feat: DBTP-1507 Setup codepipeline notifications

codebase-pipelines/buildspec-deploy.yml

@@ -3,16 +3,63 @@ version: 0.2
 env:
   variables:
     DEPLOY_TIMEOUT: 1800
+  parameter-store:
+    SLACK_TOKEN: /codebuild/slack_oauth_token
 
 phases:
   install:
     commands:
+      - echo "Starting deployment script for ${SERVICE} service"
       - pip install yq --quiet
+      - echo "Installing platform-helper"
+      - pip install dbt-platform-helper --quiet
+      - platform-helper --version
+      - echo "Installing regclient"
+      - curl -s -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 > /usr/local/bin/regctl
+      - chmod +x /usr/local/bin/regctl
 
   build:
     commands:
       - set -e
 
+      # Extract timestamp from image config and check if it exists
+      - aws ecr get-login-password --region ${AWS_REGION} | docker login --username AWS --password-stdin ${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com
+
+      # construct Slack message env vars
+      - SLACK_REF=$(regctl image config "${REPOSITORY_URL}:${IMAGE_TAG}" | jq -r '.config.Labels."uk.gov.trade.digital.build.timestamp"')
+      - |
+        if [ "${SLACK_REF}" = "null" ] || [ -z "${SLACK_REF}" ]; then
+          echo "Image contains no timestamp label"
+          exit 1
+        fi
+        echo "Found image timestamp ${SLACK_REF}"
+
+      - UPPERCASE_SERVICE=$(echo "${SERVICE}" | tr '[:lower:]' '[:upper:]')
+      - UPPERCASE_TAG=$(echo "${IMAGE_TAG}" | tr '[:lower:]' '[:upper:]')
+
+        # Extract the pipeline name from CODEBUILD_INITIATOR default env var
+      - |
+        if [[ "${CODEBUILD_INITIATOR}" == codepipeline/* ]]; then 
+          PIPELINE_NAME=$(echo "${CODEBUILD_INITIATOR}" | cut -d'/' -f2) 
+          echo "Pipeline name is ${PIPELINE_NAME}"
+        else 
+          echo "ERROR: Build not triggered by CodePipeline." 
+          exit 1 
+        fi
+
+      # Construct the pipeline execution URL
+      - PIPELINE_EXECUTION_URL="https://${AWS_REGION}.console.aws.amazon.com/codesuite/codepipeline/pipelines/${PIPELINE_NAME}/executions/${PIPELINE_EXECUTION_ID}" 
+
+      - echo "Pipeline execution URL ${PIPELINE_EXECUTION_URL}"
+
+      - BUILD_ID_PREFIX=$(echo $CODEBUILD_BUILD_ID | cut -d':' -f1)
+      - echo "BUILD_ID_PREFIX - ${BUILD_ID_PREFIX}"
+
+      - |
+        MESSAGE=":rocket: STARTED - Deployment of ${UPPERCASE_SERVICE} service - Tag: ${UPPERCASE_TAG} - <https://${AWS_REGION}.console.aws.amazon.com/codesuite/codebuild/${AWS_ACCOUNT_ID}/projects/${BUILD_ID_PREFIX}/build/${CODEBUILD_BUILD_ID}/?region=${AWS_REGION}|Build log> | <${PIPELINE_EXECUTION_URL}|Pipeline execution url>"
+
+      - platform-helper notify add-comment "${SLACK_CHANNEL_ID}" "${SLACK_TOKEN}" "${SLACK_REF}" "${MESSAGE}"
+
       # Check if the specified image tag exists
       - |
         if ! aws ecr describe-images --repository-name "${REPOSITORY_NAME}" --image-ids "imageTag=${IMAGE_TAG}" > /dev/null 2>&1; then
@@ -52,7 +99,7 @@ phases:
       - cd "${CODEBUILD_SRC_DIR}"
 
       # If count is a range, get the first value otherwise get count
-      - | 
+      - |
         if [ $(yq '.count | type == "object"' copilot/web/manifest.yml) == "true" ]; then
           count=$(yq '.count.range' copilot/web/manifest.yml | tr -d '"' | cut -d '-' -f1)
         else
@@ -85,10 +132,10 @@ phases:
           sleep 10
           now=$( date +%s )
           elapsed=$(( now-start ))
-        
+
           deploy_status=$(aws ecs list-service-deployments --cluster "${cluster}" --service "${service_name}" --created-at "after=${start}" | jq -r '.serviceDeployments[0].status')
           echo "Deployment status after ${elapsed} seconds: ${deploy_status}"
-        
+
           if [[ ${elapsed} -gt ${DEPLOY_TIMEOUT} ]]; then
             echo "Error: deployment not completed in ${DEPLOY_TIMEOUT} seconds"
             exit 1
@@ -97,7 +144,34 @@ phases:
 
