Merge pull request #559 from NHSDigital/feature/thju1-NRL-633-persistentPREnvironments

Tomdango · web-flow · commit 1ead1cc234e1 · 2024-04-12T13:10:57.000+01:00
NRL-633 Persistent Environments for Pull Requests
diff --git a/.github/workflows/pr-env-deploy.yml b/.github/workflows/pr-env-deploy.yml
@@ -1,28 +1,45 @@
-name: CI
+name: Deploy PR Environment
+run-name: "${{ github.event.action == 'synchronize' && 'Update' || 'Create' }} PR Environment - #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})"
 
-on: pull_request
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+concurrency:
+  group: environment-${{ github.event.pull_request.number }}
+  cancel-in-progress: false
 
 permissions:
   id-token: write
   contents: read
   actions: write
+  issues: write
+  pull-requests: write
 
 jobs:
-  set-uniquish-id:
-    # Set a uniquish ID - good enough for our purposes since it must be close enough to unique for
-    # a) Terraform / AWS to allow clean build/destroys without side-effects (e.g. we don't
-    #    want resources marked for deletion to be recreated in another CI run)
-    # b) Not to fall foul of character limits on AWS resource names: the ID must be short
-    name: Set Unique Environment ID
+  set-environment-id:
+    name: Set Environment ID
     runs-on: [self-hosted, ci]
     steps:
-      - name: Set a uniquish ID
-        id: set_uniqish_id
+      - name: Set a ID based on the branch name
+        id: set_environment_id
         run: |
-          TIME_IN_SECONDS_SINCE_MIDNIGHT=$(date -d "1970-01-01 UTC $(date +%T)" +%s)
-          echo "uniqish_id=${GITHUB_SHA::7}-${TIME_IN_SECONDS_SINCE_MIDNIGHT}" >> $GITHUB_OUTPUT
+          JIRA_TICKET=$(
+            echo '${{ github.event.pull_request.head.ref }}' | \
+            grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}' | \
+            sed 's/-//g' | \
+            tr '[:upper:]' '[:lower:]' || \
+            true
+          )
+          BRANCH_HASH=$(echo '${{ github.event.pull_request.head.ref }}${{ github.event.pull_request.id }}' | sha256sum | head -c 6)
+
+          if [ -z "$JIRA_TICKET" ]; then
+            echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT
+          else
+            echo "environment_id=${JIRA_TICKET}-${BRANCH_HASH}" > $GITHUB_OUTPUT
+          fi
     outputs:
-      uniqish_id: ${{ steps.set_uniqish_id.outputs.uniqish_id }}
+      environment_id: ${{ steps.set_environment_id.outputs.environment_id }}
 
   build:
     name: Build Application
@@ -67,10 +84,23 @@ jobs:
           name: build-artifacts
           path: dist/*.zip
 
+      - name: Add Failure Pull Request Comment
+        uses: actions/github-script@v7
+        if: ${{ failure() }}
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `💥 Something went wrong while building the pull request environment.\n[Check Output Logs](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`
+            })
+
   deploy:
-    name: Deploy CI Environment
+    name: Deploy PR Environment
     runs-on: [self-hosted, ci]
-    needs: [set-uniquish-id, build]
+    needs: [set-environment-id, build]
+
     steps:
       - name: Git Clone - ${{ github.event.pull_request.head.ref }}
         uses: actions/checkout@v4
@@ -99,7 +129,7 @@ jobs:
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.CI_ROLE_NAME }}
-          role-session-name: github-actions-ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
+          role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Retrieve Server Certificates
         run: aws s3 cp s3://nhsd-nrlf--truststore/server/dev.pem truststore/server/dev.pem
@@ -111,8 +141,8 @@ jobs:
       - name: Terraform Init
         run: |
           terraform -chdir=terraform/infrastructure init
-          terraform -chdir=terraform/infrastructure workspace new ci-${{ needs.set-uniquish-id.outputs.uniqish_id }} || \
-          terraform -chdir=terraform/infrastructure workspace select ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
+          terraform -chdir=terraform/infrastructure workspace new ${{ needs.set-environment-id.outputs.environment_id }} || \
+          terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Terraform Plan
         run: |
@@ -129,6 +159,7 @@ jobs:
           path: terraform/infrastructure/tfplan*
 
       - name: Terraform Apply
+        id: terraform-apply
         run: |
           terraform -chdir=terraform/infrastructure apply tfplan
 
@@ -138,9 +169,33 @@ jobs:
           name: terraform-outputs
           path: terraform/infrastructure/output.json
 
