Merge pull request #127 from co-cddo/feat/bops-planning

feat: BOPS walkthrough, screenshots, and password output

Author: chrisns

.github/workflows/docker-build-bops.yml

@@ -0,0 +1,196 @@
+# Build and publish BOPS container images to ghcr.io
+#
+# Builds two images in parallel:
+# - ghcr.io/co-cddo/ndx_try_aws_scenarios-bops:latest (back-office + worker)
+# - ghcr.io/co-cddo/ndx_try_aws_scenarios-bops-applicants:latest (public portal)
+#
+# Both clone their upstream repos at pinned commits, apply our overlay files,
+# and build using the upstream Dockerfile.production.
+
+name: Build BOPS Container Images
+
+on:
+  push:
+    branches: [main, feat/bops-planning]
+    paths:
+      - 'cloudformation/scenarios/bops-planning/docker/**'
+      - '.github/workflows/docker-build-bops.yml'
+  pull_request:
+    paths:
+      - 'cloudformation/scenarios/bops-planning/docker/**'
+      - '.github/workflows/docker-build-bops.yml'
+  workflow_dispatch:
+    inputs:
+      push_image:
+        description: 'Push images to registry'
+        required: false
+        default: true
+        type: boolean
+
+env:
+  REGISTRY: ghcr.io
+  # Pin to specific commits for reproducibility — update these when upgrading BOPS
+  BOPS_REPO: unboxed/bops
+  BOPS_COMMIT: main
+  BOPS_APPLICANTS_REPO: unboxed/bops-applicants
+  BOPS_APPLICANTS_COMMIT: main
+
+jobs:
+  changes:
+    name: Check for Docker changes
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    outputs:
+      docker: ${{ steps.filter.outputs.docker }}
+    steps:
+      - uses: actions/checkout@v6
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            docker:
+              - 'cloudformation/scenarios/bops-planning/docker/**'
+              - '.github/workflows/docker-build-bops.yml'
+
+  build-bops:
+    name: Build BOPS Back-Office
+    runs-on: ubuntu-latest
+    needs: [changes]
+    if: |
+      always() &&
+      (needs.changes.result == 'skipped' || needs.changes.outputs.docker == 'true')
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Clone BOPS source
+        run: |
+          git clone --depth 1 https://github.com/${{ env.BOPS_REPO }}.git bops-src
+          if [ "${{ env.BOPS_COMMIT }}" != "main" ]; then
+            cd bops-src
+            git fetch --depth 1 origin ${{ env.BOPS_COMMIT }}
+            git checkout ${{ env.BOPS_COMMIT }}
+            cd ..
+          fi
+
+      - name: Copy overlay files
+        run: |
+          mkdir -p bops-src/scripts
+          cp cloudformation/scenarios/bops-planning/docker/bops/config/initializers/default_local_authority.rb bops-src/config/initializers/
+          cp cloudformation/scenarios/bops-planning/docker/bops/scripts/seed_sample_data.rb bops-src/scripts/
+          cp cloudformation/scenarios/bops-planning/docker/bops/scripts/seed-entrypoint.sh bops-src/scripts/
+          cp cloudformation/scenarios/bops-planning/docker/bops/scripts/init-bops.sh bops-src/scripts/
+          cp cloudformation/scenarios/bops-planning/docker/bops/entrypoint.sh bops-src/
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/co-cddo/ndx_try_aws_scenarios-bops
+          tags: |
+            type=sha,prefix=sha-
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/main' }}
+
+      - name: Build and push BOPS image
+        uses: docker/build-push-action@v6
+        with:
+          context: bops-src
+          file: bops-src/Dockerfile.production
+          push: ${{ (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/bops-planning' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_image != 'false')) }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=bops
+          cache-to: type=gha,mode=max,scope=bops
+          platforms: linux/amd64
+
+      - name: Output image details
+        run: |
+          echo "## BOPS Image Built" >> $GITHUB_STEP_SUMMARY
+          echo "**Tags:**" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+
+  build-bops-applicants:
+    name: Build BOPS Applicants Portal
+    runs-on: ubuntu-latest
+    needs: [changes]
+    if: |
+      always() &&
+      (needs.changes.result == 'skipped' || needs.changes.outputs.docker == 'true')
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Clone BOPS-Applicants source
+        run: |
+          git clone --depth 1 https://github.com/${{ env.BOPS_APPLICANTS_REPO }}.git bops-applicants-src
+          if [ "${{ env.BOPS_APPLICANTS_COMMIT }}" != "main" ]; then
+            cd bops-applicants-src
+            git fetch --depth 1 origin ${{ env.BOPS_APPLICANTS_COMMIT }}
+            git checkout ${{ env.BOPS_APPLICANTS_COMMIT }}
+            cd ..
+          fi
+
+      - name: Copy overlay files
+        run: |
+          cp cloudformation/scenarios/bops-planning/docker/bops-applicants/config/initializers/default_local_authority.rb bops-applicants-src/config/initializers/
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/co-cddo/ndx_try_aws_scenarios-bops-applicants
+          tags: |
+            type=sha,prefix=sha-
+            type=raw,value=latest,enable={{is_default_branch}}
+            type=ref,event=branch,enable=${{ github.ref != 'refs/heads/main' }}
+
+      - name: Build and push BOPS-Applicants image
+        uses: docker/build-push-action@v6
+        with:
+          context: bops-applicants-src
+          file: bops-applicants-src/Dockerfile.production
+          push: ${{ (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/feat/bops-planning' || (github.event_name == 'workflow_dispatch' && github.event.inputs.push_image != 'false')) }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha,scope=bops-applicants
+          cache-to: type=gha,mode=max,scope=bops-applicants
+          platforms: linux/amd64
+
+      - name: Output image details
+        run: |
+          echo "## BOPS-Applicants Image Built" >> $GITHUB_STEP_SUMMARY
+          echo "**Tags:**" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY
+          echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
+          echo '```' >> $GITHUB_STEP_SUMMARY

