Merge pull request #49 from sayoungestguy/develop

Deploy to prod

.devcontainer/devcontainer.json

@@ -11,8 +11,8 @@
       "VARIANT": "17-bullseye",
       // Options
       // maven and gradle wrappers are used by default, we don't need them installed globally
-      // "INSTALL_MAVEN": "true",
-      // "INSTALL_GRADLE": "false",
+      "INSTALL_MAVEN": "true",
+      "INSTALL_GRADLE": "false",
       "NODE_VERSION": "20.15.0"
     }
   },

.github/workflows/create-sit.yml

@@ -0,0 +1,26 @@
+name: Create SIT
+
+on: workflow_dispatch
+
+jobs:
+  create-sit-servers:
+    name: Create SIT Servers
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/testing-sit' # Only apply changes on main branch
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+      AWS_DEFAULT_REGION: ap-southeast-1 # Replace with your AWS region
+      TF_WORKING_DIR: ./terraform/sit # Adjust to your Terraform directory
+    steps:
+      - name: Checkout Cocde
+        uses: actions/checkout@v4
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+      - name: Terraform Init
+        working-directory: ${{ env.TF_WORKING_DIR }}
+        run: terraform init
+      - name: Terraform Apply
+        working-directory: ${{ env.TF_WORKING_DIR }}
+        run: terraform apply -auto-approve -auto-approve -var='access-key=${AWS_ACCESS_KEY_ID}' -var='secret-key=${AWS_SECRET_ACCESS_KEY}' -var='db_username=admin' -var='db_password=${DB_PASSWORD}' -var='my_ip='192.168.0.147'

.github/workflows/delete-sit.yml

@@ -0,0 +1,41 @@
+name: Destroy SIT
+
+on:
+  workflow_dispatch:
+    branches:
+      - ci-cd
+
+jobs:
+  terraform-destroy:
+    name: Terraform Destroy
+    runs-on: ubuntu-latest
+
+    # Environment variables for AWS credentials and region
+    env:
+      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
+      AWS_DEFAULT_REGION: ap-southeast-1 # Replace with your AWS region
+      TF_WORKING_DIR: ./terraform/sit # Adjust to your Terraform directory
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_wrapper: false # Optional: disable wrapper script
+          terraform_version: 1.9.6 # Replace with your Terraform version
+
+      - name: Initialize Terraform
+        working-directory: ${{ env.TF_WORKING_DIR }}
+        run: terraform init
+
+      - name: Validate Terraform configuration
+        working-directory: ${{ env.TF_WORKING_DIR }}
+        run: terraform validate
+
+      - name: Terraform Destroy
+        working-directory: ${{ env.TF_WORKING_DIR }}
+        run: terraform destroy -auto-approve -var='access-key=${AWS_ACCESS_KEY_ID}' -var='secret-key=${AWS_SECRET_ACCESS_KEY}' -var='db_username=admin' -var='db_password=${DB_PASSWORD}' -var='my_ip='192.168.0.147'

