Merge pull request #879 from NHSDigital/feature/made14-NRL-1179-codebuild-runners

[NRL-1179] Add CodeBuild Runners

Author: mattdean3-nhs

.github/workflows/daily-build.yml

@@ -18,35 +18,19 @@ on:
 
 jobs:
   build:
-    name: Build - develop
-    runs-on: [self-hosted, ci]
+    name: Build - ${{ github.ref }}
+    runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}
 
     steps:
-      - name: Git clone - develop
+      - name: Git clone - ${{ github.ref }}
         uses: actions/checkout@v4
         with:
-          ref: develop
+          ref: ${{ github.ref }}
 
-      - name: Setup asdf cache
-        uses: actions/cache@v4
-        with:
-          path: ~/.asdf
-          key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
-          restore-keys: |
-            ${{ runner.os }}-asdf-
-
-      - name: Install asdf
-        uses: asdf-vm/actions/[email protected]
-        with:
-          asdf_branch: v0.13.1
-
-      - name: Install zip
-        run: sudo apt-get install zip
-
-      - name: Setup Python environment
+      - name: Setup environment
         run: |
+          echo "${HOME}/.asdf/bin" >> $GITHUB_PATH
           poetry install --no-root
-          source $(poetry env info --path)/bin/activate
 
       - name: Run Linting
         run: make lint
@@ -55,7 +39,13 @@ jobs:
         run: make test
 
       - name: Build Project
-        run: make build
+        run: |
+          echo "PATH: ${PATH}"
+          echo "HOME: ${HOME}"
+          echo "python: $(which python)"
+          echo "asdf: $(which asdf)"
+          echo "/usr/local/bin: $(ls -la /usr/local/bin)"
+          make build
 
       - name: Configure Management Credentials
         uses: aws-actions/configure-aws-credentials@v4

Dockerfile.ci-build

@@ -0,0 +1,50 @@
+FROM ubuntu:22.04
+
+RUN apt update && \
+    apt upgrade -y && \
+    DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt install -y \
+        build-essential \
+        ca-certificates \
+        curl \
+        git \
+        gnupg \
+        libbz2-dev \
+        libffi-dev \
+        libicu70 \
+        liblzma-dev \
+        libncursesw5-dev \
+        libreadline-dev \
+        libsqlite3-dev \
+        libssl-dev \
+        libxml2-dev \
+        libxmlsec1-dev \
+        llvm \
+        lsb-release \
+        make \
+        python3 \
+        tar \
+        tk-dev \
+        unzip \
+        wget \
+        xz-utils \
+        zip \
+        zlib1g-dev && \
+    apt clean && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /root
+RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.13.1 && \
+    echo ". $HOME/.asdf/asdf.sh" >> ~/.bashrc && \
+    echo ". $HOME/.asdf/completions/asdf.bash" >> ~/.bashrc && \
+    echo "export ASDF_DIR=$HOME/.asdf" >> ~/.bashrc && \
+    echo "export PATH=\$ASDF_DIR/bin:\$PATH" >> ~/.bashrc && \
+    echo "export PATH=\$ASDF_DIR/shims:\$PATH" >> ~/.bashrc
+
+COPY .tool-versions .
+RUN for plugin in $(cat .tool-versions | cut -d' ' -f1); do \
+        ./.asdf/bin/asdf plugin add "${plugin}"; \
+    done && \
+    ./.asdf/bin/asdf install && \
+    ln -s $(pwd)/.asdf/shims/* /usr/local/bin/.
+
+CMD [ "/bin/bash" ]

Makefile

@@ -74,6 +74,28 @@ build-api-packages: ./api/consumer/* ./api/producer/*
 		./scripts/build-lambda-package.sh $${api} $(DIST_PATH); \
 	done
 
