APM 6720 ecr lifecycle policy

.github/actions/scan-secrets/action.yaml

@@ -0,0 +1,10 @@
+name: "Scan secrets"
+description: "Scan secrets"
+runs:
+  using: "composite"
+  steps:
+    - name: "Scan secrets"
+      shell: bash
+      run: |
+        # Please do not change this `check=whole-history` setting, as new patterns may be added or history may be rewritten.
+        check=whole-history ./scripts/githooks/scan-secrets.sh

.gitleaksignore

@@ -0,0 +1,3 @@
+# SEE: https://github.com/gitleaks/gitleaks/blob/master/README.md#gitleaksignore
+
+cd9c0efec38c5d63053dd865e5d4e207c0760d91:docs/guides/Perform_static_analysis.md:generic-api-key:37

README.md

@@ -16,7 +16,6 @@ https://nhsd-confluence.digital.nhs.uk/spaces/APM/pages/1226682275/Pipeline+Quer
 Note: Projects running Python version 3.13 or later do not need any pipeline modifications.
 
 
-
 ## Scripts
 * `template.py` - cli for basic jinja templating
 * `test_pull_request_deployments.py` - cli for testing utils against other repositories

ansible/Makefile

@@ -43,7 +43,12 @@ create-build-env-vars: guard-build_label guard-out_dir
 	@poetry run ansible-playbook -i local create-build-env-vars.yml
 
 deploy-ecs-proxies: guard-account guard-build_label guard-service_id guard-APIGEE_ENVIRONMENT guard-PROXY_VARS_FILE
-	@poetry run ansible-playbook -i local deploy-ecs-proxies.yml
+	@echo "MAKE DEBUG: use_ecs_tag=${use_ecs_tag}"
+	@poetry run ansible-playbook -i local deploy-ecs-proxies.yml \
+		-e "use_ecs_tag=${use_ecs_tag}"
+
+deploy-ecs-proxies-retag: guard-build_label guard-service_id guard-PROXY_VARS_FILE
+	@poetry run ansible-playbook -i local deploy-ecs-proxies-retag.yml
 
 deploy-apigee-proxy: guard-FULLY_QUALIFIED_SERVICE_NAME guard-SERVICE_BASE_PATH guard-APIGEE_ENVIRONMENT guard-APIGEE_ORGANIZATION guard-APIGEE_ACCESS_TOKEN guard-PROXY_DIR guard-PING
 	@poetry run ansible-playbook -i local deploy-apigee-proxy.yml

ansible/deploy-ecs-proxies-retag.yml

@@ -0,0 +1,30 @@
+- name: deploy ecs proxies retag
+  hosts: 127.0.0.1
+  connection: local
+  gather_facts: no
+
+  vars:
+    service_id: "{{ lookup('env','service_id') }}"
+    APIGEE_ENVIRONMENT: "{{ lookup('env','APIGEE_ENVIRONMENT') }}"
+    account:  "{{ lookup('env','account') }}"
+
+  pre_tasks:
+    - name: Show CONTAINER_VARS_FILE from environment
+      debug:
+        msg: "CONTAINER_VARS_FILE={{ lookup('env','CONTAINER_VARS_FILE') }}"
+
+    - name: include container vars
+      include_vars:
+        file: "{{ lookup('env', 'CONTAINER_VARS_FILE') | expandvars | expanduser | realpath }}"
+
+    - name: Debug docker_containers
+      debug:
+        var: docker_containers
+
+    - name: Debug containers
+      debug:
+        var: containers
+
+  roles:
+    - setup-facts
+    - deploy-ecs-proxies-retag

ansible/deploy-ecs-proxies.yml

@@ -43,6 +43,19 @@
       include_vars:
         file: "{{ lookup('env', 'PROXY_VARS_FILE') | expandvars | expanduser | realpath }}"
 
+    - name: load use_ecs_tag from environment
+      set_fact:
+        use_ecs_tag: "{{ lookup('env','use_ecs_tag') | default('false') }}"
+
+    - name: normalise use_ecs_tag to boolean
+      set_fact:
+        use_ecs_tag: "{{ use_ecs_tag | lower == 'true' }}"
+
+    - name: debug use_ecs_tag type
+      debug:
+        msg: "VALUEDEPLOYYAML={{ use_ecs_tag }} TYPE={{ use_ecs_tag | type_debug }}"
+
+
   roles:
     - setup-facts
     - deploy-ecs-proxies

ansible/ecr-lifecycle/ecr_lifecycle.json

@@ -0,0 +1,36 @@
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Keep the 6 most recent ECS deployment images tagged ecs- (release images)",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["ecs-"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 6
+      },
+      "action": { "type": "expire" }
+    },
+    {
+      "rulePriority": 2,
+      "description": "Never expire the 'latest' tag",
+      "selection": {
+        "tagStatus": "tagged",
+        "tagPrefixList": ["latest"],
+        "countType": "imageCountMoreThan",
+        "countNumber": 9999
+      },
+      "action": { "type": "expire" }
+    },
+    {
+      "rulePriority": 3,
+      "description": "Keep the 6 most recent build images (all tags)",
+      "selection": {
+        "tagStatus": "any",
+        "countType": "imageCountMoreThan",
+        "countNumber": 6
+      },
+      "action": { "type": "expire" }
+    }
+  ]
+}

