[DTOS-10199] Review apps pipeline

.azuredevops/pipelines/delete-review-app.yml

@@ -0,0 +1,46 @@
+trigger: none
+pr: none
+
+parameters:
+  - name: commitSHA
+    displayName: Commit SHA
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+
+stages:
+  - stage: review
+    displayName: Delete review app
+    pool:
+      name: private-pool-dev-uks
+    isSkippable: false
+
+    jobs:
+      - deployment: DeleteReviewApp
+        displayName: Delete review app
+        environment: review
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
+
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
+
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: manbrs-review
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci review terraform-destroy DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}

.azuredevops/pipelines/deploy.yml

@@ -5,54 +5,56 @@ parameters:
   - name: commitSHA
     displayName: Commit SHA
     type: string
-  - name: environments
-    type: object
-    default:
-      - dev
+  - name: environment
+    displayName: Environment
+    type: string
+  - name: prNumber
+    displayName: Pull request number
+    type: string
+    default: ''
 
 stages:
-  - ${{ each env in parameters.environments }}:
-      - stage: ${{ env }}
-        displayName: Deploy to ${{ env }} environment
-        pool:
-          name: private-pool-dev-uks
-        lockBehavior: sequential
-        isSkippable: false
+  - stage: ${{ parameters.environment }}
+    displayName: Deploy to ${{ parameters.environment }} environment
+    pool:
+      name: private-pool-dev-uks
+    lockBehavior: sequential
+    isSkippable: false
 
-        jobs:
-          - deployment: DeployApp
-            displayName: Deploy application
-            environment: ${{ env }}
-            strategy:
-              runOnce:
-                deploy:
-                  steps:
-                    - checkout: self
+    jobs:
+      - deployment: DeployApp
+        displayName: Deploy application
+        environment: ${{ parameters.environment }}
+        strategy:
+          runOnce:
+            deploy:
+              steps:
+                - checkout: self
 
-                    - task: TerraformInstaller@1
-                      displayName: Install terraform
-                      inputs:
-                        terraformVersion: 1.7.0
+                - task: TerraformInstaller@1
+                  displayName: Install terraform
+                  inputs:
+                    terraformVersion: 1.7.0
 
-                    - task: AzureCLI@2
-                      displayName: Run terraform
-                      inputs:
-                        azureSubscription: manbrs-${{ env }}
-                        scriptType: bash
-                        scriptLocation: inlineScript
-                        addSpnToEnvironment: true
-                        inlineScript: |
-                          export ARM_TENANT_ID="$tenantId"
-                          export ARM_CLIENT_ID="$servicePrincipalId"
-                          export ARM_OIDC_TOKEN="$idToken"
-                          export ARM_USE_OIDC=true
-                          make ci ${{ env }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }}
+                - task: AzureCLI@2
+                  displayName: Run terraform
+                  inputs:
+                    azureSubscription: manbrs-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: |
+                      export ARM_TENANT_ID="$tenantId"
+                      export ARM_CLIENT_ID="$servicePrincipalId"
+                      export ARM_OIDC_TOKEN="$idToken"
+                      export ARM_USE_OIDC=true
+                      make ci ${{ parameters.environment }} terraform-apply DOCKER_IMAGE_TAG=git-sha-${{ parameters.commitSHA }} PR_NUMBER=${{ parameters.prNumber }}
 
-                    - task: AzureCLI@2
-                      displayName: Run database migration
-                      inputs:
-                        azureSubscription: manbrs-${{ env }}
-                        scriptType: bash
-                        scriptLocation: inlineScript
-                        addSpnToEnvironment: true
-                        inlineScript: ./scripts/bash/db_migrate.sh ${{ env }}
+                - task: AzureCLI@2
+                  displayName: Run database migration
+                  inputs:
+                    azureSubscription: manbrs-${{ parameters.environment }}
+                    scriptType: bash
+                    scriptLocation: inlineScript
+                    addSpnToEnvironment: true
+                    inlineScript: ./scripts/bash/db_migrate.sh ${{ parameters.environment }} ${{ parameters.prNumber }}

.github/workflows/cicd-1-pull-request-closed.yaml

@@ -0,0 +1,28 @@
+name: Delete review app
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  destroy:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Delete review app pr-${{ github.event.pull_request.number }}
+    permissions:
+      id-token: write
+    runs-on: ubuntu-latest
+    environment: review
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Call deployment pipeline
+        run: |
+          az pipelines run --commit-id ${{ github.event.pull_request.head.sha }} --name "Delete review app" --org https://dev.azure.com/nhse-dtos --project dtos-manage-breast-screening \
+            --parameters commitSHA=${{ github.event.pull_request.head.sha }} prNumber=${{ github.event.pull_request.number }}

