: ldap://ldap.mis-dev.delius.probation.hmpps.dsd.io:389
+# SPRING_REDIS_HOST: aws_route53_record.token_store_private_dns.fqdn
+# SPRING_REDIS_PORT: aws_elasticache_replication_group.token_store_replication_group.port
+# SPRING_REDIS_CLUSTER_NODES: "${aws_route53_record.token_store_private_dns.fqdn}:${aws_elasticache_replication_group.token_store_replication_group.port}"
+
+secrets:
+ SPRING_DATASOURCE_PASSWORD: "arn:aws:secretsmanager:eu-west-2:326912278139:secret:delius-core-dev-oracle-db-application-passwords-kRyWVh:delius_app_schema::"
+ SPRING_LDAP_PASSWORD: "arn:aws:ssm:eu-west-2:326912278139:parameter/delius-core-dev/LDAP_BIND_PASSWORD"
diff --git a/deploy/values.yml b/deploy/values.yml
new file mode 100644
index 00000000..ea53cd1a
--- /dev/null
+++ b/deploy/values.yml
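Review bot: The `env` values here are plain scalars while values.yml quotes every value; quoting them the same way (`LOGGING_LEVEL_UK_CO_BCONLINE_NDELIUS: "DEBUG"`) keeps the two files consistent and protects later edits from YAML's implicit typing, where a value such as `OFF` or `1.10` would change type before gomplate ever sees it. `image.name` repeats the value already set in values.yml, so the override is redundant and can be dropped unless dev is meant to point at a different repository. The three commented `SPRING_REDIS_*` lines reference Terraform resource attributes rather than values this file could render, so they read as a carried-over TODO; one comment stating that the Redis token store is presumably not wired up yet would be clearer.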
@@ -0,0 +1,33 @@
+image:
+ name: 374269020027.dkr.ecr.eu-west-2.amazonaws.com/delius-core-user-management
+
+healthcheck:
+ command: "curl -f http://localhost:8080/umt/actuator/health || exit 1"
+
+resources:
+ cpu: 1024 # = 1 vCPU
+ memory: 4096 # = 4GB
+
+env:
+ JAVA_OPTS: "-XX:MaxMetaspaceSize=512M -XX:MaxDirectMemorySize=128M"
+ TZ: "Europe/London"
+ SERVER_USE-FORWARD-HEADERS: "true"
+ SERVER_FORWARD-HEADERS-STRATEGY: "native"
+ SPRING_DATASOURCE_USERNAME: "delius_app_schema"
+ SPRING_DATASOURCE_TYPE: "com.zaxxer.hikari.HikariDataSource"
+ SPRING_DATASOURCE_HIKARI_MAXIMUM-POOL-SIZE: "50"
+ SPRING_JPA_PROPERTIES_HIBERNATE_DIALECT: "org.hibernate.dialect.Oracle12cDialect"
+ SPRING_JPA_HIBERNATE_DDL-AUTO: "none"
+ SPRING_LDAP_EXPORT_USERNAME: "cn=root,dc=moj,dc=com"
+ SPRING_LDAP_USERNAME: "cn=root,dc=moj,dc=com"
+ SPRING_LDAP_USEORACLEATTRIBUTES: "false"
+ REDIS_CONFIGURE_NO-OP: "true"
+ SPRING_LDAP_BASE: "dc=moj,dc=com"
+ DELIUS_LDAP_BASE_USERS: "ou=Users"
+ DELIUS_LDAP_BASE_CLIENTS: "cn=EISUsers,ou=Users"
+ DELIUS_LDAP_BASE_ROLES: "cn=ndRoleCatalogue,ou=Users"
+ DELIUS_LDAP_BASE_ROLE-GROUPS: "cn=ndRoleGroups,ou=Users"
+ DELIUS_LDAP_BASE_GROUPS: "ou=Groups"
+ # TODO add to SSM
+ JWT_SECRET: "testing"
+ DELIUS_SECRET: "testing"
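Review bot: `JWT_SECRET: "testing"` and `DELIUS_SECRET: "testing"` are secrets committed to the repository under `env`, so they are rendered into the plain `environment` block of the task definition and are visible through `describe-task-definition`, the ECS console and the deploy job's own log; even as placeholders they set the pattern for whoever resolves the `# TODO add to SSM`. Move them to `secrets` in the per-environment values file with a parameter reference, as values-dev.yml already does for `SPRING_LDAP_PASSWORD`, e.g. `JWT_SECRET: "arn:aws:ssm:eu-west-2:<account-id>:parameter/<env-prefix>/JWT_SECRET"` (placeholder path), and generate the real values outside the repository. Separately, `SPRING_LDAP_USERNAME` and `SPRING_LDAP_EXPORT_USERNAME` both bind as the directory root DN `cn=root,dc=moj,dc=com`; if the directory offers a service account scoped to the user and role subtrees the application reads, using it would limit the impact should the bind password ever be exposed.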