[NRL-1179] Add CodeBuild Runners #879

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged

mattdean3-nhs merged 16 commits into develop from feature/made14-NRL-1179-codebuild-runners

Apr 24, 2025

.github/workflows/daily-build.yml

            
                      Original file line number
                      Diff line number
                      Diff line change
                  
    @@ -18,35 +18,19 @@ on:
  
    jobs:

      build:

        name: Build - develop

        runs-on: [self-hosted, ci]

        name: Build - ${{ github.ref }}

        runs-on: codebuild-nhsd-nrlf-ci-build-project-${{ github.run_id }}-${{ github.run_attempt }}

        steps:

          - name: Git clone - develop

          - name: Git clone - ${{ github.ref }}

            uses: actions/checkout@v4

            with:

              ref: develop

              ref: ${{ github.ref }}

          - name: Setup asdf cache

            uses: actions/cache@v4

            with:

              path: ~/.asdf

              key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}

              restore-keys: |

                ${{ runner.os }}-asdf-

          - name: Install asdf

            uses: asdf-vm/actions/install@v3.0.2

            with:

              asdf_branch: v0.13.1

          - name: Install zip

            run: sudo apt-get install zip

          - name: Setup Python environment

          - name: Setup environment

            run: |

              echo "${HOME}/.asdf/bin" >> $GITHUB_PATH

              poetry install --no-root

              source $(poetry env info --path)/bin/activate

          - name: Run Linting

            run: make lint

    @@ -55,7 +39,13 @@ jobs:
  
            run: make test

          - name: Build Project

            run: make build

            run: |

              echo "PATH: ${PATH}"

              echo "HOME: ${HOME}"

              echo "python: $(which python)"

              echo "asdf: $(which asdf)"

              echo "/usr/local/bin: $(ls -la /usr/local/bin)"

              make build

          - name: Configure Management Credentials

            uses: aws-actions/configure-aws-credentials@v4

Dockerfile.ci-build

-Original file line number
+Diff line change
@@ -0,0 +1,50 @@
+    FROM ubuntu:22.04
+    RUN apt update && \
+        apt upgrade -y && \
+        DEBIAN_FRONTEND=noninteractive TZ=Etc/UTC apt install -y \
+            build-essential \
+            ca-certificates \
+            curl \
+            git \
+            gnupg \
+            libbz2-dev \
+            libffi-dev \
+            libicu70 \
+            liblzma-dev \
+            libncursesw5-dev \
+            libreadline-dev \
+            libsqlite3-dev \
+            libssl-dev \
+            libxml2-dev \
+            libxmlsec1-dev \
+            llvm \
+            lsb-release \
+            make \
+            python3 \
+            tar \
+            tk-dev \
+            unzip \
+            wget \
+            xz-utils \
+            zip \
+            zlib1g-dev && \
+        apt clean && \
+        rm -rf /var/lib/apt/lists/*
+    WORKDIR /root
+    RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.13.1 && \
+        echo ". $HOME/.asdf/asdf.sh" >> ~/.bashrc && \
+        echo ". $HOME/.asdf/completions/asdf.bash" >> ~/.bashrc && \
+        echo "export ASDF_DIR=$HOME/.asdf" >> ~/.bashrc && \
+        echo "export PATH=\$ASDF_DIR/bin:\$PATH" >> ~/.bashrc && \
+        echo "export PATH=\$ASDF_DIR/shims:\$PATH" >> ~/.bashrc
+    COPY .tool-versions .
+    RUN for plugin in $(cat .tool-versions | cut -d' ' -f1); do \
+            ./.asdf/bin/asdf plugin add "${plugin}"; \
+        done && \
+        ./.asdf/bin/asdf install && \
+        ln -s $(pwd)/.asdf/shims/* /usr/local/bin/.
+    CMD [ "/bin/bash" ]

Makefile

-Original file line number
+Diff line change
@@ Expand Up / @@ -74,6 +74,28 @@ build-api-packages: ./api/consumer/* ./api/producer/* @@
     		./scripts/build-lambda-package.sh $${api} $(DIST_PATH); \
     	done
+    build-ci-image: ## Build the CI image
+    	@echo "Building the CI image"
+    	docker build \
+    		-t nhsd-nrlf-ci-build:latest \
+    		-f Dockerfile.ci-build
+    ecr-login: ## Login to NRLF ECR repo
+    	@echo "Logging into ECR"
+    	$(eval AWS_REGION := $(shell aws configure get region))
+    	$(eval AWS_ACCOUNT_ID := $(shell aws sts get-caller-identity | jq -r .Account))
+    	@aws ecr get-login-password --region "$(AWS_REGION)" \
+    		| docker login --username AWS --password-stdin \
+    			$(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com
+    publish-ci-image: ## Publish the CI image
+    	@echo "Publishing the CI image"
+    	$(eval AWS_REGION := $(shell aws configure get region))
+    	$(eval AWS_ACCOUNT_ID := $(shell aws sts get-caller-identity | jq -r .Account))
+    	@docker tag nhsd-nrlf-ci-build:latest \
+    		$(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest
+    	@docker push $(AWS_ACCOUNT_ID).dkr.ecr.$(AWS_REGION).amazonaws.com/nhsd-nrlf-ci-build:latest
     test: check-warn ## Run the unit tests
     	@echo "Running unit tests"
     	pytest --ignore=tests/smoke $(TEST_ARGS)
@@ Expand Down @@

