DCMAW-11057: Push STS test image to dev and build (#338)

govuk-one-login · Jan 24, 2025 · f624de1 · f624de1
1 parent a9c5517
commit f624de1
Show file tree

Hide file tree

Showing 5 changed files with 161 additions and 110 deletions.
diff --git a/.github/workflows/job-build-and-push-test-image.yml b/.github/workflows/job-build-and-push-test-image.yml
@@ -0,0 +1,58 @@
+name: Build, Sign, Push and Tag test image
+
+on:
+  workflow_call:
+    inputs:
+      WORKING_DIRECTORY:
+        required: true
+        type: string
+    secrets:
+      GH_ACTIONS_ROLE_ARN:
+        required: true
+      TEST_IMAGE_REPOSITOR_URI:
+        required: true
+      CONTAINER_SIGN_KMS_KEY:
+        required: true
+
+jobs:
+  build-and-push:
+    name: build-and-push
+    runs-on: ubuntu-24.04
+    env:
+      IMAGE_TAG: latest
+    defaults:
+      run:
+        shell: bash
+        working-directory: ${{ inputs.WORKING_DIRECTORY }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          submodules: true
+          fetch-depth: 0
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0
+        with:
+          cosign-release: 'v1.9.0'
+
+      - name: Authenticate with AWS
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }}
+
+      - name: Login to AWS ECR
+        uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 #v2.0.1
+
+      - name: Build image
+        run: |
+          docker build -t ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG . 
+
+      - name: Push image
+        run: |
+          docker push ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG
+
+      - name: Sign image
+        run: |
+          cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG
diff --git a/.github/workflows/sts-mock-push-to-main.yml b/.github/workflows/sts-mock-push-to-main.yml
@@ -14,14 +14,15 @@ permissions:
   contents: read
   id-token: write
 
+defaults:
+  run:
+    shell: bash
+    working-directory: sts-mock
+
 jobs:
   sonar-scan:
     name: Run tests and Sonar scan
     runs-on: ubuntu-22.04
-    defaults:
-      run:
-        shell: bash
-        working-directory: sts-mock
     steps:
       - name: Check out repository code
         uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main
@@ -51,70 +52,31 @@ jobs:
         with:
           projectBaseDir: sts-mock
 
-  # build-and-push-test-image-to-dev:
-  #   name: Build and push test image to Dev
-  #   needs: sts-mock-tests-and-sonar-scan
-  #   runs-on: ubuntu-22.04
-  #   env:
-  #     STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }}      
-  #     DEV_CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
-  #     IMAGE_TAG: latest
-  #   defaults:
-  #     run:
-  #       shell: bash
-  #       working-directory: sts-mock
-  #   steps:
-  #   - name: Check out repository code
-  #     uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main
-  #     with:
-  #       submodules: true
-  #       fetch-depth: 0
-
-  #   - name: Build test image
-  #     run: |
-  #       docker build -t $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG . 
-
-  #   - name: Configure AWS credentials for DEV
-  #     uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main
-  #     with:
-  #       aws-region: eu-west-2
-  #       role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }}
-
-  #   - name: Login to Amazon ECR DEV
-  #     uses: aws-actions/amazon-ecr-login@a81a5945e74802f35ca53aa274a9e00436e6210e #main
-
-  #   - name: Push image to DEV
-  #     run: |
-  #       docker push $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG
-
-  #   - name: Install Cosign
-  #     uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #main
-  #     with:
-  #       cosign-release: 'v1.9.0'
-
-  #   - name: Code sign the Docker image
-  #     id: cosign-image             
-  #     run: |
-  #       cosign sign --key awskms:///$DEV_CONTAINER_SIGN_KMS_KEY $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG
+  test-image-dev:
+    name: build and push test image to dev
+    uses:
+      ./.github/workflows/job-build-and-push-test-image.yml
+    with:
+      WORKING_DIRECTORY: sts-mock
+    secrets:
+      GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }}
+      TEST_IMAGE_REPOSITOR_URI: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }}
+      CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
 
   build-and-upload-sam-artifact-to-dev:
     name: Validate & upload S3 artifact to dev
     runs-on: ubuntu-22.04
-    needs: sonar-scan
-    defaults:
-      run:
-        shell: bash
-        working-directory: sts-mock
+    needs: test-image-dev
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
         with:
           submodules: true
 
-      - name: Setup nodeJS v20
-        uses: actions/setup-node@v4
+      - name: Setup Node
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
         with:
-          node-version: 20
+          node-version-file: '.nvmrc'
           cache: npm
           cache-dependency-path: sts-mock/package-lock.json
 
@@ -147,70 +109,31 @@ jobs:
           template-file: .aws-sam/build/template.yaml
           working-directory: sts-mock
 
