declapract-typescript-ehmpathy 0.21.2 → 0.22.0

package/dist/practices/cicd-deploy-package/best-practice/.github/workflows/{publish-on-tag.yml → .publish-npm.yml}

@@ -1,18 +1,18 @@
-name: publish-on-tag
+name: .publish-npm
 
 on:
-  push:
-    tags:
-      - v*
+  workflow_call:
+    secrets:
+      npm-auth-token:
+        required: true
+        description: required credentials to authenticate with the aws account under which to publish
 
 jobs:
-  test_and_deploy:
+  publish:
     runs-on: ubuntu-20.04
     steps:
       - name: checkout
         uses: actions/checkout@v2
-        with:
-          fetch-depth: 0 # we need all commits to test:commits
 
       - name: read nvmrc
         id: nvmrc
@@ -28,11 +28,6 @@ jobs:
       - name: install
         run: npm ci
 
-      - name: tests
-        run: npm run test
-        env:
-          FORCE_COLOR: true # ensure colors are saved in jest snapshots, to be consistent with local development
-
       - name: publish
         run: npm publish
         env:

package/dist/practices/cicd-deploy-package/best-practice/.github/workflows/publish.yml

@@ -0,0 +1,21 @@
+name: publish
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  test:
+    uses: ./.github/workflows/.test.yml
+    with:
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.dev}'
+    secrets:
+      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+
+  publish:
+    uses: ./.github/workflows/.publish-npm.yml
+    secrets:
+      npm-auth-token: ${{ secrets.NPM_TOKEN }}

package/dist/practices/cicd-deploy-service/best-practice/.github/workflows/.deploy-sls.yml

@@ -0,0 +1,67 @@
+name: .deploy-sls
+
+on:
+  workflow_call:
+    inputs:
+      stage:
+        type: string
+        description: 'the stage to deploy to'
+        required: true
+      github-environment:
+        type: string
+        description: 'the github environment that the apply step will be executed in'
+        required: true
+      aws-region:
+        type: string
+        description: the aws region within which we should access
+        required: true
+      aws-account-id:
+        type: string
+        description: the id of the account the credentials are expected to access
+        required: true
+    secrets:
+      aws-access-key-id:
+        required: true
+        description: required credentials to authenticate with aws provider and state persistance
+      aws-secret-access-key:
+        required: true
+        description: required credentials to authenticate with aws provider and state persistance
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: read nvmrc
+        id: nvmrc
+        run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
+
+      - name: set node version
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        id: credentials
+        with:
+          aws-access-key-id: ${{ secrets.aws-access-key-id }}
+          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
+          aws-region: ${{ inputs.aws-region }}
+
+      - name: confirm aws credentials
+        run: |
+          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
+            && echo 'wrong aws account' && exit 1 \
+            || echo 'correct aws account';
+
+      - name: install
+        run: npm ci --ignore-scripts
+
+      - name: deploy
+        run: STAGE=${{ inputs.stage }} DEPLOYER_NAME=$GITHUB_ACTOR npm run deploy
+
+      - name: test:acceptance
+        run: STAGE=${{ inputs.stage }} npm run test:acceptance

package/dist/practices/cicd-deploy-service/best-practice/.github/workflows/.sql-schema-control.yml

