release

.github/workflows/push.yml

@@ -9,6 +9,7 @@ on:
     branches:
       - develop
       - main
+  workflow_dispatch:
 
 permissions:
   id-token: write # This is required for requesting the JWT
@@ -24,7 +25,26 @@ env:
   SMTP_SENDER: ${{ secrets.SMTP_SENDER }}
 
 jobs:
-  build:
+
+  fetch-ecr-password:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - id: get-ecr-pw
+        run: |
+          echo "ECR_PW=$(aws ecr get-login-password --region ${{ env.AWS_REGION }} --output text)" >> "$GITHUB_OUTPUT"
+    outputs:
+      ECR_PW: ${{ steps.get-ecr-pw.outputs.ecr_pw }}
+
+  set-environment-variables:
     runs-on: ubuntu-latest
     steps:
       - name: Select Environment
@@ -45,9 +65,6 @@ jobs:
             echo "TMP_TASK_DEFINITION_ARN_PARAMETER_NAME=${{ vars.PROD_TMP_TASK_DEFINITION_ARN_PARAMETER_NAME }}" >> $GITHUB_ENV
             echo "CALLBACK_ENDPOINT_PARAMETER_NAME=${{ vars.PROD_CALLBACK_ENDPOINT_PARAMETER_NAME }}" >> $GITHUB_ENV
             echo "SES_SMTP_CREDENTIALS_SECRET_NAME=${{ vars.PROD_SES_SMTP_CREDENTIALS_SECRET_NAME }}" >> $GITHUB_ENV
-            echo "SMTP_USER=${{ secrets.PROD_SMTP_USER }}" >> $GITHUB_ENV
-            echo "SMTP_PASSWORD=${{ secrets.PROD_SMTP_PASSWORD }}" >> $GITHUB_ENV
-            echo "DD_API_KEY_SECRET_NAME=${{ secrets.PROD_DD_API_KEY_SECRET_NAME }}" >> $GITHUB_ENV
           elif [ "${{ github.ref }}" == "refs/heads/develop" ]; then
             echo "ENVIRONMENT=stage" >> $GITHUB_ENV
             echo "SERVICE_CPU=${{ vars.STAGE_SERVICE_CPU }}" >> $GITHUB_ENV
@@ -64,74 +81,146 @@ jobs:
             echo "TMP_TASK_DEFINITION_ARN_PARAMETER_NAME=${{ vars.STAGE_TMP_TASK_DEFINITION_ARN_PARAMETER_NAME }}" >> $GITHUB_ENV
             echo "CALLBACK_ENDPOINT_PARAMETER_NAME=${{ vars.STAGE_CALLBACK_ENDPOINT_PARAMETER_NAME }}" >> $GITHUB_ENV
             echo "SES_SMTP_CREDENTIALS_SECRET_NAME=${{ vars.STAGE_SES_SMTP_CREDENTIALS_SECRET_NAME }}" >> $GITHUB_ENV
-            echo "SMTP_USER=${{ secrets.STAGE_SMTP_USER }}" >> $GITHUB_ENV
-            echo "SMTP_PASSWORD=${{ secrets.STAGE_SMTP_PASSWORD }}" >> $GITHUB_ENV
-            echo "DD_API_KEY_SECRET_NAME=${{ secrets.STAGE_DD_API_KEY_SECRET_NAME }}" >> $GITHUB_ENV
           fi
+          echo "IMAGE_TAG=${{ github.sha }}" >> $GITHUB_ENV
+    outputs:
+      ENVIRONMENT: ${{ env.ENVIRONMENT }}
+      SERVICE_CPU: ${{ env.SERVICE_CPU }}
+      SERVICE_MEMORY: ${{ env.SERVICE_MEMORY }}
+      OUTBOX_TABLE_NAME_PARAMETER_NAME: ${{ env.OUTBOX_TABLE_NAME_PARAMETER_NAME }}
+      MC_EML_EFS_ACCESS_POINT_ARN_PARAMETER_NAME: ${{ env.MC_EML_EFS_ACCESS_POINT_ARN_PARAMETER_NAME }}
+      MC_EML_EFS_ACCESS_POINT_ID_PARAMETER_NAME: ${{ env.MC_EML_EFS_ACCESS_POINT_ID_PARAMETER_NAME }}
+      MC_EML_EFS_ID_PARAMETER_NAME: ${{ env.MC_EML_EFS_ID_PARAMETER_NAME }}
+      REPOSITORY_NAME_PARAMETER_NAME: ${{ env.REPOSITORY_NAME_PARAMETER_NAME }}
+      MD_REST_EFS_ID_PARAMETER_NAME: ${{ env.MD_REST_EFS_ID_PARAMETER_NAME }}
+      MD_REST_ACCESS_POINT_ID_PARAMETER_NAME: ${{ env.MD_REST_ACCESS_POINT_ID_PARAMETER_NAME }}
+      MD_REST_ACCESS_POINT_ARN_PARAMETER_NAME: ${{ env.MD_REST_ACCESS_POINT_ARN_PARAMETER_NAME }}
+      TASK_DEFINITION_ARN_PARAMETER_NAME: ${{ env.TASK_DEFINITION_ARN_PARAMETER_NAME }}
+      TMP_TASK_DEFINITION_ARN_PARAMETER_NAME: ${{ env.TMP_TASK_DEFINITION_ARN_PARAMETER_NAME }}
+      CALLBACK_ENDPOINT_PARAMETER_NAME: ${{ env.CALLBACK_ENDPOINT_PARAMETER_NAME }}
+      SES_SMTP_CREDENTIALS_SECRET_NAME: ${{ env.SES_SMTP_CREDENTIALS_SECRET_NAME }}
+      IMAGE_TAG: ${{ env.IMAGE_TAG }}
+      IMAGE_NAME: ${{ env.ENVIRONMENT }}-${{ env.SERVICE_NAME }}
 
