Merge branch 'develop' into bug/jale13-NRL-1411-fix-schema-issue

Author: jackleary

.github/workflows/daily-build.yml

@@ -18,35 +18,19 @@ on:
 
 jobs:
   build:
-    name: Build - develop
-    runs-on: [self-hosted, ci]
+    name: Build - ${{ github.ref }}
+    runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
 
     steps:
-      - name: Git clone - develop
+      - name: Git clone - ${{ github.ref }}
         uses: actions/checkout@v4
         with:
-          ref: develop
+          ref: ${{ github.ref }}
 
-      - name: Setup asdf cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
-          restore-keys: |
-            ${{ runner.os }}-asdf-
-
-      - name: Install asdf
-        uses: asdf-vm/actions/[email protected]
-        with:
-          asdf_branch: v0.13.1
-
-      - name: Install zip
-        run: sudo apt-get install zip
-
-      - name: Setup Python environment
+      - name: Setup environment
         run: |
+          echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
           poetry install --no-root
-          source $(poetry env info --path)/bin/activate
 
       - name: Run Linting
         run: make lint
@@ -55,7 +39,13 @@ jobs:
         run: make test
 
       - name: Build Project
-        run: make build
+        run: |
+          echo "PATH: ${PATH}"
+          echo "HOME: ${HOME}"
+          echo "python: $(which python)"
+          echo "asdf: $(which asdf)"
+          echo "/usr/local/bin: $(ls -la /usr/local/bin)"
+          make build
 
       - name: Configure Management Credentials
         uses: aws-actions/configure-aws-credentials@v4

Dockerfile.ci-build

@@ -0,0 +1,50 @@
+FROM ubuntu:22.04
+
+RUN apt update && \
+    apt upgrade -y && \
+    DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt install -y \
+        build-essential \
+        ca-certificates \
+        curl \
+        git \
+        gnupg \
+        libbz2-dev \
+        libffi-dev \
+        libicu70 \
+        liblzma-dev \
+        libncursesw5-dev \
+        libreadline-dev \
+        libsqlite3-dev \
+        libssl-dev \
+        libxml2-dev \
+        libxmlsec1-dev \
+        llvm \
+        lsb-release \
+        make \
+        python3 \
+        tar \
+        tk-dev \
+        unzip \
+        wget \
+        xz-utils \
+        zip \
+        zlib1g-dev && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /root
+RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.13.1 && \
+    echo ". $HOME/.asdf/asdf.sh" >> ~/.bashrc && \
+    echo ". $HOME/.asdf/completions/asdf.bash" >> ~/.bashrc && \
+    echo "export ASDF_DIR=$HOME/.asdf" >> ~/.bashrc && \
+    echo "export PATH=\$ASDF_DIR/bin:\$PATH" >> ~/.bashrc && \
+    echo "export PATH=\$ASDF_DIR/shims:\$PATH" >> ~/.bashrc
+
+COPY .tool-versions .
+RUN for plugin in $(cat .tool-versions | cut -d' ' -f1); do \
+        ./.asdf/bin/asdf plugin add "${plugin}"; \
+    done && \
+    ./.asdf/bin/asdf install && \
+    ln -s $(pwd)/.asdf/shims/* /usr/local/bin/.
+
+CMD [ "/bin/bash" ]

Makefile

@@ -74,6 +74,28 @@ build-api-packages: ./api/consumer/* ./api/producer/*
 		./scripts/build-lambda-package.sh $${api} $(DIST_PATH); \
 	done
 
