Merge pull request #12 from NHSDigital/AMB-0003-Terraform-check

AMB-0003-Terraform Check

.github/workflows/continuous-disintegration.yml

@@ -0,0 +1,23 @@
+name: Teardown
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  build:
+    name: Call Azure Pipeline
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get Access Token
+        id: get-access-token
+        run: |
+          echo "ACCESS_TOKEN"=$(curl 'https://app.vssps.visualstudio.com/oauth2/token' --data "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&client_assertion=${{ secrets.PR_TEARDWN_CLIENT_SECRET }}&grant_type=refresh_token&assertion=${{ secrets.PR_TEARDWN_REFRESH_TOKEN }}&redirect_uri=https://localhost:1337/callback" | jq -r '.access_token') >> $GITHUB_OUTPUT
+
+      - name: Azure Pipelines Action
+        uses: Azure/pipelines@v1.2
+        with:
+          azure-devops-project-url: 'https://dev.azure.com/NHSD-APIM/API%20Platform'
+          azure-pipeline-name: 'immunisation-fhir-api-pr-teardown'
+          azure-pipeline-variables: '{ "action_pr_number": "${{ github.event.pull_request.number }}" }'
+          azure-devops-token: ${{ steps.get-access-token.outputs.ACCESS_TOKEN }}

Makefile

@@ -1,13 +1,13 @@
-SHELL=/bin/bash -euo pipefail
+SHELL=/usr/bin/env bash -euo pipefail
 
 #Installs dependencies using poetry.
 install-python:
+	poetry lock --no-update
 	poetry install
 
 #Installs dependencies using npm.
 install-node:
 	npm install --legacy-peer-deps
-	cd sandbox && npm install --legacy-peer-deps
 
 #Configures Git Hooks, which are scripts that run given a specified event.
 .git/hooks/pre-commit:
@@ -19,7 +19,7 @@ install: install-node install-python .git/hooks/pre-commit
 #Run the npm linting script (specified in package.json). Used to check the syntax and formatting of files.
 lint:
 	npm run lint
-	find . -name '*.py' -not -path '**/.venv/*' | xargs poetry run flake8
+	find . -name '*.py' -not -path '**/.venv/*' -not -path '**/.terraform/*'| xargs poetry run flake8
 
 #Removes build/ + dist/ directories
 clean:
@@ -30,13 +30,16 @@ clean:
 publish: clean
 	mkdir -p build
 	npm run publish 2> /dev/null
+	cp build/immunisation-batch.json sandbox/
+	cp -r specification sandbox/specification
 
 #Runs build proxy script
 build-proxy:
 	scripts/build_proxy.sh
 
 #Files to loop over in release
-_dist_include="pytest.ini poetry.lock poetry.toml pyproject.toml Makefile build/. tests"
+_dist_include="pytest.ini poetry.lock poetry.toml pyproject.toml Makefile build/. specification sandbox terraform scripts batch"
+
 
 #Create /dist/ sub-directory and copy files into directory
 release: clean publish build-proxy
@@ -59,7 +62,6 @@ TEST_CMD := @APIGEE_ACCESS_TOKEN=$(APIGEE_ACCESS_TOKEN) \
 
 PROD_TEST_CMD := $(TEST_CMD) \
 		--apigee-app-id=$(APIGEE_APP_ID) \
-		--apigee-organization=nhsd-prod \
 		--status-endpoint-api-key=$(STATUS_ENDPOINT_API_KEY)
 
