PLAT-4150: update ecs stack to v2.0.2

govuk-one-login · Apr 22, 2024 · e54e34d · e54e34d
1 parent f7b2ee5
commit e54e34d
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 10 deletions.
diff --git a/.github/workflows/secure-post-merge-canary.yml b/.github/workflows/secure-post-merge-canary.yml
@@ -0,0 +1,65 @@
+name: SecurePipeline Docker build, ECR push, template copy to S3
+on:
+  push:
+    branches:
+      - PLAT-4150
+
+jobs:
+  dockerBuildAndPush:
+    name: Docker build and push
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    env:
+      AWS_REGION: eu-west-2
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+
+      # - name: Set up AWS creds #push assets to S3
+      #   uses: aws-actions/configure-aws-credentials@v2
+      #   with:
+      #     role-to-assume: ${{ secrets.UPLOAD_ASSETS_GH_ACTIONS_ROLE_ARN }}
+      #     aws-region: eu-west-2
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+
+      # - name: npm build assets, zip and sign
+      #   uses: govuk-one-login/github-actions/govuk/upload-assets@main
+      #   with:
+      #     signing-key-arn: ${{ secrets.UPLOAD_ASSETS_ZIP_SIGNING_KEY }}
+      #     stack-name: 'core-front'
+      #     destination-bucket-name: ${{ secrets.UPLOAD_ASSETS_ARTIFACT_SOURCE_BUCKET_NAME }}
+
+      - name: Set up AWS creds #push to ECR and  do sam deploy
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ secrets.CANARY_GH_ACTIONS_ROLE_ARN }}
+          aws-region: eu-west-2
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+
+      - name: Login to GDS Dev Dynatrace Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: khw46367.live.dynatrace.com
+          username: khw46367
+          password: ${{ secrets.DYNATRACE_PAAS_TOKEN }}
+
+      - name: Deploy SAM app to ECR
+        uses: govuk-one-login/[email protected]
+        with:
+          artifact-bucket-name: ${{ secrets.CANARY_ARTIFACT_BUCKET_NAME }}
+          container-sign-kms-key-arn: ${{ secrets.CANARY_CONTAINER_SIGN_KMS_KEY }}
+          working-directory: ./deploy
+          docker-build-path: .
+          template-file: template.yaml
+          role-to-assume-arn: ${{ secrets.CANARY_GH_ACTIONS_ROLE_ARN }}
+          ecr-repo-name: ${{ secrets.CANARY_ECR_REPOSITORY}}
diff --git a/deploy/template.yaml b/deploy/template.yaml
@@ -37,6 +37,7 @@ Parameters:
     # Allowed values: See https://docs.aws.amazon.com/codedeploy/latest/userguide/deployment-configurations.html
     AllowedValues:
       - None
+      - ECSCanary50Percent5Minutes
       - CodeDeployDefault.ECSCanary10Percent5Minutes
       - CodeDeployDefault.ECSCanary10Percent15Minutes
       - CodeDeployDefault.ECSAllAtOnce
@@ -68,7 +69,7 @@ Conditions:
 Mappings:
   EnvironmentConfiguration:
     "130355686670": # core-dev01
-      lb400ErrorLimit: 10
+      # lb400ErrorLimit: 10
       lb500ErrorLimit: 2
       lb500ErrorWindow: 300
       tg500ErrorLimit: 10
@@ -89,7 +90,7 @@ Mappings:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables
       spotAccountArn: arn:aws:iam::738810260032:root
     "175872367215": # core-dev02
-      lb400ErrorLimit: 10
+      # lb400ErrorLimit: 10
       lb500ErrorLimit: 2
       lb500ErrorWindow: 300
