HHS · coilysiren · Feb 19, 2025 · Feb 19, 2025 · Feb 19, 2025 · Feb 19, 2025
@@ -1,19 +1,59 @@
 name: "Configure AWS Credentials"
-description: "Configure AWS Credentials for a given application and |
-  environment so that the GitHub Actions workflow can access AWS resources. |
+description: "Configure AWS Credentials for an AWS account so that |
+  the GitHub Actions workflow can access AWS resources. |
   This is a wrapper around https://github.com/aws-actions/configure-aws-credentials |
-  that first determines the account, role, and region based on the |
-  account_names_by_environment configuration in app-config"
+  that first determines the account, role, and region. |
+  Chose one of the following three authentication options: |
+  1. Authenticate by account_name |
+  2. Authenticate by network_name |
+  3. Authenticate by app_name and environment."
 inputs:
+  account_name:
+    description: "Name of account, must match <ACCOUNT_NAME> in <ACCOUNT_NAME>.<ACCOUNT_ID>.s3.tfbackend file in /infra/accounts"
+  network_name:
+    description: "Name of network, must match <NETWORK_NAME> in <NETWORK_NAME>.s3.tfbackend file in /infra/networks"
   app_name:
     description: "Name of application folder under /infra"
     required: true
   environment:
     description: 'Name of environment (dev, staging, prod) that AWS resources live in, or "shared" for resources that are shared across environments'
-    required: true
 runs:
   using: "composite"
   steps:
+    - name: Get network name from app and environment
+      id: get-network-name
+      if: ${{ inputs.app_name && inputs.environment }}
+      run: |
+        echo "Get network name for app_name=${{ inputs.app_name }} and environment=${{ inputs.environment }}"
+
+        terraform -chdir="infra/${{ inputs.app_name }}/app-config" init > /dev/null
+        terraform -chdir="infra/${{ inputs.app_name }}/app-config" apply -auto-approve > /dev/null
+
+        if [[ "${{ inputs.environment }}" == "shared" ]]; then
+          network_name=$(terraform -chdir="infra/${{ inputs.app_name }}/app-config" output -raw shared_network_name)
+        else
+          network_name=$(terraform -chdir="infra/${{ inputs.app_name }}/app-config" output -json environment_configs | jq -r ".${{ inputs.environment }}.network_name")
+        fi
+
+        echo "Network name retrieved: ${network_name}"
+        echo "network_name=${network_name}" >> "$GITHUB_OUTPUT"
+      shell: bash
+
+    - name: Get account name from network
+      id: get-account-name
+      if: ${{ inputs.network_name || steps.get-network-name.outputs.network_name }}
+      run: |
+        network_name="${{ inputs.network_name || steps.get-network-name.outputs.network_name }}"
+        echo "Get account name for network: ${network_name}"
+
+        terraform -chdir="infra/project-config" init > /dev/null
+        terraform -chdir="infra/project-config" apply -auto-approve > /dev/null
+        account_name=$(terraform -chdir="infra/project-config" output -json network_configs | jq -r ".[\"${network_name}\"].account_name")
+
+        echo "Account name retrieved: ${account_name}"
+        echo "account_name=${account_name}" >> "$GITHUB_OUTPUT"
+      shell: bash
+
     - name: Get AWS account authentication details (AWS account, IAM role, AWS region)
       env:
         TF_LOG: INFO
@@ -24,34 +64,31 @@ runs:
 
         echo "::group::AWS account authentication details"
 
-        terraform -chdir=infra/project-config init > /dev/null
-        terraform -chdir=infra/project-config apply -auto-approve > /dev/null
-        AWS_REGION=$(terraform -chdir=infra/project-config output -raw default_region)
-        echo "AWS_REGION=$AWS_REGION"
-        GITHUB_ACTIONS_ROLE_NAME=$(terraform -chdir=infra/project-config output -raw github_actions_role_name)
-        echo "GITHUB_ACTIONS_ROLE_NAME=$GITHUB_ACTIONS_ROLE_NAME"
+        account_name="${{ inputs.account_name || steps.get-account-name.outputs.account_name }}"
 
