[PRM-227] Upgraded all OS images to latest Alpine

Author: AndyFlintAnswerDigital

services/ehr-out-service/Dockerfile

@@ -1,4 +1,9 @@
-FROM node:22.5-alpine AS builder
+FROM node:24-alpine3.23 AS builder
+
+RUN apk update && \
+    apk -u list && \
+    apk upgrade &&  \
+    rm -rf /var/cache/apk/*
 
 COPY package*.json /app/
 
@@ -7,7 +12,7 @@ WORKDIR /app
 RUN npm ci --omit=dev
 
 # production app image
-FROM alpine:3.15
+FROM alpine:3.23
 
 # take just node without npm (including npx) or yarn
 COPY --from=builder /usr/local/bin/node /usr/local/bin

services/ehr-out-service/package-lock.json

@@ -1,4 +1,4 @@
-FROM eclipse-temurin:21.0.1_12-jre-alpine
+FROM eclipse-temurin:21-jre-alpine-3.23
 
 RUN apk add --no-cache bash
 

services/ehr-transfer-service/Dockerfile

@@ -0,0 +1,217 @@
+#!/bin/bash
+
+AWS_DEFAULT_REGION="eu-west-2"
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+DOJO_IMAGE_VERSION="nhsdev/deductions-infra-dojo:a3ce7038c095298273348419769e327039009bf5"
+
+readonly EXIT_CODE_GENERAL_FAILURE=5
+readonly EXIT_CODE_DONT_USE_NHSDADMINROLE=6
+readonly EXIT_CODE_USERS_SHOULD_ASSUME_ROLE_FIRST=7
+readonly EXIT_CODE_UNHANDLED_IDENTITY=18
+
+function get_latest_commit_hash {
+  export COMMIT_HASH=$(git rev-parse HEAD | cut -c 1-7)
+}
+
+function create_build_trace_id {
+  if [ -z $GO_PIPELINE_NAME ]; then
+    export BUILD_TRACE_ID=local
+  else
+    git_hash=$(echo $GO_REVISION_GIT | cut -c 1-8)
+    candidate_build_trace_id="$GO_PIPELINE_NAME@$GO_PIPELINE_COUNTER@$GO_STAGE_NAME@$GO_STAGE_COUNTER@$GO_JOB_NAME@$git_hash"
+
+    export BUILD_TRACE_ID=$(echo "$candidate_build_trace_id" | awk '{ print substr( $0, length($0) - 62, length($0) ) }' | sed "s/^[-]*//")
+  fi
+}
+
+function get_aws_ssm_secret {
+  secret_id=$1
+  json=$(dojo -image "$DOJO_IMAGE_VERSION" "aws ssm get-parameter --with-decryption --region eu-west-2 --name $secret_id")
+  if [ $? != 0 ]; then
+    >&2 echo "Failed to obtain AWS secret from SSM: $secret_id"
+    exit $EXIT_CODE_GENERAL_FAILURE
+  fi
+  echo $json | jq -r ".Parameter.Value"
+}
+
+function _get_aws_ssm_secret {
+  secret_id=$1
+  json=$(aws ssm get-parameter --with-decryption --region "eu-west-2" --name $secret_id)
+  if [ $? != 0 ]; then
+    >&2 echo "Failed to obtain AWS secret from SSM: $secret_id"
+    exit $EXIT_CODE_GENERAL_FAILURE
+  fi
+  echo $json | jq -r ".Parameter.Value"
+}
+
+function docker_login {
+  >&2 echo Logging in to Amazon ECR...
+  eval $(dojo -image "$DOJO_IMAGE_VERSION" "aws ecr get-login --no-include-email --region $AWS_DEFAULT_REGION")
+}
+
+function _get_aws_account_id {
+    aws sts get-caller-identity | jq -r .Account
+}
+
+function get_aws_account_id {
+    AWS_ACCOUNT_ID=$(dojo -image "$DOJO_IMAGE_VERSION" "aws sts get-caller-identity | jq -r .Account")
+}
+
+function configure_docker_repository_uri {
+  docker_login
+  get_aws_account_id
+  export REPOSITORY_URI=$AWS_ACCOUNT_ID.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/$IMAGE_REPO_NAME
+}
+
+function configure_docker_registry_uri {
+  docker_login
+  get_aws_account_id
+  export REGISTRY_URI=$AWS_ACCOUNT_ID.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com
