-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #295 from ministryofjustice/DDLS-372
DDLS-372 move to OIDC in github actions
- Loading branch information
Showing
7 changed files
with
380 additions
and
285 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
name: "[Docker] Build and Push Images" | ||
|
||
defaults: | ||
run: | ||
shell: bash | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
branch_name: | ||
description: "Name of the branch doing the build" | ||
required: true | ||
type: string | ||
tag: | ||
description: "Tag for docker image" | ||
required: false | ||
default: "latest" | ||
type: string | ||
push_to_ecr: | ||
description: "Whether to push to ECR" | ||
required: false | ||
default: true | ||
type: boolean | ||
|
||
jobs: | ||
docker_build_scan_push: | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
include: | ||
- svc_name: "opg-incident-response" | ||
docker_file: "Dockerfile.response" | ||
- svc_name: "incident-response/nginx" | ||
docker_file: "Dockerfile.nginx" | ||
steps: | ||
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin@v3 | ||
|
||
- name: set up docker buildx | ||
uses: docker/setup-buildx-action@edfb0fe6204400c56fbfd3feba3fe9ad1adfa345 | ||
|
||
- name: export dates | ||
id: cache-dates | ||
run: | | ||
echo "cache_date_today=$(date +'%Y%m%d')" >> $GITHUB_OUTPUT | ||
echo "cache_date_yesterday=$(date -d 'yesterday' +'%Y%m%d')" >> $GITHUB_OUTPUT | ||
- name: cache docker layers | ||
id: cache-docker | ||
uses: actions/cache@8469c94c6a180dfb41a1bd7e1b46ac557ea124f1 # pin@v3.0.8 | ||
with: | ||
path: /tmp/.buildx-cache | ||
key: ${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_today }}-${{ github.sha }} | ||
restore-keys: | | ||
${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_today }} | ||
${{ matrix.svc_name }}-main-${{ steps.cache-dates.outputs.cache_date_today }} | ||
${{ matrix.svc_name }}-${{ inputs.branch_name }}-${{ steps.cache-dates.outputs.cache_date_yesterday }} | ||
${{ matrix.svc_name }}-main-${{ steps.cache-dates.outputs.cache_date_yesterday }} | ||
- name: install aws cli | ||
uses: unfor19/install-aws-cli-action@46282f151073130d90347412d9c4ef0640177f22 # pin@v1.0.3 | ||
|
||
- name: configure OIDC AWS credentials for ECR push | ||
if: ${{ github.actor != 'dependabot[bot]' }} | ||
uses: aws-actions/configure-aws-credentials@2cefa29f8797029f898b1baeff3e21a144128687 # pin@v1.7.0 | ||
with: | ||
role-to-assume: arn:aws:iam::311462405659:role/incident-response-gh-actions-ecr-push | ||
role-session-name: github-actions-ecr-push | ||
role-duration-seconds: 900 | ||
aws-region: eu-west-1 | ||
|
||
- name: build docker image | ||
env: | ||
IMAGE_NAME: ${{ matrix.svc_name }} | ||
DOCKERFILE: ${{ matrix.docker_file }} | ||
BRANCH_NAME: ${{ inputs.branch_name }} | ||
run: | | ||
if [ "${BRANCH_NAME}" == "main" ]; then | ||
docker buildx build \ | ||
-f ${DOCKERFILE} \ | ||
--cache-to=type=local,dest=/tmp/.buildx-cache-new \ | ||
--tag ${IMAGE_NAME}:latest \ | ||
--output type=docker \ | ||
. | ||
else | ||
docker buildx build \ | ||
-f ${DOCKERFILE} \ | ||
--cache-from=type=local,src=/tmp/.buildx-cache \ | ||
--cache-to=type=local,dest=/tmp/.buildx-cache-new \ | ||
--tag ${IMAGE_NAME}:latest \ | ||
--output type=docker \ | ||
. | ||
fi | ||
- name: Move cache | ||
run: | | ||
rm -rf /tmp/.buildx-cache | ||
mv /tmp/.buildx-cache-new /tmp/.buildx-cache | ||
- name: ecr login | ||
id: login_ecr | ||
uses: aws-actions/amazon-ecr-login@d5dd46d537c86e506335323688c342319bedcfe1 # pin@v1.5.1 | ||
with: | ||
registries: 311462405659 | ||
|
||
- name: show build tag | ||
env: | ||
IMAGE_TAG: ${{ inputs.tag }} | ||
run: echo "Tag to use - ${IMAGE_TAG}" | ||
|
||