.github/workflows/cicd-1-pull-request.yaml

@@ -2,7 +2,7 @@ name: 'CI/CD pull request'
 
 on:
   pull_request:
-    types: [opened, reopened, synchronize]
+    types: [opened, reopened, synchronize, labeled]
 
 jobs:
   metadata:
@@ -72,3 +72,16 @@ jobs:
       terraform_version: '${{ needs.metadata.outputs.terraform_version }}'
       version: '${{ needs.metadata.outputs.version }}'
     secrets: inherit
+
+  deploy-stage:
+    if: contains(github.event.pull_request.labels.*.name, 'deploy')
+    name: Deploy stage
+    needs: [build-stage]
+    permissions:
+      id-token: write
+    uses: ./.github/workflows/stage-4-deploy.yaml
+    with:
+      environments: "[\"review\"]"
+      commit_sha: ${{ github.event.pull_request.head.sha }}
+      pr_number: ${{ github.event.pull_request.number }}
+    secrets: inherit

.github/workflows/cicd-2-main-branch.yaml

@@ -85,5 +85,6 @@ jobs:
       id-token: write
     uses: ./.github/workflows/stage-4-deploy.yaml
     with:
+      environments: "[\"review\",\"dev\"]"
       commit_sha: ${{ github.sha }}
     secrets: inherit

.github/workflows/stage-4-deploy.yaml

@@ -3,16 +3,27 @@ name: Deployment stage
 on:
   workflow_call:
     inputs:
+      environments:
+        description: List of environments to deploy to (String array)
+        required: true
+        type: string
       commit_sha:
         description: Commit SHA used to fetch ADO pipeline and docker image
         required: true
         type: string
+      pr_number:
+        description: Pull request number when used in a pull request
+        required: false
+        type: string
 
 jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-latest
-    environment: azure
+    strategy:
+      matrix:
+        environment: ${{ fromJson(inputs.environments) }}
+    environment: ${{ matrix.environment }}
 
     steps:
       - name: Checkout code
@@ -26,5 +37,5 @@ jobs:
 
       - name: Call deployment pipeline
         run: |
-          az pipelines run --commit-id ${{inputs.commit_sha}} --name "Deploy to Azure" --org https://dev.azure.com/nhse-dtos --project dtos-manage-breast-screening \
-            --parameters commitSHA=${{inputs.commit_sha}}
+          az pipelines run --commit-id ${{inputs.commit_sha}} --name "Deploy to Azure - ${{ matrix.environment }}" --org https://dev.azure.com/nhse-dtos --project dtos-manage-breast-screening \
+            --parameters commitSHA=${{inputs.commit_sha}} prNumber=${{inputs.pr_number}} environment=${{ matrix.environment }}

.gitleaksignore

@@ -10,5 +10,10 @@ manage_breast_screening/templates/components/pagination/template.njk:ipv4:26
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:10
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:11
 infrastructure/terraform/resource_group_init/core.bicep:generic-api-key:12
-infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:80
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:29
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:30
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:31
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:32
+infrastructure/terraform/resource_group_init/main.bicep:generic-api-key:33
 infrastructure/terraform/resource_group_init/storage.bicep:generic-api-key:59
+infrastructure/terraform/resource_group_init/keyVault.bicep:generic-api-key:10

