DCMAW-11057: Push STS test image to dev and build #338

Merged: 24 commits, Jan 24, 2025
24 commits:
dc49f1a  DCMAW-11057: Push STS test image to dev and build  (sandymay-dd, Jan 15, 2025)
f0bf11e  DCMAW-11057: Use nvmrc for Node version  (sandymay-dd, Jan 15, 2025)
f031718  DCMAW-11057: move directory to env parameter  (sandymay-dd, Jan 15, 2025)
1e85802  DCMAW-11057: move from secrets to inputs  (sandymay-dd, Jan 15, 2025)
e1db5a3  DCMAW-10057: env fix  (sandymay-dd, Jan 15, 2025)
b81efa7  DCMAW-11057: fix working directory  (sandymay-dd, Jan 15, 2025)
f36a7d3  DCMAW-11057: try secrets  (sandymay-dd, Jan 15, 2025)
f8d1cd9  DCMAW-11057: fix cosign ref  (sandymay-dd, Jan 15, 2025)
80b3a59  DCMAW-11057: uncomment for testing  (sandymay-dd, Jan 15, 2025)
911a814  DCMAW-11057: fix nvmrc dir  (sandymay-dd, Jan 15, 2025)
b5a94f7  DCMAW-11057: add containerised test suite  (sandymay-dd, Jan 16, 2025)
b43d657  Merge branch 'main' into DCMAW-11057  (sandymay-dd, Jan 16, 2025)
1b11f75  DCMAW-11057: re-enable the rest of the workflow post testing  (sandymay-dd, Jan 16, 2025)
2af04ba  DCMAW-11057: rename workflow file  (sandymay-dd, Jan 20, 2025)
7a4d238  Merge branch 'main' into DCMAW-11057  (sandymay-dd, Jan 20, 2025)
c5937f7  DCMAW-11057: remove unneeded steps  (sandymay-dd, Jan 20, 2025)
460d12c  DCMAW-11057: clean up dockerfile  (sandymay-dd, Jan 20, 2025)
6b33411  DCMAW-11057: testing  (sandymay-dd, Jan 20, 2025)
6374ffe  DCMAW-11057: remove node setup  (sandymay-dd, Jan 20, 2025)
cc027f7  DCMAW-11057: undo testing changes  (sandymay-dd, Jan 20, 2025)
b577597  DCMAW-11057: grammar  (sandymay-dd, Jan 20, 2025)
0715ee1  Merge branch 'main' into DCMAW-11057  (sandymay-dd, Jan 23, 2025)
c3eacd6  DCMAW-11057: update ECR secret name to include URI  (sandymay-dd, Jan 24, 2025)
ecaeeaa  Merge branch 'main' into DCMAW-11057  (sandymay-dd, Jan 24, 2025)
58 changes: 58 additions & 0 deletions .github/workflows/job-build-and-push-test-image.yml
@@ -0,0 +1,58 @@
name: Build, Sign, Push and Tag test image

on:
workflow_call:
inputs:
WORKING_DIRECTORY:
required: true
type: string
secrets:
GH_ACTIONS_ROLE_ARN:
required: true
TEST_IMAGE_REPOSITOR_URI:
required: true
CONTAINER_SIGN_KMS_KEY:
required: true

jobs:
build-and-push:
name: build-and-push
runs-on: ubuntu-24.04
env:
IMAGE_TAG: latest
defaults:
run:
shell: bash
working-directory: ${{ inputs.WORKING_DIRECTORY }}
steps:
- name: Check out repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
submodules: true
fetch-depth: 0

- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0
with:
cosign-release: 'v1.9.0'

- name: Authenticate with AWS
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4.0.2
with:
aws-region: eu-west-2
role-to-assume: ${{ secrets.GH_ACTIONS_ROLE_ARN }}

- name: Login to AWS ECR
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 #v2.0.1

- name: Build image
run: |
docker build -t ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG .

- name: Push image
run: |
docker push ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG

- name: Sign image
run: |
cosign sign --key awskms:///${{ secrets.CONTAINER_SIGN_KMS_KEY }} ${{ secrets.TEST_IMAGE_REPOSITOR_URI }}:$IMAGE_TAG
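Review bot: the `Sign image` step signs the mutable `latest` tag rather than the digest that was just pushed, so the signature binds to whatever `latest` resolves to at signing time, and the next push to the same tag (which this workflow does on every run) leaves the old signature attached to an image nobody can reach by tag any more. Capture the digest after `docker push` (for example `docker inspect --format '{{index .RepoDigests 0}}' "$IMAGE_REF"`) and sign `REPOSITORY_URI@sha256:...`, then verify by digest on the consuming side. Three smaller points in the same hunk: the secret is spelled `TEST_IMAGE_REPOSITOR_URI` (missing `Y`) in the `workflow_call` block and in the build, push and sign steps, while every value the callers pass in is named `..._TEST_IMAGE_REPOSITORY_URI`, so the typo becomes part of the reusable workflow's interface; `${{ secrets.* }}` is interpolated straight into `run:` scripts instead of going through `env:` as the removed inline jobs did, and because the ECR URI is held as a secret it will also be masked as `***` in every log line, which makes a failed push hard to read (an ECR repository URI is not sensitive and fits better as an input); and `cosign-release: 'v1.9.0'` pins the 1.x line when 2.x has been the current series since 2023, so an upgrade is worth a follow-up. `fetch-depth: 0` is also more than a `docker build` of the working tree needs.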
143 changes: 33 additions & 110 deletions .github/workflows/sts-mock-push-to-main.yml
@@ -14,14 +14,15 @@ permissions:
contents: read
id-token: write

defaults:
run:
shell: bash
working-directory: sts-mock

jobs:
sonar-scan:
name: Run tests and Sonar scan
runs-on: ubuntu-22.04
defaults:
run:
shell: bash
working-directory: sts-mock
steps:
- name: Check out repository code
uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main
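Review bot: `actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main` in the `sonar-scan` job is pinned to a commit on `main` rather than to a tagged release, while the reusable workflow added in this PR pins `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2`; pin both to the same release SHA so a dependency bot can bump them together. With `defaults.run` moved from the workflow level into each job, `working-directory: sts-mock` now has to be repeated in every job that runs shell steps, and a job that omits it will silently run from the repository root; a one-line comment at the top of the file explaining why it is per-job would stop the next editor from hoisting it back.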
@@ -51,70 +52,31 @@ jobs:
with:
projectBaseDir: sts-mock

# build-and-push-test-image-to-dev:
# name: Build and push test image to Dev
# needs: sts-mock-tests-and-sonar-scan
# runs-on: ubuntu-22.04
# env:
# STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }}
# DEV_CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}
# IMAGE_TAG: latest
# defaults:
# run:
# shell: bash
# working-directory: sts-mock
# steps:
# - name: Check out repository code
# uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main
# with:
# submodules: true
# fetch-depth: 0

# - name: Build test image
# run: |
# docker build -t $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG .

# - name: Configure AWS credentials for DEV
# uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main
# with:
# aws-region: eu-west-2
# role-to-assume: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }}

# - name: Login to Amazon ECR DEV
# uses: aws-actions/amazon-ecr-login@a81a5945e74802f35ca53aa274a9e00436e6210e #main

# - name: Push image to DEV
# run: |
# docker push $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG

# - name: Install Cosign
# uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #main
# with:
# cosign-release: 'v1.9.0'

# - name: Code sign the Docker image
# id: cosign-image
# run: |
# cosign sign --key awskms:///$DEV_CONTAINER_SIGN_KMS_KEY $STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG
test-image-dev:
name: build and push test image to dev
uses:
./.github/workflows/job-build-and-push-test-image.yml
with:
WORKING_DIRECTORY: sts-mock
secrets:
GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_DEV_GH_ACTIONS_ROLE_ARN }}
TEST_IMAGE_REPOSITOR_URI: ${{ secrets.STS_MOCK_DEV_TEST_IMAGE_REPOSITORY_URI }}
CONTAINER_SIGN_KMS_KEY: ${{ secrets.DEV_CONTAINER_SIGN_KMS_KEY }}

build-and-upload-sam-artifact-to-dev:
name: Validate & upload S3 artifact to dev
runs-on: ubuntu-22.04
needs: sonar-scan
defaults:
run:
shell: bash
working-directory: sts-mock
needs: test-image-dev
steps:
- name: Check out repository code
uses: actions/checkout@v4
with:
submodules: true

- name: Setup nodeJS v20
uses: actions/setup-node@v4
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
with:
node-version: 20
node-version-file: '.nvmrc'
cache: npm
cache-dependency-path: sts-mock/package-lock.json
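Review bot: `needs: test-image-dev` replaces `needs: sonar-scan` on `build-and-upload-sam-artifact-to-dev`, and the new `test-image-dev` job declares no `needs:` at all, so nothing in this workflow waits for `sonar-scan` any more: the test image is built, pushed to the dev ECR and signed with the dev KMS key in parallel with the tests, and the SAM artifact is uploaded even when they fail, where previously the upload was gated on the scan. Add `needs: sonar-scan` to `test-image-dev`, or `needs: [sonar-scan, test-image-dev]` on the SAM job. (The removed commented-out job carried `needs: sts-mock-tests-and-sonar-scan`, an id that no longer matches anything, so it would not have helped either.) The same hunk leaves `actions/checkout@v4` unpinned in the SAM job right next to the now SHA-pinned `actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0`; pin it the same way.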

@@ -147,70 +109,31 @@ jobs:
template-file: .aws-sam/build/template.yaml
working-directory: sts-mock

# build-and-push-test-image-to-build:
# name: Build and push test image to Build
# needs: sts-mock-tests-and-sonar-scan
# runs-on: ubuntu-22.04
# env:
# STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }}
# BUILD_CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}
# IMAGE_TAG: latest
# defaults:
# run:
# shell: bash
# working-directory: sts-mock
# steps:
# - name: Check out repository code
# uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 #main
# with:
# submodules: true
# fetch-depth: 0

# - name: Build test image
# run: |
# docker build -t $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG .

# - name: Configure AWS credentials for BUILD
# uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 #main
# with:
# aws-region: eu-west-2
# role-to-assume: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }}

# - name: Login to Amazon ECR BUILD
# uses: aws-actions/amazon-ecr-login@a81a5945e74802f35ca53aa274a9e00436e6210e #main

# - name: Push image to BUILD
# run: |
# docker push $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG

# - name: Install Cosign
# uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #main
# with:
# cosign-release: 'v1.9.0'

# - name: Code sign the Docker image
# id: cosign-image
# run: |
# cosign sign --key awskms:///$BUILD_CONTAINER_SIGN_KMS_KEY $STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI:$IMAGE_TAG
test-image-build:
name: build and push test image to build
uses:
./.github/workflows/job-build-and-push-test-image.yml
with:
WORKING_DIRECTORY: sts-mock
secrets:
GH_ACTIONS_ROLE_ARN: ${{ secrets.STS_MOCK_BUILD_GH_ACTIONS_ROLE_ARN }}
TEST_IMAGE_REPOSITOR_URI: ${{ secrets.STS_MOCK_BUILD_TEST_IMAGE_REPOSITORY_URI }}
CONTAINER_SIGN_KMS_KEY: ${{ secrets.BUILD_CONTAINER_SIGN_KMS_KEY }}

build-and-upload-sam-artifact-to-build:
name: Validate & upload S3 artifact to Build
runs-on: ubuntu-22.04
needs: sonar-scan
defaults:
run:
shell: bash
working-directory: sts-mock
needs: test-image-build
steps:
- name: Check out repository code
uses: actions/checkout@v4
with:
submodules: true

- name: Setup nodeJS v20
uses: actions/setup-node@v4
- name: Setup Node
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af #v4.1.0
with:
node-version: 20
node-version-file: '.nvmrc'
cache: npm
cache-dependency-path: sts-mock/package-lock.json
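Review bot: same dependency gap as the dev stage: `needs: test-image-build` replaces `needs: sonar-scan` on `build-and-upload-sam-artifact-to-build`, and `test-image-build` has no `needs:`, so the build account's ECR receives a pushed and signed `latest` image on every push to `main` regardless of the test and scan outcome; add `needs: sonar-scan` to `test-image-build`. `test-image-dev` and `test-image-build` also run two independent `docker build`s from the same commit, which can yield two different image digests signed with two different keys; if the build image is meant to be a promotion of the dev one, build once and re-tag and re-sign the same digest. `actions/checkout@v4` here should be SHA-pinned like the other actions in this file.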

20 changes: 20 additions & 0 deletions sts-mock/Dockerfile
@@ -0,0 +1,20 @@
FROM node:iron-alpine

RUN adduser --disabled-password test
RUN chown test .

RUN apk upgrade && apk update; apk add --no-cache bash aws-cli && aws --version

WORKDIR /sts-mock

COPY package.json package-lock.json ./
RUN npm clean-install --no-scripts

COPY tests/ ./tests/
COPY jest.config.ts tsconfig.json ./

COPY run-tests.sh /
RUN chmod 005 /run-tests.sh
USER test

ENTRYPOINT ["/run-tests.sh"]
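Review bot: `RUN chown test .` runs before `WORKDIR /sts-mock`, so `.` is still the image's default working directory `/`; the line hands ownership of the root directory to the unprivileged `test` user and leaves `/sts-mock`, created by the later `WORKDIR`, owned by root. Move the `WORKDIR` above it, or drop the `chown` and use `COPY --chown=test:test ...` for whatever the test user must write (a `results` directory under `/sts-mock`, if that is where the jest reporter writes); as written, the `--user root` override in `run-tests-locally.sh` looks like a workaround for exactly this. Smaller points: `apk upgrade && apk update;` upgrades against a stale index and the `;` lets a failure there pass, so `apk update && apk upgrade && apk add --no-cache bash aws-cli` is the intended order; `chmod 005 /run-tests.sh` grants the file no owner permissions at all and `0555` says what is meant; and `FROM node:iron-alpine` floats with the upstream tag while every action in this PR is SHA-pinned, so pin the base image to a digest (`node:iron-alpine@sha256:...`) for the same reproducibility. `npm clean-install --no-scripts` is the right choice for a test image and worth keeping.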
35 changes: 35 additions & 0 deletions sts-mock/run-tests-locally.sh
@@ -0,0 +1,35 @@
#!/bin/bash
set -eu

stack_name=${1:-mob-sts-mock}

echo "Running tests against ${stack_name}"

rm -rf docker-vars.env

export AWS_DEFAULT_REGION="eu-west-2"
TEST_REPORT_DIR="results"
ENVIRONMENT="dev"

aws cloudformation describe-stacks \
--stack-name "$stack_name" \
--query 'Stacks[0].Outputs[].{key: OutputKey, value: OutputValue}' \
--output text >cf-output.txt

eval $(awk '{ printf("export CFN_%s=\"%s\"\n", $1, $2) }' cf-output.txt)
awk '{ printf("CFN_%s=\"%s\"\n", $1, $2) }' cf-output.txt >>docker-vars.env

{
echo TEST_REPORT_DIR="$TEST_REPORT_DIR"
echo TEST_REPORT_ABSOLUTE_DIR="/results"
echo TEST_ENVIRONMENT="$ENVIRONMENT"
echo SAM_STACK_NAME="$stack_name"
} >>docker-vars.env

docker build --tag testcontainer .

docker run --rm --interactive --tty \
--user root \
--env-file docker-vars.env \
--volume "$(pwd):/results" \
testcontainer
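Review bot: `eval $(awk ...)` executes every CloudFormation output value as shell source: the `awk` wraps `$2` in double quotes without escaping it, so an output containing `"`, `$(...)` or a backtick runs in the developer's shell. Nothing after that line uses the exported `CFN_*` variables (they reach the container only through `--env-file`), so the `eval` can be deleted outright. The second `awk` is also why `run-tests.sh` needs its `remove_quotes` helper: Docker passes env-file values verbatim, quotes included, so writing `printf("CFN_%s=%s\n", $1, $2)` removes the need for it (note that `$2` also truncates any output value containing whitespace). `--volume "$(pwd):/results"` mounts the whole `sts-mock` checkout read-write into a container that `--user root` runs as root, when the only thing written back is `results/`; mount `"$(pwd)/results:/results"` instead and drop `--user root` once the image's directory ownership is fixed. `cf-output.txt` is left behind in the working tree; a `trap 'rm -f cf-output.txt docker-vars.env' EXIT` near the top would tidy both files on every exit path.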
15 changes: 15 additions & 0 deletions sts-mock/run-tests.sh
@@ -0,0 +1,15 @@
#!/bin/bash
set -eu

remove_quotes() {
echo "$1" | tr -d '"'
}

export STS_MOCK_API_URL=$(remove_quotes "$CFN_StsMockApiUrl")

if npm run test:api; then
cp -rf results "$TEST_REPORT_ABSOLUTE_DIR"
else
cp -rf results "$TEST_REPORT_ABSOLUTE_DIR"
exit 1
fi
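Review bot: both branches of the `if` copy `results` to `$TEST_REPORT_ABSOLUTE_DIR`, so the copy can run once and the exit status be preserved, e.g. `rc=0; npm run test:api || rc=$?; cp -rf results "$TEST_REPORT_ABSOLUTE_DIR"; exit "$rc"`, or a `trap 'cp -rf results "$TEST_REPORT_ABSOLUTE_DIR"' EXIT` at the top. `remove_quotes` exists only because the env file written by `run-tests-locally.sh` carries literal double quotes; once that file is written unquoted, `export STS_MOCK_API_URL="$CFN_StsMockApiUrl"` is enough. With `set -u`, a missing `CFN_StsMockApiUrl` aborts with a bare `unbound variable`; `: "${CFN_StsMockApiUrl:?CloudFormation output StsMockApiUrl not set}"` gives a clearer failure when the stack has no such output.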