Merge branch 'main' into carl-9484-migrate-aws-to-v2

Author: carlpartridge

.github/workflows/build-and-publish-all.yml

@@ -0,0 +1,81 @@
+name: Build and Publish All
+
+on:
+  workflow_call:
+    inputs:
+      release_version:
+        description: 'Release version/tag (or branch name)'
+        required: true
+        type: string
+      ssas_release_version:
+          description: 'Release version/tag for bcda-ssas (or branch name)'
+          required: true
+          type: string
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Release version/tag (or branch name)'
+        required: true
+        type: string
+      ssas_release_version:
+        description: 'Release version/tag for bcda-ssas (or branch name)'
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  build_and_publish_api:
+    uses: ./.github/workflows/build-and-publish-api.yml
+    with:
+      release_version: ${{ inputs.release_version || 'main' }}
+    secrets: inherit
+
+  build_and_publish_worker:
+    uses: ./.github/workflows/build-and-publish-worker.yml
+    with:
+      release_version: ${{ inputs.release_version || 'main' }}
+    secrets: inherit
+
+  build_and_publish_ssas:
+    uses: CMSgov/bcda-ssas-app/.github/workflows/build-and-publish.yml@main
+    with:
+      ssas_release_version: ${{ inputs.ssas_release_version || 'main' }}
+    secrets: inherit
+  
+  post_build:
+    if: ${{ always() }}
+    name: Post Build (Cleanup, Alerts)
+    needs: [build_and_publish_api, build_and_publish_worker, build_and_publish_ssas]
+    runs-on: codebuild-bcda-app-${{github.run_id}}-${{github.run_attempt}}
+    steps:
+      - name: Success Alert
+        if: ${{ success() && needs.build_and_publish_api.result == 'success' && needs.build_and_publish_worker.result == 'success' && needs.build_and_publish_ssas.result == 'success' }}
+        uses: slackapi/slack-github-action@v2.0.0
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_BOT_TOKEN }}
+          # Sends to bcda-deploy
+          payload: |
+            channel: "C03S23MJFJS"
+            attachments:
+              - color: good
+                text: "SUCCESS: Build and Publish BCDA/SSAS (run: <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.run_id }}>)."
+                mrkdown_in:
+                  - text
+      - name: Failure Alert
+        if: ${{ failure() || needs.build_and_publish_api.result != 'success' || needs.build_and_publish_worker.result != 'success' || needs.build_and_publish_ssas.result != 'success' }}
+        uses: slackapi/slack-github-action@v2.0.0
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload: |
+            channel: "C03S23MJFJS"
+            attachments:
+              - color: danger
+                text: "FAILURE: Build and Publish BCDA/SSAS (run: <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.run_id }}>)."
+                mrkdown_in:
+                  - text
+                  

.github/workflows/build-and-publish-api.yml

@@ -0,0 +1,65 @@
+name: Build and publish BCDA
+
+on:
+  workflow_call:
+    inputs:
+      release_version:
+        description: 'Release version (or branch name)'
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Release version (or branch name)'
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  # FARGATE FIXME: unnecessary and causes errors when running ci_checks more than once for a single build
+  # This should be commented back in when build-and-package-all is no longer around.
+  # ci_checks:
+  #   uses: ./.github/workflows/ci-checks.yml
+  #   with:
+  #     release_version: ${{ inputs.release_version || 'main' }}
+  #   secrets: inherit
+
+  build_and_publish:
+    # needs: [ci_checks]
+    runs-on: codebuild-bcda-app-${{github.run_id}}-${{github.run_attempt}}
+    strategy:
+      matrix:
+        vars:
+          - account_id: NON_PROD_ACCOUNT_ID
+            role_to_assume: bcda-dev-github-actions
+          - account_id: PROD_ACCOUNT_ID
+            role_to_assume: bcda-prod-github-actions
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets[matrix.vars.account_id] }}:role/delegatedadmin/developer/${{ matrix.vars.role_to_assume }}
+      - name: Checkout BCDA
+        uses: actions/checkout@v4
+        with:
+          repository: CMSgov/bcda-app
+          ref: ${{ inputs.release_version }}
+      - name: Set ECR_URL
+        run: echo "ECR_URL=${{ secrets[matrix.vars.account_id] }}.dkr.ecr.us-east-1.amazonaws.com/bcda-api" >> $GITHUB_ENV
+      - name: Build BCDA
+        # Dont release main to prod, also make sure 'latest' in prod aligns with the latest release tag
+        if: ${{ matrix.vars.account_id == 'NON_PROD_ACCOUNT_ID' && inputs.release_version == 'main' }}
+        run: |
+          docker build \
+            --build-arg RELEASE_VERSION=${{ inputs.release_version || 'main' }} \
+            -t ${{ env.ECR_URL }}:latest \
+            -t ${{ env.ECR_URL }}:${{ inputs.release_version || 'main' }} \
+            -f Dockerfiles/Dockerfile.bcda .
+      - name: Push to ECR
+        if: ${{ matrix.vars.account_id == 'NON_PROD_ACCOUNT_ID' && inputs.release_version == 'main' }}
+        run: |
+          aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin '${{ env.ECR_URL }}'
+          docker image push '${{ env.ECR_URL }}' -a

