Merge branch 'main' into Automation-initial-commit

.github/workflows/deploy-env.yaml

@@ -0,0 +1,160 @@
+name: Deploy - Environment
+
+on:
+  workflow_dispatch:
+
+jobs:
+  package:
+    name: 'Package Web in Docker'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./src
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Lowercase the repo name and username
+        run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+      - name: Build Web Docker Image
+        run: |
+          docker build . -t ghcr.io/${{ env.REPO }}:${{ github.sha }} -f web/CareLeavers.Web/Dockerfile
+
+      - uses: docker/login-action@v1
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push Web Docker Image
+        run: docker push ghcr.io/${{ env.REPO }}:${{ github.sha }}
+
+  terraform_dependencies:
+    name: 'Provision Terraform Dependencies'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    environment:
+      name: 'Test'
+    steps:
+      - name: 'Az CLI login'
+        uses: azure/login@v2
+        with:
+          creds: |
+            {
+                "clientId": "${{ secrets.AZURE_CLIENT_ID }}",
+                "clientSecret": "${{ secrets.AZURE_CLIENT_SECRET }}",
+                "tenantId": "${{ secrets.AZURE_TENANT_ID }}",
+                "subscriptionId": "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+            }
+
+      - name: Create TF State dependencies
+        uses: azure/cli@v2
+        with:
+          azcliversion: latest
+          inlineScript: |
+            az group create --name s186${{ vars.ENVIRONMENT_PREFIX }}-cl-tfstate --location westeurope --output none --tags "Environment=${{ vars.CIP_ENVIRONMENT }}" "Product=Design Operations" "Service=Newly onboarded" "Service offering=Design operations"
+
+            az storage account create --name s186${{ vars.ENVIRONMENT_PREFIX }}cltfstate --resource-group s186${{ vars.ENVIRONMENT_PREFIX }}-cl-tfstate --location westeurope --sku Standard_LRS
+
+            az storage container create --name tfstate --account-name s186${{ vars.ENVIRONMENT_PREFIX }}cltfstate
+
+
+  deploy_infrastructure:
+    name: 'Provision Infrastructure'
+    runs-on: ubuntu-latest
+    needs: [terraform_dependencies]
+    permissions:
+      contents: read
+      id-token: write
+    environment:
+      name: 'Test'
+    env:
+      ARM_CLIENT_ID: "${{ secrets.AZURE_CLIENT_ID }}"
+      ARM_SUBSCRIPTION_ID: "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+      ARM_TENANT_ID: "${{ secrets.AZURE_TENANT_ID }}"
+      ARM_CLIENT_SECRET: "${{ secrets.AZURE_CLIENT_SECRET }}"
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_wrapper: false
+          terraform_version: 1.10.4
+
+      - name: 'Terraform Init'
+        id: terraform_init
+        working-directory: ./src/infrastructure/terraform
