From ec21ff3209b5ee19cd116c889c8adc7ccf2fce28 Mon Sep 17 00:00:00 2001 
From: "prabash.balasuriya" Date: Fri, 31 Jan 2025 16:29:26 +0000 Subject: [PATCH] PRC-446 : Create preprod environment for hmpps-personal-relationships-api --- .../00-namespace.yaml | 16 ++++ .../01-rbac.yaml | 19 +++++ .../02-limitrange.yaml | 14 ++++ .../03-resourcequota.yaml | 8 ++ .../04-networkpolicy.yaml | 27 +++++++ .../06-certificate.yaml | 26 +++++++ .../resources/domain-events-topic.tf | 14 ++++ .../resources/elasticache.tf | 39 ++++++++++ .../resources/irsa.tf | 60 +++++++++++++++ .../resources/main.tf | 48 ++++++++++++ .../resources/rds-postgresql.tf | 63 +++++++++++++++ .../resources/serviceaccount-circleci.tf | 73 ++++++++++++++++++ .../resources/variables.tf | 77 +++++++++++++++++++ .../resources/versions.tf | 17 ++++ 14 files changed, 501 insertions(+) create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/00-namespace.yaml create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/01-rbac.yaml create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/02-limitrange.yaml create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/03-resourcequota.yaml create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/04-networkpolicy.yaml create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/06-certificate.yaml create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/domain-events-topic.tf create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/elasticache.tf create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/irsa.tf create mode 100644 
namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/main.tf create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/rds-postgresql.tf create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/serviceaccount-circleci.tf create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/variables.tf create mode 100644 namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/versions.tf
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/00-namespace.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/00-namespace.yaml new file mode 100644
index 00000000000..f13505c1b4a
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/00-namespace.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "hmpps-personal-relationships-preprod"
+ labels:
+ cloud-platform.justice.gov.uk/is-production: "false"
+ cloud-platform.justice.gov.uk/environment-name: "preprod"
+ pod-security.kubernetes.io/enforce: restricted
+ annotations:
+ cloud-platform.justice.gov.uk/business-unit: "HMPPS"
+ cloud-platform.justice.gov.uk/slack-channel: "public_move-and-improve"
+ cloud-platform.justice.gov.uk/application: "HMPPS personal-relationships"
+ cloud-platform.justice.gov.uk/owner: "Move and Improve: move-and-improve@digital.justice.gov.uk"
+ cloud-platform.justice.gov.uk/source-code: "https://github.com/ministryofjustice/hmpps-personal-relationships-api"
+ cloud-platform.justice.gov.uk/team-name: "farsight-devs"
+ cloud-platform.justice.gov.uk/review-after: ""
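Review bot: The `cloud-platform.justice.gov.uk/team-name` annotation is set to `"farsight-devs"` while every other ownership reference in this commit (the RoleBinding group, the provider `GithubTeam` tag, the `team_name` variable default) names `hmpps-move-and-improve`, which looks like a copy-paste leftover and would likely route platform notifications and cost attribution to the wrong team. `review-after` is also left as `""`, so the namespace will never surface for the periodic review that annotation exists for. Suggest `cloud-platform.justice.gov.uk/team-name: "hmpps-move-and-improve"` and a concrete date in `cloud-platform.justice.gov.uk/review-after`.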
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/01-rbac.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/01-rbac.yaml new file mode 100644
index 00000000000..796eacbf803
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/01-rbac.yaml
@@ -0,0 +1,19 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hmpps-personal-relationships-preprod-admin
+ namespace: hmpps-personal-relationships-preprod
+subjects:
+ - kind: Group
+ name: "github:dps-tech"
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: "github:hmpps-sre"
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: "github:hmpps-move-and-improve"
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: admin
+ apiGroup: rbac.authorization.k8s.io
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/02-limitrange.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/02-limitrange.yaml new file mode 100644
index 00000000000..6cea57d770c
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/02-limitrange.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: limitrange
+ namespace: hmpps-personal-relationships-preprod
+spec:
+ limits:
+ - default:
+ cpu: 1000m
+ memory: 1000Mi
+ defaultRequest:
+ cpu: 10m
+ memory: 100Mi
+ type: Container
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/03-resourcequota.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/03-resourcequota.yaml new file mode 100644
index 00000000000..0eed4e50ca3
--- /dev/null
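Review bot: Binding `github:dps-tech` to the `admin` ClusterRole gives a broad organisation-wide group `get`/`list` on every Secret in this namespace, which after this commit includes the RDS password in `rds-postgresql-instance-output`, the Redis `auth_token` in `elasticache-redis`, and whatever the CircleCI service-account module stores. `hmpps-sre` and the owning team `hmpps-move-and-improve` are the expected subjects; if `dps-tech` only needs to inspect or deploy, `view` or `edit` would expose less, and if platform convention requires `admin` for all three a one-line comment above `subjects:` saying so would save the next reviewer the same question.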
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/03-resourcequota.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: namespace-quota
+ namespace: hmpps-personal-relationships-preprod
+spec:
+ hard:
+ pods: "50"
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/04-networkpolicy.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/04-networkpolicy.yaml new file mode 100644
index 00000000000..2599774b6c9
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/04-networkpolicy.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default
+ namespace: hmpps-personal-relationships-preprod
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector: {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-ingress-controllers
+ namespace: hmpps-personal-relationships-preprod
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ component: ingress-controllers
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/06-certificate.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/06-certificate.yaml new file mode 100644
index 00000000000..d4c20e6c0f1
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/06-certificate.yaml
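Review bot: Both NetworkPolicies list only `Ingress` under `policyTypes`, so pod egress from this namespace is left unrestricted, and the `default` policy admits traffic from any pod in the namespace rather than from a selected set. That may be the platform's standard template, but for a namespace whose pods hold the RDS password and Redis auth token it is worth an explicit decision recorded in the file. If open egress is intended, a comment such as `# egress intentionally unrestricted (platform default)` above the first policy documents it; otherwise add an `Egress` policyType naming the permitted destinations.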
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: hmpps-personal-relationships-api-cert
+ namespace: hmpps-personal-relationships-preprod
+spec:
+ secretName: hmpps-personal-relationships-api-cert
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ dnsNames:
+ - personal-relationships-api-preprod.hmpps.service.justice.gov.uk
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: hmpps-personal-relationships-ui-cert
+ namespace: hmpps-personal-relationships-preprod
+spec:
+ secretName: hmpps-personal-relationships-ui-cert
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ dnsNames:
+ - personal-relationships-preprod.hmpps.service.justice.gov.uk
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/domain-events-topic.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/domain-events-topic.tf new file mode 100644
index 00000000000..ef43171c477
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/domain-events-topic.tf
@@ -0,0 +1,14 @@
+resource "kubernetes_secret" "hmpps_personal_relationships_domain_events_topic" {
+ metadata {
+ name = "hmpps-domain-events-topic"
+ namespace = var.namespace
+ }
+
+ data = {
+ topic_arn = data.aws_ssm_parameter.hmpps-domain-events-topic-arn.value
+ }
+}
+
+data "aws_ssm_parameter" "hmpps-domain-events-topic-arn" {
+ name = "/hmpps-domain-events-preprod/topic-arn"
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/elasticache.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/elasticache.tf new file mode 100644
index 00000000000..678c0750fc1
--- /dev/null
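Review bot: The second Certificate requests a Let's Encrypt production certificate for `personal-relationships-preprod.hmpps.service.justice.gov.uk`, a UI-style hostname, but the commit is scoped to the API and nothing else in the patch references a UI deployment. If no ingress will serve that name, issuance either fails its challenge and retries indefinitely or produces an unused certificate that is still published in public CT logs; consider dropping the `hmpps-personal-relationships-ui-cert` block until a UI exists, or add a comment above it naming the consumer.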
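Review bot: The data source is named `hmpps-domain-events-topic-arn` with hyphens while every other resource and data block in this commit uses snake_case (`irsa_policy_arns_sqs`, `elasticache_redis`, `hmpps_personal_relationships_domain_events_topic` in this very file), so `data "aws_ssm_parameter" "hmpps_domain_events_topic_arn"` with the reference updated to `topic_arn = data.aws_ssm_parameter.hmpps_domain_events_topic_arn.value` would follow Terraform's naming convention and the rest of the namespace. Declaring the data source below the resource that consumes it is valid but reads backwards; placing it first is optional.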
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/elasticache.tf
@@ -0,0 +1,39 @@
+################################################################################
+# HMPPs Typescript Template Application Elasticache
+################################################################################
+
+module "elasticache_redis" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-elasticache-cluster?ref=7.1.0"
+ vpc_name = var.vpc_name
+ team_name = var.team_name
+ business_unit = var.business_unit
+ application = var.application
+ is_production = var.is_production
+ namespace = var.namespace
+ environment_name = var.environment
+ infrastructure_support = var.infrastructure_support
+
+ number_cache_clusters = var.number_cache_clusters
+ # sized for micro in dev, preprod, suggest small for production
+ node_type = "cache.t4g.micro"
+ engine_version = "7.0"
+ parameter_group_name = "default.redis7"
+
+ providers = {
+ aws = aws.london
+ }
+}
+
+resource "kubernetes_secret" "elasticache_redis" {
+ metadata {
+ name = "elasticache-redis"
+ namespace = var.namespace
+ }
+
+ data = {
+ primary_endpoint_address = module.elasticache_redis.primary_endpoint_address
+ auth_token = module.elasticache_redis.auth_token
+ member_clusters = jsonencode(module.elasticache_redis.member_clusters)
+ replication_group_id = module.elasticache_redis.replication_group_id
+ }
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/irsa.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/irsa.tf new file mode 100644
index 00000000000..9147cb4598a
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/irsa.tf
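Review bot: The banner comment at the top of the file, `# HMPPs Typescript Template Application Elasticache`, is a leftover from whatever template this file was copied from and does not describe this API. Replace it with something like `# hmpps-personal-relationships-api preprod ElastiCache (Redis 7, single micro node class)` so the header states what is provisioned. The `auth_token` landing in the `elasticache-redis` Secret is expected; who can read it is governed by the `admin` RoleBinding in `01-rbac.yaml`, so that is where the exposure review belongs.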
@@ -0,0 +1,60 @@
+# Add the names of the SQS queues & SNS topics which the app needs permissions to access.
+# The value of each item should be the namespace where the queue or topic was created.
+# This information is used to collect the IAM policies which are used by the IRSA module.
+locals {
+ # The names of the queues used and the namespace which created them
+ sqs_queues = {
+ "Digital-Prison-Services-preprod-hmpps_audit_queue" = "hmpps-audit-preprod",
+ }
+
+ # The names of the SNS topics used and the namespace which created them
+ sns_topics = {
+ "cloud-platform-Digital-Prison-Services-15b2b4a6af7714848baeaf5f41c85fcd" = "hmpps-domain-events-preprod"
+ }
+
+ sqs_policies = { for item in data.aws_ssm_parameter.irsa_policy_arns_sqs : item.name => item.value }
+ sns_policies = { for item in data.aws_ssm_parameter.irsa_policy_arns_sns : item.name => item.value }
+}
+
+module "irsa" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-irsa?ref=2.0.0" # use the latest release
+
+ # EKS configuration
+ eks_cluster_name = var.eks_cluster_name
+
+ # IRSA configuration
+ service_account_name = "hmpps-personal-relationships-api"
+ role_policy_arns = merge(local.sqs_policies, local.sns_policies)
+
+ # Tags
+ business_unit = var.business_unit
+ application = var.application
+ is_production = var.is_production
+ team_name = var.team_name
+ namespace = var.namespace # this is also used to attach your service account to your namespace
+ environment_name = var.environment
+ infrastructure_support = var.infrastructure_support
+}
+
+data "aws_ssm_parameter" "irsa_policy_arns_sqs" {
+ for_each = local.sqs_queues
+ name = "/${each.value}/sqs/${each.key}/irsa-policy-arn"
+}
+
+data "aws_ssm_parameter" "irsa_policy_arns_sns" {
+ for_each = local.sns_topics
+ name = "/${each.value}/sns/${each.key}/irsa-policy-arn"
+}
+
+resource "kubernetes_secret" "irsa" {
+ metadata {
+ name = "irsa-output"
+ namespace = var.namespace
+ }
+ data = {
+ role = module.irsa.role_name
+ serviceaccount = module.irsa.service_account.name
+ rolearn = module.irsa.role_arn
+ }
+}
+
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/main.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/main.tf new file mode 100644
index 00000000000..29765597407
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/main.tf
@@ -0,0 +1,48 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ alias = "london"
+ region = "eu-west-2"
+
+ default_tags {
+ tags = {
+ source-code = "github.com/ministryofjustice/cloud-platform-environments"
+ slack-channel = var.slack_channel
+ GithubTeam = "hmpps-move-and-improve"
+ }
+ }
+}
+
+provider "aws" {
+ alias = "ireland"
+ region = "eu-west-1"
+
+ default_tags {
+ tags = {
+ source-code = "github.com/ministryofjustice/cloud-platform-environments"
+ slack-channel = var.slack_channel
+ GithubTeam = "hmpps-move-and-improve"
+ }
+ }
+}
+
+provider "github" {
+ token = var.github_token
+ owner = var.github_owner
+}
+
+provider "kubernetes" {}
+
+locals {
+ default_tags = {
+ business_unit = var.business_unit
+ application = var.application
+ is_production = var.is_production
+ team_name = var.team_name
+ environment_name = var.environment
+ infrastructure_support = var.infrastructure_support
+ }
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/rds-postgresql.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/rds-postgresql.tf new file mode 100644
index 00000000000..9e27a64de18
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/rds-postgresql.tf
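Review bot: The SNS key `cloud-platform-Digital-Prison-Services-15b2b4a6af7714848baeaf5f41c85fcd` in `local.sns_topics` is an opaque generated topic name, so a reader of the IAM grant cannot tell which topic's policy is being attached to the API's role without looking it up; a comment on that line such as `# hmpps-domain-events topic (ARN also read in domain-events-topic.tf)` makes the permission reviewable. The `# use the latest release` remark beside the pinned `ref=2.0.0` on the module `source` line contradicts the pin and should be dropped or replaced with the date the version was checked. This hunk spans two physical lines of the patch view; the `kubernetes_secret "irsa"` block closes in the second.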
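Review bot: The `ireland` AWS provider and the `default_tags` local are declared but, as far as this commit shows, nothing references `aws.ireland` or `local.default_tags` — the RDS and IRSA modules take the default provider and ElastiCache explicitly uses `aws.london`. If they are template leftovers, removing them keeps the provider surface to what the namespace actually uses; if a later change will need them, a comment on each saying so avoids the same question on the next review. The `github` provider's `token = var.github_token` relies on a variable that defaults to `""` in `variables.tf`, which is fine if the pipeline injects it but deserves a one-line comment on that line.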
@@ -0,0 +1,63 @@
+/*
+ * Make sure that you use the latest version of the module by changing the
+ * `ref=` value in the `source` attribute to the latest version listed on the
+ * releases page of this repository.
+ *
+ */
+module "rds" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=7.3.1"
+
+ # VPC configuration
+ vpc_name = var.vpc_name
+
+ # RDS configuration
+ allow_minor_version_upgrade = true
+ allow_major_version_upgrade = false
+ performance_insights_enabled = false
+ db_max_allocated_storage = "500"
+ enable_rds_auto_start_stop = true # Uncomment to turn off your database overnight between 10PM and 6AM UTC / 11PM and 7AM BST.
+ # db_password_rotated_date = "2023-04-17" # Uncomment to rotate your database password.
+
+ # PostgreSQL specifics
+ db_engine = "postgres"
+ db_engine_version = "16"
+ rds_family = "postgres16"
+ db_instance_class = "db.t4g.small"
+
+ # Tags
+ application = var.application
+ business_unit = var.business_unit
+ environment_name = var.environment
+ infrastructure_support = var.infrastructure_support
+ is_production = var.is_production
+ namespace = var.namespace
+ team_name = var.team_name
+}
+
+resource "kubernetes_secret" "rds" {
+ metadata {
+ name = "rds-postgresql-instance-output"
+ namespace = var.namespace
+ }
+
+ data = {
+ rds_instance_endpoint = module.rds.rds_instance_endpoint
+ database_name = module.rds.database_name
+ database_username = module.rds.database_username
+ database_password = module.rds.database_password
+ rds_instance_address = module.rds.rds_instance_address
+ }
+}
+
+resource "kubernetes_config_map" "rds" {
+ metadata {
+ name = "rds-postgresql-instance-output"
+ namespace = var.namespace
+ }
+
+ data = {
+ database_name = module.rds.database_name
+ db_identifier = module.rds.db_identifier
+ }
+}
+
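Review bot: The trailing comment on `enable_rds_auto_start_stop = true` still reads `# Uncomment to turn off your database overnight …`, but the line is already active, so the comment describes a state the file is no longer in; rewrite it as `# Instance is stopped overnight (10PM-6AM UTC / 11PM-7AM BST) - preprod only, do not copy to prod` or remove it. The commented `# db_password_rotated_date` line carries the same template wording; if rotation is meant to be routine, note when it should first be set. Keeping `database_password` in the Secret and only `database_name`/`db_identifier` in the same-named ConfigMap is the right split.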
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/serviceaccount-circleci.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/serviceaccount-circleci.tf new file mode 100644
index 00000000000..8e4468414e0
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/serviceaccount-circleci.tf
@@ -0,0 +1,73 @@
+locals {
+ sa_rules = [
+ {
+ api_groups = [""]
+ resources = [
+ "pods/portforward",
+ "deployment",
+ "secrets",
+ "services",
+ "configmaps",
+ "pods",
+ ]
+ verbs = [
+ "patch",
+ "get",
+ "create",
+ "update",
+ "delete",
+ "list",
+ "watch",
+ ]
+ },
+ {
+ api_groups = [
+ "extensions",
+ "apps",
+ "batch",
+ "networking.k8s.io",
+ "policy",
+ ]
+ resources = [
+ "deployments",
+ "ingresses",
+ "cronjobs",
+ "jobs",
+ "replicasets",
+ "poddisruptionbudgets",
+ "networkpolicies"
+ ]
+ verbs = [
+ "get",
+ "update",
+ "delete",
+ "create",
+ "patch",
+ "list",
+ "watch",
+ ]
+ },
+ {
+ api_groups = [
+ "monitoring.coreos.com",
+ ]
+ resources = [
+ "prometheusrules",
+ "servicemonitors"
+ ]
+ verbs = [
+ "*",
+ ]
+ },
+ ]
+}
+
+module "serviceaccount" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?ref=1.1.0"
+ namespace = var.namespace
+ kubernetes_cluster = var.kubernetes_cluster
+ serviceaccount_name = "circleci"
+ role_name = "circleci"
+ serviceaccount_rules = local.sa_rules
+ rolebinding_name = "circleci"
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/variables.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/variables.tf new file mode 100644
index 00000000000..bff8c9045fd
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/variables.tf
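Review bot: The first rule in `local.sa_rules` grants the `circleci` service account `get`, `list` and `watch` (plus full write) on `secrets` across the whole namespace, so the CI credential can read the RDS password, the Redis auth token and the IRSA output Secret created elsewhere in this commit. If the pipeline only needs to create or patch particular secrets, a `resource_names` restriction or dropping `"secrets"` from the core-group rule limits what a compromised CI token can reach; if this is the platform's standard CircleCI rule set, a comment above `sa_rules` saying so is enough. Separately, `"deployment"` in the `api_groups = [""]` rule is a no-op — there is no such core-group resource, and `deployments` is already granted under `apps` in the second rule — so it can be removed.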
@@ -0,0 +1,77 @@
+variable "vpc_name" {
+ description = "VPC name to create security groups in for the ElastiCache and RDS modules"
+ type = string
+}
+
+variable "kubernetes_cluster" {
+ description = "Kubernetes cluster name for references to secrets for service accounts"
+ type = string
+}
+
+variable "application" {
+ description = "Name of the application you are deploying"
+ type = string
+ default = "HMPPS Personal Relationships"
+}
+
+variable "namespace" {
+ description = "Name of the namespace these resources are part of"
+ type = string
+ default = "hmpps-personal-relationships-preprod"
+}
+
+variable "business_unit" {
+ description = "Area of the MOJ responsible for this service"
+ type = string
+ default = "HMPPS"
+}
+
+variable "team_name" {
+ description = "Name of the development team responsible for this service"
+ type = string
+ default = "hmpps-move-and-improve"
+}
+
+variable "environment" {
+ description = "Name of the environment type for this service"
+ type = string
+ default = "preproduction"
+}
+
+variable "eks_cluster_name" {
+ description = "The name of the eks cluster to retrieve the OIDC information"
+}
+
+variable "infrastructure_support" {
+ description = "Email address of the team responsible this service"
+ type = string
+ default = "dps-hmpps@digital.justice.gov.uk"
+}
+
+variable "is_production" {
+ description = "Whether this environment type is production or not"
+ type = string
+ default = "false"
+}
+
+variable "slack_channel" {
+ description = "Slack channel name for your team, if we need to contact you about this service"
+ type = string
+ default = "public_move-and-improve"
+}
+
+variable "github_owner" {
+ description = "The GitHub organization or individual user account containing the app's code repo. Used by the Github Terraform provider. 
See: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/getting-started/ecr-setup.html#accessing-the-credentials"
+ type = string
+ default = "ministryofjustice"
+}
+
+variable "github_token" {
+ type = string
+ description = "Required by the GitHub Terraform provider"
+ default = ""
+}
+
+variable "number_cache_clusters" {
+ default = "2"
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/versions.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/versions.tf new file mode 100644
index 00000000000..001c7bad981
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-personal-relationships-preprod/resources/versions.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_version = ">= 1.2.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.67.0"
+ }
+ github = {
+ source = "integrations/github"
+ version = "~> 5.39.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.23.0"
+ }
+ }
+}
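Review bot: `github_token` is declared as a plain `string` with no `sensitive = true`, so any value supplied at apply time can be echoed in plan output and state diffs; add `sensitive = true` to that block. `eks_cluster_name` and `number_cache_clusters` have no `type`, and `number_cache_clusters` no `description`, so malformed inputs surface inside the modules rather than at variable validation — `type = string` on both (matching the existing `"2"` default) plus a one-line description fixes that. This hunk spans two physical lines of the patch view; the `github_owner` description string is cut across the boundary.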