2024-i1-r3 beta rollup to main

.gitignore

@@ -22,7 +22,6 @@ config/regular_extracts.csv
 config/special_users.development.yml
 config/special_users.production.yml
 config/user_yubikeys.yml
-config/xsd.yml
 config/idp.yml
 config/keys/*
 db/development_structure.sql

build/dms-app/ansible/setup-server.yml

@@ -153,6 +153,7 @@
 
     - name: Make .ssh folder
       become_user: mbis_app
+      become: true
       file:
         path: ~/tmp/.ssh
         state: directory
@@ -162,15 +163,17 @@
 
     - name: generate SSH key for mbis_app directory
       become_user: mbis_app
+      become: true
       openssh_keypair:
         path: ~/tmp/.ssh/id_rsa
         type: rsa
         size: 4096
         state: present
         force: no
 
-    - name: create authorized_keys file to mbis_app directory
+    - name: create .ssh directory
       become_user: mbis_app
+      become: true
       file:
         path: ~/.ssh
         state: directory
@@ -180,6 +183,7 @@
 
     - name: create authorized_keys file to mbis_app directory
       become_user: mbis_app
+      become: true
       file:
         path: ~/.ssh/authorized_keys
         state: touch
@@ -189,10 +193,12 @@
 
     - name:  add mbis_app to authorized_key
       become_user: mbis_app
+      become: true
       shell: cat ~/tmp/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
 
     - name: copy .id_rsa keys to .ssh directory
       become_user: mbis_app
+      become: true
       copy:
         src:  ~/tmp/.ssh/id_rsa
         dest:  ~/.ssh/id_rsa
@@ -203,6 +209,7 @@
 
     - name: Delete content & directory
       become_user: mbis_app
+      become: true
       file:
         state: absent
         path: /home/mbis_app/data_management_system
@@ -259,13 +266,6 @@
             chdir: /home/mbis_app/data_management_system/
           shell: source /home/mbis_app/.bash_profile && /home/mbis_app/.rbenv/shims/bundle check
 
-        - name: Copy config.deploy.rb.j2 to config/deploy.rb
-          template:
-            src: config.deploy.rb.j2
-            dest: /home/mbis_app/data_management_system/config/deploy.rb
-            owner: mbis_app
-            group: mbis_app
-
         - name: Get Current branch
           shell: |
             git config --global init.defaultBranch main
@@ -308,13 +308,13 @@
           args:
             chdir: /home/mbis_app/data_management_system
           shell: |
-            source /home/mbis_app/.bash_profile && /home/mbis_app/.rbenv/shims/bundle exec cap localhost_live deploy:setup
+            source /home/mbis_app/.bash_profile && CAP_DEPLOY_REPOSITORY='file:///home/mbis_app/data_management_system/.git' /home/mbis_app/.rbenv/shims/bundle exec cap localhost_live deploy:setup
 
         - name: Bundle exec cap deploy:cold
           args:
             chdir: /home/mbis_app/data_management_system
           shell: |
-            source /home/mbis_app/.bash_profile && /home/mbis_app/.rbenv/shims/bundle  exec cap localhost_live deploy:cold
+            source /home/mbis_app/.bash_profile && CAP_DEPLOY_REPOSITORY='file:///home/mbis_app/data_management_system/.git' /home/mbis_app/.rbenv/shims/bundle exec cap localhost_live deploy:cold
           register: deploy_cold
           ignore_errors: true
 

config/deploy.rb

@@ -7,9 +7,11 @@
 require 'resolv'
 
 set :application, 'mbis_front'
-set :repository, 'https://github.com/NHSDigital/data_management_system.git'
-# For AWS deployments, instead use:
-# set :repository, 'file:///home/mbis_app/data_management_system/.git'
+# AWS circular deployments can override the repository by setting environment variable
+# NDR_DEPLOY_REPOSITORY, e.g. 'file:///home/mbis_app/data_management_system/.git'
+# This allows local deployment from a git working copy snapshot.
+set :repository, ENV.fetch('CAP_DEPLOY_REPOSITORY',
+                           'https://github.com/NHSDigital/data_management_system.git')
 set :scm, :git
 ssh_options[:compression] = 'none' # Avoid pointless zlib warning
 
@@ -126,6 +128,32 @@
 end
 
 namespace :app do
+  desc "Create start/stop scripts in the app user's $HOME directory"
+  task :create_sysadmin_scripts, except: { no_release: true } do
+    # TODO: Either make task ndr_dev_support:synchronise_sysadmin_scripts create these if
+    #       necessary, or move this method into ndr_dev_support gem
+    type    = fetch(:daemon_deployment) ? 'god' : 'server'
+    scripts = %W[start_#{type}.sh stop_#{type}_gracefully.sh]
+
+    touch_cmd, chmod_cmd =
+      if fetch(:out_of_bundle_gems_use_sudo, true)
+        ["sudo -i -n -u #{fetch(:application_user)} touch",
+         "sudo -i -n -u #{fetch(:application_user)} chmod 764"]
+      else
+        ['touch', 'chmod 764']
+      end
+    scripts.each do |script|
+      # source = File.join(release_path, 'script', "#{script}.sample")
+      dest = File.join(fetch(:application_home), script)
+
+      # Ensure the script exists, with the correct permissions (should be writeable
+      # by deployers, but only runnable by the application user, to prevent the wrong user
+      # attempting to start the processes.)
+      run "#{touch_cmd} #{dest}" # Ensure file exists
+      run "#{chmod_cmd} #{dest}" # Set file permissions
+    end
+  end
+
   desc <<-DESC
       [internal] Setup shared files for the just deployed release.
   DESC
@@ -145,6 +173,7 @@
   end
 end
 
+after 'deploy:setup',                       'app:create_sysadmin_scripts'
 before 'ndr_dev_support:filesystem_tweaks', 'app:move_shared'
 
 # ==========================================[ DEPLOY ]==========================================

script/start_server.sh.sample

@@ -64,7 +64,7 @@ if command -v aws >/dev/null ; then
   export SPECIAL_USERS_BASE64=$(aws  ssm get-parameters --names '/mbis/dev/special_users'  --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
   export EXCLUDED_MBISIDS_BASE64=$(aws  ssm get-parameters --names '/mbis/dev/excluded_mbisids'  --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
   export ADMIN_USERS_BASE64=$(aws  ssm get-parameters --names '/mbis/dev/admin_users'  --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
-  # CREDENTIALS=$(aws  ssm get-parameters --names '/mbis/dev/credentials'  --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
+  export CREDENTIALS_BASE64=$(aws  ssm get-parameters --names '/mbis/dev/credentials'  --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
   export PUBLIC_KEY_BASE64=$(aws  ssm get-parameters --names '/mbis/dev/public_key'  --with-decryption | jq -r '.Parameters[]' | jq -r '.Value')
 
   export STACK=live
@@ -186,6 +186,7 @@ fi
 function decode64 {
   if [ -n "$1" -a -n "$2" ]; then
     echo "$1" | base64 --decode > "$2"
+    echo "decode64: updated file $2"
   fi
 }