Merge pull request #5544 from nhsuk/next

Version 6.7.0

Author: thomasleese

.github/workflows/build-and-push-image.yml

@@ -99,7 +99,7 @@ jobs:
       - name: Save web image
         run: docker save -o image.tar mavis-webapp:latest
       - name: Upload web image
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: webapp-image
           path: image.tar
@@ -108,7 +108,7 @@ jobs:
       - name: Save ops image
         run: docker save -o image.tar mavis-ops:latest
       - name: Upload ops image
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ops-image
           path: image.tar
@@ -123,7 +123,7 @@ jobs:
         image_type: ["webapp", "ops"]
     steps:
       - name: Download Docker image
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: ${{ matrix.image_type }}-image
       - name: Configure AWS Credentials

.github/workflows/continuous-deployment.yml

@@ -7,7 +7,9 @@ on:
 
 jobs:
   test:
-    permissions: {}
+    permissions:
+      contents: write
+      id-token: write
     uses: ./.github/workflows/test.yml
   deploy:
     needs: test

.github/workflows/create_dockerized_db.yml

@@ -0,0 +1,73 @@
+name: Create Dockerized Database
+run-name: Creating dockerized image from ${{ github.ref_name }}
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  setup-development-database:
+    name: Setup Development Database
+    runs-on: ubuntu-latest
+    env:
+      RAILS_ENV: development
+      DATABASE_HOST: localhost
+      DATABASE_USER: postgres
+      DATABASE_PASSWORD: postgres
+      BUNDLE_WITHOUT: test
+      RAILS_MASTER_KEY: intentionally-insecure-dev-key00
+      SKIP_TEST_DATABASE: true
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
+        with:
+          node-version-file: .tool-versions
+          cache: yarn
+      - name: Build custom postgres image
+        run: |
+          echo -e "FROM postgres:16.11\n\nENV PGDATA=\"/var/lib/postgresql/mydata\"" > db.Dockerfile
+          docker build -t custom-postgres:latest -f db.Dockerfile .
+      - name: Start db container
+        run: |
+          docker run -d \
+            --name database \
+            -e "POSTGRES_HOST_AUTH_METHOD=trust" \
+            -p 5432:5432 \
+            custom-postgres:latest
+      - name: Wait for db to be ready
+        run: |
+          docker exec database bash -c '
+            until pg_isready -U postgres; do
+              echo "Waiting for postgres..."
+              sleep 2
+            done
+                '
+      - uses: ruby/setup-ruby@v1
+        with:
+          bundler-cache: true
+      - name: Populate database for testing
+        run: |
+          bin/rails db:setup
+          bin/rails feature_flags:enable_for_development
+          bin/mavis gias import
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v5
+        with:
+          role-to-assume: arn:aws:iam::393416225559:role/GitHubAssuranceTestRole
+          aws-region: eu-west-2
+      - name: Login to ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Commit postgres container with database
+        run: |
+          docker commit database ${{ steps.login-ecr.outputs.registry }}/mavis/development/postgres_db:latest
+      - name: Push image
+        run: |
+          docker tag ${{ steps.login-ecr.outputs.registry }}/mavis/development/postgres_db:latest ${{ steps.login-ecr.outputs.registry }}/mavis/development/postgres_db:${{ github.ref_name }}
+          docker push ${{ steps.login-ecr.outputs.registry }}/mavis/development/postgres_db --all-tags

.github/workflows/data-replication-pipeline.yml

@@ -21,15 +21,21 @@ on:
           Use code from: ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
           (Git ref to deploy, for example, a tag, branch name or commit SHA. Will use workflow ref if not provided.)
         type: string
+  workflow_call:
+    inputs:
+      environment:
+        description: Deployment environment
+        required: true
+        type: string
+      git_ref_to_deploy:
+        description: Git ref to deploy, for example, a tag, branch name or commit SHA
+        type: string
+        required: true  
 
 permissions: {}
 
 env:
   environment: ${{ inputs.environment }}
-  deployment_type: ${{ inputs.deployment_type }}
-  db_snapshot_arn: ${{ inputs.db_snapshot_arn }}
-  egress_cidr: ${{ inputs.egress_cidr }}
-  take_db_snapshot: ${{ inputs.take_db_snapshot }}
   git_ref_to_deploy: ${{ inputs.git_ref_to_deploy || github.sha }}
   aws_role: ${{ inputs.environment == 'production'
     && 'arn:aws:iam::820242920762:role/GithubDeployDataReplicationInfrastructure'
@@ -125,7 +131,7 @@ jobs:
       - name: Rename task definition file
         run: mv ${{ steps.create-task-definition.outputs.task-definition }} ${{ runner.temp }}/data-replication-task-definition.json
       - name: Upload artifact for data-replication task definition
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ inputs.environment }}-data-replication-task-definition
           path: ${{ runner.temp }}/data-replication-task-definition.json
@@ -134,7 +140,7 @@ jobs:
     name: Notify on approval required
     runs-on: ubuntu-latest
     needs: prepare-deployment
-    if: ${{ inputs.environment == 'production' }}
+    if: ${{ inputs.environment == 'production' && github.event_name == 'workflow_dispatch' }}
     steps:
       - name: Notify pending approval
         if: inputs.environment == 'production'
@@ -160,7 +166,7 @@ jobs:
     name: Wait for approval if required
     runs-on: ubuntu-latest
     needs: prepare-deployment
-    environment: ${{ inputs.environment }}
+    environment: ${{ github.event_name == 'workflow_dispatch' && inputs.environment || null }}
     steps:
       - run: echo "Proceeding with deployment to $environment environment"
 
