DP-187 Provision Orchestrator's core componenets

- Initiate deploy job in Github workflow
cabinetoffice · Jul 13, 2024 · af11ecc · af11ecc
1 parent e042c24
commit af11ecc
Show file tree

Hide file tree

Showing 24 changed files with 312 additions and 7 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -0,0 +1,75 @@
+name: Deploy
+
+on:
+  push:
+    branches: [DP-187]
+  pull_request:
+    branches: [DP-187]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    env:
+      CDP_ORGANISATION_APP_PORT: 8888
+      CDP_TENANT_PORT: 8811
+      CDP_ORGANISATION_PORT: 8822
+      CDP_PERSON_PORT: 8833
+      CDP_FORMS_PORT: 8844
+      CDP_DATA_SHARING_PORT: 8855
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v4
+        with:
+          dotnet-version: '8.0.x'
+
+      - name: Build and Test .NET Project
+        run: |
+          dotnet tool restore
+          dotnet restore
+          dotnet build
+          dotnet test --logger trx --results-directory TestResults
+
+      - name: Build Docker Images
+        run: make build-docker
+
+      - name: Start services
+        run: make up
+
+      - name: Stop services
+        run: make down
+
+      - name: Set up AWS CLI
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          aws-region: eu-west-2
+
+      - name: Login to Amazon ECR
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v1
+
+      - name: Tag and Push Docker Images
+        run: |
+          IMAGE_VERSION=$(date +%Y%m%d%H%M%S)
+          for image in cabinetoffice/cdp-organisation-information-migrations cabinetoffice/cdp-data-sharing cabinetoffice/cdp-forms cabinetoffice/cdp-organisation-app cabinetoffice/cdp-organisation cabinetoffice/cdp-person cabinetoffice/cdp-tenant cabinetoffice/cdp-authority; do
+            CLEAN_IMAGE_NAME=$(echo $image | sed 's/^cabinetoffice\///')
+            docker tag $image:latest ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/$CLEAN_IMAGE_NAME:$IMAGE_VERSION
+            docker push ${{ secrets.AWS_ACCOUNT_ID }}.dkr.ecr.eu-west-2.amazonaws.com/$CLEAN_IMAGE_NAME:$IMAGE_VERSION
+          done
+
+      - name: Create Git Tag
+        run: |
+          IMAGE_VERSION=$(date +%Y%m%d%H%M%S)
+          git config --global user.name "github-actions"
+          git config --global user.email "[email protected]"
+          git tag ${IMAGE_VERSION}
+          git push origin ${IMAGE_VERSION}
+
+      - name: Store Version in SSM Parameter Store
+        run: |
+          IMAGE_VERSION=$(date +%Y%m%d%H%M%S)
+          aws ssm put-parameter --name "cdp-sirsi-service-version" --value "${IMAGE_VERSION}" --type String --overwrite
diff --git a/terragrunt/components/common/networking/terragrunt.hcl b/terragrunt/components/common/networking/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = "../../../modules//networking"
+  source = local.global_vars.locals.environment != "orchestrator" ? "../../../modules//networking" : null
 }
 
 include {

diff --git a/terragrunt/components/core/networking/terragrunt.hcl b/terragrunt/components/core/networking/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = "../../../modules//core-networking"
+  source = local.global_vars.locals.environment != "orchestrator" ? "../../../modules//core-networking" : null
 }
 
 include {

diff --git a/terragrunt/components/core/security-groups/terragrunt.hcl b/terragrunt/components/core/security-groups/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = "../../../modules//core-security-groups"
+  source = local.global_vars.locals.environment != "orchestrator" ? "../../../modules//core-security-groups" : null
 }
 
