From 15acd0674033fd8fb6be4f53a18a6cca231ee846 Mon Sep 17 00:00:00 2001
From: Alan
Date: Wed, 18 Oct 2023 09:35:06 +0100
Subject: [PATCH 1/4] Apex Codebuil Setup
---
 terraform/environments/apex/codebuild.tf | 5 +
 terraform/environments/apex/locals.tf | 3 +
 .../apex/modules/codebuild/main.tf | 183 ++++++++++++++++++
 .../apex/modules/codebuild/variables.tf | 25 +++
 4 files changed, 216 insertions(+)
diff --git a/terraform/environments/apex/codebuild.tf b/terraform/environments/apex/codebuild.tf
index d2c927b6a08..3285e52bc13 100644
--- a/terraform/environments/apex/codebuild.tf
+++ b/terraform/environments/apex/codebuild.tf
@@ -5,4 +5,9 @@ module "apex-ecr-codebuild" {
 app_name = local.application_name
 account_id = local.environment_management.account_ids[terraform.workspace]
 tags = local.tags
+ s3_lifecycle_expiration_days = 31
+ s3_lifecycle_noncurr_version_expiration_days = 31
+ core_shared_services_production_account_id = local.environment_management.account_ids["core-shared-services-production"]
+ local_ecr_url = "${local.environment_management.account_ids[terraform.workspace]}.dkr.ecr.eu-west-2.amazonaws.com/apex-local-ecr"
+ application_test_url = local.application_test_url
 }
\ No newline at end of file
diff --git a/terraform/environments/apex/locals.tf b/terraform/environments/apex/locals.tf
index a7454414911..e243252c914 100644
--- a/terraform/environments/apex/locals.tf
+++ b/terraform/environments/apex/locals.tf
@@ -1 +1,4 @@
 #### This file can be used to store locals specific to the member account ####
+locals {
+ application_test_url = "https://apex.laa-development.modernisation-platform.service.justice.gov.uk/apex/"
+}
\ No newline at end of file
diff --git a/terraform/environments/apex/modules/codebuild/main.tf b/terraform/environments/apex/modules/codebuild/main.tf
index 8d846a17bc3..88583adc855 100644
--- a/terraform/environments/apex/modules/codebuild/main.tf
+++ b/terraform/environments/apex/modules/codebuild/main.tf
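Review bot: `local_ecr_url` hand-builds the registry hostname with the region `eu-west-2` and the repository name `apex-local-ecr` embedded in a string, while the module separately sets `AWS_DEFAULT_REGION` on the build project, so the two can silently drift. If the module's own `# ECR Resources` section creates the local repository (it appears to, given the `local-ecr-policy-data` document it defines), the project can read that resource's `repository_url` attribute instead of receiving a hand-assembled URL; otherwise pass region and repository name as separate inputs and compose the URL inside the module. Either way there is then one source of truth for the registry address.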
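Review bot: `application_test_url` is pinned to the `laa-development` hostname, yet `codebuild.tf` picks the account with `terraform.workspace`, so every non-development workspace would run the Selenium test project against the development endpoint and write those results into its own report bucket. If the hostname follows the workspace, keep a map keyed by `terraform.workspace` and index it here, e.g. `application_test_url = local.application_test_urls[terraform.workspace]`, with the map holding one URL per environment. If development is intentionally the only target for now, a comment saying so on the local would prevent the value being trusted elsewhere.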
@@ -1,3 +1,50 @@
+#############################################
+# S3 Bucket for storing deployment, test reports and other outputs
+#############################################
+
+resource "aws_s3_bucket" "deployment_report" {
+ bucket = "laa-${var.app_name}-deployment-pipeline-reportbucket"
+ # force_destroy = true # Enable to recreate bucket deleting everything inside
+ tags = merge(
+ var.tags,
+ {
+ Name = "laa-${var.app_name}-deployment-pipeline-reportbucket"
+ },
+ )
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "report_sse" {
+ bucket = aws_s3_bucket.deployment_report.id
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "report_lifecycle" {
+ bucket = aws_s3_bucket.deployment_report.id
+
+ rule {
+ id = "monthly-expiration"
+ expiration {
+ days = var.s3_lifecycle_expiration_days
+ }
+ noncurrent_version_expiration {
+ noncurrent_days = var.s3_lifecycle_noncurr_version_expiration_days
+ }
+
+ status = "Enabled"
+ }
+}
+
+resource "aws_s3_bucket_versioning" "report_versioning" {
+ bucket = aws_s3_bucket.deployment_report.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+}
+
 ######################################################
 # ECR Resources
 ######################################################
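Review bot: The `deployment_report` bucket gets encryption, lifecycle and versioning resources but no `aws_s3_bucket_public_access_block`, so it relies on account-level defaults to stay private; a bucket holding build and test reports should refuse public ACLs and policies explicitly. The same gap applies to the `codebuild_resources` bucket added in PATCH 2/4. Separately, the `monthly-expiration` rule declares neither `filter` nor `prefix`; some AWS provider versions flag such a rule, so an empty `filter {}` may be needed to keep plans warning-free. A block like the following next to `report_versioning` closes the first point:
```hcl
resource "aws_s3_bucket_public_access_block" "report_public_access" {
  bucket                  = aws_s3_bucket.deployment_report.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```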
@@ -61,4 +108,140 @@ resource "aws_iam_role" "codebuild_s3" {
 Name = "${var.app_name}-CodeBuildRole"
 }
 )
+}
+
+data "template_file" "codebuild_policy" {
+ template = file("${path.module}/codebuild_iam_policy.json.tpl")
+
+ vars = {
+ s3_report_bucket_name = aws_s3_bucket.deployment_report.id
+ core_shared_services_production_account_id = var.core_shared_services_production_account_id
+ account_id = var.account_id
+ app_name = var.app_name
+ }
+}
+
+resource "aws_iam_role_policy" "codebuild_s3" {
+ name = "${var.app_name}-CodeBuildPolicy"
+ role = aws_iam_role.codebuild_s3.name
+ policy = data.template_file.codebuild_policy.rendered
+}
+
+resource "aws_codebuild_project" "app-build" {
+ name = "${var.app_name}-app-build"
+ description = "Project to build the ${var.app_name} Java application"
+ build_timeout = 20
+ # encryption_key = aws_kms_key.codebuild.arn
+ service_role = aws_iam_role.codebuild_s3.arn
+
+ artifacts {
+ type = "NO_ARTIFACTS"
+ }
+ # Comment above and uncomment below to use artifact
+ # artifacts {
+ # type = "S3"
+ # location = aws_s3_bucket.codebuild_artifact.id
+ # }
+
+ environment {
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/docker:17.09.0"
+ type = "LINUX_CONTAINER"
+ privileged_mode = true
+
+ environment_variable {
+ name = "AWS_DEFAULT_REGION"
+ value = "eu-west-2"
+ }
+
+ environment_variable {
+ name = "AWS_ACCOUNT_ID"
+ value = var.account_id
+ }
+
+ environment_variable {
+ name = "REPOSITORY_URI"
+ value = var.local_ecr_url
+ }
+
+ environment_variable {
+ name = "ARTIFACT_BUCKET"
+ value = "deployment_report"
+ }
+
+ environment_variable {
+ name = "APPLICATION_NAME"
+ value = var.app_name
+ }
+
+ environment_variable {
+ name = "REPORT_S3_BUCKET"
+ value = "deployment_report"
+ }
+
+ }
+
+ source {
+ type = "GITHUB"
+ location = "https://github.com/ministryofjustice/laa-${var.app_name}.git"
+ buildspec = "buildspec-mp.yml"
+ }
+
+ tags = merge(
+ var.tags,
+ {
+ Name = "${var.app_name}-app-build"
+ },
+ )
+}
+
+resource "aws_codebuild_project" "test-build" {
+ name = "${var.app_name}-test-build"
+ description = "Project to test the Java application ${var.app_name}"
+ build_timeout = 20
+ # encryption_key = aws_kms_key.codebuild.arn
+ service_role = aws_iam_role.codebuild_s3.arn
+
+ artifacts {
+ type = "NO_ARTIFACTS"
+ }
+ # Comment above and uncomment below to use artifact
+ # artifacts {
+ # type = "S3"
+ # location = aws_s3_bucket.codebuild_artifact.id
+ # }
+
+ environment {
+ compute_type = "BUILD_GENERAL1_MEDIUM"
+ image = "aws/codebuild/python:2.7.12"
+ type = "LINUX_CONTAINER"
+
+ environment_variable {
+ name = "APP_URL"
+ value = var.application_test_url
+ }
+
+ environment_variable {
+ name = "APPLICATION_NAME"
+ value = var.app_name
+ }
+
+ environment_variable {
+ name = "REPORT_S3_BUCKET"
+ value = aws_s3_bucket.deployment_report.id
+ }
+ }
+
+ source {
+ type = "GITHUB"
+ location = "https://github.com/ministryofjustice/laa-${var.app_name}.git"
+ buildspec = "testspec-lz.yml"
+ }
+
+ tags = merge(
+ var.tags,
+ {
+ Name = "${var.app_name}-test"
+ },
+ )
 }
\ No newline at end of file
diff --git a/terraform/environments/apex/modules/codebuild/variables.tf b/terraform/environments/apex/modules/codebuild/variables.tf
index ff9f985e46b..6b28921000a 100644
--- a/terraform/environments/apex/modules/codebuild/variables.tf
+++ b/terraform/environments/apex/modules/codebuild/variables.tf
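Review bot: In `app-build`, the `ARTIFACT_BUCKET` and `REPORT_S3_BUCKET` environment variables are set to the literal string `"deployment_report"`, which is the Terraform resource label rather than the bucket name, so the build would try to write to a bucket called `deployment_report` that this module never creates; `test-build` further down gets it right. Change both to `value = aws_s3_bucket.deployment_report.id`. The curated images `aws/codebuild/docker:17.09.0` and `aws/codebuild/python:2.7.12` are retired generations (Python 2.7 is end-of-life) that no longer receive security updates, so a current `aws/codebuild/standard` image with the Docker and Python runtimes selected in the buildspecs is the usual replacement. Note that the hunk's three context lines and the first `+}` close `resource "aws_iam_role" "codebuild_s3"`, whose body starts outside the hunk.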
@@ -11,4 +11,29 @@ variable "tags" {
 variable "account_id" {
 type = string
 description = "AWS Account ID"
+}
+
+variable "s3_lifecycle_expiration_days" {
+ type = string
+ description = "S3 Bucket lifecycle configuration expiration days"
+}
+
+variable "s3_lifecycle_noncurr_version_expiration_days" {
+ type = string
+ description = "S3 Bucket lifecycle configuration noncurrent version expiration days"
+}
+
+variable "core_shared_services_production_account_id" {
+ type = string
+ description = "AWS Account ID of Core Shared Services Production where the shared ECR resides"
+}
+
+variable "local_ecr_url" {
+ type = string
+ description = "URL for the local ECR repo"
+}
+
+variable "application_test_url" {
+ type = string
+ description = "Endpoint to test the application with Selenium upon"
 }
\ No newline at end of file
From 65516576d38536a6cf9ba85b84a015aaa83e6e1d Mon Sep 17 00:00:00 2001
From: Alan
Date: Thu, 19 Oct 2023 09:29:49 +0100
Subject: [PATCH 2/4] Adding S3 resource bucket for codebuild
---
 .../apex/modules/codebuild/main.tf | 33 +++++++++++++++++++
 .../apex/modules/s3_bucket_policy.json.tpl | 20 +++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 terraform/environments/apex/modules/s3_bucket_policy.json.tpl
diff --git a/terraform/environments/apex/modules/codebuild/main.tf b/terraform/environments/apex/modules/codebuild/main.tf
index 88583adc855..3ef1a8ca3f0 100644
--- a/terraform/environments/apex/modules/codebuild/main.tf
+++ b/terraform/environments/apex/modules/codebuild/main.tf
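Review bot: `s3_lifecycle_expiration_days` and `s3_lifecycle_noncurr_version_expiration_days` are declared `type = string` although they carry day counts, are passed as the number `31` from `codebuild.tf`, and feed the numeric `days` and `noncurrent_days` arguments of the lifecycle rule. Terraform coerces the value, but the string type also accepts something like `"abc"` and only fails at apply time. Declare both as `type = number` (the callers' `31` still satisfies it); a `validation` block requiring a positive value would make the contract explicit but is optional.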
@@ -95,6 +95,39 @@ data "aws_iam_policy_document" "local-ecr-policy-data" {
 }
 }
 
+######################################################
+# S3 Resource Bucket for Codebuild
+######################################################
+
+resource "aws_s3_bucket" "codebuild_resources" {
+ bucket = "laa-${var.app_name}-management-resourcebucket"
+ # force_destroy = true
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "resources_sse" {
+ bucket = aws_s3_bucket.codebuild_resources.id
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+}
+
+data "template_file" "s3_resource_bucket_policy" {
+ template = "${file("${path.module}/s3_bucket_policy.json.tpl")}"
+
+ vars = {
+ account_id = var.account_id,
+ s3_resource_name = aws_s3_bucket.codebuild_resources.id,
+ codebuild_role_name = aws_iam_role.codebuild_s3.id
+ }
+}
+
+resource "aws_s3_bucket_policy" "allow_access_from_codebuild" {
+ bucket = aws_s3_bucket.codebuild_resources.id
+ policy = data.template_file.s3_resource_bucket_policy.rendered
+}
+
 ######################################################
 # CodeBuild projects
 ######################################################
diff --git a/terraform/environments/apex/modules/s3_bucket_policy.json.tpl b/terraform/environments/apex/modules/s3_bucket_policy.json.tpl
new file mode 100644
index 00000000000..5adbbce3cfd
--- /dev/null
+++ b/terraform/environments/apex/modules/s3_bucket_policy.json.tpl
@@ -0,0 +1,20 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Principal": {
+ "AWS": [
+ "arn:aws:iam::${account_id}:role/${codebuild_role_name}"
+ ]
+ },
+ "Effect": "Allow",
+ "Action": [
+ "s3:*"
+ ],
+ "Resource": [
+ "arn:aws:s3:::${s3_resource_name}",
+ "arn:aws:s3:::${s3_resource_name}/*"
+ ]
+ }
+ ]
+}
From 6ddae68cdba98a827963eeaeacd883235696c389 Mon Sep 17 00:00:00 2001
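Review bot: The bucket policy's principal is reassembled from `var.account_id` and `aws_iam_role.codebuild_s3.id` (the role name), so it would silently stop matching if the role were ever given a path or moved; the role resource already exposes the exact ARN, so pass `codebuild_role_arn = aws_iam_role.codebuild_s3.arn` into the template and use it directly in the `Principal`. The `codebuild_resources` bucket also differs from `deployment_report` earlier in this file in having no `aws_s3_bucket_versioning` and no public access block, which matters more for a bucket that supplies build inputs than for one that receives reports; mirroring `report_versioning` here would keep the two buckets consistent. The `# force_destroy = true` comment is fine as a reminder, but stating when it is meant to be enabled would stop it being toggled on casually.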
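Review bot: `"Action": ["s3:*"]` grants the CodeBuild role every S3 API on the bucket, including bucket-level operations such as changing its policy, ACL or deleting it, which a build that fetches and stores resources never needs. A least-privilege statement lists the object and listing actions the buildspecs actually use, e.g. `"s3:GetObject", "s3:PutObject", "s3:ListBucket"` (the precise set depends on the buildspecs, which are not in this patch, so confirm against them). Keeping `s3:ListBucket` on the bucket ARN and the object actions on the `/*` ARN, as the two `Resource` entries already allow, is the conventional split.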
From: Alan
Date: Thu, 19 Oct 2023 13:13:33 +0100
Subject: [PATCH 3/4] Updating the way the policy json is called
---
 terraform/environments/apex/modules/codebuild/main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/apex/modules/codebuild/main.tf b/terraform/environments/apex/modules/codebuild/main.tf
index 3ef1a8ca3f0..8339a67a2a0 100644
--- a/terraform/environments/apex/modules/codebuild/main.tf
+++ b/terraform/environments/apex/modules/codebuild/main.tf
@@ -114,7 +114,7 @@ resource "aws_s3_bucket_server_side_encryption_configuration" "resources_sse" {
 }
 
 data "template_file" "s3_resource_bucket_policy" {
- template = "${file("${path.module}/s3_bucket_policy.json.tpl")}"
+ template = file("${path.module}/s3_bucket_policy.json.tpl")
 
 vars = {
 account_id = var.account_id,
From f88a3c2814789bc225e6276fa881fd1906ada9c5 Mon Sep 17 00:00:00 2001
From: Alan
Date: Thu, 19 Oct 2023 13:16:01 +0100
Subject: [PATCH 4/4] moving the S3 in the correct directory
---
 .../apex/modules/{ => codebuild}/s3_bucket_policy.json.tpl | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename terraform/environments/apex/modules/{ => codebuild}/s3_bucket_policy.json.tpl (100%)
diff --git a/terraform/environments/apex/modules/s3_bucket_policy.json.tpl b/terraform/environments/apex/modules/codebuild/s3_bucket_policy.json.tpl
similarity index 100%
rename from terraform/environments/apex/modules/s3_bucket_policy.json.tpl
rename to terraform/environments/apex/modules/codebuild/s3_bucket_policy.json.tpl
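Review bot: The corrected line still renders the policy through the `template_file` data source, i.e. the separate `hashicorp/template` provider, which HashiCorp has archived in favour of the built-in `templatefile()` function and which is not published for every platform the team may run plans from. The data source can be dropped entirely by rendering inline in the bucket policy resource: `policy = templatefile("${path.module}/s3_bucket_policy.json.tpl", { account_id = var.account_id, s3_resource_name = aws_s3_bucket.codebuild_resources.id, codebuild_role_name = aws_iam_role.codebuild_s3.id })`. The same applies to `data "template_file" "codebuild_policy"` introduced in PATCH 1/4. The `vars` block this hunk shows continues past the hunk's last line.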