+      - name: Add Success Pull Request Comment
+        uses: actions/github-script@v7
+        if: ${{ success() }}
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: "🚀 PR environment successfully deployed.\nCommit Hash: `${{ github.event.pull_request.head.sha }}`\nURL: https://${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk/"
+            })
+
+      - name: Add Failure Pull Request Comment
+        uses: actions/github-script@v7
+        if: ${{ failure() }}
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `💥 Something went wrong while deploying the pull request environment.\n[Check Output Logs](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`
+            })
+
   integration-test:
     name: Run Integration Tests
-    needs: [set-uniquish-id, deploy]
+    needs: [set-environment-id, deploy]
     runs-on: [self-hosted, ci]
 
     steps:
@@ -168,7 +223,7 @@ jobs:
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.CI_ROLE_NAME }}
-          role-session-name: github-actions-ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
+          role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Retrieve Client Certificates
         run: |
@@ -182,21 +237,21 @@ jobs:
       - name: Configure Dev Account Credentials
         id: configure-dev-account-credentials
         run: |
-          aws_credentials=$(aws sts assume-role --role-arn arn:aws:iam::${{ steps.get_account_id.outputs.aws_account_id }}:role/terraform --role-session-name github-actions-ci-${{ needs.set-uniquish-id.outputs.uniqish_id }} --output json)
+          aws_credentials=$(aws sts assume-role --role-arn arn:aws:iam::${{ steps.get_account_id.outputs.aws_account_id }}:role/terraform --role-session-name github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} --output json)
           echo "aws_access_key_id=$(echo $aws_credentials | jq -r '.Credentials.AccessKeyId')" >> "$GITHUB_OUTPUT"
           echo "aws_secret_access_key=$(echo $aws_credentials | jq -r '.Credentials.SecretAccessKey')" >> "$GITHUB_OUTPUT"
           echo "aws_session_token=$(echo $aws_credentials | jq -r '.Credentials.SessionToken')" >> "$GITHUB_OUTPUT"
 
       - name: Run Integration Tests
-        run: make test-features-integration TF_WORKSPACE=ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
+        run: make test-features-integration TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
         env:
           AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }}
           AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }}
           AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }}
 
   performance-test:
     name: Run Performance Tests
-    needs: [set-uniquish-id, integration-test]
+    needs: [set-environment-id, integration-test]
     runs-on: [self-hosted, ci]
 
     steps:
@@ -226,7 +281,7 @@ jobs:
         with:
           aws-region: eu-west-2
           role-to-assume: ${{ secrets.CI_ROLE_NAME }}
-          role-session-name: github-actions-ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
+          role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Pull Client Certificates
         run: make truststore-pull-client ENV=dev
@@ -238,23 +293,23 @@ jobs:
       - name: Configure Dev Account Credentials
         id: configure-dev-account-credentials
         run: |
-          aws_credentials=$(aws sts assume-role --role-arn arn:aws:iam::${{ steps.get_account_id.outputs.aws_account_id }}:role/terraform --role-session-name github-actions-ci-${{ needs.set-uniquish-id.outputs.uniqish_id }} --output json)
+          aws_credentials=$(aws sts assume-role --role-arn arn:aws:iam::${{ steps.get_account_id.outputs.aws_account_id }}:role/terraform --role-session-name github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }} --output json)
           echo "aws_access_key_id=$(echo $aws_credentials | jq -r '.Credentials.AccessKeyId')" >> "$GITHUB_OUTPUT"
           echo "aws_secret_access_key=$(echo $aws_credentials | jq -r '.Credentials.SecretAccessKey')" >> "$GITHUB_OUTPUT"
           echo "aws_session_token=$(echo $aws_credentials | jq -r '.Credentials.SessionToken')" >> "$GITHUB_OUTPUT"
 
       - name: Setup Environment Test Data
-        run: make test-performance-prepare TF_WORKSPACE=ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
+        run: make test-performance-prepare TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
         env:
           AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }}
           AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }}
           AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }}
 
       - name: Run Performance Test - Baseline
-        run: make test-performance-baseline HOST=ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev
+        run: make test-performance-baseline HOST=${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev
 
       - name: Run Performance Test - Stress
-        run: make test-performance-stress HOST=ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev
+        run: make test-performance-stress HOST=${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev
 
       - name: Process Performance Test Outputs
         run: make test-performance-output
@@ -266,53 +321,8 @@ jobs:
           path: dist/*.png
 