.github/workflows/build-and-publish-worker.yml

@@ -0,0 +1,56 @@
+name: Build and publish Worker
+
+on:
+  workflow_call:
+    inputs:
+      release_version:
+        description: 'Release version (or branch name)'
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      release_version:
+        description: 'Release version (or branch name)'
+        required: true
+        type: string
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  build_and_publish:
+    runs-on: codebuild-bcda-app-${{github.run_id}}-${{github.run_attempt}}
+    strategy:
+      matrix:
+        vars:
+          - account_id: NON_PROD_ACCOUNT_ID
+            role_to_assume: bcda-dev-github-actions
+          - account_id: PROD_ACCOUNT_ID
+            role_to_assume: bcda-prod-github-actions
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets[matrix.vars.account_id] }}:role/delegatedadmin/developer/${{ matrix.vars.role_to_assume }}
+      - name: Checkout BCDA
+        uses: actions/checkout@v4
+        with:
+          repository: CMSgov/bcda-app
+          ref: ${{ inputs.release_version }}
+      - name: Set ECR_URL
+        run: echo "ECR_URL=${{ secrets[matrix.vars.account_id] }}.dkr.ecr.us-east-1.amazonaws.com/bcda-worker" >> $GITHUB_ENV
+      - name: Build Worker
+        # Dont release main to prod, also make sure 'latest' in prod aligns with the latest release tag
+        if: ${{ matrix.vars.account_id == 'NON_PROD_ACCOUNT_ID' && inputs.release_version == 'main' }}
+        run: |
+          docker build \
+            --build-arg RELEASE_VERSION=${{ inputs.release_version || 'main' }} \
+            -t ${{ env.ECR_URL }}:latest \
+            -t ${{ env.ECR_URL }}:${{ inputs.release_version || 'main' }} \
+            -f Dockerfiles/Dockerfile.bcdaworker .
+      - name: Push to ECR
+        if: ${{ matrix.vars.account_id == 'NON_PROD_ACCOUNT_ID' && inputs.release_version == 'main' }}
+        run: |
+          aws ecr get-login-password --region us-east-1 | docker login --username AWS --password-stdin '${{ env.ECR_URL }}'
+          docker image push '${{ env.ECR_URL }}' -a

