CCM-5100 Authentication PoC

.devcontainer/devcontainer.json

@@ -0,0 +1,104 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the
+// README at: https://github.com/devcontainers/templates/tree/main/src/jekyll
+{
+  "name": "Jekyll",
+  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+  "image": "mcr.microsoft.com/devcontainers/jekyll:2-bullseye",
+  // Features to add to the dev container. More info: https://containers.dev/features.
+  // "features": {},
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // "forwardPorts": [],
+  // Uncomment the next line to run commands after the container is created.
+  "postCreateCommand": "zsh scripts/devcontainer/postcreatecommand.sh",
+  "postStartCommand": "zsh scripts/devcontainer/poststartcommand.sh",
+  "forwardPorts": [4000],
+  // Configure tool-specific properties.
+  "customizations": {
+    "codespaces": {
+      "openFiles": ["README.md", ".github/SECURITY.md", "docs/index.md"]
+    },
+    "vscode": {
+      // Set *default* container specific settings.json values on container create.
+      "settings": {
+        "autoOpenWorkspace.enableAutoOpenIfSingleWorkspace": true,
+        "editor.formatOnSave": true,
+        "files.insertFinalNewline": true,
+        "[makefile]": {
+          "editor.insertSpaces": false,
+          "editor.detectIndentation": false
+        }
+      },
+      // Add the IDs of extensions you want installed when the container is created.
+      "extensions": [
+        "zoma.vscode-auto-open-workspace",
+        "alefragnani.bookmarks",
+        "davidanson.vscode-markdownlint",
+        "dbaeumer.vscode-eslint",
+        "donjayamanne.githistory",
+        "eamodio.gitlens",
+        "editorconfig.editorconfig",
+        "esbenp.prettier-vscode",
+        "github.codespaces",
+        "github.github-vscode-theme",
+        "github.remotehub",
+        "github.vscode-github-actions",
+        "github.vscode-pull-request-github",
+        "hediet.vscode-drawio",
+        "johnpapa.vscode-peacock",
+        "mhutchie.git-graph",
+        "ms-azuretools.vscode-docker",
+        "ms-vscode-remote.remote-containers",
+        "ms-vscode-remote.remote-wsl",
+        "ms-vscode.hexeditor",
+        "ms-vscode.live-server",
+        "ms-vsliveshare.vsliveshare",
+        "redhat.vscode-xml",
+        "streetsidesoftware.code-spell-checker-british-english",
+        "tamasfe.even-better-toml",
+        "tomoki1207.pdf",
+        "vscode-icons-team.vscode-icons",
+        "vstirbu.vscode-mermaid-preview",
+        "wayou.vscode-todo-highlight",
+        "yzane.markdown-pdf",
+        "yzhang.dictionary-completion",
+        "yzhang.markdown-all-in-one",
+        "joshx.workspace-terminals",
+        "takumii.markdowntable"
+      ]
+    }
+  },
+  "features": {
+    "ghcr.io/devcontainers/features/aws-cli:1": {
+      "version": "latest"
+    },
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "moby": true,
+      "azureDnsAutoDetection": true,
+      "installDockerBuildx": true,
+      "installDockerComposeSwitch": true,
+      "version": "latest",
+      "dockerDashComposeVersion": "latest"
+    },
+    "ghcr.io/devcontainers/features/node:1": {
+      "nodeGypDependencies": true,
+      "version": "lts",
+      "nvmVersion": "latest"
+    },
+    "ghcr.io/devcontainers/features/github-cli:1": {
+      "installDirectlyFromGitHubRelease": true,
+      "version": "latest"
+    },
+    "ghcr.io/devcontainers/features/common-utils:2": {
+      "installZsh": true,
+      "configureZshAsDefaultShell": true,
+      "installOhMyZsh": true,
+      "installOhMyZshConfig": true,
+      "upgradePackages": true,
+      "username": "automatic",
+      "userUid": "automatic",
+      "userGid": "automatic"
+    }
+  }
+  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+  // "remoteUser": "root"
+}

.env.template

@@ -0,0 +1,16 @@
+# These are the settings for the dev user pool
+USER_POOL_ID=eu-west-2_fhHtnXS3G
+USER_POOL_CLIENT_ID=<client ID>
+HOSTED_LOGIN_DOMAIN=nhsnotify-iam-dev-auth-userpool.auth.eu-west-2.amazoncognito.com
+
+NOTIFY_GROUP=nonprod
+NOTIFY_ENVIRONMENT=dev
+AWS_APP=d1axbs26ewhyx4
+AWS_BRANCH=main
+
+# Customise the branch or repository to deploy from an alternative source
+#TF_VAR_branch=miho6/CCM-5100-authn-poc
+#TF_VAR_repository=https://github.com/m-houston/nhs-notify-iam
+
+# Use a GitHub Personal Access Token to deploy a new Amplify integration (connect to a GitHub repo)
+TF_VAR_github_pat=<github_pat_xxxx>

