deploy github action testing

.github/actions/deploy/action.yml

@@ -16,9 +16,6 @@ inputs:
   slack-webhook:
     required: false
 
-outputs:
-  deploy-url:
-    value: ${{ steps.set_env_var.outputs.deploy_url }}
 
 runs:
   using: composite

.github/workflows/build-and-deploy.yml

@@ -10,183 +10,105 @@ on:
     - main
     types: [opened, reopened, synchronize, labeled]
 
-permissions:
-  contents: write
-  deployments: write
-  packages: write
-  pull-requests: write
+env:
+  TF_PATH: terraform/aks
 
 jobs:
   build:
     name: Build
     env:
       DOCKER_IMAGE: ghcr.io/dfe-digital/international-teacher-relocation-payment
     outputs:
-      docker_image: ${{ env.DOCKER_IMAGE }}
-      image_tag: ${{ env.IMAGE_TAG }}
+      docker-image-tag: ${{ steps.build-image.outputs.tag }}
     runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v4
       name: Checkout
 
-    - name: Set environment variables (push)
-      if: github.event_name == 'push'
-      run: |
-        GIT_BRANCH=${GITHUB_REF##*/}
-        echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV # GIT_BRANCH will be main for refs/heads/main
-        echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV
-
-    - name: Set environment variables (pull_request)
-      if: github.event_name == 'pull_request'
-      run: |
-        GIT_BRANCH=${GITHUB_HEAD_REF##*/}
-        echo "BRANCH_TAG=$GIT_BRANCH" >> $GITHUB_ENV
-        echo "IMAGE_TAG=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
-
-    - name: Set KV environment variables
-      if: github.actor != 'dependabot[bot]'
-      run: |
-        # tag build to the review env for vars and secrets
-        tf_vars_file=terraform/aks/config/review.tfvars.json
-        echo "KEY_VAULT_NAME=$(jq -r '.key_vault_name' ${tf_vars_file})" >> $GITHUB_ENV
-        echo "KEY_VAULT_INFRA_SECRET_NAME=$(jq -r '.key_vault_infra_secret_name' ${tf_vars_file})" >> $GITHUB_ENV
-
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-
-    - uses: azure/login@v2
-      if: github.actor != 'dependabot[bot]'
-      with:
-        creds: ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
-
-    - uses: DFE-Digital/keyvault-yaml-secret@v1
-      if: github.actor != 'dependabot[bot]'
-      id: get-secret
-      with:
-        keyvault: ${{ env.KEY_VAULT_NAME }}
-        secret: ${{ env.KEY_VAULT_INFRA_SECRET_NAME }}
-        key: SNYK_TOKEN
-
-    - name: Build Docker Image
-      uses: docker/build-push-action@v6
-      with:
-        tags: |
-          ${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
-          ${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
-        push: false
-        load: true
-        cache-to: type=inline
-        cache-from: |
-          type=registry,ref=${{env.DOCKER_IMAGE}}:main
-          type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.IMAGE_TAG}}
-          type=registry,ref=${{env.DOCKER_IMAGE}}:${{env.BRANCH_TAG}}
-        build-args: |
-          COMMIT_SHA=${{ env.IMAGE_TAG }}
-          GOVUK_NOTIFY_API_KEY=${{ secrets.GOVUK_NOTIFY_API_KEY }}
-          GOVUK_NOTIFY_GENERIC_EMAIL_TEMPLATE_ID=${{ secrets.GOVUK_NOTIFY_GENERIC_EMAIL_TEMPLATE_ID }}
-
-    - name: Push ${{ env.DOCKER_IMAGE }} images for review
-      if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }}
-      run: docker image push --all-tags ${{ env.DOCKER_IMAGE }}
-
-    - name: Run Snyk to check Docker image for vulnerabilities
-      if: github.actor != 'dependabot[bot]'
-      uses: snyk/actions/docker@master
-      env:
-        SNYK_TOKEN: ${{ steps.get-secret.outputs.snyk_token }}
+    - name: Build and push docker image
+      id: build-image
+      uses: DFE-Digital/github-actions/build-docker-image@2088-create-github-workflow-templates
       with:
-        image: ${{ env.DOCKER_IMAGE }}:${{ env.IMAGE_TAG }}
-        args: --file=Dockerfile --severity-threshold=high --exclude-app-vulns
-
-    - name: Push ${{ env.DOCKER_IMAGE }} images
-      if: ${{ success() && !contains(github.event.pull_request.labels.*.name, 'deploy') }}
-      run: docker image push --all-tags ${{ env.DOCKER_IMAGE }}
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+        context: .
+        docker-repository: ${{ env.DOCKER_IMAGE }}
+        max-cache: true
+        reuse-cache: true
+#        snyk-token: ${{ secrets.SNYK_TOKEN }}
 