@@ -0,0 +1,168 @@
+name: .sql-schema-control
+
+on:
+  workflow_call:
+    inputs:
+      stage:
+        type: string
+        description: 'the stage to execute against'
+        required: true
+      github-environment:
+        type: string
+        description: 'the github environment that the apply step will be executed in'
+      allow-apply:
+        type: boolean
+        description: 'whether the apply step is enabled. defaults to true on main'
+        default: ${{ github.ref == 'refs/heads/main' }}
+      aws-region:
+        type: string
+        description: the aws region within which we should access
+      aws-account-id:
+        type: string
+        description: the id of the account the credentials are expected to access
+    secrets:
+      aws-access-key-id:
+        required: true
+        description: required credentials to authenticate with aws provider for db credentials
+      aws-secret-access-key:
+        required: true
+        description: required credentials to authenticate with aws provider for db credentials
+      open-vpn-config:
+        required: true
+        description: complete openvpn config required to enter the vpn
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    outputs:
+      has-changes-planned: ${{ steps.evaluate-plan.output.has-changes-planned }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: read nvmrc
+        id: nvmrc
+        run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
+
+      - name: set node version
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
+
+      - name: install
+        run: npm ci --ignore-scripts
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        id: credentials
+        with:
+          aws-access-key-id: ${{ secrets.aws-access-key-id }}
+          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
+          aws-region: ${{ inputs.aws-region }}
+
+      - name: confirm aws credentials
+        run: |
+          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
+            && echo 'wrong aws account' && exit 1 \
+            || echo 'correct aws account';
+
+      - name: vpn:prepare
+        run: |
+          sudo apt update \
+          && sudo apt-get install openvpn openvpn-systemd-resolved \
+          && mkdir ~/.vpn \
+          && echo "${{ secrets.open-vpn-config }}" | base64 -d > ~/.vpn/vpn.connection.ovpn
+
+      - name: vpn:connect
+        run: |
+          # create the log file, so that we have permissions to read it
+          touch openvpn.log
+
+          # start openvpn in the background
+          sudo openvpn --config ~/.vpn/vpn.connection.ovpn --daemon --log openvpn.log
+
+          # wait until we've confirmed that it successfully connected; https://superuser.com/a/900134/425694
+          ( tail -f -n0 openvpn.log & ) | grep -q "Initialization Sequence Completed"
+
+      - name: plan
+        run: STAGE=${{ inputs.stage }} npm run provision:schema:plan | tee ./plan.log
+
+      - name: evaluate plan
+        id: evaluate-plan
+        run: |
+          # check that there was not a connection error
+          if grep "connect ETIMEDOUT" ./plan.log
+          then
+            echo "🛑 connection timed out, could not execute plan. is vpn working?"
+            exit 1
+          fi
+
+          # check whether it said there were required changes
+          if grep "Everything is up to date" ./plan.log
+          then
+            echo "has-changes-planned=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "has-changes-planned=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: vpn:disconnect
+        run: sudo killall openvpn
+
+  apply:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.github-environment }}
+    needs: plan
+    if: ${{ inputs.allow-apply == true && needs.plan.outputs.has-changes-planned == 'true' }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: read nvmrc
+        id: nvmrc
+        run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
+
+      - name: set node version
+        uses: actions/setup-node@v2
+        with:
+          node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
+
+      - name: install
+        run: npm ci --ignore-scripts
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        id: credentials
+        with:
+          aws-access-key-id: ${{ secrets.aws-access-key-id }}
+          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
+          aws-region: ${{ inputs.aws-region }}
+
+      - name: confirm aws credentials
+        run: |
+          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
+            && echo 'wrong aws account' && exit 1 \
+            || echo 'correct aws account';
+
+      - name: vpn:prepare
+        run: |
+          sudo apt update \
+          && sudo apt-get install openvpn openvpn-systemd-resolved \
+          && mkdir ~/.vpn \
+          && echo "${{ secrets.open-vpn-config }}" | base64 -d > ~/.vpn/vpn.connection.ovpn
+
+      - name: vpn:connect
+        run: |
+          # create the log file, so that we have permissions to read it
+          touch openvpn.log
+
+          # start openvpn in the background
+          sudo openvpn --config ~/.vpn/vpn.connection.ovpn --daemon --log openvpn.log
+
+          # wait until we've confirmed that it successfully connected; https://superuser.com/a/900134/425694
+          ( tail -f -n0 openvpn.log & ) | grep -q "Initialization Sequence Completed"
+
+      - name: apply
+        run: STAGE=${{ inputs.stage }} npm run provision:schema:apply
+
+      - name: vpn:disconnect
+        run: sudo killall openvpn

package/dist/practices/cicd-deploy-service/best-practice/.github/workflows/.terraform.yml