-  # build-and-push-test-image-to-build:
-  #   name: Build and push test image to Build
-  #   needs: sts-mock-tests-and-sonar-scan  
-  #   runs-on: ubuntu-22.04
-  #   env:
-  #     STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }}      
-  #     BUILD_CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}
-  #     IMAGE_TAG: latest
-  #   defaults:
-  #     run:
-  #       shell: bash
-  #       working-directory: sts-mock
-  #   steps:
-  #   - name: Check out repository code
-  #     uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main
-  #     with:
-  #       submodules: true
-  #       fetch-depth: 0
-
-  #   - name: Build test image
-  #     run: |
-  #       docker build -t $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG . 
-
-  #   - name: Configure AWS credentials for BUILD
-  #     uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main
-  #     with:
-  #       aws-region: eu-west-2
-  #       role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }}
-
-  #   - name: Login to Amazon ECR BUILD
-  #     uses: aws-actions/amazon-ecr-login@a81a5945e74802f35ca53aa274a9e00436e6210e #main
-
-  #   - name: Push image to BUILD
-  #     run: |
-  #       docker push $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG
-
-  #   - name: Install Cosign
-  #     uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #main
-  #     with:
-  #       cosign-release: 'v1.9.0'
-
-  #   - name: Code sign the Docker image
-  #     id: cosign-image             
-  #     run: |
-  #       cosign sign --key awskms:///$BUILD_CONTAINER_SIGN_KMS_KEY $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG
+  test-image-build:
+    name: build and push test image to build
+    uses:
+      ./.github/workflows/job-build-and-push-test-image.yml
+    with:
+      WORKING_DIRECTORY: sts-mock
+    secrets:
+      GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }}
+      TEST_IMAGE_REPOSITOR_URI: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }}
+      CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}
 
   build-and-upload-sam-artifact-to-build:
     name: Validate & upload S3 artifact to Build
     runs-on: ubuntu-22.04
-    needs: sonar-scan 
-    defaults:
-      run:
-        shell: bash
-        working-directory: sts-mock
+    needs: test-image-build
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
         with:
           submodules: true
 
-      - name: Setup nodeJS v20
-        uses: actions/setup-node@v4
+      - name: Setup Node
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
         with:
-          node-version: 20
+          node-version-file: '.nvmrc'
           cache: npm
           cache-dependency-path: sts-mock/package-lock.json
 

diff --git a/sts-mock/Dockerfile b/sts-mock/Dockerfile
@@ -0,0 +1,20 @@
+FROM node:iron-alpine
+
+RUN adduser --disabled-password test
+RUN chown test .
+
+RUN apk upgrade && apk update; apk add --no-cache bash aws-cli && aws --version
+
+WORKDIR /sts-mock
+
+COPY package.json package-lock.json ./
+RUN npm clean-install --no-scripts
+
+COPY tests/ ./tests/
+COPY jest.config.ts tsconfig.json ./
+
+COPY run-tests.sh /
+RUN chmod 005 /run-tests.sh
+USER test
+
+ENTRYPOINT ["/run-tests.sh"]
diff --git a/sts-mock/run-tests-locally.sh b/sts-mock/run-tests-locally.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+set -eu
+
+stack_name=${1:-mob-sts-mock}
+
+echo "Running tests against ${stack_name}"
+
+rm -rf docker-vars.env
+
+export AWS_DEFAULT_REGION="eu-west-2"
+TEST_REPORT_DIR="results"
+ENVIRONMENT="dev"
+
+aws cloudformation describe-stacks \
+  --stack-name "$stack_name" \
+  --query 'Stacks[0].Outputs[].{key: OutputKey, value: OutputValue}' \
+  --output text >cf-output.txt
+
+eval $(awk '{ printf("export CFN_%s=\"%s\"\n", $1, $2) }' cf-output.txt)
+awk '{ printf("CFN_%s=\"%s\"\n", $1, $2) }' cf-output.txt >>docker-vars.env
+
+{
+  echo TEST_REPORT_DIR="$TEST_REPORT_DIR"
+  echo TEST_REPORT_ABSOLUTE_DIR="/results"
+  echo TEST_ENVIRONMENT="$ENVIRONMENT"
+  echo SAM_STACK_NAME="$stack_name"
+} >>docker-vars.env
+
+docker build --tag testcontainer .
+
+docker run --rm --interactive --tty \
+  --user root \
+  --env-file docker-vars.env \
+  --volume "$(pwd):/results" \
+  testcontainer
diff --git a/sts-mock/run-tests.sh b/sts-mock/run-tests.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+set -eu
+
+remove_quotes() {
+  echo "$1" | tr -d '"'
+}
+
+export STS_MOCK_API_URL=$(remove_quotes "$CFN_StsMockApiUrl")
+
+if npm run test:api; then
+    cp -rf results "$TEST_REPORT_ABSOLUTE_DIR"
+else
+    cp -rf results "$TEST_REPORT_ABSOLUTE_DIR"
+    exit 1
+fi