-
Notifications
You must be signed in to change notification settings - Fork 16
371 lines (358 loc) · 16.8 KB
/
end-to-end-tests-aws.yml
File metadata and controls
371 lines (358 loc) · 16.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
name: AWS
on:
workflow_call:
inputs:
git_reference_for_application_image:
description: The git reference for deploying containerized mavis application
type: string
required: true
git_reference_for_database_image:
description: The environment to build the base image against
type: string
required: false
default: next
permissions: {}
jobs:
check-development-image-presence:
name: Check if mavis docker image already exists
runs-on: ubuntu-latest
permissions:
id-token: write
outputs:
build-needed: ${{ steps.check-image.outputs.build-needed }}
application-image-git-ref: ${{ steps.check-image.outputs.GIT_REF_SHA }}
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
with:
role-to-assume: arn:aws:iam::393416225559:role/GitHubAssuranceTestRole
aws-region: eu-west-2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
repository: nhsuk/manage-vaccinations-in-schools
- name: Check if image exists
id: check-image
env:
GIT_REF: >-
${{ format('origin/{0}', inputs.git_reference_for_application_image) }}
run: |
GIT_REF_SHA=$(git rev-parse "$GIT_REF")
echo "GIT_REF_SHA=$GIT_REF_SHA" >> "$GITHUB_OUTPUT"
if aws ecr describe-images \
--repository-name mavis/development \
--image-ids "imageTag=$GIT_REF_SHA" > /dev/null 2>&1; then
echo "Docker image with given tag already exists"
echo "build-needed=false" >> "$GITHUB_OUTPUT"
else
echo "Docker image does not exist. Build needed"
echo "build-needed=true" >> "$GITHUB_OUTPUT"
fi
build-and-push-development-image:
needs: [check-development-image-presence]
if: ${{ !cancelled() && needs.check-development-image-presence.outputs.build-needed == 'true' }}
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Checkout code
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
ref: ${{ needs.check-development-image-presence.outputs.application-image-git-ref }}
repository: nhsuk/manage-vaccinations-in-schools
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
with:
role-to-assume: arn:aws:iam::393416225559:role/GitHubAssuranceTestRole
aws-region: eu-west-2
- name: Login to ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@19d944daaa35f0fa1d3f7f8af1d3f2e5de25c5b7 # v2.1.4
- name: Build and push mavis/development docker image
# yamllint disable rule:line-length
run: |
docker build \
--build-arg BUNDLE_WITHOUT=test \
--build-arg RAILS_ENV=development \
-t "393416225559.dkr.ecr.eu-west-2.amazonaws.com/mavis/development:${{ needs.check-development-image-presence.outputs.application-image-git-ref }}" \
.
docker push "393416225559.dkr.ecr.eu-west-2.amazonaws.com/mavis/development:${{ needs.check-development-image-presence.outputs.application-image-git-ref }}"
# yamllint enable rule:line-length
check-database-image-presence:
name: Check if database docker image already exists
runs-on: ubuntu-latest
permissions:
id-token: write
outputs:
build-needed: ${{ steps.check-image.outputs.build-needed }}
db_git_ref_sha: ${{ steps.check-image.outputs.GIT_REF_SHA }}
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
with:
role-to-assume: arn:aws:iam::393416225559:role/GitHubAssuranceTestRole
aws-region: eu-west-2
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
repository: nhsuk/manage-vaccinations-in-schools
- name: Check if image exists
id: check-image
env:
GIT_REF: >-
${{ format('origin/{0}', inputs.git_reference_for_database_image) }}
run: |