@@ -0,0 +1,119 @@
+name: .terraform
+
+on:
+  workflow_call:
+    inputs:
+      working-directory:
+        type: string
+        description: 'the directory from within which to execute terraform commands'
+      github-environment:
+        type: string
+        description: 'the github environment that the apply step will be executed in'
+      allow-apply:
+        type: boolean
+        description: 'whether the apply step is enabled. defaults to true on main'
+        default: ${{ github.ref == 'refs/heads/main' }}
+      aws-region:
+        type: string
+        description: the aws region within which we should access
+      aws-account-id:
+        type: string
+        description: the id of the account the credentials are expected to access
+    secrets:
+      aws-access-key-id:
+        required: true
+        description: required credentials to authenticate with aws provider and state persistance
+      aws-secret-access-key:
+        required: true
+        description: required credentials to authenticate with aws provider and state persistance
+      github-token:
+        required: false
+        description: optional credentials to support authenticating with github provider
+
+jobs:
+  plan:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    outputs:
+      has-changes-planned: ${{ steps.evaluate-plan.output.has-changes-planned }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        id: credentials
+        with:
+          aws-access-key-id: ${{ secrets.aws-access-key-id }}
+          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
+          aws-region: ${{ inputs.aws-region }}
+
+      - name: confirm aws credentials
+        run: |
+          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
+            && echo 'wrong aws account' && exit 1 \
+            || echo 'correct aws account';
+
+      - name: setup terraform
+        uses: hashicorp/setup-terraform@v2
+
+      - name: terraform init
+        run: terraform init
+
+      - name: terraform validate
+        run: terraform validate
+
+      - name: terraform plan
+        id: plan
+        run: terraform plan | tee ./plan.log
+        env:
+          GITHUB_TOKEN: ${{ secrets.github-token }} # allow specifying a github token to pass to the terraform command
+
+      - name: evaluate plan
+        id: evaluate-plan
+        run: |
+          if grep "infrastructure matches the configuration" ./plan.log
+          then
+            echo "has-changes-planned=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "has-changes-planned=true" >> "$GITHUB_OUTPUT"
+          fi
+
+  apply:
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.github-environment }}
+    needs: plan
+    if: ${{ inputs.allow-apply == true && needs.plan.outputs.has-changes-planned == 'true' }}
+    defaults:
+      run:
+        working-directory: ${{ inputs.working-directory }}
+    steps:
+      - name: checkout
+        uses: actions/checkout@v3
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        id: credentials
+        with:
+          aws-access-key-id: ${{ secrets.aws-access-key-id }}
+          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
+          aws-region: ${{ inputs.aws-region }}
+
+      - name: confirm aws credentials
+        run: |
+          [[ ${{ steps.credentials.outputs.aws-account-id }} != ${{ inputs.aws-account-id }} ]] \
+            && echo 'wrong aws account' && exit 1 \
+            || echo 'correct aws account';
+
+      - name: setup terraform
+        uses: hashicorp/setup-terraform@v2
+
+      - name: terraform init
+        run: terraform init
+
+      - name: terraform apply
+        run: terraform apply
+        env:
+          GITHUB_TOKEN: ${{ secrets.github-token }} # allow specifying a github token to pass to the terraform command

package/dist/practices/cicd-deploy-service/best-practice/.github/workflows/deploy.yml

@@ -0,0 +1,45 @@
+name: deploy
+
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - 'main'
+      - 'master'
+
+jobs:
+  test:
+    uses: ./.github/workflows/.test.yml
+    with:
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.dev}'
+    secrets:
+      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+
+  dev:
+    uses: ./.github/workflows/.deploy-sls.yml
+    if: github.ref == 'refs/heads/main'
+    needs: [test]
+    with:
+      stage: dev
+      github-environment: dev
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.dev}'
+    secrets:
+      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+
+  prod:
+    uses: ./.github/workflows/.deploy-sls.yml
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: [test]
+    with:
+      stage: prod
+      github-environment: prod
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.prod}'
+    secrets:
+      aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}

package/dist/practices/cicd-deploy-service/best-practice/.github/workflows/provision.yml