       # Check deployment success
       - |
-        if [ "${deploy_status}" != "SUCCESSFUL" ]; then 
-          echo "Error: deployment did not succeed"
+        case "${deploy_status}" in
+          SUCCESSFUL)
+            STATUS_EMOJI=":large_green_circle:"
+            STATUS_TEXT="COMPLETE"
+            ;;
+          ROLLBACK_SUCCESSFUL)
+            STATUS_EMOJI=":red_circle:"
+            STATUS_TEXT="FAILED"
+            ;;
+          ROLLBACK_FAILED)
+            STATUS_EMOJI=":red_circle::warning:"
+            STATUS_TEXT="FAILED"
+            ;;
+          *)
+            STATUS_EMOJI=":large_blue_circle:"
+            STATUS_TEXT="STOP_REQUESTED/STOPPED/PENDING/IN_PROGRESS"
+            ;;
+        esac
+
+      - echo "Status emoji set to ${STATUS_EMOJI}"
+
+      - MESSAGE="${STATUS_EMOJI} ${STATUS_TEXT} - Deployment of ${UPPERCASE_TAG} to ${UPPERCASE_SERVICE} service - ${deploy_status} - <${PIPELINE_EXECUTION_URL}|Pipeline execution url>"
+
+      - platform-helper notify add-comment "${SLACK_CHANNEL_ID}" "${SLACK_TOKEN}" "${SLACK_REF}" "${MESSAGE}"
+
+      # Exit with an error code if deployment did not succeed
+      - |
+        if [ "${deploy_status}" != "SUCCESSFUL" ]; then
+          echo "Error: deployment status is ${deploy_status}"
           exit 1
         fi

codebase-pipelines/codepipeline.tf

@@ -75,11 +75,16 @@ resource "aws_codepipeline" "codebase_pipeline" {
             ProjectName = aws_codebuild_project.codebase_deploy.name
             EnvironmentVariables : jsonencode([
               { name : "APPLICATION", value : var.application },
+              { name : "AWS_REGION", value : data.aws_region.current.name },
+              { name : "AWS_ACCOUNT_ID", value : data.aws_caller_identity.current.account_id },
               { name : "ENVIRONMENT", value : stage.value.name },
-              { name : "SERVICE", value : action.value.name },
+              { name : "IMAGE_TAG", value : "#{variables.IMAGE_TAG}" },
+              { name : "PIPELINE_EXECUTION_ID", value : "#{codepipeline.PipelineExecutionId}" },
+              { name : "PREFIXED_REPOSITORY_NAME", value : local.prefixed_repository_name },
               { name : "REPOSITORY_URL", value : local.repository_url },
               { name : "REPOSITORY_NAME", value : local.ecr_name },
-              { name : "IMAGE_TAG", value : "#{variables.IMAGE_TAG}" }
+              { name : "SERVICE", value : action.value.name },
+              { name : "SLACK_CHANNEL_ID", value : var.slack_channel, type : "PARAMETER_STORE" },
             ])
           }
         }
@@ -158,11 +163,16 @@ resource "aws_codepipeline" "manual_release_pipeline" {
           ProjectName = aws_codebuild_project.codebase_deploy.name
           EnvironmentVariables : jsonencode([
             { name : "APPLICATION", value : var.application },
+            { name : "AWS_REGION", value : data.aws_region.current.name },
+            { name : "AWS_ACCOUNT_ID", value : data.aws_caller_identity.current.account_id },
             { name : "ENVIRONMENT", value : "#{variables.ENVIRONMENT}" },
-            { name : "SERVICE", value : action.value.name },
+            { name : "IMAGE_TAG", value : "#{variables.IMAGE_TAG}" },
+            { name : "PIPELINE_EXECUTION_ID", value : "#{codepipeline.PipelineExecutionId}" },
+            { name : "PREFIXED_REPOSITORY_NAME", value : local.prefixed_repository_name },
             { name : "REPOSITORY_URL", value : local.repository_url },
             { name : "REPOSITORY_NAME", value : local.ecr_name },
-            { name : "IMAGE_TAG", value : "#{variables.IMAGE_TAG}" }
+            { name : "SERVICE", value : action.value.name },
+            { name : "SLACK_CHANNEL_ID", value : var.slack_channel, type : "PARAMETER_STORE" },
           ])
         }
       }

codebase-pipelines/iam.tf

@@ -180,12 +180,23 @@ data "aws_iam_policy_document" "ecr_access_for_codebase_pipeline" {
   statement {
     effect = "Allow"
     actions = [
-      "ecr:DescribeImages"
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage",
+      "ecr:GetDownloadUrlForLayer"
     ]
     resources = [
       aws_ecr_repository.this.arn
     ]
   }
+  statement {
+    effect = "Allow"
+    actions = [
+      "ecr:GetAuthorizationToken"
+    ]
+    resources = [
+      "*"
+    ]
+  }
 }
 
 resource "aws_iam_role_policy" "artifact_store_access_for_codebase_pipeline" {
@@ -279,3 +290,22 @@ data "aws_iam_policy_document" "environment_deploy_role_access" {
     ]
   }
 }
+
+resource "aws_iam_role_policy" "deploy_ssm_access" {
+  name   = "deploy-ssm-access"
+  role   = aws_iam_role.codebase_deploy.name
+  policy = data.aws_iam_policy_document.deploy_ssm_access.json
+}
+
+data "aws_iam_policy_document" "deploy_ssm_access" {
+  statement {
+    effect = "Allow"
+    actions = [
+      "ssm:GetParameter",
+      "ssm:GetParameters"
+    ]
+    resources = [
+      "arn:aws:ssm:${local.account_region}:parameter/codebuild/slack_*"
+    ]
+  }
+}

codebase-pipelines/locals.tf

@@ -7,8 +7,9 @@ locals {
 
   account_region = "${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}"
 
-  ecr_name       = "${var.application}/${var.codebase}"
-  repository_url = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${local.ecr_name}"
+  ecr_name                 = "${var.application}/${var.codebase}"
+  prefixed_repository_name = "uktrade/${var.application}"
+  repository_url           = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${data.aws_region.current.name}.amazonaws.com/${local.ecr_name}"
 
   pipeline_branches = distinct([
     for pipeline in var.pipelines : pipeline.branch if lookup(pipeline, "branch", null) != null