cloudformation/scenarios/bops-planning/BLUEPRINT.md

@@ -0,0 +1,95 @@
+# ISB Blueprint Registration: BOPS Planning System
+
+Register the NDX:Try BOPS Planning scenario as an Innovation Sandbox (ISB) blueprint so it auto-deploys into sandbox accounts when leases are approved.
+
+## Prerequisites
+
+- AWS Innovation Sandbox deployed in the hub account
+- Hub account ID known (referred to as `{HUB_ACCOUNT_ID}` below)
+- ISB namespace known (referred to as `{NAMESPACE}` below)
+- An S3 bucket accessible from the hub account for hosting the template (referred to as `{BUCKET}` in region `{REGION}`)
+- Ordnance Survey Vector Tiles API key (free tier from OS Data Hub)
+- BOPS and BOPS-Applicants Docker images published to ghcr.io
+
+## Step 1 — Upload Template to S3
+
+Upload the CloudFormation template to an S3 bucket accessible from the hub account:
+
+```bash
+aws s3 cp template.yaml \
+  s3://{BUCKET}/scenarios/bops-planning/template.yaml
+```
+
+**Note:** Template is ~104KB (JSON) — must use S3 URL, not inline template body.
+
+## Step 2 — Create StackSet
+
+Create a self-managed CloudFormation StackSet using ISB's roles:
+
+```bash
+aws cloudformation create-stack-set \
+  --stack-set-name ndx-try-bops-planning \
+  --template-url https://{BUCKET}.s3.{REGION}.amazonaws.com/scenarios/bops-planning/template.yaml \
+  --administration-role-arn arn:aws:iam::{HUB_ACCOUNT_ID}:role/InnovationSandbox-{NAMESPACE}-IntermediateRole \
+  --execution-role-name InnovationSandbox-{NAMESPACE}-SandboxAccountRole \
+  --managed-execution Active=true \
+  --capabilities CAPABILITY_IAM CAPABILITY_NAMED_IAM \
+  --parameters ParameterKey=OSVectorTilesApiKey,ParameterValue={YOUR_OS_API_KEY} \
+  --description "NDX:Try BOPS Planning System - Digital planning for UK councils"
+```
+
+Notes:
+- `CAPABILITY_IAM` and `CAPABILITY_NAMED_IAM` are required because the template uses explicit IAM role names matching ISB SCP patterns
+- `--managed-execution Active=true` is recommended for concurrent lease handling
+- `OSVectorTilesApiKey` parameter is required — maps will not render without it
+
+## Step 3 — Register in ISB
+
+1. Navigate to ISB admin console > **Blueprints** > **Register New Blueprint**
+2. Enter name: `ndx-try-bops-planning` (must be 1-50 chars, start with letter, alphanumeric + hyphens only)
+3. Select the `ndx-try-bops-planning` StackSet
+4. Configure deployment:
+   - Select target regions: `us-east-1`
+   - Set timeout: **40 minutes** recommended (Aurora ~10 min, Redis ~8 min, CloudFront ~10 min, seed task ~10 min — partially parallel)
+5. Configure parameter overrides:
+   - `OSVectorTilesApiKey`: Set to the OS Vector Tiles API key
+6. Review and submit
+
+## Step 4 — Associate with Lease Template
+
+1. In ISB admin console, navigate to **Lease Templates**
+2. Edit an existing lease template or create a new one
+3. In the blueprint selection step, select `ndx-try-bops-planning`
+4. Save the lease template
+
+## Verification
+
+1. Create a test lease using the template
+2. Wait for StackSet instance creation (~25-35 minutes)
+3. Verify:
+   - Stack status is `CREATE_COMPLETE`
+   - BOPS login page loads at `BOPSLoginUrl` output
+   - Login with `BOPSUsername` / retrieve password from `BOPSPassword` Secrets Manager link
+   - Dashboard shows 80 planning applications
+   - OS Maps tiles render on application detail pages
+   - Applicants portal loads at `ApplicantsPortalUrl` output
+4. Test stack deletion — should complete cleanly within 15 minutes
+
+## Troubleshooting
+
+### Seed task fails
+Check CloudWatch logs at `/ndx-bops/production` → `bops-seed` stream prefix. Common issues:
+- Database not ready: seed task retries automatically, but check Aurora cluster status
+- Ruby/Rails errors: check the seed script output for AASM transition failures
+
+### ECS services failing health checks
+- BOPS web: `/healthcheck` on port 3000 — check container logs for Rails boot errors
+- BOPS-Applicants: `/healthcheck` on port 80 — check API connectivity to BOPS
+- Allow 10 minutes for initial startup (health check grace period)
+
+### Maps not rendering
+- Verify `OSVectorTilesApiKey` parameter was provided correctly
+- Check browser console for 401 errors from OS Maps API
+
+### ISB SCP errors
+All IAM roles must start with `InnovationSandbox-ndx-`. The CDK Aspect handles this automatically, but if you see "AccessDenied" errors, check the role name in the error message.