+build-ci-image: ## Build the CI image
+	@echo "Building the CI image"
+	docker build \
+		-t nhsd-nrlf-ci-build:latest \
+		-f Dockerfile.ci-build
+
+ecr-login: ## Login to NRLF ECR repo
+	@echo "Logging into ECR"
+	$(eval AWS_REGION := $(shell aws configure get region))
+	$(eval AWS_ACCOUNT_ID := $(shell aws sts get-caller-identity | jq -r .Account))
+	@aws ecr get-login-password --region "$(AWS_REGION)" \
+		| docker login --username AWS --password-stdin \
+			$(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com
+
+publish-ci-image: ## Publish the CI image
+	@echo "Publishing the CI image"
+	$(eval AWS_REGION := $(shell aws configure get region))
+	$(eval AWS_ACCOUNT_ID := $(shell aws sts get-caller-identity | jq -r .Account))
+	@docker tag nhsd-nrlf-ci-build:latest \
+		$(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest
+	@docker push $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest
+
 test: check-warn ## Run the unit tests
 	@echo "Running unit tests"
 	pytest --ignore=tests/smoke $(TEST_ARGS)

api/producer/deleteDocumentReference/delete_document_reference.py

@@ -40,9 +40,7 @@ def handler(
 
     if not (core_model := repository.get_by_id(pointer_id)):
         logger.log(LogReference.PRODELETE002, pointer_id=pointer_id)
-        return SpineErrorResponse.NO_RECORD_FOUND(
-            diagnostics="The requested DocumentReference could not be found",
-        )
+        return NRLResponse.RESOURCE_DOES_NOT_EXIST_DELETE()
 
     repository.delete(core_model)
 

api/producer/deleteDocumentReference/tests/test_delete_document_reference.py

@@ -140,7 +140,7 @@ def test_delete_document_reference_not_exists(repository: DocumentPointerReposit
     body = result.pop("body")
 
     assert result == {
-        "statusCode": "404",
+        "statusCode": "200",
         "headers": default_response_headers(),
         "isBase64Encoded": False,
     }
@@ -150,14 +150,14 @@ def test_delete_document_reference_not_exists(repository: DocumentPointerReposit
         "resourceType": "OperationOutcome",
         "issue": [
             {
-                "severity": "error",
-                "code": "not-found",
+                "severity": "information",
+                "code": "informational",
                 "details": {
                     "coding": [
                         {
-                            "code": "NO_RECORD_FOUND",
-                            "display": "No record found",
-                            "system": "https://fhir.nhs.uk/ValueSet/Spine-ErrorOrWarningCode-1",
+                            "code": "RESOURCE_DELETED",
+                            "display": "Resource deleted",
+                            "system": "https://fhir.nhs.uk/ValueSet/NRL-ResponseCode",
                         }
                     ]
                 },

layer/nrlf/core/response.py

@@ -117,6 +117,20 @@ def RESOURCE_DELETED(cls):
             statusCode="200",
         )
 
+    @classmethod
+    def RESOURCE_DOES_NOT_EXIST_DELETE(cls):
+        return cls.from_issues(
+            issues=[
+                producer_model.OperationOutcomeIssue(
+                    severity="information",
+                    code="informational",
+                    details=NRLResponseConcept.from_code("RESOURCE_DELETED"),
+                    diagnostics="The requested DocumentReference could not be found",
+                )
+            ],
+            statusCode="200",
+        )
+
 
 class SpineErrorResponse(Response):
     @classmethod

scripts/bootstrap.sh

@@ -8,6 +8,7 @@ TERRAFORM_ROLE_NAME="terraform"
 MGMT_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--mgmt-account-id"
 PROD_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--prod-account-id"
 TEST_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-account-id"
+TEST_BACKUP_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-backup-account-id"
 DEV_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--dev-account-id"
 
