Concourse pipeline (#49)

* init concourse

* correct terraform directory

* write policy util to differetiate between data logger and dashboard

* test logic in build_image.sh

* remove whitespace

* add space before ]]

* fix typo \o/

* remove (()) notation

* export the repo name on the terraform step

* remove some env vars in terraform apply

* rename an env var...

* environment_name -> environment

* remove environment var?

* re-add previous env vars

* fix strig EOL

* cd into correct directory terraform_infra.sh

* bump hahsicorp/aws version

* rm container image

* separate out dev and prod yml files

* refactor to use api instead of concourse release for tagging

* update README and remove redundant code

* fix linting issues

* fix another linting issue...

Author: delterr

README.md

@@ -312,6 +312,53 @@ To run mypy (static type checking)
 make mypy
 ```
 
+### Deployments with Concourse
+
+#### Allowlisting your IP
+
+To setup the deployment pipeline with concourse, you must first allowlist your IP address on the Concourse
+server. IP addresses are flushed everyday at 00:00 so this must be done at the beginning of every working day
+whenever the deployment pipeline needs to be used. Follow the instructions on the Confluence page (SDP Homepage > SDP Concourse > Concourse Login) to
+login. All our pipelines run on sdp-pipeline-prod, whereas sdp-pipeline-dev is the account used for
+changes to Concourse instance itself. Make sure to export all necessary environment variables from sdp-pipeline-prod (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
+
+#### Setting up a pipeline
+
+When setting up our pipelines, we use ecs-infra-user on sdp-dev to be able to interact with our infrastructure on AWS. The credentials for this are stored on
+AWS Secrets Manager so you do not need to set up anything yourself. Since this repository has two services that need to be deployed, you can set up a seprate
+pipeline for each by either specifying the pipeline name as `github-policy-dashboard` or `github-policy-lambda`.
+
+To set the pipeline, run the following script:
+
+```bash
+chmod u+x ./concourse/scripts/set_pipeline.sh
+./concourse/scripts/set_pipeline.sh github-policy-dashboard # for policy dashboard
+./concourse/scripts/set_pipeline.sh github-policy-lambda # for policy lambda
+
+```
+
+Note that you only have to run chmod the first time running the script in order to give permissions.
+This script will set the branch and pipeline name to whatever branch you are currently on. It will also set the image tag on ECR to the current commit hash at the time of setting the pipeline.
+
+The pipeline name itself will usually follow a pattern as follows: `<repo-name>-<branch-name>`
+If you wish to set a pipeline for another branch without checking out, you can run the following:
+
+```bash
+./concourse/scripts/set_pipeline.sh github-policy-dashboard <branch_name> # For policy dashboard
+./concourse/scripts/set_pipeline.sh github-policy-lambda <branch_name> # For policy lambda
+```
+
+If the branch you are deploying is "main" or "master", it will trigger a deployment to the sdp-prod environment. To set the ECR image tag, you must draft a Github release pointing to the latest release of the main/master branch that has a tag in the form of vX.Y.Z. Drafting up a release will automatically deploy the latest version of the main/master branch with the associated release tag, but you can also manually trigger a build through the Concourse UI or the terminal prompt.
+
+#### Triggering a pipeline
+
+Once the pipeline has been set, you can manually trigger a build on the Concourse UI, or run the following command:
+
+```bash
+fly -t aws-sdp trigger-job -j github-policy-dashboard-<branch-name>/build-and-push # For policy dashboard
+fly -t aws-sdp trigger-job -j github-policy-lambda-<branch-name>/build-and-push # For policy lambda
+```
+
 ### Markdown Linting
 
 To lint the markdown files in this repository, we use `markdownlint-cli`. This repository uses the Dockerised version of the linter, allowing it to be run without needing to install it locally.