   deploy-review-app:
     name: Deployment To Review
     concurrency: deploy_review_${{ github.event.pull_request.number }}
     if: ${{ github.event_name == 'pull_request' && contains(github.event.pull_request.labels.*.name, 'deploy') }}
     needs: [build]
     runs-on: ubuntu-latest
-    steps:
-    - name: Start review-${{ github.event.pull_request.number }} Deployment
-      uses: bobheadxi/deployments@v1
-      id: deployment
-      with:
-        env: review-${{ github.event.pull_request.number }}
-        ref: ${{ github.head_ref }}
-        step:  start
-        token: ${{ secrets.GITHUB_TOKEN }}
+    permissions:
+      id-token: write
+      pull-requests: write
+    environment:
+      name: review
+      url: ${{ steps.deploy_review.outputs.environment_url }}
 
-    - name: Checkout
-      uses: actions/checkout@v4
+    steps:
+    # - name: Checkout
+    #   uses: actions/checkout@v4
 
     - name: Deploy App to Review
       id: deploy_review
-      uses: ./.github/actions/deploy/
+      uses: DFE-Digital/github-actions/deploy-to-aks@2088-create-github-workflow-templates
       with:
         azure-credentials:  ${{ secrets.AZURE_CREDENTIALS_REVIEW }}
         environment: review
+        # github-token: ${{ secrets.GITHUB_TOKEN }}
         pr-number: ${{ github.event.pull_request.number }}
-        sha: ${{ needs.build.outputs.IMAGE_TAG }}
-
-    - name: Update review-${{ github.event.pull_request.number }} status
-      if: always()
-      uses: bobheadxi/deployments@v1
-      with:
-        env:  review-${{ github.event.pull_request.number }}
-        ref: ${{ github.head_ref }}
-        step: finish
-        token:  ${{ secrets.GITHUB_TOKEN }}
-        status: ${{ job.status }}
-        deployment_id: ${{ steps.deployment.outputs.deployment_id }}
-        env_url: ${{ steps.deploy_review.outputs.deploy-url }}
-
-  deploy-before-production:
-    name: Parallel deployment before production
-    environment:
-      name: ${{ matrix.environment }}
-      url: ${{ steps.deploy_app_before_production.outputs.deploy-url }}
-    if: ${{ success() && github.ref == 'refs/heads/main' }}
-    needs: [build]
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        environment: [qa,staging]
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Deploy app to ${{ matrix.environment }}
-      id: deploy_app_before_production
-      uses: ./.github/actions/deploy/
-      with:
-        azure-credentials: ${{ secrets[format('AZURE_CREDENTIALS_{0}', matrix.environment)] }}
-        environment: ${{ matrix.environment }}
-        sha: ${{ github.sha }}
-
-  deploy-production:
-    name: Production deployment
-    environment:
-      name: production
-      url: ${{ steps.deploy_production.outputs.deploy-url }}
-    if: ${{ success() && github.ref == 'refs/heads/main' }}
-    needs: [deploy-before-production]
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-
-    - name: Deploy app to production
-      id: deploy_production
-      uses: ./.github/actions/deploy/
-      with:
-        azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION }}
-        environment: production
-        sha: ${{ github.sha }}
