DDLS-372 move to OIDC in github actions

.github/workflows/_build.yml

@@ -0,0 +1,124 @@
+name: "[Docker] Build and Push Images"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  workflow_call:
+    inputs:
+      branch_name:
+        description: "Name of the branch doing the build"
+        required: true
+        type: string
+      tag:
+        description: "Tag for docker image"
+        required: false
+        default: "latest"
+        type: string
+      push_to_ecr:
+        description: "Whether to push to ECR"
+        required: false
+        default: true
+        type: boolean
+
+jobs:
+  docker_build_scan_push:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - svc_name: "opg-incident-response"
+            docker_file: "Dockerfile.response"
+          - svc_name: "incident-response/nginx"
+            docker_file: "Dockerfile.nginx"
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin@v3
+
+      - name: set up docker buildx
+        uses: docker/setup-buildx-action@edfb0fe6204400c56fbfd3feba3fe9ad1adfa345
+
+      - name: export dates
+        id: cache-dates
+        run: |
+          echo "cache_date_today=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT
+          echo "cache_date_yesterday=$(date -d 'yesterday' +'%Y%m%d')" >> $GITHUB_OUTPUT
+
+      - name: cache docker layers
+        id: cache-docker
+        uses: actions/cache@8469c94c6a180dfb41a1bd7e1b46ac557ea124f1 # [email protected]
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_today }}-${{ github.sha }}
+          restore-keys: |
+            ${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_today }}
+            ${{ matrix.svc_name }}-main-${{ steps.cache-dates.outputs.cache_date_today }}
+            ${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_yesterday }}
+            ${{ matrix.svc_name }}-main-${{ steps.cache-dates.outputs.cache_date_yesterday }}
+
+      - name: install aws cli
+        uses: unfor19/install-aws-cli-action@46282f151073130d90347412d9c4ef0640177f22 # [email protected]
+
+      - name: configure OIDC AWS credentials for ECR push
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        uses: aws-actions/configure-aws-credentials@2cefa29f8797029f898b1baeff3e21a144128687 # [email protected]
+        with:
+          role-to-assume: arn:aws:iam::311462405659:role/incident-response-gh-actions-ecr-push
+          role-session-name: github-actions-ecr-push
+          role-duration-seconds: 900
+          aws-region: eu-west-1
+
+      - name: build docker image
+        env:
+          IMAGE_NAME: ${{ matrix.svc_name }}
+          DOCKERFILE: ${{ matrix.docker_file }}
+          BRANCH_NAME: ${{ inputs.branch_name }}
+        run: |
+          if [ "${BRANCH_NAME}" == "main" ]; then
+            docker buildx build \
+            -f ${DOCKERFILE} \
+            --cache-to=type=local,dest=/tmp/.buildx-cache-new \
+            --tag ${IMAGE_NAME}:latest \
+            --output type=docker \
+            .
+          else
+            docker buildx build \
+            -f ${DOCKERFILE} \
+            --cache-from=type=local,src=/tmp/.buildx-cache \
+            --cache-to=type=local,dest=/tmp/.buildx-cache-new \
+            --tag ${IMAGE_NAME}:latest \
+            --output type=docker \
+            .
+          fi
+
+      - name: Move cache
+        run: |
+          rm -rf /tmp/.buildx-cache
+          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
+
+      - name: ecr login
+        id: login_ecr
+        uses: aws-actions/amazon-ecr-login@d5dd46d537c86e506335323688c342319bedcfe1 # [email protected]
+        with:
+          registries: 311462405659
+
+      - name: show build tag
+        env:
+          IMAGE_TAG: ${{ inputs.tag }}
+        run: echo "Tag to use - ${IMAGE_TAG}"
+
+      - name: tag and push container
+        if: ${{ github.actor != 'dependabot[bot]' }}
+        env:
+          ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }}
+          IMAGE_TAG: ${{ inputs.tag }}
+          IMAGE_NAME: ${{ matrix.svc_name }}
+          BRANCH_NAME: ${{ inputs.branch_name }}
+        run: |
+          docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:$IMAGE_TAG
+          if [[ "${BRANCH_NAME}" == "main" ]]; then
+            docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:latest
+            docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:main-$IMAGE_TAG
+          fi
+          docker push --all-tags $ECR_REGISTRY/$IMAGE_NAME

.github/workflows/_deploy.yml

@@ -0,0 +1,86 @@
+on:
+  workflow_call:
+    inputs:
+      workspace:
+        description: "Terraform workspace"
+        required: true
+        type: string
+      image_tag:
+        description: "Image tag to use"
+        required: false
+        type: string
+        default: ""
+      apply:
+        description: "Whether to apply terraform"
+        required: false
+        type: boolean
+        default: false
+      account_name:
+        required: false
+        type: string
+        default: development
+        description: "Account to get credentials for"
+
+jobs:
+  terraform_workflow:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin@v3
+
+      - uses: unfor19/install-aws-cli-action@46282f151073130d90347412d9c4ef0640177f22 # [email protected]
+
+      - id: terraform_version
+        name: get terraform version
+        uses: ministryofjustice/opg-github-actions/.github/actions/[email protected]
+        with:
+          terraform_directory: terraform
+
+      - uses: hashicorp/setup-terraform@1b93182764c8332e7679b2393cb307cbe7baf9dc # [email protected]
+        with:
+          terraform_version: ${{ steps.terraform_version.outputs.version }}
+          terraform_wrapper: false
+
+      - uses: terraform-linters/setup-tflint@v4
+        name: Setup TFLint
+        with:
+          tflint_version: v0.50.1
+
+      - name: configure OIDC AWS credentials for terraform
+        uses: aws-actions/configure-aws-credentials@2cefa29f8797029f898b1baeff3e21a144128687 # [email protected]
+        with:
+          role-to-assume: "arn:aws:iam::631181914621:role/oidc-incident-response-${{ inputs.account_name }}"
+          role-session-name: github-actions-terraform-incident-response
+          role-duration-seconds: 7400
+          aws-region: eu-west-1
+
+      - name: terraform format
+        run: terraform fmt --check --recursive
+
+      - name: TF Lint
+        run: tflint --recursive
+
+      - name: terraform init for environment
+        run: terraform init -input=false
+        working-directory: terraform
+
+      - name: terraform plan
+        env:
+          TF_WORKSPACE: ${{ inputs.workspace }}
+          TF_VAR_app_tag: ${{ inputs.image_tag }}
+        run: |
+          terraform workspace show
+          terraform plan -input=false -auto-approve --lock-timeout=300s --parallelism=200 --out=${TF_WORKSPACE}.plan > ${TF_WORKSPACE}.log
+
+      - name: output plan
+        run: cat ${TF_WORKSPACE}.log
+
+      - name: output concise plan
+        run: cat ${TF_WORKSPACE}.log | grep '\.' | grep '#' || true
+
+      - name: terraform apply
+        if: inputs.apply
+        env:
+          TF_WORKSPACE: ${{ inputs.workspace }}
+          TF_VAR_app_tag: ${{ inputs.image_tag }}
+          CI: true
+        run: terraform apply -input=false -auto-approve -parallelism=200 -lock-timeout=300s ${{ env.TF_WORKSPACE }}.plan