Commit summarizing all changes

Author: CLJ2006

.github/actions/scan-secrets/action.yaml

@@ -0,0 +1,10 @@
+name: "Scan secrets"
+description: "Scan secrets"
+runs:
+  using: "composite"
+  steps:
+    - name: "Scan secrets"
+      shell: bash
+      run: |
+        # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten.
+        check=whole-history ./scripts/githooks/scan-secrets.sh

.gitleaksignore

@@ -0,0 +1,3 @@
+# SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
+
+cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37

README.md

@@ -16,7 +16,6 @@ https://nhsd-confluence.digital.nhs.uk/spaces/APM/pages/1226682275/Pipeline+Quer
 Note: Projects running Python version 3.13 or later do not need any pipeline modifications.
 
 
-
 ## Scripts
 * `template.py` - cli for basic jinja templating
 * `test_pull_request_deployments.py` - cli for testing utils against other repositories

ansible/Makefile

@@ -43,7 +43,12 @@ create-build-env-vars: guard-build_label guard-out_dir
 	@poetry run ansible-playbook -i local create-build-env-vars.yml
 
 deploy-ecs-proxies: guard-account guard-build_label guard-service_id guard-APIGEE_ENVIRONMENT guard-PROXY_VARS_FILE
-	@poetry run ansible-playbook -i local deploy-ecs-proxies.yml
+	@echo "MAKE DEBUG: use_ecs_tag=${use_ecs_tag}"
+	@poetry run ansible-playbook -i local deploy-ecs-proxies.yml \
+		-e "use_ecs_tag=${use_ecs_tag}"
+
+deploy-ecs-proxies-retag: guard-build_label guard-service_id guard-PROXY_VARS_FILE
+	@poetry run ansible-playbook -i local deploy-ecs-proxies-retag.yml
 
 deploy-apigee-proxy: guard-FULLY_QUALIFIED_SERVICE_NAME guard-SERVICE_BASE_PATH guard-APIGEE_ENVIRONMENT guard-APIGEE_ORGANIZATION guard-APIGEE_ACCESS_TOKEN guard-PROXY_DIR guard-PING
 	@poetry run ansible-playbook -i local deploy-apigee-proxy.yml

ansible/deploy-ecs-proxies-retag.yml

@@ -0,0 +1,30 @@
+- name: deploy ecs proxies retag
+  hosts: 127.0.0.1
+  connection: local
+  gather_facts: no
+
+  vars:
+    service_id: "{{ lookup('env','service_id') }}"
+    APIGEE_ENVIRONMENT: "{{ lookup('env','APIGEE_ENVIRONMENT') }}"
+    account:  "{{ lookup('env','account') }}"
+
+  pre_tasks:
+    - name: Show CONTAINER_VARS_FILE from environment
+      debug:
+        msg: "CONTAINER_VARS_FILE={{ lookup('env','CONTAINER_VARS_FILE') }}"
+
+    - name: include container vars
+      include_vars:
+        file: "{{ lookup('env', 'CONTAINER_VARS_FILE') | expandvars | expanduser | realpath }}"
+    
+    - name: Debug docker_containers
+      debug:
+        var: docker_containers
+
+    - name: Debug containers
+      debug:
+        var: containers
+
+  roles:
+    - setup-facts
+    - deploy-ecs-proxies-retag

ansible/deploy-ecs-proxies.yml

@@ -43,6 +43,19 @@
       include_vars:
         file: "{{ lookup('env', 'PROXY_VARS_FILE') | expandvars | expanduser | realpath }}"
 
+    - name: load use_ecs_tag from environment
+      set_fact:
+        use_ecs_tag: "{{ lookup('env','use_ecs_tag') | default('false') }}"
+
+    - name: normalise use_ecs_tag to boolean
+      set_fact:
+        use_ecs_tag: "{{ use_ecs_tag | lower == 'true' }}"
+
+    - name: debug use_ecs_tag type
+      debug:
+        msg: "VALUEDEPLOYYAML={{ use_ecs_tag }} TYPE={{ use_ecs_tag | type_debug }}"
+
+
   roles:
     - setup-facts
     - deploy-ecs-proxies

ansible/ecr-lifecycle/ecr_lifecycle.json

@@ -0,0 +1,36 @@
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Keep the 6 most recent ECS deployment images tagged ecs- (release images)",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["ecs-"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 6
+      },
+      "action": { "type": "expire" }
+    },
+    {
+      "rulePriority": 2,
+      "description": "Never expire the 'latest' tag",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["latest"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 9999
+      },
+      "action": { "type": "expire" }
+    },
+    {
+      "rulePriority": 3,
+      "description": "Keep the 6 most recent build images (all tags)",
+      "selection": {
+        "tagStatus": "any",
+        "countType": "imageCountMoreThan",
+        "countNumber": 6
+      },
+      "action": { "type": "expire" }
+    }
+  ]
+}

ansible/roles/build-ecs-proxies/tasks/main.yml

@@ -30,6 +30,29 @@
   with_items: "{{ new_repos }}"
   when: new_repos
 
+# TO DO- Add back in once confirmed lifecycle policy to be applied to all new repos.
+
+# - name: Read lifecycle policy file
+#   ansible.builtin.slurp:
+#     src: "{{ playbook_dir }}/ecr-lifecycle/ecr_lifecycle.json"
+#   register: desired_policy_raw
+#   when: new_repos | length > 0
+
+# - name: Decode lifecycle policy JSON
+#   set_fact:
+#     desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}"
+#   when: new_repos | length > 0
+
+# - name: Apply lifecycle policy to each new repo
+#   ansible.builtin.command: >
+#     {{ aws_cmd }} ecr put-lifecycle-policy
+#     --repository-name {{ item }}
+#     --lifecycle-policy-text '{{ desired_policy_json | to_json }}'
+#   with_items: "{{ new_repos }}"
+#   register: lifecycle_update
+#   ignore_errors: yes
+#   when: new_repos | length > 0
+
 - name: ecr login
   shell: "eval $({{ aws_cmd }} ecr get-login --no-include-email)"
   changed_when: no

ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf

@@ -69,6 +69,8 @@ data "aws_iam_policy_document" "ecs-execution-role" {
       "ecr:DescribeRepositories",
       "ecr:ListImages",
       "ecr:DescribeImages",
+      "ecr:GetLifecyclePolicy",
+      "ecr:PutLifecyclePolicy",
       "s3:GetObject"
     ]
 
@@ -173,6 +175,18 @@ data "aws_iam_policy_document" "deploy-user" {
 
   }
 
+  statement {
+    actions = [
+      "ecr:GetLifecyclePolicy",
+      "ecr:PutLifecyclePolicy"
+    ]
+
+    resources = [
+      "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}",
+      "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}_*"
+    ]
+  }
+
   statement {
     actions = [
       "s3:ListBucket",

ansible/roles/create-ecr-build-role/vars/main.yml

@@ -44,6 +44,7 @@ aws_ecs_policy:
         - "ecr:StartImageScan"
         - "ecr:StartLifecyclePolicyPreview"
         - "ecr:UploadLayerPart"
+        - "ecr:PutLifecyclePolicy"
       Resource: [
         "arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/{{ service_id }}_*"
       ]