jamesrwarren · jamesrwarren · Apr 7, 2025 · Dec 30, 2024
diff --git a/.github/workflows/_sub_workflow.yml b/.github/workflows/_sub_workflow.yml
@@ -0,0 +1,37 @@
+name: "[SUB] Sub Workflow"
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  workflow_call:
+    secrets:
+      secret_to_pass:
+        required: false
+      actions_secret:
+        required: false
+    inputs:
+      environment_variable:
+        required: true
+        type: string
+
+jobs:
+  show-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - name: show secrets
+        env:
+          SECRET_WF_INTERNAL: ${{ secrets.secret_to_pass }}
+          SECRET_REPO_INTERNAL: ${{ secrets.actions_secret }}
+          ENVIRONMENT_VARIABLE: ${{ inputs.environment_variable }}
+        run: |
+          echo "Secret to pass based on outer env var: ${secret_to_pass}"
+          echo "Secret to not pass based on outer env var: ${secret_to_not_pass}"
+          echo "Actions repo secret: ${ACTIONS_REPO_SECRET}"
+          echo "Secret passed in: ${SECRET_WF_INTERNAL}"
+          echo "Secret defined in step: ${SECRET_REPO_INTERNAL}"
+          echo "Standard env var: ${ENVIRONMENT_VARIABLE}"
+          echo "Secret as env var in github env file: ${secret_to_env_file}"
+      - name: list all secrets
+        run: awk 'BEGIN{for(v in ENVIRON) print v}'
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
@@ -0,0 +1,44 @@
+name: Buid ECS Helper
+on:
+  pull_request:
+    branches:
+    - master
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: generate semver tag and release
+      id: semver_tag
+      uses: ministryofjustice/opg-github-actions/.github/actions/semver-tag@73bfe6f3ea05ffbc3dd278fe29c113ec1e7dcefc # v3.1.1
+      with:
+        prerelease: true
+        default_bump: "minor"
+
+    - name: Set up Go 1.13
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.13
+      id: go
+
+    - name: Get dependencies
+      run: |
+        go get -v -t -d ./...
+        if [ -f Gopkg.toml ]; then
+            curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
+            dep ensure
+        fi
+
+    - name: Build Runner
+      run: go build -mod vendor ./cmd/runner
+
+    - name: Build Stabilizer
+      run: go build -mod vendor ./cmd/stabilizer
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,49 @@
+name: Release with goreleaser
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: goreleaser
+    steps:
+
+      - name: Check out code into the Go module directory
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: generate semver tag and release
+        id: semver_tag
+        uses: ministryofjustice/opg-github-actions/.github/actions/semver-tag@73bfe6f3ea05ffbc3dd278fe29c113ec1e7dcefc # v3.1.1
+        with:
+          prerelease: false
+          release_branch: master
+          default_bump: "minor"
+
+      - name: Extract branch name
+        shell: bash
+        run: echo "##[set-output name=branch;]$(echo ${GITHUB_HEAD_REF#refs/heads/})"
+        id: extract_branch
+
+      - name: Set up Go
+        uses: actions/setup-go@v1
+        with:
+          go-version: 1.13
+        id: go
+
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/scanner.yml b/.github/workflows/scanner.yml
@@ -0,0 +1,16 @@
+name: Generate scan report
+
+on:
+  push:
+    branches:
+      - "main"
+  schedule:
+    # Every Monday, at 17:30 UTC
+    - cron: '30 17 * * 1'
+
+jobs:
+  run:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: ministryofjustice/opg-repository-scanner@latest
diff --git a/.github/workflows/workflow-pull-request-path.yml b/.github/workflows/workflow-pull-request-path.yml
@@ -0,0 +1,95 @@
+name: "[Workflow] Example Secret Scoping"
+
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  id-token: write
+  contents: write
+  security-events: write
+  pull-requests: write
+  actions: none
+  checks: none
+  deployments: none
+  issues: none
+  packages: none
+  repository-projects: none
+  statuses: none
+
+env:
+  workflow_variable: "workflow_variable"
+
+jobs:
+  secret_scoping:
+    runs-on: ubuntu-latest
+    name: create and output env vars
+    outputs:
+      secret_to_pass: ${{ steps.secrets.outputs.secret_to_pass }}
+    steps:
+      - uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871 # pin@v3
+      - name: create some secret env variables
+        id: secrets
+        run: |
+          echo "secret_to_pass=secret_to_pass" >> $GITHUB_OUTPUT
+          echo "secret_to_not_pass=secret_to_not_pass" >> $GITHUB_OUTPUT
+          export secret_as_env_var_direct=secret_as_env_var_direct
+          echo "secret_to_env_file=secret_to_env_file" >> $GITHUB_ENV
+          echo "Secret as env var direct: ${secret_as_env_var_direct}"
