DP-187 Move ECR to the Orchestrator account

- Reconfigure ECS services to pull images and the latest published version from Orchestrator
cabinetoffice · Jul 14, 2024 · 2dc3808 · 2dc3808
1 parent f2db62d
commit 2dc3808
Show file tree

Hide file tree

Showing 33 changed files with 195 additions and 96 deletions.
diff --git a/...hub/workflows/main-build-test-deploy.yaml → ...ub/workflows/main-build-test-publish.yaml b/...hub/workflows/main-build-test-deploy.yaml → ...ub/workflows/main-build-test-publish.yaml
@@ -72,7 +72,7 @@ jobs:
       - name: Stop services
         run: make down
 
-  deploy:
+  publish:
     runs-on: ubuntu-latest
     needs: test
     if: github.ref == 'refs/heads/DP-187' && github.repository_owner == 'cabinetoffice'

diff --git a/terragrunt/components/core/iam/terragrunt.hcl b/terragrunt/components/core/iam/terragrunt.hcl
@@ -20,6 +20,7 @@ locals {
 }
 
 inputs = {
+  account_ids         = local.global_vars.locals.account_ids
   tags                = local.tags
   terraform_operators = local.global_vars.locals.terraform_operators
   tfstate_bucket_name = local.global_vars.locals.tg.state_bucket

diff --git a/terragrunt/components/orchestrator/ecr/terragrunt.hcl b/terragrunt/components/orchestrator/ecr/terragrunt.hcl
@@ -9,23 +9,20 @@ include {
 locals {
 
   global_vars = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
-  core_vars   = read_terragrunt_config(find_in_parent_folders("orchestrator.hcl"))
+  orchestrator_vars   = read_terragrunt_config(find_in_parent_folders("orchestrator.hcl"))
 
   tags = merge(
     local.global_vars.inputs.tags,
-    local.core_vars.inputs.tags,
+    local.orchestrator_vars.inputs.tags,
     {
       component = "orchestrator-ecr"
     }
   )
 
-  account_ids = {
-    for name, env in local.global_vars.locals.environments : name => env.account_id
-  }
 }
 
 inputs = {
-  account_ids     = local.account_ids
+  account_ids     = local.global_vars.locals.account_ids
   service_configs = local.global_vars.locals.service_configs
   tags            = local.tags
 }
diff --git a/terragrunt/components/orchestrator/iam/terragrunt.hcl b/terragrunt/components/orchestrator/iam/terragrunt.hcl
@@ -9,18 +9,19 @@ include {
 locals {
 
   global_vars = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
-  core_vars   = read_terragrunt_config(find_in_parent_folders("orchestrator.hcl"))
+  orchestrator_vars = read_terragrunt_config(find_in_parent_folders("orchestrator.hcl"))
 
   tags = merge(
     local.global_vars.inputs.tags,
-    local.core_vars.inputs.tags,
+    local.orchestrator_vars.inputs.tags,
     {
       component = "orchestrator-iam"
     }
   )
 }
 
 inputs = {
+  account_ids         = local.global_vars.locals.account_ids
   tags                = local.tags
   terraform_operators = local.global_vars.locals.terraform_operators
 }
diff --git a/terragrunt/components/service/ecs/terragrunt.hcl b/terragrunt/components/service/ecs/terragrunt.hcl
@@ -76,6 +76,8 @@ dependency service_database {
 }
 
 inputs = {
+
+  account_ids     = local.global_vars.locals.account_ids
   service_configs = local.global_vars.locals.service_configs
   tags            = local.tags
 

diff --git a/terragrunt/components/terragrunt.hcl b/terragrunt/components/terragrunt.hcl
@@ -1,5 +1,9 @@
 locals {
 
+    account_ids = {
+        for name, env in local.environments : name => env.account_id
+    }
+
     cidr_b_development = 3
     cidr_b_integration = 4
     cidr_b_orchestrator = 5

diff --git a/terragrunt/modules/core-iam/ci-datasource.tf b/terragrunt/modules/core-iam/ci-datasource.tf
@@ -16,6 +16,14 @@ data "aws_iam_policy_document" "terraform_assume" {
   }
 }
 
