Skip to content

Commit 32afeb8

Browse files
authored
Add Python DR orchestrator, chunked E2E testing, and restore hardening. (#91)
Introduce a Python disaster-recovery orchestrator with unified CI, chunked end-to-end backup/restore execution, and fixes validated on a live EKS cluster: RDS credential resolution, EFS CSI timing, SSL bootstrap/renewal on empty EFS, OpenEMR 8.x sqlconf format, and step-10 cleanup for restore-created Aurora outside Terraform state. Also wire backup_retention_days in Terraform and ignore local deployment credentials.
1 parent ef528d7 commit 32afeb8

155 files changed

Lines changed: 7643 additions & 1953 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.github/workflows/ci-cd-tests.yml

Lines changed: 224 additions & 111 deletions
Large diffs are not rendered by default.

.github/workflows/ci-contract-tests.yml

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -25,9 +25,9 @@ permissions:
2525
jobs:
2626
contract-tests:
2727
name: Contract & Version Consistency
28-
runs-on: ubuntu-24.04
28+
runs-on: ubuntu-26.04
2929
steps:
30-
- uses: actions/checkout@v6.0.2
30+
- uses: actions/checkout@v7.0.0
3131

3232
- name: Install yq
3333
run: |
@@ -45,11 +45,11 @@ jobs:
4545

4646
terraform-validate:
4747
name: Terraform Validate (offline)
48-
runs-on: ubuntu-24.04
48+
runs-on: ubuntu-26.04
4949
steps:
50-
- uses: actions/checkout@v6.0.2
50+
- uses: actions/checkout@v7.0.0
5151

52-
- uses: hashicorp/setup-terraform@v4.0.0
52+
- uses: hashicorp/setup-terraform@v4.0.1
5353

5454
- name: Terraform fmt check
5555
run: terraform fmt -check -recursive terraform/
@@ -59,9 +59,9 @@ jobs:
5959

6060
k8s-manifest-validate:
6161
name: K8s Manifest Schema Validation
62-
runs-on: ubuntu-24.04
62+
runs-on: ubuntu-26.04
6363
steps:
64-
- uses: actions/checkout@v6.0.2
64+
- uses: actions/checkout@v7.0.0
6565

6666
- name: Install kubeconform
6767
run: |
@@ -83,9 +83,9 @@ jobs:
8383
8484
tflint:
8585
name: TFLint
86-
runs-on: ubuntu-24.04
86+
runs-on: ubuntu-26.04
8787
steps:
88-
- uses: actions/checkout@v6.0.2
88+
- uses: actions/checkout@v7.0.0
8989

9090
- uses: terraform-linters/setup-tflint@v4
9191

@@ -106,12 +106,12 @@ jobs:
106106
107107
full-bats-suite:
108108
name: Full BATS Test Suite
109-
runs-on: ubuntu-24.04
109+
runs-on: ubuntu-26.04
110110
steps:
111-
- uses: actions/checkout@v6.0.2
111+
- uses: actions/checkout@v7.0.0
112112

113113
- name: Set up Go
114-
uses: actions/setup-go@v6.4.0
114+
uses: actions/setup-go@v6.5.0
115115
with:
116116
go-version: '1.25'
117117
cache-dependency-path: console/go.sum

.github/workflows/console-ci.yml

Lines changed: 13 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -58,13 +58,13 @@ jobs:
5858
# Lint and format check job
5959
lint:
6060
name: Lint and Format Check
61-
runs-on: ubuntu-24.04
61+
runs-on: ubuntu-26.04
6262
steps:
6363
- name: Checkout code
64-
uses: actions/checkout@v6.0.2
64+
uses: actions/checkout@v7.0.0
6565

6666
- name: Set up Go
67-
uses: actions/setup-go@v6.4.0
67+
uses: actions/setup-go@v6.5.0
6868
with:
6969
go-version: ${{ env.GO_VERSION }}
7070
cache-dependency-path: console/go.sum
@@ -97,13 +97,13 @@ jobs:
9797
# Unit test job
9898
test:
9999
name: Unit Tests
100-
runs-on: ubuntu-24.04
100+
runs-on: ubuntu-26.04
101101
steps:
102102
- name: Checkout code
103-
uses: actions/checkout@v6.0.2
103+
uses: actions/checkout@v7.0.0
104104