-      # Step 1: Checkout the repository
+  build-image:
+    env:
+      IMAGE_TAG: ${{ needs.set-environment-variables.outputs.IMAGE_TAG }}
+      IMAGE_NAME: ${{ needs.set-environment-variables.outputs.IMAGE_NAME }}
+    runs-on: ubuntu-latest
+    needs:
+      - set-environment-variables
+    steps:
       - name: Checkout Code
         uses: actions/checkout@v3
 
-      # Step 2: Configure AWS credentials
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
           aws-region: ${{ vars.AWS_REGION }}
 
-      # Step 3: Login to ECR registry
       - name: Login ECR
         id: login-ecr
         uses: aws-actions/amazon-ecr-login@v2
 
-      # Step 4: Build & push image
       - name: Image build
+        continue-on-error: false
         id: build-image
         env:
           ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
-          IMAGE_NAME: ${{ env.ENVIRONMENT }}-${{ env.SERVICE_NAME }}
+          IMAGE_NAME: ${{ env.IMAGE_NAME }}
+          IMAGE_TAG: ${{ env.IMAGE_TAG }}
         run: |
           docker build -t "$IMAGE_NAME:latest" -f Dockerfile .
           docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:latest
-          docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:$GITHUB_SHA
+          docker tag $IMAGE_NAME:latest $ECR_REGISTRY/$IMAGE_NAME:$IMAGE_TAG
           docker push $ECR_REGISTRY/$IMAGE_NAME --all-tags
-          echo "image=$ECR_REGISTRY/$IMAGE_NAME:$GITHUB_SHA" >> $GITHUB_OUTPUT
-          echo "image-tag=$GITHUB_SHA" >> $GITHUB_OUTPUT
 
-      # Step 5: Deploy updated task definition stack
-      - name: Deploy CDK Stack
-        continue-on-error: false
-        uses: arnaskro/aws-cdk-v2-github-actions@v2.3.0
+  deploy-cdk:
+    env:
+      ENVIRONMENT: ${{ needs.set-environment-variables.outputs.ENVIRONMENT }}
+      IMAGE_NAME: ${{ needs.set-environment-variables.outputs.IMAGE_NAME }}
+      IMAGE_TAG: ${{ needs.set-environment-variables.outputs.IMAGE_TAG }}
+      TMP_TASK_DEFINITION_ARN_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.TMP_TASK_DEFINITION_ARN_PARAMETER_NAME }}
+      TASK_DEFINITION_ARN_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.TASK_DEFINITION_ARN_PARAMETER_NAME }}
+      SERVICE_CPU: ${{ needs.set-environment-variables.outputs.SERVICE_CPU }}
+      SERVICE_MEMORY: ${{ needs.set-environment-variables.outputs.SERVICE_MEMORY }}
+      OUTBOX_TABLE_NAME_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.OUTBOX_TABLE_NAME_PARAMETER_NAME }}
+      MC_EML_EFS_ACCESS_POINT_ARN_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.MC_EML_EFS_ACCESS_POINT_ARN_PARAMETER_NAME }}
+      MC_EML_EFS_ACCESS_POINT_ID_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.MC_EML_EFS_ACCESS_POINT_ID_PARAMETER_NAME }}
+      MC_EML_EFS_ID_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.MC_EML_EFS_ID_PARAMETER_NAME }}
+      REPOSITORY_NAME_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.REPOSITORY_NAME_PARAMETER_NAME }}
+      MD_REST_EFS_ID_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.MD_REST_EFS_ID_PARAMETER_NAME }}
+      MD_REST_ACCESS_POINT_ID_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.MD_REST_ACCESS_POINT_ID_PARAMETER_NAME }}
+      MD_REST_ACCESS_POINT_ARN_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.MD_REST_ACCESS_POINT_ARN_PARAMETER_NAME }}
+      CALLBACK_ENDPOINT_PARAMETER_NAME: ${{ needs.set-environment-variables.outputs.CALLBACK_ENDPOINT_PARAMETER_NAME }}
+      SES_SMTP_CREDENTIALS_SECRET_NAME: ${{ needs.set-environment-variables.outputs.SES_SMTP_CREDENTIALS_SECRET_NAME }}
+    runs-on: ubuntu-latest
+    needs:
+      - fetch-ecr-password
+      - set-environment-variables
+      - build-image
+    container:
+      image: 823598220965.dkr.ecr.eu-west-1.amazonaws.com/alpine-cdk-runner:0ce104344ee2d098f181b1d785bfa55fa68b6e9f
+      credentials:
+        username: AWS
+        password: ${{ needs.fetch-ecr-password.outputs.ECR_PW }}
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@v3
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
         with:
-          cdk_subcommand: 'deploy'
-          cdk_args: '-c environment=${{ env.ENVIRONMENT }} -c image_tag=${{ steps.build-image.outputs.image-tag }} --require-approval never'
-          actions_comment: false
-          working_dir: cdk
+          role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
+          aws-region: ${{ vars.AWS_REGION }}
+
+      - name: Inject cross repo shared token
+        working-directory: cdk
+        run: |
+          mv requirements.txt temp_requirements.txt
+          sed -e "s/__SHARED_TOKEN__/${{ secrets.SHARED_TOKEN }}/g" temp_requirements.txt > requirements.txt
+
+      - name: Set CDK environment variables
+        run: |
+          echo "CDK_DEFAULT_ACCOUNT=$(aws sts get-caller-identity --query Account --output text)" >> $GITHUB_ENV
+          echo "CDK_DEFAULT_REGION=${{ vars.AWS_REGION }}" >> $GITHUB_ENV
+
+      - name: Deploy CDK Stack
+        working-directory: cdk
+        run: |
+          python3 -m venv venv
+          . venv/bin/activate
+          pip install -r requirements.txt
+          cdk deploy -c environment=${{ env.ENVIRONMENT }} \
+          -c image_tag=${{ env.IMAGE_TAG }} \
+          -c dd_api_key_secret_name=${{ ( env.ENVIRONMENT == 'prod' ) && secrets.PROD_DD_API_KEY_SECRET_NAME || secrets.STAGE_DD_API_KEY_SECRET_NAME }} \
+          -c smtp_user=${{ ( env.ENVIRONMENT == 'prod' ) && secrets.PROD_SMTP_USER || secrets.STAGE_SMTP_USER }} \
+          -c smtp_password=${{ ( env.ENVIRONMENT == 'prod' ) && secrets.PROD_SMTP_PASSWORD || secrets.STAGE_SMTP_PASSWORD }} \
+          --require-approval never \
+          --all
 
-      # Step 6: Retrieve updated temporary task definition arn
       - name: Retrieve image updated task definition
         continue-on-error: false
         id: get-tmp-task-definition
         run: |
           TMP_TASK_DEFINITION_ARN=$(aws ssm get-parameter --name ${{ env.TMP_TASK_DEFINITION_ARN_PARAMETER_NAME }} --query Parameter.Value --output text)
           echo "task-definition-arn=$TMP_TASK_DEFINITION_ARN" >> $GITHUB_OUTPUT
 