+data "aws_iam_policy_document" "terraform_assume_orchestrator_role" {
+  statement {
+    effect    = "Allow"
+    actions   = ["sts:AssumeRole"]
+    resources = ["arn:aws:iam::${local.orchestrator_account_id}:role/cdp-sirsi-orchestrator-read-service-version"]
+  }
+}
+
 data "aws_iam_policy_document" "terraform" {
 
   statement {
@@ -205,8 +213,9 @@ data "aws_iam_policy_document" "terraform_global" {
 
   statement {
     actions = [
-      "ecr:CreateRepository",
+      "ecr:BatchGetImage",
       "ecr:GetAuthorizationToken",
+      "ecr:GetDownloadUrlForLayer",
       "ecs:Create*",
       "ecs:DeregisterTaskDefinition",
       "ecs:DescribeTaskDefinition",
@@ -271,7 +280,8 @@ data "aws_iam_policy_document" "terraform_product" {
     resources = [
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/cdp-sirsi-*",
       "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy/cdp-sirsi-*",
-      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/*"
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/aws-service-role/*",
+      "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/cdp-sirsi-*"
     ]
     sid = "ManageProductIAMs"
   }
@@ -293,9 +303,7 @@ data "aws_iam_policy_document" "terraform_product" {
     actions = ["ec2:*"]
     effect  = "Allow"
     resources = [
-      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*/cdp-sirsi-*",
-      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:vpc/cdp-sirsi-*",
-      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:elastic-ip/cdp-sirsi-*"
+      "arn:aws:ec2:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*/cdp-sirsi-*"
     ]
     sid = "ManageProductEC2"
   }

diff --git a/terragrunt/modules/core-iam/ci.tf b/terragrunt/modules/core-iam/ci.tf
@@ -28,6 +28,12 @@ resource "aws_iam_policy" "terraform_product" {
   tags        = var.tags
 }
 
+resource "aws_iam_policy" "terraform_assume_orchestrator_role" {
+  name        = "${local.name_prefix}-terraform-assume-orchestrator-role"
+  description = "Policy to allow assuming the orchestrator role"
+  policy      = data.aws_iam_policy_document.terraform_assume_orchestrator_role.json
+}
+
 resource "aws_iam_role_policy_attachment" "terraform" {
   policy_arn = aws_iam_policy.terraform.arn
   role       = aws_iam_role.terraform.name
@@ -42,3 +48,8 @@ resource "aws_iam_role_policy_attachment" "terraform_production" {
   policy_arn = aws_iam_policy.terraform_product.arn
   role       = aws_iam_role.terraform.name
 }
+
+resource "aws_iam_role_policy_attachment" "terraform_assume_orchestrator_role" {
+  role       = aws_iam_role.terraform.name
+  policy_arn = aws_iam_policy.terraform_assume_orchestrator_role.arn
+}
diff --git a/terragrunt/modules/core-iam/locals.tf b/terragrunt/modules/core-iam/locals.tf
@@ -1,3 +1,7 @@
+# Note!
+# Resources in this file are shared with orchestrator/iam module
+
 locals {
-  name_prefix = var.product.resource_name
+  name_prefix             = var.product.resource_name
+  orchestrator_account_id = var.account_ids["orchestrator"]
 }
diff --git a/terragrunt/modules/core-iam/variables.tf b/terragrunt/modules/core-iam/variables.tf
@@ -1,3 +1,8 @@
+variable "account_ids" {
+  description = "Map of all accounts and their IDs"
+  type        = map(string)
+}
+
 variable "environment" {
   description = "The environment we are provisioning"
   type        = string

diff --git a/terragrunt/modules/ecs/cloudwatch.tf b/terragrunt/modules/ecs/cloudwatch.tf
@@ -35,32 +35,3 @@ resource "aws_cloudwatch_log_group" "tasks" {
 
