Merge branch 'main' into lauren/fix-cred-logging-alerts

.github/workflows/waf-sync-lambda-dev-deploy.yml

@@ -0,0 +1,41 @@
+name: WAF Sync Lambda Dev Deploy
+
+on:
+  workflow_call:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+    paths:
+      - lambda/wafsync/**
+      - .github/workflows/waf-sync-lambda-dev-deploy.yml
+
+jobs:
+  deploy-to-dev:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./lambda/wafsync
+    environment: dev
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+      - name: Build WAF Sync Lambda zip file
+        env:
+          CGO_ENABLED: 0
+        run: |
+          go build -o bootstrap main.go db.go aws.go
+          zip function.zip bootstrap
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.ACCOUNT_ID }}:role/delegatedadmin/developer/bcda-dev-github-actions
+      - name: Upload and reload
+        run: |
+          aws s3 cp --no-progress function.zip \
+            s3://bcda-dev-api-waf-sync-function/function-${{ github.sha }}.zip
+          aws lambda update-function-code --function-name bcda-dev-api-waf-sync \
+            --s3-bucket bcda-dev-api-waf-sync-function --s3-key function-${{ github.sha }}.zip

.github/workflows/waf-sync-lambda-integration-test.yml

@@ -0,0 +1,49 @@
+name: WAF Sync Lambda Integration Tests
+
+on:
+  pull_request:
+    paths:
+      - .github/workflows/waf-sync-lambda-integration-test.yml
+      - .github/workflows/waf-sync-lambda-dev-deploy.yml
+      - .github/workflows/waf-sync-lambda-test-deploy.yml
+      - .github/workflows/waf-sync-lambda-prod-deploy.yml
+      - lambda/wafsync/**
+  workflow_dispatch:
+
+# Ensure we have only one integration test running at a time
+concurrency:
+  group: waf-sync-lambda-integration-test
+
+jobs:
+  # Deploy first if triggered by pull_request
+  deploy:
+    if: ${{ github.event_name == 'pull_request' }}
+    uses: ./.github/workflows/waf-sync-lambda-dev-deploy.yml
+    secrets: inherit
+
+  trigger:
+    if: ${{ always() }}
+    needs: deploy
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./lambda/wafsync
+    outputs:
+      start_time: ${{ steps.invoke-lambda.outputs.STARTTIME }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.ACCOUNT_ID }}:role/delegatedadmin/developer/bcda-dev-github-actions
+      - name: Send event to trigger lambda function
+        id: invoke-lambda
+        run: |
+          echo "STARTTIME=`date +%s`" >> "$GITHUB_OUTPUT"
+          aws lambda invoke --function-name bcda-dev-api-waf-sync test-result.txt
+      - name: Verify result
+        run: |
+          if grep -q "errorType" test-result.txt; then cat test-result.txt; exit 1; else echo "Success"; fi

.github/workflows/waf-sync-lambda-prod-deploy.yml

@@ -0,0 +1,24 @@
+name: WAF Sync Lambda prod deploy
+
+on:
+  workflow_dispatch:
+
+jobs:
+  deploy-to-prod:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    environment: prod
+    steps:
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.ACCOUNT_ID }}:role/delegatedadmin/developer/bcda-prod-github-actions
+      - name: Promote lambda code from test to prod
+        run: |
+          aws s3 cp --no-progress \
+            s3://bcda-test-api-waf-sync-function/function-${{ github.sha }}.zip \
+            s3://bcda-prod-api-waf-sync-function/function-${{ github.sha }}.zip
+          aws lambda update-function-code --function-name bcda-prod-api-waf-sync \
+            --s3-bucket bcda-prod-api-waf-sync-function --s3-key function-${{ github.sha }}.zip

.github/workflows/waf-sync-lambda-test-deploy.yml

@@ -0,0 +1,35 @@
+name: WAF Sync Lambda test deploy
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  deploy-to-test:
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./lambda/wafsync
+    environment: test
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+      - name: Build WAF Sync Lambda zip file
+        env:
+          CGO_ENABLED: 0
+        run: |
+          go build -o bootstrap main.go db.go aws.go
+          zip function.zip bootstrap
+      - uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: ${{ vars.AWS_REGION }}
+          role-to-assume: arn:aws:iam::${{ secrets.ACCOUNT_ID }}:role/delegatedadmin/developer/bcda-test-github-actions
+      - name: Upload and reload
+        run: |
+          aws s3 cp --no-progress function.zip \
+            s3://bcda-test-api-waf-sync-function/function-${{ github.sha }}.zip
+          aws lambda update-function-code --function-name bcda-test-api-waf-sync \
+            --s3-bucket bcda-test-api-waf-sync-function --s3-key function-${{ github.sha }}.zip