       tg500ErrorLimit: 10
@@ -110,7 +111,7 @@ Mappings:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables
       spotAccountArn: arn:aws:iam::738810260032:root
     "457601271792": # Build
-      lb400ErrorLimit: 10
+      # lb400ErrorLimit: 10
       lb500ErrorLimit: 2
       lb500ErrorWindow: 300
       tg500ErrorLimit: 10
@@ -135,7 +136,7 @@ Mappings:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables
       spotAccountArn: arn:aws:iam::429671060046:root
     "335257547869": # Staging
-      lb400ErrorLimit: 10
+      # lb400ErrorLimit: 10
       lb500ErrorLimit: 2
       lb500ErrorWindow: 300
       tg500ErrorLimit: 10
@@ -156,7 +157,7 @@ Mappings:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables
       spotAccountArn: arn:aws:iam::444977453444:root
     "991138514218": # Integration
-      lb400ErrorLimit: 10
+      # lb400ErrorLimit: 10
       lb500ErrorLimit: 2
       lb500ErrorWindow: 300
       tg500ErrorLimit: 10
@@ -177,7 +178,7 @@ Mappings:
       dynatraceSecretArn: arn:aws:secretsmanager:eu-west-2:216552277552:secret:DynatraceNonProductionVariables
       spotAccountArn: arn:aws:iam::298945768017:root
     "075701497069": # Production
-      lb400ErrorLimit: 20
+      # lb400ErrorLimit: 20
       lb500ErrorLimit: 2
       lb500ErrorWindow: 300
       tg500ErrorLimit: 50
@@ -1601,20 +1602,21 @@ Resources:
     Type: AWS::CloudFormation::Stack
     Condition: UseCanaryDeployment
     Properties:
-      TemplateURL: "https://template-storage-templatebucket-1upzyw6v9cs42.s3.eu-west-2.amazonaws.com/ecs-canary-deployment/template.yaml?versionId=RLuCcu0SXw5m6qJPl6LeqMrzYZEUR7Xp"
+      # TemplateURL: "https://template-storage-templatebucket-1upzyw6v9cs42.s3.eu-west-2.amazonaws.com/ecs-canary-deployment/template.yaml?versionId=RLuCcu0SXw5m6qJPl6LeqMrzYZEUR7Xp"
+      TemplateURL: "https://template-storage-templatebucket-1upzyw6v9cs42.s3.eu-west-2.amazonaws.com/ecs-canary-deployment/template.yaml?versionId=9vFjXAXebnhiAago1o4zhHXwEGHub7ps" # v2.0.2
       Parameters:
         ECSClusterName: !Ref CoreFrontCluster
         ECSServiceName: !GetAtt CoreFrontService.Name
         TargetGroupName: !GetAtt PrivateLoadBalancerListenerTargetGroupECS.TargetGroupName
         LoadBalancerListenerARN: !Ref PrivateLoadBalancerListener
-        LoadBalancerFullName: !GetAtt PrivateLoadBalancer.LoadBalancerFullName
         ECSServiceTaskDefinition: !Ref ECSServiceTaskDefinition
         DeploymentStrategy: !Ref DeploymentStrategy
         VpcId: !Sub ${VpcStackName}-VpcId
         ContainerName: app
         ContainerPort: 8080
-        ELB4XXAlarmThreshold: !FindInMap [ EnvironmentConfiguration, !Ref AWS::AccountId, lb400ErrorLimit ]
-        ELB5XXAlarmThreshold: !FindInMap [ EnvironmentConfiguration, !Ref AWS::AccountId, lb500ErrorLimit ]
+        CloudWatchAlarms: !Ref FrontTargetGroup5xxPercentErrors
+        # ELB4XXAlarmThreshold: !FindInMap [ EnvironmentConfiguration, !Ref AWS::AccountId, lb400ErrorLimit ]
+        # ELB5XXAlarmThreshold: !FindInMap [ EnvironmentConfiguration, !Ref AWS::AccountId, lb500ErrorLimit ]
         PermissionsBoundary: !If
           - UsePermissionsBoundary
           - !Ref PermissionsBoundary