+build-ci-image: ## Build the CI image
+	@echo "Building the CI image"
+	docker build \
+		-t nhsd-nrlf-ci-build:latest \
+		-f Dockerfile.ci-build
+
+ecr-login: ## Login to NRLF ECR repo
+	@echo "Logging into ECR"
+	$(eval AWS_REGION := $(shell aws configure get region))
+	$(eval AWS_ACCOUNT_ID := $(shell aws sts get-caller-identity | jq -r .Account))
+	@aws ecr get-login-password --region "$(AWS_REGION)" \
+		| docker login --username AWS --password-stdin \
+			$(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com
+
+publish-ci-image: ## Publish the CI image
+	@echo "Publishing the CI image"
+	$(eval AWS_REGION := $(shell aws configure get region))
+	$(eval AWS_ACCOUNT_ID := $(shell aws sts get-caller-identity | jq -r .Account))
+	@docker tag nhsd-nrlf-ci-build:latest \
+		$(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest
+	@docker push $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest
+
 test: check-warn ## Run the unit tests
 	@echo "Running unit tests"
 	pytest --ignore=tests/smoke $(TEST_ARGS)

scripts/bootstrap.sh

@@ -8,6 +8,7 @@ TERRAFORM_ROLE_NAME="terraform"
 MGMT_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--mgmt-account-id"
 PROD_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--prod-account-id"
 TEST_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-account-id"
+TEST_BACKUP_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-backup-account-id"
 DEV_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--dev-account-id"
 
 
@@ -59,7 +60,9 @@ function _bootstrap() {
       aws secretsmanager create-secret --name "${MGMT_ACCOUNT_ID_LOCATION}"
       aws secretsmanager create-secret --name "${DEV_ACCOUNT_ID_LOCATION}"
       aws secretsmanager create-secret --name "${TEST_ACCOUNT_ID_LOCATION}"
+      aws secretsmanager create-secret --name "${TEST_BACKUP_ACCOUNT_ID_LOCATION}"
       aws secretsmanager create-secret --name "${PROD_ACCOUNT_ID_LOCATION}"
+      aws secretsmanager create-secret --name "${PROFILE_PREFIX}--codebuild-github-pat"
     ;;
     #----------------
     "delete-mgmt")
@@ -80,7 +83,9 @@ function _bootstrap() {
       aws secretsmanager delete-secret --secret-id "${MGMT_ACCOUNT_ID_LOCATION}"
       aws secretsmanager delete-secret --secret-id "${DEV_ACCOUNT_ID_LOCATION}"
       aws secretsmanager delete-secret --secret-id "${TEST_ACCOUNT_ID_LOCATION}"
+      aws secretsmanager delete-secret --secret-id "${TEST_BACKUP_ACCOUNT_ID_LOCATION}"
       aws secretsmanager delete-secret --secret-id "${PROD_ACCOUNT_ID_LOCATION}"
+      aws secretsmanager delete-secret --secret-id "${PROFILE_PREFIX}--codebuild-github-pat"
     ;;
     #----------------
     "create-non-mgmt")