.github/CODEOWNERS

@@ -0,0 +1,85 @@
+# NHS Notify Code Owners
+
+* @NHSDigital/nhs-notify-iam
+
+# require review by github repo admins if changing any common github actions or platform ci/cd yaml files
+.github/actions/ @NHSDigital/nhs-notify-admins
+.github/workflows/platform_* @NHSDigital/nhs-notify-admins
+
+# require review by github repo admins if changing any of the terraform files
+infrastructure/ @NHSDigital/nhs-notify-admins
+
+# Codeowners must be final check
+/.github/CODEOWNERS @NHSDigital/nhs-notify-code-owners
+/CODEOWNERS @NHSDigital/nhs-notify-code-owners
+
+
+# Each NHS Notify repository should have clear code owners set.
+# Do not use GitHub team names, instead use the GitHub usernames
+# of the people who are responsible for the code maintenance.
+
+# This is a comment.
+# Each line is a file pattern followed by one or more owners.
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence,
+# @global-owner1 and @global-owner2 will be requested for
+# review when someone opens a pull request.
+# *       @global-owner1 @global-owner2
+
+# Order is important; the last matching pattern takes the most
+# precedence. When someone opens a pull request that only
+# modifies JS files, only @js-owner and not the global
+# owner(s) will be requested for a review.
+# *.js    @js-owner #This is an inline comment.
+
+# You can also use email addresses if you prefer. They'll be
+# used to look up users just like we do for commit author
+# emails.
+# *.go [email protected]
+
+# Teams can be specified as code owners as well. Teams should
+# be identified in the format @org/team-name. Teams must have
+# explicit write access to the repository. In this example,
+# the octocats team in the octo-org organization owns all .txt files.
+# *.txt @octo-org/octocats
+
+# In this example, @doctocat owns any files in the build/logs
+# directory at the root of the repository and any of its
+# subdirectories.
+# /build/logs/ @doctocat
+
+# The `docs/*` pattern will match files like
+# `docs/getting-started.md` but not further nested files like
+# `docs/build-app/troubleshooting.md`.
+# docs/*  [email protected]
+
+# In this example, @octocat owns any file in an apps directory
+# anywhere in your repository.
+# apps/ @octocat
+
+# In this example, @doctocat owns any file in the `/docs`
+# directory in the root of your repository and any of its
+# subdirectories.
+# /docs/ @doctocat
+
+# In this example, any change inside the `/scripts` directory
+# will require approval from @doctocat or @octocat.
+# /scripts/ @doctocat @octocat
+
+# In this example, @octocat owns any file in a `/logs` directory such as
+# `/build/logs`, `/scripts/logs`, and `/deeply/nested/logs`. Any changes
+# in a `/logs` directory will require approval from @octocat.
+# **/logs @octocat
+
+# In this example, @octocat owns any file in the `/apps`
+# directory in the root of your repository except for the `/apps/github`
+# subdirectory, as its owners are left empty.
+# /apps/ @octocat
+# /apps/github
+
+# In this example, @octocat owns any file in the `/apps`
+# directory in the root of your repository except for the `/apps/github`
+# subdirectory, as this subdirectory has its own owner @doctocat
+# /apps/ @octocat
+# /apps/github @doctocat

.github/actions/build-docs/action.yml

@@ -0,0 +1,42 @@
+name: "Build Docs"
+description: "build jekyll docs"
+inputs:
+  version:
+    description: "Version number"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version: 18
+    - name: Npm cli install
+      working-directory: ./docs
+      run: npm ci
+      shell: bash
+    - name: Setup Ruby
+      uses: ruby/[email protected]
+      with:
+        ruby-version: "3.1" # Not needed with a .ruby-version file
+        bundler-cache: true # runs 'bundle install' and caches installed gems automatically
+        cache-version: 0 # Increment this number if you need to re-download cached gems
+        working-directory: "./docs"
+    - name: Setup Pages
+      id: pages
+      uses: actions/configure-pages@v5
+    - name: Build with Jekyll
+      working-directory: ./docs
+      # Outputs to the './_site' directory by default
+      shell: bash
+      run: make build BASE_URL="${{ steps.pages.outputs.base_path }}" VERSION="${{ inputs.version }}"
+      #run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}"
+      env:
+        JEKYLL_ENV: production
+    - name: Upload artifact
+      # Automatically uploads an artifact from the './_site' directory by default
+      uses: actions/upload-pages-artifact@v3
+      with:
+        path: "docs/_site/"
+        name: jekyll-docs-${{ inputs.version }}

.github/actions/lint-terraform/action.yaml

@@ -16,5 +16,6 @@ runs:
       run: |
         stacks=${{ inputs.root-modules }}
         for dir in $(find infrastructure/environments -maxdepth 1 -mindepth 1 -type d; echo ${stacks//,/$'\n'}); do
+          dir=$dir opts='-backend=false' make terraform-init
           dir=$dir make terraform-validate
         done

