BLUEBUTTON-1787: GitHub Actions CI for Java and Terraform development (…

…#209) * Add GitHub Actions workflows for Java and Terraform development, add user for S3 ITs * Add linting job to Java CI via fmt-maven-plugin * Make maven jobs more DRY via matrix builds
CMSgov · Feb 6, 2020 · 8788ce4 · 8788ce4
1 parent 8dd9827
commit 8788ce4
Show file tree

Hide file tree

Showing 4 changed files with 130 additions and 0 deletions.
diff --git a/.github/workflows/ci-java.yml b/.github/workflows/ci-java.yml
@@ -0,0 +1,44 @@
+name: 'CI - Java'
+on:
+  pull_request:
+    paths:
+      - apps/**
+jobs:
+  mvn-job:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        java_version: [1.8]
+        mvn_command: ['verify', 'com.coveo:fmt-maven-plugin:check']
+    steps:
+      - name: 'Configure AWS credentials'
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.GA_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.GA_AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-east-1
+      - name: 'Checkout repo'
+        uses: actions/checkout@v2
+      - name: 'Setup JDK'
+        uses: actions/setup-java@v1
+        with:
+          java-version: ${{ matrix.java_version }}
+      - name: 'Generate maven toolchain config'
+        run: |
+          cat << EOF > ~/.m2/toolchains.xml
+          <toolchains>
+            <toolchain>
+              <type>jdk</type>
+              <provides>
+                <version>${{ matrix.java_version }}</version>
+                <vendor>OpenJDK</vendor>
+              </provides>
+              <configuration>
+                <jdkHome>$JAVA_HOME</jdkHome>
+              </configuration>
+            </toolchain>
+          </toolchains>
+          EOF
+      - name: 'Run maven ${{ matrix.mvn_commmand }}'
+        run: mvn ${{ matrix.mvn_command }}
+        working-directory: ./apps
diff --git a/.github/workflows/ci-terraform.yml b/.github/workflows/ci-terraform.yml
@@ -0,0 +1,31 @@
+name: 'CI - Terraform'
+on:
+  pull_request:
+    paths:
+      - ops/terraform/**
+jobs:
+  tf-validate:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        tf_version: [0.12.8]
+        tf_environment: [test, prod-sbx, prod, mgmt]
+        tf_resources: [stateless, stateful]
+    steps:
+      - name: 'Checkout repo'
+        uses: actions/checkout@v2
+      - name: 'Run terraform init'
+        uses: hashicorp/terraform-github-actions@master
+        with:
+          tf_actions_version: ${{ matrix.tf_version }}
+          tf_actions_subcommand: init
+          tf_actions_working_dir: ./ops/terraform/env/${{ matrix.tf_environment }}/${{ matrix.tf_resources }}/
+          tf_actions_comment: false
+          args: '-backend=false'
+      - name: 'Run terraform validate'
+        uses: hashicorp/terraform-github-actions@master
+        with:
+          tf_actions_version: ${{ matrix.tf_version }}
+          tf_actions_subcommand: validate
+          tf_actions_working_dir: ./ops/terraform/env/${{ matrix.tf_environment }}/${{ matrix.tf_resources }}/
+          tf_actions_comment: false
diff --git a/.gitignore b/.gitignore
@@ -3,6 +3,7 @@
 .*
 !.gitignore
 !.gitattributes
+!.github
 
 # OSX system files
 .DS_Store
diff --git a/ops/terraform/modules/mgmt_stateful/main.tf b/ops/terraform/modules/mgmt_stateful/main.tf
@@ -206,3 +206,57 @@ resource "aws_iam_role_policy_attachment" "packer_S3" {
   role       = aws_iam_role.packer.name
   policy_arn = aws_iam_policy.packer_s3.arn
 }
+
+# IAM policy, user, and attachment to allow GitHub Actions
+# to perform app integration testing against S3
+
+resource "aws_iam_user" "github_actions" {
+  name       = "bfd-github-actions"
+}
+
+resource "aws_iam_user_policy_attachment" "github_actions_s3its" {
+  user       = aws_iam_user.github_actions.name
+  policy_arn = aws_iam_policy.github_actions_s3its.arn
+}
+
+resource "aws_iam_policy" "github_actions_s3its" {
+  name        = "bfd-github-actions-s3its"
+  description = "GitHub Actions policy for S3 integration tests"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "BFDGitHubActionsS3ITs",
+      "Action": [
+        "s3:CreateBucket",
+        "s3:ListAllMyBuckets"
+      ],
+      "Effect": "Allow",
+      "Resource": "*"
+    },
+    {
+      "Sid": "BFDGitHubActionsS3ITsBucket",
+      "Action": [
+        "s3:DeleteBucket",
+        "s3:HeadBucket",
+        "s3:ListBucket"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::bb-test-*"
+    },
+    {
+      "Sid": "BFDGitHubActionsS3ITsObject",
+      "Action": [
+        "s3:DeleteObject",
+        "s3:GetObject",
+        "s3:PutObject"
+      ],
+      "Effect": "Allow",
+      "Resource": "arn:aws:s3:::bb-test-*/*"
+    }
+  ]
+}
+EOF
+}