From 2f8262f4deb74080229ff6deb7ad6c347360c2ce Mon Sep 17 00:00:00 2001 From: satishgummadellimoj <134059962+satishgummadellimoj@users.noreply.github.com> Date: Mon, 13 Nov 2023 10:45:47 +0000 Subject: [PATCH 01/23] Merge pull request #215 from ministryofjustice/log-retention-90-days update log retention --- modules/eks/log_groups.tf | 2 +- modules/vpc/log_groups.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/eks/log_groups.tf b/modules/eks/log_groups.tf index 27bc3fd..974c5e1 100644 --- a/modules/eks/log_groups.tf +++ b/modules/eks/log_groups.tf @@ -2,5 +2,5 @@ resource "aws_cloudwatch_log_group" "this" { # The log group name format is /aws/eks//cluster # Reference: https://docs.aws.amazon.com/eks/latest/userguide/control-plane-logs.html name = "/aws/eks/${var.prefix}/cluster" - retention_in_days = terraform.workspace == "production" ? 90 : 7 + retention_in_days = 90 } diff --git a/modules/vpc/log_groups.tf b/modules/vpc/log_groups.tf index 1445541..82ae5a3 100644 --- a/modules/vpc/log_groups.tf +++ b/modules/vpc/log_groups.tf @@ -1,4 +1,4 @@ resource "aws_cloudwatch_log_group" "vpc_flow_log_group" { name = "/aws/vpc/${var.prefix}/flow-logs" - retention_in_days = terraform.workspace == "production" ? 90 : 7 + retention_in_days = 90 } From 58d104cd94e87b46b1358a583873e5aeff5204ce Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 12:51:42 +0000 Subject: [PATCH 02/23] github action improvements --- .github/workflows/deployment.yml | 487 +++++++----------- .../deployment_reusable_workflow.yml | 146 ++++++ 2 files changed, 343 insertions(+), 290 deletions(-) create mode 100644 .github/workflows/deployment_reusable_workflow.yml diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 3e4e5a4..10f5569 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml 
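Review bot: The new `retention_in_days = 90` hard-codes the retention of the EKS control-plane log group, and the same change is made to `vpc_flow_log_group` in modules/vpc/log_groups.tf; a module variable with a 90-day default, e.g. `retention_in_days = var.log_retention_in_days` (declared in the module's variables.tf), would keep the value adjustable per workspace, since audit-log retention requirements for production commonly exceed 90 days while non-production now keeps 90 days it previously dropped after 7. Both hunks show the complete resource bodies and neither sets `kms_key_id`, so both log groups stay on CloudWatch's default encryption; if control-plane audit logs are in scope for customer-managed keys that is worth a follow-up rather than part of this change. The rationale for dropping the production/non-production split is not recorded anywhere in the diff; a one-line comment above the attribute, `# Retained for 90 days in every workspace to keep incident investigation history consistent`, would preserve it.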
@@ -6,300 +6,207 @@ on: - "main" push: branches: - - "main" + - "montoring-impovements" permissions: id-token: write contents: read jobs: - deploy-development: - name: 'Deploy Development' - runs-on: ubuntu-latest - environment: development - defaults: - run: - shell: bash - env: - ENV: "development" - TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} - TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} - TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} - TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} - TF_VAR_enabled: ${{ secrets.ENABLED }} - TF_VAR_zone_id: ${{ secrets.ZONE_ID }} - TF_VAR_db_username: ${{ secrets.DB_USERNAME }} - TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} - TF_VAR_enable_transit_gateway: ${{ secrets.ENABLE_TRANSIT_GATEWAY }} - TF_VAR_transit_gateway_id: ${{ secrets.TRANSIT_GATEWAY_ID }} - TF_VAR_transit_gateway_route_table_id: ${{ secrets.TRANSIT_GATEWAY_ROUTE_TABLE_ID }} - TF_VAR_byoip_pool_id: ${{ secrets.BYOIP_POOL_ID }} - TF_VAR_corsham_mgmt_range: ${{ secrets.CORSHAM_MGMT_RANGE }} - TF_VAR_farnborough_mgmt_range: ${{ secrets.FARNBOROUGH_MGMT_RANGE }} - TF_VAR_network_services_cidr_block: ${{ secrets.NETWORK_SERVICES_CIDR_BLOCK }} - AZUREAD_CLIENT_ID: ${{ secrets.AZUREAD_CLIENT_ID }} - AZUREAD_CLIENT_SECRET: ${{ secrets.AZUREAD_CLIENT_SECRET }} - AZUREAD_AUTH_URL: ${{ secrets.AZUREAD_AUTH_URL }} - AZUREAD_TOKEN_URL: ${{ secrets.AZUREAD_TOKEN_URL }} - SERVER_ROOT_URL: ${{ secrets.SERVER_ROOT_URL }} - DB_USERNAME: ${{ secrets.DB_USERNAME }} - DB_PASSWORD: ${{ secrets.DB_PASSWORD }} - DB_NAME: ${{ secrets.DB_NAME }} - - steps: - - # Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Configure AWS credentials - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2.2.0 - with: - aws-region: eu-west-2 - role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - role-session-name: GitHubWorkflow - - # Install Kubectl and Helm 
CLI - - name: Setup Kubectl and Helm - uses: yokawasa/action-setup-kube-tools@v0.9.3 - with: - setup-tools: | - kubectl - helm - kubectl: '1.25.6' - helm: '3.8.0' - - # Create environment variables from AWS SSM parameters values - - name: Create environment variables from AWS SSM - run: | - export dhcpApiBasicAuthUsername=`aws ssm get-parameter --name /codebuild/dhcp/admin/api/basic_auth_username --query Parameter.Value --with-decryption --output text` - export dhcpApiBasicAuthPassword=`aws ssm get-parameter --name /codebuild/dhcp/admin/api/basic_auth_password --query Parameter.Value --with-decryption --output text` - - # Install Terraform CLI - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.2.0 - terraform_wrapper: false - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform init -upgrade -reconfigure --backend-config="key=terraform.$ENV.state" - - # Select or create and then select a Terraform workspace - - name: Terraform Workspace - run: terraform workspace select $ENV || terraform workspace new $ENV - - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Format - run: terraform fmt --recursive -check - - # Validates Terraform configuration - - name: Terraform Validate - run: terraform validate - - # Generates an execution plan for Terraform - - name: Terraform Plan - run: terraform plan - - # On push to main, build or change infrastructure according to Terraform configuration files - # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". 
See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - - name: Terraform Apply - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: terraform apply -auto-approve - - - name: Run the deployment script - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: make deploy - - # Terraform apply in pre-production - deploy-pre-production: - name: 'Deploy Pre-Production' - needs: deploy-development - runs-on: ubuntu-latest - environment: pre-production - defaults: - run: - shell: bash - env: - ENV: "pre-production" - TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} - TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} - TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} - TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} - TF_VAR_enabled: ${{ secrets.ENABLED }} - TF_VAR_zone_id: ${{ secrets.ZONE_ID }} - TF_VAR_db_username: ${{ secrets.DB_USERNAME }} - TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} - TF_VAR_enable_transit_gateway: ${{ secrets.ENABLE_TRANSIT_GATEWAY }} - TF_VAR_transit_gateway_id: ${{ secrets.TRANSIT_GATEWAY_ID }} - TF_VAR_transit_gateway_route_table_id: ${{ secrets.TRANSIT_GATEWAY_ROUTE_TABLE_ID }} - TF_VAR_byoip_pool_id: ${{ secrets.BYOIP_POOL_ID }} - TF_VAR_corsham_mgmt_range: ${{ secrets.CORSHAM_MGMT_RANGE }} - TF_VAR_farnborough_mgmt_range: ${{ secrets.FARNBOROUGH_MGMT_RANGE }} - TF_VAR_network_services_cidr_block: ${{ secrets.NETWORK_SERVICES_CIDR_BLOCK }} - AZUREAD_CLIENT_ID: ${{ secrets.AZUREAD_CLIENT_ID }} - AZUREAD_CLIENT_SECRET: ${{ secrets.AZUREAD_CLIENT_SECRET }} - AZUREAD_AUTH_URL: ${{ secrets.AZUREAD_AUTH_URL }} - AZUREAD_TOKEN_URL: ${{ secrets.AZUREAD_TOKEN_URL }} - SERVER_ROOT_URL: ${{ secrets.SERVER_ROOT_URL }} - DB_USERNAME: ${{ secrets.DB_USERNAME }} - DB_PASSWORD: ${{ secrets.DB_PASSWORD }} - DB_NAME: ${{ secrets.DB_NAME }} - - steps: - # 
Checkout the repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Configure AWS credentials - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2.2.0 - with: - aws-region: eu-west-2 - role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - role-session-name: GitHubWorkflow - - # Install Kubectl and Helm CLI - - name: Setup Kubectl and Helm - uses: yokawasa/action-setup-kube-tools@v0.9.3 - with: - setup-tools: | - kubectl - helm - kubectl: '1.25.6' - helm: '3.8.0' - - # Install Terraform CLI - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.2.0 - terraform_wrapper: false - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform init -upgrade -reconfigure --backend-config="key=terraform.$ENV.state" - - # Select or create and then select a Terraform workspace - - name: Terraform Workspace - run: terraform workspace select $ENV || terraform workspace new $ENV - - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Format - run: terraform fmt --recursive -check - - # Validates Terraform configuration - - name: Terraform Validate - run: terraform validate - - # Generates an execution plan for Terraform - - name: Terraform Plan - run: terraform plan - - # On push to main, build or change infrastructure according to Terraform configuration files - # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". 
See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - - name: Terraform Apply - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: terraform apply -auto-approve - - - name: Run the deployment script - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: make deploy - - # Terraform apply in production - deploy-production: - name: 'Deploy Production' - needs: deploy-pre-production - runs-on: ubuntu-latest - environment: production - defaults: - run: - shell: bash - env: - ENV: "production" - TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} - TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} - TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} - TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} - TF_VAR_enabled: ${{ secrets.ENABLED }} - TF_VAR_zone_id: ${{ secrets.ZONE_ID }} - TF_VAR_db_username: ${{ secrets.DB_USERNAME }} - TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} - TF_VAR_enable_transit_gateway: ${{ secrets.ENABLE_TRANSIT_GATEWAY }} - TF_VAR_transit_gateway_id: ${{ secrets.TRANSIT_GATEWAY_ID }} - TF_VAR_transit_gateway_route_table_id: ${{ secrets.TRANSIT_GATEWAY_ROUTE_TABLE_ID }} - TF_VAR_byoip_pool_id: ${{ secrets.BYOIP_POOL_ID }} - TF_VAR_corsham_mgmt_range: ${{ secrets.CORSHAM_MGMT_RANGE }} - TF_VAR_farnborough_mgmt_range: ${{ secrets.FARNBOROUGH_MGMT_RANGE }} - TF_VAR_network_services_cidr_block: ${{ secrets.NETWORK_SERVICES_CIDR_BLOCK }} - AZUREAD_CLIENT_ID: ${{ secrets.AZUREAD_CLIENT_ID }} - AZUREAD_CLIENT_SECRET: ${{ secrets.AZUREAD_CLIENT_SECRET }} - AZUREAD_AUTH_URL: ${{ secrets.AZUREAD_AUTH_URL }} - AZUREAD_TOKEN_URL: ${{ secrets.AZUREAD_TOKEN_URL }} - SERVER_ROOT_URL: ${{ secrets.SERVER_ROOT_URL }} - DB_USERNAME: ${{ secrets.DB_USERNAME }} - DB_PASSWORD: ${{ secrets.DB_PASSWORD }} - DB_NAME: ${{ secrets.DB_NAME }} - - - steps: - # Checkout the 
repository to the GitHub Actions runner - - name: Checkout - uses: actions/checkout@v3 - - # Configure AWS credentials - - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@v2.2.0 - with: - aws-region: eu-west-2 - role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} - role-session-name: GitHubWorkflow - - # Install Kubectl and Helm CLI - - name: Setup Kubectl and Helm - uses: yokawasa/action-setup-kube-tools@v0.9.3 - with: - setup-tools: | - kubectl - helm - kubectl: '1.25.6' - helm: '3.8.0' - - # Install Terraform CLI - - name: Setup Terraform - uses: hashicorp/setup-terraform@v2 - with: - terraform_version: 1.2.0 - terraform_wrapper: false - - # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. - - name: Terraform Init - run: terraform init -upgrade -reconfigure --backend-config="key=terraform.$ENV.state" - - # Select or create and then select a Terraform workspace - - name: Terraform Workspace - run: terraform workspace select $ENV || terraform workspace new $ENV - - # Checks that all Terraform configuration files adhere to a canonical format - - name: Terraform Format - run: terraform fmt --recursive -check - - # Validates Terraform configuration - - name: Terraform Validate - run: terraform validate - - # Generates an execution plan for Terraform - - name: Terraform Plan - run: terraform plan - - # On push to main, build or change infrastructure according to Terraform configuration files - # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". 
See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks - - name: Terraform Apply - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: terraform apply -auto-approve - - - name: Run the deployment script - if: github.ref == 'refs/heads/main' && github.event_name == 'push' - run: make deploy + deploy-development: + uses: ./.github/workflows/deployment_reusable_workflow.yml + with: + ENV: development + secrets: inherit + +# # Terraform apply in pre-production +# deploy-pre-production: +# name: 'Deploy Pre-Production' +# needs: deploy-development +# runs-on: ubuntu-latest +# environment: pre-production +# defaults: +# run: +# shell: bash +# env: +# ENV: "pre-production" +# TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} +# TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} +# TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} +# TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} +# TF_VAR_enabled: ${{ secrets.ENABLED }} +# TF_VAR_zone_id: ${{ secrets.ZONE_ID }} +# TF_VAR_db_username: ${{ secrets.DB_USERNAME }} +# TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} +# TF_VAR_enable_transit_gateway: ${{ secrets.ENABLE_TRANSIT_GATEWAY }} +# TF_VAR_transit_gateway_id: ${{ secrets.TRANSIT_GATEWAY_ID }} +# TF_VAR_transit_gateway_route_table_id: ${{ secrets.TRANSIT_GATEWAY_ROUTE_TABLE_ID }} +# TF_VAR_byoip_pool_id: ${{ secrets.BYOIP_POOL_ID }} +# TF_VAR_corsham_mgmt_range: ${{ secrets.CORSHAM_MGMT_RANGE }} +# TF_VAR_farnborough_mgmt_range: ${{ secrets.FARNBOROUGH_MGMT_RANGE }} +# TF_VAR_network_services_cidr_block: ${{ secrets.NETWORK_SERVICES_CIDR_BLOCK }} +# AZUREAD_CLIENT_ID: ${{ secrets.AZUREAD_CLIENT_ID }} +# AZUREAD_CLIENT_SECRET: ${{ secrets.AZUREAD_CLIENT_SECRET }} +# AZUREAD_AUTH_URL: ${{ secrets.AZUREAD_AUTH_URL }} +# AZUREAD_TOKEN_URL: ${{ secrets.AZUREAD_TOKEN_URL }} +# SERVER_ROOT_URL: ${{ 
secrets.SERVER_ROOT_URL }} +# DB_USERNAME: ${{ secrets.DB_USERNAME }} +# DB_PASSWORD: ${{ secrets.DB_PASSWORD }} +# DB_NAME: ${{ secrets.DB_NAME }} +# +# steps: +# # Checkout the repository to the GitHub Actions runner +# - name: Checkout +# uses: actions/checkout@v3 +# +# # Configure AWS credentials +# - name: Configure AWS Credentials +# uses: aws-actions/configure-aws-credentials@v2.2.0 +# with: +# aws-region: eu-west-2 +# role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} +# role-session-name: GitHubWorkflow +# +# # Install Kubectl and Helm CLI +# - name: Setup Kubectl and Helm +# uses: yokawasa/action-setup-kube-tools@v0.9.3 +# with: +# setup-tools: | +# kubectl +# helm +# kubectl: '1.25.6' +# helm: '3.8.0' +# +# # Install Terraform CLI +# - name: Setup Terraform +# uses: hashicorp/setup-terraform@v2 +# with: +# terraform_version: 1.2.0 +# terraform_wrapper: false +# +# # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. +# - name: Terraform Init +# run: terraform init -upgrade -reconfigure --backend-config="key=terraform.$ENV.state" +# +# # Select or create and then select a Terraform workspace +# - name: Terraform Workspace +# run: terraform workspace select $ENV || terraform workspace new $ENV +# +# # Checks that all Terraform configuration files adhere to a canonical format +# - name: Terraform Format +# run: terraform fmt --recursive -check +# +# # Validates Terraform configuration +# - name: Terraform Validate +# run: terraform validate +# +# # Generates an execution plan for Terraform +# - name: Terraform Plan +# run: terraform plan +# +# # On push to main, build or change infrastructure according to Terraform configuration files +# # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". 
See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks +# - name: Terraform Apply +# if: github.ref == 'refs/heads/main' && github.event_name == 'push' +# run: terraform apply -auto-approve +# +# - name: Run the deployment script +# if: github.ref == 'refs/heads/main' && github.event_name == 'push' +# run: make deploy +# +# # Terraform apply in production +# deploy-production: +# name: 'Deploy Production' +# needs: deploy-pre-production +# runs-on: ubuntu-latest +# environment: production +# defaults: +# run: +# shell: bash +# env: +# ENV: "production" +# TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} +# TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} +# TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} +# TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} +# TF_VAR_enabled: ${{ secrets.ENABLED }} +# TF_VAR_zone_id: ${{ secrets.ZONE_ID }} +# TF_VAR_db_username: ${{ secrets.DB_USERNAME }} +# TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} +# TF_VAR_enable_transit_gateway: ${{ secrets.ENABLE_TRANSIT_GATEWAY }} +# TF_VAR_transit_gateway_id: ${{ secrets.TRANSIT_GATEWAY_ID }} +# TF_VAR_transit_gateway_route_table_id: ${{ secrets.TRANSIT_GATEWAY_ROUTE_TABLE_ID }} +# TF_VAR_byoip_pool_id: ${{ secrets.BYOIP_POOL_ID }} +# TF_VAR_corsham_mgmt_range: ${{ secrets.CORSHAM_MGMT_RANGE }} +# TF_VAR_farnborough_mgmt_range: ${{ secrets.FARNBOROUGH_MGMT_RANGE }} +# TF_VAR_network_services_cidr_block: ${{ secrets.NETWORK_SERVICES_CIDR_BLOCK }} +# AZUREAD_CLIENT_ID: ${{ secrets.AZUREAD_CLIENT_ID }} +# AZUREAD_CLIENT_SECRET: ${{ secrets.AZUREAD_CLIENT_SECRET }} +# AZUREAD_AUTH_URL: ${{ secrets.AZUREAD_AUTH_URL }} +# AZUREAD_TOKEN_URL: ${{ secrets.AZUREAD_TOKEN_URL }} +# SERVER_ROOT_URL: ${{ secrets.SERVER_ROOT_URL }} +# DB_USERNAME: ${{ secrets.DB_USERNAME }} +# DB_PASSWORD: ${{ secrets.DB_PASSWORD }} +# DB_NAME: ${{ 
secrets.DB_NAME }} +# +# +# steps: +# # Checkout the repository to the GitHub Actions runner +# - name: Checkout +# uses: actions/checkout@v3 +# +# # Configure AWS credentials +# - name: Configure AWS Credentials +# uses: aws-actions/configure-aws-credentials@v2.2.0 +# with: +# aws-region: eu-west-2 +# role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} +# role-session-name: GitHubWorkflow +# +# # Install Kubectl and Helm CLI +# - name: Setup Kubectl and Helm +# uses: yokawasa/action-setup-kube-tools@v0.9.3 +# with: +# setup-tools: | +# kubectl +# helm +# kubectl: '1.25.6' +# helm: '3.8.0' +# +# # Install Terraform CLI +# - name: Setup Terraform +# uses: hashicorp/setup-terraform@v2 +# with: +# terraform_version: 1.2.0 +# terraform_wrapper: false +# +# # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. +# - name: Terraform Init +# run: terraform init -upgrade -reconfigure --backend-config="key=terraform.$ENV.state" +# +# # Select or create and then select a Terraform workspace +# - name: Terraform Workspace +# run: terraform workspace select $ENV || terraform workspace new $ENV +# +# # Checks that all Terraform configuration files adhere to a canonical format +# - name: Terraform Format +# run: terraform fmt --recursive -check +# +# # Validates Terraform configuration +# - name: Terraform Validate +# run: terraform validate +# +# # Generates an execution plan for Terraform +# - name: Terraform Plan +# run: terraform plan +# +# # On push to main, build or change infrastructure according to Terraform configuration files +# # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". 
See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks +# - name: Terraform Apply +# if: github.ref == 'refs/heads/main' && github.event_name == 'push' +# run: terraform apply -auto-approve +# +# - name: Run the deployment script +# if: github.ref == 'refs/heads/main' && github.event_name == 'push' +# run: make deploy diff --git a/.github/workflows/deployment_reusable_workflow.yml b/.github/workflows/deployment_reusable_workflow.yml new file mode 100644 index 0000000..d4f8acb --- /dev/null +++ b/.github/workflows/deployment_reusable_workflow.yml 
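Review bot: The `push` trigger on the new side now fires on `montoring-impovements` instead of `main`, which reads as a debugging leftover (the branch name itself is misspelled); every push to that branch checks out the repo, assumes `AWS_ROLE_TO_ASSUME` and runs `terraform plan` against development, while the `github.ref == 'refs/heads/main'` guard on the apply steps now lives only in the called workflow, so this file no longer shows where the deployment gate is. Restore `- "main"` before merging, or leave a comment above the trigger explaining the temporary branch. The new `deploy-development` job uses `secrets: inherit`, which hands the called workflow every repository and environment secret; as the callee is in-repo that is workable, but declaring the secrets the callee reads explicitly (its `secrets:` block is currently commented out) would keep the job to the secrets it actually needs. The `on:` block begins before the hunk.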
@@ -0,0 +1,146 @@ +on: + workflow_call: + inputs: + ENV: + required: true + type: string +# secrets: +# ASSUME_ROLE_DEVELOPMENT: +# required: true +# DOMAIN_NAME: +# required: true +# ENABLED: +# required: true +# ZONE_ID: +# required: true +# DB_USERNAME: +# required: true +# DB_PASSWORD: +# required: true +# ENABLE_TRANSIT_GATEWAY: +# required: true +# TRANSIT_GATEWAY_ID: +# required: true +# TRANSIT_GATEWAY_ROUTE_TABLE_ID: +# required: true +# BYOIP_POOL_ID: +# required: true +# CORSHAM_MGMT_RANGE: +# required: true +# FARNBOROUGH_MGMT_RANGE: +# required: true +# NETWORK_SERVICES_CIDR_BLOCK: +# required: true +# AZUREAD_CLIENT_ID: +# required: true +# AZUREAD_CLIENT_SECRET: +# required: true +# AZUREAD_AUTH_URL: +# required: true +# AZUREAD_TOKEN_URL: +# required: true +# SERVER_ROOT_URL: +# required: true +# DB_NAME: +# required: true + +jobs: + deploy-development: + name: 'Deploy ${{ inputs.config-path }}' + runs-on: ubuntu-latest + environment: ${{ inputs.ENV }} + defaults: + run: + shell: bash + env: + ENV: ${{ inputs.ENV }} #"development" + TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} + TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} + TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} + TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} + TF_VAR_enabled: ${{ secrets.ENABLED }} + TF_VAR_zone_id: ${{ secrets.ZONE_ID }} + TF_VAR_db_username: ${{ secrets.DB_USERNAME }} + TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} + TF_VAR_enable_transit_gateway: ${{ secrets.ENABLE_TRANSIT_GATEWAY }} + TF_VAR_transit_gateway_id: ${{ secrets.TRANSIT_GATEWAY_ID }} + TF_VAR_transit_gateway_route_table_id: ${{ secrets.TRANSIT_GATEWAY_ROUTE_TABLE_ID }} + TF_VAR_byoip_pool_id: ${{ secrets.BYOIP_POOL_ID }} + TF_VAR_corsham_mgmt_range: ${{ secrets.CORSHAM_MGMT_RANGE }} + TF_VAR_farnborough_mgmt_range: ${{ secrets.FARNBOROUGH_MGMT_RANGE }} + TF_VAR_network_services_cidr_block: ${{ secrets.NETWORK_SERVICES_CIDR_BLOCK }} + 
AZUREAD_CLIENT_ID: ${{ secrets.AZUREAD_CLIENT_ID }} + AZUREAD_CLIENT_SECRET: ${{ secrets.AZUREAD_CLIENT_SECRET }} + AZUREAD_AUTH_URL: ${{ secrets.AZUREAD_AUTH_URL }} + AZUREAD_TOKEN_URL: ${{ secrets.AZUREAD_TOKEN_URL }} + SERVER_ROOT_URL: ${{ secrets.SERVER_ROOT_URL }} + DB_USERNAME: ${{ secrets.DB_USERNAME }} + DB_PASSWORD: ${{ secrets.DB_PASSWORD }} + DB_NAME: ${{ secrets.DB_NAME }} + + steps: + + # Checkout the repository to the GitHub Actions runner + - name: Checkout + uses: actions/checkout@v3 + + # Configure AWS credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v2.2.0 + with: + aws-region: eu-west-2 + role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} + role-session-name: GitHubWorkflow + + # Install Kubectl and Helm CLI + - name: Setup Kubectl and Helm + uses: yokawasa/action-setup-kube-tools@v0.9.3 + with: + setup-tools: | + kubectl + helm + kubectl: '1.25.6' + helm: '3.8.0' + + # Create environment variables from AWS SSM parameters values + - name: Create environment variables from AWS SSM + run: | + export dhcpApiBasicAuthUsername=`aws ssm get-parameter --name /codebuild/dhcp/admin/api/basic_auth_username --query Parameter.Value --with-decryption --output text` + export dhcpApiBasicAuthPassword=`aws ssm get-parameter --name /codebuild/dhcp/admin/api/basic_auth_password --query Parameter.Value --with-decryption --output text` + + # Install Terraform CLI + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + with: + terraform_version: 1.2.0 + terraform_wrapper: false + + # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. 
+ - name: Terraform Init + run: terraform init -upgrade -reconfigure --backend-config="key=terraform.$ENV.state" + + # Select or create and then select a Terraform workspace + - name: Terraform Workspace + run: terraform workspace select $ENV || terraform workspace new $ENV + + # Checks that all Terraform configuration files adhere to a canonical format + - name: Terraform Format + run: terraform fmt --recursive -check + + # Validates Terraform configuration + - name: Terraform Validate + run: terraform validate + + # Generates an execution plan for Terraform + - name: Terraform Plan + run: terraform plan + + # On push to main, build or change infrastructure according to Terraform configuration files + # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks + - name: Terraform Apply + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + run: terraform apply -auto-approve + + - name: Run the deployment script + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + run: make deploy From a778baf5058867f08cee41298e598f2e18e6102e Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 13:27:17 +0000 Subject: [PATCH 03/23] Cherry picked --- Makefile | 65 ++++++++++++++++++++++++++++++++-------- main.tf | 24 ++------------- modules/eks/outputs.tf | 8 ----- modules/eks/providers.tf | 11 ------- outputs.tf | 26 ++++++++-------- variables.tf | 10 ------- 6 files changed, 67 insertions(+), 77 deletions(-) delete mode 100644 modules/eks/providers.tf diff --git a/Makefile b/Makefile index 9e895e9..50f9516 100644 --- a/Makefile +++ b/Makefile 
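Review bot: `name: 'Deploy ${{ inputs.config-path }}'` references an input the workflow never declares — the only `workflow_call` input is `ENV` — so the job title renders as `Deploy ` with nothing after it; it should be `name: 'Deploy ${{ inputs.ENV }}'`, and the job id `deploy-development` is misleading for a job that is parameterised by `ENV`. The `Create environment variables from AWS SSM` step `export`s the two decrypted SSM values inside its own shell, so they are gone when the step ends and nothing later in the job can read them; either fetch them in the step that needs them or, if they must persist, write them to `$GITHUB_ENV` after registering each value with `::add-mask::` so the job log masks it. All four actions (`actions/checkout@v3`, `aws-actions/configure-aws-credentials@v2.2.0`, `yokawasa/action-setup-kube-tools@v0.9.3`, `hashicorp/setup-terraform@v2`) are pinned to mutable tags in a job that runs with the caller's `id-token: write` permission and assumes an AWS role; pinning to full commit SHAs removes the tag-retargeting risk, which matters most for the community-maintained one. The `#"development"` remnant after `ENV: ${{ inputs.ENV }}` is dead and can go.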
@@ -2,34 +2,73 @@ -include .env export +deploy: + ./scripts/deploy.sh + +uninstall: + ./scripts/uninstall_all_deployments.sh + fmt: - terraform fmt --recursive + aws-vault exec $$AWS_VAULT_PROFILE -- terraform fmt --recursive init: - terraform init -upgrade -reconfigure \ - --backend-config="key=terraform.production.state" + aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -reconfigure \ + --backend-config="key=terraform.$$ENV.state" + +init-upgrade: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -upgrade \ + --backend-config="key=terraform.$$ENV.state" + +# How to use +# IMPORT_ARGUMENT=module.foo.bar some_resource make import +import: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform import $$IMPORT_ARGUMENT + +workspace-list: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace list + +workspace-select: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace select $$ENV || \ + aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace new $$ENV validate: - terraform validate + aws-vault exec $$AWS_VAULT_PROFILE -- terraform validate + +plan-out: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan -no-color > $$ENV.tfplan plan: - terraform plan + aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan + +refresh: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform refresh + +output: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform output -json apply: - terraform apply + aws-vault exec $$AWS_VAULT_PROFILE -- terraform apply + ./scripts/publish_terraform_outputs.sh -deploy: - ./scripts/deploy.sh +state-list: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform state list -uninstall: - ./scripts/uninstall_all_deployments.sh +show: + aws-vault exec $$AWS_VAULT_PROFILE -- terraform show -no-color destroy: - terraform destroy + aws-vault exec $$AWS_VAULT_PROFILE -- terraform destroy + +clean: + rm -rf .terraform/ terraform.tfstate* + +tfenv: + tfenv use $(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && 
tfenv pin generate_diagrams: docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/architecture_diagram.py docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/detailed_eks_diagram.py -.PHONY: init validate plan apply deploy uninstall destroy - +.PHONY: + fmt init workspace-list workspace-select validate plan-out plan \ + refresh output apply state-list show destroy clean tfenv diff --git a/main.tf b/main.tf index 3e148bb..7f5eb1a 100644 --- a/main.tf +++ b/main.tf @@ -15,24 +15,6 @@ provider "aws" { } } -provider "aws" { - region = var.aws_region - alias = "development" - - assume_role { - role_arn = var.assume_role_development - } -} - -provider "aws" { - region = var.aws_region - alias = "pre_production" - - assume_role { - role_arn = var.assume_role_pre_production - } -} - data "aws_availability_zones" "available_zones" { count = var.enabled ? 1 : 0 state = "available" @@ -90,8 +72,8 @@ module "eks" { tags = module.eks_label.tags providers = { - aws = aws.main - aws.development = aws.development - aws.pre_production = aws.pre_production + aws = aws.main + # aws.development = aws.development + # aws.pre_production = aws.pre_production } } diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index 78f0df2..db92832 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -46,14 +46,6 @@ output "cloudwatch_exporter_iam_role_arn" { value = aws_iam_role.cloudwatch_exporter.arn } -output "cloudwatch_exporter_development_iam_role_arn" { - value = aws_iam_role.cloudwatch_exporter_development != [] ? aws_iam_role.cloudwatch_exporter_development[0].arn : "" -} - -output "cloudwatch_exporter_pre_production_iam_role_arn" { - value = aws_iam_role.cloudwatch_exporter_pre_production != [] ? aws_iam_role.cloudwatch_exporter_pre_production[0].arn : "" -} - output "db_endpoint" { value = aws_db_instance.this.endpoint } 
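Review bot: In the new `tfenv` target, `$(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2)` is expanded by make as a variable reference before the shell sees it, so it evaluates to an empty string and the recipe runs `tfenv use  && tfenv pin`; the shell substitution needs the escaped form `tfenv use $$(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin`. The rewritten `.PHONY` list drops `deploy` and `uninstall`, which the old list had, and omits the new `init-upgrade`, `import` and `generate_diagrams` targets, so a file of any of those names in the checkout would silently satisfy the target. Every `aws-vault` recipe depends on `$$AWS_VAULT_PROFILE` and the `init` recipes on `$$ENV`; an unset `ENV` yields the backend key `terraform..state`, so a guard at the top of the file such as `ifndef ENV` / `$(error ENV is not set)` / `endif` would fail fast instead of initialising against a malformed state key.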
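Review bot: The two commented-out entries `# aws.development = aws.development` and `# aws.pre_production = aws.pre_production` in the `providers` map cannot be re-enabled by uncommenting: the same commit deletes modules/eks/providers.tf, which declared those `configuration_aliases`, and removes the `assume_role_development` / `assume_role_pre_production` provider blocks and variables from main.tf and variables.tf, so restoring the lines would fail at `terraform validate`. Delete the two lines rather than keeping them as comments; git history records the cross-account provider setup if it is ever needed again. The `module "eks"` block begins before the hunk.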
diff --git a/modules/eks/providers.tf b/modules/eks/providers.tf deleted file mode 100644 index b41e2a3..0000000 --- a/modules/eks/providers.tf +++ /dev/null @@ -1,11 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - configuration_aliases = [ - aws.development, - aws.pre_production - ] - } - } -} diff --git a/outputs.tf b/outputs.tf index dfc7b61..a6e8366 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -36,20 +36,18 @@ output "certificate" { output "eks_cluster" { value = var.enabled ? { - issuer = module.eks[0].issuer - name = module.eks[0].cluster_name - endpoint = module.eks[0].endpoint - aws_load_balancer_controller_iam_role_arn = module.eks[0].aws_load_balancer_controller_iam_role_arn - external_dns_iam_role_arn = module.eks[0].external_dns_iam_role_arn - aws_efs_csi_driver_iam_role_arn = module.eks[0].aws_efs_csi_driver_iam_role_arn - aws_ebs_csi_driver_iam_role_arn = module.eks[0].aws_ebs_csi_driver_iam_role_arn - efs_file_system_id = module.eks[0].efs_file_system_id - thanos_iam_role_arn = module.eks[0].thanos_iam_role_arn - thanos_storage_s3_bucket_name = module.eks[0].thanos_storage_s3_bucket_name - cloudwatch_exporter_iam_role_arn = module.eks[0].cloudwatch_exporter_iam_role_arn - cloudwatch_exporter_development_iam_role_arn = module.eks[0].cloudwatch_exporter_development_iam_role_arn - cloudwatch_exporter_pre_production_iam_role_arn = module.eks[0].cloudwatch_exporter_pre_production_iam_role_arn - db_endpoint = module.eks[0].db_endpoint + issuer = module.eks[0].issuer + name = module.eks[0].cluster_name + endpoint = module.eks[0].endpoint + aws_load_balancer_controller_iam_role_arn = module.eks[0].aws_load_balancer_controller_iam_role_arn + external_dns_iam_role_arn = module.eks[0].external_dns_iam_role_arn + aws_efs_csi_driver_iam_role_arn = module.eks[0].aws_efs_csi_driver_iam_role_arn + aws_ebs_csi_driver_iam_role_arn = module.eks[0].aws_ebs_csi_driver_iam_role_arn + efs_file_system_id = module.eks[0].efs_file_system_id + thanos_iam_role_arn = module.eks[0].thanos_iam_role_arn + thanos_storage_s3_bucket_name = module.eks[0].thanos_storage_s3_bucket_name + cloudwatch_exporter_iam_role_arn = module.eks[0].cloudwatch_exporter_iam_role_arn + db_endpoint = module.eks[0].db_endpoint } : null sensitive = true } diff --git a/variables.tf b/variables.tf index e1c4655..b56c395 100644 --- a/variables.tf +++ b/variables.tf 
@@ -15,16 +15,6 @@ variable "assume_role" { type = string } -variable "assume_role_development" { - description = "The role to assume in development aws account" - type = string -} - -variable "assume_role_pre_production" { - description = "The role to assume in pre-production aws account" - type = string -} - variable "aws_region" { description = "The AWS region to create things in" type = string From 63028cad1005aca6eccb037a536c80e81e6ecf89 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 15:06:13 +0000 Subject: [PATCH 04/23] deploy preproduction with resuable workflow --- .github/workflows/deployment.yml | 101 ++---------------- .../deployment_reusable_workflow.yml | 6 -- 2 files changed, 7 insertions(+), 100 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 10f5569..5c27fbc 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml 
@@ -20,100 +20,13 @@ jobs: ENV: development secrets: inherit -# # Terraform apply in pre-production -# deploy-pre-production: -# name: 'Deploy Pre-Production' -# needs: deploy-development -# runs-on: ubuntu-latest -# environment: pre-production -# defaults: -# run: -# shell: bash -# env: -# ENV: "pre-production" -# TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} -# TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} -# TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} -# TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} -# TF_VAR_enabled: ${{ secrets.ENABLED }} -# TF_VAR_zone_id: ${{ secrets.ZONE_ID }} -# TF_VAR_db_username: ${{ secrets.DB_USERNAME }} -# TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} -# TF_VAR_enable_transit_gateway: ${{ secrets.ENABLE_TRANSIT_GATEWAY }} -# TF_VAR_transit_gateway_id: ${{ secrets.TRANSIT_GATEWAY_ID }} -# TF_VAR_transit_gateway_route_table_id: ${{ secrets.TRANSIT_GATEWAY_ROUTE_TABLE_ID }} -# TF_VAR_byoip_pool_id: ${{ secrets.BYOIP_POOL_ID }} -# TF_VAR_corsham_mgmt_range: ${{ secrets.CORSHAM_MGMT_RANGE }} -# TF_VAR_farnborough_mgmt_range: ${{ secrets.FARNBOROUGH_MGMT_RANGE }} -# TF_VAR_network_services_cidr_block: ${{ secrets.NETWORK_SERVICES_CIDR_BLOCK }} -# AZUREAD_CLIENT_ID: ${{ secrets.AZUREAD_CLIENT_ID }} -# AZUREAD_CLIENT_SECRET: ${{ secrets.AZUREAD_CLIENT_SECRET }} -# AZUREAD_AUTH_URL: ${{ secrets.AZUREAD_AUTH_URL }} -# AZUREAD_TOKEN_URL: ${{ secrets.AZUREAD_TOKEN_URL }} -# SERVER_ROOT_URL: ${{ secrets.SERVER_ROOT_URL }} -# DB_USERNAME: ${{ secrets.DB_USERNAME }} -# DB_PASSWORD: ${{ secrets.DB_PASSWORD }} -# DB_NAME: ${{ secrets.DB_NAME }} -# -# steps: -# # Checkout the repository to the GitHub Actions runner -# - name: Checkout -# uses: actions/checkout@v3 -# -# # Configure AWS credentials -# - name: Configure AWS Credentials -# uses: aws-actions/configure-aws-credentials@v2.2.0 -# with: -# aws-region: eu-west-2 -# role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} -# role-session-name: 
GitHubWorkflow -# -# # Install Kubectl and Helm CLI -# - name: Setup Kubectl and Helm -# uses: yokawasa/action-setup-kube-tools@v0.9.3 -# with: -# setup-tools: | -# kubectl -# helm -# kubectl: '1.25.6' -# helm: '3.8.0' -# -# # Install Terraform CLI -# - name: Setup Terraform -# uses: hashicorp/setup-terraform@v2 -# with: -# terraform_version: 1.2.0 -# terraform_wrapper: false -# -# # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. -# - name: Terraform Init -# run: terraform init -upgrade -reconfigure --backend-config="key=terraform.$ENV.state" -# -# # Select or create and then select a Terraform workspace -# - name: Terraform Workspace -# run: terraform workspace select $ENV || terraform workspace new $ENV -# -# # Checks that all Terraform configuration files adhere to a canonical format -# - name: Terraform Format -# run: terraform fmt --recursive -check -# -# # Validates Terraform configuration -# - name: Terraform Validate -# run: terraform validate -# -# # Generates an execution plan for Terraform -# - name: Terraform Plan -# run: terraform plan -# -# # On push to main, build or change infrastructure according to Terraform configuration files -# # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". 
See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks -# - name: Terraform Apply -# if: github.ref == 'refs/heads/main' && github.event_name == 'push' -# run: terraform apply -auto-approve -# -# - name: Run the deployment script -# if: github.ref == 'refs/heads/main' && github.event_name == 'push' -# run: make deploy + deploy-pre-production: + needs: [deploy-development] + uses: ./.github/workflows/deployment_reusable_workflow.yml + with: + ENV: pre-production + secrets: inherit + # # # Terraform apply in production # deploy-production: diff --git a/.github/workflows/deployment_reusable_workflow.yml b/.github/workflows/deployment_reusable_workflow.yml index d4f8acb..6da690b 100644 --- a/.github/workflows/deployment_reusable_workflow.yml +++ b/.github/workflows/deployment_reusable_workflow.yml @@ -102,12 +102,6 @@ jobs: kubectl: '1.25.6' helm: '3.8.0' - # Create environment variables from AWS SSM parameters values - - name: Create environment variables from AWS SSM - run: | - export dhcpApiBasicAuthUsername=`aws ssm get-parameter --name /codebuild/dhcp/admin/api/basic_auth_username --query Parameter.Value --with-decryption --output text` - export dhcpApiBasicAuthPassword=`aws ssm get-parameter --name /codebuild/dhcp/admin/api/basic_auth_password --query Parameter.Value --with-decryption --output text` - # Install Terraform CLI - name: Setup Terraform uses: hashicorp/setup-terraform@v2 From 045c986d2fd7281a9a6b414a362ec1cd044a042f Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 15:14:40 +0000 Subject: [PATCH 05/23] deploy production using reusable workflow --- .github/workflows/deployment.yml | 102 ++----------------------------- 1 file changed, 6 insertions(+), 96 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 5c27fbc..3fe13ef 100644 --- a/.github/workflows/deployment.yml 
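Review bot: `secrets: inherit` on the new deploy-pre-production job hands the reusable workflow every repository and environment secret the caller can see, whereas the job it replaces listed each secret it consumed; the same pattern is repeated for deploy-production in the next patch's hunk and for the destroy jobs added later in the series. Declaring the secrets the callee needs under `workflow_call.secrets` in deployment_reusable_workflow.yml and passing them explicitly here limits the callee to the secrets it actually uses, and makes any newly added secret an explicit decision rather than an automatic grant. The caller also no longer states `environment: pre-production` itself; the reusable workflow appears to set `environment: ${{ inputs.ENV }}` (visible as context in a later hunk), which is what ties this job to the pre-production environment protections, so a one-line comment such as `# environment protection rules are applied by the reusable workflow via inputs.ENV` would help the next reader.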
+++ b/.github/workflows/deployment.yml 
@@ -27,99 +27,9 @@ jobs: ENV: pre-production secrets: inherit -# -# # Terraform apply in production -# deploy-production: -# name: 'Deploy Production' -# needs: deploy-pre-production -# runs-on: ubuntu-latest -# environment: production -# defaults: -# run: -# shell: bash -# env: -# ENV: "production" -# TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} -# TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} -# TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} -# TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} -# TF_VAR_enabled: ${{ secrets.ENABLED }} -# TF_VAR_zone_id: ${{ secrets.ZONE_ID }} -# TF_VAR_db_username: ${{ secrets.DB_USERNAME }} -# TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} -# TF_VAR_enable_transit_gateway: ${{ secrets.ENABLE_TRANSIT_GATEWAY }} -# TF_VAR_transit_gateway_id: ${{ secrets.TRANSIT_GATEWAY_ID }} -# TF_VAR_transit_gateway_route_table_id: ${{ secrets.TRANSIT_GATEWAY_ROUTE_TABLE_ID }} -# TF_VAR_byoip_pool_id: ${{ secrets.BYOIP_POOL_ID }} -# TF_VAR_corsham_mgmt_range: ${{ secrets.CORSHAM_MGMT_RANGE }} -# TF_VAR_farnborough_mgmt_range: ${{ secrets.FARNBOROUGH_MGMT_RANGE }} -# TF_VAR_network_services_cidr_block: ${{ secrets.NETWORK_SERVICES_CIDR_BLOCK }} -# AZUREAD_CLIENT_ID: ${{ secrets.AZUREAD_CLIENT_ID }} -# AZUREAD_CLIENT_SECRET: ${{ secrets.AZUREAD_CLIENT_SECRET }} -# AZUREAD_AUTH_URL: ${{ secrets.AZUREAD_AUTH_URL }} -# AZUREAD_TOKEN_URL: ${{ secrets.AZUREAD_TOKEN_URL }} -# SERVER_ROOT_URL: ${{ secrets.SERVER_ROOT_URL }} -# DB_USERNAME: ${{ secrets.DB_USERNAME }} -# DB_PASSWORD: ${{ secrets.DB_PASSWORD }} -# DB_NAME: ${{ secrets.DB_NAME }} -# -# -# steps: -# # Checkout the repository to the GitHub Actions runner -# - name: Checkout -# uses: actions/checkout@v3 -# -# # Configure AWS credentials -# - name: Configure AWS Credentials -# uses: aws-actions/configure-aws-credentials@v2.2.0 -# with: -# aws-region: eu-west-2 -# role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }} -# role-session-name: 
GitHubWorkflow -# -# # Install Kubectl and Helm CLI -# - name: Setup Kubectl and Helm -# uses: yokawasa/action-setup-kube-tools@v0.9.3 -# with: -# setup-tools: | -# kubectl -# helm -# kubectl: '1.25.6' -# helm: '3.8.0' -# -# # Install Terraform CLI -# - name: Setup Terraform -# uses: hashicorp/setup-terraform@v2 -# with: -# terraform_version: 1.2.0 -# terraform_wrapper: false -# -# # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. -# - name: Terraform Init -# run: terraform init -upgrade -reconfigure --backend-config="key=terraform.$ENV.state" -# -# # Select or create and then select a Terraform workspace -# - name: Terraform Workspace -# run: terraform workspace select $ENV || terraform workspace new $ENV -# -# # Checks that all Terraform configuration files adhere to a canonical format -# - name: Terraform Format -# run: terraform fmt --recursive -check -# -# # Validates Terraform configuration -# - name: Terraform Validate -# run: terraform validate -# -# # Generates an execution plan for Terraform -# - name: Terraform Plan -# run: terraform plan -# -# # On push to main, build or change infrastructure according to Terraform configuration files -# # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks -# - name: Terraform Apply -# if: github.ref == 'refs/heads/main' && github.event_name == 'push' -# run: terraform apply -auto-approve -# -# - name: Run the deployment script -# if: github.ref == 'refs/heads/main' && github.event_name == 'push' -# run: make deploy + deploy-production: + needs: [deploy-development, deploy-pre-production] + uses: ./.github/workflows/deployment_reusable_workflow.yml + with: + ENV: production + secrets: inherit 
From 4b7eea51e6c1be2041742b5d6dafc0e06ea80996 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 15:43:11 +0000 Subject: [PATCH 06/23] tidy up workflows and allow workflows to destory / create environments as needed --- .github/workflows/deployment.yml | 19 ++++++++ .../deployment_reusable_workflow.yml | 46 ++----------------- 2 files changed, 24 insertions(+), 41 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 3fe13ef..9c9b9c2 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -18,6 +18,7 @@ jobs: uses: ./.github/workflows/deployment_reusable_workflow.yml with: ENV: development + ENABLED: true secrets: inherit deploy-pre-production: @@ -25,6 +26,15 @@ jobs: uses: ./.github/workflows/deployment_reusable_workflow.yml with: ENV: pre-production + ENABLED: true + secrets: inherit + + destory-development: + needs: [ deploy-development, deploy-pre-production] + uses: ./.github/workflows/deployment_reusable_workflow.yml + with: + ENV: development + ENABLED: false secrets: inherit deploy-production: @@ -32,4 +42,13 @@ jobs: uses: ./.github/workflows/deployment_reusable_workflow.yml with: ENV: production + ENABLED: true + secrets: inherit + + destory-pre-production: + needs: [ deploy-development, deploy-pre-production, deploy-production] + uses: ./.github/workflows/deployment_reusable_workflow.yml + with: + ENV: pre-production + ENABLED: false secrets: inherit diff --git a/.github/workflows/deployment_reusable_workflow.yml b/.github/workflows/deployment_reusable_workflow.yml index 6da690b..fa578d6 100644 --- a/.github/workflows/deployment_reusable_workflow.yml +++ b/.github/workflows/deployment_reusable_workflow.yml 
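Review bot: `ENABLED: true` / `ENABLED: false` in the new `with:` blocks are YAML booleans, but the input they feed is declared `type: string` in the deployment_reusable_workflow.yml hunk of this same commit; as far as I recall GitHub validates `with:` values against the declared input type, so either declare `type: boolean` there or quote the values here (`ENABLED: "true"`). Since the value only ends up in `TF_VAR_enabled`, which Terraform accepts in either form, `type: boolean` on the declaration is the cleaner fix. Separately, `destory-development` carries no condition of its own and runs on every workflow run once the two deploy jobs succeed, so each run brings development up and then tears it down again; if that cycle is intended, a comment such as `# development is torn down after every successful pre-production deploy` would stop the next reader from reporting it as a bug.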
@@ -4,45 +4,9 @@ on: ENV: required: true type: string -# secrets: -# ASSUME_ROLE_DEVELOPMENT: -# required: true -# DOMAIN_NAME: -# required: true -# ENABLED: -# required: true -# ZONE_ID: -# required: true -# DB_USERNAME: -# required: true -# DB_PASSWORD: -# required: true -# ENABLE_TRANSIT_GATEWAY: -# required: true -# TRANSIT_GATEWAY_ID: -# required: true -# TRANSIT_GATEWAY_ROUTE_TABLE_ID: -# required: true -# BYOIP_POOL_ID: -# required: true -# CORSHAM_MGMT_RANGE: -# required: true -# FARNBOROUGH_MGMT_RANGE: -# required: true -# NETWORK_SERVICES_CIDR_BLOCK: -# required: true -# AZUREAD_CLIENT_ID: -# required: true -# AZUREAD_CLIENT_SECRET: -# required: true -# AZUREAD_AUTH_URL: -# required: true -# AZUREAD_TOKEN_URL: -# required: true -# SERVER_ROOT_URL: -# required: true -# DB_NAME: -# required: true + ENABLED: + required: true + type: string jobs: deploy-development: @@ -53,12 +17,12 @@ jobs: run: shell: bash env: - ENV: ${{ inputs.ENV }} #"development" + ENV: ${{ inputs.ENV }} + TF_VAR_enabled: ${{ inputs.ENABLED }} TF_VAR_assume_role: ${{ secrets.ASSUME_ROLE }} TF_VAR_assume_role_development: ${{ secrets.ASSUME_ROLE_DEVELOPMENT }} TF_VAR_assume_role_pre_production: ${{ secrets.ASSUME_ROLE_PRE_PRODUCTION }} TF_VAR_domain_name: ${{ secrets.DOMAIN_NAME }} - TF_VAR_enabled: ${{ secrets.ENABLED }} TF_VAR_zone_id: ${{ secrets.ZONE_ID }} TF_VAR_db_username: ${{ secrets.DB_USERNAME }} TF_VAR_db_password: ${{ secrets.DB_PASSWORD }} From a504ebe3f09097649f1831bec24d1502eb37a1c0 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 16:33:07 +0000 Subject: [PATCH 07/23] correct spelling mistake --- .github/workflows/deployment.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index 9c9b9c2..b928b1a 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml 
@@ -29,7 +29,7 @@ jobs: ENABLED: true secrets: inherit - destory-development: + destroy-development: needs: [ deploy-development, deploy-pre-production] uses: ./.github/workflows/deployment_reusable_workflow.yml with: @@ -45,7 +45,7 @@ jobs: ENABLED: true secrets: inherit - destory-pre-production: + destroy-pre-production: needs: [ deploy-development, deploy-pre-production, deploy-production] uses: ./.github/workflows/deployment_reusable_workflow.yml with: From e2e9811704d6f51f1b70520a1aa71aff0fb42348 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 16:37:59 +0000 Subject: [PATCH 08/23] Updated makefile and ran make lock to resolve issues with Terraform lock file --- .terraform.lock.hcl | 5 ++++- Makefile | 6 ++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 0ce37c5..1454255 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl @@ -6,6 +6,7 @@ provider "registry.terraform.io/hashicorp/aws" { constraints = ">= 4.40.0, >= 5.0.0, 5.9.0" hashes = [ "h1:f3SxpLlSueYKYXz5zpzP90MUN3cJ+omnTHXV9vUtOvM=", + "h1:gFsITWUrCJk+MFJ+Z84uecb6DfHm4sKHlALQ95kcVUU=", "h1:mvg6WWqqUvgUq6wYCWg/zqpND/5yIz3plIL1IOR50Rs=", "zh:032424d4686ce2ff7c5a4a738491635616afbf6e06b3e7e6a754baa031d1265d", "zh:1e530b4020544ec94e1fe7b1e4296640eb12cf1bf4f79cd6429ff2c4e6fffaf3", @@ -30,6 +31,7 @@ provider "registry.terraform.io/hashicorp/template" { hashes = [ "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=", "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", + "h1:LN84cu+BZpVRvYlCzrbPfCRDaIelSyEx/W9Iwwgbnn4=", "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", 
@@ -48,6 +50,7 @@ provider "registry.terraform.io/hashicorp/tls" { hashes = [ "h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=", "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", + "h1:rKKMyIEBZwR+8j6Tx3PwqBrStuH+J+pxcbCR5XN8WAw=", "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", @@ -61,4 +64,4 @@ provider "registry.terraform.io/hashicorp/tls" { "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", ] -} \ No newline at end of file +} diff --git a/Makefile b/Makefile index 50f9516..d8b4937 100644 --- a/Makefile +++ b/Makefile @@ -72,3 +72,9 @@ generate_diagrams: .PHONY: fmt init workspace-list workspace-select validate plan-out plan \ refresh output apply state-list show destroy clean tfenv + + +.PHONY: lock +lock: ## terraform providers lock (reset hashes after upgrades prior to commit) + rm .terraform.lock.hcl + $(DOCKER_RUN) terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64 From dc1852884fbd7eebe8cf6dd9eb2c2cd9c22e4282 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 17:14:03 +0000 Subject: [PATCH 09/23] added back in provider due to orgphined resouces being legt in other accounts --- main.tf | 22 ++++++++++++++++++++-- modules/eks/providers.tf | 11 +++++++++++ variables.tf | 10 ++++++++++ 3 files changed, 41 insertions(+), 2 deletions(-) create mode 100644 modules/eks/providers.tf diff --git a/main.tf b/main.tf index 7f5eb1a..8c51776 100644 --- a/main.tf +++ b/main.tf 
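Review bot: `rm .terraform.lock.hcl` in the new lock recipe fails the target when the file is absent, which is exactly the state a fresh clone or an earlier aborted run leaves behind; `rm -f .terraform.lock.hcl` avoids that. Because the recipe discards the existing file before `terraform providers lock` regenerates it, every `zh:`/`h1:` hash in the result comes from whatever the registry serves at that moment rather than from the previously recorded values, so a review of any commit produced by this target should confirm the lock-file diff only adds `h1:` platform hashes (as the one in this commit does) and does not quietly change existing entries. A comment on the target spelling that out, e.g. `## discards the recorded hashes: check the resulting lock diff before committing`, would make the expectation explicit.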
@@ -15,6 +15,24 @@ provider "aws" { } } +provider "aws" { + region = var.aws_region + alias = "development" + + assume_role { + role_arn = var.assume_role_development + } +} + +provider "aws" { + region = var.aws_region + alias = "pre_production" + + assume_role { + role_arn = var.assume_role_pre_production + } +} + data "aws_availability_zones" "available_zones" { count = var.enabled ? 1 : 0 state = "available" @@ -73,7 +91,7 @@ module "eks" { providers = { aws = aws.main - # aws.development = aws.development - # aws.pre_production = aws.pre_production + aws.development = aws.development + aws.pre_production = aws.pre_production } } diff --git a/modules/eks/providers.tf b/modules/eks/providers.tf new file mode 100644 index 0000000..b41e2a3 --- /dev/null +++ b/modules/eks/providers.tf @@ -0,0 +1,11 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + configuration_aliases = [ + aws.development, + aws.pre_production + ] + } + } +} diff --git a/variables.tf b/variables.tf index b56c395..2ea8f7f 100644 --- a/variables.tf +++ b/variables.tf @@ -67,3 +67,13 @@ variable "farnborough_mgmt_range" { variable "network_services_cidr_block" { type = string } + +variable "assume_role_development" { + description = "The role to assume in development aws account" + type = string +} + +variable "assume_role_pre_production" { + description = "The role to assume in pre-production aws account" + type = string +} From 42e487b6295113a44fde882b844e9d9a0aa585ca Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 14 Nov 2023 17:41:50 +0000 Subject: [PATCH 10/23] revert cross account changes --- .github/workflows/deployment.yml | 2 +- .../deployment_reusable_workflow.yml | 2 +- main.tf | 6 ++--- modules/eks/outputs.tf | 8 ++++++ outputs.tf | 26 ++++++++++--------- variables.tf | 20 +++++++------- 6 files changed, 37 insertions(+), 27 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index b928b1a..ba6b74b 100644 
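Review bot: the two re-added `provider "aws"` blocks assume `var.assume_role_development` and `var.assume_role_pre_production` without a `session_name`, so actions this pipeline takes in those accounts are recorded under the provider's default session name and are hard to tell apart from other users of the same roles in the target accounts' CloudTrail; `session_name = "terraform-${terraform.workspace}"` in each `assume_role` block gives them an attributable name. The commit message suggests the aliases exist to clean up orphaned cross-account resources; if that is their only purpose, a comment on the blocks saying so would help, since the next commit in the series touches them again. The `configuration_aliases` in the new modules/eks/providers.tf makes both aliases mandatory for every caller of the module, which is worth stating in the module's documentation.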
--- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -6,7 +6,7 @@ on: - "main" push: branches: - - "montoring-impovements" + - "main" permissions: id-token: write diff --git a/.github/workflows/deployment_reusable_workflow.yml b/.github/workflows/deployment_reusable_workflow.yml index fa578d6..8fa8e99 100644 --- a/.github/workflows/deployment_reusable_workflow.yml +++ b/.github/workflows/deployment_reusable_workflow.yml @@ -9,7 +9,7 @@ on: type: string jobs: - deploy-development: + deploy-environment: name: 'Deploy ${{ inputs.config-path }}' runs-on: ubuntu-latest environment: ${{ inputs.ENV }} diff --git a/main.tf b/main.tf index 8c51776..3e148bb 100644 --- a/main.tf +++ b/main.tf @@ -90,8 +90,8 @@ module "eks" { tags = module.eks_label.tags providers = { - aws = aws.main - aws.development = aws.development - aws.pre_production = aws.pre_production + aws = aws.main + aws.development = aws.development + aws.pre_production = aws.pre_production } } diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index db92832..78f0df2 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -46,6 +46,14 @@ output "cloudwatch_exporter_iam_role_arn" { value = aws_iam_role.cloudwatch_exporter.arn } +output "cloudwatch_exporter_development_iam_role_arn" { + value = aws_iam_role.cloudwatch_exporter_development != [] ? aws_iam_role.cloudwatch_exporter_development[0].arn : "" +} + +output "cloudwatch_exporter_pre_production_iam_role_arn" { + value = aws_iam_role.cloudwatch_exporter_pre_production != [] ? aws_iam_role.cloudwatch_exporter_pre_production[0].arn : "" +} + output "db_endpoint" { value = aws_db_instance.this.endpoint } diff --git a/outputs.tf b/outputs.tf index a6e8366..dfc7b61 100644 --- a/outputs.tf +++ b/outputs.tf 
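Review bot: the job's display name `name: 'Deploy ${{ inputs.config-path }}'`, kept as context beside the renamed `deploy-environment` job, refers to an input this workflow does not declare — the `workflow_call` inputs visible earlier in the series are `ENV` and `ENABLED` — so every run appears to be titled 'Deploy ' with nothing after it. `name: 'Deploy ${{ inputs.ENV }}'` would make the development, pre-production and production runs distinguishable in the Actions UI, which matters when checking which environment a given apply touched.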
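Review bot: `aws_iam_role.cloudwatch_exporter_development != []` in the two new outputs in modules/eks/outputs.tf compares a resource instance list with an empty tuple literal; I believe Terraform treats values of different types as unequal, so the condition holds even when the resource has `count = 0` and the `[0]` index then fails on exactly the case the fallback was meant to cover. `value = length(aws_iam_role.cloudwatch_exporter_development) > 0 ? aws_iam_role.cloudwatch_exporter_development[0].arn : ""` (and likewise for the pre_production output) tests what the expression intends, and `try(aws_iam_role.cloudwatch_exporter_development[0].arn, "")` is a shorter equivalent.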
@@ -36,18 +36,20 @@ output "certificate" { output "eks_cluster" { value = var.enabled ? { - issuer = module.eks[0].issuer - name = module.eks[0].cluster_name - endpoint = module.eks[0].endpoint - aws_load_balancer_controller_iam_role_arn = module.eks[0].aws_load_balancer_controller_iam_role_arn - external_dns_iam_role_arn = module.eks[0].external_dns_iam_role_arn - aws_efs_csi_driver_iam_role_arn = module.eks[0].aws_efs_csi_driver_iam_role_arn - aws_ebs_csi_driver_iam_role_arn = module.eks[0].aws_ebs_csi_driver_iam_role_arn - efs_file_system_id = module.eks[0].efs_file_system_id - thanos_iam_role_arn = module.eks[0].thanos_iam_role_arn - thanos_storage_s3_bucket_name = module.eks[0].thanos_storage_s3_bucket_name - cloudwatch_exporter_iam_role_arn = module.eks[0].cloudwatch_exporter_iam_role_arn - db_endpoint = module.eks[0].db_endpoint + issuer = module.eks[0].issuer + name = module.eks[0].cluster_name + endpoint = module.eks[0].endpoint + aws_load_balancer_controller_iam_role_arn = module.eks[0].aws_load_balancer_controller_iam_role_arn + external_dns_iam_role_arn = module.eks[0].external_dns_iam_role_arn + aws_efs_csi_driver_iam_role_arn = module.eks[0].aws_efs_csi_driver_iam_role_arn + aws_ebs_csi_driver_iam_role_arn = module.eks[0].aws_ebs_csi_driver_iam_role_arn + efs_file_system_id = module.eks[0].efs_file_system_id + thanos_iam_role_arn = module.eks[0].thanos_iam_role_arn + thanos_storage_s3_bucket_name = module.eks[0].thanos_storage_s3_bucket_name + cloudwatch_exporter_iam_role_arn = module.eks[0].cloudwatch_exporter_iam_role_arn + cloudwatch_exporter_development_iam_role_arn = module.eks[0].cloudwatch_exporter_development_iam_role_arn + cloudwatch_exporter_pre_production_iam_role_arn = module.eks[0].cloudwatch_exporter_pre_production_iam_role_arn + db_endpoint = module.eks[0].db_endpoint } : null sensitive = true } diff --git a/variables.tf b/variables.tf index 2ea8f7f..e1c4655 100644 --- a/variables.tf +++ b/variables.tf 
@@ -15,6 +15,16 @@ variable "assume_role" { type = string } +variable "assume_role_development" { + description = "The role to assume in development aws account" + type = string +} + +variable "assume_role_pre_production" { + description = "The role to assume in pre-production aws account" + type = string +} + variable "aws_region" { description = "The AWS region to create things in" type = string @@ -67,13 +77,3 @@ variable "farnborough_mgmt_range" { variable "network_services_cidr_block" { type = string } - -variable "assume_role_development" { - description = "The role to assume in development aws account" - type = string -} - -variable "assume_role_pre_production" { - description = "The role to assume in pre-production aws account" - type = string -} From 14e011c0e1f6861a132bceb2edcd183efbac6d72 Mon Sep 17 00:00:00 2001 From: jamesgreen-moj <144033531+jamesgreen-moj@users.noreply.github.com> Date: Mon, 20 Nov 2023 10:29:41 +0000 Subject: [PATCH 11/23] Merge pull request #222 from ministryofjustice/montoring-impovements Montoring impovements From 1ca479e2427c98f3b3f5372d2a9b50ab4f0cb3e8 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 21 Nov 2023 15:09:57 +0000 Subject: [PATCH 12/23] adjusting env on and off switch to work rather rather than destory resources that need to be retained --- main.tf | 7 ++++--- modules/eks/efs.tf | 10 +++++++--- modules/eks/node_groups.tf | 6 +++--- modules/eks/outputs.tf | 4 ++-- modules/eks/rds.tf | 1 + modules/eks/variables.tf | 6 ++++++ 6 files changed, 23 insertions(+), 11 deletions(-) diff --git a/main.tf b/main.tf index 3e148bb..77c561e 100644 --- a/main.tf +++ b/main.tf @@ -34,7 +34,7 @@ provider "aws" { } data "aws_availability_zones" "available_zones" { - count = var.enabled ? 1 : 0 + count = 1 state = "available" } @@ -51,7 +51,7 @@ module "vpc_label" { } module "vpc" { - count = var.enabled ? 1 : 0 + count = 1 source = "./modules/vpc" prefix = module.vpc_label.id cidr = "10.180.100.0/22" 
@@ -78,7 +78,7 @@ module "eks_label" { } module "eks" { - count = var.enabled ? 1 : 0 + count = 1 source = "./modules/eks" prefix = module.eks_label.id vpc_id = module.vpc[0].vpc_id @@ -86,6 +86,7 @@ module "eks" { private_subnets_cidr_blocks = module.vpc[0].private_subnets_cidr_blocks db_username = var.db_username db_password = var.db_password + enabled = var.enabled tags = module.eks_label.tags diff --git a/modules/eks/efs.tf b/modules/eks/efs.tf index 84addee..e6bde07 100644 --- a/modules/eks/efs.tf +++ b/modules/eks/efs.tf @@ -1,4 +1,5 @@ resource "aws_efs_file_system" "this" { + count = var.enabled ? 1 : 0 creation_token = "${var.prefix}-efs" tags = var.tags @@ -26,19 +27,22 @@ resource "aws_security_group" "allow_inbound_nfs_traffic" { } resource "aws_efs_mount_target" "private_subnet_1" { - file_system_id = aws_efs_file_system.this.id + count = var.enabled ? 1 : 0 + file_system_id = aws_efs_file_system.this[0].id subnet_id = var.private_subnets[0] security_groups = [aws_security_group.allow_inbound_nfs_traffic.id] } resource "aws_efs_mount_target" "private_subnet_2" { - file_system_id = aws_efs_file_system.this.id + count = var.enabled ? 1 : 0 + file_system_id = aws_efs_file_system.this[0].id subnet_id = var.private_subnets[1] security_groups = [aws_security_group.allow_inbound_nfs_traffic.id] } resource "aws_efs_mount_target" "private_subnet_3" { - file_system_id = aws_efs_file_system.this.id + count = var.enabled ? 1 : 0 + file_system_id = aws_efs_file_system.this[0].id subnet_id = var.private_subnets[2] security_groups = [aws_security_group.allow_inbound_nfs_traffic.id] } diff --git a/modules/eks/node_groups.tf b/modules/eks/node_groups.tf index 0f5b1e3..f4d7e84 100644 --- a/modules/eks/node_groups.tf +++ b/modules/eks/node_groups.tf 
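Review bot: `count = var.enabled ? 1 : 0` on `aws_efs_file_system.this`, and the matching line on `aws_db_instance.this` in the rds.tf hunk, make the ENABLED switch destroy the two stateful resources in the module — the file system and the Grafana database — whereas the node_groups hunk only scales compute to zero, and the commit message says the aim is to stop destroying resources that need to be retained. If that is unintended, leaving these two resources unconditional (or behind a separate flag) and keeping only the mount targets and node-group sizes on `var.enabled` would preserve the data; if it is intended, both resources should carry a comment saying so, and whether `skip_final_snapshot` / `deletion_protection` are set on the database is not visible in the hunk and should be checked. Both resource bodies continue outside their hunks.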
@@ -5,9 +5,9 @@ resource "aws_eks_node_group" "green" { subnet_ids = var.private_subnets scaling_config { - desired_size = 3 - max_size = 4 - min_size = 2 + desired_size = var.enabled ? 3 : 0 + max_size = var.enabled ? 4 : 1 + min_size = var.enabled ? 2 : 0 } update_config { diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf index 78f0df2..377b541 100644 --- a/modules/eks/outputs.tf +++ b/modules/eks/outputs.tf @@ -27,7 +27,7 @@ output "aws_ebs_csi_driver_iam_role_arn" { } output "efs_file_system_id" { - value = aws_efs_file_system.this.id + value = var.enabled ? aws_efs_file_system.this[0].id : null } output "thanos_iam_role_arn" { @@ -55,5 +55,5 @@ output "cloudwatch_exporter_pre_production_iam_role_arn" { } output "db_endpoint" { - value = aws_db_instance.this.endpoint + value = var.enabled ? aws_db_instance.this[0].endpoint : null } diff --git a/modules/eks/rds.tf b/modules/eks/rds.tf index d71b721..62d2e1a 100644 --- a/modules/eks/rds.tf +++ b/modules/eks/rds.tf @@ -1,4 +1,5 @@ resource "aws_db_instance" "this" { + count = var.enabled ? 1 : 0 identifier = "${var.prefix}-grafana-db" allocated_storage = 10 storage_type = "gp2" diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf index f1074c2..a655c5e 100644 --- a/modules/eks/variables.tf +++ b/modules/eks/variables.tf @@ -25,3 +25,9 @@ variable "db_username" { variable "db_password" { type = string } + +variable "enabled" { + description = "Feature flag that controls the deployment of the infrastructure in a given environment" + type = bool + default = true +} From 787a9025d093a5dd13031335e4948a9f79f9f067 Mon Sep 17 00:00:00 2001 From: Stephen James Date: Tue, 21 Nov 2023 15:21:13 +0000 Subject: [PATCH 13/23] Add descriptive local var for workaround work around to prevent destruction of exisisting resources in production avoids risk of importing into state file of live services. --- main.tf | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) 
diff --git a/main.tf b/main.tf index 77c561e..4152ffc 100644 --- a/main.tf +++ b/main.tf @@ -34,10 +34,16 @@ provider "aws" { } data "aws_availability_zones" "available_zones" { - count = 1 + count = local.always_create state = "available" } +locals { + ## work around to prevent destruction of exisisting resources in production + ## avoids risk of importing into state file of live services. + always_create = 1 +} + module "label" { source = "./modules/label" name = "nvvs-devops-monitor" @@ -51,7 +57,7 @@ module "vpc_label" { } module "vpc" { - count = 1 + count = local.always_create source = "./modules/vpc" prefix = module.vpc_label.id cidr = "10.180.100.0/22" @@ -78,7 +84,7 @@ module "eks_label" { } module "eks" { - count = 1 + count = local.always_create source = "./modules/eks" prefix = module.eks_label.id vpc_id = module.vpc[0].vpc_id From b227b1e846460496ebad8c2fdb986e328ac0d692 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 21 Nov 2023 15:36:00 +0000 Subject: [PATCH 14/23] if environment off lower site avilability --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 4152ffc..3cc6c79 100644 --- a/main.tf +++ b/main.tf @@ -62,7 +62,7 @@ module "vpc" { prefix = module.vpc_label.id cidr = "10.180.100.0/22" region = var.aws_region - available_zones = data.aws_availability_zones.available_zones[0].zone_ids + available_zones = var.enabled ? data.aws_availability_zones.available_zones[0].zone_ids : ["eu-west-2a"] // If environment off lower VPC avilability enable_transit_gateway = var.enable_transit_gateway transit_gateway_id = var.transit_gateway_id transit_gateway_route_table_id = var.transit_gateway_route_table_id From d0bbde69cb34d426e8e2aa79a02ead795fa0579e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Wed, 22 Nov 2023 15:42:17 +0000 Subject: [PATCH 15/23] Commit changes made by code formatters --- modules/eks/efs.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
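Review bot: the new `available_zones` expression mixes two identifier kinds: the enabled branch passes `zone_ids` (values of the form `euw2-az1`), while the fallback `["eu-west-2a"]` is a zone name, so whichever attribute the vpc module feeds them into will be wrong for one of the two branches, and the fallback also hard-codes a region while the rest of the block uses `var.aws_region`. `available_zones = var.enabled ? data.aws_availability_zones.available_zones[0].zone_ids : slice(data.aws_availability_zones.available_zones[0].zone_ids, 0, 1)` keeps the same kind in both cases and follows the configured region. Shrinking a live VPC from three zones to one will presumably replace its subnets, and the module's EFS mount targets index `var.private_subnets[1]` and `[2]` when enabled, so the transition back to enabled is worth planning against real state before merging. The trailing `//` comment would read more consistently with the rest of the file as a `#` comment on the line above.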
diff --git a/modules/eks/efs.tf b/modules/eks/efs.tf index e6bde07..9560231 100644 --- a/modules/eks/efs.tf +++ b/modules/eks/efs.tf @@ -1,5 +1,5 @@ resource "aws_efs_file_system" "this" { - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 creation_token = "${var.prefix}-efs" tags = var.tags @@ -27,21 +27,21 @@ resource "aws_security_group" "allow_inbound_nfs_traffic" { } resource "aws_efs_mount_target" "private_subnet_1" { - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 file_system_id = aws_efs_file_system.this[0].id subnet_id = var.private_subnets[0] security_groups = [aws_security_group.allow_inbound_nfs_traffic.id] } resource "aws_efs_mount_target" "private_subnet_2" { - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 file_system_id = aws_efs_file_system.this[0].id subnet_id = var.private_subnets[1] security_groups = [aws_security_group.allow_inbound_nfs_traffic.id] } resource "aws_efs_mount_target" "private_subnet_3" { - count = var.enabled ? 1 : 0 + count = var.enabled ? 1 : 0 file_system_id = aws_efs_file_system.this[0].id subnet_id = var.private_subnets[2] security_groups = [aws_security_group.allow_inbound_nfs_traffic.id] From 7d11f2bf4eeed59927854d4907ebe9423c7a4cb7 Mon Sep 17 00:00:00 2001 From: James Green Date: Wed, 22 Nov 2023 15:44:22 +0000 Subject: [PATCH 16/23] pin terraform version to version 1.2.9 --- .github/workflows/deployment_reusable_workflow.yml | 2 +- versions.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/deployment_reusable_workflow.yml b/.github/workflows/deployment_reusable_workflow.yml index 8fa8e99..664c5bc 100644 --- a/.github/workflows/deployment_reusable_workflow.yml +++ b/.github/workflows/deployment_reusable_workflow.yml 
@@ -70,7 +70,7 @@ jobs: - name: Setup Terraform uses: hashicorp/setup-terraform@v2 with: - terraform_version: 1.2.0 + terraform_version: 1.2.9 terraform_wrapper: false # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc. diff --git a/versions.tf b/versions.tf index 6546fae..f9a8198 100644 --- a/versions.tf +++ b/versions.tf @@ -1,5 +1,5 @@ terraform { - required_version = ">= 1.2.0" + required_version = "1.2.9" required_providers { aws = { From 2f6f53bded5fea4a4e73b371160e4d0263d0b6ce Mon Sep 17 00:00:00 2001 From: Stephen James Date: Tue, 28 Nov 2023 22:03:32 +0000 Subject: [PATCH 17/23] Generate env file script This script is for use with the baseline Makefile. TV_VARS files now redundant. --- scripts/generate-env-file.sh | 117 +++++++++++++++++++++++++++++++++++ 1 file changed, 117 insertions(+) create mode 100755 scripts/generate-env-file.sh diff --git a/scripts/generate-env-file.sh b/scripts/generate-env-file.sh new file mode 100755 index 0000000..aaf18e9 --- /dev/null +++ b/scripts/generate-env-file.sh 
@@ -0,0 +1,117 @@ +#!/usr/bin/env bash + +## This script will generate .env file for use with the Makefile +## or to export the TF_VARS into the environment + +set -x + +get-environment-secrets() { + local tag_name="supported-application-secret-for" + local application_name="nvvs-devops-monitor" + + local tag_name2=supported-application-environment + local environment=${1} + + local secrets + local secret_value + local tf_env + local env_var + local comment + + echo "" > ./.env.tmp + + secrets=$(aws secretsmanager list-secrets --no-cli-pager \ + --query "SecretList[].Name" \ + --filters Key=tag-key,Values=${tag_name} Key=tag-value,Values=${application_name} \ + --filters Key=tag-key,Values=${tag_name2} Key=tag-value,Values=${environment} \ + --output json | jq '.[]' --raw-output) + + for secret_id in ${secrets} + do + tf_env=$(aws secretsmanager describe-secret --secret-id ${secret_id} --query "Tags[?Key=='tf_var'].Value[]" --output text) + env_var=$(aws secretsmanager describe-secret --secret-id ${secret_id} --query "Tags[?Key=='env_var'].Value[]" --output text) + secret_value=$(aws secretsmanager get-secret-value --secret-id ${secret_id} --query "SecretString" --output text) + + [[ ! -z "${tf_env}" ]] && echo "${comment} export TF_VAR_${tf_env}=${secret_value}" >> ./.env.tmp + [[ ! -z "${env_var}" ]] && echo "${comment} export ${env_var}=${secret_value}" >> ./.env.tmp + done + + cat ./.env.tmp | sort >> ./.env + rm ./.env.tmp +} + +export ENV="${1:-development}" + +printf "\n\nEnvironment is %s\n\n" "${ENV}" + +case "${ENV}" in + development) + echo "development -- Continuing..." + ;; + pre-production) + echo "pre-production -- Continuing..." + ;; + production) + echo "production shouldn't really be running this locally." + ;; + *) + echo "Invalid input." + ;; +esac + +echo "Press 'y' to continue or 'n' to exit." + +# Wait for the user to press a key +read -s -n 1 key + +# Check which key was pressed +case $key in + y|Y) + echo "You pressed 'y'. Continuing..." 
+ ;; + n|N) + echo "You pressed 'n'. Exiting..." + exit 1 + ;; + *) + echo "Invalid input. Please press 'y' or 'n'." + ;; +esac + + +cat << EOF > ./.env +# env file +# regenerate by running "./scripts/generate-env-file.sh" +# defaults to "development" +# To test against another environment +# regenerate by running "./scripts/generate-env-file.sh [pre-production | production]" +# Also run "make clean" +# then run "make init" + + +export AWS_PROFILE=mojo-shared-services-cli +export AWS_VAULT_PROFILE=mojo-shared-services-cli + +### ${ENV} ### +export ENV=${ENV} +export TF_VAR_env=${ENV} +EOF + +assume_role_development_id="nvvs-devops-monitor/development/assume_role_arn" +assume_role_development=$(aws secretsmanager get-secret-value --secret-id ${assume_role_development_id} --query "SecretString" --output text) + +assume_role_pre_production_id="nvvs-devops-monitor/pre_production/assume_role_arn" +assume_role_pre_production=$(aws secretsmanager get-secret-value --secret-id ${assume_role_pre_production_id} --query "SecretString" --output text) + +cat << EOF >> ./.env +export TF_VAR_assume_role_development=${assume_role_development} +export TF_VAR_assume_role_pre_production=${assume_role_pre_production} +EOF + + +get-environment-secrets ${ENV} +chmod u+x ./.env + +rm -rf .terraform/ terraform.tfstate* + +printf "\n\n run \"make init\"\n\n" From 8fecb58f040dfdb201baa2fc7124404ebc964106 Mon Sep 17 00:00:00 2001 From: Stephen James Date: Tue, 28 Nov 2023 23:03:19 +0000 Subject: [PATCH 18/23] Baselined Makefile using Docker tooling container --- Makefile | 218 +++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 149 insertions(+), 69 deletions(-) diff --git a/Makefile b/Makefile index d8b4937..d290b70 100644 --- a/Makefile +++ b/Makefile 
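Review bot: `set -x` at the top of the script traces every expanded command, so inside `get-environment-secrets` the `echo "${comment} export TF_VAR_${tf_env}=${secret_value}"` lines and the results of `aws secretsmanager get-secret-value` are written to the terminal and to any captured log in clear text; replace it with `set -euo pipefail`, or bracket the secret-handling section with `set +x` / `set -x`. The generated `./.env` holds the same values but is only given `chmod u+x`, so `chmod 600 ./.env` would keep it from being group- or world-readable under a permissive umask. The `*)` branch of the y/n prompt prints "Invalid input" and then continues into the secret fetch; it should `exit 1` like the `n|N` branch. The two `--filters` options on `aws secretsmanager list-secrets` look as though the second replaces the first rather than combining with it, which would drop the application-name filter — worth confirming against the CLI before relying on it.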
@@ -1,80 +1,160 @@ #!make --include .env -export +.DEFAULT_GOAL := help +SHELL := '/bin/bash' + +CURRENT_TIME := `date "+%Y.%m.%d-%H.%M.%S"` +TERRAFORM_VERSION := `cat versions.tf 2> /dev/null | grep required_version | cut -d "\\"" -f 2 | cut -d " " -f 2` + +LOCAL_IMAGE := ministryofjustice/nvvs/terraforms:latest +DOCKER_IMAGE := ghcr.io/ministryofjustice/nvvs/terraforms:v0.2.0 + +DOCKER_RUN := @docker run --rm \ + --env-file <(aws-vault exec $$AWS_PROFILE -- env | grep ^AWS_) \ + --env-file <(env | grep ^TF_VAR_) \ + --env-file <(env | grep ^ENV) \ + -e TFENV_TERRAFORM_VERSION=$(TERRAFORM_VERSION) \ + -v `pwd`:/data \ + --workdir /data \ + --platform linux/amd64 \ + $(DOCKER_IMAGE) + +DOCKER_RUN_IT := @docker run --rm -it \ + --env-file <(aws-vault exec $$AWS_PROFILE -- env | grep ^AWS_) \ + --env-file <(env | grep ^TF_VAR_) \ + --env-file <(env | grep ^ENV) \ + -e TFENV_TERRAFORM_VERSION=$(TERRAFORM_VERSION) \ + -v `pwd`:/data \ + --workdir /data \ + --platform linux/amd64 \ + $(DOCKER_IMAGE) + +export DOCKER_DEFAULT_PLATFORM=linux/amd64 + +.PHONY: debug +debug: ## debug + @echo "debug" + $(info target is $@) + +.PHONY: aws +aws: ## provide aws cli command as an arg e.g. (make aws AWSCLI_ARGUMENT="s3 ls") + $(DOCKER_RUN) /bin/bash -c "aws $$AWSCLI_ARGUMENT" + +.PHONY: shell +shell: ## Run Docker container with interactive terminal + $(DOCKER_RUN_IT) /bin/bash + +.PHONY: fmt +fmt: ## terraform fmt + $(DOCKER_RUN) terraform fmt --recursive + +.PHONY: init +init: ## terraform init (make init ENV_ARGUMENT=pre-production) NOTE: Will also select the env's workspace. + +## INFO: Do not indent the conditional below, make stops with an error. +ifneq ("$(wildcard .env)","") +$(info Using config file ".env") +include .env +init: -init +else +$(info Config file ".env" does not exist.) 
+init: -init-gen-env +endif + +.PHONY: -init-gen-env +-init-gen-env: + $(MAKE) gen-env + +.PHONY: -init +-init: + $(DOCKER_RUN) terraform init --backend-config="key=terraform.$$ENV.state" + $(MAKE) workspace-select + +.PHONY: init-upgrade +init-upgrade: ## terraform init -upgrade + $(DOCKER_RUN) terraform init -upgrade --backend-config="key=terraform.$$ENV.state" + +.PHONY: import +import: ## terraform import e.g. (make import IMPORT_ARGUMENT=module.foo.bar some_resource) + $(DOCKER_RUN) terraform import $$IMPORT_ARGUMENT + +.PHONY: workspace-list +workspace-list: ## terraform workspace list + $(DOCKER_RUN) terraform workspace list + +.PHONY: workspace-select +workspace-select: ## terraform workspace select + $(DOCKER_RUN) terraform workspace select $$ENV || \ + $(DOCKER_RUN) terraform workspace new $$ENV + +.PHONY: validate +validate: ## terraform validate + $(DOCKER_RUN) terraform validate + +.PHONY: plan-out +plan-out: ## terraform plan - output to timestamped file + $(DOCKER_RUN) terraform plan -no-color > $$ENV.$(CURRENT_TIME).tfplan + +.PHONY: plan +plan: ## terraform plan + $(DOCKER_RUN) terraform plan + +.PHONY: refresh +refresh: ## terraform refresh + $(DOCKER_RUN) terraform refresh + +.PHONY: output +output: ## terraform output (make output OUTPUT_ARGUMENT='--raw dns_dhcp_vpc_id') + $(DOCKER_RUN) terraform output -no-color $$OUTPUT_ARGUMENT + +.PHONY: apply +apply: ## terraform apply + $(DOCKER_RUN_IT) terraform apply + $(DOCKER_RUN) /bin/bash -c "./scripts/publish_terraform_outputs.sh" + +.PHONY: state-list +state-list: ## terraform state list + $(DOCKER_RUN) terraform state list + +.PHONY: show +show: ## terraform show + $(DOCKER_RUN) terraform show -no-color + +.PHONY: destroy +destroy: ## terraform destroy + $(DOCKER_RUN) terraform destroy -deploy: - ./scripts/deploy.sh - -uninstall: - ./scripts/uninstall_all_deployments.sh - -fmt: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform fmt --recursive - -init: - aws-vault exec $$AWS_VAULT_PROFILE -- 
terraform init -reconfigure \ - --backend-config="key=terraform.$$ENV.state" - -init-upgrade: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform init -upgrade \ - --backend-config="key=terraform.$$ENV.state" - -# How to use -# IMPORT_ARGUMENT=module.foo.bar some_resource make import -import: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform import $$IMPORT_ARGUMENT - -workspace-list: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace list - -workspace-select: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace select $$ENV || \ - aws-vault exec $$AWS_VAULT_PROFILE -- terraform workspace new $$ENV - -validate: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform validate - -plan-out: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan -no-color > $$ENV.tfplan - -plan: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform plan - -refresh: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform refresh - -output: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform output -json - -apply: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform apply - ./scripts/publish_terraform_outputs.sh +.PHONY: lock +lock: ## terraform providers lock (reset hashes after upgrades prior to commit) + rm .terraform.lock.hcl + $(DOCKER_RUN) terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64 -state-list: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform state list +.PHONY: clean +clean: ## clean terraform cached providers etc + rm -rf .terraform/ terraform.tfstate* .env .env.tmp + ## Sometimes engineers forget to remove the unnecessary TFVARs file and create issues + ## We move it safely out of the way + if test -f terraform.tfvars; then mv terraform.tfvars terraform.tfvars.DELETE_ME; fi -show: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform show -no-color +.PHONY: gen-env +gen-env: ## generate a ".env" file with the correct TF_VARS for the environment e.g. 
(make gen-env ENV_ARGUMENT=pre-production) + $(DOCKER_RUN) /bin/bash -c "./scripts/generate-env-file.sh $$ENV_ARGUMENT" -destroy: - aws-vault exec $$AWS_VAULT_PROFILE -- terraform destroy +.PHONY: tfenv +tfenv: ## tfenv pin - terraform version from versions.tf + tfenv use $(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin -clean: - rm -rf .terraform/ terraform.tfstate* +.PHONY: deploy +deploy: ## deploy + $(DOCKER_RUN_IT) /bin/bash -c "./scripts/deploy.sh" -tfenv: - tfenv use $(cat versions.tf 2> /dev/null | grep required_version | cut -d "\"" -f 2 | cut -d " " -f 2) && tfenv pin +.PHONY: uninstall +uninstall: ## uninstall + $(DOCKER_RUN_IT) /bin/bash -c "./scripts/uninstall_all_deployments.sh" -generate_diagrams: +.PHONY: generate_diagrams +generate_diagrams: ## generate_diagrams docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/architecture_diagram.py docker run -it --rm -v "${PWD}":/app/ -w /app/documentation/diagrams/ mjdk/diagrams scripts/detailed_eks_diagram.py -.PHONY: - fmt init workspace-list workspace-select validate plan-out plan \ - refresh output apply state-list show destroy clean tfenv - - -.PHONY: lock -lock: ## terraform providers lock (reset hashes after upgrades prior to commit) - rm .terraform.lock.hcl - $(DOCKER_RUN) terraform providers lock -platform=windows_amd64 -platform=darwin_amd64 -platform=linux_amd64 +help: + @grep -h -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' From 1858c51e00a49223f6907eaa74159460631b1c7c Mon Sep 17 00:00:00 2001 From: Stephen James Date: Tue, 28 Nov 2023 23:05:46 +0000 Subject: [PATCH 19/23] Removed deprecated files --- .gitignore | 1 + terraform.tfvars.example | 26 -------------------------- 2 files changed, 1 insertion(+), 26 deletions(-) delete mode 100644 terraform.tfvars.example 
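Review bot: In the `tfenv` target, `$(cat versions.tf 2> /dev/null | ...)` is expanded by make rather than the shell, so it resolves to an empty make variable and the recipe runs `tfenv use  && tfenv pin`; the hunk already defines `TERRAFORM_VERSION` from the same pipeline, so `tfenv use $(TERRAFORM_VERSION) && tfenv pin` fixes it. Note that the variable's `cut -d "\\""` escapes the quote differently from the target's `cut -d "\""`, so check which form actually yields the version string. `DOCKER_IMAGE := ghcr.io/ministryofjustice/nvvs/terraforms:v0.2.0` pins by a mutable tag while every `terraform` command runs inside that image with AWS credentials and all `TF_VAR_` secrets injected through `--env-file`; pinning by digest, e.g. `ghcr.io/ministryofjustice/nvvs/terraforms:v0.2.0@sha256:<DIGEST>` (placeholder), would make the tooling image reproducible. The `help` target is the only one without a `.PHONY` declaration.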
diff --git a/.gitignore b/.gitignore index 4276471..1b3cbbf 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ terraform.tfstate *.tfstate.* .infracost/ .terraform-version +.idea diff --git a/terraform.tfvars.example b/terraform.tfvars.example deleted file mode 100644 index 364cc64..0000000 --- a/terraform.tfvars.example +++ /dev/null @@ -1,26 +0,0 @@ -# The Role which Shared Services will build with in the relevant AWS account -assume_role = - -# The role to assume in other aws accounts to create some required iam roles -assume_role_development = -assume_role_pre_production = - -# Run aws route53 list-hosted-zones in the relevant account to get the following variables -domain_name = -zone_id = - -# To create (or not delete, if already created) the infrastructure set to 'true'. Similarly set to 'false' [default] to destroy infrastructure. -enabled = - -# Grafana RDS Database Username & Password -db_username = -db_password = - -byoip_pool_id = - -enable_transit_gateway = true -transit_gateway_route_table_id = -transit_gateway_id = -corsham_mgmt_range = .0/24 -farnborough_mgmt_range = .0/24 -network_services_cidr_block = From 1564047df6761ef53e4af07158abf30a5865feca Mon Sep 17 00:00:00 2001 From: James Green Date: Thu, 4 Jan 2024 16:10:08 +0000 Subject: [PATCH 20/23] Updated GitHub actions Removed GitHub actions ability to deploy dev and preprod monitoring. More testing is required under a different ticket to enable to this work --- .github/workflows/deployment.yml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.github/workflows/deployment.yml b/.github/workflows/deployment.yml index ba6b74b..8cd6d4b 100644 --- a/.github/workflows/deployment.yml +++ b/.github/workflows/deployment.yml @@ -18,7 +18,7 @@ jobs: uses: ./.github/workflows/deployment_reusable_workflow.yml with: ENV: development - ENABLED: true + ENABLED: false secrets: inherit deploy-pre-production: 
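Review bot: Setting `ENABLED: false` on `deploy-development` (and on `deploy-pre-production` in the next hunk) does not stop those jobs from running; the reusable workflow is still invoked with `secrets: inherit` on every trigger, and the `terraform.tfvars.example` deleted earlier on this page describes `enabled = false` as destroying infrastructure, so this looks like it would actively tear down those environments on each run rather than skip them — worth confirming against `deployment_reusable_workflow.yml`, which is not part of this change. If the intent is to disable the jobs, `if: false` on each job, or removing them together with their entries in `deploy-production`'s `needs:`, expresses that directly. The commented-out `destroy-*` jobs could then be dropped in favour of git history rather than kept as dead YAML.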
@@ -26,17 +26,17 @@ jobs: uses: ./.github/workflows/deployment_reusable_workflow.yml with: ENV: pre-production - ENABLED: true - secrets: inherit - - destroy-development: - needs: [ deploy-development, deploy-pre-production] - uses: ./.github/workflows/deployment_reusable_workflow.yml - with: - ENV: development ENABLED: false secrets: inherit +# destroy-development: +# needs: [ deploy-development, deploy-pre-production] +# uses: ./.github/workflows/deployment_reusable_workflow.yml +# with: +# ENV: development +# ENABLED: false +# secrets: inherit + deploy-production: needs: [deploy-development, deploy-pre-production] uses: ./.github/workflows/deployment_reusable_workflow.yml @@ -45,10 +45,10 @@ jobs: ENABLED: true secrets: inherit - destroy-pre-production: - needs: [ deploy-development, deploy-pre-production, deploy-production] - uses: ./.github/workflows/deployment_reusable_workflow.yml - with: - ENV: pre-production - ENABLED: false - secrets: inherit +# destroy-pre-production: +# needs: [ deploy-development, deploy-pre-production, deploy-production] +# uses: ./.github/workflows/deployment_reusable_workflow.yml +# with: +# ENV: pre-production +# ENABLED: false +# secrets: inherit From 9f602cfb16abf8e40c93aa058351895b78be7b2e Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 9 Jan 2024 19:04:50 +0000 Subject: [PATCH 21/23] Updated documentation in the makefile Import needs quotes to pass into container successfully --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index d290b70..bcad133 100644 --- a/Makefile +++ b/Makefile 
@@ -74,7 +74,7 @@ init-upgrade: ## terraform init -upgrade $(DOCKER_RUN) terraform init -upgrade --backend-config="key=terraform.$$ENV.state" .PHONY: import -import: ## terraform import e.g. (make import IMPORT_ARGUMENT=module.foo.bar some_resource) +import: ## terraform import e.g. (make import IMPORT_ARGUMENT="module.foo.bar some_resource") $(DOCKER_RUN) terraform import $$IMPORT_ARGUMENT .PHONY: workspace-list From 8c1164732794a854ecc868c6c3145ac252b755f8 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 9 Jan 2024 19:10:37 +0000 Subject: [PATCH 22/23] max_unavilable update given that the new max size is 1 when enabled == false, max_unavilable neeeded updating to reflect new max_size --- modules/eks/node_groups.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/eks/node_groups.tf b/modules/eks/node_groups.tf index f4d7e84..ba0e0b0 100644 --- a/modules/eks/node_groups.tf +++ b/modules/eks/node_groups.tf @@ -11,7 +11,7 @@ resource "aws_eks_node_group" "green" { } update_config { - max_unavailable = 2 + max_unavailable = var.enabled ? 2 : 1 } # Ensure that IAM Role permissions are created before and deleted after EKS Node Group handling. From e05a01ebab09bea1a1d033d231043a29b1b28814 Mon Sep 17 00:00:00 2001 From: James Green Date: Tue, 9 Jan 2024 19:12:15 +0000 Subject: [PATCH 23/23] Fixed AZ zones When VPC was created from skratch, it was forcing all subnets in the same AZ, this was a problem due to a reqirement of the ECS to be "in at least two different availability zones". --- main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 3cc6c79..4152ffc 100644 --- a/main.tf +++ b/main.tf 
@@ -62,7 +62,7 @@ module "vpc" {
 prefix = module.vpc_label.id
 cidr = "10.180.100.0/22"
 region = var.aws_region
- available_zones = var.enabled ? data.aws_availability_zones.available_zones[0].zone_ids : ["eu-west-2a"] // If environment off lower VPC avilability
+ available_zones = data.aws_availability_zones.available_zones[0].zone_ids
 enable_transit_gateway = var.enable_transit_gateway
 transit_gateway_id = var.transit_gateway_id
 transit_gateway_route_table_id = var.transit_gateway_route_table_id