
Commit 40c34ab

Merge remote-tracking branch 'origin/main' into hotfix/v1.0.0
2 parents 93d5222 + 544bf6a commit 40c34ab


103 files changed

+3918
-335
lines changed



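--- a/.github/workflows/base-deploy.yml
+++ b/.github/workflows/base-deploy.yml
@@ -84,6 +84,25 @@ jobs:
 contents: write
 environment: ${{ needs.metadata.outputs.environment }}
 steps:
+- name: "Setup Terraform"
+uses: hashicorp/setup-terraform@v3
+with:
+terraform_version: ${{ needs.metadata.outputs.terraform_version }}
+
+- name: "Install Poetry"
+run: |
+curl -sSL https://install.python-poetry.org | python3 -
+echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+- name: "Set up Python"
+uses: actions/setup-python@v5
+with:
+python-version: "3.13"
+cache: 'poetry'
+
+- name: "Install dependencies"
+run: poetry install
+
 - name: "Checkout repository at ref"
 uses: actions/checkout@v5
 with:
@@ -153,6 +172,13 @@ jobs:
 echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
 make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
 
+- name: "Validate Feature Toggles"
+env:
+ENV: ${{ needs.metadata.outputs.environment }}
+run: |
+pip install boto3
+python scripts/feature_toggle/validate_toggles.py
+
 - name: "Tag and Release"
 if: ${{ needs.metadata.outputs.environment == 'preprod' || needs.metadata.outputs.environment == 'prod' }}
 env:
@@ -162,3 +188,14 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 GITHUB_REPOSITORY: ${{ github.repository }}
 run: poetry run python scripts/workflow/tag_and_release.py
+
+
+regression-tests:
+name: "Regression Tests"
+if: ${{ needs.metadata.outputs.environment == 'preprod' }}
+needs: deploy
+uses: ./.github/workflows/regression-tests.yml
+with:
+ENVIRONMENT: "preprod"
+VERSION_NUMBER: "main"
+secrets: inherit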
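Review bot: `poetry install` at line 104 runs before the first `actions/checkout` at lines 106-108, and the job's step list opens at line 86 with nothing that populates the workspace, so Poetry has no pyproject.toml to install from and `cache: 'poetry'` at line 101 has no lock file to hash; the Setup Terraform/Install Poetry/Set up Python/Install dependencies steps should move below the checkout. The installer at line 94 is also an unpinned remote script piped into python inside a job that holds `contents: write` and deploy-environment credentials; pin it to the version .tool-versions already declares, `curl -sSL https://install.python-poetry.org | POETRY_VERSION=2.1.4 python3 -`, or use `pipx install poetry==2.1.4`. Likewise `pip install boto3` at line 179 pulls an unpinned package at run time; adding boto3 to the Poetry dependencies and running the script with `poetry run python scripts/feature_toggle/validate_toggles.py` keeps it under the lock file. Finally, `secrets: inherit` at line 201 forwards every secret to a reusable workflow that, as far as is visible, reads only `REGRESSION_TESTS_PAT`; pass that one secret explicitly.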

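--- a/.github/workflows/cicd-2-publish.yaml
+++ b/.github/workflows/cicd-2-publish.yaml
@@ -93,7 +93,7 @@ jobs:
 path: ./build
 
 - name: "Configure AWS Credentials"
-uses: aws-actions/configure-aws-credentials@v4
+uses: aws-actions/configure-aws-credentials@v5
 with:
 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
 aws-region: eu-west-2
@@ -134,3 +134,12 @@ jobs:
 Author: "${{ github.actor }}"
 title: "Pushed to main"
 version: "${{ needs.metadata.outputs.version }}"
+
+regression-tests:
+name: "Regression Tests"
+needs: publish
+uses: ./.github/workflows/regression-tests.yml
+with:
+ENVIRONMENT: "dev"
+VERSION_NUMBER: "main"
+secrets: inherit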
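Review bot: `secrets: inherit` at line 145 hands every repository and environment secret, including the `AWS_ACCOUNT_ID` referenced at line 98, to the regression-tests reusable workflow, which as far as is visible needs only `REGRESSION_TESTS_PAT`. Passing that one secret explicitly, `secrets:` / `  REGRESSION_TESTS_PAT: ${{ secrets.REGRESSION_TESTS_PAT }}`, limits what the called workflow can reach; the callee must declare the secret under `workflow_call` for this form to work. `VERSION_NUMBER: "main"` at line 144 is a branch name rather than a release tag, so the regression-test code fetched for the dev run is whatever is on that branch at run time; if that is deliberate for dev, a comment such as `# dev always runs the tip of the regression-test repo` would make it clear. The v4 to v5 bump at line 96 is fine on its own.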

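--- a/.github/workflows/cicd-3-test-deploy.yaml
+++ b/.github/workflows/cicd-3-test-deploy.yaml
@@ -73,7 +73,7 @@ jobs:
 python-version: "3.13"
 
 - name: "Configure AWS Credentials"
-uses: aws-actions/configure-aws-credentials@v4
+uses: aws-actions/configure-aws-credentials@v5
 with:
 role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/service-roles/github-actions-api-deployment-role
 aws-region: eu-west-2
@@ -100,3 +100,12 @@ jobs:
 echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
 make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
 working-directory: ./infrastructure
+
+regression-tests:
+name: "Regression Tests"
+needs: deploy
+uses: ./.github/workflows/regression-tests.yml
+with:
+ENVIRONMENT: "test"
+VERSION_NUMBER: "main"
+secrets: inherit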
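Review bot: `VERSION_NUMBER: "main"` at line 110 ties the regression tests for the `test` environment to a moving branch of another repository, so a run is not reproducible and whatever lands on that branch executes in this pipeline with the token the reusable workflow receives; pass a tag or commit SHA of the regression-test repository instead, or a version this pipeline already computes if the two repositories are released together. `secrets: inherit` at line 111 likewise forwards every secret where the callee reads only `REGRESSION_TESTS_PAT`; `secrets:` / `  REGRESSION_TESTS_PAT: ${{ secrets.REGRESSION_TESTS_PAT }}` is the least-privilege form, provided the callee declares that secret. The configure-aws-credentials bump at line 76 needs no further change.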

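--- a/.github/workflows/cicd-4-preprod-deploy.yml
+++ b/.github/workflows/cicd-4-preprod-deploy.yml
@@ -30,3 +30,4 @@ jobs:
 ref: ${{ inputs.ref }}
 release_type: ${{ inputs.release_type }}
 secrets: inherit
+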
Lines changed: 66 additions & 0 deletions
@@ -0,0 +1,66 @@
1+
name: E2E Regression Tests
2+
3+
on:
4+
workflow_call:
5+
inputs:
6+
ENVIRONMENT:
7+
required: true
8+
type: string
9+
VERSION_NUMBER:
10+
required: true
11+
type: string
12+
PRODUCT:
13+
type: string
14+
secrets: { }
15+
16+
jobs:
17+
regression-tests:
18+
runs-on: ubuntu-22.04
19+
steps:
20+
- name: Checkout
21+
uses: actions/checkout@v5
22+
with:
23+
fetch-depth: 0
24+
25+
- name: Cache asdf
26+
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809
27+
with:
28+
path: |
29+
~/.asdf
30+
key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}
31+
restore-keys: |
32+
${{ runner.os }}-asdf-
33+
34+
- name: Install asdf tools
35+
uses: asdf-vm/actions/install@1902764435ca0dd2f3388eea723a4f92a4eb8302
36+
with:
37+
asdf_branch: v0.15.0
38+
env:
39+
PYTHON_CONFIGURE_OPTS: --enable-shared
40+
41+
- name: Derive Python version from .tool-versions
42+
run: |
43+
PYTHON_VERSION=$(grep "^python" .tool-versions | sed 's/python //g')
44+
echo "PYTHON_VERSION=$PYTHON_VERSION" >> $GITHUB_ENV
45+
46+
- name: setup python venv
47+
uses: actions/checkout@v5
48+
- uses: actions/setup-python@v6
49+
with:
50+
python-version: '${{ env.PYTHON_VERSION }}'
51+
cache: 'poetry' # caching poetry dependencies
52+
- run: poetry install
53+
54+
- name: Run Regression Testing
55+
working-directory: scripts
56+
if: ${{ (inputs.ENVIRONMENT != 'prod') && (inputs.ENVIRONMENT != 'ref') }}
57+
env:
58+
TARGET_ENVIRONMENT: ${{ inputs.ENVIRONMENT }}
59+
VERSION_NUMBER: ${{ inputs.VERSION_NUMBER }}
60+
TESTS_TOKEN: ${{ secrets.REGRESSION_TESTS_PAT }}
61+
run: |
62+
echo Running regression tests in the "$TARGET_ENVIRONMENT" environment.
63+
poetry run python run_regression_tests.py \
64+
--env="$TARGET_ENVIRONMENT" \
65+
--token="$TESTS_TOKEN" \
66+
--regression_test_repo_tag "$VERSION_NUMBER"
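Review bot: The workflow declares `secrets: { }` at line 14 but reads `secrets.REGRESSION_TESTS_PAT` at line 60, which only works while every caller uses `secrets: inherit`; declare it, `secrets:` / `  REGRESSION_TESTS_PAT:` / `    required: true`, so callers can pass exactly that secret and a missing one fails at workflow validation instead of arriving as an empty `--token=`. The token is then handed to the script as a command-line argument at line 65, where it is readable from the process table by anything else on the runner; reading `TESTS_TOKEN` from the environment inside run_regression_tests.py avoids that. The step named "setup python venv" at lines 46-47 is a second `actions/checkout@v5` with no inputs, which re-checks out the tree after the asdf install rather than setting up a venv; it looks like a copy-paste slip and can be dropped. Action pinning is mixed: `actions/cache` and `asdf-vm/actions/install` are SHA-pinned without a version comment while checkout and setup-python float on major tags; pick one policy, and where SHA-pinned add the tag as a trailing comment, e.g. `uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # vX.Y.Z`.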

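--- a/.tool-versions
+++ b/.tool-versions
@@ -6,12 +6,13 @@ vale 3.11.2
 poetry 2.1.4
 act 0.2.77
 nodejs 22.18.0
+python 3.13.5
 
 # ==============================================================================
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
-docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33 # SEE: https://github.com/anchore/grype/pkgs/container/grype
+# docker/ghcr.io/anchore/grype v0.92.2@sha256:651e558f9ba84f2a790b3449c8a57cbbf4f34e004f7d3f14ae8f8cbeede4cd33 # SEE: https://github.com/anchore/grype/pkgs/container/grype
 # docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
 # docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
 # docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli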
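Review bot: Commenting out the grype image pin at line 15 leaves every Docker image in this file commented out, and nothing in the hunk says where the grype version now lives; if the scan was dropped the pipeline loses its container vulnerability check, and if grype still runs elsewhere it now runs unpinned. Either case deserves a line here, e.g. `# grype: version now pinned in <workflow/file>, see <ticket>`, or the pin restored if something still consumes it. The `python 3.13.5` entry at line 9 fixes a patch version where base-deploy.yml asks setup-python for `"3.13"`; harmless, but worth keeping in step if exact parity between CI and local tooling is the intent.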

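--- a/Makefile
+++ b/Makefile
@@ -36,6 +36,9 @@ _dist_include="pytest.ini poetry.lock poetry.toml pyproject.toml Makefile build/
 dependencies: # Install dependencies needed to build and test the project @Pipeline
 scripts/dependencies.sh
 
+check-licenses:
+scripts/check_python_licenses.sh
+
 .PHONY: build
 build: dist/lambda.zip # Build lambda.zip in dist/
 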
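Review bot: `check-licenses` at lines 39-40 has no `.PHONY` declaration, unlike `build` two lines below, so a file or directory named `check-licenses` in the repository root would make the target a silent no-op; add `.PHONY: check-licenses` above it. It also lacks the trailing help comment that the neighbouring `dependencies` target carries, `check-licenses: # Check licences of Python dependencies @Pipeline`, which matters if that `@Pipeline` tag drives a generated help or pipeline stage list (not visible here). The script it calls, scripts/check_python_licenses.sh, is not in this section, so whether it exits non-zero on a disallowed licence cannot be confirmed from here.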

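--- a/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
+++ b/infrastructure/stacks/api-layer/assumed_role_permissions_boundary.tf
@@ -15,14 +15,18 @@ data "aws_iam_policy_document" "assumed_role_permissions_boundary" {
 "dynamodb:DeleteItem",
 "dynamodb:BatchWriteItem",
 
-# S3 - bucket and object operations for Lambda and Firehose
+# S3 - bucket and object operations for Lambda, Firehose and External Role
 "s3:GetObject",
 "s3:ListBucket",
 "s3:PutObject",
 "s3:PutObjectAcl",
 "s3:AbortMultipartUpload",
 "s3:GetBucketLocation",
 "s3:ListBucketMultipartUploads",
+"s3:GetObjectTagging",
+"s3:PutObjectTagging",
+"s3:ListBucketVersions",
+"s3:GetObjectVersion",
 
 # KMS - encryption/decryption for DynamoDB and S3
 "kms:Encrypt",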
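Review bot: The four actions added at lines 26-29 raise the permissions-boundary ceiling for every role that carries it, and `s3:ListBucketVersions`/`s3:GetObjectVersion` expose previously overwritten or deleted object versions while `s3:PutObjectTagging` can alter tag-based access decisions; the comment at line 18 attributes the need only to an unnamed "External Role". Name the consumer and the ticket in the comment so the widening is auditable, e.g. `# s3:*Tagging and *Version* - required by <external role> (<ticket>)`, and confirm that the `resources` element of this statement, which lies further down the data block outside the hunk, still limits these to specific buckets rather than `*`. If only the external role needs version and tag access, a separate statement scoped to its buckets would keep the Lambda and Firehose ceiling where it was. The `data "aws_iam_policy_document"` block starts above the hunk and continues past it.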

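--- a/infrastructure/stacks/api-layer/ssm.tf
+++ b/infrastructure/stacks/api-layer/ssm.tf
@@ -92,3 +92,25 @@ resource "aws_ssm_parameter" "splunk_hec_endpoint" {
 ignore_changes = [value]
 }
 }
+
+resource "aws_ssm_parameter" "feature_toggles" {
+for_each = jsondecode(file("${path.module}/../../../scripts/feature_toggle/feature_toggle.json"))
+
+name = "/${var.environment}/feature_toggles/${each.key}"
+#checkov:skip=CKV2_AWS_34: Since this is a feature toggle config, secure string not needed
+type = "String"
+
+value = lookup(each.value.env_overrides, var.environment, each.value.default_state)
+
+tags = {
+Environment = var.environment
+ManagedBy = "terraform"
+Purpose = each.value.purpose
+Ticket = each.value.ticket
+Created = each.value.created
+}
+
+lifecycle {
+ignore_changes = [value]
+}
+}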
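Review bot: `ignore_changes = [value]` at line 114 means feature_toggle.json only seeds each parameter on creation; after the first apply, edits to `default_state` or `env_overrides` in the repository are never pushed out, and a toggle flipped in the SSM console persists with no trace in version control, which is a weak default for switches that gate behaviour in prod. If console overrides are intended, say so on the block, `# value is seeded from feature_toggle.json on create only; runtime flips are made in SSM and are not reverted by terraform`, otherwise drop the lifecycle block so the JSON stays the source of truth. `lookup(each.value.env_overrides, ...)` at line 103 also fails at plan time with an unsupported-attribute error for any toggle whose JSON entry omits `env_overrides`; `lookup(try(each.value.env_overrides, {}), var.environment, each.value.default_state)` tolerates that. The `checkov:skip` at line 100 is reasonable as long as nothing secret is ever placed in this JSON, which is worth stating in the skip reason.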