concourse/ci.yml

@@ -0,0 +1,84 @@
+resources:
+- name: resource-repo
+  type: git
+  icon: github
+  source:
+    uri: https://github.com/ONS-Innovation/github-policy-dashboard
+    username: ((github_access_token))
+    password: x-oauth-basic
+    branch: ((branch))
+
+jobs:
+- name:  build-and-push
+  public: true
+  plan:
+  - get: resource-repo
+    timeout: 5m
+  - task: build-image
+    privileged: true
+    config:
+      platform: linux
+      image_resource:
+        type: docker-image
+        source:
+          repository: hashicorp/terraform
+      inputs:
+      - name: resource-repo
+      params:
+        aws_account_id: ((aws_account_sdp_((env))))
+        aws_role_arn: arn:aws:iam::((aws_account_sdp_((env)))):role/sdp-concourse-((env))
+        secrets: ((sdp_((env))_github_policy_dashboard_secrets))
+      run: # binary used to build the image
+        path: sh
+        args:
+        - -cx
+        - |
+          apk add --no-cache aws-cli podman jq iptables curl
+
+          export repo_name=((repo_name))
+          chmod u+x ./resource-repo/concourse/scripts/policy_util.sh
+          source ./resource-repo/concourse/scripts/policy_util.sh
+          if [[ "((env))" == "prod" ]]; then
+            tag=$(curl "https://api.github.com/repos/ONS-Innovation/github-policy-dashboard/releases" | jq -r '.[0].tag_name')
+            export tag
+          else
+            export tag=((tag))
+          fi
+          git rev-parse --abbrev-ref HEAD
+          chmod u+x ./resource-repo/concourse/scripts/assume_role.sh
+          chmod u+x ./resource-repo/concourse/scripts/build_image.sh
+          source ./resource-repo/concourse/scripts/assume_role.sh
+          ./resource-repo/concourse/scripts/build_image.sh
+    timeout: 10m
+  - task: terraform
+    privileged: true
+    config:
+      platform: linux
+      image_resource:
+        type: docker-image
+        source: {repository: hashicorp/terraform}
+      inputs:
+      - name: resource-repo
+      params:
+        secrets: ((sdp_((env))_github_policy_dashboard_secrets))
+        github_access_token: ((github_access_token))
+      run:
+        path: sh
+        args:
+        - -cx
+        - |
+          apk add --no-cache jq curl
+
+          export repo_name=((repo_name))
+          chmod u+x ./resource-repo/concourse/scripts/policy_util.sh
+          source ./resource-repo/concourse/scripts/policy_util.sh
+          if [[ "((env))" == "prod" ]]; then
+            tag=$(curl "https://api.github.com/repos/ONS-Innovation/github-policy-dashboard/releases" | jq -r '.[0].tag_name')
+            export tag
+          else 
+            export tag=((tag))
+          fi
+          chmod u+x ./resource-repo/concourse/scripts/terraform_infra.sh
+          export env=((env))
+          ./resource-repo/concourse/scripts/terraform_infra.sh
+    timeout: 30m

concourse/scripts/assume_role.sh

@@ -0,0 +1,12 @@
+set -euo pipefail
+
+aws sts assume-role --output text \
+    --role-arn "${aws_role_arn}" \
+    --role-session-name concourse-pipeline-run \
+    --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
+    | awk -F '\t' '{print $1 > ("AccessKeyId")}{print $2 > ("SecretAccessKey")}{print $3 > ("SessionToken")}'
+
+
+export AWS_ACCESS_KEY_ID="$(cat AccessKeyId)"
+export AWS_SECRET_ACCESS_KEY="$(cat SecretAccessKey)"
+export AWS_SESSION_TOKEN="$(cat SessionToken)"

concourse/scripts/build_image.sh

@@ -0,0 +1,18 @@
+set -euo pipefail
+
+export STORAGE_DRIVER=vfs
+export PODMAN_SYSTEMD_UNIT=concourse-task
+
+aws ecr get-login-password --region eu-west-2 | podman --storage-driver=vfs login --username AWS --password-stdin ${aws_account_id}.dkr.ecr.eu-west-2.amazonaws.com
+
+if [[ ${repo_name} == "github-policy-dashboard" ]]; then
+    container_image=$(echo "$secrets" | jq -r .container_image)
+    podman build -t ${container_image}:${tag} resource-repo
+else 
+    container_image=$(echo "$secrets" | jq -r .container_image_lambda)
+    podman build -t ${container_image}:${tag} resource-repo/data_logger/
+fi
+
