Merge in main

Author: robbailiff2

.github/workflows/cicd-1-pull-request.yaml

@@ -3,14 +3,12 @@ name: "CI/CD pull request"
 # The total recommended execution time for the "CI/CD Pull Request" workflow is around 20 minutes.
 
 on:
-  push:
-    branches:
-      - "**"
   pull_request:
-    types: [opened, reopened]
+    types: [opened, synchronize, reopened]
 
 jobs:
   metadata:
+    if: github.event.pull_request.draft == false
     name: "Set CI/CD metadata"
     runs-on: ubuntu-latest
     timeout-minutes: 1
@@ -69,6 +67,7 @@ jobs:
           make list-variables
   commit-stage: # Recommended maximum execution time is 2 minutes
     name: "Commit stage"
+    if: github.event.pull_request.draft == false
     needs: [metadata]
     uses: ./.github/workflows/stage-1-commit.yaml
     with:
@@ -82,6 +81,7 @@ jobs:
     secrets: inherit
   test-stage: # Recommended maximum execution time is 5 minutes
     name: "Test stage"
+    if: github.event.pull_request.draft == false
     needs: [metadata, commit-stage]
     uses: ./.github/workflows/stage-2-test.yaml
     with:

.github/workflows/cicd-2-publish.yaml

@@ -9,6 +9,10 @@ on:
     branches:
       - main
 
+concurrency:
+  group: terraform-dev
+  cancel-in-progress: false
+
 jobs:
   metadata:
     name: "Set CI/CD metadata"
@@ -100,10 +104,10 @@ jobs:
         # just planning for now for safety and until review
         run: |
           mkdir -p ./build
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan"
-          make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan"
-          make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
         working-directory: ./infrastructure
 
       - name: "Tag the dev deployment"
@@ -136,20 +140,14 @@ jobs:
       #     asset_path: ./build/lambda.zip
       #     asset_name: lambda-${{ needs.metadata.outputs.version }}.zip
       #     asset_content_type: application/zip
-  success:
-    name: "Success notification"
-    runs-on: ubuntu-latest
-    needs: [publish]
-    steps:
-      - name: "Check prerequisites for notification"
-        id: check
-        run: echo "secret_exist=${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL != '' }}" >> $GITHUB_OUTPUT
-      - name: "Notify on publishing packages"
-        if: steps.check.outputs.secret_exist == 'true'
-        uses: nhs-england-tools/notify-msteams-action@v1.0.0
+      - name: "Notify Slack on PR merge"
+        uses: slackapi/slack-github-action@v2.1.0
         with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          teams-webhook-url: ${{ secrets.TEAMS_NOTIFICATION_WEBHOOK_URL }}
-          message-title: "Notification title"
-          message-text: "This is a notification body"
-          link: ${{ github.event.pull_request.html_url }}
+          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
+          webhook-type: webhook-trigger
+          payload: |
+            status: "${{ job.status }}"
+            link: "https://github.com/${{ github.repository }}/commit/${{ github.sha }}"
+            Author: "${{ github.actor }}"
+            title: "Pushed to main"
+            version: "${{ needs.metadata.outputs.version }}"

.github/workflows/cicd-3-deploy.yaml

@@ -3,6 +3,10 @@
 
 name: "CI/CD deploy"
 
+concurrency:
+  group: terraform-deploy-${{ github.event.inputs.environment }}
+  cancel-in-progress: false
+
 on:
   workflow_dispatch:
     inputs:
@@ -18,6 +22,15 @@ on:
           - test
           - preprod
           - prod
+      release_type:
+        description: "Version bump type (patch, minor, major)"
+        required: false
+        default: "patch"
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
 
 jobs:
   metadata:
@@ -70,7 +83,7 @@ jobs:
     timeout-minutes: 10
     permissions:
       id-token: write
-      contents: read
+      contents: write
     steps:
       - name: "Setup Terraform"
         uses: hashicorp/setup-terraform@v3
@@ -124,7 +137,21 @@ jobs:
           else
             # Extract the version numbers
             IFS='.' read -r major minor patch <<< "${latest_tag#v}"
-            patch=$((patch + 1))
+            case "${{ github.event.inputs.release_type }}" in
+              major)
+              major=$((major + 1))
+              minor=0
+              patch=0
+              ;;
+              minor)
+              minor=$((minor + 1))
+              patch=0
+              ;;
+            patch|*)
+              patch=$((patch + 1))
+              ;;
+            esac
+
             next_tag="v${major}.${minor}.${patch}"
           fi
 