+}
+
+function assume_environment_role {
+  CURRENT_DIR=$(pwd)
+  cd "$SCRIPT_DIR"
+  eval $(dojo -image "$DOJO_IMAGE_VERSION" "./aws-helpers assume_environment_role $1")
+  cd "$CURRENT_DIR"
+}
+
+function _clear_aws_env_credentials {
+  unset AWS_ACCESS_KEY_ID
+  unset AWS_SECRET_ACCESS_KEY
+  unset AWS_SESSION_TOKEN
+  unset AWS_SECURITY_TOKEN
+}
+
+function _assume_environment_role {
+  # Agent always needs to assume Deployer role in one of the destination accounts
+  # Deployer needs to assume role back in CI for
+  # People need to assume RepoAdmin role in early, non-strict (dev/test) accounts
+  # People need to assume BootstrapAdmin or RepoDeveloper role in prod-like, strict (pre-prod/prod) accounts
+  # The starting role for the agent is gocd_agent-prod in the CI account
+  # The starting role for people is their personal user in the nhsd-identities account
+  environment=$1
+  is_bootstrap_admin=$2
+  current_identity_arn=$(aws sts get-caller-identity | jq -r .Arn)
+  create_build_trace_id
+
+  if [[ $current_identity_arn =~ "gocd_agent-prod" || $current_identity_arn =~ "Deployer" ]]; then
+    assume_role_for_ci_agent "${environment}"
+  elif [[ $current_identity_arn =~ "user" || $current_identity_arn =~ "RepoAdmin" || $current_identity_arn =~ "BootstrapAdmin" || $current_identity_arn =~ "RepoDeveloper" ]]; then
+     assume_role_for_user "${environment}" "${current_identity_arn}" "${is_bootstrap_admin}"
+  elif [[ $current_identity_arn =~ "NHSDAdminRole" ]]; then
+    >&2 echo "You are using NHSDAdminRole which is now deprecated for general use. Clear assumed role with:"
+    >&2 echo "  unset AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_ACCESS_KEY_ID AWS_SECURITY_TOKEN"
+    >&2 echo "You should assume role direct from your user identity."
+    exit $EXIT_CODE_DONT_USE_NHSDADMINROLE
+  else
+    >&2 echo "_assume_environment_role does not recognise current unhandled identity $current_identity_arn."
+    exit $EXIT_CODE_UNHANDLED_IDENTITY
+  fi
+
+  if [[ ! -z $json ]]; then
+    export AWS_ACCESS_KEY_ID="$(echo "$json" | jq -r .Credentials.AccessKeyId)"
+    export AWS_SECRET_ACCESS_KEY="$(echo "$json" | jq -r .Credentials.SecretAccessKey)"
+    export AWS_SESSION_TOKEN="$(echo "$json" | jq -r .Credentials.SessionToken)"
+    export AWS_SECURITY_TOKEN=$AWS_SESSION_TOKEN
+  fi
+}
+
+function assume_role_for_ci_agent {
+  environment=$1
+  _clear_aws_env_credentials
+  
+  ROLE_NAME='Deployer'
+  ASSUME_ROLE_DURATION_CLAUSE=''
+  if [ -n "$ASSUME_ROLE_DURATION" ]; then
+    ASSUME_ROLE_DURATION_CLAUSE="--duration-seconds $ASSUME_ROLE_DURATION"
+  fi
+
+  >&2 echo "Assuming $ROLE_NAME role for CI agent in ${environment} account"
+  desired_account_id=$(_get_aws_ssm_secret "/repo/${environment}/user-input/external/aws-account-id")
+  desired_role_arn="arn:aws:iam::$desired_account_id:role/$ROLE_NAME"
+  >&2 echo "Build trace ID will be set as STS session name: $BUILD_TRACE_ID"
+
+  json="$(aws sts assume-role --role-arn "$desired_role_arn" --role-session-name "$BUILD_TRACE_ID" $ASSUME_ROLE_DURATION_CLAUSE)"
+}
