feat: DBTP-1507 Setup codepipeline notifications

codebase-pipelines/artifactstore.tf

@@ -31,13 +31,10 @@ data "aws_iam_policy_document" "artifact_store_bucket_policy" {
       type        = "*"
       identifiers = ["*"]
     }
-
     actions = [
-      "s3:*",
+      "s3:*"
     ]
-
     effect = "Deny"
-
     condition {
       test     = "Bool"
       variable = "aws:SecureTransport"
@@ -46,7 +43,24 @@ data "aws_iam_policy_document" "artifact_store_bucket_policy" {
         "false",
       ]
     }
+    resources = [
+      aws_s3_bucket.artifact_store.arn,
+      "${aws_s3_bucket.artifact_store.arn}/*",
+    ]
+  }
 
+  statement {
+    effect = "Allow"
+    principals {
+      type = "AWS"
+      identifiers = [
+        for env in local.pipeline_environments :
+        "arn:aws:iam::${env.account}:role/${var.application}-${env.name}-codebase-pipeline-deploy"
+      ]
+    }
+    actions = [
+      "s3:*"
+    ]
     resources = [
       aws_s3_bucket.artifact_store.arn,
       "${aws_s3_bucket.artifact_store.arn}/*",
@@ -70,7 +84,7 @@ resource "aws_kms_key" "artifact_store_kms_key" {
         "Sid" : "Enable IAM User Permissions",
         "Effect" : "Allow",
         "Principal" : {
-          "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
+          "AWS" : [for id in local.deploy_account_ids : "arn:aws:iam::${id}:root"]
         },
         "Action" : "kms:*",
         "Resource" : "*"

