Add infra for Catala app (#264)

* app-catala: Install `template-infra:app` at version 0.16.0.post21.dev0+3af6525

* Add infra for catala app and use port 3400

* Disable database

* Add backends for build repo and service

* Use updated docker image

* latest version

* Update latest and add grype exceptions

* Add .dockleignore for python base image not clearing cache

* Remove build folders

* Revert app changes

* Make simple API test

* Add custom domain for app-catala in dev

* Remove app specific exceptions applied at the project level

* app-catala: Update `template-infra:app` to version 0.16.0.post21.dev0+3af6525

Author: lamroger-nava

.github/workflows/cd-app-catala.yml

@@ -0,0 +1,38 @@
+name: Deploy app-catala
+# Need to set a default value for when the workflow is triggered from a git push
+# which bypasses the default configuration for inputs
+run-name: Deploy ${{inputs.version || 'main' }} to app-catala ${{ inputs.environment || 'dev' }}
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - "app-catala/**"
+      - "bin/**"
+      - "infra/**"
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Environment to deploy to
+        required: true
+        default: "dev"
+        type: choice
+        options:
+          - dev
+          - staging
+          - prod
+      version:
+        required: true
+        default: "main"
+        description: Tag or branch or SHA to deploy
+
+jobs:
+  deploy:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/deploy.yml
+    with:
+      app_name: "app-catala"
+      environment: ${{ inputs.environment || 'dev' }}
+      version: ${{ inputs.version || 'main' }}
+    secrets: inherit

.github/workflows/ci-app-catala-infra-service.yml

@@ -0,0 +1,62 @@
+name: CI Infra Service Checks - app-catala
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - infra/app-catala/service/**
+      - infra/modules/**
+      - infra/test/**
+      - .github/workflows/ci-app-catala-infra-service.yml
+  pull_request:
+    paths:
+      - infra/app-catala/service/**
+      - infra/modules/**
+      - infra/test/**
+      - .github/workflows/ci-app-catala-infra-service.yml
+  workflow_dispatch:
+    inputs:
+      version:
+        required: true
+        default: "main"
+        description: Tag or branch or SHA to test
+
+jobs:
+  build-and-publish:
+    name: Build
+    uses: ./.github/workflows/build-and-publish.yml
+    with:
+      app_name: app-catala
+      ref: ${{ inputs.version || github.ref }}
+
+  infra-test-e2e:
+    name: Test service
+    runs-on: ubuntu-latest
+    needs: [build-and-publish]
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ inputs.version || github.ref }}
+
+      - name: Set up Terraform
+        uses: ./.github/actions/setup-terraform
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: "infra/test/go.mod"
+
+      - name: Configure AWS credentials
+        uses: ./.github/actions/configure-aws-credentials
+        with:
+          app_name: app-catala
+          # Run infra CI on dev environment
+          environment: dev
+
+      - name: Run Terratest
+        run: make infra-test-service APP_NAME=app-catala

.github/workflows/ci-app-catala-pr-environment-checks.yml

@@ -0,0 +1,22 @@
+name: CI app-catala PR Environment Checks
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        required: true
+        type: string
+      commit_hash:
+        required: true
+        type: string
+  pull_request:
+
+jobs:
+  update:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/pr-environment-checks.yml
+    if: github.event_name == 'workflow_dispatch' || github.event.pull_request.state == 'open'
+    with:
+      app_name: "app-catala"
+      environment: "dev"
+      pr_number: ${{ inputs.pr_number || github.event.number }}
+      commit_hash: ${{ inputs.commit_hash || github.event.pull_request.head.sha }}

.github/workflows/ci-app-catala-pr-environment-destroy.yml

@@ -0,0 +1,18 @@
+name: CI app-catala PR Environment Destroy
+on:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        required: true
+        type: string
+  pull_request_target:
+    types: [closed]
+
+jobs:
+  destroy:
+    name: " " # GitHub UI is noisy when calling reusable workflows, so use whitespace for name to reduce noise
+    uses: ./.github/workflows/pr-environment-destroy.yml
+    with:
+      app_name: "app-catala"
+      environment: "dev"
+      pr_number: ${{ inputs.pr_number || github.event.number }}

.github/workflows/ci-app-catala-vulnerability-scans.yml

@@ -0,0 +1,28 @@
+name: CI Vulnerability Scans - app-catala
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - app-catala/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/vulnerability-scans.yml
+      - .github/workflows/ci-app-catala-vulnerability-scans.yml
+  pull_request:
+    paths:
+      - app-catala/**
+      - .grype.yml
+      - .hadolint.yaml
+      - .trivyignore
+      - .github/workflows/vulnerability-scans.yml
+      - .github/workflows/ci-app-catala-vulnerability-scans.yml
+
+jobs:
+  vulnerability-scans:
+    name: Vulnerability Scans
+    uses: ./.github/workflows/vulnerability-scans.yml
+    with:
+      app_name: "app-catala"

.strata-template-rules-engine-catala/app-catala.yml

@@ -1,5 +1,5 @@
 # Changes here will be overwritten by Copier; NEVER EDIT MANUALLY
 _commit: 4f60dcd
 _src_path: https://github.com/navapbc/strata-template-rules-engine-catala
-app_local_port: 3001
+app_local_port: 3400
 app_name: app-catala

.template-infra/app-app-catala.yml

@@ -0,0 +1,7 @@
+# Changes here will be overwritten by Copier
+_commit: v0.16.0-21-g3af6525
+_src_path: https://github.com/navapbc/template-infra
+app_has_dev_env_setup: true
+app_local_port: 3400
+app_name: app-catala
+template: app

app-catala/.dockleignore

@@ -0,0 +1,2 @@
+# Ignore apt-get cache not being cleared in python base image
+DKL-DI-0005

app-catala/.grype.yml

@@ -0,0 +1,10 @@
+ignore:
+  # These settings ignore any findings that fall into these categories
+  - fix-state: not-fixed
+  - fix-state: wont-fix
+  - fix-state: unknown
+
+  # We dont use imaplib
+  - vulnerability: CVE-2025-15366
+  # We dont use poplib
+  - vulnerability: CVE-2025-15367

app-catala/docker-compose.yml

@@ -15,7 +15,7 @@ services:
       - PY_RUN_APPROACH=local
       - PYTHONPATH=/app/
     ports:
-      - 3001:3001
+      - 3400:3400
     volumes:
       - ./:/app/
       - /app/.venv