Merge branch 'main' into k6-github-actions

.github/workflows/build-and-push-image.yml

@@ -91,7 +91,7 @@ jobs:
           git push origin ${{ needs.set-env.outputs.release }}
 
       - name: Create release
-        uses: "actions/github-script@v6"
+        uses: "actions/github-script@v7"
         with:
           github-token: "${{ secrets.GITHUB_TOKEN }}"
           script: |
@@ -149,7 +149,7 @@ jobs:
           ref: ${{ github.ref }}
 
       - name: Setup node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ env.NODE_VERSION }}
 

.github/workflows/continuous-integration-dotnet.yml

@@ -40,18 +40,18 @@ jobs:
         docker compose -f "docker-compose.yml" up -d --build db
 
     - name: Setup .NET
-      uses: actions/setup-dotnet@v3
+      uses: actions/setup-dotnet@v4
       with:
         dotnet-version: ${{ env.DOTNET_VERSION }}
 
     - name: Setup JDK
-      uses: actions/setup-java@v3
+      uses: actions/setup-java@v4
       with:
         distribution: 'microsoft'
         java-version: ${{ env.JAVA_VERSION }}
 
     - name: Cache SonarCloud packages
-      uses: actions/cache@v3
+      uses: actions/cache@v4
       with:
         path: ~\sonar\cache
         key: ${{ runner.os }}-sonar

.github/workflows/continuous-integration-terraform.yml

@@ -40,19 +40,19 @@ jobs:
         run: rm ./terraform/backend.tf
 
       - name: Run a Terraform init
-        uses: docker://hashicorp/terraform:1.6.6
+        uses: docker://hashicorp/terraform:1.7.3
         with:
           entrypoint: terraform
           args: -chdir=terraform init
 
       - name: Run a Terraform validate
-        uses: docker://hashicorp/terraform:1.6.6
+        uses: docker://hashicorp/terraform:1.7.3
         with:
           entrypoint: terraform
           args: -chdir=terraform validate
 
       - name: Run a Terraform format check
-        uses: docker://hashicorp/terraform:1.6.6
+        uses: docker://hashicorp/terraform:1.7.3
         with:
           entrypoint: terraform
           args: -chdir=terraform fmt -check=true -diff=true

.github/workflows/security-tests.yml

@@ -33,7 +33,7 @@ jobs:
 
       - name: Restore ZAP container from cache if exists
         id: cache-docker-zap
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/ci/cache/docker/softwaresecurityproject
           key: cache-docker-zap-${{ env.ZAP_VERSION }}
@@ -52,7 +52,7 @@ jobs:
         run: docker run --name zap_container --rm -d -v ${{ github.workspace }}/zapoutput/:/zap/wrk:rw -u zap -p ${{ env.ZAP_PORT }}:${{ env.ZAP_PORT }} -i softwaresecurityproject/zap-stable zap.sh -daemon -port ${{ env.ZAP_PORT }} -host 0.0.0.0 -config api.key=${{ secrets.ZAP_API_KEY }} -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config network.localServers.mainProxy.alpn.enabled=false -config network.localServers.mainProxy.address=0.0.0.0
 
       - name: Set up NodeJS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 18
 

TramsDataApi.Test/FakeApi/FakeMfspApi.cs

@@ -14,26 +14,29 @@ public class FakeMfspApi
 
         public void Start()
         {
-            _server = new WebHostBuilder().UseKestrel(x => x.ListenLocalhost(5003)).Configure(app =>
+            _server = new WebHostBuilder().UseKestrel(x => x.ListenLocalhost(6784)).Configure(app =>
             {
                 app.Run(async context =>
                 {
-                    if (context.Request.Method == HttpMethods.Get && context.Request.Path == "/v2/fss/projects")
+                    if (context.Request.Method == HttpMethods.Get && context.Request.Path == "/api/v1/construct/projects")
                     {
-                        var response = new List<FssProjectResponse>()
+                        var response = new ApiResponseV2<FssProjectResponse>()
                         {
-                            new FssProjectResponse()
+                            Data = new List<FssProjectResponse>()
                             {
-                                CurrentFreeSchoolName = "This is my free school",
-                                AgeRange = "5-11",
-                                ProjectStatus = "Open",
-                            },
-                            new FssProjectResponse()
-                            {
-                                CurrentFreeSchoolName = "This is another free school",
-                                AgeRange = "11-16",
-                                ProjectStatus = "Open",
-                            },
+                                new FssProjectResponse()
+                                {
+                                    CurrentFreeSchoolName = "This is my free school",
+                                    AgeRange = "5-11",
+                                    ProjectStatus = "Open",
+                                },
+                                new FssProjectResponse()
+                                {
+                                    CurrentFreeSchoolName = "This is another free school",
+                                    AgeRange = "11-16",
+                                    ProjectStatus = "Open",
+                                },
+                            }
                         };
 