Dockerfiles/Dockerfile.package

@@ -1,4 +1,4 @@
-FROM golang:alpine3.20
+FROM golang:1.23-alpine3.20
 
 ENV CGO_ENABLED=0
 

Dockerfiles/Dockerfile.ssas

@@ -1,4 +1,4 @@
-FROM golang:alpine3.20 AS documentation
+FROM golang:1.23-alpine3.20 AS documentation
 RUN apk update upgrade
 RUN apk add git build-base gcc binutils-gold
 WORKDIR /go/src/github.com/CMSgov/bcda-ssas-app

Dockerfiles/Dockerfile.tests

@@ -1,4 +1,4 @@
-FROM golang:alpine3.20
+FROM golang:1.23-alpine3.20
 
 RUN apk update upgrade
 

Makefile

@@ -42,6 +42,15 @@ test:
 	$(MAKE) smoke-test
 	$(MAKE) migrations-test
 
+setup-tests:
+	# Clean up any existing data to ensure we spin up container in a known state.
+	docker compose -f docker-compose.test.yml rm -fsv tests
+	docker compose -f docker-compose.test.yml build tests
+
+# make test-path TEST_PATH="bcdaworker/worker/*.go"
+test-path: setup-tests
+	@docker compose -f docker-compose.test.yml run --rm tests go test -v $(TEST_PATH)
+
 load-fixtures:
 	docker compose -f docker-compose.migrate.yml run --rm migrate  -database "postgres://postgres:toor@db:5432/bcda?sslmode=disable" -path /go/src/github.com/CMSgov/bcda-ssas-app/db/migrations up
 	docker compose -f docker-compose.yml run ssas sh -c 'ssas --add-fixture-data'

docker-compose.test.yml

@@ -12,6 +12,7 @@ services:
       - DATABASE_URL=postgresql://postgres:toor@db:5432/bcda?sslmode=disable
       - BCDA_SSAS_CLIENT_ID=fake-client-id
       - BCDA_SSAS_SECRET=fake-secret
+      - ENV=local
       - DEPLOYMENT_TARGET=local
       - SSAS_ADMIN_SIGNING_KEY_PATH=../../../shared_files/ssas/admin_test_signing_key.pem
       - SSAS_PUBLIC_SIGNING_KEY_PATH=../../../shared_files/ssas/public_test_signing_key.pem

go.mod

@@ -1,44 +1,65 @@
 module github.com/CMSgov/bcda-ssas-app
 
-go 1.19
+go 1.23.1
 
 require (
+	github.com/aws/aws-lambda-go v1.47.0
+	github.com/aws/aws-sdk-go v1.55.5
 	github.com/go-chi/chi/v5 v5.0.7
 	github.com/go-chi/render v1.0.2
 	github.com/golang-jwt/jwt/v4 v4.5.1
+	github.com/google/uuid v1.3.0
+	github.com/jackc/pgx/v5 v5.7.1
 	github.com/joho/godotenv v1.5.1
-	github.com/lib/pq v1.10.6
+	github.com/lib/pq v1.10.9
 	github.com/newrelic/go-agent/v3 v3.18.1
+	github.com/pashagolub/pgxmock/v4 v4.3.0
 	github.com/patrickmn/go-cache v2.1.1-0.20180815053127-5633e0862627+incompatible
 	github.com/pborman/uuid v1.2.1
-	github.com/sirupsen/logrus v1.9.0
-	github.com/stretchr/testify v1.8.1
+	github.com/sirupsen/logrus v1.9.3
+	github.com/stretchr/testify v1.9.0
 	golang.org/x/crypto v0.31.0
 	gopkg.in/macaroon.v2 v2.1.0
 	gorm.io/driver/postgres v1.5.4
 	gorm.io/gorm v1.25.5
 )
 
 require (
+	github.com/fsnotify/fsnotify v1.5.4 // indirect
+	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/spf13/afero v1.8.2 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/viper v1.9.0 // indirect
+	github.com/subosito/gotenv v1.3.0 // indirect
+	gopkg.in/ini.v1 v1.66.6 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+)
+
+require (
+	github.com/CMSgov/bcda-app v0.0.0-20250102171642-27f10380b310
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/uuid v1.3.0 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 // indirect
-	github.com/jackc/pgx/v5 v5.5.4 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/rogpeppe/go-internal v1.10.0 // indirect
-	github.com/stretchr/objx v0.5.0 // indirect
-	golang.org/x/net v0.23.0 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 	google.golang.org/grpc v1.56.3 // indirect
-	google.golang.org/protobuf v1.33.0 // indirect
+	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )