Merge pull request #3736 from ministryofjustice/LAWS-3518
Setting up Apex Codebuild
alanrana7 authored Oct 19, 2023
2 parents 0dcf97b + f88a3c2 commit 7f5c968
Showing 5 changed files with 269 additions and 0 deletions.
5 changes: 5 additions & 0 deletions terraform/environments/apex/codebuild.tf
Expand Up @@ -5,4 +5,9 @@ module "apex-ecr-codebuild" {
app_name = local.application_name
account_id = local.environment_management.account_ids[terraform.workspace]
tags = local.tags
s3_lifecycle_expiration_days = 31
s3_lifecycle_noncurr_version_expiration_days = 31
core_shared_services_production_account_id = local.environment_management.account_ids["core-shared-services-production"]
local_ecr_url = "${local.environment_management.account_ids[terraform.workspace]}.dkr.ecr.eu-west-2.amazonaws.com/apex-local-ecr"
application_test_url = local.application_test_url
}
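Review bot: `local_ecr_url` is assembled in the caller from the account id, a hard-coded `eu-west-2` and the repository name `apex-local-ecr`, so it can drift from whatever the module's ECR section actually creates. If the module owns that repository it should expose the repository URL as an output (or at least take a `region` variable) rather than have the caller reconstruct it by string interpolation. The two lifecycle values are passed as bare numbers to variables the module declares as `string`; Terraform coerces them, but the declared type should match the `31` that is actually written here.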
3 changes: 3 additions & 0 deletions terraform/environments/apex/locals.tf
@@ -1 +1,4 @@
#### This file can be used to store locals specific to the member account ####
locals {
application_test_url = "https://apex.laa-development.modernisation-platform.service.justice.gov.uk/apex/"
}
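Review bot: `application_test_url` is hard-coded to the `laa-development` hostname, yet the module that consumes it selects its account with `terraform.workspace`, so a test-build project created in any other workspace would run its Selenium suite against the development endpoint instead of its own environment. Derive the hostname from the workspace, for example `application_test_url = "https://apex.laa-${local.environment}.modernisation-platform.service.justice.gov.uk/apex/"` if a `local.environment` exists in this environment's locals, or key a map on `terraform.workspace`; the comment above the block says it holds member-account-specific locals, which is what a per-workspace value would be.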
216 changes: 216 additions & 0 deletions terraform/environments/apex/modules/codebuild/main.tf
@@ -1,3 +1,50 @@
#############################################
# S3 Bucket for storing deployment, test reports and other outputs
#############################################

resource "aws_s3_bucket" "deployment_report" {
bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
# force_destroy = true # Enable to recreate bucket deleting everything inside
tags = merge(
var.tags,
{
Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
},
)
}

resource "aws_s3_bucket_server_side_encryption_configuration" "report_sse" {
bucket = aws_s3_bucket.deployment_report.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}

resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
bucket = aws_s3_bucket.deployment_report.id

rule {
id = "monthly-expiration"
expiration {
days = var.s3_lifecycle_expiration_days
}
noncurrent_version_expiration {
noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
}

status = "Enabled"
}
}

resource "aws_s3_bucket_versioning" "report_versioning" {
bucket = aws_s3_bucket.deployment_report.id
versioning_configuration {
status = "Enabled"
}
}

######################################################
# ECR Resources
######################################################
Expand Down Expand Up @@ -48,6 +95,39 @@ data "aws_iam_policy_document" "local-ecr-policy-data" {
}
}

######################################################
# S3 Resource Bucket for Codebuild
######################################################

resource "aws_s3_bucket" "codebuild_resources" {
bucket = "laa-${var.app_name}-management-resourcebucket"
# force_destroy = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "resources_sse" {
bucket = aws_s3_bucket.codebuild_resources.id
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}

data "template_file" "s3_resource_bucket_policy" {
template = file("${path.module}/s3_bucket_policy.json.tpl")

vars = {
account_id = var.account_id,
s3_resource_name = aws_s3_bucket.codebuild_resources.id,
codebuild_role_name = aws_iam_role.codebuild_s3.id
}
}

resource "aws_s3_bucket_policy" "allow_access_from_codebuild" {
bucket = aws_s3_bucket.codebuild_resources.id
policy = data.template_file.s3_resource_bucket_policy.rendered
}

######################################################
# CodeBuild projects
######################################################
Expand All @@ -61,4 +141,140 @@ resource "aws_iam_role" "codebuild_s3" {
Name = "${var.app_name}-CodeBuildRole"
}
)
}

data "template_file" "codebuild_policy" {
template = file("${path.module}/codebuild_iam_policy.json.tpl")

vars = {
s3_report_bucket_name = aws_s3_bucket.deployment_report.id
core_shared_services_production_account_id = var.core_shared_services_production_account_id
account_id = var.account_id
app_name = var.app_name
}
}

resource "aws_iam_role_policy" "codebuild_s3" {
name = "${var.app_name}-CodeBuildPolicy"
role = aws_iam_role.codebuild_s3.name
policy = data.template_file.codebuild_policy.rendered
}

resource "aws_codebuild_project" "app-build" {
name = "${var.app_name}-app-build"
description = "Project to build the ${var.app_name} Java application"
build_timeout = 20
# encryption_key = aws_kms_key.codebuild.arn
service_role = aws_iam_role.codebuild_s3.arn

artifacts {
type = "NO_ARTIFACTS"
}
# Comment above and uncomment below to use artifact
# artifacts {
# type = "S3"
# location = aws_s3_bucket.codebuild_artifact.id
# }

environment {
compute_type = "BUILD_GENERAL1_MEDIUM"
image = "aws/codebuild/docker:17.09.0"
type = "LINUX_CONTAINER"
privileged_mode = true

environment_variable {
name = "AWS_DEFAULT_REGION"
value = "eu-west-2"
}

environment_variable {
name = "AWS_ACCOUNT_ID"
value = var.account_id
}

environment_variable {
name = "REPOSITORY_URI"
value = var.local_ecr_url
}

environment_variable {
name = "ARTIFACT_BUCKET"
value = "deployment_report"
}

environment_variable {
name = "APPLICATION_NAME"
value = var.app_name
}

environment_variable {
name = "REPORT_S3_BUCKET"
value = "deployment_report"
}

}

source {
type = "GITHUB"
location = "https://github.com/ministryofjustice/laa-${var.app_name}.git"
buildspec = "buildspec-mp.yml"
}

tags = merge(
var.tags,
{
Name = "${var.app_name}-app-build"
},
)
}

resource "aws_codebuild_project" "test-build" {
name = "${var.app_name}-test-build"
description = "Project to test the Java application ${var.app_name}"
build_timeout = 20
# encryption_key = aws_kms_key.codebuild.arn
service_role = aws_iam_role.codebuild_s3.arn

artifacts {
type = "NO_ARTIFACTS"
}
# Comment above and uncomment below to use artifact
# artifacts {
# type = "S3"
# location = aws_s3_bucket.codebuild_artifact.id
# }

environment {
compute_type = "BUILD_GENERAL1_MEDIUM"
image = "aws/codebuild/python:2.7.12"
type = "LINUX_CONTAINER"

environment_variable {
name = "APP_URL"
value = var.application_test_url
}

environment_variable {
name = "APPLICATION_NAME"
value = var.app_name
}

environment_variable {
name = "REPORT_S3_BUCKET"
value = aws_s3_bucket.deployment_report.id
}
}

source {
type = "GITHUB"
location = "https://github.com/ministryofjustice/laa-${var.app_name}.git"
buildspec = "testspec-lz.yml"
}

tags = merge(
var.tags,
{
Name = "${var.app_name}-test"
},
)
}
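Review bot: In the `app-build` project the `ARTIFACT_BUCKET` and `REPORT_S3_BUCKET` environment variables are set to the literal string `deployment_report`, not to the bucket name, so a buildspec that uploads to `$REPORT_S3_BUCKET` will target a bucket called `deployment_report` that this account does not own; the `test-build` project already does this correctly with `value = aws_s3_bucket.deployment_report.id`, and both variables in `app-build` should use that same reference. The `app-build` environment also pairs `privileged_mode = true` with the long-retired curated image `aws/codebuild/docker:17.09.0` (and `test-build` uses `aws/codebuild/python:2.7.12`), so both should move to a current `aws/codebuild/standard:*` image, keeping privileged mode only because the Docker build needs it. Neither bucket gets an `aws_s3_bucket_public_access_block`, and `codebuild_resources` has no versioning; unless the account enforces the block at account level, add one for each bucket as below, and note that `data "template_file"` is deprecated in favour of the built-in `templatefile()` function.
```hcl
# … unchanged: app-build project up to the environment block …
    environment_variable {
      name  = "ARTIFACT_BUCKET"
      value = aws_s3_bucket.deployment_report.id
    }
# … unchanged: APPLICATION_NAME …
    environment_variable {
      name  = "REPORT_S3_BUCKET"
      value = aws_s3_bucket.deployment_report.id
    }
# … unchanged: source, tags, test-build project …

# Block any public ACL or policy on the report bucket; repeat for codebuild_resources.
resource "aws_s3_bucket_public_access_block" "report_public_access" {
  bucket                  = aws_s3_bucket.deployment_report.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```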
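--- /dev/null
+++ b/terraform/environments/apex/modules/codebuild/s3_bucket_policy.json.tpl
@@ -0,0 +1,20 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Principal": {
+"AWS": [
+"arn:aws:iam::${account_id}:role/${codebuild_role_name}"
+]
+},
+"Effect": "Allow",
+"Action": [
+"s3:*"
+],
+"Resource": [
+"arn:aws:s3:::${s3_resource_name}",
+"arn:aws:s3:::${s3_resource_name}/*"
+]
+}
+]
+}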
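Review bot: The bucket policy grants `s3:*` on the bucket and every object to the CodeBuild role, which includes `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl`; a build role that only needs to read its inputs and write its outputs should be limited to `"s3:GetObject", "s3:PutObject", "s3:ListBucket"` (plus `s3:GetBucketLocation` if the CLI needs it). Because the role is in the same account, this grant is probably duplicated by the role's own policy rendered from `codebuild_iam_policy.json.tpl`, which is not in this diff, so check which of the two is meant to be authoritative. It would also be worth adding a second statement with `"Effect": "Deny"`, `"Principal": "*"` and a `"Bool": {"aws:SecureTransport": "false"}` condition so the rendered policy enforces TLS for every access to the bucket.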
25 changes: 25 additions & 0 deletions terraform/environments/apex/modules/codebuild/variables.tf
Expand Up @@ -11,4 +11,29 @@ variable "tags" {
variable "account_id" {
type = string
description = "AWS Account ID"
}

variable "s3_lifecycle_expiration_days" {
type = string
description = "S3 Bucket lifecycle configuration expiration days"
}

variable "s3_lifecycle_noncurr_version_expiration_days" {
type = string
description = "S3 Bucket lifecycle configuration noncurrent version expiration days"
}

variable "core_shared_services_production_account_id" {
type = string
description = "AWS Account ID of Core Shared Services Production where the shared ECR resides"
}

variable "local_ecr_url" {
type = string
description = "URL for the local ECR repo"
}

variable "application_test_url" {
type = string
description = "Endpoint to test the application with Selenium upon"
}
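Review bot: `s3_lifecycle_expiration_days` and `s3_lifecycle_noncurr_version_expiration_days` are declared `type = string` but feed the numeric `days` and `noncurrent_days` arguments of the lifecycle rule; Terraform coerces `"31"`, but a non-numeric value only fails at apply time. Declare both `type = number` and add a `validation { condition = var.s3_lifecycle_expiration_days > 0, error_message = "Expiration days must be a positive number." }` block so a bad input is rejected at plan. The `variable "tags"` declaration named in the hunk header starts above this section.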