.github/workflows/deploy-all.yml

@@ -163,18 +163,35 @@ jobs:
       - name: Install tenv
         uses: cmsgov/cdap/actions/setup-tenv@8343fb96563ce4b74c4dececee9b268f42bd4a40
       - name: Init, Plan OpenTofu
+        # FARGATE FIXUP: adding fargate vars to tf plan
+        if: ${{ env.RELEASE_ENV == 'dev' }}
+        working-directory: terraform/${{ env.RELEASE_ENV }}
+        run: |
+          IFS=":@" read -r -a STRS <<< ${{ env.DATABASE_URL }}
+          export APP_DB_PW=${STRS[2]}
+          tofu init
+          tofu plan \
+            -var 'env=${{ env.RELEASE_ENV }}' \
+            -var 'ami_id=${{ env.BCDA_AMI }}' \
+            -var 'worker_ami_id=${{ env.WORKER_AMI }}' \
+            -var 'instance_type=${{ vars.INSTANCE_CLASS }}' \
+            -var 'api_image_tag=${{ env.RELEASE_VERSION }}' \
+            -var 'ssas_image_tag=${{ env.SSAS_RELEASE_VERSION }}' \
+            -var 'worker_image_tag=${{ env.RELEASE_VERSION }}' \
+            -out 'bcda-release-api-worker.tfplan'
+      - name: Init, Plan OpenTofu
+        # FARGATE FIXUP: adding fargate vars to tf plan
+        if: ${{ env.RELEASE_ENV != 'dev' }}
         working-directory: terraform/${{ env.RELEASE_ENV }}
         run: |
           IFS=":@" read -r -a STRS <<< ${{ env.DATABASE_URL }}
           export APP_DB_PW=${STRS[2]}
-          touch bcda-release-api-worker-vars.tfvars
           tofu init
           tofu plan \
             -var 'env=${{ env.RELEASE_ENV }}' \
             -var 'ami_id=${{ env.BCDA_AMI }}' \
             -var 'worker_ami_id=${{ env.WORKER_AMI }}' \
             -var 'instance_type=${{ vars.INSTANCE_CLASS }}' \
-            -var-file=bcda-release-api-worker-vars.tfvars \
             -out 'bcda-release-api-worker.tfplan'
       - name: OpenTofu Apply
         working-directory: terraform/${{ env.RELEASE_ENV }}
@@ -186,6 +203,13 @@ jobs:
           aws autoscaling start-instance-refresh --region ${{ vars.AWS_REGION }} --auto-scaling-group-name ${ASG}
           export WORKER_ASG=`aws autoscaling describe-auto-scaling-groups --region ${{ vars.AWS_REGION }} --filters "Name=tag:Name,Values=bcda-${{ env.RELEASE_ENV }}-worker" --query 'AutoScalingGroups[0].AutoScalingGroupName' --output text`
           aws autoscaling start-instance-refresh --region ${{ vars.AWS_REGION }} --auto-scaling-group-name ${WORKER_ASG}
+      - name: Refresh Deployments
+        # FARGATE FIXUP:
+        if: ${{ env.RELEASE_ENV == 'dev' }}
+        run: |
+          aws ecs update-service --cluster bcda-${{ env.RELEASE_ENV }} --service bcda-${{ env.RELEASE_ENV }}-api --force-new-deployment
+          aws ecs update-service --cluster bcda-${{ env.RELEASE_ENV }} --service bcda-${{ env.RELEASE_ENV }}-ssas --force-new-deployment
+          aws ecs update-service --cluster bcda-${{ env.RELEASE_ENV }} --service bcda-${{ env.RELEASE_ENV }}-worker --force-new-deployment
       - name: Upload notify script
         uses: actions/upload-artifact@v4
         with:
@@ -256,7 +280,7 @@ jobs:
             export IMAGE_ID=`aws ec2 describe-instances --region ${{ vars.AWS_REGION }} --filters 'Name=tag:Name,Values=bcda-${{ env.RELEASE_ENV }}-worker' 'Name=instance-state-name,Values=running' --query 'Reservations[0].Instances[*][LaunchTime,ImageId] | reverse(sort_by(@,&[0])) | [0][1]' --output text`
             # Was unable to escape the backticks (`), creating this function seems to get around that
             get_image_version () {
-                aws ec2 describe-images --region us-east-1 --image-ids ${IMAGE_ID} --query 'Images[0].Tags[?Key==`version`].Value' --output text
+                aws ec2 describe-images --region ${{ vars.AWS_REGION }} --image-ids ${IMAGE_ID} --query 'Images[0].Tags[?Key==`version`].Value' --output text
             }
             export BCDA_WORKER_VERSION=`get_image_version`
 
@@ -272,6 +296,36 @@ jobs:
               break
             fi
           done
+  
+  # # FARGATE FIXUP:
+  # This needs the 'image_tag' tag to be added to each service before this will work
+  # verify_worker_version:
+  #   needs: [deploy]
+  #   runs-on: codebuild-bcda-app-${{github.run_id}}-${{github.run_attempt}}
+  #   environment: ${{ inputs.env != '0' && inputs.env || 'dev' }}
+  #   steps:
+  #     - uses: aws-actions/configure-aws-credentials@v4
+  #       with:
+  #         aws-region: ${{ vars.AWS_REGION }}
+  #         role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/delegatedadmin/developer/${{ vars.AWS_ROLE_TO_ASSUME }}
+  #     - run: |
+  #         TRY=1
+
+  #         until [ $TRY -gt $VERIFICATION_RETRIES ]; do
+  #           WORKER_VERSION=`aws ecs --resource-arn list-tags-for-resource arn:aws:ecs:${{ vars.AWS_REGION }}:${{ secrets.AWS_ACCOUNT_ID }}:service/bcda-${{ env.RELEASE_ENV }}/bcda-${{ env.RELEASE_ENV }}-api --query "tags[?key=='image_tag'].value | [0]" --output text`
+
+  #           if [[ $WORKER_VERSION != ${{ env.RELEASE_VERSION }} ]]; then
+  #             echo "BCDA Worker expected release version: ${{ env.RELEASE_VERSION }} did not match AWS version: ${WORKER_VERSION}."
+  #             TRY=$(($TRY + 1))
+  #             if [ $TRY -gt $VERIFICATION_RETRIES ]; then
+  #               exit 1
+  #             else
+  #               sleep $VERIFICATION_SLEEP
+  #             fi
+  #           else
+  #             break
+  #           fi
+  #         done
 