@@ -0,0 +1,72 @@
+name: provision
+
+on:
+  push:
+    tags:
+      - v*
+    branches:
+      - 'main'
+      - 'master'
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  aws-dev:
+    uses: ./.github/workflows/.terraform.yml
+    with:
+      working-directory: provision/aws/environments/dev
+      github-environment: dev
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.dev}'
+    secrets:
+      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+
+  aws-prod:
+    uses: ./.github/workflows/.terraform.yml
+    with:
+      working-directory: provision/aws/environments/prod
+      github-environment: prod
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.prod}'
+      allow-apply: ${{ startsWith(github.ref, 'refs/tags/') }} # only apply to prod on tags
+    secrets:
+      aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+
+  github:
+    uses: ./.github/workflows/.terraform.yml
+    with:
+      working-directory: provision/github/environment
+      github-environment: prod
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.prod}'
+    secrets:
+      aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+      github-token: ${{ secrets.PROVISION_GITHUB_GITHUB_TOKEN }}
+
+  sql-schema-dev:
+    uses: ./.github/workflows/.sql-schema-control.yml
+    with:
+      stage: dev
+      github-environment: dev
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.dev}'
+    secrets:
+      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+      open-vpn-config: ${{ secrets.DEV_OPEN_VPN_CONFIG }}
+
+  sql-schema-prod:
+    uses: ./.github/workflows/.sql-schema-control.yml
+    with:
+      stage: prod
+      github-environment: prod
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.prod}'
+      allow-apply: ${{ startsWith(github.ref, 'refs/tags/') }} # only apply to prod on tags
+    secrets:
+      aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+      open-vpn-config: ${{ secrets.PROD_OPEN_VPN_CONFIG }}

package/dist/practices/cicd-integrate/best-practice/.github/workflows/{test-on-commit.yml → .test.yml}

@@ -1,19 +1,27 @@
-name: test-on-commit
+name: .test
 
 on:
-  push:
-    branches: # run for any branch
-      - '**'
-    tags-ignore: # but not for releases, as publish-on-tag will trigger for it
-      - '**'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
+  workflow_call:
+    inputs:
+      aws-region:
+        type: string
+        description: the aws region within which we should run the tests
+        required: true
+      aws-account-id:
+        type: string
+        description: the id of the account the credentials are expected to access
+        required: true
+    secrets:
+      aws-access-key-id:
+        required: true
+        description: required credentials to authenticate with aws the aws account against which to run the tests
+      aws-secret-access-key:
+        required: true
+        description: required credentials to authenticate with aws the aws account against which to run the tests
 
 jobs:
   install:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: checkout
         uses: actions/checkout@v2
@@ -22,14 +30,13 @@ jobs:
         id: nvmrc
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
-      - name: setup node
+      - name: set node version
         uses: actions/setup-node@v2
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
 
       - name: install
-        run: npm ci
+        run: npm ci --ignore-scripts
 
       - name: cache node modules
         uses: actions/cache@v2
@@ -39,7 +46,7 @@ jobs:
 
   # run tests in parallel
   test-commits:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: [install]
     steps:
       - name: checkout
@@ -51,11 +58,10 @@ jobs:
         id: nvmrc
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
-      - name: setup node
+      - name: set node version
         uses: actions/setup-node@v2
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
 
       - name: grab node_modules from cache
         uses: actions/cache@v2
@@ -67,7 +73,7 @@ jobs:
         run: npm run test:commits
 
   test-types:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: [install]
     steps:
       - name: checkout
@@ -77,11 +83,10 @@ jobs:
         id: nvmrc
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
-      - name: setup node
+      - name: set node version
         uses: actions/setup-node@v2
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
 
       - name: grab node_modules from cache
         uses: actions/cache@v2
@@ -93,7 +98,7 @@ jobs:
         run: npm run test:types
 
   test-format:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: [install]
     steps:
       - name: checkout
@@ -103,11 +108,10 @@ jobs:
         id: nvmrc
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
-      - name: setup node
+      - name: set node version
         uses: actions/setup-node@v2
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
 