       - name: Cleanup Environment Test Data
-        run: make test-performance-cleanup TF_WORKSPACE=ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
+        run: make test-performance-cleanup TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
         env:
           AWS_ACCESS_KEY_ID: ${{ steps.configure-dev-account-credentials.outputs.aws_access_key_id }}
           AWS_SECRET_ACCESS_KEY: ${{ steps.configure-dev-account-credentials.outputs.aws_secret_access_key }}
           AWS_SESSION_TOKEN: ${{ steps.configure-dev-account-credentials.outputs.aws_session_token }}
-
-  destroy:
-    name: Destroy CI Environment
-    needs: [set-uniquish-id, deploy, integration-test, performance-test]
-    runs-on: [self-hosted, ci]
-    if: ${{ always() }}
-
-    steps:
-      - name: Git Clone - ${{ github.event.pull_request.head.ref }}
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-
-      - name: Setup asdf cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
-          restore-keys: |
-            ${{ runner.os }}-asdf-
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          aws-region: eu-west-2
-          role-to-assume: ${{ secrets.CI_ROLE_NAME }}
-          role-session-name: github-actions-ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
-
-      - name: Get AWS Account ID
-        id: get_account_id
-        run: echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--dev-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT"
-
-      - name: Terraform Init
-        run: |
-          terraform -chdir=terraform/infrastructure init
-          terraform -chdir=terraform/infrastructure workspace new ci-${{ needs.set-uniquish-id.outputs.uniqish_id }} || \
-          terraform -chdir=terraform/infrastructure workspace select ci-${{ needs.set-uniquish-id.outputs.uniqish_id }}
-
-      - name: Terraform Destroy
-        run: |
-          terraform -chdir=terraform/infrastructure destroy \
-            --var-file=etc/dev.tfvars \
-            --var assume_account=${{ steps.get_account_id.outputs.aws_account_id }} \
-            --var assume_role=terraform \
-            -auto-approve
diff --git a/.github/workflows/pr-env-destroy.yml b/.github/workflows/pr-env-destroy.yml
@@ -0,0 +1,99 @@
+name: Create PR Environment
+run-name: "Destroy PR Environment - #${{ github.event.pull_request.number }} (${{ github.event.pull_request.title }})"
+
+on:
+  pull_request:
+    types: [closed]
+
+concurrency:
+  group: environment-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+permissions:
+  id-token: write
+  contents: read
+  actions: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  set-environment-id:
+    name: Set Environment ID
+    runs-on: [self-hosted, ci]
+    steps:
+      - name: Set a ID based on the branch name
+        id: set_environment_id
+        run: |
+          JIRA_TICKET=$(
+            echo '${{ github.event.pull_request.head.ref }}' | \
+            grep -Po --color=none '[A-z]{3,4}-[0-9]{3,5}' | \
+            sed 's/-//g' | \
+            tr '[:upper:]' '[:lower:]' || \
+            true
+          )
+          BRANCH_HASH=$(echo '${{ github.event.pull_request.head.ref }}${{ github.event.pull_request.id }}' | sha256sum | head -c 6)
+
+          if [ -z "$JIRA_TICKET" ]; then
+            echo "environment_id=${BRANCH_HASH}" > $GITHUB_OUTPUT
+          else
+            echo "environment_id=${JIRA_TICKET}-${BRANCH_HASH}" > $GITHUB_OUTPUT
+          fi
+
+    outputs:
+      environment_id: ${{ steps.set_environment_id.outputs.environment_id }}
+
+  destroy:
+    name: Destroy PR Environment
+    needs: [set-environment-id]
+    runs-on: [self-hosted, ci]
+
+    steps:
+      - name: Git Clone - ${{ github.event.pull_request.head.ref }}
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Setup asdf cache
+        uses: actions/cache@v4
+        with:
+          path: ~/.asdf
+          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
+          restore-keys: |
+            ${{ runner.os }}-asdf-
+
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: eu-west-2
+          role-to-assume: ${{ secrets.CI_ROLE_NAME }}
+          role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
+
+      - name: Get AWS Account ID
+        id: get_account_id
+        run: echo "aws_account_id=$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--dev-account-id --query SecretString --output text)" >> "$GITHUB_OUTPUT"
+
+      - name: Terraform Init
+        run: |
+          terraform -chdir=terraform/infrastructure init
+          terraform -chdir=terraform/infrastructure workspace new ${{ needs.set-environment-id.outputs.environment_id }} || \
+          terraform -chdir=terraform/infrastructure workspace select ${{ needs.set-environment-id.outputs.environment_id }}
+
+      - name: Terraform Destroy
+        run: |
+          terraform -chdir=terraform/infrastructure destroy \
+            --var-file=etc/dev.tfvars \
+            --var assume_account=${{ steps.get_account_id.outputs.aws_account_id }} \
+            --var assume_role=terraform \
+            -auto-approve
+
+      - name: Add Failure Pull Request Comment
+        uses: actions/github-script@v7
+        if: ${{ failure() }}
+        with:
+          script: |
+            github.rest.issues.createComment({
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              body: `💥 Something went wrong while destroying the pull request environment.\n[Check Output Logs](${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId})`
+            })
diff --git a/tests/features/steps/2_request.py b/tests/features/steps/2_request.py
@@ -80,6 +80,10 @@ def create_post_document_reference_step(context: Context, ods_code: str):
     doc_ref = create_test_document_reference(items)
     context.response = client.create(doc_ref.dict(exclude_none=True))
 
+    if context.response.status_code == 201:
+        doc_ref_id = context.response.headers["Location"].split("/")[-1]
+        context.add_cleanup(lambda: context.repository.delete_by_id(doc_ref_id))
+
 
 @when("producer '{ods_code}' reads a DocumentReference with ID '{doc_ref_id}'")
 def producer_read_document_reference_step(