+podman tag ${container_image}:${tag} ${aws_account_id}.dkr.ecr.eu-west-2.amazonaws.com/${container_image}:${tag}
+
+podman push ${aws_account_id}.dkr.ecr.eu-west-2.amazonaws.com/${container_image}:${tag}

concourse/scripts/policy_util.sh

@@ -0,0 +1,6 @@
+if [[ "${repo_name}" == "github-policy-dashboard" || "${repo_name}" == "github-policy-lambda" ]]; then
+    echo "${repo_name}"
+else
+    echo "Unknown repository name: ${repo_name}"
+    exit 1
+fi

concourse/scripts/set_pipeline.sh

@@ -0,0 +1,27 @@
+repo_name=${1}
+
+if [[ $# -gt 1 ]]; then
+    branch=${2}
+    git rev-parse --verify ${branch}
+    if [[ $? -ne 0 ]]; then
+        echo "Branch \"${branch}\" does not exist"
+        exit 1
+    fi
+else
+    branch=$(git rev-parse --abbrev-ref HEAD)
+fi
+
+if [[ ${branch} == "main" || ${branch} == "master" ]]; then
+    env="prod"
+else
+    env="dev"
+fi
+
+if [[ ${env} == "dev" ]]; then
+    tag=$(git rev-parse HEAD)
+else
+    tag=$(git tag | tail -n 1)
+fi
+
+fly -t aws-sdp set-pipeline -c concourse/ci.yml -p ${repo_name}-${branch} -v branch=${branch} -v tag=${tag} -v env=${env} --var repo_name=${repo_name}
+

concourse/scripts/terraform_infra.sh

@@ -0,0 +1,86 @@
+set -euo pipefail
+
+aws_account_id=$(echo "$secrets" | jq -r .aws_account_id)
+aws_access_key_id=$(echo "$secrets" | jq -r .aws_access_key_id)
+
+aws_secret_access_key=$(echo "$secrets" | jq -r .aws_secret_access_key)
+domain=$(echo "$secrets" | jq -r .domain)
+
+github_app_client_id=$(echo "$secrets" | jq -r .github_app_client_id)
+aws_secret_name=$(echo "$secrets" | jq -r .aws_secret_name)
+
+github_org=$(echo "$secrets" | jq -r .github_org)
+container_image=$(echo "$secrets" | jq -r .container_image)
+
+service_subdomain=$(echo "$secrets" | jq -r .service_subdomain)
+force_deployment=$(echo "$secrets" | jq -r .force_deployment)
+
+container_port=$(echo "$secrets" | jq -r .container_port)
+from_port=$(echo "$secrets" | jq -r .from_port)
+
+lambda_name=$(echo "$secrets" | jq -r .lambda_name)
+lambda_arch=$(echo "$secrets" | jq -r .lambda_arch)
+lambda_timeout=$(echo "$secrets" | jq -r .lambda_timeout)
+lambda_memory=$(echo "$secrets" | jq -r .lambda_memory)
+schedule=$(echo "$secrets" | jq -r .schedule)
+
+export AWS_ACCESS_KEY_ID=$aws_access_key_id
+export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key
+
+git config --global url."https://x-access-token:$github_access_token@github.com/".insteadOf "https://github.com/"
+
+if [[ ${env} != "prod" ]]; then
+    env="dev"
+fi
+
+echo ${env}
+
+
+
+if [[ ${repo_name} == "github-policy-dashboard" ]]; then
+
+cd resource-repo/terraform/dashboard
+
+terraform init -backend-config=env/${env}/backend-${env}.tfbackend -reconfigure
+
+terraform apply \
+-var "aws_account_id=$aws_account_id" \
+-var "aws_access_key_id=$aws_access_key_id" \
+-var "aws_secret_access_key=$aws_secret_access_key" \
+-var "domain=$domain" \
+-var "container_ver=${tag}" \
+-var "github_app_client_id=$github_app_client_id" \
+-var "aws_secret_name=$aws_secret_name" \
+-var "github_org=$github_org" \
+-var "container_image=$container_image" \
+-var "service_subdomain=$service_subdomain" \
+-var "force_deployment=$force_deployment" \
+-var "container_port=$container_port" \
+-var "from_port=$from_port" \
+-auto-approve
+
+    
+else 
+
+cd resource-repo/terraform/data_logger
+
+terraform init -backend-config=env/${env}/backend-${env}.tfbackend -reconfigure
+
+terraform apply \
+-var "aws_account_id=$aws_account_id" \
+-var "aws_access_key_id=$aws_access_key_id" \
+-var "aws_secret_access_key=$aws_secret_access_key" \
+-var "env_name=$domain" \
+-var "aws_secret_name=$aws_secret_name" \
+-var "github_org=$github_org" \
+-var "github_app_client_id=$github_app_client_id" \
+-var "lambda_name=$lambda_name" \
+-var "lambda_arch=$lambda_arch" \
+-var "lambda_timeout=$lambda_timeout" \
+-var "lambda_memory=$lambda_memory" \
+-var "lambda_version=${tag}" \
+-var "schedule=$schedule" \
+-auto-approve
+
+
+fi

terraform/data_logger/providers.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 5.0"
+      version = ">= 6.0.0"
     }
   }
 }