@@ -136,8 +163,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ steps.next_tag.outputs.next_tag }}
-          release_name: Release ${{ steps.next_tag.outputs.next_tag }}
+          tag_name: ${{ steps.next_tag.outputs.tag }}
+          release_name: Release ${{ steps.next_tag.outputs.tag }}
           body: |
             Auto-release created during deployment.
           draft: false

.github/workflows/stage-1-commit.yaml

@@ -97,9 +97,14 @@ jobs:
         uses: bridgecrewio/checkov-action@v12
         with:
           directory: infrastructure/
-          soft_fail: true
+          soft_fail: false
           output_format: sarif
           output_file_path: checkov-report.sarif
+      - name: Upload Checkov results to GitHub Security tab
+        uses: actions/upload-artifact@v4
+        with:
+          name: checkov_results
+          path: checkov-report.sarif
   count-lines-of-code:
     name: "Count lines of code"
     runs-on: ubuntu-latest

infrastructure/Makefile

@@ -35,7 +35,9 @@ terraform-workspace-delete: guard-env guard-stack
 
 # Runs a specified Terraform command (e.g., plan, apply) for the stack and environment.
 terraform: guard-env guard-stack guard-tf-command terraform-init terraform-workspace
-	terraform -chdir=./stacks/$(stack) $(tf-command) $(args) $(if $(filter $(tf-command),init),,--parallelism=30)
+	terraform -chdir=./stacks/$(stack) $(tf-command) $(args) \
+		$(if $(filter init,$(tf-command)),,--parallelism=30) \
+		$(if $(filter apply,$(tf-command)),-auto-approve)
 	rm -f ./terraform_outputs_$(stack).json || true
 	mkdir -p ./build
 	terraform -chdir=./stacks/$(stack) output -json > ./build/terraform_outputs_$(stack).json

infrastructure/modules/api_gateway/cloudwatch.tf

@@ -1,6 +1,6 @@
 resource "aws_cloudwatch_log_group" "api_gateway" {
   name              = "/aws/apigateway/${var.workspace}-${var.api_gateway_name}"
-  retention_in_days = 14
+  retention_in_days = 365
   tags              = var.tags
   kms_key_id        = aws_kms_key.api_gateway.arn
 

infrastructure/modules/api_gateway/iam.tf

@@ -27,7 +27,7 @@ data "aws_iam_policy_document" "api_gateway_logging" {
       "logs:GetLogEvents",
       "logs:FilterLogEvents"
     ]
-    resources = ["*"]
+    resources = [aws_cloudwatch_log_group.api_gateway.arn]
   }
 }
 

infrastructure/modules/api_gateway/outputs.tf

@@ -25,3 +25,7 @@ output "logging_policy_attachment" {
 output "iam_role_name" {
   value = aws_iam_role.api_gateway.name
 }
+
+output "kms_key_arn" {
+  value = aws_kms_key.api_gateway.arn
+}

infrastructure/modules/bootstrap/tfstate/data.tf

@@ -0,0 +1 @@
+data "aws_caller_identity" "current" {}

infrastructure/modules/bootstrap/tfstate/kms.tf

@@ -10,3 +10,21 @@ resource "aws_kms_alias" "terraform_state_bucket_cmk" {
   name          = "alias/${var.project_name}-tfstate_bucket_cmk"
   target_key_id = aws_kms_key.terraform_state_bucket_cmk.key_id
 }
+
+resource "aws_kms_key_policy" "terraform_state_bucket_cmk" {
+  key_id = aws_kms_key.terraform_state_bucket_cmk.id
+  policy = data.aws_iam_policy_document.terraform_state_bucket_cmk.json
+}
+
+data "aws_iam_policy_document" "terraform_state_bucket_cmk" {
+  statement {
+    sid    = "Enable IAM User Permissions for s3 buckets"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+    actions   = ["kms:*"]
+    resources = [aws_kms_key.terraform_state_bucket_cmk.arn]
+  }
+}