codebase-pipelines/buildspec-deploy.yml

@@ -0,0 +1,179 @@
+version: 0.2
+
+env:
+  variables:
+    DEPLOY_TIMEOUT: 1800
+  parameter-store:
+    SLACK_TOKEN: /codebuild/slack_oauth_token
+
+phases:
+  install:
+    commands:
+      - echo "Starting deployment script for ${SERVICE} service"
+      - pip install yq --quiet
+      - echo "Installing platform-helper"
+      - pip install dbt-platform-helper --quiet
+      - platform-helper --version
+      - echo "Installing regclient"
+      - curl -s -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 > /usr/local/bin/regctl
+      - chmod +x /usr/local/bin/regctl
+
+  build:
+    commands:
+      - set -e
+
+      # Extract timestamp from image config and check if it exists
+      - aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
+
+      - |
+        SLACK_REF=$(regctl image config "${REPOSITORY_URL}:${IMAGE_TAG}" | jq -r '.config.Labels."uk.gov.trade.digital.build.timestamp"')
+        if [ "$SLACK_REF" = "null" ] || [ -z "$SLACK_REF" ]; then
+          echo "Image contains no timestamp label"
+          exit 1
+        fi
+        echo "Found image timestamp $SLACK_REF"
+
+      - UPPERCASE_SERVICE=$(echo "${SERVICE}" | tr '[:lower:]' '[:upper:]')
+      - UPPERCASE_TAG=$(echo "${IMAGE_TAG}" | tr '[:lower:]' '[:upper:]')
+
+        # Extract the pipeline name from CODEBUILD_INITIATOR default env var
+      - |
+        PIPELINE_NAME=""
+
+        if [[ "${CODEBUILD_INITIATOR}" == codepipeline/* ]]; then 
+          PIPELINE_NAME=$(echo "${CODEBUILD_INITIATOR}" | cut -d'/' -f2) 
+          echo "Pipeline name is ${PIPELINE_NAME}"
+        else 
+          echo "ERROR: Build not triggered by CodePipeline." 
+          exit 1 
+        fi
+
+      - |
+        BUILD_ID_PREFIX=$(echo $CODEBUILD_BUILD_ID | cut -d':' -f1)
+        echo "BUILD_ID_PREFIX - ${BUILD_ID_PREFIX}"
+
+      - |
+        MESSAGE=":rocket: STARTED - Deployment for ${UPPERCASE_SERVICE} service - Build log <https://${AWS_REGION}.console.aws.amazon.com/codesuite/codebuild/${AWS_ACCOUNT_ID}/projects/${BUILD_ID_PREFIX}/build/${CODEBUILD_BUILD_ID}/?region=${AWS_REGION}|${CODEBUILD_BUILD_NUMBER}>"
+
+      - platform-helper notify add-comment "${SLACK_CHANNEL_ID}" "${SLACK_TOKEN}" "${SLACK_REF}" "${MESSAGE}"
+
+      # Check if the specified image tag exists
+      - |
+        if ! aws ecr describe-images --repository-name "${REPOSITORY_NAME}" --image-ids "imageTag=${IMAGE_TAG}" > /dev/null 2>&1; then
+          echo "Error: image tag ${IMAGE_TAG} not found in repository ${REPOSITORY_NAME}"
+          exit 1
+        fi
+
+      # Check environment exists in config
+      - |
+        if [ $(echo $ENV_CONFIG | jq 'has('\"${ENVIRONMENT}\"')') == "false" ]; then
+          echo "Error: environment ${ENVIRONMENT} not listed in environment config"
+          exit 1
+        fi
+
+      - task_family="${APPLICATION}-${ENVIRONMENT}-${SERVICE}"
+      - cluster="${APPLICATION}-${ENVIRONMENT}"
+      - image_uri="${REPOSITORY_URL}:${IMAGE_TAG}"
+
+      # Assume environment role
+      - account_id=$(echo ${ENV_CONFIG} | jq -c -r .${ENVIRONMENT}.account)
+      - assumed_role=$(aws sts assume-role --role-arn "arn:aws:iam::${account_id}:role/${APPLICATION}-${ENVIRONMENT}-codebase-pipeline-deploy" --role-session-name "${ENVIRONMENT}-codebase-pipeline-deploy")
+      - export AWS_ACCESS_KEY_ID=$(echo $assumed_role | jq -r .Credentials.AccessKeyId)
+      - export AWS_SECRET_ACCESS_KEY=$(echo $assumed_role | jq -r .Credentials.SecretAccessKey)
+      - export AWS_SESSION_TOKEN=$(echo $assumed_role | jq -r .Credentials.SessionToken)
+
+      # Get service name
+      - service_name=$(aws ecs list-services --cluster "${cluster}" | jq -r '.serviceArns[] | select(contains("'${cluster}'-'${SERVICE}'-Service"))' | cut -d '/' -f3)
+
+      # Update task definition
+      - task_definition=$(aws ecs describe-task-definition --task-definition "${task_family}")