README.md

@@ -110,52 +110,9 @@ To generate a new app, run:
 poetry run ./manage.py startapp <app_name> manage_breast_screening/`
 ```
 
-## Manual Deployment
+## Deployment
 
-The build pipeline builds and pushes a docker image to [Github container registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry). The app is deployed to an [Azure container app](https://azure.microsoft.com/en-us/products/container-apps) using terraform.
-
-For each environment, e.g. 'dev':
-
-1. Connect to [Azure virtual desktop](https://azure.microsoft.com/en-us/products/virtual-desktop). Ask the platform team for access with Administrator role.
-1. If not present, install the following software: terraform (version 1.7.0), git, make, jq.
-   - Run a Command prompt as administrator
-   - choco install terraform --version 1.7.0
-   - choco install terraform git make jq
-1. Open git bash
-1. Clone the repository: `git clone https://github.com/NHSDigital/dtos-manage-breast-screening.git`
-1. Enter the directory and select the branch, tag, commit...
-1. Login: `az login`
-1. Create the resource group: `make dev resource-group-init`. This is only required when creating the environment from scratch.
-1. Deploy:
-   ```shell
-   make dev terraform-plan DOCKER_IMAGE_TAG=git-sha-af32637e7e6a07e36158dcb8d7ed90be49be1xyz
-   ```
-1. The web app URL will be displayed as output. Copy it into a browser on the AVD to access the app.
-
-## Manual deployment of the review environments
-
-Review environments differ slightly from other environments. They are lightweight versions of the application and are designed to share much of the core Azure infrastructure. As a result, there is a one-to-many relationship between the container apps and the container app environment.
-
-### Step 1
-If you run the following command *without* the `PR_NUMBER` parameter, it will apply only the infrastructure module:
-
-```shell
-make review terraform-apply
-```
-
-### Step 2
-
-If you include the `PR_NUMBER` parameter, it will apply the container_app module instead of the infrastructure module:
-
-```shell
-make review terraform-apply DOCKER_IMAGE_TAG=git-sha-01ecb79d561f55be60072a093dd167fe8eb5b42e PR_NUMBER=123
-```
-
-## Continuous deployment
-
-When a PR is merged, Github actions securely triggers the deployment pipeline on the Azure devops pool running on the internal network. It currently deploys the dev environment automatically.
-
-Access [Azure devops](https://dev.azure.com/nhse-dtos/dtos-manage-breast-screening/_build?definitionId=86) to see the pipeline.
+See [Deployment](docs/infrastructure/deployment.md).
 
 ## Application secrets
 

docs/infrastructure/create-environment.md

@@ -0,0 +1,46 @@
+# Create an environment
+
+This is the initial manual process to create a new environment like review, dev, production...
+- Create the configuration files in `infrastructure/environments/[environment]`
+- Create postgres Entra ID group in DTOS Administrative Unit (AU): `postgres_manbrs_[environment]_uks_admin`
+- Run bicep from AVD: `make [environment] resource-group-init`
+- Ask CCOE to assign role:
+	- [Form for PIM](https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=28f3ab4f1bf3ca1078ac4337b04bcb78&sysparm_category=114fced51bdae1502eee65b9bd4bcbdc) or [Generic infrastructure form]([https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=bd7112991bdae1502eee65b9bd4bcb3b&referrer=popular_items](https://nhsdigitallive.service-now.com/nhs_digital?id=sc_cat_item&sys_id=bd7112991bdae1502eee65b9bd4bcb3b&referrer=popular_items))
+	- Managed identity: `mi-manbrs-[environment]-uks`
+	- role: permanent PIM Groups reader on Directory
+- Create ADO group
+	- Name: `Run pipeline - [environment]`
+	- Members: `mi-manbrs-ado-[environment]-aks`. There may be more than 1 in the list. Check client id printed below the name.
+	- Permissions:
+		- View project-level information
+- Create new pipeline:
+    - Name: `Deploy to Azure - [environment]`
+    - Pipeline yaml: `.azuredevops/pipelines/deploy.yml`
+- Manage pipeline security:
+	- Add group: `Run pipeline - [environment]`
+	- Permissions:
+		- Edit queue build configuration
+		- Queue builds
+		- View build pipeline
+- Create ADO environment: [environment]
+	- Set: exclusive lock
+	- Add pipeline permission for `Deploy to Azure - [environment]` pipeline
+- Create Github environment [environment]
+- Add environment secrets, from `mi-manbrs-ado-[environment]-uks`
+	- AZURE_CLIENT_ID
+	- AZURE_SUBSCRIPTION_ID
+- Create service connection
+	- Connection type: `Azure Resource Manager`
+	- Identity type: `Managed identity`
+	- Subscription: `Digital Screening DToS - DevOps`
+	- Resource group: `rg-mi-[environment]-uks`
+	- Managed identity: `mi-manbrs-[environment]-uks`
+- Scope level: Subscription
+- Subscription: `Digital Screening DToS - Core Services Dev`
+- Service Connection Name: `manbrs-[environment]`
+- Do NOT tick: Grant access permission to all pipelines
+- Add environment to the list of environment in `deploy-stage` step of `cicd-2-main-branch.yaml`. For the review enviornment, there is a single item in `cicd-1-pull-request.yaml`.
+- Run Github workflow
+- Check ADO pipeline. You may be prompted to authorise:
+	- Pipeline: service connection
+	- Environment: service connection and agent pool