UML-2732 Build and use container image for Lambda function
Sam Ainsworth committed Apr 23, 2024
1 parent 65276a0 commit adc15fd
Showing 31 changed files with 679 additions and 382 deletions.
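--- a/.github/labeller.yml
+++ b/.github/labeller.yml
@@ -0,0 +1,49 @@
+documentation:
+- changed-files:
+- any-glob-to-any-file: docs/**
+
+terraform:
+- changed-files:
+- any-glob-to-any-file: terraform/**
+
+github_actions:
+- changed-files:
+- any-glob-to-any-file: .github/workflows/**
+
+docker:
+- changed-files:
+- any-glob-to-any-file:
+- '**/Dockerfile'
+- '**/docker-compose*'
+
+python:
+- changed-files:
+- any-glob-to-any-file:
+- '**/*.py'
+- '**/requirements*.txt'
+
+php:
+- changed-files:
+- any-glob-to-any-file: '**/*.php'
+
+go:
+- changed-files:
+- any-glob-to-any-file: '**/*.go'
+
+javascript:
+- changed-files:
+- any-glob-to-any-file: '**/*.js'
+
+dependencies:
+- changed-files:
+- any-glob-to-any-file:
+- '**/requirements*.txt'
+- '**/package*.json'
+- '**/yarn*.lock'
+- '**/Gemfile*'
+- '**/composer*.json'
+- '**/go.mod'
+- '**/go.sum'
+- '**/vendor/**'
+- '**/node_modules/**'
+- '**/vendor/**'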
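Review bot: `'**/vendor/**'` is listed twice in the `dependencies` glob list (third from the end and again as the final entry); the labeler tolerates the duplicate but it is noise and suggests a copy-paste slip, so drop the trailing `- '**/vendor/**'`. Indentation is not visible in this rendering, so the nesting of `changed-files` under each label and of the glob sequences under `any-glob-to-any-file` could not be checked here and should be confirmed against the labeler's expected schema.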
107 changes: 107 additions & 0 deletions .github/workflows/_docker_build_scan_push.yml
@@ -0,0 +1,107 @@
permissions:
actions: read
checks: read
contents: read
deployments: none
issues: none
packages: none
pull-requests: none
repository-projects: none
security-events: write
statuses: none

on:
workflow_call:
inputs:
build_latest:
description: Branch name
type: boolean
default: false
semver_tag:
description: Semver tag
required: true
type: string
outputs:
ecr_image_uri:
value: '${{ jobs.docker_build_scan_push.outputs.ecr_image_uri }}'
description: ECR image URI

jobs:
docker_build_scan_push:
name: 'Build, Scan and Push Lambdas'
runs-on: ubuntu-latest
outputs:
ecr_image_uri: ${{ steps.login_ecr.outputs.registry }}/${{ matrix.data.ecr_repository }}/${{ matrix.data.name }}:${{ inputs.semver_tag }}
strategy:
matrix:
data:
- name: lpa-data-lambda
docker_build_directory: lambda_functions/v1
ecr_repository: integrations
dockerfile: Function
env:
sarif_file: trivy-results.sarif
steps:
- uses: actions/checkout@v4

- name: Configure AWS Credentials With Assumed Role to Management
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: '${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}'
aws-secret-access-key: '${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}'
aws-region: eu-west-1
role-to-assume: 'arn:aws:iam::311462405659:role/integrations-ci'
role-duration-seconds: 900
role-session-name: OPGLPADataGithubAction

- name: ECR Login
id: login_ecr
uses: aws-actions/[email protected]
with:
registries: 311462405659

- name: Generate tags for Docker
env:
SEMVER_TAG: '${{ inputs.semver_tag }}'
ECR_REGISTRY: '${{ steps.login_ecr.outputs.registry }}'
ECR_REPOSITORY: '${{ matrix.data.ecr_repository }}/${{ matrix.data.name }}'
id: docker_tags
run: >
if ${{ inputs.build_latest }}; then
echo "tags=$ECR_REGISTRY/$ECR_REPOSITORY:latest,$ECR_REGISTRY/$ECR_REPOSITORY:$SEMVER_TAG" >> $GITHUB_OUTPUT
else
echo "tags=$ECR_REGISTRY/$ECR_REPOSITORY:$SEMVER_TAG" >> $GITHUB_OUTPUT
fi
echo "semver_tag=$ECR_REGISTRY/$ECR_REPOSITORY:$SEMVER_TAG" >>
$GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push
uses: docker/build-push-action@v5
with:
context: .
platforms: 'linux/amd64'
file: >-
${{ matrix.data.docker_build_directory }}/Dockerfile-${{
matrix.data.dockerfile }}
push: true
tags: '${{ steps.docker_tags.outputs.tags }}'
provenance: false

- name: Trivy scan
uses: aquasecurity/[email protected]
with:
image-ref: '${{ steps.docker_tags.outputs.semver_tag }}'
severity: 'HIGH,CRITICAL'
format: sarif
output: '${{ env.sarif_file }}'

- name: Trivy scan upload to github
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: '${{ env.sarif_file }}'
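Review bot: The `Trivy scan` step runs after `Build and push` has already pushed the image with `push: true`, and the scan step sets no `exit-code`, so a HIGH/CRITICAL finding neither prevents the image from landing in ECR nor fails the job; as written the scan is advisory only. Build the image locally first (`load: true` instead of `push: true`), scan with `exit-code: '1'`, and push in a separate step that only runs when the scan passed; a second `docker/build-push-action` call with `push: true` reuses the build cache so the image is not rebuilt. Separately, `Generate tags for Docker` uses a folded block (`run: >`), whose line breaks fold into spaces unless the lines are more-indented than their neighbours (indentation is not visible in this rendering), which makes the `if … fi` script fragile; `run: |` is the conventional form for a multi-line shell step, and passing `inputs.build_latest` to the script via a step `env` entry rather than an inline `${{ }}` is the pattern GitHub documents for keeping expressions out of the shell text.
```yaml
      - name: Build image (not pushed yet)
        uses: docker/build-push-action@v5
        with:
          # … unchanged: context, platforms, file, tags, provenance …
          load: true      # image stays in the runner's Docker daemon
          push: false

      - name: Trivy scan
        # … unchanged: uses …
        with:
          # … unchanged: image-ref, severity, format, output …
          exit-code: '1'  # non-zero on HIGH/CRITICAL -> job fails, push below is skipped

      # … unchanged: Trivy scan upload to github (if: always()) …

      - name: Push scanned image
        uses: docker/build-push-action@v5
        with:
          # … unchanged: same context, platforms, file, tags, provenance as the build step …
          push: true      # cache hit from the build above; only reached when the scan passed
```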
80 changes: 80 additions & 0 deletions .github/workflows/_integration_tests.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
permissions:
actions: read
checks: read
contents: read
deployments: none
issues: none
packages: none
pull-requests: none
repository-projects: none
security-events: write
statuses: none

on:
workflow_call:
inputs:
environment_name:
description: 'The name of the environment'
required: true
type: string
working_directory:
description: 'Working Directory to run tests from'
required: true
type: string
tests_directory:
description: 'Directory containing Pytest tests'
required: true
type: string
secrets:
AWS_ACCESS_KEY_ID_ACTIONS:
description: 'AWS Access Key ID'
required: false
AWS_SECRET_ACCESS_KEY_ACTIONS:
description: 'AWS Secret Access Key'
required: false

jobs:
integration_tests:
name: Run integration tests
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
strategy:
matrix:
python-version: ["3.10", "3.12"]
steps:
- name: Check out code
uses: actions/checkout@v4

- name: Configure AWS Credentials For integration tests
uses: aws-actions/configure-aws-credentials@v4
if: ${{ env.AWS_ACCESS_KEY_ID != '' && env.AWS_SECRET_ACCESS_KEY != '' }}
with:
aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-west-1
role-duration-seconds: 900
role-session-name: GitHubActionsIntegrationTests

- name: Setup Python
uses: actions/setup-python@9a7ac94420f42ee15fc60ab88d0dca4be1fd5757
with:
python-version: ${{ matrix.python-version }}

- name: Install integration test requirements.txt
run: |
python -m pip install --upgrade pip
pip install -r ${{ inputs.tests_directory }}/requirements.txt
- name: Run tests with Pytest
env:
ENVIRONMENT_NAME: ${{ inputs.environment_name }}
working-directory: ${{ inputs.working_directory }}
run: |
coverage run -m pytest -v -s
- name: Generate Coverage Report
working-directory: ${{ inputs.working_directory }}
run: |
coverage report -m
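Review bot: The `Install integration test requirements.txt` step interpolates `${{ inputs.tests_directory }}` straight into the shell line, so the caller-supplied string is spliced into the script text before bash parses it; route it through an environment variable instead, `env: TESTS_DIRECTORY: ${{ inputs.tests_directory }}` on the step and `pip install -r "$TESTS_DIRECTORY/requirements.txt"` in `run`. In the `Configure AWS Credentials For integration tests` step, `role-duration-seconds` and `role-session-name` are set but no `role-to-assume` is given, so as far as I can tell those two inputs have no effect and the job runs on the long-lived key pair exported at job level; either add the role (ideally with OIDC via `id-token: write` instead of static keys) or remove the two inert inputs so the step reads as what it does. The job-level `env` also hands `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` to the `pip install` step, which does not need them; if the env-level mapping is only there to make the `if:` check possible, consider scoping the exported credentials to the steps that use them. `security-events: write` is granted here although no step in this workflow uploads code-scanning results.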
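--- a/.github/workflows/_python_unit_tests.yml
+++ b/.github/workflows/_python_unit_tests.yml
@@ -0,0 +1,41 @@
+permissions:
+actions: read
+checks: read
+contents: read
+deployments: none
+issues: none
+packages: none
+pull-requests: none
+repository-projects: none
+security-events: write
+statuses: none
+
+on:
+workflow_call: null
+
+jobs:
+run_unit_tests:
+runs-on: ubuntu-latest
+strategy:
+matrix:
+python-version: ["3.10", "3.12"]
+steps:
+- uses: actions/checkout@v4
+
+- uses: actions/setup-python@v5
+with:
+python-version: ${{ matrix.python-version }}
+
+- uses: unfor19/install-aws-cli-action@v1
+
+- name: Install flake8
+run: pip3 install flake8
+
+- name: Run Flask8
+run: 'flake8 --ignore Q000,W503 lambda_functions'
+
+- name: Build Unit Test Container
+run: docker compose -f docker-compose.yml build unit-test-lpa-data
+
+- name: Run Unit Tests
+run: docker compose -f docker-compose.yml up unit-test-lpa-data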
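Review bot: `docker compose … up unit-test-lpa-data` in the `Run Unit Tests` step does not, on its own, propagate the service container's exit status, so a failing test run can leave the step green unless the compose file does something not visible here; use `run: docker compose -f docker-compose.yml up --exit-code-from unit-test-lpa-data unit-test-lpa-data` so the job fails when the tests do. The `permissions` block grants `security-events: write` although nothing in this job uploads SARIF or other code-scanning results; for least privilege it should be `security-events: none`. `unfor19/install-aws-cli-action@v1` is a floating major tag on a third-party action that runs with the job's credentials and checkout — pin it to a commit SHA, as `actions/setup-python` is pinned in `_integration_tests.yml`.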
68 changes: 0 additions & 68 deletions .github/workflows/deploy.yml

This file was deleted.

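--- a/.github/workflows/destroy_workspaces.yml
+++ b/.github/workflows/destroy_workspaces.yml
@@ -16,9 +16,14 @@ jobs:
 runs-on: "ubuntu-latest"
 steps:
 - uses: actions/checkout@v4
+- name: Set terraform version - environment
+id: terraform_version_environment
+uses: ministryofjustice/opg-github-actions/.github/actions/[email protected]
+with:
+terraform_directory: "./terraform/environment"
 - uses: hashicorp/setup-terraform@v3
 with:
-terraform_version: 1.2.4
+terraform_version: ${{ steps.terraform_version_environment.outputs.version }}
 terraform_wrapper: false
 - name: Install workspace manager
 run: |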
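Review bot: `terraform_version` is now taken from `steps.terraform_version_environment.outputs.version`, and if that output comes back empty (the composite action failing soft, or the directory carrying no version constraint) `hashicorp/setup-terraform` will, as far as I know, fall back to its default latest release, so the previously pinned `1.2.4` silently becomes a floating version on a workflow that destroys workspaces; add a guard before `setup-terraform`, e.g. `- if: steps.terraform_version_environment.outputs.version == ''` with `run: echo "no terraform version resolved" >&2; exit 1`. The `uses:` reference for the version action is shown on this page as `[email protected]`, which looks like an extraction artefact rather than the real ref; whatever the actual ref is, a composite action that decides the toolchain version should be pinned to a commit SHA rather than a mutable tag. The `Install workspace manager` step continues outside this hunk.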