+      - new_task_definition=$(echo ${task_definition} | jq '.taskDefinition | .containerDefinitions |= map(if .name == '\"${SERVICE}\"' then .image = '\"${image_uri}\"' else . end) | del(.taskDefinitionArn) | del(.revision) | del(.status) | del(.requiresAttributes) | del(.compatibilities) |  del(.registeredAt)  | del(.registeredBy)')
+      - new_task_info=$(aws ecs register-task-definition --cli-input-json "${new_task_definition}")
+      - new_revision=$(echo ${new_task_info} | jq '.taskDefinition.revision')
+
+      # Get desired task count
+      - count=0
+      - cd "${CODEBUILD_SRC_DIR}"
+
+      # If count is a range, get the first value otherwise get count
+      - |
+        if [ $(yq '.count | type == "object"' copilot/web/manifest.yml) == "true" ]; then
+          count=$(yq '.count.range' copilot/web/manifest.yml | tr -d '"' | cut -d '-' -f1)
+        else
+          count=$(yq '.count' copilot/web/manifest.yml)
+        fi
+
+      # Check for environment overrides
+      - |
+        if [ $(yq '.environments.'${ENVIRONMENT}'.count | type == "object"' copilot/web/manifest.yml) == "true" ]; then
+          env_count=$(yq '.environments.'${ENVIRONMENT}'.count.range' copilot/web/manifest.yml | tr -d '"' | cut -d '-' -f1)
+        else
+          env_count=$(yq '.environments.'${ENVIRONMENT}'.count' copilot/web/manifest.yml)
+        fi
+
+      - |
+        if [[ "${env_count}" != "null" ]]; then
+          count=${env_count}
+        fi
+
+      # Start deployment
+      - echo "Deploying ${image_uri} to ${service_name} in ${cluster} with task count ${count}"
+      - start=$( date +%s )
+      - deploy_status="IN_PROGRESS"
+      - aws ecs update-service --cluster "${cluster}" --service "${service_name}" --task-definition "${task_family}:${new_revision}" --desired-count ${count} > /dev/null 2>&1
+
+      # Check deployment status
+      - |
+        while [[ "${deploy_status}" == "IN_PROGRESS" || "${deploy_status}" == "PENDING" || "${deploy_status}" == "ROLLBACK_IN_PROGRESS" ]];
+        do
+          sleep 10
+          now=$( date +%s )
+          elapsed=$(( now-start ))
+
+          deploy_status=$(aws ecs list-service-deployments --cluster "${cluster}" --service "${service_name}" --created-at "after=${start}" | jq -r '.serviceDeployments[0].status')
+          echo "Deployment status after ${elapsed} seconds: ${deploy_status}"
+
+          if [[ ${elapsed} -gt ${DEPLOY_TIMEOUT} ]]; then
+            echo "Error: deployment not completed in ${DEPLOY_TIMEOUT} seconds"
+            exit 1
+          fi
+        done
+
+      # Check deployment success
+      - |
+        case "${deploy_status}" in
+          SUCCESSFUL)
+            STATUS=":large_green_circle:"
+            ;;
+          ROLLBACK_SUCCESSFUL)
+            STATUS=":large_orange_circle::white_check_mark:"
+            ;;
+          ROLLBACK_IN_PROGRESS)
+            STATUS=":large_orange_circle::hourglass:"
+            ;;
+          ROLLBACK_FAILED)
+            STATUS=":large_orange_circle::arrow_right::red_circle:"
+            ;;
+          *)
+            STATUS=":large_blue_circle:"
+            ;;
+        esac
+        echo "Status emoji set to ${STATUS}"
+
+      # Construct the pipeline execution URL
+      - |
+        PIPELINE_EXECUTION_URL="https://${AWS_REGION}.console.aws.amazon.com/codesuite/codepipeline/pipelines/${PIPELINE_NAME}/executions/${PIPELINE_EXECUTION_ID}" 
+
+        echo "Pipeline execution URL: ${PIPELINE_EXECUTION_URL}"
+
+      - |
+        MESSAGE="${STATUS} COMPLETE - Deployment of ${UPPERCASE_TAG} to ${UPPERCASE_SERVICE} service - ${deploy_status} - <${PIPELINE_EXECUTION_URL}|Pipeline execution url>"
+
+      - platform-helper notify add-comment "${SLACK_CHANNEL_ID}" "${SLACK_TOKEN}" "${SLACK_REF}" "${MESSAGE}"
+
+      # Exit with an error code if deployment did not succeed
+      - |
+        if [ "${deploy_status}" != "SUCCESSFUL" ]; then 
+          echo "Error: deployment status is ${deploy_status}" 
+          exit 1 
+        fi