 include {

diff --git a/terragrunt/components/orchestrator/ecr/terragrunt.hcl b/terragrunt/components/orchestrator/ecr/terragrunt.hcl
@@ -0,0 +1,26 @@
+terraform {
+  source = local.global_vars.locals.environment == "orchestrator" ? "../../../modules//orchestrator/ecr" : null
+}
+
+include {
+  path = find_in_parent_folders()
+}
+
+locals {
+
+  global_vars = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
+  core_vars   = read_terragrunt_config(find_in_parent_folders("orchestrator.hcl"))
+
+  tags = merge(
+    local.global_vars.inputs.tags,
+    local.core_vars.inputs.tags,
+    {
+      component = "orchestrator-ecr"
+    }
+  )
+}
+
+inputs = {
+  service_configs = local.global_vars.locals.service_configs
+  tags            = local.tags
+}
diff --git a/terragrunt/components/orchestrator/iam/terragrunt.hcl b/terragrunt/components/orchestrator/iam/terragrunt.hcl
@@ -0,0 +1,26 @@
+terraform {
+  source = local.global_vars.locals.environment == "orchestrator" ? "../../../modules//orchestrator/iam" : null
+}
+
+include {
+  path = find_in_parent_folders()
+}
+
+locals {
+
+  global_vars = read_terragrunt_config(find_in_parent_folders("terragrunt.hcl"))
+  core_vars   = read_terragrunt_config(find_in_parent_folders("orchestrator.hcl"))
+
+  tags = merge(
+    local.global_vars.inputs.tags,
+    local.core_vars.inputs.tags,
+    {
+      component = "orchestrator-iam"
+    }
+  )
+}
+
+inputs = {
+  tags                = local.tags
+  terraform_operators = local.global_vars.locals.terraform_operators
+}
diff --git a/terragrunt/components/orchestrator/orchestrator.hcl b/terragrunt/components/orchestrator/orchestrator.hcl
@@ -0,0 +1,9 @@
+locals {
+  tags = {
+    component_root = "orchestrator"
+  }
+}
+
+inputs = {
+  tags = local.tags
+}
diff --git a/terragrunt/components/service/api-gateway/terragrunt.hcl b/terragrunt/components/service/api-gateway/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = "../../../modules//api-gateway"
+  source = local.global_vars.locals.environment != "orchestrator" ? "../../../modules//api-gateway" : null
 }
 
 include {

diff --git a/terragrunt/components/service/database/terragrunt.hcl b/terragrunt/components/service/database/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = "../../../modules//database"
+  source = local.global_vars.locals.environment != "orchestrator" ? "../../../modules//database" : null
 }
 
 include {

diff --git a/terragrunt/components/service/ecs/terragrunt.hcl b/terragrunt/components/service/ecs/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = "../../../modules//ecs"
+  source = local.global_vars.locals.environment != "orchestrator" ? "../../../modules//ecs" : null
 }
 
 include {

diff --git a/terragrunt/components/service/telemetry/terragrunt.hcl b/terragrunt/components/service/telemetry/terragrunt.hcl
@@ -1,5 +1,5 @@
 terraform {
-  source = "../../../modules//telemetry"
+  source = local.global_vars.locals.environment != "orchestrator" ? "../../../modules//telemetry" : null
 }
 
 include {

diff --git a/terragrunt/components/terragrunt.hcl b/terragrunt/components/terragrunt.hcl
@@ -2,12 +2,29 @@ locals {
 
     cidr_b_development = 3
     cidr_b_integration = 4
+    cidr_b_orchestrator = 5
     cidr_b_production = 1
     cidr_b_staging = 2
 
     environment = get_env("TG_ENVIRONMENT", "development")
 
     environments = {
+        orchestrator = {
+            cidr_block             = "10.${local.cidr_b_orchestrator}.0.0/16"
+            name                   = "orchestrator"
+            postgres_instance_type = "db.t4g.micro"
+            private_subnets        = [
+                "10.${local.cidr_b_orchestrator}.101.0/24",
+                "10.${local.cidr_b_orchestrator}.102.0/24",
+                "10.${local.cidr_b_orchestrator}.103.0/24"
+            ]
+            public_subnets = [
+                "10.${local.cidr_b_orchestrator}.1.0/24",
+                "10.${local.cidr_b_orchestrator}.2.0/24",
+                "10.${local.cidr_b_orchestrator}.3.0/24"
+            ]
+            top_level_domain = "findatender.codatt.net"
+        }
         development = {
             cidr_block             = "10.${local.cidr_b_development}.0.0/16"
             name                   = "dev"

diff --git a/terragrunt/modules/core-iam/ci-datasource.tf b/terragrunt/modules/core-iam/ci-datasource.tf
@@ -1,3 +1,6 @@
+# Note!
+# Resources in this file are shared with orchestrator/iam module
+
 data "aws_iam_policy_document" "terraform_assume" {
   statement {
     actions = ["sts:AssumeRole"]

diff --git a/terragrunt/modules/core-iam/ci.tf b/terragrunt/modules/core-iam/ci.tf
@@ -1,3 +1,6 @@
+# Note!
+# Resources in this file are shared with orchestrator/iam module
+
 resource "aws_iam_role" "terraform" {
   assume_role_policy = data.aws_iam_policy_document.terraform_assume.json
   name               = "${local.name_prefix}-${var.environment}-terraform"