ansible/roles/build-ecs-proxies/tasks/main.yml

@@ -30,6 +30,29 @@
   with_items: "{{ new_repos }}"
   when: new_repos
 
+# TO DO- Add back in once confirmed lifecycle policy to be applied to all new repos.
+
+# - name: Read lifecycle policy file
+#   ansible.builtin.slurp:
+#     src: "{{ playbook_dir }}/ecr-lifecycle/ecr_lifecycle.json"
+#   register: desired_policy_raw
+#   when: new_repos | length > 0
+
+# - name: Decode lifecycle policy JSON
+#   set_fact:
+#     desired_policy_json: "{{ desired_policy_raw.content | b64decode | from_json }}"
+#   when: new_repos | length > 0
+
+# - name: Apply lifecycle policy to each new repo
+#   ansible.builtin.command: >
+#     {{ aws_cmd }} ecr put-lifecycle-policy
+#     --repository-name {{ item }}
+#     --lifecycle-policy-text '{{ desired_policy_json | to_json }}'
+#   with_items: "{{ new_repos }}"
+#   register: lifecycle_update
+#   ignore_errors: yes
+#   when: new_repos | length > 0
+
 - name: ecr login
   shell: "eval $({{ aws_cmd }} ecr get-login --no-include-email)"
   changed_when: no

ansible/roles/create-api-deployment-pre-reqs/templates/terraform/iam.tf

@@ -69,6 +69,8 @@ data "aws_iam_policy_document" "ecs-execution-role" {
       "ecr:DescribeRepositories",
       "ecr:ListImages",
       "ecr:DescribeImages",
+      "ecr:GetLifecyclePolicy",
+      "ecr:PutLifecyclePolicy",
       "s3:GetObject"
     ]
 
@@ -173,6 +175,18 @@ data "aws_iam_policy_document" "deploy-user" {
 
   }
 
+  statement {
+    actions = [
+      "ecr:GetLifecyclePolicy",
+      "ecr:PutLifecyclePolicy"
+    ]
+
+    resources = [
+      "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}",
+      "arn:aws:ecr:${local.region}:${local.account_id}:repository/${var.service_id}_*"
+    ]
+  }
+
   statement {
     actions = [
       "s3:ListBucket",

ansible/roles/create-ecr-build-role/vars/main.yml

@@ -44,6 +44,7 @@ aws_ecs_policy:
         - "ecr:StartImageScan"
         - "ecr:StartLifecyclePolicyPreview"
         - "ecr:UploadLayerPart"
+        - "ecr:PutLifecyclePolicy"
       Resource: [
         "arn:aws:ecr:{{ aws_region }}:{{ aws_account_id }}:repository/{{ service_id }}_*"
       ]

ansible/roles/deploy-ecs-proxies-retag/tasks/main.yml

@@ -0,0 +1,95 @@
+- name: Ensure docker_containers is loaded
+  include_vars:
+    file: "{{ lookup('env', 'CONTAINER_VARS_FILE') }}"
+  when: docker_containers is not defined
+
+- name: Debug docker_containers (retag role)
+  debug:
+    var: docker_containers
+
+- name: Debug containers (retag role)
+  debug:
+    var: containers
+
+- name: Debug repo_names (retag role)
+  debug:
+    var: repo_names
+
+- name: Login to ECR
+  shell: >
+    {{ aws_cmd }} ecr get-login-password --region {{ aws_region }}
+    | docker login --username AWS --password-stdin {{ ecr_registry }}
+
+- name: Debug pulling image
+  debug:
+    msg: "Pulling {{ ecr_registry }}/{{ item }}:{{ build_label }}"
+  loop: "{{ repo_names }}"
+  loop_control:
+    label: "{{ item }}"
+
+- name: Pull existing image
+  ansible.builtin.command:
+    cmd: >
+      docker pull {{ ecr_registry }}/{{ item }}:{{ build_label }}
+  loop: "{{ repo_names }}"
+  loop_control:
+    label: "{{ item }}"
+  register: pull_results
+
+- name: Debug retagging image
+  debug:
+    msg: "Retagging {{ item.item }}:{{ build_label }} → ecs-{{ build_label }}"
+  loop: "{{ pull_results.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc == 0
+    - item.item == "canary_canary-api"
+
+- name: Retag image
+  ansible.builtin.command:
+    cmd: >
+      docker tag
+      {{ ecr_registry }}/{{ item.item }}:{{ build_label }}
+      {{ ecr_registry }}/{{ item.item }}:ecs-{{ build_label }}
+  loop: "{{ pull_results.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc == 0
+    - item.item == "canary_canary-api"
+
+- name: Debug pushing image
+  debug:
+    msg: "Pushing ecs-{{ build_label }} for {{ item.item }}"
+  loop: "{{ pull_results.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc == 0
+    - item.item == "canary_canary-api"
+
+- name: Push new tag
+  ansible.builtin.command:
+    cmd: >
+      docker push {{ ecr_registry }}/{{ item.item }}:ecs-{{ build_label }}
+  loop: "{{ pull_results.results }}"
+  loop_control:
+    label: "{{ item.item }}"
+  when:
+    - item.rc == 0
+    - item.item == "canary_canary-api"
+
+# - name: Delete old tag from ECR
+#   ansible.builtin.command:
+#     cmd: >
+#       aws ecr batch-delete-image
+#       --repository-name {{ item.item }}
+#       --image-ids imageTag={{ build_label }}
+#       --region {{ aws_region }}
+#   loop: "{{ pull_results.results }}"
+#   loop_control:
+#     label: "{{ item.item }}"
+#   when:
+#     - item.rc == 0
+#     - item.item == "canary_canary-api"