105105
- name: Set up Go
106-
uses: actions/setup-go@v6.4.0
106+
uses: actions/setup-go@v6.5.0
107107
with:
108108
go-version: ${{ env.GO_VERSION }}
109109
cache-dependency-path: console/go.sum
@@ -135,9 +135,9 @@ jobs:
135135
strategy:
136136
fail-fast: false
137137
matrix:
138-
os: [ubuntu-24.04, macos-14, macos-15]
138+
os: [ubuntu-26.04, macos-14, macos-15]
139139
include:
140-
- os: ubuntu-24.04
140+
- os: ubuntu-26.04
141141
goos: linux
142142
goarch: amd64
143143
artifact_name: linux-amd64
@@ -152,10 +152,10 @@ jobs:
152152

153153
steps:
154154
- name: Checkout code
155-
uses: actions/checkout@v6.0.2
155+
uses: actions/checkout@v7.0.0
156156

157157
- name: Set up Go
158-
uses: actions/setup-go@v6.4.0
158+
uses: actions/setup-go@v6.5.0
159159
with:
160160
go-version: ${{ env.GO_VERSION }}
161161
cache-dependency-path: console/go.sum
@@ -211,13 +211,13 @@ jobs:
211211
# Security scanning job - ZERO-TOLERANCE policy
212212
security:
213213
name: Security Scan (Zero-Tolerance)
214-
runs-on: ubuntu-24.04
214+
runs-on: ubuntu-26.04
215215
steps:
216216
- name: Checkout code
217-
uses: actions/checkout@v6.0.2
217+
uses: actions/checkout@v7.0.0
218218

219219
- name: Set up Go
220-
uses: actions/setup-go@v6.4.0
220+
uses: actions/setup-go@v6.5.0
221221
with:
222222
go-version: ${{ env.GO_VERSION }}
223223
cache-dependency-path: console/go.sum

.github/workflows/manual-releases.yml

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@ jobs:
6262
# Job 1: Determine release type and validate inputs
6363
# This job processes the workflow inputs and determines the appropriate version bump
6464
determine-release-type:
65-
runs-on: ubuntu-24.04
65+
runs-on: ubuntu-26.04
6666
outputs:
6767
release-type: ${{ steps.determine-type.outputs.release-type }} # Type of release (major/minor/patch)
6868
bump-version: ${{ steps.determine-type.outputs.bump-version }} # Version bump type for semver
@@ -88,13 +88,13 @@ jobs:
8888
# since the last tagged release
8989
check-changes:
9090
needs: determine-release-type # Wait for release type determination
91-
runs-on: ubuntu-24.04
91+
runs-on: ubuntu-26.04
9292
outputs:
9393
has-changes: ${{ steps.check-changes.outputs.has-changes }} # Boolean indicating if changes exist
9494
last-tag: ${{ steps.check-changes.outputs.last-tag }} # Last release tag for reference
9595
steps:
9696
# Step 1: Checkout repository with full history for change detection
97-
- uses: actions/checkout@v6.0.2
97+
- uses: actions/checkout@v7.0.0
9898
with:
9999
fetch-depth: 0 # Fetch complete git history for change detection
100100
token: ${{ secrets.GITHUB_TOKEN }}
@@ -129,20 +129,20 @@ jobs:
129129
create-release:
130130
needs: [determine-release-type, check-changes] # Wait for previous jobs
131131
if: needs.check-changes.outputs.has-changes == 'true' # Only run if changes exist
132-
runs-on: ubuntu-24.04
132+
runs-on: ubuntu-26.04
133133
outputs:
134134
new-version: ${{ steps.new-version.outputs.new-version }} # Calculated new version
135135
release-url: ${{ steps.create-release.outputs.html_url }} # GitHub release URL
136136
steps:
137137
# Step 1: Checkout repository with full history for release creation
138-
- uses: actions/checkout@v6.0.2
138+
- uses: actions/checkout@v7.0.0
139139
with:
140140
fetch-depth: 0 # Fetch complete git history for release notes
141141
token: ${{ secrets.GITHUB_TOKEN }}
142142

143143
# Step 2: Set up Python environment for semantic versioning
144144
- name: Setup Python
145-
uses: actions/setup-python@v6.2.0
145+
uses: actions/setup-python@v6.3.0
146146
with:
147147
python-version: ${{ env.PYTHON_VERSION }}
148148

