This works as an MVP, so I'm going to roll it out into production #135
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test and deploy to AWS | |
on: | |
push: | |
branches: [ main ] | |
paths-ignore: | |
- '.github/workflows/codeql.yml' | |
- '.github/dependabot.yml' | |
- 'build/**' | |
- 'examples/**' | |
- '**.md' | |
workflow_dispatch: | |
permissions: | |
id-token: write # This is required for requesting the JWT for AWS authentication | |
contents: read # This is required for actions/checkout | |
jobs: | |
test-and-deploy: | |
runs-on: ubuntu-latest | |
strategy: | |
max-parallel: 1 | |
fail-fast: true | |
matrix: | |
include: | |
- environment: nonprod-aws | |
SERVICE_DOMAIN: sso.nonprod-service.security.gov.uk | |
TF_WORKSPACE: nonprod | |
AWS_REGION: eu-west-2 | |
- environment: prod-aws | |
SERVICE_DOMAIN: sso.service.security.gov.uk | |
TF_WORKSPACE: prod | |
AWS_REGION: eu-west-2 | |
environment: | |
name: ${{ matrix.environment }} | |
steps: | |
- name: Checkout this repo | |
uses: actions/checkout@v3 | |
with: | |
ref: main | |
path: main | |
- name: Read .terraform-version file | |
run: | | |
TV=$(cat main/terraform/.terraform-version | tr -d [:space:]) | |
echo "terraform_version=${TV}" | |
echo "terraform_version=${TV}" >> $GITHUB_OUTPUT | |
- uses: hashicorp/setup-terraform@v2 | |
with: | |
terraform_version: ${{ env.terraform_version }} | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.11' | |
- name: Show me files | |
run: ls -lah | |
- name: Build and test viewer-request | |
env: | |
AWS_CLOUDFRONT_KEY: ${{ secrets.AWS_CLOUDFRONT_KEY }} | |
run: | | |
cd main/ | |
chmod +x build/*.sh | |
bash build/test_viewer-request.sh | |
- name: Build and test viewer-response | |
run: | | |
cd main/ | |
chmod +x build/*.sh | |
bash build/test_viewer-response.sh | |
- name: Build and test Flask app | |
env: | |
AWS_CLOUDFRONT_KEY: ${{ secrets.AWS_CLOUDFRONT_KEY }} | |
run: | | |
cd main/ | |
chmod +x build/*.sh | |
python -V | |
bash build/build_lambda.sh | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
role-to-assume: ${{ secrets.AWS_ROLE }} | |
aws-region: ${{ matrix.AWS_REGION }} | |
- name: Test IAM credentials | |
run: aws sts get-caller-identity | |
- name: Apply Terraform | |
env: | |
AWS_CLOUDFRONT_KEY: ${{ secrets.AWS_CLOUDFRONT_KEY }} | |
AWS_REGION: ${{ matrix.AWS_REGION }} | |
TF_WORKSPACE: ${{ matrix.TF_WORKSPACE }} | |
run: | | |
cd main/ | |
chmod +x build/*.sh | |
bash build/test_viewer-request.sh | |
bash build/test_viewer-response.sh | |
bash build/build_lambda.sh | |
cd terraform/ | |
terraform workspace show | |
terraform init | |
terraform apply -auto-approve | |
- name: Deploy S3 assets | |
env: | |
S3_ASSET_BUCKET: ${{ matrix.SERVICE_DOMAIN }} | |
AWS_REGION: ${{ matrix.AWS_REGION }} | |
run: | | |
cd main/ | |
aws s3 cp assets/ "s3://${S3_ASSET_BUCKET}/assets/" --recursive | |
- name: Check deployed URLs | |
env: | |
SERVICE_DOMAIN: ${{ matrix.SERVICE_DOMAIN }} | |
TEST_CLIENT_ID: ${{ secrets.TEST_CLIENT_ID }} | |
run: | | |
echo "Checking CloudFront status" | |
curl -v "https://${SERVICE_DOMAIN}/.well-known/status" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .cfstatus.txt | |
egrep -i '< HTTP/[0123\.]+ 200' .cfstatus.txt | |
egrep -i "OK" .cfstatus.txt | |
echo "Checking Lambda status" | |
curl -v "https://${SERVICE_DOMAIN}/internal/health" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .lstatus.txt | |
egrep -i '< HTTP/[0123\.]+ 200' .lstatus.txt | |
egrep -i "IMOK" .lstatus.txt | |
echo "Checking OIDC status" | |
curl -v "https://${SERVICE_DOMAIN}/.well-known/openid-configuration" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .oidc.txt | |
egrep -i '< HTTP/[0123\.]+ 200' .oidc.txt | |
egrep -i "\"issuer\":\s*\"https://${SERVICE_DOMAIN}\"" .oidc.txt | |
echo "Checking '/' is public" | |
curl -v "https://${SERVICE_DOMAIN}/" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .www-status.txt | |
egrep -i '< HTTP/[0123\.]+ 200' .www-status.txt | |
egrep -i "<script src=\"https://${SERVICE_DOMAIN}/assets/init.js\">" .www-status.txt | |
echo "Checking '/dashboard' is private and requires auth" | |
curl -v "https://${SERVICE_DOMAIN}/dashboard" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .priv-status.txt | |
egrep -i '< HTTP/[0123\.]+ 30[0-9]' .priv-status.txt | |
grep '< location: /sign-in' .priv-status.txt | |
echo "Checking JWKs status" | |
curl -v "https://${SERVICE_DOMAIN}/.well-known/jwks.json" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .jwks.txt | |
egrep -i '< HTTP/[0123\.]+ 200' .jwks.txt | |
egrep -i "\"kid\":\s*\"[a-z]+\-[a-z0-9]+\"" .jwks.txt | |
echo "Checking /auth/token" | |
curl -v "https://${SERVICE_DOMAIN}/auth/token" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .authtoken.txt | |
egrep -i '< HTTP/[0123\.]+ 400' .authtoken.txt | |
echo "Checking /auth/profile" | |
curl -v "https://${SERVICE_DOMAIN}/auth/profile" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .authprofile.txt | |
egrep -i '< HTTP/[0123\.]+ 200' .authprofile.txt | |
egrep -i "\"sub\":\s*null" .authprofile.txt | |
echo "Checking /auth/oidc failure" | |
curl -v "https://${SERVICE_DOMAIN}/auth/oidc" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .authoidc.txt | |
egrep -i '< HTTP/[0123\.]+ 30[0-9]' .authoidc.txt | |
grep '< location: /error?type=response_type-not-set' .authoidc.txt | |
echo "Checking /auth/oidc semi-success" | |
curl -v "https://${SERVICE_DOMAIN}/auth/oidc?response_type=code&client_id=${TEST_CLIENT_ID}" \ | |
--connect-timeout 10 --max-redirs 0 --silent --stderr - > .authoidc2.txt | |
egrep -i '< HTTP/[0123\.]+ 30[0-9]' .authoidc2.txt | |
grep "< location: /sign-in?to_app=${TEST_CLIENT_ID}" .authoidc2.txt |