Merge pull request #4 from hmcts/rule-sets-DTSPO-17918

adding config + pipeline

.github/workflows/pipeline.yaml

@@ -0,0 +1,83 @@
+name: Push
+
+on:
+  push:
+    branches:
+      - master
+
+env:
+  TF_LOG: INFO
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs: 
+  deploy-infra:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v2
+
+    # Log into Azure with OIDC integration  
+    - name: 'Az CLI login'
+      uses: azure/login@v1
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
+
+    - name: Install jq
+      run: |
+        sudo apt-get install jq -y
+  
+    # List all the repos and branches that the rules are going to be applied on
+    - name: List Repositories and Branches
+      run: |
+        echo "Checking Repositories and Branches"
+        cat ./test-repos.json
+        for repo in $(jq -r '.[]' ./test-repos.json); do
+          echo "Checking repository: $repo"
+          curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \
+               -H "Accept: application/vnd.github.v3+json" \
+               https://api.github.com/repos/hmcts/$repo
+  
+          for branch in main master; do
+            echo "Checking branch: $branch in repository: $repo"
+            curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \
+                 -H "Accept: application/vnd.github.v3+json" \
+                 https://api.github.com/repos/hmcts/$repo/branches/$branch
+          done
+        done
+
+    - name: Terraform Init
+      working-directory: components
+      env:
+        STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}
+        CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}
+        RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}
+        ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
+        ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME"
+
+    - name: Terraform Plan
+      working-directory: components
+      env:
+        ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
+        ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+        GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
+      run: terraform plan -var="github_token=${{ secrets.PAT_TOKEN }}"
+
+    - name: Terraform Apply
+      working-directory: components
+      env:
+        ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
+        ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+        GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
+      run: terraform apply -var="github_token=${{ secrets.PAT_TOKEN }}" -auto-approve

.github/workflows/pr.yaml

@@ -0,0 +1,93 @@
+name: Pull Request
+
+on:
+  pull_request:
+    branches:
+      - master
+
+env:
+  TF_LOG: INFO
+
+permissions:
+  id-token: write
+  issues: write
+  pull-requests: write
+  contents: read
+
+jobs: 
+  pr-infra-check:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v3
+
+    - name: Setup Terraform
+      uses: hashicorp/setup-terraform@v2
+
+    # Log into Azure with OIDC integration  
+    - name: 'Az CLI login'
+      uses: azure/login@v1
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
+
+    - name: Install jq
+      run: sudo apt-get install jq -y
+
+    # List all the repos and branches that the rules are going to be applied on
+    - name: List Repositories and Branches
+      run: |
+          echo "Checking Repositories and Branches"
+          cat ./test-repos.json
+          for repo in $(jq -r '.[]' ./test-repos.json); do
+            echo "Checking repository: $repo"
+            curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \
+                 -H "Accept: application/vnd.github.v3+json" \
+                 https://api.github.com/repos/hmcts/$repo
+    
+            for branch in main master; do
+              echo "Checking branch: $branch in repository: $repo"
+              curl -H "Authorization: token ${{ secrets.PAT_TOKEN }}" \
+                   -H "Accept: application/vnd.github.v3+json" \
+                   https://api.github.com/repos/hmcts/$repo/branches/$branch
+            done
+          done
+
+    - name: Terraform Init
+      working-directory: components
+      env:
+        STORAGE_ACCOUNT: ${{ secrets.STORAGE_ACCOUNT }}
+        CONTAINER_NAME: ${{ secrets.CONTAINER_NAME }}
+        RESOURCE_GROUP_NAME: ${{ secrets.RESOURCE_GROUP_NAME }}
+        ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+        ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
+        ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      run: terraform init -backend-config="storage_account_name=$STORAGE_ACCOUNT" -backend-config="container_name=$CONTAINER_NAME" -backend-config="resource_group_name=$RESOURCE_GROUP_NAME"
+
+    - name: Terraform format
+      working-directory: components
+      id: fmt
+      run: terraform fmt -check
+
+    - name: Terraform validate
+      working-directory: components
+      id: validate
+      env:
+        ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+        ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
+        ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+      run: terraform validate
+
+    - name: Terraform plan
+      working-directory: components
+      id: plan
+      env:
+        ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+        ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+        ARM_SUBSCRIPTION_ID: ${{ secrets.DCD_CFT_SANDBOX_SUBSCRIPTION }}
+        ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+        GITHUB_TOKEN: ${{ secrets.PAT_TOKEN }}
+      run: terraform plan -var="github_token=${{ secrets.PAT_TOKEN }}"