-        terraform -chdir=infra/${{ inputs.app_name }}/app-config init > /dev/null
-        terraform -chdir=infra/${{ inputs.app_name }}/app-config apply -auto-approve > /dev/null
-        ACCOUNT_NAME=$(terraform -chdir=infra/${{ inputs.app_name }}/app-config output -json account_names_by_environment | jq -r .${{ inputs.environment }})
-        echo "ACCOUNT_NAME=$ACCOUNT_NAME"
+        terraform -chdir="infra/project-config" init > /dev/null
+        terraform -chdir="infra/project-config" apply -auto-approve > /dev/null
+        aws_region=$(terraform -chdir="infra/project-config" output -raw default_region)
+        echo "aws_region=${aws_region}"
+        github_actions_role_name=$(terraform -chdir="infra/project-config" output -raw github_actions_role_name)
+        echo "github_actions_role_name=${github_actions_role_name}"
 
         # Get the account id associated with the account name extracting the
         # ACCOUNT_ID part of the tfbackend file name which looks like
         # <ACCOUNT_NAME>.<ACCOUNT_ID>.s3.tfbackend.
-        # The cut command splits the string with period as the delimeter and
+        # The cut command splits the string with period as the delimiter and
         # extracts the second field.
-        ACCOUNT_ID=$(ls infra/accounts/$ACCOUNT_NAME.*.s3.tfbackend | cut -d. -f2)
-        echo "ACCOUNT_ID=$ACCOUNT_ID"
+        account_id=$(ls infra/accounts/${account_name}.*.s3.tfbackend | cut -d. -f2)
+        echo "account_id=${account_id}"
 
-        AWS_ROLE_TO_ASSUME=arn:aws:iam::$ACCOUNT_ID:role/$GITHUB_ACTIONS_ROLE_NAME
-        echo "AWS_ROLE_TO_ASSUME=$AWS_ROLE_TO_ASSUME"
+        aws_role_to_assume="arn:aws:iam::${account_id}:role/${github_actions_role_name}"
+        echo "aws_role_to_assume=${aws_role_to_assume}"
 
         echo "::endgroup::"
 
         echo "Setting env vars AWS_ROLE_TO_ASSUME and AWS_REGION..."
-        echo "AWS_ROLE_TO_ASSUME=$AWS_ROLE_TO_ASSUME" >> "$GITHUB_ENV"
-        echo "AWS_REGION=$AWS_REGION" >> "$GITHUB_ENV"
+        echo "AWS_ROLE_TO_ASSUME=${aws_role_to_assume}" >> "$GITHUB_ENV"
+        echo "AWS_REGION=${aws_region}" >> "$GITHUB_ENV"
       shell: bash
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4

@@ -11,6 +11,10 @@ Each app should have:
 - `ci-[app_name]`: must be created; should run linting and testing
 - `ci-[app_name]-vulnerability-scans`: calls `vulnerability-scans`
   - Based on [ci-app-vulnerability-scans](https://github.com/navapbc/template-infra/blob/main/.github/workflows/ci-app-vulnerability-scans.yml)
+- `ci-[app_name]-pr-environment-checks.yml`: calls `pr-environment-checks.yml` to create or update a pull request environment (see [pull request environments](/docs/infra/pull-request-environments.md))
+  - Based on [ci-app-pr-environment-checks.yml](/.github/workflows/ci-app-pr-environment-checks.yml)
+- `ci-[app_name]-pr-environment-destroy.yml`: calls `pr-environment-destroy.yml` to destroy the pull request environment (see [pull request environments](/docs/infra/pull-request-environments.md))
+  - Based on [ci-app-pr-environment-destroy.yml](https://github.com/navapbc/template-infra/blob/main/.github/workflows/ci-app-pr-environment-destroy.yml)
 