scripts/bootstrap.sh

-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ TERRAFORM_ROLE_NAME="terraform" @@
     MGMT_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--mgmt-account-id"
     PROD_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--prod-account-id"
     TEST_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-account-id"
+    TEST_BACKUP_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-backup-account-id"
     DEV_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--dev-account-id"
@@ Expand Down Expand Up / @@ -59,7 +60,9 @@ function _bootstrap() { @@
           aws secretsmanager create-secret --name "${MGMT_ACCOUNT_ID_LOCATION}"
           aws secretsmanager create-secret --name "${DEV_ACCOUNT_ID_LOCATION}"
           aws secretsmanager create-secret --name "${TEST_ACCOUNT_ID_LOCATION}"
+          aws secretsmanager create-secret --name "${TEST_BACKUP_ACCOUNT_ID_LOCATION}"
           aws secretsmanager create-secret --name "${PROD_ACCOUNT_ID_LOCATION}"
+          aws secretsmanager create-secret --name "${PROFILE_PREFIX}--codebuild-github-pat"
         ;;
         #----------------
         "delete-mgmt")
@@ Expand All / @@ -80,7 +83,9 @@ function _bootstrap() { @@
           aws secretsmanager delete-secret --secret-id "${MGMT_ACCOUNT_ID_LOCATION}"
           aws secretsmanager delete-secret --secret-id "${DEV_ACCOUNT_ID_LOCATION}"
           aws secretsmanager delete-secret --secret-id "${TEST_ACCOUNT_ID_LOCATION}"
+          aws secretsmanager delete-secret --secret-id "${TEST_BACKUP_ACCOUNT_ID_LOCATION}"
           aws secretsmanager delete-secret --secret-id "${PROD_ACCOUNT_ID_LOCATION}"
+          aws secretsmanager delete-secret --secret-id "${PROFILE_PREFIX}--codebuild-github-pat"
         ;;
         #----------------
         "create-non-mgmt")
@@ Expand Down @@

terraform/account-wide-infrastructure/README.md

-Original file line number
+Diff line change
@@ Expand Up @@
     terraform apply
     ```
+    ### Build and publish the container image for CI build
+    Once all the mgmt infra has been deployed, you need to build and publish the CI image to the ECR repo.
+    To do this, first build the image as follows:
+    ```
+    make build-ci-image
+    ```
+    and then login to ECR:
+    ```
+    make ecr-login
+    ```
+    and push the image:
+    ```
+    make publish-ci-image
+    ```
     ## Deploy account wide resources
     To deploy the account wide resources, first login to the AWS mgmt account on the CLI.
@@ Expand Down @@