+      - name: echo out secrets
+        run: |
+          echo "Secret to pass: ${secret_to_pass}"
+          echo "Secret not to pass: ${secret_to_not_pass}"
+          echo "Secret from the repo: ${{ secrets.ACTIONS_REPO_SECRET }}"
+          echo "Secret as env var direct: ${secret_as_env_var_direct}"
+          echo "Secret as env var in github env file: ${secret_to_env_file}"
+
+  same_workflow_scoping:
+    runs-on: ubuntu-latest
+    name: show env vars in same workflow
+    env:
+      secret_to_pass: ${{ needs.secret_scoping.outputs.secret_to_pass }}
+    needs:
+      - secret_scoping
+    steps:
+      - uses: actions/checkout@3b9b8c884f6b4bb4d5be2779c26374abadae0871
+      - name: echo out secrets
+        run: |
+          echo "Secret to pass: ${secret_to_pass}"
+          echo "Secret not to pass: ${secret_to_not_pass}"
+          echo "Secret from the repo: ${{ secrets.ACTIONS_REPO_SECRET }}"
+          echo "Secret as env var direct: ${secret_as_env_var_direct}"
+          echo "Secret as env var in github env file: ${secret_to_env_file}"
+          echo "Workflow variable: ${workflow_variable}"
+      - name: list all secrets
+        run: awk 'BEGIN{for(v in ENVIRON) print v}'
+
+  run_sub_workflow_with_inherit:
+    name: build web resources
+    needs:
+      - secret_scoping
+    uses: ./.github/workflows/_sub_workflow.yml
+    with:
+      environment_variable: "environment_variable"
+    secrets: inherit
+
+  run_sub_workflow_without_inherit:
+    name: build web resources
+    needs:
+      - secret_scoping
+    uses: ./.github/workflows/_sub_workflow.yml
+    with:
+      environment_variable: "environment_variable"
+    secrets:
+      secret_to_pass: ${{ needs.secret_scoping.outputs.secret_to_pass }}
+      actions_secret: ${{ secrets.ACTIONS_REPO_SECRET }}
+
+
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,2 @@
+.idea
+*.iml
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -0,0 +1,27 @@
+# Make sure to check the documentation at http://goreleaser.com
+project_name: opg-ecs-helper
+
+release:
+  github:
+    owner: ministryofjustice
+    name: opg-ecs-helper
+
+builds:
+  - binary: ecs-runner
+    id: ecs-runner
+    main: ./cmd/runner/main.go
+    goarch:
+      - amd64
+  - binary: ecs-stabilizer
+    id: ecs-stabilizer
+    main: ./cmd/stabilizer/main.go
+    goarch:
+      - amd64
+
+archives:
+  -
+    name_template: "{{ .ProjectName }}_{{ .Os }}_{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ if .Mips }}_{{ .Mips }}{{ end }}"
+    replacements:
+      darwin: Darwin
+      linux: Linux
+      amd64: x86_64
diff --git a/LICENSE b/LICENSE
@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2023 Crown copyright (Ministry of Justice)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/README.md b/README.md
@@ -1 +1,83 @@
-# github-actions-testing
+# opg-ecs-helper
+ECS Helper in Golang: Managed by opg-org-infra &amp; Terraform
+
+## Function 
+
+### Stabilizer 
+
+Check to make sure that the tasks for the list of ECS Services provided have 
+stabilized after a deployment.
+
+### Runner
+
+Run ecs run-tasks from the commandline 
+
+## Building Locally
+
+```go
+go build -mod vendor ./cmd/runner
+```
+
+```go
+go build -mod vendor ./cmd/stabilizer
+```
+## Usage
+
+### Stabilizer
+
+You need to provide output containing a list of ECS services you want the stabilizer
+to check.
+
+```terraform
+output "Role" {
+  value = "arn:aws:iam::${local.account.id}:role/${var.default_role}"
+}
+
+output "Services" {
+  value = {
+    Cluster = aws_ecs_cluster.my_cluster.name
+    Services = [
+      aws_ecs_service.my_cool_service.name
+    ]
+  }
+}
+```
+
+By default it will look for the outputs in `terraform.output.json`. 
+Running `terraform output -json > terraform.output.json` will create the file for you.
+```bash
+aws-vault exec identity -- ecs-stabilizer
+```
+
+### Runner
+
+You need to provide a output of the tasks you want to be able to 
+run using the runner tool:
+
+```terraform
+output "Role" {
+  value = "arn:aws:iam::${local.account.id}:role/${var.default_role}"
+}
+
+output "Task" {
+  value = {
+    Cluster    = var.cluster_name
+    LaunchType = "FARGATE"
+    NetworkConfiguration = {
+      AwsvpcConfiguration = {
+        SecurityGroups = [var.security_group_id]
+        Subnets        = var.subnet_ids
+      }
+    }
+    TaskDefinition = aws_ecs_task_definition.task.arn
+  }
+}
+
+```
+
+By default it will look for the outputs in `terraform.output.json`. 
+Running `terraform output -json > terraform.output.json` will create the file for you.
+
+```bash
+aws-vault exec identity -- ecs-runner -task <task_name>
+```