@@ -177,7 +183,7 @@ jobs:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
       - name: Download data-replication task definition artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           path: ${{ runner.temp }}
           name: ${{ inputs.environment }}-data-replication-task-definition

.github/workflows/deploy-application.yml

@@ -161,7 +161,7 @@ jobs:
       - name: Rename task definition file
         run: mv ${{ steps.create-task-definition.outputs.task-definition }} ${{ runner.temp }}/${{ matrix.service }}-task-definition.json
       - name: Upload artifact for ${{ matrix.service }} task definition
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: ${{ inputs.environment }}-${{ matrix.service }}-task-definition
           path: ${{ runner.temp }}/${{ matrix.service }}-task-definition.json
@@ -213,7 +213,7 @@ jobs:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
       - name: Download ops task definition artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           path: ${{ runner.temp }}
           name: ${{ inputs.environment }}-ops-task-definition
@@ -339,7 +339,7 @@ jobs:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
       - name: Download ${{ matrix.service }} task definition artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           path: ${{ runner.temp }}
           name: ${{ inputs.environment }}-${{ matrix.service }}-task-definition

.github/workflows/deploy-backup-infrastructure.yml

@@ -49,21 +49,27 @@ jobs:
         id: plan
         env:
           PERSONAL_ACCESS_TOKEN: ${{ secrets.BACKUP_MODULES_ACCESS_TOKEN }}
+          SLACK_WEBHOOK_URL: ${{ inputs.environment == 'production' && secrets.SLACK_AWS_BACKUP_PRODUCTION_WEBHOOK || secrets.SLACK_AWS_BACKUP_TEST_WEBHOOK }}
         run: |
           set -e
           git config --global url."https://foo:${PERSONAL_ACCESS_TOKEN}@github.com/NHSDigital".insteadOf "https://github.com/NHSDigital"
           terraform init -backend-config="env/$environment-backend.hcl" -upgrade
-          terraform plan -var-file="env/$environment.tfvars" \
+          terraform plan -var-file="env/$environment.tfvars" -var="slack_webhook_url=${SLACK_WEBHOOK_URL}" \
           -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
       - name: Validate the changes
         run: |
           set -e
           ../../scripts/validate_plan.sh ${{ runner.temp }}/tf_stdout
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: tfplan_infrastructure-${{ inputs.environment }}
           path: ${{ runner.temp }}/tfplan
+      - name: Upload Lambda
+        uses: actions/upload-artifact@v6
+        with:
+          name: backup_alert_lambda_${{ inputs.environment }}
+          path: terraform/backup/source/lambda/backup_alert_function.zip
 
   apply:
     name: Terraform apply
@@ -81,10 +87,15 @@ jobs:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
       - name: Download artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: tfplan_infrastructure-${{ inputs.environment }}
           path: ${{ runner.temp }}
+      - name: Download Lambda zip
+        uses: actions/download-artifact@v7
+        with:
+          name: backup_alert_lambda_${{ inputs.environment }}
+          path: terraform/backup/source/lambda
       - name: Install terraform
         uses: hashicorp/setup-terraform@v3
         with:

.github/workflows/deploy-infrastructure.yml

@@ -76,7 +76,7 @@ jobs:
           fi
           ../scripts/validate_plan.sh ${{ runner.temp }}/tf_stdout
       - name: Upload artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: tfplan_infrastructure-${{ inputs.environment }}
           path: ${{ runner.temp }}/tfplan
@@ -99,7 +99,7 @@ jobs:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
       - name: Download artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: tfplan_infrastructure-${{ inputs.environment }}
           path: ${{ runner.temp }}

.github/workflows/deploy-monitoring.yml

@@ -77,7 +77,7 @@ jobs:
             echo "Infrastructure changes detected"
           fi
       - name: Upload AWS plan artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: tfplan_monitoring_aws-${{ inputs.environment }}
           path: ${{ runner.temp }}/tfplan-aws
@@ -104,7 +104,7 @@ jobs:
           role-to-assume: ${{ env.aws_role }}
           aws-region: eu-west-2
       - name: Download AWS plan artifact
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: tfplan_monitoring_aws-${{ inputs.environment }}
           path: ${{ runner.temp }}