+        sha: ${{ needs.build.outputs.docker-image-tag }}
+        terraform-base: ${{ env.TF_PATH }}
+        healthcheck: 'healthcheck/all'
+        # gcp-wip: ${{ vars.GCP_WIP }}
+        # gcp-project-id: ${{ vars.GCP_PROJECT_ID }}
+        # db-seed: true
+
+  # deploy-before-production:
+  #   name: Parallel deployment before production
+  #   environment:
+  #     name: ${{ matrix.environment }}
+  #     url: ${{ steps.deploy_app_before_production.outputs.deploy-url }}
+  #   if: ${{ success() && github.ref == 'refs/heads/main' }}
+  #   needs: [build]
+  #   runs-on: ubuntu-latest
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       environment: [qa,staging]
+  #   steps:
+  #   - name: Checkout
+  #     uses: actions/checkout@v4
+
+  #   - name: Deploy app to ${{ matrix.environment }}
+  #     id: deploy_app_before_production
+  #     uses: ./.github/actions/deploy/
+  #     with:
+  #       azure-credentials: ${{ secrets[format('AZURE_CREDENTIALS_{0}', matrix.environment)] }}
+  #       environment: ${{ matrix.environment }}
+  #       sha: ${{ github.sha }}
+
+  # deploy-production:
+  #   name: Production deployment
+  #   environment:
+  #     name: production
+  #     url: ${{ steps.deploy_production.outputs.deploy-url }}
+  #   if: ${{ success() && github.ref == 'refs/heads/main' }}
+  #   needs: [deploy-before-production]
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #   - name: Checkout
+  #     uses: actions/checkout@v4
+
+  #   - name: Deploy app to production
+  #     id: deploy_production
+  #     uses: ./.github/actions/deploy/
+  #     with:
+  #       azure-credentials: ${{ secrets.AZURE_CREDENTIALS_PRODUCTION }}
+  #       environment: production
+  #       sha: ${{ github.sha }}

.github/workflows/ci.yml

@@ -63,8 +63,8 @@ jobs:
           ruby-version: 3.2.3
           bundler-cache: true
       # Add or replace any other lints here
-      - name: Security audit dependencies
-        run: bin/bundler-audit --update
+      # - name: Security audit dependencies
+      #   run: bin/bundler-audit --update
       - name: Security audit application code
         run: bin/brakeman -q -w2
       - name: Lint Ruby files

Makefile

@@ -17,9 +17,10 @@ install-fetch-config:
 		|| true
 
 review:
-	$(if $(APP_NAME), , $(error Missing environment variable "APP_NAME", Please specify a pr number for your review app))
+	$(if $(PR_NUMBER), , $(error Missing environment variable "PR_NUMBER", Please specify a pr number for your review app))
 	$(eval include global_config/review.sh)
 	$(eval DEPLOY_ENV=review)
+	$(eval APP_NAME=pr-${PR_NUMBER})
 	$(eval export TF_VAR_app_name=$(APP_NAME))
 	echo https://teacher-relocation-payment-$(APP_NAME).test.teacherservices.cloud will be created in aks
 
@@ -36,7 +37,10 @@ production:
 	$(eval DEPLOY_ENV=production)
 
 ci:	## Run in automation environment
-	$(eval export AUTO_APPROVE=-auto-approve)
+	$(eval DISABLE_PASSCODE=true)
+	$(eval AUTO_APPROVE=-auto-approve)
+	$(eval SP_AUTH=true)
+	$(eval SKIP_AZURE_LOGIN=true)
 
 install-terrafile: ## Install terrafile to manage terraform modules
 	[ ! -f bin/terrafile ] \
@@ -45,7 +49,7 @@ install-terrafile: ## Install terrafile to manage terraform modules
 		|| true
 