 ### App-agnostic workflows
 
@@ -44,4 +48,3 @@ graph TD
 ## ⛑️ Helper workflows
 
 - [`check-ci-cd-auth`](./check-ci-cd-auth.yml): verifes that the project's Github repo is able to connect to AWS
-
@@ -1,5 +1,5 @@
 name: Deploy Analytics
-run-name: Deploy ${{ github.ref_name }} to Analytics ${{ inputs.environment || (github.event_name == 'release' && 'prod') || 'nonprod'}}
+run-name: Deploy ${{ inputs.version || 'main' }} to Analytics ${{ inputs.environment || (github.event_name == 'release' && 'prod') || 'nonprod' }}
 
 on:
   push:
@@ -13,7 +13,7 @@ on:
   workflow_dispatch:
     inputs:
       environment:
-        description: "target environment"
+        description: Environment to deploy to
         required: true
         default: "dev"
         type: choice

@@ -1,5 +1,5 @@
 name: Deploy API
-run-name: Deploy ${{ github.ref_name }} to API ${{ inputs.environment || (github.event_name == 'release' && 'prod') || 'nonprod' }}
+run-name: Deploy ${{ inputs.version || 'main' }} to API ${{ inputs.environment || (github.event_name == 'release' && 'prod') || 'nonprod' }}
 
 on:
   push:
@@ -13,7 +13,7 @@ on:
   workflow_dispatch:
     inputs:
       environment:
-        description: "target environment"
+        description: Environment to deploy to
         required: true
         default: "dev"
         type: choice

@@ -1,5 +1,5 @@
-name: Deploy Frontend
-run-name: Deploy ${{ github.ref_name }} to Frontend ${{ inputs.environment || (github.event_name == 'release' && 'prod') || 'nonprod' }}
+name: Deploy frontend
+run-name: Deploy ${{ inputs.version || 'main' }} to Frontend ${{ inputs.environment || (github.event_name == 'release' && 'prod') || 'nonprod' }}
 
 on:
   push:
@@ -13,7 +13,7 @@ on:
   workflow_dispatch:
     inputs:
       environment:
-        description: "target environment"
+        description: Environment to deploy to
         required: true
         default: "dev"
         type: choice