.github/actions/package-terraform/action.yml

@@ -0,0 +1,17 @@
+name: "Package Terraform"
+description: "Validate and package terraform configuration as an artifact"
+inputs:
+  version:
+    description: "Version number"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Upload artifact
+      uses: actions/upload-artifact@v4
+      with:
+        path: "infrastructure"
+        name: iam-infrastructure-${{ inputs.version }}

.github/workflows/cicd-1-pull-request.yaml

@@ -1,4 +1,4 @@
-name: "CI/CD pull request"
+name: "1. CI/CD pull request"
 
 # The total recommended execution time for the "CI/CD Pull Request" workflow is around 20 minutes.
 
@@ -8,6 +8,8 @@ on:
       - "**"
   pull_request:
     types: [opened, reopened]
+    branches:
+      - main
 
 jobs:
   metadata:
@@ -23,6 +25,7 @@ jobs:
       python_version: ${{ steps.variables.outputs.python_version }}
       terraform_version: ${{ steps.variables.outputs.terraform_version }}
       version: ${{ steps.variables.outputs.version }}
+      is_version_prerelease: ${{ steps.variables.outputs.is_version_prerelease }}
       does_pull_request_exist: ${{ steps.pr_exists.outputs.does_pull_request_exist }}
     steps:
       - name: "Checkout code"
@@ -31,15 +34,18 @@ jobs:
         id: variables
         run: |
           datetime=$(date -u +'%Y-%m-%dT%H:%M:%S%z')
-          BUILD_DATETIME=$datetime make version-create-effective-file
+          BUILD_DATETIME=$datetime make version-create-effective-file dir=.
+          version=$(head -n 1 .version 2> /dev/null || echo unknown)
           echo "build_datetime_london=$(TZ=Europe/London date --date=$datetime +'%Y-%m-%dT%H:%M:%S%z')" >> $GITHUB_OUTPUT
           echo "build_datetime=$datetime" >> $GITHUB_OUTPUT
           echo "build_timestamp=$(date --date=$datetime -u +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
           echo "build_epoch=$(date --date=$datetime -u +'%s')" >> $GITHUB_OUTPUT
           echo "nodejs_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "python_version=$(grep "^nodejs" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep "^terraform" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
+          echo "version=$(echo $version)" >> $GITHUB_OUTPUT
+          echo "is_version_prerelease=$(if [[ $version == *-* ]]; then echo "true"; else echo "false"; fi)" >> $GITHUB_OUTPUT
+
       - name: "Check if pull request exists for this branch"
         id: pr_exists
         env:
@@ -65,6 +71,7 @@ jobs:
           export TERRAFORM_VERSION="${{ steps.variables.outputs.terraform_version }}"
           export VERSION="${{ steps.variables.outputs.version }}"
           export DOES_PULL_REQUEST_EXIST="${{ steps.pr_exists.outputs.does_pull_request_exist }}"
+          export IS_VERSION_PRERELEASE="${{ steps.variables.outputs.is_version_prerelease }}"
           make list-variables
   commit-stage: # Recommended maximum execution time is 2 minutes
     name: "Commit stage"
@@ -96,7 +103,7 @@ jobs:
     name: "Build stage"
     needs: [metadata, test-stage]
     uses: ./.github/workflows/stage-3-build.yaml
-    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
+    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened')) || (github.event_name == 'push' && github.ref == 'refs/heads/main')
     with:
       build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
       build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
@@ -110,7 +117,21 @@ jobs:
     name: "Acceptance stage"
     needs: [metadata, build-stage]
     uses: ./.github/workflows/stage-4-acceptance.yaml
-    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened'))
+    if: needs.metadata.outputs.does_pull_request_exist == 'true' || (github.event_name == 'pull_request' && (github.event.action == 'opened' || github.event.action == 'reopened')) || (github.event_name == 'push' && github.ref == 'refs/heads/main')
+    with:
+      build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
+      build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
+      build_epoch: "${{ needs.metadata.outputs.build_epoch }}"
+      nodejs_version: "${{ needs.metadata.outputs.nodejs_version }}"
+      python_version: "${{ needs.metadata.outputs.python_version }}"
+      terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
+      version: "${{ needs.metadata.outputs.version }}"
+    secrets: inherit
+  publish-stage: # Recommended maximum execution time is 10 minutes
+    name: "Publish stage"
+    needs: [metadata, acceptance-stage]
+    uses: ./.github/workflows/stage-5-publish.yaml
+    if: (github.event_name == 'push' && github.ref == 'refs/heads/main')
     with:
       build_datetime: "${{ needs.metadata.outputs.build_datetime }}"
       build_timestamp: "${{ needs.metadata.outputs.build_timestamp }}"
@@ -119,4 +140,5 @@ jobs:
       python_version: "${{ needs.metadata.outputs.python_version }}"
       terraform_version: "${{ needs.metadata.outputs.terraform_version }}"
       version: "${{ needs.metadata.outputs.version }}"
+      is_version_prerelease: "${{ needs.metadata.outputs.is_version_prerelease }}"
     secrets: inherit