   tags = var.tags
 }
-
-resource "aws_cloudwatch_event_rule" "ecr_push" {
-  for_each = aws_ecr_repository.this
-
-  name        = "${local.name_prefix}-ecr-push-to-${each.value.name}"
-  description = "CloudWatch Event rule to detect ECR push events to ${each.value.name}"
-
-  event_pattern = jsonencode(
-    {
-      "source" : ["aws.ecr"],
-      "detail-type" : ["ECR Image Action"],
-      "detail" : {
-        "action-type" : ["PUSH"],
-        "image-tag" : ["latest"],
-        "repository-name" : [each.value.name]
-        "result" : ["SUCCESS"],
-      }
-    }
-  )
-
-  tags = var.tags
-}
-
-resource "aws_cloudwatch_event_target" "trigger_service_deployment" {
-  for_each = aws_cloudwatch_event_rule.ecr_push
-  rule     = each.value.name
-  arn      = each.key == "organisation-information-migrations" ? aws_sfn_state_machine.ecs_run_migration.arn : aws_sfn_state_machine.ecs_force_deploy[each.key].arn
-  role_arn = var.role_cloudwatch_events_arn
-}
diff --git a/terragrunt/modules/ecs/datasource.tf b/terragrunt/modules/ecs/datasource.tf
@@ -83,3 +83,33 @@ data "aws_iam_policy_document" "step_function_manage_services" {
     sid = "MangeIAM"
   }
 }
+
+data "aws_iam_policy_document" "ecr_pull_from_orchestrator" {
+  statement {
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:GetAuthorizationToken"
+    ]
+    resources = ["*"]
+  }
+}
+
+# Configure the provider to assume the role in the orchestrator account and fetch the latest service version
+provider "aws" {
+  alias  = "orchestrator"
+  region = "eu-west-2"
+}
+
+provider "aws" {
+  alias  = "orchestrator_assume_role"
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${local.orchestrator_account_id}:role/cdp-sirsi-orchestrator-read-service-version"
+  }
+}
+
+data "aws_ssm_parameter" "orchestrator_service_version" {
+  provider = aws.orchestrator_assume_role
+  name     = "/cdp-sirsi-service-version"
+}
diff --git a/terragrunt/modules/ecs/ecr.tf b/terragrunt/modules/ecs/ecr.tf
diff --git a/terragrunt/modules/ecs/iam.tf b/terragrunt/modules/ecs/iam.tf
@@ -9,6 +9,17 @@ resource "aws_iam_role_policy_attachment" "ecs_task_access_secrets" {
   role       = var.role_ecs_task_exec_name
 }
 
+resource "aws_iam_policy" "ecr_pull_from_orchestrator" {
+  name   = "${local.name_prefix}-ecr-pull-from-orchestrator"
+  policy = data.aws_iam_policy_document.ecr_pull_from_orchestrator.json
+  tags   = var.tags
+}
+
+resource "aws_iam_role_policy_attachment" "ecr_pull_from_orchestrator" {
+  policy_arn = aws_iam_policy.ecr_pull_from_orchestrator.arn
+  role       = var.role_ecs_task_exec_name
+}
+
 resource "aws_iam_policy" "cloudwatch_event_invoke_deployer_step_function" {
   name        = "${local.name_prefix}-invoke-deployer-step-function"
   description = "Policy for CloudWatch Events to invoke Step Functions"

diff --git a/terragrunt/modules/ecs/locals.tf b/terragrunt/modules/ecs/locals.tf
@@ -1,12 +1,8 @@
 locals {
 
-  service_environment = var.environment == "production" ? "Production" : "Development"
-
-  ecr_urls = [
-    for repos in aws_ecr_repository.this.* : { for repo, attr in repos : repo => attr.repository_url }
-    ][
-    0
-  ]
+  ecr_urls = {
+    for task in local.tasks : task => "${local.orchestrator_account_id}.dkr.ecr.eu-west-2.amazonaws.com/cdp-${task}"
+  }
 
   name_prefix = var.product.resource_name
 
@@ -18,11 +14,17 @@ locals {
     }
   }
 
+  orchestrator_account_id = var.account_ids["orchestrator"]
+
+  orchestrator_service_version = data.aws_ssm_parameter.orchestrator_service_version.value
+
   services = [
     for name, config in var.service_configs :
     config.name if config.name != "organisation-information-migrations"
   ]
 