+
+function prompt_user_to_assume_role {
+  environment=$1
+  role_name=$2
+  echo Please assume $role_name in $environment directly from your shell
+}
+
+function assume_role_for_user {
+  environment=$1
+  current_identity_arn=$2
+  is_bootstrap_admin=$3
+  if [[ ! $current_identity_arn =~ "user" ]]; then
+    return
+  fi
+
+  if [[ $environment =~ "prod" ]]; then
+    if [[ $is_bootstrap_admin = "true" ]]; then
+      ROLE_NAME="BootstrapAdmin"
+    else
+      ROLE_NAME="RepoDeveloper"
+    fi
+  else
+    ROLE_NAME="RepoAdmin"
+  fi
+
+  prompt_user_to_assume_role $environment $ROLE_NAME
+  exit $EXIT_CODE_USERS_SHOULD_ASSUME_ROLE_FIRST
+}
+
+function promote_docker_image {
+  # e.g. deductions/ehr-repo:1ab321
+  SRC_IMAGE_NAME_AND_TAG=$1
+  ENVIRONMENT=$2
+  if [ -z "$SRC_IMAGE_NAME_AND_TAG" ]; then
+    >&2 echo "Image name and tag must be specified. e.g. deductions/ehr-repo:1ab321"
+    exit $EXIT_CODE_GENERAL_FAILURE;
+  fi
+  if [ -z "$ENVIRONMENT" ]; then
+    >&2 echo "Environment must be specified. e.g. dev"
+    exit $EXIT_CODE_GENERAL_FAILURE;
+  fi
+  declare -A from_environment_promotion_map=(["dev"]="ci" ["test"]="dev" ["pre-prod"]="test" ["prod"]="pre-prod" ["perf"]="test")
+  declare -A to_environment_promotion_map=(["dev"]="dev" ["test"]="test" ["pre-prod"]="pre-prod" ["prod"]="prod" ["perf"]="perf")
+
+  environment_from=${from_environment_promotion_map[$ENVIRONMENT]}
+  environment_to=${to_environment_promotion_map[$ENVIRONMENT]}
+
+  echo >&2 "Promoting docker image from $environment_from to $environment_to..."
+
+  assume_environment_role "$environment_from"
+  configure_docker_registry_uri
+  IMAGE_FULL_URL="$REGISTRY_URI/$SRC_IMAGE_NAME_AND_TAG"
+  echo "Pulling the image from $IMAGE_FULL_URL"
+  docker pull "$IMAGE_FULL_URL"
+  docker tag "$IMAGE_FULL_URL" "$SRC_IMAGE_NAME_AND_TAG"
+
+  assume_environment_role "$environment_to"
+  configure_docker_registry_uri
+  IMAGE_FULL_URL="$REGISTRY_URI/$SRC_IMAGE_NAME_AND_TAG"
+  docker tag "$SRC_IMAGE_NAME_AND_TAG" "$IMAGE_FULL_URL"
+  echo "Pushing the image to $IMAGE_FULL_URL"
+  docker push "$IMAGE_FULL_URL"
+}
+
+###########
+## TASKS ##
+###########
+
+command="$1"
+case "${command}" in
+  assume_environment_role)
+    _assume_environment_role $2
+    echo "export AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID"
+    echo "export AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY"
+    echo "export AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN"
+    echo "export AWS_SECURITY_TOKEN=$AWS_SESSION_TOKEN"
+  ;;
+  test_ass_duration)
+    assume_role_for_ci_agent dev
+  ;;
+esac

services/ehr-transfer-service/utils/0.2.27/aws-helpers

@@ -1,4 +1,9 @@
-FROM node:22.5-alpine AS builder
+FROM node:24-alpine3.23 AS builder
+
+RUN apk update && \
+    apk -u list && \
+    apk upgrade &&  \
+    rm -rf /var/cache/apk/* \
 
 COPY package*.json /app/
 
@@ -8,7 +13,7 @@ RUN npm install
 RUN npm ci --only=production
 
 # production app image
-FROM alpine:3.15
+FROM alpine:3.23
 
 # take just node without npm (including npx) or yarn
 COPY --from=builder /usr/local/bin/node /usr/local/bin