- name: tag and push container | ||
if: ${{ github.actor != 'dependabot[bot]' }} | ||
env: | ||
ECR_REGISTRY: ${{ steps.login_ecr.outputs.registry }} | ||
IMAGE_TAG: ${{ inputs.tag }} | ||
IMAGE_NAME: ${{ matrix.svc_name }} | ||
BRANCH_NAME: ${{ inputs.branch_name }} | ||
run: | | ||
docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:$IMAGE_TAG | ||
if [[ "${BRANCH_NAME}" == "main" ]]; then | ||
docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:latest | ||
docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:main-$IMAGE_TAG | ||
fi | ||
docker push --all-tags $ECR_REGISTRY/$IMAGE_NAME |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
on: | ||
workflow_call: | ||
inputs: | ||
workspace: | ||
description: "Terraform workspace" | ||
required: true | ||
type: string | ||
image_tag: | ||
description: "Image tag to use" | ||
required: false | ||
type: string | ||
default: "" | ||
apply: | ||
description: "Whether to apply terraform" | ||
required: false | ||
type: boolean | ||
default: false | ||
account_name: | ||
required: false | ||
type: string | ||
default: development | ||
description: "Account to get credentials for" | ||
|
||
jobs: | ||
terraform_workflow: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin@v3 | ||
|
||
- uses: unfor19/install-aws-cli-action@46282f151073130d90347412d9c4ef0640177f22 # pin@v1.0.3 | ||
|
||
- id: terraform_version | ||
name: get terraform version | ||
uses: ministryofjustice/opg-github-actions/.github/actions/terraform-version@v3.0.8 | ||
with: | ||
terraform_directory: terraform | ||
|
||
- uses: hashicorp/setup-terraform@1b93182764c8332e7679b2393cb307cbe7baf9dc # pin@v2.0.0 | ||
with: | ||
terraform_version: ${{ steps.terraform_version.outputs.version }} | ||
terraform_wrapper: false | ||
|
||
- uses: terraform-linters/setup-tflint@v4 | ||
name: Setup TFLint | ||
with: | ||
tflint_version: v0.50.1 | ||
|
||
- name: configure OIDC AWS credentials for terraform | ||
uses: aws-actions/configure-aws-credentials@2cefa29f8797029f898b1baeff3e21a144128687 # pin@v1.7.0 | ||
with: | ||
role-to-assume: "arn:aws:iam::631181914621:role/oidc-incident-response-${{ inputs.account_name }}" | ||
role-session-name: github-actions-terraform-incident-response | ||
role-duration-seconds: 7400 | ||
aws-region: eu-west-1 | ||
|
||
- name: terraform format | ||
run: terraform fmt --check --recursive | ||
working-directory: terraform | ||
|
||
- name: TF Lint | ||
run: tflint --recursive | ||
working-directory: terraform | ||
|
||
- name: terraform init for environment | ||
env: | ||
TF_WORKSPACE: ${{ inputs.workspace }} | ||
run: terraform init -input=false | ||
working-directory: terraform | ||
|
||
- name: terraform plan | ||
env: | ||
TF_WORKSPACE: ${{ inputs.workspace }} | ||
TF_VAR_app_tag: ${{ inputs.image_tag }} | ||
run: | | ||
terraform workspace show | ||
terraform plan --lock-timeout=300s --parallelism=200 --out=${TF_WORKSPACE}.plan > ${TF_WORKSPACE}.log | ||
working-directory: terraform | ||
|
||
- name: output plan | ||
env: | ||
TF_WORKSPACE: ${{ inputs.workspace }} | ||
run: cat ${TF_WORKSPACE}.log | ||
working-directory: terraform | ||
|
||
- name: output concise plan | ||
env: | ||
TF_WORKSPACE: ${{ inputs.workspace }} | ||
run: cat ${TF_WORKSPACE}.log | grep '\.' | grep '#' || true | ||
working-directory: terraform | ||
|
||
- name: terraform apply | ||
if: inputs.apply | ||
env: | ||
TF_WORKSPACE: ${{ inputs.workspace }} | ||
TF_VAR_app_tag: ${{ inputs.image_tag }} | ||
CI: true | ||
run: terraform apply -parallelism=200 -lock-timeout=300s ${{ env.TF_WORKSPACE }}.plan | ||
working-directory: terraform |
This file was deleted.
Oops, something went wrong.
Oops, something went wrong.