+  service_environment = var.environment == "production" ? "Production" : "Development"
+
   tasks = [
     for name, config in var.service_configs :
     config.name

diff --git a/terragrunt/modules/ecs/service-authority.tf b/terragrunt/modules/ecs/service-authority.tf
@@ -10,7 +10,7 @@ module "ecs_service_authority" {
       conn_string_location    = var.db_connection_secret_arn
       environment             = local.service_environment
       host_port               = var.service_configs.authority.port
-      image                   = "${local.ecr_urls[var.service_configs.authority.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.authority.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.authority.name].name
       lg_prefix               = "app"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/service-data-sharing.tf b/terragrunt/modules/ecs/service-data-sharing.tf
@@ -8,7 +8,7 @@ module "ecs_service_data_sharing" {
       cpu                     = var.service_configs.data_sharing.cpu
       environment             = local.service_environment
       host_port               = var.service_configs.data_sharing.port
-      image                   = "${local.ecr_urls[var.service_configs.data_sharing.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.data_sharing.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.data_sharing.name].name
       lg_prefix               = "app"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/service-entity-verification.tf b/terragrunt/modules/ecs/service-entity-verification.tf
@@ -8,7 +8,7 @@ module "ecs_service_entity_verification" {
       cpu                     = var.service_configs.entity_verification.cpu
       environment             = local.service_environment
       host_port               = var.service_configs.entity_verification.port
-      image                   = "${local.ecr_urls[var.service_configs.entity_verification.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.entity_verification.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.entity_verification.name].name
       lg_prefix               = "app"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/service-forms.tf b/terragrunt/modules/ecs/service-forms.tf
@@ -8,7 +8,7 @@ module "ecs_service_forms" {
       cpu                     = var.service_configs.forms.cpu
       environment             = local.service_environment
       host_port               = var.service_configs.forms.port
-      image                   = "${local.ecr_urls[var.service_configs.forms.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.forms.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.forms.name].name
       lg_prefix               = "app"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/service-organisation-app.tf b/terragrunt/modules/ecs/service-organisation-app.tf
@@ -8,7 +8,7 @@ module "ecs_service_organisation_app" {
       cpu                     = var.service_configs.organisation_app.cpu
       environment             = local.service_environment
       host_port               = var.service_configs.organisation_app.port
-      image                   = "${local.ecr_urls[var.service_configs.organisation_app.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.organisation_app.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.organisation_app.name].name
       lg_prefix               = "app"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/service-organisation.tf b/terragrunt/modules/ecs/service-organisation.tf
@@ -9,7 +9,7 @@ module "ecs_service_organisation" {
       conn_string_location    = var.db_connection_secret_arn
       environment             = local.service_environment
       host_port               = var.service_configs.organisation.port
-      image                   = "${local.ecr_urls[var.service_configs.organisation.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.organisation.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.organisation.name].name
       lg_prefix               = "app"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/service-person.tf b/terragrunt/modules/ecs/service-person.tf
@@ -9,7 +9,7 @@ module "ecs_service_person" {
       conn_string_location    = var.db_connection_secret_arn
       environment             = local.service_environment
       host_port               = var.service_configs.person.port
-      image                   = "${local.ecr_urls[var.service_configs.person.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.person.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.person.name].name
       lg_prefix               = "app"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/service-tenant.tf b/terragrunt/modules/ecs/service-tenant.tf
@@ -9,7 +9,7 @@ module "ecs_service_tenant" {
       conn_string_location    = var.db_connection_secret_arn
       environment             = local.service_environment
       host_port               = var.service_configs.tenant.port
-      image                   = "${local.ecr_urls[var.service_configs.tenant.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.tenant.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.tenant.name].name
       lg_prefix               = "app"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/task-organisation-information-migrations.tf b/terragrunt/modules/ecs/task-organisation-information-migrations.tf
@@ -7,7 +7,7 @@ module "ecs_service_organisation_information_migrations" {
       cpu                     = var.service_configs.organisation_information_migrations.cpu
       conn_string_location    = var.db_connection_secret_arn
       environment             = local.service_environment
-      image                   = "${local.ecr_urls[var.service_configs.organisation_information_migrations.name]}:latest"
+      image                   = "${local.ecr_urls[var.service_configs.organisation_information_migrations.name]}:${local.orchestrator_service_version}"
       lg_name                 = aws_cloudwatch_log_group.tasks[var.service_configs.organisation_information_migrations.name].name
       lg_prefix               = "db"
       lg_region               = data.aws_region.current.name

diff --git a/terragrunt/modules/ecs/variables.tf b/terragrunt/modules/ecs/variables.tf
@@ -1,3 +1,8 @@
+variable "account_ids" {
+  description = "Map of all accounts and their IDs"
+  type        = map(string)
+}
+
 variable "alb_sg_id" {
   description = "Application load-balancer security group ID"
   type        = string