+        run: terraform init -backend-config="resource_group_name=s186${{ vars.ENVIRONMENT_PREFIX }}-cl-tfstate" -backend-config="storage_account_name=s186${{ vars.ENVIRONMENT_PREFIX }}cltfstate" -backend-config="container_name=tfstate" -backend-config="key=terraform.tfstate"
+
+      - name: 'Terraform Plan'
+        id: terraform_plan
+        working-directory: ./src/infrastructure/terraform
+        run: terraform plan -out plan.plan
+        env:
+          TF_VAR_github_principal: ${{ secrets.AZURE_PRINCIPAL_ID }}
+          TF_VAR_environment_prefix: ${{ vars.ENVIRONMENT_PREFIX }}
+          TF_VAR_cip_environment: ${{ vars.CIP_ENVIRONMENT }}
+          TF_VAR_contentful_delivery_api_key: ${{ secrets.CONTENTFUL_DELIVERY_API_KEY }}
+          TF_VAR_contentful_preview_api_key: ${{ secrets.CONTENTFUL_PREVIEW_API_KEY }}
+          TF_VAR_contentful_space_id: ${{ secrets.CONTENTFUL_SPACE_ID }}
+
+      - name: 'Terraform Apply'
+        id: terraform_apply
+        working-directory: ./src/infrastructure/terraform
+        run: terraform apply plan.plan
+
+  deploy-backend:
+    name: Deploy Web
+    permissions:
+      contents: none
+      id-token: write
+    runs-on: ubuntu-latest
+    needs: [ package, deploy_infrastructure ]
+    environment:
+      name: 'Test'
+
+    steps:
+      - name: Lowercase the repo name and username
+        run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}
+
+      - name: 'Az CLI login'
+        uses: azure/login@v1
+        with:
+          creds: |
+            {
+                "clientId": "${{ secrets.AZURE_CLIENT_ID }}",
+                "clientSecret": "${{ secrets.AZURE_CLIENT_SECRET }}",
+                "tenantId": "${{ secrets.AZURE_TENANT_ID }}",
+                "subscriptionId": "${{ secrets.AZURE_SUBSCRIPTION_ID }}"
+            }
+
+      - name: 'Get publishing profile'
+        run: |
+          publishingProfile=$(az webapp deployment list-publishing-profiles --name s186${{ vars.ENVIRONMENT_PREFIX }}-cl-web-app-service --slot staging --resource-group s186${{ vars.ENVIRONMENT_PREFIX }}-cl-web-rg --xml)
+          echo "PUBLISHING_PROFILE=$publishingProfile" >>${GITHUB_ENV}
+
+      - name: Deploy to Azure Web App
+        id: deploy-to-webapp
+        uses: azure/webapps-deploy@v2
+        with:
+          app-name: ${{ vars.DEV_AZURE_WEBAPP_NAME }}
+          slot-name: 'staging'
+          publish-profile: ${{ env.PUBLISHING_PROFILE }}
+          images: 'ghcr.io/${{ env.REPO }}:${{ github.sha }}'
+
+      - name: Wait for Staging to warm up
+        id: wait-for-staging
+        uses: jtalk/url-health-check-action@v4
+        with:
+          url: https://s186${{ vars.ENVIRONMENT_PREFIX }}-cl-web-fd.azurefd.net/staging-health
+          retry-delay: 3s
+          max-attempts: 5
+
+      - name: Swap slot to production
+        run: az webapp deployment slot swap --name s186${{ vars.ENVIRONMENT_PREFIX }}-cl-web-app-service --resource-group s186${{ vars.ENVIRONMENT_PREFIX }}-cl-web-rg --slot staging --target-slot production