diff --git a/terragrunt/modules/orchestrator/ecr/locals.tf b/terragrunt/modules/orchestrator/ecr/locals.tf
@@ -0,0 +1,12 @@
+locals {
+
+  name_prefix = var.product.resource_name
+
+  repositories = concat(
+    [
+      for name, config in var.service_configs :
+      config.name
+    ],
+    ["cdp-grafana"])
+
+}
diff --git a/terragrunt/modules/orchestrator/ecr/main.tf b/terragrunt/modules/orchestrator/ecr/main.tf
@@ -0,0 +1,12 @@
+resource "aws_ecr_repository" "this" {
+  for_each = toset(local.repositories)
+
+  name                 = "cdp-${each.value}"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = true
+  }
+
+  tags = var.tags
+}
diff --git a/terragrunt/modules/orchestrator/ecr/variables.tf b/terragrunt/modules/orchestrator/ecr/variables.tf
@@ -0,0 +1,29 @@
+variable "environment" {
+  description = "The environment we are provisioning"
+  type        = string
+}
+
+variable "product" {
+  description = "product's common attributes"
+  type = object({
+    name               = string
+    resource_name      = string
+    public_hosted_zone = string
+  })
+}
+
+variable "service_configs" {
+  description = "Map of services to their ports"
+  type = map(object({
+    cpu       = number
+    memory    = number
+    name      = string
+    port      = number
+    port_host = number
+  }))
+}
+
+variable "tags" {
+  description = "Tags to apply to all resources in this module"
+  type        = map(string)
+}
diff --git a/terragrunt/modules/orchestrator/iam/ci-datasource.tf b/terragrunt/modules/orchestrator/iam/ci-datasource.tf
@@ -0,0 +1 @@
+../../core-iam/ci-datasource.tf
diff --git a/terragrunt/modules/orchestrator/iam/ci.tf b/terragrunt/modules/orchestrator/iam/ci.tf
@@ -0,0 +1 @@
+../../core-iam/ci.tf
diff --git a/terragrunt/modules/orchestrator/iam/datasource.tf b/terragrunt/modules/orchestrator/iam/datasource.tf
@@ -0,0 +1,33 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+data "aws_iam_policy_document" "ecr_push_policy" {
+  statement {
+    actions = [
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:BatchGetImage",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:PutImage",
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload"
+    ]
+    resources = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/cdp-*"]
+    effect    = "Allow"
+  }
+}
+
+data "aws_iam_policy_document" "ssm_update_policy" {
+  statement {
+    actions = [
+      "ssm:PutParameter",
+      "ssm:GetParameter",
+      "ssm:DeleteParameter"
+    ]
+    resources = ["*"] # @TODO: (ABN) Limit me
+    effect    = "Allow"
+  }
+}
+
+
diff --git a/terragrunt/modules/orchestrator/iam/github.tf b/terragrunt/modules/orchestrator/iam/github.tf
@@ -0,0 +1,20 @@
+resource "aws_iam_user" "github_user" {
+  name = "github-user"
+  tags = var.tags
+}
+
+resource "aws_iam_user_policy" "ecr_push_policy" {
+  name   = "ECRPushPolicy"
+  user   = aws_iam_user.github_user.name
+  policy = data.aws_iam_policy_document.ecr_push_policy.json
+}
+
+resource "aws_iam_user_policy" "ssm_update_policy" {
+  name   = "SSMUpdatePolicy"
+  user   = aws_iam_user.github_user.name
+  policy = data.aws_iam_policy_document.ssm_update_policy.json
+}
+
+resource "aws_iam_access_key" "github_user_access_key" {
+  user = aws_iam_user.github_user.name
+}
diff --git a/terragrunt/modules/orchestrator/iam/locals.tf b/terragrunt/modules/orchestrator/iam/locals.tf
@@ -0,0 +1,3 @@
+locals {
+  name_prefix = var.product.resource_name
+}
diff --git a/terragrunt/modules/orchestrator/iam/outputs.tf b/terragrunt/modules/orchestrator/iam/outputs.tf
@@ -0,0 +1,12 @@
+output "github_user_access_key_id" {
+  value = aws_iam_access_key.github_user_access_key.id
+}
+
+output "github_user_secret_access_key" {
+  value     = aws_iam_access_key.github_user_access_key.secret
+  sensitive = true
+}
+
+output "terraform_role_arn" {
+  value = aws_iam_role.terraform.arn
+}
diff --git a/terragrunt/modules/orchestrator/iam/variables.tf b/terragrunt/modules/orchestrator/iam/variables.tf
@@ -0,0 +1,23 @@
+variable "environment" {
+  description = "The environment we are provisioning"
+  type        = string
+}
+
+variable "product" {
+  description = "product's common attributes"
+  type = object({
+    name               = string
+    resource_name      = string
+    public_hosted_zone = string
+  })
+}
+
+variable "terraform_operators" {
+  description = "List of IAM user ARNs allowed to assume terraform roles"
+  type        = list(string)
+}
+
+variable "tags" {
+  description = "Tags to apply to all resources in this module"
+  type        = map(string)
+}