GIT_REF_SHA=$(git rev-parse "$GIT_REF")
echo "GIT_REF_SHA=$GIT_REF_SHA" >> "$GITHUB_OUTPUT"
if aws ecr describe-images \
--repository-name mavis/development/postgres_db \
--image-ids "imageTag=$GIT_REF_SHA" > /dev/null 2>&1; then
echo "Docker image with given tag already exists"
echo "build-needed=false" >> "$GITHUB_OUTPUT"
else
echo "Docker image does not exist. Build needed"
echo "build-needed=true" >> "$GITHUB_OUTPUT"
fi
build-and-push-database-image:
needs: [check-database-image-presence]
if: ${{ !cancelled() && needs.check-database-image-presence.outputs.build-needed == 'true' }}
permissions:
id-token: write
contents: read
uses: ./.github/workflows/build-and-push-database-image.yml
with:
github_ref: ${{ needs.check-database-image-presence.outputs.db_git_ref_sha }}
launch-dockerized-devimage:
needs:
- check-development-image-presence
- build-and-push-development-image
- check-database-image-presence
- build-and-push-database-image
if: >-
${{ !cancelled() && (needs.build-and-push-development-image.result == 'success' ||
(needs.check-development-image-presence.result == 'success' &&
needs.build-and-push-development-image.result == 'skipped')) &&
(needs.build-and-push-database-image.result == 'success' ||
(needs.check-database-image-presence.result == 'success' &&
needs.build-and-push-database-image.result == 'skipped')) }}
runs-on: ubuntu-latest
permissions:
id-token: write
outputs:
run_task_arn: ${{ steps.run-task.outputs.run-task-arn }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
with:
role-to-assume: arn:aws:iam::393416225559:role/GitHubAssuranceTestRole
aws-region: eu-west-2
- name: Render task definition web
id: render-task-definition-web
uses: aws-actions/amazon-ecs-render-task-definition@77954e213ba1f9f9cb016b86a1d4f6fcdea0d57e # v1.8.4
with:
task-definition-family: assurance-testing-mavis-development-task-definition-template
container-name: mavis-development-web
# yamllint disable-line rule:line-length
image:
393416225559.dkr.ecr.eu-west-2.amazonaws.com/mavis/development:${{
needs.check-development-image-presence.outputs.application-image-git-ref }}
- name: Render task definition database
id: render-task-definition-database
uses: aws-actions/amazon-ecs-render-task-definition@77954e213ba1f9f9cb016b86a1d4f6fcdea0d57e # v1.8.4
with:
task-definition: ${{ steps.render-task-definition-web.outputs.task-definition }}
container-name: mavis-development-db
# yamllint disable-line rule:line-length
image:
393416225559.dkr.ecr.eu-west-2.amazonaws.com/mavis/development/postgres_db:${{
needs.check-database-image-presence.outputs.db_git_ref_sha }}
- name: Render task definition sidekiq
id: render-task-definition-sidekiq
uses: aws-actions/amazon-ecs-render-task-definition@77954e213ba1f9f9cb016b86a1d4f6fcdea0d57e # v1.8.4
with:
task-definition: ${{ steps.render-task-definition-database.outputs.task-definition }}
container-name: mavis-development-sidekiq
# yamllint disable-line rule:line-length
image:
393416225559.dkr.ecr.eu-west-2.amazonaws.com/mavis/development:${{
needs.check-development-image-presence.outputs.application-image-git-ref }}
- name: Prepare deployment
id: prepare-deployment
run: |
file_path="assurance-testing-mavis-development-task-definition.json"
family_name="assurance-testing-mavis-development-task-definition"
jq --arg f "$family_name" '.family = $f' \
"${{ steps.render-task-definition-sidekiq.outputs.task-definition }}" > "$file_path"
subnet_id=$(aws ec2 describe-subnets \
--filters Name=tag:Name,Values=assurance-testing-subnet \
--query 'Subnets[0].SubnetId' --output text)
security_group_id=$(aws ec2 describe-security-groups \
--filters Name=group-name,Values=assurance-testing-mavis-development-sg \
--query 'SecurityGroups[0].GroupId' --output text)
echo "run-task-subnets=$subnet_id" >> "$GITHUB_OUTPUT"
echo "run-task-security-groups=$security_group_id" >> "$GITHUB_OUTPUT"
- name: Deploy task definition
uses: aws-actions/amazon-ecs-deploy-task-definition@fc8fc60f3a60ffd500fcb13b209c59d221ac8c8c # v2.6.1
id: run-task
with:
task-definition: "assurance-testing-mavis-development-task-definition.json"
cluster: assurance-testing
run-task: true
run-task-subnets: ${{ steps.prepare-deployment.outputs.run-task-subnets }}
run-task-launch-type: "FARGATE"
run-task-security-groups: ${{ steps.prepare-deployment.outputs.run-task-security-groups }}
run-task-assign-public-IP: ENABLED
wait-for-task-stability:
needs: launch-dockerized-devimage
if: ${{ !cancelled() && needs.launch-dockerized-devimage.result == 'success'}}
runs-on: ubuntu-latest
permissions:
id-token: write
outputs:
task_arn: ${{ steps.compile-outputs.outputs.task_arn }}
container_ip: ${{ steps.compile-outputs.outputs.container_ip }}
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
with:
role-to-assume: arn:aws:iam::393416225559:role/GitHubAssuranceTestRole
aws-region: eu-west-2
# yamllint disable rule:line-length
- name: Get container logs
run: |
TASK_ARN=$(echo '${{ needs.launch-dockerized-devimage.outputs.run_task_arn }}' | jq -r '.[0]')
# shellcheck disable=SC2001
TASK_ID=$(sed 's:^.*/::' <<< "$TASK_ARN")
WEB_CLOUDWATCH_URL="https://eu-west-2.console.aws.amazon.com/cloudwatch/home?region=eu-west-2#logsV2:log-groups/log-group/assurance-testing-ecs/log-events/assurance-testing-logs\$252Fmavis-development-web\$252F${TASK_ID}\$3Fstart\$3D$(date +%s)000\$26end\$3D$(date -d '+30 minutes' +%s)000"
SIDEKIQ_CLOUDWATCH_URL="https://eu-west-2.console.aws.amazon.com/cloudwatch/home?region=eu-west-2#logsV2:log-groups/log-group/assurance-testing-ecs/log-events/assurance-testing-logs\$252Fmavis-development-sidekiq\$252F${TASK_ID}\$3Fstart\$3D$(date +%s)000\$26end\$3D$(date -d '+30 minutes' +%s)000"
{
echo "**Task ID:** $TASK_ID"
echo "**Container Logs:** "
echo " * WEB logs: $WEB_CLOUDWATCH_URL"
echo " * SIDEKIQ logs: $SIDEKIQ_CLOUDWATCH_URL"
} >> "$GITHUB_STEP_SUMMARY"
echo "Logs for server: [web](${WEB_CLOUDWATCH_URL}) and [sidekiq](${SIDEKIQ_CLOUDWATCH_URL})"
- name: Wait for task to stabilise
run: |
set -euo pipefail
ELAPSED=0
POLL_INTERVAL=10
TASK_ARN=$(echo '${{ needs.launch-dockerized-devimage.outputs.run_task_arn }}' | jq -r '.[0]')
echo "Waiting for ECS task $TASK_ARN to become HEALTHY"
while (( ELAPSED < 300 )); do
HEALTH_STATUS=$(aws ecs describe-tasks \
--cluster "assurance-testing" \
--tasks "$TASK_ARN" \
--query 'tasks[0].healthStatus' \
--output text 2>/dev/null || echo "UNKNOWN")
LAST_EVENT=$(aws ecs describe-tasks \
--cluster "assurance-testing" \
--tasks "$TASK_ARN" \
--query 'tasks[0].lastStatus' \
--output text 2>/dev/null || echo "UNKNOWN")
case "$HEALTH_STATUS" in
"HEALTHY")
echo "Task is HEALTHY"
exit 0
;;
"UNHEALTHY")
echo "Task reported UNHEALTHY"
aws ecs describe-tasks --cluster "assurance-testing" --tasks "$TASK_ARN" --query 'tasks[0].containers[].{Name:name,Health:health,Reason:lastStatusReason}' --output table
exit 1
;;
"UNKNOWN"|"")
# Task might not exist or API error
if [[ "$LAST_EVENT" == "STOPPED" || "$LAST_EVENT" == "DEACTIVATED" ]]; then
echo "Task is no longer running (lastStatus: $LAST_EVENT)"
exit 1
fi
echo "Task not found or not reporting health yet (healthStatus: UNKNOWN, lastStatus: $LAST_EVENT). Retrying..."
