DDLS-372 move to OIDC in github actions
jamesrwarren committed Oct 17, 2024
1 parent f7739c2 commit b4a6bb6
Showing 7 changed files with 380 additions and 285 deletions.
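--- a/.github/workflows/_build.yml
+++ b/.github/workflows/_build.yml
@@ -0,0 +1,124 @@
+name: "[Docker] Build and Push Images"
+
+defaults:
+run:
+shell: bash
+
+on:
+workflow_call:
+inputs:
+branch_name:
+description: "Name of the branch doing the build"
+required: true
+type: string
+tag:
+description: "Tag for docker image"
+required: false
+default: "latest"
+type: string
+push_to_ecr:
+description: "Whether to push to ECR"
+required: false
+default: true
+type: boolean
+
+jobs:
+docker_build_scan_push:
+runs-on: ubuntu-latest
+strategy:
+fail-fast: false
+matrix:
+include:
+- svc_name: "opg-incident-response"
+docker_file: "Dockerfile.response"
+- svc_name: "incident-response/nginx"
+docker_file: "Dockerfile.nginx"
+steps:
+- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin@v3
+
+- name: set up docker buildx
+uses: docker/setup-buildx-action@edfb0fe6204400c56fbfd3feba3fe9ad1adfa345
+
+- name: export dates
+id: cache-dates
+run: |
+echo "cache_date_today=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+echo "cache_date_yesterday=$(date -d 'yesterday' +'%Y%m%d')" >> $GITHUB_OUTPUT
+- name: cache docker layers
+id: cache-docker
+uses: actions/cache@8469c94c6a180dfb41a1bd7e1b46ac557ea124f1 # [email protected]
+with:
+path: /tmp/.buildx-cache
+key: ${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_today }}-${{ github.sha }}
+restore-keys: |
+${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_today }}
+${{ matrix.svc_name }}-main-${{ steps.cache-dates.outputs.cache_date_today }}
+${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_yesterday }}
+${{ matrix.svc_name }}-main-${{ steps.cache-dates.outputs.cache_date_yesterday }}
+- name: install aws cli
+uses: unfor19/install-aws-cli-action@46282f151073130d90347412d9c4ef0640177f22 # [email protected]
+
+- name: configure OIDC AWS credentials for ECR push
+if: ${{ github.actor != 'dependabot[bot]' }}
+uses: aws-actions/configure-aws-credentials@2cefa29f8797029f898b1baeff3e21a144128687 # [email protected]
+with:
+role-to-assume: arn:aws:iam::311462405659:role/incident-response-gh-actions-ecr-push
+role-session-name: github-actions-ecr-push
+role-duration-seconds: 900
+aws-region: eu-west-1
+
+- name: build docker image
+env:
+IMAGE_NAME: ${{ matrix.svc_name }}
+DOCKERFILE: ${{ matrix.docker_file }}
+BRANCH_NAME: ${{ inputs.branch_name }}
+run: |
+if [ "${BRANCH_NAME}" == "main" ]; then
+docker buildx build \
+-f ${DOCKERFILE} \
+--cache-to=type=local,dest=/tmp/.buildx-cache-new \
+--tag ${IMAGE_NAME}:latest \
+--output type=docker \
+.
+else
+docker buildx build \
+-f ${DOCKERFILE} \
+--cache-from=type=local,src=/tmp/.buildx-cache \
+--cache-to=type=local,dest=/tmp/.buildx-cache-new \
+--tag ${IMAGE_NAME}:latest \
+--output type=docker \
+.
+fi
+- name: Move cache
+run: |
+rm -rf /tmp/.buildx-cache
+mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+- name: ecr login
+id: login_ecr
+uses: aws-actions/amazon-ecr-login@d5dd46d537c86e506335323688c342319bedcfe1 # [email protected]
+with:
+registries: 311462405659
+
+- name: show build tag
+env:
+IMAGE_TAG: ${{ inputs.tag }}
+run: echo "Tag to use - ${IMAGE_TAG}"
+
+- name: tag and push container
+if: ${{ github.actor != 'dependabot[bot]' }}
+env:
+ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
+IMAGE_TAG: ${{ inputs.tag }}
+IMAGE_NAME: ${{ matrix.svc_name }}
+BRANCH_NAME: ${{ inputs.branch_name }}
+run: |
+docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:$IMAGE_TAG
+if [[ "${BRANCH_NAME}" == "main" ]]; then
+docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:latest
+docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:main-$IMAGE_TAG
+fi
+docker push --all-tags $ECR_REGISTRY/$IMAGE_NAME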
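Review bot: The `push_to_ecr` input declared under `workflow_call.inputs` is never read — the credential and push steps are gated only on `github.actor != 'dependabot[bot]'`, so a caller passing `push_to_ecr: false` still pushes to ECR. The `ecr login` step also lacks the dependabot guard that the credential and push steps carry, so on a dependabot-triggered run it executes with no AWS credentials and fails the job. Gating the credential, login and push steps on the same condition, `if: ${{ inputs.push_to_ecr && github.actor != 'dependabot[bot]' }}`, makes the input effective and keeps the three steps consistent. No `permissions` block is declared, and the OIDC exchange in `configure-aws-credentials` needs `id-token: write`; for a reusable workflow that grant presumably has to come from the caller, which is worth stating in a comment on the credentials step so callers know what to pass.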
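--- a/.github/workflows/_deploy.yml
+++ b/.github/workflows/_deploy.yml
@@ -0,0 +1,98 @@
+on:
+workflow_call:
+inputs:
+workspace:
+description: "Terraform workspace"
+required: true
+type: string
+image_tag:
+description: "Image tag to use"
+required: false
+type: string
+default: ""
+apply:
+description: "Whether to apply terraform"
+required: false
+type: boolean
+default: false
+account_name:
+required: false
+type: string
+default: development
+description: "Account to get credentials for"
+
+jobs:
+terraform_workflow:
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin@v3
+
+- uses: unfor19/install-aws-cli-action@46282f151073130d90347412d9c4ef0640177f22 # [email protected]
+
+- id: terraform_version
+name: get terraform version
+uses: ministryofjustice/opg-github-actions/.github/actions/[email protected]
+with:
+terraform_directory: terraform
+
+- uses: hashicorp/setup-terraform@1b93182764c8332e7679b2393cb307cbe7baf9dc # [email protected]
+with:
+terraform_version: ${{ steps.terraform_version.outputs.version }}
+terraform_wrapper: false
+
+- uses: terraform-linters/setup-tflint@v4
+name: Setup TFLint
+with:
+tflint_version: v0.50.1
+
+- name: configure OIDC AWS credentials for terraform
+uses: aws-actions/configure-aws-credentials@2cefa29f8797029f898b1baeff3e21a144128687 # [email protected]
+with:
+role-to-assume: "arn:aws:iam::631181914621:role/oidc-incident-response-${{ inputs.account_name }}"
+role-session-name: github-actions-terraform-incident-response
+role-duration-seconds: 7400
+aws-region: eu-west-1
+
+- name: terraform format
+run: terraform fmt --check --recursive
+working-directory: terraform
+
+- name: TF Lint
+run: tflint --recursive
+working-directory: terraform
+
+- name: terraform init for environment
+env:
+TF_WORKSPACE: ${{ inputs.workspace }}
+run: terraform init -input=false
+working-directory: terraform
+
+- name: terraform plan
+env:
+TF_WORKSPACE: ${{ inputs.workspace }}
+TF_VAR_app_tag: ${{ inputs.image_tag }}
+run: |
+terraform workspace show
+terraform plan --lock-timeout=300s --parallelism=200 --out=${TF_WORKSPACE}.plan > ${TF_WORKSPACE}.log
+working-directory: terraform
+
+- name: output plan
+env:
+TF_WORKSPACE: ${{ inputs.workspace }}
+run: cat ${TF_WORKSPACE}.log
+working-directory: terraform
+
+- name: output concise plan
+env:
+TF_WORKSPACE: ${{ inputs.workspace }}
+run: cat ${TF_WORKSPACE}.log | grep '\.' | grep '#' || true
+working-directory: terraform
+
+- name: terraform apply
+if: inputs.apply
+env:
+TF_WORKSPACE: ${{ inputs.workspace }}
+TF_VAR_app_tag: ${{ inputs.image_tag }}
+CI: true
+run: terraform apply -parallelism=200 -lock-timeout=300s ${{ env.TF_WORKSPACE }}.plan
+working-directory: terraform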
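Review bot: `terraform-linters/setup-tflint@v4` in the Setup TFLint step is the only action in this file referenced by a mutable tag; every other `uses:` here and in `_build.yml` is pinned to a commit SHA with a version comment, so this is the one step in a job that later holds deploy-capable AWS credentials whose code can change without a diff in this repository. Pin it the same way, `uses: terraform-linters/setup-tflint@<commit-sha> # pin@v4` (with the real SHA substituted). The `role-to-assume` ARN is built from the free-form `account_name` input with default `development`, so which roles a caller can request is bounded only by each role's trust policy; listing the accepted values in that input's `description` would make the contract explicit to callers. As in `_build.yml`, no `permissions: id-token: write` is declared, so the OIDC step presumably relies on the calling workflow granting it — a comment on the credentials step saying so would help.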
139 changes: 0 additions & 139 deletions .github/workflows/build_containers.yml

This file was deleted.

