Concourse prod (#36)

* add dynamic envs to set_pipeline.bash

* add ci_prod and ci_dev

* hide secrets

* setup releases

* check if tag contains HEAD

* add cd ..

* update file path

* remove cd ..

* echo tag

* test different string

* use tag file instead

* correct file path

* echo tag

* version tag in build image file

* add x to pipefail

* test silly string

* update set_pipeline to use hyphen

* generalise bash scripts between dev and prod

* add podman to assume_role

* verify caller identiy

* check caller identity on build image

* generalise terraform_infra.bash between dev and prod

* merge prod and dev into one file

* re

* fish conditional

* Revert "fish conditional"

This reverts commit bfb5c13.

* fix conditional on concourse-prod

* change to .sh

* update README

Author: delterr

README.md

@@ -244,18 +244,20 @@ AWS Secrets Manager so you do not need to set up anything yourself.
 
 To set the pipeline, run the following script:
 ```bash
-chmod u+x ./concourse/scripts/set_pipeline.bash
-./concourse/scripts/set_pipeline.bash KEH-TAT-UI
+chmod u+x ./concourse/scripts/set_pipeline.sh
+./concourse/scripts/set_pipeline.sh KEH-TAT-UI
 ```
 Note that you only have to run chmod the first time running the script in order to give permissions.
 This script will set the branch and pipeline name to whatever branch you are currently on. It will also set the image tag on ECR to the current commit hash at the time of setting the pipeline.
 
 The pipeline name itself will usually follow a pattern as follows: `<repo-name>-<branch-name>`
 If you wish to set a pipeline for another branch without checking out, you can run the following:
 ```bash
-./concourse/scripts/set_pipeline.bash KEH-TAT-UI <branch_name>
+./concourse/scripts/set_pipeline.sh KEH-TAT-UI <branch_name>
 ```
 