components/.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

components/locals.tf

@@ -0,0 +1,43 @@
+locals {
+  # Read the repositories list from the JSON file
+  repositories_list = jsondecode(file("${path.module}/../test-repos.json"))
+
+  # Filter out excluded repositories
+  included_repositories = [
+    for repo in local.repositories_list : repo
+    if !contains(var.excluded_repositories, repo)
+  ]
+
+  # Create a combination of repositories and branches
+  repo_branch_combinations = flatten([
+    for repo in local.included_repositories : [
+      for branch in var.branches : {
+        repo   = repo
+        branch = branch
+      }
+    ]
+  ])
+}
+
+locals {
+  env_display_names = {
+    sbox    = "Sandbox"
+    prod    = "Production"
+    nonprod = "Non-Production"
+    test    = "Test"
+    staging = "staging"
+  }
+  common_tags = {
+    "managedBy"          = "DevOps"
+    "solutionOwner"      = "RDO"
+    "activityName"       = "Storage Account"
+    "dataClassification" = "Internal"
+    "automation"         = ""
+    "costCentre"         = ""
+  }
+  enforced_tags = module.tags.common_tags
+}
+
+
+
+

components/main.tf

@@ -0,0 +1,69 @@
+module "tags" {
+  source      = "git::https://github.com/hmcts/terraform-module-common-tags.git?ref=master"
+  environment = var.env
+  product     = var.product
+  builtFrom   = var.builtFrom
+}
+
+resource "azurerm_resource_group" "rg" {
+  name     = var.resource_group_name
+  location = var.location
+  tags     = module.tags.common_tags
+}
+
+resource "azurerm_storage_account" "sa" {
+  name                     = var.storage_account_name
+  resource_group_name      = azurerm_resource_group.rg.name
+  location                 = azurerm_resource_group.rg.location
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  tags                     = module.tags.common_tags
+}
+
+resource "azurerm_storage_container" "tfstate" {
+  name                  = "tfstate"
+  storage_account_name  = azurerm_storage_account.sa.name
+  container_access_type = "private"
+}
+
+# Check if repositories exist
+data "github_repository" "existing_repos" {
+  for_each = { for repo in local.included_repositories : repo => repo }
+  name     = each.value
+}
+
+# Check if branches exist
+data "github_branch" "existing_branches" {
+  for_each   = { for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo if contains(keys(data.github_repository.existing_repos), combo.repo) }
+  repository = each.value.repo
+  branch     = each.value.branch
+}
+
+# Apply branch protection rules only if the branch exists
+resource "github_branch_protection_v3" "branch_protection" {
+  for_each = {
+    for combo in local.repo_branch_combinations : "${combo.repo}:${combo.branch}" => combo
+    if try(data.github_branch.existing_branches["${combo.repo}:${combo.branch}"].branch, null) != null
+  }
+
+  repository     = each.value.repo
+  branch         = each.value.branch
+  enforce_admins = false # Excludes organisation admins
+
+  required_status_checks {
+    strict   = true
+    contexts = ["ci/test", "ci/lint"]
+  }
+
+  required_pull_request_reviews {
+    dismiss_stale_reviews           = true
+    require_code_owner_reviews      = false
+    required_approving_review_count = 1 # Ensure at least 1 reviewer
+  }
+
+  restrictions {
+    users = []
+    teams = []
+    apps  = []
+  }
+}

components/outputs.tf

@@ -0,0 +1,8 @@
+output "common_tags" {
+  value = {
+    Environment = var.env
+    Product     = var.product
+    BuiltFrom   = var.builtFrom
+  }
+}
+