-      # Step 7: Deploy new task definition and wait for service to be stable
       - name: Deploy task definition
         id: task-definition-deploy
         run: |
           aws ecs update-service \
           --cluster ${{ env.ENVIRONMENT }} \
           --service ${{ env.SERVICE_NAME }} \
-          --task-definition ${{ steps.get-tmp-task-definition.outputs.task-definition-arn }}
+          --task-definition ${{ steps.get-tmp-task-definition.outputs.task-definition-arn }} \
+          --no-paginate
           aws ecs wait services-stable \
           --cluster ${{ env.ENVIRONMENT }} \
           --services ${{ env.SERVICE_NAME }}
 
-      # Step 8a: Update task definition ssm parameter if the deployment succeeds
       - name: Update the task definition ssm parameter
-#        if: ${{ steps.task-definition-deploy.outcome == 'success' }}
+        if: ${{ steps.task-definition-deploy.outcome == 'success' }}
         continue-on-error: false
         run: |
           aws ssm put-parameter \
@@ -140,9 +229,8 @@ jobs:
           --type String \
           --overwrite
 
-      # Step 8b: Deregister the task definition if the deployment fails
       - name: Delete task definition if deploy fails
         if: ${{ steps.task-definition-deploy.outcome == 'failure' }}
         run: |
           aws ecs deregister-task-definition \
-          --task-definition ${{ steps.get-tmp-task-definition.outputs.task-definition-arn }}
+          --task-definition ${{ steps.get-tmp-task-definition.outputs.task-definition-arn }}

.gitignore

@@ -6,9 +6,10 @@ deployments/build
 !**/.gitkeep
 
 .venv
+**/requirements.local.txt
 
 *.iml
 
 cdk/cdk.out
 
-.idea
+.idea

cdk/app.py

@@ -5,28 +5,46 @@
     Tags
 )
 
+from os import environ
+
 from get_env_variables import GetEnvVariables
 from task_definition_stack import TaskDefinitionStack
 
+from multidialogo_cdk_shared.environment_secrets_resolver import EnvironmentSecretsResolver
+from multidialogo_cdk_shared.enums import EnvironmentsEnum
+
 if __name__ == "__main__":
     app = App()
 
     selected_environment = app.node.try_get_context('environment')
     image_tag = app.node.try_get_context('image_tag')
+    dd_api_key_secret_name = app.node.try_get_context('dd_api_key_secret_name')
+    smtp_user = app.node.try_get_context('smtp_user')
+    smtp_password = app.node.try_get_context('smtp_password')
 
     env_parameters = GetEnvVariables(selected_environment).env_dict
 
-    environment = Environment(account=env_parameters['ACCOUNT_ID'], region=env_parameters['AWS_REGION'])
+    account = environ.get('CDK_DEFAULT_ACCOUNT')
+    region = environ.get('CDK_DEFAULT_REGION')
+
+    environment = Environment(account=account, region=region)
+
+    environment_secrets_resolver = EnvironmentSecretsResolver(
+        selected_environment=EnvironmentsEnum[selected_environment.upper()]
+    )
 
     TaskDefinitionStack(
         app,
         f"{env_parameters['SELECTED_ENVIRONMENT']}-multicarrier-email-daemon-task-definition-stack",
         env_parameters=env_parameters,
         image_tag=image_tag,
-        env=environment
+        env=environment,
+        environment_secrets_resolver=environment_secrets_resolver,
+        smtp_user=smtp_user,
+        smtp_password=smtp_password
     )
 
     Tags.of(app).add('env', selected_environment)
     Tags.of(app).add('ecs_cluster_name', selected_environment)
 
-    app.synth()
+    app.synth()

cdk/get_env_variables.py

@@ -21,10 +21,7 @@
     'TMP_TASK_DEFINITION_ARN_PARAMETER_NAME',
     'CALLBACK_ENDPOINT_PARAMETER_NAME',
     'SES_SMTP_CREDENTIALS_SECRET_NAME',
-    'SMTP_USER',
-    'SMTP_PASSWORD',
-    'SMTP_SENDER',
-    'DD_API_KEY_SECRET_NAME'
+    'SMTP_SENDER'
 ]
 
 class GetEnvVariables:
@@ -38,4 +35,4 @@ def __init__(
         }
 
         for i in ENVIRONMENT_VARIABLES:
-            self.env_dict[i] = os.environ[i]
+            self.env_dict[i] = os.environ[i]

cdk/requirements.txt

@@ -1,2 +1,3 @@
 aws-cdk-lib
-cdk-nag
+cdk-nag
+multidialogo_cdk_shared @ git+https://__SHARED_TOKEN__@github.com/Multidialogo/multidialogo-cdk-shared.git@main