PRC-446 : Create PREPROD environment #29299

Merged
merged 1 commit into from
Jan 31, 2025
PRC-446 : Create prod environment for hmpps-personal-relationships-api
prabash-moj committed Jan 31, 2025

commit 528b90ef701d678e84eca9b93944eb0846ee70e3
@@ -0,0 +1,16 @@
apiVersion: v1
kind: Namespace
metadata:
name: "hmpps-personal-relationships-preprod"
labels:
cloud-platform.justice.gov.uk/is-production: "false"
cloud-platform.justice.gov.uk/environment-name: "preprod"
pod-security.kubernetes.io/enforce: restricted
annotations:
cloud-platform.justice.gov.uk/business-unit: "HMPPS"
cloud-platform.justice.gov.uk/slack-channel: "public_move-and-improve"
cloud-platform.justice.gov.uk/application: "HMPPS personal-relationships"
cloud-platform.justice.gov.uk/owner: "Move and Improve: [email protected]"
cloud-platform.justice.gov.uk/source-code: "https://github.com/ministryofjustice/hmpps-personal-relationships-api"
cloud-platform.justice.gov.uk/team-name: "farsight-devs"
cloud-platform.justice.gov.uk/review-after: ""
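Review bot: The `cloud-platform.justice.gov.uk/environment-name` label on this Namespace is `"preprod"`, while the Terraform `environment` variable added in the same PR defaults to `"preproduction"`; that variable is what the ElastiCache, RDS and IRSA modules receive as `environment_name`, so the namespace and its AWS resources end up tagged with different environment names. Pick one spelling — the value the platform expects is not visible here, so confirm against a sibling environment — and use it in both places. The empty `cloud-platform.justice.gov.uk/review-after: ""` annotation also reads as a placeholder; either a date or a short comment saying the review cadence is intentionally unset would make the intent explicit.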
@@ -0,0 +1,19 @@
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: hmpps-personal-relationships-preprod-admin
namespace: hmpps-personal-relationships-preprod
subjects:
- kind: Group
name: "github:dps-tech"
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: "github:hmpps-sre"
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: "github:hmpps-move-and-improve"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
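Review bot: This RoleBinding grants the `admin` ClusterRole to three GitHub groups — `github:dps-tech`, `github:hmpps-sre` and `github:hmpps-move-and-improve` — so every member of each group gets full control of the preprod namespace, including the ability to create further RoleBindings. If the first two are groups expected on every HMPPS namespace, a one-line comment above `subjects:` naming why each group needs admin would document the deliberate scope; otherwise the binding should be trimmed to the owning team. Note also that the team bound here is `hmpps-move-and-improve`, while the Namespace annotation in this PR sets `team-name: "farsight-devs"` and the Terraform `team_name` variable defaults to `hmpps-move-and-improve` — worth confirming which team name is the owner of record.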
@@ -0,0 +1,14 @@
apiVersion: v1
kind: LimitRange
metadata:
name: limitrange
namespace: hmpps-personal-relationships-preprod
spec:
limits:
- default:
cpu: 1000m
memory: 1000Mi
defaultRequest:
cpu: 10m
memory: 100Mi
type: Container
@@ -0,0 +1,8 @@
apiVersion: v1
kind: ResourceQuota
metadata:
name: namespace-quota
namespace: hmpps-personal-relationships-preprod
spec:
hard:
pods: "50"
@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default
namespace: hmpps-personal-relationships-preprod
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- podSelector: {}
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: allow-ingress-controllers
namespace: hmpps-personal-relationships-preprod
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- namespaceSelector:
matchLabels:
component: ingress-controllers
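Review bot: Both NetworkPolicy documents set `policyTypes: [Ingress]` only, so egress from the namespace is left entirely to the cluster default; if unrestricted egress from preprod is intended, a comment above the first `spec:` saying so saves the next reader from checking, and if not, an Egress policy belongs alongside these. As a point of style, the two documents order `kind` and `apiVersion` differently and only the second is preceded by `---`; writing both as `apiVersion` then `kind` with a leading `---` matches the Certificate manifest in this PR. The `default` policy's `podSelector: {}` ingress rule admits traffic from any pod in the namespace, which is a sensible baseline but is not obvious from the name, so a comment such as `# allow pod-to-pod traffic within this namespace only` would help.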
@@ -0,0 +1,26 @@
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hmpps-personal-relationships-api-cert
namespace: hmpps-personal-relationships-preprod
spec:
secretName: hmpps-personal-relationships-api-cert
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
dnsNames:
- personal-relationships-api-preprod.hmpps.service.justice.gov.uk
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: hmpps-personal-relationships-ui-cert
namespace: hmpps-personal-relationships-preprod
spec:
secretName: hmpps-personal-relationships-ui-cert
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
dnsNames:
- personal-relationships-preprod.hmpps.service.justice.gov.uk
@@ -0,0 +1,14 @@
resource "kubernetes_secret" "hmpps_personal_relationships_domain_events_topic" {
metadata {
name = "hmpps-domain-events-topic"
namespace = var.namespace
}

data = {
topic_arn = data.aws_ssm_parameter.hmpps-domain-events-topic-arn.value
}
}

data "aws_ssm_parameter" "hmpps-domain-events-topic-arn" {
name = "/hmpps-domain-events-preprod/topic-arn"
}
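Review bot: The data source is named `hmpps-domain-events-topic-arn` with hyphens, while every other data source and resource in this PR (`irsa_policy_arns_sqs`, `elasticache_redis`, `hmpps_personal_relationships_domain_events_topic`) uses snake_case; hyphenated identifiers are legal HCL but trip the usual naming-convention lint and read inconsistently. Rename it to `data "aws_ssm_parameter" "hmpps_domain_events_topic_arn"` and update the reference on the `topic_arn` line to match. A short header comment stating that the ARN is read from the `hmpps-domain-events-preprod` SSM parameter and exposed to pods through the `hmpps-domain-events-topic` secret would also help, since the file has none.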
@@ -0,0 +1,39 @@
################################################################################
# HMPPs Typescript Template Application Elasticache
################################################################################

module "elasticache_redis" {
source = "github.com/ministryofjustice/cloud-platform-terraform-elasticache-cluster?ref=7.2.0"
vpc_name = var.vpc_name
team_name = var.team_name
business_unit = var.business_unit
application = var.application
is_production = var.is_production
namespace = var.namespace
environment_name = var.environment
infrastructure_support = var.infrastructure_support

number_cache_clusters = var.number_cache_clusters
# sized for micro in dev, preprod, suggest small for production
node_type = "cache.t4g.micro"
engine_version = "7.0"
parameter_group_name = "default.redis7"

providers = {
aws = aws.london
}
}

resource "kubernetes_secret" "elasticache_redis" {
metadata {
name = "elasticache-redis"
namespace = var.namespace
}

data = {
primary_endpoint_address = module.elasticache_redis.primary_endpoint_address
auth_token = module.elasticache_redis.auth_token
member_clusters = jsonencode(module.elasticache_redis.member_clusters)
replication_group_id = module.elasticache_redis.replication_group_id
}
}
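Review bot: The banner comment reads `HMPPs Typescript Template Application Elasticache`, which is left over from the template and does not describe this namespace; replace it with the service name, e.g. `# hmpps-personal-relationships-api ElastiCache (Redis)`. The `node_type` comment `sized for micro in dev, preprod, suggest small for production` is useful and should stay. Because the `elasticache-redis` secret carries `auth_token`, a one-line comment above `data = {` noting that the value is the Redis AUTH token and should only be mounted by the workloads that need it would document the sensitivity — nothing in the hunk says what the four keys are.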
@@ -0,0 +1,60 @@
# Add the names of the SQS queues & SNS topics which the app needs permissions to access.
# The value of each item should be the namespace where the queue or topic was created.
# This information is used to collect the IAM policies which are used by the IRSA module.
locals {
# The names of the queues used and the namespace which created them
sqs_queues = {
"Digital-Prison-Services-preprod-hmpps_audit_queue" = "hmpps-audit-preprod",
}

# The names of the SNS topics used and the namespace which created them
sns_topics = {
"cloud-platform-Digital-Prison-Services-15b2b4a6af7714848baeaf5f41c85fcd" = "hmpps-domain-events-preprod"
}

sqs_policies = { for item in data.aws_ssm_parameter.irsa_policy_arns_sqs : item.name => item.value }
sns_policies = { for item in data.aws_ssm_parameter.irsa_policy_arns_sns : item.name => item.value }
}

module "irsa" {
source = "github.com/ministryofjustice/cloud-platform-terraform-irsa?ref=2.0.0" # use the latest release

# EKS configuration
eks_cluster_name = var.eks_cluster_name

# IRSA configuration
service_account_name = "hmpps-personal-relationships-api"
role_policy_arns = merge(local.sqs_policies, local.sns_policies)

# Tags
business_unit = var.business_unit
application = var.application
is_production = var.is_production
team_name = var.team_name
namespace = var.namespace # this is also used to attach your service account to your namespace
environment_name = var.environment
infrastructure_support = var.infrastructure_support
}

data "aws_ssm_parameter" "irsa_policy_arns_sqs" {
for_each = local.sqs_queues
name = "/${each.value}/sqs/${each.key}/irsa-policy-arn"
}

data "aws_ssm_parameter" "irsa_policy_arns_sns" {
for_each = local.sns_topics
name = "/${each.value}/sns/${each.key}/irsa-policy-arn"
}

resource "kubernetes_secret" "irsa" {
metadata {
name = "irsa-output"
namespace = var.namespace
}
data = {
role = module.irsa.role_name
serviceaccount = module.irsa.service_account.name
rolearn = module.irsa.role_arn
}
}
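Review bot: The inline comment `# use the latest release` on the `module "irsa"` source line contradicts the pinned `ref=2.0.0` beside it; either state why 2.0.0 is pinned or drop the comment, since a reader cannot tell whether the pin is deliberate. The `sns_topics` key `cloud-platform-Digital-Prison-Services-15b2b4a6af7714848baeaf5f41c85fcd` is an opaque generated topic name; a comment naming the topic it refers to (presumably the HMPPS domain events topic, given the `hmpps-domain-events-preprod` namespace value) would make the mapping reviewable. The file also ends with an extra blank line after the closing brace, which `terraform fmt` would remove.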

@@ -0,0 +1,48 @@
terraform {
backend "s3" {
}
}

provider "aws" {
alias = "london"
region = "eu-west-2"

default_tags {
tags = {
source-code = "github.com/ministryofjustice/cloud-platform-environments"
slack-channel = var.slack_channel
GithubTeam = "hmpps-move-and-improve"
}
}
}

provider "aws" {
alias = "ireland"
region = "eu-west-1"

default_tags {
tags = {
source-code = "github.com/ministryofjustice/cloud-platform-environments"
slack-channel = var.slack_channel
GithubTeam = "hmpps-move-and-improve"
}
}
}

provider "github" {
token = var.github_token
owner = var.github_owner
}

provider "kubernetes" {}

locals {
default_tags = {
business_unit = var.business_unit
application = var.application
is_production = var.is_production
team_name = var.team_name
environment_name = var.environment
infrastructure_support = var.infrastructure_support
}
}
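Review bot: `GithubTeam = "hmpps-move-and-improve"` is hard-coded in both `default_tags` blocks while `var.team_name` in this PR carries the same value; using `GithubTeam = var.team_name` in both providers keeps the tag from drifting if the team name changes. The `locals { default_tags = ... }` block at the end is not referenced anywhere in this PR — the ElastiCache, RDS and IRSA modules are each passed the tag variables individually — so either wire the modules to it or remove it; if it is consumed by a file outside this PR, a comment saying so would help. The empty `backend "s3" {}` is presumably completed by the platform's `-backend-config`, which is worth a one-line comment for readers unfamiliar with that setup.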
@@ -0,0 +1,63 @@
/*
* Make sure that you use the latest version of the module by changing the
* `ref=` value in the `source` attribute to the latest version listed on the
* releases page of this repository.
*
*/
module "rds" {
source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=8.0.1"

# VPC configuration
vpc_name = var.vpc_name

# RDS configuration
allow_minor_version_upgrade = true
allow_major_version_upgrade = false
performance_insights_enabled = false
db_max_allocated_storage = "500"
enable_rds_auto_start_stop = true # Uncomment to turn off your database overnight between 10PM and 6AM UTC / 11PM and 7AM BST.
# db_password_rotated_date = "2023-04-17" # Uncomment to rotate your database password.

# PostgreSQL specifics
db_engine = "postgres"
db_engine_version = "16"
rds_family = "postgres16"
db_instance_class = "db.t4g.small"

# Tags
application = var.application
business_unit = var.business_unit
environment_name = var.environment
infrastructure_support = var.infrastructure_support
is_production = var.is_production
namespace = var.namespace
team_name = var.team_name
}

resource "kubernetes_secret" "rds" {
metadata {
name = "rds-postgresql-instance-output"
namespace = var.namespace
}

data = {
rds_instance_endpoint = module.rds.rds_instance_endpoint
database_name = module.rds.database_name
database_username = module.rds.database_username
database_password = module.rds.database_password
rds_instance_address = module.rds.rds_instance_address
}
}

resource "kubernetes_config_map" "rds" {
metadata {
name = "rds-postgresql-instance-output"
namespace = var.namespace
}

data = {
database_name = module.rds.database_name
db_identifier = module.rds.db_identifier
}
}
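Review bot: The trailing comment on `enable_rds_auto_start_stop = true` says `Uncomment to turn off your database overnight...`, but the setting is already active, so the comment is stale; reword it to `# Stops the database overnight between 10PM and 6AM UTC / 11PM and 7AM BST.` or similar. `db_max_allocated_storage = "500"` passes a quoted string where a size in GiB is meant, which is fine only if the module's variable is typed string — that is not visible here, so worth confirming. The `rds` Secret and ConfigMap share the name `rds-postgresql-instance-output`, which is legal because they are different kinds, but a brief comment that the ConfigMap carries only the non-secret identifiers would clarify why the split exists. The file also ends with an extra blank line.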

@@ -0,0 +1,73 @@
locals {
sa_rules = [
{
api_groups = [""]
resources = [
"pods/portforward",
"deployment",
"secrets",
"services",
"configmaps",
"pods",
]
verbs = [
"patch",
"get",
"create",
"update",
"delete",
"list",
"watch",
]
},
{
api_groups = [
"extensions",
"apps",
"batch",
"networking.k8s.io",
"policy",
]
resources = [
"deployments",
"ingresses",
"cronjobs",
"jobs",
"replicasets",
"poddisruptionbudgets",
"networkpolicies"
]
verbs = [
"get",
"update",
"delete",
"create",
"patch",
"list",
"watch",
]
},
{
api_groups = [
"monitoring.coreos.com",
]
resources = [
"prometheusrules",
"servicemonitors"
]
verbs = [
"*",
]
},
]
}

module "serviceaccount" {
source = "github.com/ministryofjustice/cloud-platform-terraform-serviceaccount?ref=1.1.0"
namespace = var.namespace
kubernetes_cluster = var.kubernetes_cluster
serviceaccount_name = "circleci"
role_name = "circleci"
serviceaccount_rules = local.sa_rules
rolebinding_name = "circleci"
}
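Review bot: In the first `sa_rules` entry, `"deployment"` is listed under `api_groups = [""]`, but the core group has no such resource — deployments are served by `apps`, which the second entry already covers with `"deployments"` — so that line grants nothing and should be removed. The second entry's `"extensions"` group no longer serves any of the listed resources on current Kubernetes versions; keeping it is harmless but misleading, so consider dropping it. This role also gives the `circleci` service account `get`/`list` on every Secret in the namespace, including the RDS password and Redis AUTH token written by the other files in this PR; if that is required (for example for Helm release storage), a comment above `sa_rules` stating so documents the deliberate exposure.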
@@ -0,0 +1,77 @@
variable "vpc_name" {
description = "VPC name to create security groups in for the ElastiCache and RDS modules"
type = string
}

variable "kubernetes_cluster" {
description = "Kubernetes cluster name for references to secrets for service accounts"
type = string
}

variable "application" {
description = "Name of the application you are deploying"
type = string
default = "HMPPS Personal Relationships"
}

variable "namespace" {
description = "Name of the namespace these resources are part of"
type = string
default = "hmpps-personal-relationships-preprod"
}

variable "business_unit" {
description = "Area of the MOJ responsible for this service"
type = string
default = "HMPPS"
}

variable "team_name" {
description = "Name of the development team responsible for this service"
type = string
default = "hmpps-move-and-improve"
}

variable "environment" {
description = "Name of the environment type for this service"
type = string
default = "preproduction"
}

variable "eks_cluster_name" {
description = "The name of the eks cluster to retrieve the OIDC information"
}

variable "infrastructure_support" {
description = "Email address of the team responsible this service"
type = string
default = "dps-hmpps@digital.justice.gov.uk"
}

variable "is_production" {
description = "Whether this environment type is production or not"
type = string
default = "false"
}

variable "slack_channel" {
description = "Slack channel name for your team, if we need to contact you about this service"
type = string
default = "public_move-and-improve"
}

variable "github_owner" {
description = "The GitHub organization or individual user account containing the app's code repo. Used by the Github Terraform provider. See: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/getting-started/ecr-setup.html#accessing-the-credentials"
type = string
default = "ministryofjustice"
}

variable "github_token" {
type = string
description = "Required by the GitHub Terraform provider"
default = ""
}

variable "number_cache_clusters" {
default = "2"
}
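Review bot: `variable "github_token"` holds a credential but is not marked sensitive, so its value can surface in plan output and CI logs; the file already requires Terraform `>= 1.2.5`, which supports the attribute, so add `sensitive = true` to that block. `variable "eks_cluster_name"` and `variable "number_cache_clusters"` are the only variables without a `type`, and the latter also lacks a `description`; adding `type = string` to the first and a typed, described declaration to the second (whether the ElastiCache module expects a number or a string is not visible here) keeps them consistent with the rest of the file. The `environment` default `"preproduction"` also differs from the `environment-name: "preprod"` label on the Namespace in this PR; confirm which spelling the platform expects.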
@@ -0,0 +1,17 @@
terraform {
required_version = ">= 1.2.5"
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4.67.0"
}
github = {
source = "integrations/github"
version = "~> 5.39.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "~> 2.23.0"
}
}
}