@@ -0,0 +1,72 @@
+# This workflow checks the status of infrastructure deployments to see whether
+# infrastructure code configuration matches the actual state of the infrastructure.
+# It does this by checking that Terraform plans show an empty diff (no changes)
+# across all root modules and backend configurations.
+name: Check infra deploy status
+
+on:
+  workflow_dispatch:
+  schedule:
+    # Run every day at 07:00 UTC (3am ET, 12am PT) after engineers are likely done with work
+    - cron: "0 7 * * *"
+
+jobs:
+  collect-configs:
+    name: Collect configs
+    runs-on: ubuntu-latest
+    outputs:
+      root_module_configs: ${{ steps.collect-infra-deploy-status-check-configs.outputs.root_module_configs }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Collect root module configurations
+        id: collect-infra-deploy-status-check-configs
+        run: |
+          root_module_configs="$(./bin/infra-deploy-status-check-configs)"
+          echo "${root_module_configs}"
+          echo "root_module_configs=${root_module_configs}" >> "$GITHUB_OUTPUT"
+  check:
+    name: ${{ matrix.root_module_subdir }} ${{ matrix.backend_config_name }}
+    runs-on: ubuntu-latest
+    needs: collect-configs
+
+    # Skip this job if there are no root module configurations to check,
+    # otherwise the GitHub actions will give the error: "Matrix must define at least one vector"
+    if: ${{ needs.collect-configs.outputs.root_module_configs != '[]' }}
+
+    strategy:
+      fail-fast: false
+      matrix:
+        include: ${{ fromJson(needs.collect-configs.outputs.root_module_configs) }}
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.8.3
+          terraform_wrapper: false
+
+      - name: Configure AWS credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          account_name: ${{ matrix.infra_layer == 'accounts' && matrix.account_name || null }}
+          network_name: ${{ matrix.infra_layer == 'networks' && matrix.backend_config_name || null }}
+          app_name: ${{ contains(fromJSON('["build-repository", "database", "service"]'), matrix.infra_layer) && matrix.app_name || null }}
+          environment: ${{ contains(fromJSON('["build-repository", "database", "service"]'), matrix.infra_layer) && matrix.backend_config_name || null }}
+
+      - name: Check Terraform plan
+        run: |
+          echo "::group::Initialize Terraform"
+          echo terraform -chdir="infra/${{ matrix.root_module_subdir }}" init -input=false -reconfigure -backend-config="${{ matrix.backend_config_name }}.s3.tfbackend"
+          terraform -chdir="infra/${{ matrix.root_module_subdir }}" init -input=false -reconfigure -backend-config="${{ matrix.backend_config_name }}.s3.tfbackend"
+          echo "::endgroup::"
+
+          echo "::group::Check Terraform plan"
+          echo terraform -chdir="infra/${{ matrix.root_module_subdir }}" plan -input=false -detailed-exitcode ${{ matrix.extra_params }}
+          terraform -chdir="infra/${{ matrix.root_module_subdir }}" plan -input=false -detailed-exitcode ${{ matrix.extra_params }}
+          echo "::endgroup::"
+        env:
+          TF_IN_AUTOMATION: "true"
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: platform-cli-migration/v0.10.0
+_commit: platform-cli-migration/v0.13.0
 _src_path: https://github.com/navapbc/template-infra
 app_name: analytics
 template: app
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: platform-cli-migration/v0.10.0
+_commit: platform-cli-migration/v0.13.0
 _src_path: https://github.com/navapbc/template-infra
 app_name: api
 template: app
@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier
-_commit: platform-cli-migration/v0.10.0
+_commit: platform-cli-migration/v0.13.0
 _src_path: https://github.com/navapbc/template-infra
 app_name: frontend
 template: app
@@ -1,4 +1,4 @@
 # Changes here will be overwritten by Copier
-_commit: platform-cli-migration/v0.10.0
+_commit: platform-cli-migration/v0.13.0
 _src_path: https://github.com/navapbc/template-infra
 template: base
@@ -27,6 +27,15 @@ __check_defined = \
 
 
 .PHONY : \
+	e2e-build \
+	e2e-clean-report \
+	e2e-delete-image \
+	e2e-merge-reports \
+	e2e-setup-ci \
+	e2e-setup-native \
+	e2e-show-report \
+	e2e-test \
+	e2e-test-native \
 	help \
 	infra-check-app-database-roles \
 	infra-check-compliance-checkov \
@@ -43,6 +52,7 @@ __check_defined = \
 	infra-lint-scripts \
 	infra-lint-terraform \
 	infra-lint-workflows \
+	infra-module-database-role-manager \
 	infra-set-up-account \
 	infra-test-service \
 	infra-update-app-build-repository \
@@ -59,7 +69,59 @@ __check_defined = \
 	release-publish \
 	release-run-database-migrations
 