       - name: grab node_modules from cache
         uses: actions/cache@v2
@@ -119,7 +123,7 @@ jobs:
         run: npm run test:format
 
   test-lint:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: [install]
     steps:
       - name: checkout
@@ -129,11 +133,10 @@ jobs:
         id: nvmrc
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
-      - name: setup node
+      - name: set node version
         uses: actions/setup-node@v2
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
 
       - name: grab node_modules from cache
         uses: actions/cache@v2
@@ -145,7 +148,7 @@ jobs:
         run: npm run test:lint
 
   test-unit:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: [install]
     steps:
       - name: checkout
@@ -155,11 +158,10 @@ jobs:
         id: nvmrc
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
-      - name: setup node
+      - name: set node version
         uses: actions/setup-node@v2
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
 
       - name: grab node_modules from cache
         uses: actions/cache@v2
@@ -169,11 +171,9 @@ jobs:
 
       - name: test:unit
         run: npm run test:unit
-        env:
-          FORCE_COLOR: true # ensure colors are saved in jest snapshots, to be consistent with local development
 
   test-integration:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: [install]
     steps:
       - name: checkout
@@ -183,11 +183,10 @@ jobs:
         id: nvmrc
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
-      - name: setup node
+      - name: set node version
         uses: actions/setup-node@v2
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
 
       - name: grab node_modules from cache
         uses: actions/cache@v2
@@ -199,20 +198,24 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v1
         id: credentials
         with:
-          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
+          aws-access-key-id: ${{ secrets.aws-access-key-id }}
+          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
           aws-region: us-east-1
 
+      - name: confirm aws credentials
+        run: |
+          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
+            && echo 'wrong aws account' && exit 1 \
+            || echo 'correct aws account';
+
       - name: provision:integration-test-db
         run: npm run provision:integration-test-db
 
       - name: test:integration
         run: npm run test:integration
-        env:
-          FORCE_COLOR: true # ensure colors are saved in jest snapshots, to be consistent with local development
 
   test-acceptance-locally:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     needs: [install]
     steps:
       - name: checkout
@@ -222,11 +225,10 @@ jobs:
         id: nvmrc
         run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
 
-      - name: setup node
+      - name: set node version
         uses: actions/setup-node@v2
         with:
           node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
 
       - name: grab node_modules from cache
         uses: actions/cache@v2
@@ -238,54 +240,18 @@ jobs:
         uses: aws-actions/configure-aws-credentials@v1
         id: credentials
         with:
-          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-
-      - name: provision:integration-test-db
-        run: npm run provision:integration-test-db
-
-      - name: test:acceptance:locally
-        run: npm run test:acceptance:locally
-        env:
-          FORCE_COLOR: true # ensure colors are saved in jest snapshots, to be consistent with local development
-
-  check-provisions-github:
-    runs-on: ubuntu-20.04
-    defaults:
-      run:
-        working-directory: ./provision/github/environment
-    steps:
-      - name: checkout
-        uses: actions/checkout@v2
-
-      - name: setup terraform
-        uses: hashicorp/setup-terraform@v1
-
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
-        with:
-          aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
+          aws-access-key-id: ${{ secrets.aws-access-key-id }}
+          aws-secret-access-key: ${{ secrets.aws-secret-access-key }}
           aws-region: us-east-1
 
       - name: confirm aws credentials
         run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != '398838478359' ]] \
+          [[ ${{steps.credentials.outputs.aws-account-id}} != ${{ inputs.aws-account-id }} ]] \
             && echo 'wrong aws account' && exit 1 \
             || echo 'correct aws account';
 
-      - name: terraform init
-        id: init
-        run: terraform init
-
-      - name: terraform validate
-        id: validate
-        run: terraform validate -no-color
+      - name: provision:integration-test-db
+        run: npm run provision:integration-test-db
 
-      - name: terraform plan
-        id: plan
-        run: terraform plan -no-color -detailed-exitcode
-        env:
-          GITHUB_TOKEN: ${{ secrets.PROVISION_GITHUB_GITHUB_TOKEN }}
+      - name: test:acceptance:locally
+        run: npm run test:acceptance:locally

package/dist/practices/cicd-integrate/best-practice/.github/workflows/{pr-release-on-main.yml → release.yml}