   smoketests:
     needs: [migrate_db, migrate_ssas_db, deploy, verify_api_version, verify_ssas_version, verify_worker_version]

.github/workflows/dev-daily-autodeploy.yml

@@ -1,4 +1,4 @@
-# Deploy BCDA/SSAS and Worker ec2 instances to dev daily
+# Build and Deploy BCDA, SSAS, and Worker to dev daily
 name: Deploy main to dev daily
 
 on:
@@ -17,9 +17,16 @@ jobs:
       ops_release_version: main
       ssas_release_version: main
     secrets: inherit
+
+  build_and_publish_all:
+    uses: ./.github/workflows/build-and-publish-all.yml
+    with:
+      release_version: main
+      ssas_release_version: main
+    secrets: inherit
 
   deploy_all:
-    needs: [build_and_package_all]
+    needs: [build_and_package_all, build_and_publish_all]
     uses: ./.github/workflows/deploy-all.yml
     with:
       release_version: main

Dockerfiles/Dockerfile.bcda

@@ -1,6 +1,7 @@
 FROM golang:1.25.1-alpine3.22 AS builder
 
 ARG GO_FLAGS
+ARG RELEASE_VERSION=main
 
 WORKDIR /go/src/github.com/CMSgov/bcda-app
 
@@ -17,34 +18,40 @@ COPY . .
 WORKDIR /go/src/github.com/CMSgov/bcda-app/bcda
 RUN --mount=type=cache,target=/go/pkg/mod \
     --mount=type=cache,target=/root/.cache/go-build \
-    go install "$GO_FLAGS"
+    go install -ldflags "-X github.com/CMSgov/bcda-app/bcda/constants.Version=${RELEASE_VERSION}" "$GO_FLAGS"
 
 # ------------------------------------------------------------------------
 FROM golang:1.25.1-alpine3.22
 
+RUN apk update upgrade && \
+    apk add --no-cache aws-cli
+
 RUN addgroup -S -g 1010 bcda && adduser -S -G bcda -u 1010 bcda
 
 # install dev packages if the environment argument was set to development
 ARG ENVIRONMENT
-RUN [ "$ENVIRONMENT" != "development" ] || apk update upgrade && \
-    apk add bash && \
+RUN [ "$ENVIRONMENT" != "development" ] || apk add --no-cache bash && \
     go install github.com/go-delve/delve/cmd/dlv@latest
 
 WORKDIR /go/src/github.com/CMSgov/bcda-app/bcda
 
 COPY --from=builder /go/src/github.com/CMSgov/bcda-app/shared_files/ /go/src/github.com/CMSgov/bcda-app/shared_files/
 COPY --from=builder /go/src/github.com/CMSgov/bcda-app/bcda/ /go/src/github.com/CMSgov/bcda-app/bcda/
 COPY --from=builder /go/bin/ /go/bin/
+COPY --from=builder /go/src/github.com/CMSgov/bcda-app/entrypoint.sh .
 
 # configure directories
-RUN mkdir /var/fhir && chown -R bcda:bcda \
+RUN mkdir -p /var/fhir /etc/sv/api/env && chown -R bcda:bcda \
     /go/src/github.com/CMSgov/bcda-app \
     /var/fhir \
+    /etc/sv/api/env \
     /var/log 
 
 USER bcda
 
 EXPOSE 3000 3001
 
-ENTRYPOINT ["bcda"]
-CMD ["start-api"]
+ENV APP_NAME="api"
+
+ENTRYPOINT ["./entrypoint.sh"]
+CMD ["bcda", "start-api"]