terraform/account-wide-infrastructure/README.md

@@ -43,6 +43,28 @@ Once you're happy with your planned changes, you can apply them with:
 terraform apply
 ```
 
+### Build and publish the container image for CI build
+
+Once all the mgmt infra has been deployed, you need to build and publish the CI image to the ECR repo.
+
+To do this, first build the image as follows:
+
+```
+make build-ci-image
+```
+
+and then login to ECR:
+
+```
+make ecr-login
+```
+
+and push the image:
+
+```
+make publish-ci-image
+```
+
 ## Deploy account wide resources
 
 To deploy the account wide resources, first login to the AWS mgmt account on the CLI.

terraform/account-wide-infrastructure/mgmt/codebuild.tf

@@ -0,0 +1,123 @@
+data "aws_iam_policy_document" "codebuild_assume_role" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+
+    actions = [
+      "sts:AssumeRole",
+      "sts:AssumeRoleWithWebIdentity",
+      "sts:TagSession"
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = ["${data.aws_caller_identity.current.account_id}"]
+    }
+  }
+}
+
+resource "aws_iam_role" "codebuild_service_role" {
+  name               = "${local.project}-codebuild-service-role"
+  assume_role_policy = data.aws_iam_policy_document.codebuild_assume_role.json
+}
+
+data "aws_iam_policy_document" "codebuild_policy" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["*"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "codeconnections:GetConnectionToken",
+      "codeconnections:GetConnection"
+    ]
+    resources = ["arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string"]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "secretsmanager:GetSecretValue",
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:ListSecretVersionIds"
+    ]
+    resources = [
+      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${local.project}--codebuild-github-pat-*",
+    ]
+  }
+
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecr:*"
+    ]
+    resources = [
+      "${aws_ecr_repository.repository.arn}",
+      "${aws_ecr_repository.repository.arn}:*"
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "codebuild_policy" {
+  role   = aws_iam_role.codebuild_service_role.name
+  policy = data.aws_iam_policy_document.codebuild_policy.json
+}
+
+resource "aws_codebuild_project" "project" {
+  name         = "${local.project}-ci-build-project"
+  description  = "NRLF CI Build Project"
+  service_role = aws_iam_role.codebuild_service_role.arn
+
+  artifacts {
+    type = "NO_ARTIFACTS"
+  }
+
+  environment {
+    compute_type                = "BUILD_GENERAL1_SMALL"
+    image                       = "${aws_ecr_repository.repository.repository_url}:latest"
+    type                        = "LINUX_CONTAINER"
+    image_pull_credentials_type = "CODEBUILD"
+  }
+
+  logs_config {
+    cloudwatch_logs {
+      group_name  = "${local.project}-ci-build-logs"
+      stream_name = "build-log-stream"
+    }
+  }
+
+  source {
+    type            = "GITHUB"
+    location        = "https://github.com/NHSDigital/NRLF"
+    git_clone_depth = 1
+  }
+
+  source_version     = "main"
+  project_visibility = "PRIVATE"
+}
+
+resource "aws_codebuild_webhook" "github_workflow" {
+  project_name = aws_codebuild_project.project.name
+  build_type   = "BUILD"
+  filter_group {
+    filter {
+      type    = "EVENT"
+      pattern = "WORKFLOW_JOB_QUEUED"
+    }
+  }
+  depends_on = [aws_codebuild_project.project, aws_iam_role.codebuild_service_role]
+}

terraform/account-wide-infrastructure/mgmt/data.tf

@@ -1,3 +1,7 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
 data "aws_dynamodb_table" "terraform_state_lock" {
   name = "${local.project}--terraform-state-lock"
 }
@@ -30,10 +34,18 @@ data "aws_secretsmanager_secret" "test_account_id" {
   name = "${local.project}--mgmt--test-account-id"
 }
 
+data "aws_secretsmanager_secret" "test_backup_account_id" {
+  name = "${local.project}--mgmt--test-backup-account-id"
+}
+
 data "aws_secretsmanager_secret_version" "dev_account_id" {
   secret_id = data.aws_secretsmanager_secret.dev_account_id.name
 }
 
 data "aws_secretsmanager_secret_version" "test_account_id" {
   secret_id = data.aws_secretsmanager_secret.test_account_id.name
 }
+
+data "aws_secretsmanager_secret_version" "test_backup_account_id" {
+  secret_id = data.aws_secretsmanager_secret.test_backup_account_id.name
+}

terraform/account-wide-infrastructure/mgmt/ecr.tf

@@ -0,0 +1,33 @@
+resource "aws_ecr_repository" "repository" {
+  name                 = "${local.project}-ci-build"
+  image_tag_mutability = "MUTABLE"
+}
+
+data "aws_iam_policy_document" "codebuild_access_policy" {
+  statement {
+    sid    = "CodeBuildEcrAccess"
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["codebuild.amazonaws.com"]
+    }
+
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+    ]
+
+    condition {
+      test     = "StringEquals"
+      variable = "aws:SourceAccount"
+      values   = ["${data.aws_caller_identity.current.account_id}"]
+    }
+  }
+}
+
+resource "aws_ecr_repository_policy" "codebuild_access_policy" {
+  repository = aws_ecr_repository.repository.name
+  policy     = data.aws_iam_policy_document.codebuild_access_policy.json
+}

terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf

@@ -63,6 +63,7 @@ module "developer_policy" {
       Resource = [
         "arn:aws:iam::${data.aws_secretsmanager_secret_version.dev_account_id.secret_string}:role/terraform",
         "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_account_id.secret_string}:role/terraform",
+        "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_backup_account_id.secret_string}:role/terraform"
       ]
     },
     {