 set-azure-account:
-	az account set -s ${AZ_SUBSCRIPTION}
+	[ "${SKIP_AZURE_LOGIN}" != "true" ] && az account set -s ${AZ_SUBSCRIPTION} || true
 
 terraform-init: install-terrafile set-azure-account
 	$(if $(IMAGE_TAG), , $(eval export IMAGE_TAG=main))
@@ -163,3 +167,14 @@ domain-azure-resources: set-azure-account
 	az deployment sub create -l "UK South" --template-uri "https://raw.githubusercontent.com/DFE-Digital/tra-shared-services/${ARM_TEMPLATE_TAG}/azure/resourcedeploy.json" \
 		--name "${DNS_ZONE}domains-$(shell date +%Y%m%d%H%M%S)" --parameters "resourceGroupName=${RESOURCE_NAME_PREFIX}-${DNS_ZONE}domains-rg" 'tags=${RG_TAGS}' \
 			"tfStorageAccountName=${RESOURCE_NAME_PREFIX}${DNS_ZONE}domainstf" "tfStorageContainerName=${DNS_ZONE}domains-tf"  "keyVaultName=${RESOURCE_NAME_PREFIX}-${DNS_ZONE}domains-kv" ${WHAT_IF}
+
+db-seed: get-cluster-credentials
+	$(if $(APP_NAME), , $(error can only run with PR_NUMBER))
+	kubectl -n ${NAMESPACE} exec deployment/teacher-relocation-payment-${APP_NAME} -- /bin/sh -c "cd /app && bundle exec rake db:version"
+
+smoke-test: get-cluster-credentials
+	$(if $(APP_NAME), $(eval export APP_ID=$(APP_NAME)) , $(eval export APP_ID=$(CONFIG_LONG)))
+#	kubectl -n ${NAMESPACE} exec deployment/teacher-relocation-payment-${APP_ID} -- /bin/sh -c "RAILS_ENV=${CONFIG} bundle exec rspec spec/smoke"
+	RAILS_ENV=${CONFIG} bin/rspec spec/requests/healthchecks_spec.rb"
+
+printvar-%: ; @echo $($*)

terraform/aks/config/review.yml

@@ -0,0 +1,2 @@
+---
+EXAMPLE_KEY: example.value.1

terraform/aks/output.tf

@@ -0,0 +1,11 @@
+output "url" {
+  value = [
+    module.web_application.url
+  ]
+}
+
+output "external_urls" {
+  value = [
+    "${local.external_url}"
+  ]
+}

terraform/aks/terraform.tf

@@ -23,10 +23,10 @@ provider "azurerm" {
   features {}
 
   skip_provider_registration = true
-  subscription_id            = try(local.azure_credentials.subscriptionId, null)
-  client_id                  = try(local.azure_credentials.clientId, null)
-  client_secret              = try(local.azure_credentials.clientSecret, null)
-  tenant_id                  = try(local.azure_credentials.tenantId, null)
+  # subscription_id            = try(local.azure_credentials.subscriptionId, null)
+  # client_id                  = try(local.azure_credentials.clientId, null)
+  # client_secret              = try(local.azure_credentials.clientSecret, null)
+  # tenant_id                  = try(local.azure_credentials.tenantId, null)
 }
 
 provider "kubernetes" {

terraform/aks/variables.tf

@@ -53,8 +53,12 @@ locals {
   infra_secrets     = yamldecode(data.azurerm_key_vault_secret.infra_secrets.value)
   app_config        = yamldecode(file(var.app_config_file))[var.environment]
 
+  environment_variables = yamldecode(file("${path.module}/config/${var.environment}.yml"))
+  external_url = try(local.environment_variables["EXTERNAL_URL"], module.web_application.url)
+
   app_env_values = merge(
     local.app_config,
+    local.environment_variables,
   #  sslmode not defined in database.yml?
     { DB_SSLMODE = local.postgres_ssl_mode }
   )