                         await context.Response.WriteAsJsonAsync(response);

TramsDataApi.Test/Integration/V3/TrustsV3IntegrationTests.cs

@@ -355,7 +355,7 @@ public async Task ShouldReturnSubsetOfTrusts_WhenSearchingTrusts_ByGroupName()
 
         [Theory]
         [InlineData("123456789")]
-        [InlineData("123")]
+        [InlineData("12345")]
         public async Task ShouldReturnSubsetOfTrusts_WhenSearchingTrusts_ByCompaniesHouseNumber(string searchString)
         {
             var companiesHouseNumber = "123456789";

TramsDataApi.Test/integration_settings.json

@@ -12,7 +12,7 @@
     "DefaultConnection": "Server=127.0.0.1,1433;Database=sip;User Id=sa;TrustServerCertificate=True;Password=StrongPassword905"
   },
   "Mfsp": {
-    "ApiEndpoint": "http://localhost:5003"
+    "ApiEndpoint": "http://localhost:6784"
   },
   "FeatureManagement": {
     "IsGetProjectsFromMfspEnabled": true

TramsDataApi/Configuration/MfspOptions.cs

@@ -3,5 +3,7 @@
     public class MfspOptions
     {
         public string ApiEndpoint { get; set; }
+
+        public string ApiKey { get; set; }
     }
 }

TramsDataApi/Startup.cs

@@ -52,6 +52,7 @@ public void ConfigureServices(IServiceCollection services)
             {
                 MfspOptions mfspOptions =  GetTypedConfigurationFor<MfspOptions>();
                 client.BaseAddress = new Uri(mfspOptions.ApiEndpoint);
+                client.DefaultRequestHeaders.Add("ApiKey", mfspOptions.ApiKey);
             });
 
             services.AddScoped<ITrustGateway, TrustGateway>();

TramsDataApi/TramsDataApi.csproj

@@ -4,6 +4,12 @@
         <UserSecretsId>1ce62ee2-ff0b-4f40-9066-cfbdae2e889f</UserSecretsId>
 		<GenerateDocumentationFile>true</GenerateDocumentationFile>
     </PropertyGroup>
+    <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|AnyCPU'">
+      <NoWarn>1701;1702;1591</NoWarn>
+    </PropertyGroup>
+    <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|AnyCPU'">
+      <NoWarn>1701;1702;1591</NoWarn>
+    </PropertyGroup>
     <ItemGroup>
       <Compile Remove="ServiceModels\**" />
       <Content Remove="ServiceModels\**" />

TramsDataApi/UseCases/GetAllFssProjects.cs

@@ -31,9 +31,9 @@ public async Task<List<FssProjectResponse>> Execute()
 
             if (useMfspApi)
             {
-                var mfspProjects = await _mfspApiClient.Get<List<FssProjectResponse>>("/v2/fss/projects");
+                var mfspProjects = await _mfspApiClient.Get<ApiResponseV2<FssProjectResponse>>("/api/v1/construct/projects");
 
-                return mfspProjects;
+                return mfspProjects.Data.ToList();
             }
 
             return _fssProjectGateway.GetAll().Select(fssProject => FssProjectResponseFactory.Create(fssProject)).ToList();