@@ -1,4 +1,4 @@
-name: pr-release-on-main
+name: release
 
 on:
   push:

package/dist/practices/cicd-integrate/best-practice/.github/workflows/test.yml

@@ -0,0 +1,19 @@
+name: test
+
+on:
+  workflow_call:
+  push:
+    branches-ignore:
+      - 'main' # exclude main branch, since deploy workflow triggers on main, and calls the test workflow inside of it already
+    tags-ignore:
+      - v* # exclude tags, since deploy workflow triggers on tags, and calls the test workflow inside of it already
+
+jobs:
+  suite:
+    uses: ./.github/workflows/.test.yml
+    with:
+      aws-region: us-east-1
+      aws-account-id: '@declapract{variable.awsAccountId.dev}'
+    secrets:
+      aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
+      aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}

package/dist/practices/persist-with-rds/best-practice/package.json

@@ -13,8 +13,8 @@
   },
   "scripts": {
     "generate:dao": "npx sql-dao-generator generate && npm run fix:format",
-    "generate:schema": "npx sql-schema-generator generate -c codegen.sql.schema.yml",
-    "generate:types-from-sql": "npx sql-code-generator generate -c codegen.sql.types.yml",
+    "generate:schema": "npx sql-schema-generator generate -c codegen.sql.schema.yml && npm run fix:format",
+    "generate:types-from-sql": "npx sql-code-generator generate -c codegen.sql.types.yml && npm run fix:format",
     "provision:docker:clear": "docker rm -f $(docker ps -a -f 'publish=7821' -q) 2>/dev/null || true && echo 'ensured port is available 👍'",
     "provision:docker:up": "docker-compose -f ./provision/docker/integration-test-db/docker-compose.yml up -d --force-recreate --build --renew-anon-volumes",
     "provision:docker:await": "docker-compose -f ./provision/docker/integration-test-db/docker-compose.yml exec -T postgres /root/wait-for-postgres.sh",

package/dist/practices/serverless/best-practice/package.json

@@ -6,6 +6,7 @@
     "deploy:release": "npm run build && sls deploy --verbose --stage $STAGE",
     "deploy:send-notification": "curl -X POST -H 'Content-type: application/json' --data \"{\\\"text\\\":\\\"$([ -z $DEPLOYER_NAME ] && git config user.name || echo $DEPLOYER_NAME) has deployed $npm_package_name@v$npm_package_version:\nhttps://github.com/@declapract{variable.organizationName}/$npm_package_name/tree/v$npm_package_version\\\"}\" @declapract{variable.slackWebhookUrl}",
     "deploy:dev": "STAGE=dev npm run deploy:release",
-    "deploy:prod": "STAGE=prod npm run deploy:release && npm run deploy:send-notification"
+    "deploy:prod": "STAGE=prod npm run deploy:release && npm run deploy:send-notification",
+    "deploy": "if-env STAGE=prod && npm run deploy:prod || if-env STAGE=dev && npm run deploy:dev || echo '🛑 invalid STAGE, must be prod or dev'"
   }
 }

package/dist/practices/terraform/best-practice/provision/github/product/repository.tf

@@ -52,18 +52,18 @@ resource "github_branch_protection" "main_branch" {
   enforce_admins          = true  # yes, even admins need to follow this (note: they can still take the time to go and change the settings temporarily for the exceptions)
   allows_deletions        = false # dont allow the `main` branch to be deleted
   allows_force_pushes     = false # dont allow `main` branch to be force pushed to
-  required_linear_history = true # no ugly merge commits, woo! 🎉
+  required_linear_history = true  # no ugly merge commits, woo! 🎉
 