 #Command to run end-to-end smoketests post-deployment to verify the environment is working
@@ -80,3 +82,6 @@ smoketest-prod:
 test-prod:
 	$(PROD_CMD) \
 	--junitxml=test-report.xml \
+
+setup-python-envs:
+	scripts/setup-python-envs.sh

azure/azure-pr-pipeline.yml

@@ -40,4 +40,4 @@ extends:
       #   proxy_path: sandbox
       #   post_deploy:
       #     - template: ./templates/run-tests.yml
-      #   trying pipeline run
+      #   trying pipeline execution

azure/azure-pr-teardown-pipeline.yml

@@ -0,0 +1,53 @@
+name: "$(SourceBranchName)+$(BuildID)"
+
+trigger: none
+pr: none
+
+resources:
+  repositories:
+    - repository: common
+      type: github
+      name: NHSDigital/api-management-utils
+      ref: refs/heads/edge
+      endpoint: NHSDigital
+
+variables:
+  - template: project.yml
+
+jobs:
+  - job: teardown
+    displayName: PR Teardown
+    timeoutInMinutes: 30
+    pool:
+      name: 'AWS-ECS'
+      vmImage: 'ubuntu-latest'
+    steps:
+      - checkout: self
+
+      - bash: |
+          echo $(action_pr_number)
+          WORKSPACE="pr-"$(ACTION_PR_NUMBER)
+          echo $WORKSPACE
+          echo "##vso[task.setvariable variable=WORKSPACE]$WORKSPACE"
+          echo "##vso[task.setvariable variable=ACTION_PR_NUMBER]$(ACTION_PR_NUMBER)"
+        displayName: Set workspace tag
+
+      - template: "azure/components/aws-assume-role.yml@common"
+        parameters:
+            role: "auto-ops"
+            profile: "apim-dev"
+            aws_account: "dev"
+
+      - bash: |
+          echo "##vso[task.setvariable variable=AWS_DEFAULT_REGION]eu-west-2"
+        displayName: Set AWS default region
+
+      - bash: |
+          export AWS_PROFILE=apim-dev
+          account_id="$(aws sts get-caller-identity --query Account --output text)"
+
+          cd terraform
+          terraform workspace select $(WORKSPACE)
+          make init && make destroy aws_account_no=${account_id} environment=$(WORKSPACE)
+        displayName: Destroy terraform PR workspace and linked resources
+        retryCountOnTaskFailure: 2

azure/templates/build.yml

@@ -3,4 +3,13 @@ steps:
       BUILDKIT_PROGRESS=plain docker build --target test -t imms-batch-build -f batch.Dockerfile .
 
     displayName: Test lambda code
-    workingDirectory: "$(Pipeline.Workspace)/s/immunisation-batch/batch"
+    workingDirectory: "$(Pipeline.Workspace)/s/$(SERVICE_NAME)/batch"
+  - bash: |
+      mkdir -p build
+      npm run publish 2> /dev/null
+      cp build/immunisation-batch.json sandbox/
+
+        cd sandbox
+      docker build -t sandbox .
+    displayName: Build sandbox image
+    workingDirectory: "$(Pipeline.Workspace)/s/$(SERVICE_NAME)"