.github/workflows/main.yml

@@ -1,11 +1,37 @@
-name: Application CI workflow
-on: [push, pull_request]
+name: ScaleUp Application CI workflow
+on:
+  push:
+    branches:
+      - '**' # Trigger on any branch push
 jobs:
-  pipeline:
-    name: scaleup pipeline
+  set-env:
+    name: Setup Environment
     runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.15.0
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+      - name: Install Node.js packages
+        run: npm install
+      - name: Cache Node Modules
+        uses: actions/cache@v3
+        with:
+          path: node_modules
+          key: ${{ runner.os }}-node-${{ hashFiles('package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-node-
+
+  package:
+    name: Package App
+    runs-on: ubuntu-latest
+    needs: set-env
     if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.pull_request.title, '[skip ci]') && !contains(github.event.pull_request.title, '[ci skip]')"
-    timeout-minutes: 40
+    timeout-minutes: 10
     env:
       NODE_VERSION: 20.15.0
       SPRING_OUTPUT_ANSI_ENABLED: DETECT
@@ -20,13 +46,199 @@ jobs:
         with:
           distribution: 'temurin'
           java-version: 17
-      - name: Install Node.js packages
-        run: npm install
+      - name: Package application
+        run: npm run java:jar:prod
+      - name: Upload Build Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: packaged-application
+          path: |
+            target/*.jar
+            target/classes
+          retention-days: 1 # Retain the build artifacts for 1 day
+
+  # Push to Docker
+  jib-build:
+    name: containerize
+    runs-on: ubuntu-latest
+    needs: package
+    env:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+      DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
+      - name: Push to Docker registry w/o IT
+        run: ./mvnw package -Pprod verify jib:build -Djib.to.image=shenanquek97/scaleup -Djib.to.auth.username=${DOCKER_USERNAME} -Djib.to.auth.password=${DOCKER_PASSWORD} -DskipTests
+        if: github.ref != 'refs/heads/main' || github.ref != 'refs/heads/testing-uat'
+      - name: Push to Docker registry w IT
+        run: ./mvnw package -Pprod verify jib:build -Djib.to.image=shenanquek97/scaleup -Djib.to.auth.username=${DOCKER_USERNAME} -Djib.to.auth.password=${DOCKER_PASSWORD}
+        if: github.ref == 'refs/heads/main' || github.ref == 'refs/heads/testing-uat'
+
+  backend-test:
+    name: Backend Test Stage
+    runs-on: ubuntu-latest
+    needs: package
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: 17
       - name: Run backend test
         run: |
           chmod +x mvnw
           npm run ci:backend:test
+      - name: Upload Backend Test Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: backend-test-report
+          path: target/surefire-reports/*.xml
+          retention-days: 1
+
+  frontend-test:
+    name: Frontend Test Stage
+    runs-on: ubuntu-latest
+    needs: package
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.15.0
+      - name: Install Node.js Packages
+        run: npm install
       - name: Run frontend test
         run: npm run ci:frontend:test
-      - name: Package application
-        run: npm run java:jar:prod
+      - name: Upload Frontend Test Report
+        uses: actions/upload-artifact@v4
+        with:
+          name: jest-test-reports
+          path: ./target/test-results/TESTS-results-jest.xml # Adjusted to match your Jest output configuration
+          retention-days: 1
+
+  sonar:
+    name: Sonar SAST Scan
+    runs-on: ubuntu-latest
+    needs: [backend-test, frontend-test]
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 1 # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Set up JDK 17
+        uses: actions/setup-java@v3
+        with:
+          java-version: 17
+          distribution: 'zulu' # Alternative distribution options are available.
+      - name: Cache SonarCloud packages
+        uses: actions/cache@v3
+        with:
+          path: ~/.sonar/cache
+          key: ${{ runner.os }}-sonar
+          restore-keys: ${{ runner.os }}-sonar
+      - name: Cache Maven packages
+        uses: actions/cache@v3
+        with:
+          path: ~/.m2
+          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
+          restore-keys: ${{ runner.os }}-m2
+      - name: Build and analyze
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        if: github.ref != 'refs/heads/main'
+        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup
+      - name: Build and analyze for main
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        if: github.ref == 'refs/heads/main'
+        run: mvn -B verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=sayoungestguy_scaleup #-Dsonar.qualitygate.wait=true
+  snyk:
+    name: Vulnerability Scanning with Synk
+    needs: [backend-test, frontend-test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/maven@master
+        continue-on-error: true # To make sure that SARIF upload gets called
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          args: --sarif-file-output=snyk.sarif
+  #      - name: Upload result to GitHub Code Scanning
+  #        uses: github/codeql-action/upload-sarif@v3
+  #        with:
+  #          sarif_file: snyk.sarif
+
+  dast-scan:
+    name: DAST OWASP ZAP Scans
+    runs-on: ubuntu-latest
+    needs: [backend-test, frontend-test]
+    steps:
+      - uses: actions/checkout@v4
+      - name: Change script permission
+        run: |
+          chmod +x script/zap-script.sh
+      - name: ZAP scan
+        run: script/zap-script.sh
+      - name: Archive production artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap report
+          path: |
+            ./zap_baseline_report.html
+          retention-days: 1
+
+  deploy-to-sit:
+    name: Deploy to SIT
+    needs: jib-build
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/testing-sit' # Only apply changes on sit branch
+    env:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+    steps:
+      - name: Deploy to EC2
+        uses: appleboy/ssh-action@master
+        with:
+          host: ec2-52-77-34-58.ap-southeast-1.compute.amazonaws.com # Change this to SIT host
+          username: ubuntu
+          key: ${{ secrets.EC2_PRIVATE_KEY }}
+          port: 22
+          script: |
+            sudo docker pull ${{ secrets.DOCKER_USERNAME }}/scaleup:latest
+            if [ "$(sudo docker ps -q -f name=scaleUp)" ]; then
+                sudo docker stop scaleUp
+                sudo docker rm scaleUp
+            elif [ "$(sudo docker ps -a -q -f name=scaleUp)" ]; then
+                sudo docker rm scaleUp
+            fi
+            sudo docker run -d -p 8080:8080 --name scaleUp  ${{ secrets.DOCKER_USERNAME }}/scaleup:latest
+
+  deploy-to-main:
+    name: Deploy to Production
+    needs: [jib-build, dast-scan, snyk, sonar]
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' # Only apply changes on main branch
+    env:
+      DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
+    steps:
+      - name: Deploy to EC2
+        uses: appleboy/ssh-action@master
+        with:
+          host: ec2-54-255-11-22.ap-southeast-1.compute.amazonaws.com # Change to Prod host
+          username: ubuntu
+          key: ${{ secrets.EC2_PRIVATE_KEY_PROD }}
+          port: 22
+          script: |
+            sudo docker pull ${{ secrets.DOCKER_USERNAME }}/scaleup:latest
+            if [ "$(sudo docker ps -q -f name=scaleUp)" ]; then
+                sudo docker stop scaleUp
+                sudo docker rm scaleUp
+            elif [ "$(sudo docker ps -a -q -f name=scaleUp)" ]; then
+                sudo docker rm scaleUp
+            fi
+            sudo docker run -d -p 80:80 --name scaleUp  ${{ secrets.DOCKER_USERNAME }}/scaleup:latest