TramsDataApi/appsettings.json

@@ -39,7 +39,8 @@
     }
   },
   "Mfsp": {
-    "ApiEndpoint": "<insert mfsp endpoint>"
+    "ApiEndpoint": "<insert mfsp endpoint>",
+    "ApiKey": "<insert mfsp api key>"
   },
   "FeatureManagement": {
     "IsGetProjectsFromMfspEnabled": false

terraform/.terraform-version

@@ -1 +1 @@
-1.6.6
+1.7.3

terraform/README.md

@@ -136,8 +136,8 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_azure_container_apps_hosting"></a> [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.4.7 |
-| <a name="module_azurerm_key_vault"></a> [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.3.0 |
+| <a name="module_azure_container_apps_hosting"></a> [azure\_container\_apps\_hosting](#module\_azure\_container\_apps\_hosting) | github.com/DFE-Digital/terraform-azurerm-container-apps-hosting | v1.4.9 |
+| <a name="module_azurerm_key_vault"></a> [azurerm\_key\_vault](#module\_azurerm\_key\_vault) | github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars | v0.4.0 |
 | <a name="module_statuscake-tls-monitor"></a> [statuscake-tls-monitor](#module\_statuscake-tls-monitor) | github.com/dfe-digital/terraform-statuscake-tls-monitor | v0.1.2 |
 
 ## Resources
@@ -159,6 +159,7 @@ No resources.
 | <a name="input_container_apps_allow_ips_inbound"></a> [container\_apps\_allow\_ips\_inbound](#input\_container\_apps\_allow\_ips\_inbound) | Restricts access to the Container Apps by creating a network security group rule that only allow inbound traffic from the provided list of IPs | `list(string)` | `[]` | no |
 | <a name="input_container_command"></a> [container\_command](#input\_container\_command) | Container command | `list(any)` | n/a | yes |
 | <a name="input_container_health_probe_path"></a> [container\_health\_probe\_path](#input\_container\_health\_probe\_path) | Specifies the path that is used to determine the liveness of the Container | `string` | n/a | yes |
+| <a name="input_container_scale_http_concurrency"></a> [container\_scale\_http\_concurrency](#input\_container\_scale\_http\_concurrency) | When the number of concurrent HTTP requests exceeds this value, then another replica is added. Replicas continue to add to the pool up to the max-replicas amount. | `number` | `10` | no |
 | <a name="input_container_secret_environment_variables"></a> [container\_secret\_environment\_variables](#input\_container\_secret\_environment\_variables) | Container secret environment variables | `map(string)` | n/a | yes |
 | <a name="input_dns_ns_records"></a> [dns\_ns\_records](#input\_dns\_ns\_records) | DNS NS records to add to the DNS Zone | <pre>map(<br>    object({<br>      ttl : optional(number, 300),<br>      records : list(string)<br>    })<br>  )</pre> | n/a | yes |
 | <a name="input_dns_txt_records"></a> [dns\_txt\_records](#input\_dns\_txt\_records) | DNS TXT records to add to the DNS Zone | <pre>map(<br>    object({<br>      ttl : optional(number, 300),<br>      records : list(string)<br>    })<br>  )</pre> | n/a | yes |
@@ -176,7 +177,6 @@ No resources.
 | <a name="input_existing_network_watcher_resource_group_name"></a> [existing\_network\_watcher\_resource\_group\_name](#input\_existing\_network\_watcher\_resource\_group\_name) | Existing network watcher resource group. | `string` | n/a | yes |
 | <a name="input_image_name"></a> [image\_name](#input\_image\_name) | Image name | `string` | n/a | yes |
 | <a name="input_key_vault_access_ipv4"></a> [key\_vault\_access\_ipv4](#input\_key\_vault\_access\_ipv4) | List of IPv4 Addresses that are permitted to access the Key Vault | `list(string)` | n/a | yes |
-| <a name="input_key_vault_access_users"></a> [key\_vault\_access\_users](#input\_key\_vault\_access\_users) | List of users that require access to the Key Vault where tfvars are stored. This should be a list of User Principle Names (Found in Active Directory) that need to run terraform | `list(string)` | n/a | yes |
 | <a name="input_monitor_email_receivers"></a> [monitor\_email\_receivers](#input\_monitor\_email\_receivers) | A list of email addresses that should be notified by monitoring alerts | `list(string)` | n/a | yes |
 | <a name="input_monitor_endpoint_healthcheck"></a> [monitor\_endpoint\_healthcheck](#input\_monitor\_endpoint\_healthcheck) | Specify a route that should be monitored for a 200 OK status | `string` | n/a | yes |
 | <a name="input_project_name"></a> [project\_name](#input\_project\_name) | Project name. Will be used along with `environment` as a prefix for all resources. | `string` | n/a | yes |