codebase-pipelines/codebuild.tf

@@ -3,7 +3,7 @@ data "aws_codestarconnections_connection" "github_codestar_connection" {
 }
 
 resource "aws_codebuild_project" "codebase_image_build" {
-  name          = "${var.application}-${var.codebase}-codebase-image-build"
+  name          = "${var.application}-${var.codebase}-codebase-pipeline-image-build"
   description   = "Publish images on push to ${var.repository}"
   build_timeout = 30
   service_role  = aws_iam_role.codebase_image_build.arn
@@ -115,12 +115,11 @@ resource "aws_codebuild_webhook" "codebuild_webhook" {
 }
 
 
-resource "aws_codebuild_project" "codebase_deploy_manifests" {
-  for_each       = local.pipeline_map
-  name           = "${var.application}-${var.codebase}-${each.value.name}-codebase-deploy-manifests"
-  description    = "Create image deploy manifests to deploy services"
-  build_timeout  = 5
-  service_role   = aws_iam_role.codebuild_manifests.arn
+resource "aws_codebuild_project" "codebase_deploy" {
+  name           = "${var.application}-${var.codebase}-codebase-pipeline-deploy"
+  description    = "Deploy specified image tag to specified environment"
+  build_timeout  = 30
+  service_role   = aws_iam_role.codebase_deploy.arn
   encryption_key = aws_kms_key.artifact_store_kms_key.arn
 
   artifacts {
@@ -137,59 +136,36 @@ resource "aws_codebuild_project" "codebase_deploy_manifests" {
     image                       = "aws/codebuild/amazonlinux2-x86_64-standard:5.0"
     type                        = "LINUX_CONTAINER"
     image_pull_credentials_type = "CODEBUILD"
+
+    environment_variable {
+      name  = "ENV_CONFIG"
+      value = jsonencode(local.base_env_config)
+    }
   }
 
   logs_config {
     cloudwatch_logs {
-      group_name  = aws_cloudwatch_log_group.codebase_deploy_manifests.name
-      stream_name = aws_cloudwatch_log_stream.codebase_deploy_manifests.name
+      group_name  = aws_cloudwatch_log_group.codebase_deploy.name
+      stream_name = aws_cloudwatch_log_stream.codebase_deploy.name
     }
   }
 
   source {
-    type = "CODEPIPELINE"
-    buildspec = templatefile("${path.module}/buildspec-manifests.yml", {
-      application = var.application,
-      environments = [
-        for env in each.value.environments : upper(env.name)
-      ],
-      services = local.service_export_names
-    })
+    type      = "CODEPIPELINE"
+    buildspec = file("${path.module}/buildspec-deploy.yml")
   }
 
   tags = local.tags
 }
 
-resource "aws_kms_key" "codebuild_kms_key" {
-  description         = "KMS Key for ${var.application} ${var.codebase} CodeBuild encryption"
-  enable_key_rotation = true
-
-  policy = jsonencode({
-    Statement = [
-      {
-        "Sid" : "Enable IAM User Permissions",
-        "Effect" : "Allow",
-        "Principal" : {
-          "AWS" : "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"
-        },
-        "Action" : "kms:*",
-        "Resource" : "*"
-      }
-    ]
-    Version = "2012-10-17"
-  })
-
-  tags = local.tags
-}
-
-resource "aws_cloudwatch_log_group" "codebase_deploy_manifests" {
+resource "aws_cloudwatch_log_group" "codebase_deploy" {
   # checkov:skip=CKV_AWS_338:Retains logs for 3 months instead of 1 year
   # checkov:skip=CKV_AWS_158:Log groups encrypted using default encryption key instead of KMS CMK
-  name              = "codebuild/${var.application}-${var.codebase}-codebase-deploy-manifests/log-group"
+  name              = "codebuild/${var.application}-${var.codebase}-codebase-deploy/log-group"
   retention_in_days = 90
 }
 
-resource "aws_cloudwatch_log_stream" "codebase_deploy_manifests" {
-  name           = "codebuild/${var.application}-${var.codebase}-codebase-deploy-manifests/log-stream"
-  log_group_name = aws_cloudwatch_log_group.codebase_deploy_manifests.name
+resource "aws_cloudwatch_log_stream" "codebase_deploy" {
+  name           = "codebuild/${var.application}-${var.codebase}-codebase-deploy/log-stream"
+  log_group_name = aws_cloudwatch_log_group.codebase_deploy.name
 }