ansible/roles/deploy-ecs-proxies-retag/vars/main.yml

@@ -0,0 +1,6 @@
+---
+build_label: "{{ lookup('env', 'build_label') }}"
+containers: "{{ docker_containers | json_query('[].name') | unique | sort }}"
+repo_names: "{{ containers | map('regex_replace', '^(.*)$', service_id + '_\\1') | list }}"
+base_dir: "{{ playbook_dir }}/../.."
+

ansible/roles/deploy-ecs-proxies/tasks/main.yml

@@ -71,14 +71,23 @@
       with_filetree: "{{ '../templates' }}"
       when: item.state == 'file'
 
+    - name: debug use_ecs_tag before terraform
+      debug:
+        msg: "ANSIBLE: use_ecs_tag={{ use_ecs_tag }} TF_VAR_use_ecs_tag={{ use_ecs_tag | ternary('true','false') }}"
+
     - name: terraform plan
-      shell: "make -C {{ out_dir }}/terraform clean plan args='-no-color -lock-timeout=30m -out tfplan.out'" # noqa 305
+      shell: "TF_VAR_use_ecs_tag={{ use_ecs_tag | ternary('true','false') }} make -C {{ out_dir }}/terraform clean plan args='-no-color -lock-timeout=30m -out tfplan.out'" # noqa 305
       register: tfplan
       failed_when: tfplan.rc not in (0, 2)
       when: not do_not_terraform
 
+    - name: print full terraform plan output (lines)
+      debug:
+        var: tfplan.stdout_lines
+      when: tfplan is defined
+
     - name: terraform apply
-      shell: "make -C {{ out_dir }}/terraform apply-plan args='-no-color -lock-timeout=30m --auto-approve tfplan.out'" # noqa 305
+      shell: "TF_VAR_use_ecs_tag={{ use_ecs_tag | ternary('true','false') }} make -C {{ out_dir }}/terraform apply-plan args='-no-color -lock-timeout=30m --auto-approve tfplan.out'" # noqa 305
       register: tfapply
       when: not do_not_terraform
 

ansible/roles/deploy-ecs-proxies/templates/terraform/locals.tf

@@ -43,18 +43,41 @@ locals {
 
   }
 
-  ecs_service = [
-  {% for container in ecs_service %}
-    {{
-        (
-          container
-          | combine(
-            {'image': '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/' + service_id + '_' + container.name + ':' + build_label }
+ecs_service = [
+{% for container in ecs_service %}
+
+  # DEBUG: print the boolean value Jinja sees
+  {% if use_ecs_tag %}
+    {% set _ = print("DEBUG: use_ecs_tag = TRUE") %}
+  {% else %}
+    {% set _ = print("DEBUG: use_ecs_tag = FALSE") %}
+  {% endif %}
+
+  {% set image_tag = (
+        '${local.account_id}.dkr.ecr.eu-west-2.amazonaws.com/'
+        + service_id + '_' + container.name
+        + (
+            ":ecs-" + build_label
+            if use_ecs_tag and container.name == "canary-api"
+            else ":" + build_label
           )
-        ) | to_json
-    }},
-  {% endfor %}
-  ]
+    )
+  %}
+
+
+  {{
+      (
+        container
+        | combine(
+          {
+            'image': image_tag
+          }
+        )
+      ) | to_json
+  }},
+
+{% endfor %}
+]
 
   exposed_service = element(matchkeys(local.ecs_service, local.ecs_service.*.expose, list(true)), 0)
 

ansible/roles/deploy-ecs-proxies/templates/terraform/variables.tf

@@ -71,4 +71,9 @@ variable "autoscaling_scale_out_cooldown" {
 
 variable "deregistration_delay" {
   type = number
+}
+
+variable "use_ecs_tag" {
+  type = bool
+  description = "Whether to use ecs- prefixed tag for canary-api"
 }