+If the branch you are deploying is "main" or "master", it will trigger a deployment to the sdp-prod environment. To set the ECR image tag, you must draft a Github release pointing to the latest release of the main/master branch that has a tag in the form of vX.Y.Z. Drafting up a release will automatically deploy the latest version of the main/master branch with the associated release tag, but you can also manually trigger a build through the Concourse UI or the terminal prompt.
+
 #### Triggering a pipeline
 Once the pipeline has been set, you can manually trigger a build on the Concourse UI, or run the following command:
 ```bash

concourse/ci.yml

@@ -3,15 +3,24 @@ resources:
   type: git
   icon: github
   source:
-    uri: https://github.com/ONS-Innovation/keh-tech-audit-tool.git
+    uri: https://github.com/ONS-Innovation/keh-tech-audit-tool
     branch: ((branch))
 
+- name: release
+  type: github-release
+  icon: github
+  source:
+    owner: ONS-Innovation
+    repository: keh-tech-audit-tool
+
 jobs:
 - name:  build-and-push
   public: true
   plan:
   - get: resource-repo
-    trigger: false
+    timeout: 5m
+  - get: release
+    trigger: true
     timeout: 5m
   - task: build-image
     privileged: true
@@ -23,21 +32,27 @@ jobs:
           repository: hashicorp/terraform
       inputs:
       - name: resource-repo
+      - name: release
       params:
-        aws_account_id: ((aws_account_sdp_dev))
-        aws_role_arn: arn:aws:iam::((aws_account_sdp_dev)):role/sdp-concourse-dev
-        tag: ((tag))
+        aws_account_id: ((aws_account_sdp_((env))))
+        aws_role_arn: arn:aws:iam::((aws_account_sdp_((env)))):role/sdp-concourse-((env))
+        tat_secrets_ui: ((sdp_((env))_secrets_tat_ui))
       run: # binary used to build the image
         path: sh
         args:
         - -cx
         - |
-          chmod u+x ./resource-repo/concourse/scripts/assume_role.bash
-          chmod u+x ./resource-repo/concourse/scripts/build_image.bash
-          source ./resource-repo/concourse/scripts/assume_role.bash
-          ./resource-repo/concourse/scripts/build_image.bash
+          if [[ "((env))" == "prod" ]]; then
+            export tag=v$(cat release/version)
+          else
+            export tag=((tag))
+          fi
+          git rev-parse --abbrev-ref HEAD
+          chmod u+x ./resource-repo/concourse/scripts/assume_role.sh
+          chmod u+x ./resource-repo/concourse/scripts/build_image.sh
+          source ./resource-repo/concourse/scripts/assume_role.sh
+          ./resource-repo/concourse/scripts/build_image.sh
     timeout: 10m
-
   - task: terraform
     privileged: true
     config:
@@ -47,12 +62,22 @@ jobs:
         source: {repository: hashicorp/terraform}
       inputs:
       - name: resource-repo
+      - name: release
       params:
-        tat_secrets_ui: ((sdp_dev_secrets_tat_ui))
+        tat_secrets_ui: ((sdp_((env))_secrets_tat_ui))
         github_access_token: ((github_access_token))
-        tag: ((tag))
       run:
         path: sh
-        args: ["./resource-repo/concourse/scripts/terraform_infra.bash"]
+        args:
+        - -cx
+        - |
+          if [[ "((env))" == "prod" ]]; then
+            export tag=v$(cat release/version)
+          else 
+            export tag=((tag))
+          fi
+          chmod u+x ./resource-repo/concourse/scripts/terraform_infra.sh
+          export env=((env))
+          ./resource-repo/concourse/scripts/terraform_infra.sh
     timeout: 30m
-          
+            

concourse/scripts/assume_role.bash renamed to concourse/scripts/assume_role.sh

@@ -1,13 +1,14 @@
 set -euo pipefail
 
-apk add --no-cache aws-cli podman
+apk add --no-cache aws-cli podman jq
 
 aws sts assume-role --output text \
     --role-arn "${aws_role_arn}" \
     --role-session-name concourse-pipeline-run \
     --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \
     | awk -F '\t' '{print $1 > ("AccessKeyId")}{print $2 > ("SecretAccessKey")}{print $3 > ("SessionToken")}'
 
+
 export AWS_ACCESS_KEY_ID="$(cat AccessKeyId)"
 export AWS_SECRET_ACCESS_KEY="$(cat SecretAccessKey)"
 export AWS_SESSION_TOKEN="$(cat SessionToken)"

concourse/scripts/build_image.bash

@@ -0,0 +1,14 @@
+set -euo pipefail
+
+export STORAGE_DRIVER=vfs
+export PODMAN_SYSTEMD_UNIT=concourse-task
+
+container_image=$(echo "$tat_secrets_ui" | jq -r .container_image)
+
+aws ecr get-login-password --region eu-west-2 | podman --storage-driver=vfs login --username AWS --password-stdin ${aws_account_id}.dkr.ecr.eu-west-2.amazonaws.com
+
+podman build -t ${container_image}:${tag} resource-repo
+
+podman tag ${container_image}:${tag} ${aws_account_id}.dkr.ecr.eu-west-2.amazonaws.com/${container_image}:${tag}
+
+podman push ${aws_account_id}.dkr.ecr.eu-west-2.amazonaws.com/${container_image}:${tag}

concourse/scripts/build_image.sh

@@ -1,4 +1,3 @@
-tag=$(git rev-parse HEAD)
 repo_name=${1}
 
 if [[ $# -gt 1 ]]; then
@@ -12,4 +11,17 @@ else
     branch=$(git rev-parse --abbrev-ref HEAD)
 fi
 
-fly -t aws-sdp set-pipeline -c concourse/ci.yml -p ${repo_name}-${branch} -v branch=${branch} -v tag=${tag}
+if [[ ${branch} == "main" || ${branch} == "master" ]]; then
+    env="prod"
+else
+    env="dev"
+fi
+
+if [[ ${env} == "dev" ]]; then
+    tag=$(git rev-parse HEAD)
+else
+    tag=$(git tag | tail -n 1)
+fi
+
+fly -t aws-sdp set-pipeline -c concourse/ci.yml -p ${repo_name}-${branch} -v branch=${branch} -v tag=${tag} -v env=${env}
+

concourse/scripts/set_pipeline.bash renamed to concourse/scripts/set_pipeline.sh

@@ -24,8 +24,12 @@ export AWS_SECRET_ACCESS_KEY=$aws_secret_access_key
 
 git config --global url."https://x-access-token:$github_access_token@github.com/".insteadOf "https://github.com/"
 
+if [[ ${env} != "prod" ]]; then
+    env="dev"
+fi
+
 cd resource-repo/terraform/service
-terraform init -backend-config=env/dev/backend-dev.tfbackend -reconfigure
+terraform init -backend-config=env/${env}/backend-${env}.tfbackend -reconfigure
 terraform apply \
 -var "aws_account_id=$aws_account_id" \
 -var "aws_access_key_id=$aws_access_key_id" \