;;
*)
# HEALTHY/UNHEALTHY not reported yet (common in early lifecycle)
echo "Task health check in progress... (healthStatus: $HEALTH_STATUS, lastStatus: $LAST_EVENT)"
;;
esac
sleep "$POLL_INTERVAL"
ELAPSED=$((ELAPSED + POLL_INTERVAL))
done
echo "Timeout reached (300 seconds) while waiting for task to become HEALTHY"
echo "Final status:"
aws ecs describe-tasks \
--cluster "assurance-testing" \
--tasks "$TASK_ARN" \
--query 'tasks[0]' \
--output json || true
exit 1
- name: Compile outputs
id: compile-outputs
run: |
TASK_ARN=$(echo '${{ needs.launch-dockerized-devimage.outputs.run_task_arn }}' | jq -r '.[0]')
NETWORK_INTERFACE=$(aws ecs describe-tasks \
--cluster assurance-testing \
--tasks "$TASK_ARN" \
| jq -r '.tasks[0].attachments[0].details[] | select(.name == "networkInterfaceId") | .value')
CONTAINER_IP=$(aws ec2 describe-network-interfaces \
--network-interface-ids "$NETWORK_INTERFACE" \
--query 'NetworkInterfaces[0].Association.PublicIp' \
--output text)
echo "container_ip=$CONTAINER_IP" >> "$GITHUB_OUTPUT"
echo "task_arn=$TASK_ARN" >> "$GITHUB_OUTPUT"
echo "Started task: $TASK_ARN"
# yamllint enable rule:line-length
find-correct-test-branch:
needs: [wait-for-task-stability]
if: ${{ !cancelled() && needs.wait-for-task-stability.result == 'success' }}
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
test_branch: ${{ steps.check-branch.outputs.test_branch }}
steps:
- name: Check if head branch or base branch exists
id: check-branch
run: |
if git ls-remote --exit-code \
--heads https://github.com/NHSDigital/manage-vaccinations-in-schools-testing.git \
"$HEAD_REF" > /dev/null 2>&1; then
echo "test_branch=$HEAD_REF" >> "$GITHUB_OUTPUT"
elif git ls-remote --exit-code \
--heads https://github.com/NHSDigital/manage-vaccinations-in-schools-testing.git \
"$BASE_REF" > /dev/null 2>&1; then
echo "test_branch=$BASE_REF" >> "$GITHUB_OUTPUT"
else
echo "test_branch=main" >> "$GITHUB_OUTPUT"
fi
env:
HEAD_REF: ${{ github.head_ref }}
BASE_REF: ${{ github.base_ref }}
call-end-to-end-tests:
needs: [launch-dockerized-devimage, wait-for-task-stability, find-correct-test-branch]
if:
${{ !cancelled() && needs.launch-dockerized-devimage.result == 'success' &&
needs.wait-for-task-stability.result == 'success'}}
uses: ./.github/workflows/call-end-to-end-tests.yml
permissions:
contents: write
id-token: write
with:
fhir_api_tests: false
reporting_tests: true
github_ref: ${{ needs.find-correct-test-branch.outputs.test_branch }}
endpoint: http://${{ needs.wait-for-task-stability.outputs.container_ip }}:4000
stop-docker-environment:
needs: [call-end-to-end-tests, launch-dockerized-devimage, wait-for-task-stability]
if: ${{ always() && needs.launch-dockerized-devimage.result != 'skipped'}}
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@ec61189d14ec14c8efccab744f656cffd0e33f37 # v6.1.0
with:
role-to-assume: arn:aws:iam::393416225559:role/GitHubAssuranceTestRole
aws-region: eu-west-2
- name: Stop dockerized dev image
run: >-
aws ecs stop-task --cluster assurance-testing --task ${{
needs.wait-for-task-stability.outputs.task_arn }}