terraform/account-wide-infrastructure/mgmt/codebuild.tf

-Original file line number
+Diff line change
@@ -0,0 +1,123 @@
+    data "aws_iam_policy_document" "codebuild_assume_role" {
+      statement {
+        effect = "Allow"
+        principals {
+          type        = "Service"
+          identifiers = ["codebuild.amazonaws.com"]
+        }
+        actions = [
+          "sts:AssumeRole",
+          "sts:AssumeRoleWithWebIdentity",
+          "sts:TagSession"
+        ]
+        condition {
+          test     = "StringEquals"
+          variable = "aws:SourceAccount"
+          values   = ["${data.aws_caller_identity.current.account_id}"]
+        }
+      }
+    }
+    resource "aws_iam_role" "codebuild_service_role" {
+      name               = "${local.project}-codebuild-service-role"
+      assume_role_policy = data.aws_iam_policy_document.codebuild_assume_role.json
+    }
+    data "aws_iam_policy_document" "codebuild_policy" {
+      statement {
+        effect = "Allow"
+        actions = [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:PutLogEvents",
+        ]
+        resources = ["*"]
+      }
+      statement {
+        effect = "Allow"
+        actions = [
+          "codeconnections:GetConnectionToken",
+          "codeconnections:GetConnection"
+        ]
+        resources = ["arn:aws:codestar-connections:us-east-1:123456789012:connection/guid-string"]
+      }
+      statement {
+        effect = "Allow"
+        actions = [
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:ListSecretVersionIds"
+        ]
+        resources = [
+          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${local.project}--codebuild-github-pat-*",
+        ]
+      }
+      statement {
+        effect = "Allow"
+        actions = [
+          "ecr:*"
+        ]
+        resources = [
+          "${aws_ecr_repository.repository.arn}",
+          "${aws_ecr_repository.repository.arn}:*"
+        ]
+      }
+    }
+    resource "aws_iam_role_policy" "codebuild_policy" {
+      role   = aws_iam_role.codebuild_service_role.name
+      policy = data.aws_iam_policy_document.codebuild_policy.json
+    }
+    resource "aws_codebuild_project" "project" {
+      name         = "${local.project}-ci-build-project"
+      description  = "NRLF CI Build Project"
+      service_role = aws_iam_role.codebuild_service_role.arn
+      artifacts {
+        type = "NO_ARTIFACTS"
+      }
+      environment {
+        compute_type                = "BUILD_GENERAL1_SMALL"
+        image                       = "${aws_ecr_repository.repository.repository_url}:latest"
+        type                        = "LINUX_CONTAINER"
+        image_pull_credentials_type = "CODEBUILD"
+      }
+      logs_config {
+        cloudwatch_logs {
+          group_name  = "${local.project}-ci-build-logs"
+          stream_name = "build-log-stream"
+        }
+      }
+      source {
+        type            = "GITHUB"
+        location        = "https://github.com/NHSDigital/NRLF"
+        git_clone_depth = 1
+      }
+      source_version     = "main"
+      project_visibility = "PRIVATE"
+    }
+    resource "aws_codebuild_webhook" "github_workflow" {
+      project_name = aws_codebuild_project.project.name
+      build_type   = "BUILD"
+      filter_group {
+        filter {
+          type    = "EVENT"
+          pattern = "WORKFLOW_JOB_QUEUED"
+        }
+      }
+      depends_on = [aws_codebuild_project.project, aws_iam_role.codebuild_service_role]
+    }

terraform/account-wide-infrastructure/mgmt/data.tf

-Original file line number
+Diff line change
@@ -1,3 +1,7 @@
+    data "aws_caller_identity" "current" {}
+    data "aws_region" "current" {}
     data "aws_dynamodb_table" "terraform_state_lock" {
       name = "${local.project}--terraform-state-lock"
     }
@@ Expand Down Expand Up / @@ -30,10 +34,18 @@ data "aws_secretsmanager_secret" "test_account_id" { @@
       name = "${local.project}--mgmt--test-account-id"
     }
+    data "aws_secretsmanager_secret" "test_backup_account_id" {
+      name = "${local.project}--mgmt--test-backup-account-id"
+    }
     data "aws_secretsmanager_secret_version" "dev_account_id" {
       secret_id = data.aws_secretsmanager_secret.dev_account_id.name
     }
     data "aws_secretsmanager_secret_version" "test_account_id" {
       secret_id = data.aws_secretsmanager_secret.test_account_id.name
     }
+    data "aws_secretsmanager_secret_version" "test_backup_account_id" {
+      secret_id = data.aws_secretsmanager_secret.test_backup_account_id.name
+    }

terraform/account-wide-infrastructure/mgmt/ecr.tf

-Original file line number
+Diff line change
@@ -0,0 +1,33 @@
+    resource "aws_ecr_repository" "repository" {
+      name                 = "${local.project}-ci-build"
+      image_tag_mutability = "MUTABLE"
+    }
+    data "aws_iam_policy_document" "codebuild_access_policy" {
+      statement {
+        sid    = "CodeBuildEcrAccess"
+        effect = "Allow"
+        principals {
+          type        = "Service"
+          identifiers = ["codebuild.amazonaws.com"]
+        }
+        actions = [
+          "ecr:GetDownloadUrlForLayer",
+          "ecr:BatchGetImage",
+          "ecr:BatchCheckLayerAvailability",
+        ]
+        condition {
+          test     = "StringEquals"
+          variable = "aws:SourceAccount"
+          values   = ["${data.aws_caller_identity.current.account_id}"]
+        }
+      }
+    }
+    resource "aws_ecr_repository_policy" "codebuild_access_policy" {
+      repository = aws_ecr_repository.repository.name
+      policy     = data.aws_iam_policy_document.codebuild_access_policy.json
+    }

terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf

-Original file line number
+Diff line change
@@ Expand Up / @@ -63,6 +63,7 @@ module "developer_policy" { @@
           Resource = [
             "arn:aws:iam::${data.aws_secretsmanager_secret_version.dev_account_id.secret_string}:role/terraform",
             "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_account_id.secret_string}:role/terraform",
+            "arn:aws:iam::${data.aws_secretsmanager_secret_version.test_backup_account_id.secret_string}:role/terraform"
           ]
         },
         {
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[NRL-1179] Add CodeBuild Runners #879

Uh oh!

Diff view

Diff view

There are no files selected for viewing

Uh oh!

Uh oh!