@@ -325,7 +325,7 @@ jobs:
325325
# and generates detailed summaries for both successful and failed releases
326326
notify-completion:
327327
needs: [determine-release-type, check-changes, create-release] # Wait for all previous jobs
328-
runs-on: ubuntu-24.04
328+
runs-on: ubuntu-26.04
329329
if: always() # Run regardless of previous job outcomes
330330
steps:
331331
# Step 1: Generate comprehensive workflow summary

.github/workflows/monthly-version-check.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -61,8 +61,8 @@ on:
6161
env:
6262
VERSION_CHECK_ENABLED: "true" # Enable version checking functionality
6363
LOG_LEVEL: INFO # Logging level for detailed output
64-
TF_VERSION: "1.15.0" # Terraform version for infrastructure checks
65-
KUBECTL_VERSION: "v1.36.0" # kubectl version for Kubernetes checks
64+
TF_VERSION: "1.15.7" # Terraform version for infrastructure checks
65+
KUBECTL_VERSION: "v1.36.2" # kubectl version for Kubernetes checks
6666

6767
# Authentication Note:
6868
# This repository now prefers GitHub OIDC → AWS IAM role.
@@ -87,13 +87,13 @@ jobs:
8787
steps:
8888
# Step 1: Checkout repository with full history for version analysis
8989
- name: Checkout Repository
90-
uses: actions/checkout@v6.0.2
90+
uses: actions/checkout@v7.0.0
9191
with:
9292
fetch-depth: 0 # Fetch complete git history for comprehensive analysis
9393

9494
# Step 2: Set up Terraform for infrastructure version checking
9595
- name: Setup Terraform
96-
uses: hashicorp/setup-terraform@v4.0.0
96+
uses: hashicorp/setup-terraform@v4.0.1
9797
with:
9898
terraform_version: ${{ env.TF_VERSION }}
9999

@@ -519,7 +519,7 @@ jobs:
519519
# This job runs after the version-check job and provides feedback about the process
520520
notification:
521521
name: Send Notifications
522-
runs-on: ubuntu-24.04
522+
runs-on: ubuntu-26.04
523523
needs: version-check # Wait for version-check job to complete
524524
if: always() # Run regardless of version-check outcome
525525

.github/workflows/security-comprehensive.yml

Lines changed: 24 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -52,10 +52,10 @@ permissions:
5252

5353
env:
5454
# Tool versions for reproducibility (synced with versions.yaml)
55-
TRIVY_VERSION: '0.70.0'
56-
CHECKOV_VERSION: '3.2.526'
55+
TRIVY_VERSION: '0.72.0'
56+
CHECKOV_VERSION: '3.3.6'
5757
KICS_VERSION: 'v2.1.20'
58-
GOSEC_VERSION: 'v2.26.1'
58+
GOSEC_VERSION: 'v2.27.1'
5959
PYTHON_VERSION: '3.14'
6060
GO_VERSION: '1.25'
6161

@@ -65,12 +65,12 @@ jobs:
6565
# =====================================================================
6666
trivy-scan:
6767
name: Trivy Security Scan (Zero-Tolerance)
68-
runs-on: ubuntu-24.04
68+
runs-on: ubuntu-26.04
6969
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'trivy' || github.event_name != 'workflow_dispatch' }}
7070

7171
steps:
7272
- name: Checkout code
73-
uses: actions/checkout@v6.0.2
73+
uses: actions/checkout@v7.0.0
7474

7575
- name: Run Trivy filesystem scan (STRICT)
7676
uses: aquasecurity/trivy-action@master
@@ -139,15 +139,15 @@ jobs:
139139
# =====================================================================
140140
checkov-scan:
141141
name: Checkov IaC Scan (Zero-Tolerance)
142-
runs-on: ubuntu-24.04
142+
runs-on: ubuntu-26.04
143143
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'checkov' || github.event_name != 'workflow_dispatch' }}
144144

145145
steps:
146146
- name: Checkout code
147-
uses: actions/checkout@v6.0.2
147+
uses: actions/checkout@v7.0.0
148148

149149
- name: Set up Python
150-
uses: actions/setup-python@v6.2.0
150+
uses: actions/setup-python@v6.3.0
151151
with:
152152
python-version: ${{ env.PYTHON_VERSION }}
153153