cloudformation/scenarios/bops-planning/cdk/bin/app.ts

@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+import 'source-map-support/register';
+import * as cdk from 'aws-cdk-lib';
+import { BopsPlanningStack } from '../lib/bops-planning-stack';
+
+const app = new cdk.App();
+
+new BopsPlanningStack(app, 'BopsPlanningStack', {
+  // No env — produces environment-agnostic template using CloudFormation intrinsics
+  // so the same template works in any account/region via StackSets
+  description: 'BOPS Planning System - NDX:Try Demonstration Environment',
+});

cloudformation/scenarios/bops-planning/cdk/cdk.json

@@ -0,0 +1,34 @@
+{
+  "app": "npx ts-node --prefer-ts-exts bin/app.ts",
+  "watch": {
+    "include": [
+      "**"
+    ],
+    "exclude": [
+      "README.md",
+      "cdk*.json",
+      "**/*.d.ts",
+      "**/*.js",
+      "tsconfig.json",
+      "package*.json",
+      "yarn.lock",
+      "node_modules",
+      "test",
+      "dist"
+    ]
+  },
+  "context": {
+    "@aws-cdk/aws-lambda:recognizeLayerVersion": true,
+    "@aws-cdk/core:checkSecretUsage": true,
+    "@aws-cdk/core:target-partitions": [
+      "aws"
+    ],
+    "@aws-cdk/aws-ecs:arnFormatIncludesClusterName": true,
+    "@aws-cdk/aws-rds:lowercaseDbIdentifier": true,
+    "@aws-cdk/aws-efs:denyAnonymousAccess": true,
+    "@aws-cdk/core:enablePartitionLiterals": true,
+    "@aws-cdk/aws-events:eventsTargetQueueSameAccount": true,
+    "@aws-cdk/aws-secretsmanager:useAttachedSecretResourcePolicyForSecretTargetAttachments": true
+  },
+  "output": "../cdk.out"
+}

cloudformation/scenarios/bops-planning/cdk/jest.config.js

@@ -0,0 +1,8 @@
+module.exports = {
+  testEnvironment: 'node',
+  roots: ['<rootDir>/test'],
+  testMatch: ['**/*.test.ts'],
+  transform: {
+    '^.+\\.tsx?$': 'ts-jest'
+  }
+};