terraform/container-apps-hosting.tf

@@ -1,5 +1,5 @@
 module "azure_container_apps_hosting" {
-  source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.4.7"
+  source = "github.com/DFE-Digital/terraform-azurerm-container-apps-hosting?ref=v1.4.9"
 
   environment    = local.environment
   project_name   = local.project_name
@@ -21,6 +21,7 @@ module "azure_container_apps_hosting" {
   image_name                             = local.image_name
   container_command                      = local.container_command
   container_secret_environment_variables = local.container_secret_environment_variables
+  container_scale_http_concurrency       = local.container_scale_http_concurrency
 
   enable_cdn_frontdoor                      = local.enable_cdn_frontdoor
   cdn_frontdoor_forwarding_protocol         = local.cdn_frontdoor_forwarding_protocol

terraform/key-vault-tfvars-secrets.tf

@@ -1,14 +1,15 @@
 module "azurerm_key_vault" {
-  source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.3.0"
+  source = "github.com/DFE-Digital/terraform-azurerm-key-vault-tfvars?ref=v0.4.0"
 
-  environment                           = local.environment
-  project_name                          = local.project_name
-  existing_resource_group               = module.azure_container_apps_hosting.azurerm_resource_group_default.name
-  azure_location                        = local.azure_location
-  key_vault_access_users                = local.key_vault_access_users
-  key_vault_access_ipv4                 = local.key_vault_access_ipv4
-  tfvars_filename                       = local.tfvars_filename
-  diagnostic_log_analytics_workspace_id = module.azure_container_apps_hosting.azurerm_log_analytics_workspace_container_app.id
-  diagnostic_eventhub_name              = local.enable_event_hub ? module.azure_container_apps_hosting.azurerm_eventhub_container_app.name : ""
-  tags                                  = local.tags
+  environment                             = local.environment
+  project_name                            = local.project_name
+  existing_resource_group                 = module.azure_container_apps_hosting.azurerm_resource_group_default.name
+  azure_location                          = local.azure_location
+  key_vault_access_use_rbac_authorization = true
+  key_vault_access_users                  = []
+  key_vault_access_ipv4                   = local.key_vault_access_ipv4
+  tfvars_filename                         = local.tfvars_filename
+  diagnostic_log_analytics_workspace_id   = module.azure_container_apps_hosting.azurerm_log_analytics_workspace_container_app.id
+  diagnostic_eventhub_name                = local.enable_event_hub ? module.azure_container_apps_hosting.azurerm_eventhub_container_app.name : ""
+  tags                                    = local.tags
 }

terraform/locals.tf

@@ -11,6 +11,7 @@ locals {
   image_name                                   = var.image_name
   container_command                            = var.container_command
   container_secret_environment_variables       = var.container_secret_environment_variables
+  container_scale_http_concurrency             = var.container_scale_http_concurrency
   enable_cdn_frontdoor                         = var.enable_cdn_frontdoor
   enable_event_hub                             = var.enable_event_hub
   enable_logstash_consumer                     = var.enable_logstash_consumer
@@ -19,7 +20,6 @@ locals {
   dns_zone_domain_name                         = var.dns_zone_domain_name
   dns_ns_records                               = var.dns_ns_records
   dns_txt_records                              = var.dns_txt_records
-  key_vault_access_users                       = toset(var.key_vault_access_users)
   key_vault_access_ipv4                        = var.key_vault_access_ipv4
   tfvars_filename                              = var.tfvars_filename
   enable_monitoring                            = var.enable_monitoring

terraform/statuscake-tls-monitor.tf

@@ -3,7 +3,7 @@ module "statuscake-tls-monitor" {
 
   statuscake_monitored_resource_addresses = local.statuscake_monitored_resource_addresses
   statuscake_alert_at = [ # days to alert on
-    14, 7, 3
+    40, 20, 5
   ]
   statuscake_contact_group_name            = local.statuscake_contact_group_name
   statuscake_contact_group_integrations    = local.statuscake_contact_group_integrations