From 45e67d9c6ecca2dd211de841be4212fead7c1fcd Mon Sep 17 00:00:00 2001 From: edmundcraske2-nhs Date: Tue, 25 Jun 2024 17:26:51 +0100 Subject: [PATCH 1/4] CCM-5156 create subdomains for each account Create an 'acct' tf component to run in each AWS account Also clean up some cruft and add some basic READMEs --- terraform/README | 3 + terraform/components/acct/.terraform-version | 1 + terraform/components/acct/README | 5 ++ .../components/acct/locals_tfscaffold.tf | 45 +++++++++++++ terraform/components/acct/outputs.tf | 19 ++++++ terraform/components/acct/provider_aws.tf | 18 ++++++ .../acct/route53_delegation_set_main.tf | 3 + .../components/acct/route53_zone_subdomain.tf | 7 ++ terraform/components/acct/variables.tf | 64 +++++++++++++++++++ terraform/components/acct/versions.tf | 10 +++ terraform/etc/env_eu-west-2_example.tfvars | 7 ++ terraform/etc/env_eu-west-2_exampleenv.tfvars | 10 --- terraform/etc/global.tfvars | 5 +- terraform/etc/group_examplegroup.tfvars | 1 - .../versions_eg-region-1_exampleenv.tfvars | 2 - 15 files changed, 186 insertions(+), 14 deletions(-) create mode 100644 terraform/README create mode 100644 terraform/components/acct/.terraform-version create mode 100644 terraform/components/acct/README create mode 100644 terraform/components/acct/locals_tfscaffold.tf create mode 100644 terraform/components/acct/outputs.tf create mode 100644 terraform/components/acct/provider_aws.tf create mode 100644 terraform/components/acct/route53_delegation_set_main.tf create mode 100644 terraform/components/acct/route53_zone_subdomain.tf create mode 100644 terraform/components/acct/variables.tf create mode 100644 terraform/components/acct/versions.tf create mode 100644 terraform/etc/env_eu-west-2_example.tfvars delete mode 100644 terraform/etc/env_eu-west-2_exampleenv.tfvars delete mode 100644 terraform/etc/group_examplegroup.tfvars delete mode 100644 terraform/etc/versions_eg-region-1_exampleenv.tfvars 
diff --git a/terraform/README b/terraform/README
new file mode 100644
index 0000000..838d177
--- /dev/null
+++ b/terraform/README
@@ -0,0 +1,3 @@
+This is an implementation of https://github.com/tfutils/tfscaffold for NHS Notify
+
+Update the `etc/global.tfvars` file according to your NHS Notify Domain, and follow https://github.com/tfutils/tfscaffold?tab=readme-ov-file#bootstrapping to get your tfstate s3 bucket set up
diff --git a/terraform/components/acct/.terraform-version b/terraform/components/acct/.terraform-version
new file mode 100644
index 0000000..631f790
--- /dev/null
+++ b/terraform/components/acct/.terraform-version
@@ -0,0 +1 @@
+latest:^1\.8\.
diff --git a/terraform/components/acct/README b/terraform/components/acct/README
new file mode 100644
index 0000000..d214887
--- /dev/null
+++ b/terraform/components/acct/README
@@ -0,0 +1,5 @@
+README for 'acct' component - Account-level resources
+
+This component is intended to be run to set up things (such as a DNS subdomain) at the account level, and this should be run for each account belonging to the Notify Domain - i.e. there should be a nonprod and prod environment .tfvars
+
+Copy the `env_eu-west-2_example.tfvars` file in the `etc` directory and adjust as needed for nonprod and prod for your NHS Notify Domain.
diff --git a/terraform/components/acct/locals_tfscaffold.tf b/terraform/components/acct/locals_tfscaffold.tf
new file mode 100644
index 0000000..e5084cd
--- /dev/null
+++ b/terraform/components/acct/locals_tfscaffold.tf
@@ -0,0 +1,45 @@
+locals {
+ terraform_state_bucket = format(
+ "%s-tfscaffold-%s-%s",
+ var.project,
+ var.aws_account_id,
+ var.region,
+ )
+
+ csi = replace(
+ format(
+ "%s-%s-%s",
+ var.project,
+ var.environment,
+ var.component,
+ ),
+ "_",
+ "",
+ )
+
+ # CSI for use in resources with a global namespace, i.e. S3 Buckets
+ csi_global = replace(
+ format(
+ "%s-%s-%s-%s-%s",
+ var.project,
+ var.aws_account_id,
+ var.region,
+ var.environment,
+ var.component,
+ ),
+ "_",
+ "",
+ )
+
+ default_tags = merge(
+ var.default_tags,
+ {
+ Project = var.project
+ Environment = var.environment
+ Component = var.component
+ Group = var.group
+ NHSNotifyDomain = var.nhs_notify_domain
+ Name = local.csi
+ },
+ )
+}
diff --git a/terraform/components/acct/outputs.tf b/terraform/components/acct/outputs.tf
new file mode 100644
index 0000000..5bc3418
--- /dev/null
+++ b/terraform/components/acct/outputs.tf
@@ -0,0 +1,19 @@
+output "aws_account_id" {
+ value = var.aws_account_id
+}
+
+output "r53_delegation_set_id" {
+ value = aws_route53_delegation_set.main.id
+}
+
+output "r53_delegation_set_nameservers" {
+ value = aws_route53_delegation_set.main.name_servers
+}
+
+output "r53_subdomain_name" {
+ value = var.subdomain_name
+}
+
+output "r53_subdomain_id" {
+ value = one(aws_route53_zone.subdomain[*].id)
+}
diff --git a/terraform/components/acct/provider_aws.tf b/terraform/components/acct/provider_aws.tf
new file mode 100644
index 0000000..a805843
--- /dev/null
+++ b/terraform/components/acct/provider_aws.tf
@@ -0,0 +1,18 @@
+provider "aws" {
+ region = var.region
+
+ allowed_account_ids = [
+ var.aws_account_id,
+ ]
+
+ default_tags {
+ tags = {
+ Project = var.project
+ Environment = var.environment
+ Component = var.component
+ Group = var.group
+ NHSNotifyDomain = var.nhs_notify_domain
+ Name = local.csi
+ }
+ }
+}
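Review bot: The `default_tags` block in `provider_aws.tf` re-lists the tag map by hand and leaves out `var.default_tags`, so the input declared as "a map of default tags to apply to all taggable resources within the component" never reaches any resource, while `local.default_tags` in `locals_tfscaffold.tf`, which does merge it, is not referenced anywhere in this component. Replace the inline map with `tags = local.default_tags` so caller-supplied tags are actually applied and the two definitions cannot drift apart. If the duplication is deliberate (e.g. the locals file is shared scaffold and the provider block is meant to be the only consumer), a comment on the provider block saying so would save the next reader the same question.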
diff --git a/terraform/components/acct/route53_delegation_set_main.tf b/terraform/components/acct/route53_delegation_set_main.tf
new file mode 100644
index 0000000..76ad88e
--- /dev/null
+++ b/terraform/components/acct/route53_delegation_set_main.tf
@@ -0,0 +1,3 @@
+resource "aws_route53_delegation_set" "main" {
+ reference_name = "main"
+}
diff --git a/terraform/components/acct/route53_zone_subdomain.tf b/terraform/components/acct/route53_zone_subdomain.tf
new file mode 100644
index 0000000..cc52061
--- /dev/null
+++ b/terraform/components/acct/route53_zone_subdomain.tf
@@ -0,0 +1,7 @@
+resource "aws_route53_zone" "subdomain" {
+ count = var.subdomain_name != "" ? 1 : 0
+
+ name = var.subdomain_name
+
+ delegation_set_id = aws_route53_delegation_set.main.id
+}
diff --git a/terraform/components/acct/variables.tf b/terraform/components/acct/variables.tf
new file mode 100644
index 0000000..f625501
--- /dev/null
+++ b/terraform/components/acct/variables.tf
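Review bot: `aws_route53_delegation_set.main` has no lifecycle guard, yet its `name_servers` (exported from `outputs.tf`) are exactly what the parent zone, which is not managed in this component, will be pointed at when `var.subdomain_name` is delegated; if the set is ever replaced, which as far as I can tell a change to `reference_name` or a targeted destroy would do, the name servers change, resolution for the subdomain stops, and the parent's NS records keep pointing at servers this account no longer holds. Add `lifecycle { prevent_destroy = true }` to the resource together with a comment such as `# Parent-zone NS delegation references these name servers; never recreate this set without re-delegating.` The same guard is worth considering on `aws_route53_zone.subdomain`, because destroying the zone while the parent delegation stands leaves a dangling subdomain that anyone able to recreate a zone on the same delegation set could serve.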
@@ -0,0 +1,64 @@
+##
+# Basic Required Variables for tfscaffold Components
+##
+
+variable "project" {
+ type = string
+ description = "The name of the tfscaffold project"
+}
+
+variable "environment" {
+ type = string
+ description = "The name of the tfscaffold environment"
+}
+
+variable "aws_account_id" {
+ type = string
+ description = "The AWS Account ID (numeric)"
+}
+
+variable "region" {
+ type = string
+ description = "The AWS Region"
+}
+
+variable "group" {
+ type = string
+ description = "The group variables are being inherited from (often synonmous with account short-name)"
+}
+
+##
+# tfscaffold variables specific to this component
+##
+
+# This is the only primary variable to have its value defined as
+# a default within its declaration in this file, because the variables
+# purpose is as an identifier unique to this component, rather
+# then to the environment from where all other variables come.
+variable "component" {
+ type = string
+ description = "The variable encapsulating the name of this component"
+ default = "acct"
+}
+
+variable "nhs_notify_domain" {
+ type = string
+ description = "The name of the NHS Notify Domain that this is deploying to"
+}
+
+variable "default_tags" {
+ type = map(string)
+ description = "A map of default tags to apply to all taggable resources within the component"
+ default = {}
+}
+
+
+##
+# Variables specific to the "acct" component
+##
+
+variable "subdomain_name" {
+ type = string
+ description = "The subdomain name to create a Route53 zone for"
+ default = ""
+}
diff --git a/terraform/components/acct/versions.tf b/terraform/components/acct/versions.tf
new file mode 100644
index 0000000..ee15bad
--- /dev/null
+++ b/terraform/components/acct/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.50"
+ }
+ }
+
+ required_version = "~> 1.8.4"
+}
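Review bot: `aws_account_id` is declared as a free-form string even though its description says "(numeric)" and `provider_aws.tf` feeds it straight into `allowed_account_ids`, which is the one control in this component that stops a plan from being applied into the wrong account; a typo, or the `012345678901` placeholder left in `global.tfvars`, is only detected once the provider has already built a session, and the same value is also baked into the `terraform_state_bucket` and `csi_global` names in `locals_tfscaffold.tf`. Add a `validation` block that pins a 12-digit value so the mistake fails at plan time with a clear message, as below; the other declarations in the file are unchanged. A similar check on `subdomain_name` (non-empty values must look like a hostname) would be worthwhile, since the `count` guard in `route53_zone_subdomain.tf` only tests for the empty string.

```hcl
variable "aws_account_id" {
  # … unchanged: type and description …
  validation {
    condition     = can(regex("^[0-9]{12}$", var.aws_account_id))
    error_message = "aws_account_id must be a 12-digit AWS account ID."
  }
}
```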
diff --git a/terraform/etc/env_eu-west-2_example.tfvars b/terraform/etc/env_eu-west-2_example.tfvars new file mode 100644 index 0000000..45bace4 --- /dev/null +++ b/terraform/etc/env_eu-west-2_example.tfvars @@ -0,0 +1,7 @@ +environment = "example" +group = null + +# "NHS Notify poc-001 Dev" account +aws_account_id = "767397886959" + +subdomain_name = "example.dev.nhsnotify.national.nhs.uk" diff --git a/terraform/etc/env_eu-west-2_exampleenv.tfvars b/terraform/etc/env_eu-west-2_exampleenv.tfvars deleted file mode 100644 index 8317d38..0000000 --- a/terraform/etc/env_eu-west-2_exampleenv.tfvars +++ /dev/null @@ -1,10 +0,0 @@ -# Define variable values to be fed into components in the components directory that will each form a part of the examplenv environment... - -environment = "exampleenv" - -default_tags = { - "Project" = "myproject" - "Environment" = "exampleenv" - "Owner" = "My Project Manager" - "Client" = "My Client" -} diff --git a/terraform/etc/global.tfvars b/terraform/etc/global.tfvars index 216b4b4..0977e92 100644 --- a/terraform/etc/global.tfvars +++ b/terraform/etc/global.tfvars @@ -2,5 +2,8 @@ # CHANGEME: these should be set for the project you are working on # project should ideally be as short as possible whilst being meaningful as it will be used in resource naming! # aws_account_id should be set to the AWS account ID you are running Terraform in the context of - you will get errors otherwise... -project = "myproject" +project = "nhs-notify" aws_account_id = "012345678901" + +# set this for the NHS Notify Domain you are working on +nhs_notify_domain = "CHANGEME" diff --git a/terraform/etc/group_examplegroup.tfvars b/terraform/etc/group_examplegroup.tfvars deleted file mode 100644 index 5949382..0000000 --- a/terraform/etc/group_examplegroup.tfvars +++ /dev/null @@ -1 +0,0 @@ -# Variables shared by any environment that chooses to be subscribed to it 
diff --git a/terraform/etc/versions_eg-region-1_exampleenv.tfvars b/terraform/etc/versions_eg-region-1_exampleenv.tfvars deleted file mode 100644 index 31b0602..0000000 --- a/terraform/etc/versions_eg-region-1_exampleenv.tfvars +++ /dev/null @@ -1,2 +0,0 @@ -# Define variable values to be fed into components in the components directory that will each form a part of the examplenv environment... -my_example_docker_app_version = "0.0.1" From 28d818cc6102611bd20213d39e8eb235de68c059 Mon Sep 17 00:00:00 2001 From: Ross Buggins Date: Tue, 2 Jul 2024 08:43:30 +0100 Subject: [PATCH 2/4] delete terraform folder. --- terraform/etc/global.tfvars | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 terraform/etc/global.tfvars diff --git a/terraform/etc/global.tfvars b/terraform/etc/global.tfvars deleted file mode 100644 index 0977e92..0000000 --- a/terraform/etc/global.tfvars +++ /dev/null @@ -1,9 +0,0 @@ -# Specific to whole project / AWS Account -# CHANGEME: these should be set for the project you are working on -# project should ideally be as short as possible whilst being meaningful as it will be used in resource naming! -# aws_account_id should be set to the AWS account ID you are running Terraform in the context of - you will get errors otherwise... -project = "nhs-notify" -aws_account_id = "012345678901" - -# set this for the NHS Notify Domain you are working on -nhs_notify_domain = "CHANGEME" From f61e08d8f638d0c985ea660a466612bfc5c96d82 Mon Sep 17 00:00:00 2001 From: Ross Buggins Date: Tue, 2 Jul 2024 08:47:54 +0100 Subject: [PATCH 3/4] added to git ignore. --- infrastructure/terraform/.gitignore | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/infrastructure/terraform/.gitignore b/infrastructure/terraform/.gitignore index f0d9138..579b641 100644 --- a/infrastructure/terraform/.gitignore +++ b/infrastructure/terraform/.gitignore 
@@ -3,6 +3,13 @@ # Transient backends components/**/backend_tfscaffold.tf +# Exclude all .tfvars files, which are likely to contain sensitive data, such as +# password, private keys, and other secrets. These should not be part of version +# control as they are data points which are potentially sensitive and subject +# to change depending on the environment. +*.tfvars +*.tfvars.json + # Compiled files **/*.tfstate **/*.tfplan From c1c8b542cbb195441387e3ac6cbd535287c59bb9 Mon Sep 17 00:00:00 2001 From: Ross Buggins Date: Tue, 2 Jul 2024 08:50:02 +0100 Subject: [PATCH 4/4] refresh git ignore. --- infrastructure/terraform/etc/env_eu-west-2_example.tfvars | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 infrastructure/terraform/etc/env_eu-west-2_example.tfvars diff --git a/infrastructure/terraform/etc/env_eu-west-2_example.tfvars b/infrastructure/terraform/etc/env_eu-west-2_example.tfvars deleted file mode 100644 index 45bace4..0000000 --- a/infrastructure/terraform/etc/env_eu-west-2_example.tfvars +++ /dev/null @@ -1,7 +0,0 @@ -environment = "example" -group = null - -# "NHS Notify poc-001 Dev" account -aws_account_id = "767397886959" - -subdomain_name = "example.dev.nhsnotify.national.nhs.uk"
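Review bot: The new `*.tfvars` / `*.tfvars.json` rules conflict with the tfscaffold layout this repository adopts, where `etc/global.tfvars` and the per-environment `etc/env_*.tfvars` are the versioned source of `project`, `aws_account_id`, `nhs_notify_domain` and `subdomain_name`, and with the `acct` README's instruction to copy `env_eu-west-2_example.tfvars` from `etc`; after this change nothing under `etc/` can be committed and every apply depends on an operator's untracked local file. The comment's premise is also the wrong control: a secret placed in a tfvars file lands in plaintext in the tfstate regardless of whether git ever sees the file, so secrets should be fetched at apply time from SSM Parameter Store or Secrets Manager rather than kept out of git by an ignore rule. Narrow the rule so non-secret configuration stays versioned, e.g. `*.tfvars`, `*.tfvars.json`, `!etc/*.tfvars`, and reword the comment to say that tfvars files must not hold secrets at all.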