   required_status_checks {
     strict = true # branch must be up to date. otherwise, we dont know if it will really pass once it is merged
     contexts = [
-      "test-commits",
-      "test-types",
-      "test-format",
-      "test-lint",
-      "test-unit",
-      "test-integration",
-      "test-acceptance-locally"
+      "suite / test-commits",
+      "suite / test-types",
+      "suite / test-format",
+      "suite / test-lint",
+      "suite / test-unit",
+      "suite / test-integration",
+      "suite / test-acceptance-locally"
     ]
   }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "declapract-typescript-ehmpathy",
-  "version": "0.21.2",
+  "version": "0.22.0",
   "description": "declapract best practices declarations for typescript",
   "main": "src/index.js",
   "repository": "ehmpathy/declapract-typescript-ehmpathy",
@@ -34,12 +34,13 @@
     "domain-objects": "0.7.5",
     "dynamodb-dao-generator": "1.0.0",
     "expect": "29.4.2",
+    "flat": "5.0.2",
     "lodash.uniq": "4.5.0",
     "type-fns": "0.7.0",
     "uuid": "3.4.0"
   },
   "peerDependencies": {
-    "declapract": "~0.10.9"
+    "declapract": "~0.10.10"
   },
   "devDependencies": {
     "@commitlint/cli": "13.1.0",

package/dist/practices/cicd-deploy-service/best-practice/.github/workflows/deploy-dev-on-main.yml

@@ -1,61 +0,0 @@
-name: deploy-dev-on-main
-
-on:
-  push:
-    branches: # only on main branch
-      - 'main'
-      - 'master'
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test-and-deploy:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0 # we need all commits to test:commits
-
-      - name: read nvmrc
-        id: nvmrc
-        run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
-
-      - name: setup node
-        uses: actions/setup-node@v2
-        with:
-          node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
-
-      - name: install
-        run: npm ci
-
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials
-        with:
-          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials.outputs.aws-account-id}} != '@declapract{variable.awsAccountId.dev}' ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
-
-      - name: provision:integration-test-db
-        run: npm run provision:integration-test-db
-
-      - name: test
-        run: npm run test
-        env:
-          FORCE_COLOR: true # ensure colors are saved in jest snapshots, to be consistent with local development
-
-      - name: deploy
-        run: DEPLOYER_NAME=$GITHUB_ACTOR npm run deploy:dev
-
-      - name: test:acceptance
-        run: STAGE=dev npm run test:acceptance

package/dist/practices/cicd-deploy-service/best-practice/.github/workflows/deploy-prod-on-tag.yml

@@ -1,76 +0,0 @@
-name: deploy-prod-on-tag
-
-on:
-  push:
-    tags:
-      - v*
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test-and-deploy:
-    runs-on: ubuntu-20.04
-    steps:
-      - name: checkout
-        uses: actions/checkout@v2
-        with:
-          fetch-depth: 0 # we need all commits to test:commits
-
-      - name: read nvmrc
-        id: nvmrc
-        run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc)
-
-      - name: setup node
-        uses: actions/setup-node@v2
-        with:
-          node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
-          cache: 'npm'
-
-      - name: install
-        run: npm ci
-
-      # test in dev env
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials-dev
-        with:
-          aws-access-key-id: ${{ secrets.DEV_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.DEV_AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials-dev.outputs.aws-account-id}} != '@declapract{variable.awsAccountId.dev}' ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
-
-      - name: provision:integration-test-db
-        run: npm run provision:integration-test-db
-
-      - name: test
-        run: npm run test
-        env:
-          FORCE_COLOR: true # ensure colors are saved in jest snapshots, to be consistent with local development
-
-      # deploy in prod env
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        id: credentials-prod
-        with:
-          aws-access-key-id: ${{ secrets.PROD_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.PROD_AWS_SECRET_ACCESS_KEY }}
-          aws-region: us-east-1
-
-      - name: confirm aws credentials
-        run: |
-          [[ ${{steps.credentials-prod.outputs.aws-account-id}} != '@declapract{variable.awsAccountId.prod}' ]] \
-            && echo 'wrong aws account' && exit 1 \
-            || echo 'correct aws account';
-
-      - name: deploy
-        run: DEPLOYER_NAME=$GITHUB_ACTOR npm run deploy:prod
-
-      - name: test:acceptance
-        run: STAGE=prod npm run test:acceptance