-
+##############################
+## End-to-end (E2E) Testing ##
+##############################
+
+e2e-build: ## Build the e2e Docker image, if not already built, using ./e2e/Dockerfile
+	docker build -t playwright-e2e -f ./e2e/Dockerfile .
+
+e2e-clean-report: ## Remove the local ./e2e/playwright-report and ./e2e/test-results folder and their contents
+	rm -rf ./e2e/playwright-report
+	rm -rf ./e2e/blob-report
+	rm -rf ./e2e/test-results
+
+e2e-delete-image: ## Delete the Docker image for e2e tests
+	@docker rmi -f playwright-e2e 2>/dev/null || echo "Docker image playwright-e2e does not exist, skipping."
+
+e2e-merge-reports: ## Merge Playwright blob reports from multiple shards into an HTML report
+	@cd e2e && npx playwright merge-reports --reporter html blob-report
+
+e2e-setup-ci: ## Setup end-to-end tests for CI
+	@cd e2e && npm ci
+	@cd e2e && npx playwright install --with-deps
+
+e2e-setup-native: ## Setup end-to-end tests
+	@cd e2e && npm install
+	@cd e2e && npx playwright install --with-deps
+
+e2e-show-report: ## Show the ./e2e/playwright-report
+	@cd e2e && npx playwright show-report
+
+e2e-test: ## Run E2E Playwright tests in a Docker container and copy the report locally
+e2e-test: e2e-build
+	@:$(call check_defined, APP_NAME, You must pass in a specific APP_NAME)
+	@:$(call check_defined, BASE_URL, You must pass in a BASE_URL)
+	docker run --rm\
+		--name playwright-e2e-container \
+		-e APP_NAME=$(APP_NAME) \
+		-e BASE_URL=$(BASE_URL) \
+		-e CURRENT_SHARD=$(CURRENT_SHARD) \
+		-e TOTAL_SHARDS=$(TOTAL_SHARDS) \
+		-e CI=$(CI) \
+		-v $(PWD)/e2e/playwright-report:/e2e/playwright-report \
+		-v $(PWD)/e2e/blob-report:/e2e/blob-report \
+		playwright-e2e
+
+e2e-test-native: ## Run end-to-end tests
+	@:$(call check_defined, APP_NAME, You must pass in a specific APP_NAME)
+	@:$(call check_defined, BASE_URL, You must pass in a BASE_URL)
+	@echo "Running e2e tests with CI=${CI}, APP_NAME=${APP_NAME}, BASE_URL=${BASE_URL}"
+	@cd e2e/$(APP_NAME) && APP_NAME=$(APP_NAME) BASE_URL=$(BASE_URL) npx playwright test $(E2E_ARGS)
+
+###########
+## Infra ##
+###########
 
 infra-set-up-account: ## Configure and create resources for current AWS profile and save tfbackend file to infra/accounts/$ACCOUNT_NAME.ACCOUNT_ID.s3.tfbackend
 	@:$(call check_defined, ACCOUNT_NAME, human readable name for account e.g. "prod" or the AWS account alias)
@@ -107,6 +169,10 @@ infra-update-app-database: ## Create or update $APP_NAME's database module for $
 	terraform -chdir="infra/$(APP_NAME)/database" init -input=false -reconfigure -backend-config="$(ENVIRONMENT).s3.tfbackend"
 	terraform -chdir="infra/$(APP_NAME)/database" apply -var="environment_name=$(ENVIRONMENT)"
 
+infra-module-database-role-manager-archive: ## Build/rebuild role manager code package for Lambda deploys
+	pip3 install -r infra/modules/database/role_manager/requirements.txt -t infra/modules/database/role_manager/vendor --upgrade
+	zip -r infra/modules/database/role_manager.zip infra/modules/database/role_manager
+
 infra-update-app-database-roles: ## Create or update database roles and schemas for $APP_NAME's database in $ENVIRONMENT
 	@:$(call check_defined, APP_NAME, the name of subdirectory of /infra that holds the application's infrastructure code)
 	@:$(call check_defined, ENVIRONMENT, the name of the application environment e.g. "prod" or "staging")
@@ -171,6 +237,10 @@ infra-format: ## Format infra code
 infra-test-service: ## Run service layer infra test suite
 	cd infra/test && go test -run TestService -v -timeout 30m
 
+#############
+## Linting ##
+#############
+
 lint-markdown: ## Lint Markdown docs for broken links
 	./bin/lint-markdown