.github/workflows/validate-deployment.yaml

@@ -0,0 +1,24 @@
+name: Validate - Deployment
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment_prefix:
+        description: 'Environment Prefix'
+        required: true
+        default: 'd01'
+        options:
+          - 'd01'
+jobs:
+  accessibility_scan:
+    name: 'Run Pa11y Accessibility Scan'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./src
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run accessibility scans
+        working-directory: ./src/e2e/pa11y
+        run: yarn pa11y-ci --sitemap https://s186${{ github.event.inputs.environment }}-cl-web-fd.azurefd.net/sitemap.xml

.gitignore

@@ -271,10 +271,6 @@ FakesAssemblies/
 # GhostDoc plugin setting file
 *.GhostDoc.xml
 
-# Node.js Tools for Visual Studio
-.ntvs_analysis.dat
-node_modules/
-
 # Visual Studio 6 build log
 *.plg
 
@@ -356,7 +352,9 @@ MigrationBackup/
 
 src/web/CareLeavers.Web/wwwroot
 
+
 # Node.js dependencies
+.ntvs_analysis.dat
 node_modules/
 package-lock.json
 yarn.lock
@@ -370,3 +368,39 @@ yarn-error.log*
 
 # Ignoring obj folder
 /obj/
+
+### Terraform ###
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

src/infrastructure/terraform/caching.tf

@@ -0,0 +1,23 @@
+resource "azurerm_resource_group" "caching-rg" {
+  name     = "${local.service_prefix}-caching-rg"
+  location = local.location
+  tags     = local.common_tags
+}
+
+resource "azurerm_redis_cache" "redis-cache" {
+  capacity            = 2
+  family              = "C"
+  location            = local.location
+  name                = "${local.service_prefix}-redis-cache"
+  resource_group_name = azurerm_resource_group.caching-rg.name
+  sku_name            = "Standard"
+  minimum_tls_version = "1.2"
+
+  tags = local.common_tags
+}
+
+resource "azurerm_key_vault_secret" "redis-cache-connection-string" {
+  key_vault_id = azurerm_key_vault.key-vault.id
+  name         = "redis-cache-connection-string"
+  value        = azurerm_redis_cache.redis-cache.primary_connection_string
+}

src/infrastructure/terraform/data.tf

@@ -0,0 +1 @@
+data "azurerm_client_config" "client" {}

src/infrastructure/terraform/frontdoor.tf

@@ -0,0 +1,78 @@
+resource "azurerm_frontdoor" "web-frontdoor" {
+  name                = local.frontdoor_name
+  resource_group_name = azurerm_resource_group.web-rg.name
+  tags                = local.common_tags
+
+  routing_rule {
+    name               = "webRoutingRule"
+    accepted_protocols = ["Http", "Https"]
+    patterns_to_match  = ["/*"]
+    frontend_endpoints = ["${local.service_prefix}-web-fd"]
+    forwarding_configuration {
+      forwarding_protocol = "MatchRequest"
+      backend_pool_name   = "${local.service_prefix}-webBackend"
+    }
+  }
+
+  routing_rule {
+    name               = "webStagingRoutingRule"
+    accepted_protocols = ["Http", "Https"]
+    patterns_to_match  = ["/staging-health"]
+    frontend_endpoints = ["${local.service_prefix}-web-fd"]
+    forwarding_configuration {
+      forwarding_protocol    = "MatchRequest"
+      backend_pool_name      = "${local.service_prefix}-webStagingBackend"
+      custom_forwarding_path = "/health"
+    }
+  }
+
+  backend_pool_load_balancing {
+    name = "${local.service_prefix}-LoadBalancingSettings"
+  }
+
+  backend_pool_health_probe {
+    name    = "${local.service_prefix}-HealthProbeSetting"
+    enabled = false
+  }
+
+  backend_pool {
+    name = "${local.service_prefix}-webBackend"
+    backend {
+      host_header = azurerm_linux_web_app.web-app-service.default_hostname
+      address     = azurerm_linux_web_app.web-app-service.default_hostname
+      http_port   = 80
+      https_port  = 443
+    }
+
+    load_balancing_name = "${local.service_prefix}-LoadBalancingSettings"
+    health_probe_name   = "${local.service_prefix}-HealthProbeSetting"
+  }
+  backend_pool {
+    name = "${local.service_prefix}-webStagingBackend"
+    backend {
+      host_header = azurerm_linux_web_app_slot.web-app-service-staging.default_hostname
+      address     = azurerm_linux_web_app_slot.web-app-service-staging.default_hostname
+      http_port   = 80
+      https_port  = 443
+    }
+
+    load_balancing_name = "${local.service_prefix}-LoadBalancingSettings"
+    health_probe_name   = "${local.service_prefix}-HealthProbeSetting"
+  }
+  backend_pool_settings {
+    enforce_backend_pools_certificate_name_check = true
+  }
+
+  frontend_endpoint {
+    name                                    = local.frontdoor_name
+    host_name                               = local.frontdoor_url
+    web_application_firewall_policy_link_id = azurerm_frontdoor_firewall_policy.web_firewall_policy.id
+  }
+}
+
+resource "azurerm_frontdoor_firewall_policy" "web_firewall_policy" {
+  name                = "webFirewallPolicy"
+  resource_group_name = azurerm_resource_group.web-rg.name
+  tags                = local.common_tags
+  mode                = "Detection"
+}