Ephemeral environment [Do not merge]

.github/labeller.yml

@@ -0,0 +1,49 @@
+documentation:
+- changed-files:
+  - any-glob-to-any-file: docs/**
+
+terraform:
+- changed-files:
+  - any-glob-to-any-file: terraform/**
+
+github_actions:
+- changed-files:
+  - any-glob-to-any-file: .github/workflows/**
+
+docker:
+- changed-files:
+  - any-glob-to-any-file:
+    - '**/Dockerfile'
+    - '**/docker-compose*'
+
+python:
+- changed-files:
+  - any-glob-to-any-file:
+    - '**/*.py'
+    - '**/requirements*.txt'
+
+php:
+- changed-files:
+  - any-glob-to-any-file: '**/*.php'
+
+go:
+- changed-files:
+  - any-glob-to-any-file: '**/*.go'
+
+javascript:
+- changed-files:
+  - any-glob-to-any-file: '**/*.js'
+
+dependencies:
+- changed-files:
+  - any-glob-to-any-file:
+    - '**/requirements*.txt'
+    - '**/package*.json'
+    - '**/yarn*.lock'
+    - '**/Gemfile*'
+    - '**/composer*.json'
+    - '**/go.mod'
+    - '**/go.sum'
+    - '**/vendor/**'
+    - '**/node_modules/**'
+    - '**/vendor/**'

.github/workflows/_docker_build_scan_push.yml

@@ -0,0 +1,107 @@
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: write
+  statuses: none
+
+on:
+  workflow_call:
+    inputs:
+      build_latest:
+        description: Branch name
+        type: boolean
+        default: false
+      semver_tag:
+        description: Semver tag
+        required: true
+        type: string
+    outputs:
+      ecr_image_uri:
+        value: '${{ jobs.docker_build_scan_push.outputs.ecr_image_uri }}'
+        description: ECR image URI
+
+jobs:
+  docker_build_scan_push:
+    name: 'Build, Scan and Push Lambdas'
+    runs-on: ubuntu-latest
+    outputs:
+      ecr_image_uri: ${{ steps.login_ecr.outputs.registry }}/${{ matrix.data.ecr_repository }}/${{ matrix.data.name }}:${{ inputs.semver_tag }}
+    strategy:
+      matrix:
+        data:
+          - name: lpa-data-lambda
+            docker_build_directory: lambda_functions/v1
+            ecr_repository: integrations
+            dockerfile: Function
+    env:
+      sarif_file: trivy-results.sarif
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials With Assumed Role to Management
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: '${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}'
+          aws-secret-access-key: '${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}'
+          aws-region: eu-west-1
+          role-to-assume: 'arn:aws:iam::311462405659:role/integrations-ci'
+          role-duration-seconds: 900
+          role-session-name: OPGLPADataGithubAction
+
+      - name: ECR Login
+        id: login_ecr
+        uses: aws-actions/[email protected]
+        with:
+          registries: 311462405659
+
+      - name: Generate tags for Docker
+        env:
+          SEMVER_TAG: '${{ inputs.semver_tag }}'
+          ECR_REGISTRY: '${{ steps.login_ecr.outputs.registry }}'
+          ECR_REPOSITORY: '${{ matrix.data.ecr_repository }}/${{ matrix.data.name }}'
+        id: docker_tags
+        run: >
+          if ${{ inputs.build_latest }}; then
+            echo "tags=$ECR_REGISTRY/$ECR_REPOSITORY:latest,$ECR_REGISTRY/$ECR_REPOSITORY:$SEMVER_TAG" >> $GITHUB_OUTPUT
+          else
+            echo "tags=$ECR_REGISTRY/$ECR_REPOSITORY:$SEMVER_TAG" >> $GITHUB_OUTPUT
+          fi
+
+          echo "semver_tag=$ECR_REGISTRY/$ECR_REPOSITORY:$SEMVER_TAG" >>
+          $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: 'linux/amd64'
+          file: >-
+            ${{ matrix.data.docker_build_directory }}/Dockerfile-${{
+            matrix.data.dockerfile }}
+          push: true
+          tags: '${{ steps.docker_tags.outputs.tags }}'
+          provenance: false
+
+      - name: Trivy scan
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: '${{ steps.docker_tags.outputs.semver_tag }}'
+          severity: 'HIGH,CRITICAL'
+          format: sarif
+          output: '${{ env.sarif_file }}'
+
+      - name: Trivy scan upload to github
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: '${{ env.sarif_file }}'

.github/workflows/_integration_tests.yml

@@ -0,0 +1,83 @@
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: write
+  statuses: none
+
+on:
+  workflow_call:
+    inputs:
+      data_lpa_api_url:
+        description: 'The url of the data lpa api gateway'
+        required: true
+        type: string
+      working_directory:
+        description: 'Working Directory to run tests from'
+        required: true
+        type: string
+      tests_directory:
+        description: 'Directory containing Pytest tests'
+        required: true
+        type: string
+      specific_tests:
+        description: 'File path to specific Pytest tests - currently used to run 1 test as a smoke test'
+        required: false
+        type: string
+        default: ""
+    secrets:
+      AWS_ACCESS_KEY_ID_ACTIONS:
+        description: 'AWS Access Key ID'
+        required: false
+      AWS_SECRET_ACCESS_KEY_ACTIONS:
+        description: 'AWS Secret Access Key'
+        required: false
+
+jobs:
+  integration_tests:
+    name: Run integration tests
+    runs-on: ubuntu-latest
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_ACTIONS }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACTIONS }}
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Configure AWS Credentials For integration tests
+        uses: aws-actions/configure-aws-credentials@v4
+        if: ${{ env.AWS_ACCESS_KEY_ID != '' && env.AWS_SECRET_ACCESS_KEY != '' }}
+        with:
+          aws-access-key-id: ${{ env.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
+          aws-region: eu-west-1
+          role-duration-seconds: 900
+          role-session-name: GitHubActionsIntegrationTests
+
+      - name: Setup Python
+        uses: actions/setup-python@9a7ac94420f42ee15fc60ab88d0dca4be1fd5757
+        with:
+          python-version: "3.12"
+
+      - name: Install integration test requirements.txt
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r ${{ inputs.tests_directory }}/requirements.txt
+
+      - name: Run tests with Pytest
+        env:
+          DATA_LPA_API_URL: ${{ inputs.data_lpa_api_url }}
+          SPECIFIC_TESTS: ${{ inputs.specific_tests}}
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          coverage run -m pytest $SPECIFIC_TESTS -v -s
+
+      - name: Generate Coverage Report
+        working-directory: ${{ inputs.working_directory }}
+        run: |
+          coverage report -m

.github/workflows/_python_unit_tests.yml

@@ -0,0 +1,38 @@
+permissions:
+  actions: read
+  checks: read
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: write
+  statuses: none
+
+on:
+  workflow_call: null
+
+jobs:
+  run_unit_tests:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - uses: unfor19/install-aws-cli-action@v1
+
+      - name: Install flake8
+        run: pip3 install flake8
+
+      - name: Run Flask8
+        run: 'flake8 --ignore Q000,W503 lambda_functions'
+
+      - name: Build Unit Test Container
+        run: docker compose build unit-test-lpa-data 
+
+      - name: Run Unit Tests
+        run: docker compose up unit-test-lpa-data --abort-on-container-exit --exit-code-from unit-test-lpa-data || exit 1