@@ -246,12 +246,12 @@ jobs:
246246
# =====================================================================
247247
kics-scan:
248248
name: KICS IaC Scan (Zero-Tolerance)
249-
runs-on: ubuntu-24.04
249+
runs-on: ubuntu-26.04
250250
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'kics' || github.event_name != 'workflow_dispatch' }}
251251

252252
steps:
253253
- name: Checkout code
254-
uses: actions/checkout@v6.0.2
254+
uses: actions/checkout@v7.0.0
255255

256256
- name: Run KICS scan
257257
uses: Checkmarx/kics-github-action@v2.1.20
@@ -295,34 +295,35 @@ jobs:
295295
# =====================================================================
296296
bandit-scan:
297297
name: Bandit Python Scan (Zero-Tolerance)
298-
runs-on: ubuntu-24.04
298+
runs-on: ubuntu-26.04
299299
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'bandit' || github.event_name != 'workflow_dispatch' }}
300300

301301
steps:
302302
- name: Checkout code
303-
uses: actions/checkout@v6.0.2
303+
uses: actions/checkout@v7.0.0
304304

305305
- name: Set up Python
306-
uses: actions/setup-python@v6.2.0
306+
uses: actions/setup-python@v6.3.0
307307
with:
308308
python-version: ${{ env.PYTHON_VERSION }}
309309

310310
- name: Install Bandit
311311
run: pip install bandit[toml] sarif-om jschema-to-python
312312

313-
- name: Run Bandit on warp project
313+
- name: Run Bandit on Python projects (warp + openemr_dr)
314314
run: |
315315
echo "🔍 Running Bandit Python Security Scanner..."
316-
bandit -r warp/ \
316+
bandit -r warp/ scripts/openemr_dr/ \
317+
-c scripts/openemr_dr/pyproject.toml \
317318
-f sarif \
318319
-o bandit-results.sarif \
319320
--severity-level low \
320321
--confidence-level low \
321322
-x '**/tests/**,**/test_*.py,**/*_test.py' \
322323
2>&1 | tee bandit-results.txt || true
323324
324-
# Also run with text output
325-
bandit -r warp/ \
325+
bandit -r warp/ scripts/openemr_dr/ \
326+
-c scripts/openemr_dr/pyproject.toml \
326327
-f txt \
327328
--severity-level low \
328329
--confidence-level low \
@@ -364,15 +365,15 @@ jobs:
364365
# =====================================================================
365366
gosec-scan:
366367
name: gosec Go Security Scan (Zero-Tolerance)
367-
runs-on: ubuntu-24.04
368+
runs-on: ubuntu-26.04
368369
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'gosec' || github.event_name != 'workflow_dispatch' }}
369370

370371
steps:
371372
- name: Checkout code
372-
uses: actions/checkout@v6.0.2
373+
uses: actions/checkout@v7.0.0
373374

374375
- name: Set up Go
375-
uses: actions/setup-go@v6.4.0
376+
uses: actions/setup-go@v6.5.0
376377
with:
377378
go-version: ${{ env.GO_VERSION }}
378379
cache-dependency-path: console/go.sum
@@ -422,12 +423,12 @@ jobs:
422423
# =====================================================================
423424
shellcheck-scan:
424425
name: ShellCheck Shell Scan (Zero-Tolerance)
425-
runs-on: ubuntu-24.04
426+
runs-on: ubuntu-26.04
426427
if: ${{ github.event.inputs.scan_type == 'all' || github.event.inputs.scan_type == 'shellcheck' || github.event_name != 'workflow_dispatch' }}
427428

428429
steps:
429430
- name: Checkout code
430-
uses: actions/checkout@v6.0.2
431+
uses: actions/checkout@v7.0.0
431432

432433
- name: Install ShellCheck
433434
run: |
@@ -473,7 +474,7 @@ jobs:
473474
# =====================================================================
474475
security-summary:
475476
name: Security Summary & Enforcement
476-
runs-on: ubuntu-24.04
477+
runs-on: ubuntu-26.04
477478
needs: [trivy-scan, checkov-scan, kics-scan, bandit-scan, gosec-scan, shellcheck-scan]
478479
if: always()
479480

0 commit comments

Comments
 (0)