 
@@ -59,7 +60,9 @@ function _bootstrap() {
       aws secretsmanager create-secret --name "${MGMT_ACCOUNT_ID_LOCATION}"
       aws secretsmanager create-secret --name "${DEV_ACCOUNT_ID_LOCATION}"
       aws secretsmanager create-secret --name "${TEST_ACCOUNT_ID_LOCATION}"
+      aws secretsmanager create-secret --name "${TEST_BACKUP_ACCOUNT_ID_LOCATION}"
       aws secretsmanager create-secret --name "${PROD_ACCOUNT_ID_LOCATION}"
+      aws secretsmanager create-secret --name "${PROFILE_PREFIX}--codebuild-github-pat"
     ;;
     #----------------
     "delete-mgmt")
@@ -80,7 +83,9 @@ function _bootstrap() {
       aws secretsmanager delete-secret --secret-id "${MGMT_ACCOUNT_ID_LOCATION}"
       aws secretsmanager delete-secret --secret-id "${DEV_ACCOUNT_ID_LOCATION}"
       aws secretsmanager delete-secret --secret-id "${TEST_ACCOUNT_ID_LOCATION}"
+      aws secretsmanager delete-secret --secret-id "${TEST_BACKUP_ACCOUNT_ID_LOCATION}"
       aws secretsmanager delete-secret --secret-id "${PROD_ACCOUNT_ID_LOCATION}"
+      aws secretsmanager delete-secret --secret-id "${PROFILE_PREFIX}--codebuild-github-pat"
     ;;
     #----------------
     "create-non-mgmt")

terraform/account-wide-infrastructure/README.md

@@ -43,6 +43,28 @@ Once you're happy with your planned changes, you can apply them with:
 terraform apply
 ```
 
+### Build and publish the container image for CI build
+
+Once all the mgmt infra has been deployed, you need to build and publish the CI image to the ECR repo.
+
+To do this, first build the image as follows:
+
+```
+make build-ci-image
+```
+
+and then login to ECR:
+
+```
+make ecr-login
+```
+
+and push the image:
+
+```
+make publish-ci-image
+```
+
 ## Deploy account wide resources
 
 To deploy the account wide resources, first login to the AWS mgmt account on the CLI.

terraform/account-wide-infrastructure/mgmt/codebuild.tf

@@ -0,0 +1,123 @@
+data "aws_iam_policy_document" "codebuild_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+
+    actions = [
+      "sts:AssumeRole",
+      "sts:AssumeRoleWithWebIdentity",
+      "sts:TagSession"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = ["${data.aws_caller_identity.current.account_id}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "codebuild_service_role" {
+  name               = "${local.project}-codebuild-service-role"
+  assume_role_policy = data.aws_iam_policy_document.codebuild_assume_role.json
+}
+
+data "aws_iam_policy_document" "codebuild_policy" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "codeconnections:GetConnectionToken",
+      "codeconnections:GetConnection"
+    ]
+    resources = ["arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:ListSecretVersionIds"
+    ]
+    resources = [
+      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${local.project}--codebuild-github-pat-*",
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecr:*"
+    ]
+    resources = [
+      "${aws_ecr_repository.repository.arn}",
+      "${aws_ecr_repository.repository.arn}:*"
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "codebuild_policy" {
+  role   = aws_iam_role.codebuild_service_role.name
+  policy = data.aws_iam_policy_document.codebuild_policy.json
+}
+
+resource "aws_codebuild_project" "project" {
+  name         = "${local.project}-ci-build-project"
+  description  = "NRLF CI Build Project"
+  service_role = aws_iam_role.codebuild_service_role.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "${aws_ecr_repository.repository.repository_url}:latest"
+    type                        = "LINUX_CONTAINER"
+    image_pull_credentials_type = "CODEBUILD"
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      group_name  = "${local.project}-ci-build-logs"
+      stream_name = "build-log-stream"
+    }
+  }
+
+  source {
+    type            = "GITHUB"
+    location        = "https://github.com/NHSDigital/NRLF"
+    git_clone_depth = 1
+  }
+
+  source_version     = "main"
+  project_visibility = "PRIVATE"
+}
+
+resource "aws_codebuild_webhook" "github_workflow" {
+  project_name = aws_codebuild_project.project.name
+  build_type   = "BUILD"
+  filter_group {
+    filter {
+      type    = "EVENT"
+      pattern = "WORKFLOW_JOB_QUEUED"
+    }
+  }
+  depends_on = [aws_codebuild_project.project, aws_iam_role.codebuild_service_role]
+}