azure/templates/post-deploy.yml

@@ -73,89 +73,4 @@ steps:
       fi
     displayName: Apply Terraform
     workingDirectory: "$(Pipeline.Workspace)/s/$(SERVICE_NAME)/$(SERVICE_ARTIFACT_NAME)"
-    retryCountOnTaskFailure: 2
-
-  - bash: |
-      set -ex
-      if ! [[ $APIGEE_ENVIRONMENT =~ .*-*sandbox ]]; then
-        counter=0
-        base_path="$SERVICE_BASE_PATH"
-
-        endpoint="https://${APIGEE_ENVIRONMENT}.api.service.nhs.uk/${base_path}/_status"
-        while [[ $counter -lt 11 ]]; do
-          response=$(curl -H "apikey: $(status-endpoint-api-key)" -s "$endpoint")
-          response_code=$(jq -r '.checks.healthcheck.responseCode' <<< "$response")
-          response_body=$(jq -r '.checks.healthcheck.outcome' <<< "$response")
-          if [ "$response_code" -eq 200 ] && [ "$response_body" == "OK" ]; then
-              echo "Status test successful"
-              break
-          else
-              echo "Waiting for $endpoint to return a 200 response with 'OK' body..."
-              ((counter=counter+1)) # Increment counter by 1
-              echo "Attempt $counter"
-              sleep 30
-          fi
-        done
-        if [ $counter -eq 11 ]; then
-            echo "Status test failed: Maximum number of attempts reached"
-            exit 1
-        fi
-      fi
-    displayName: Waiting for TF resources to be UP
-    workingDirectory: "$(Pipeline.Workspace)/s/$(SERVICE_NAME)/$(SERVICE_ARTIFACT_NAME)"
-
-  - bash: |
-      set -e
-      export RELEASE_RELEASEID=$(Build.BuildId)
-      export SOURCE_COMMIT_ID=$(Build.SourceVersion)
-      export APIGEE_ENVIRONMENT="$(ENVIRONMENT)"
-      export APIGEE_USERNAME=apm-testing-internal-dev@nhs.net
-      export SERVICE_BASE_PATH="$(SERVICE_BASE_PATH)"
-      export APIGEE_ACCESS_TOKEN="$(secret.AccessToken)"
-      export PROXY_NAME="$(FULLY_QUALIFIED_SERVICE_NAME)"
-      export STATUS_API_KEY="$(status-endpoint-api-key)"
-      export AWS_DOMAIN_NAME="$(AWS_DOMAIN_NAME)"
-      export APIGEE_APP_ID=973b20ff-6e57-4248-b94f-200a18a03e37
-      echo "api key- $STATUS_API_KEY"
-
-      #Exporting the same profile with which Terraform got deployed
-      export AWS_PROFILE=apim-dev
-      aws_account_no="$(aws sts get-caller-identity --query Account --output text)"
-      echo aws_account_no: $aws_account_no
-
-      poetry lock --no-update
-      poetry install
-
-      test_cmd="poetry run python -m unittest"
-      # Run test_deployment before doing anything. This will wait until deployment is ready
-      $test_cmd -c -v -k test_deployment
-
-      if [[ $APIGEE_ENVIRONMENT =~ .*-*sandbox ]]; then
-        echo "Sandbox env tests"
-        echo "running: $test_cmd -c -v -k test_proxy.TestProxyHealthcheck -k test_deployment"
-        $test_cmd -c -v -k test_proxy.TestProxyHealthcheck -k test_deployment
-
-      elif [[ $APIGEE_ENVIRONMENT == "ref" ]]; then
-        echo "running: $test_cmd -v -c test_deployment.py test_proxy.py"
-        $test_cmd -v -c test_deployment.py test_proxy.py
-
-      elif [[ $APIGEE_ENVIRONMENT == "int" ]]; then
-        export DEFAULT_CLIENT_ID="$(INT_CLIENT_ID)"
-        export DEFAULT_CLIENT_SECRET="$(INT_CLIENT_SECRET)"
-        echo "running: $test_cmd -v -c test_deployment.py test_proxy.py"
-        $test_cmd -v -c test_deployment.py test_proxy.py
-
-      else
-        echo "running: $test_cmd -v -c"
-        $test_cmd -v -c
-      fi
-
-    workingDirectory: "$(Pipeline.Workspace)/s/$(SERVICE_NAME)/$(SERVICE_ARTIFACT_NAME)/e2e"
-    displayName: Run full test suite
-
-  - task: PublishTestResults@2
-    displayName: 'Publish test results'
-    condition: always()
-    inputs:
-      testResultsFiles: '$(Pipeline.Workspace)/s/$(SERVICE_NAME)/$(SERVICE_ARTIFACT_NAME)/tests/test-report.xml'
-      failTaskOnFailedTests: true
+    retryCountOnTaskFailure: 2

terraform/route53.tf

@@ -0,0 +1,15 @@
+locals {
+  zone_subdomain = var.project_short_name
+}
+
+data "aws_route53_zone" "root_zone" {
+  name = var.root_domain_name
+}
+
+locals {
+  project_zone_name = "${local.zone_subdomain}.${data.aws_route53_zone.root_zone.name}"
+}
+
+data "aws_route53_zone" "project_zone" {
+  name    = local.project_zone_name
+}