Merge pull request #226 from ministryofjustice/make-env-switch-work-c…

…orrectly Make env switch work correctly
ministryofjustice · Nov 22, 2023 · ba4b9cf · ba4b9cf
2 parents d4abe8f + 85ef9ad
commit ba4b9cf
Show file tree

Hide file tree

Showing 8 changed files with 32 additions and 14 deletions.
diff --git a/.github/workflows/deployment_reusable_workflow.yml b/.github/workflows/deployment_reusable_workflow.yml
@@ -70,7 +70,7 @@ jobs:
       - name: Setup Terraform
         uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: 1.2.0
+          terraform_version: 1.2.9
           terraform_wrapper: false
 
       # Initialize a new or existing Terraform working directory by creating initial files, loading any remote state, downloading modules, etc.

diff --git a/main.tf b/main.tf
@@ -34,10 +34,16 @@ provider "aws" {
 }
 
 data "aws_availability_zones" "available_zones" {
-  count = var.enabled ? 1 : 0
+  count = local.always_create
   state = "available"
 }
 
+locals {
+  ## work around to prevent destruction of exisisting resources in production
+  ## avoids risk of importing into state file of live services.
+  always_create = 1
+}
+
 module "label" {
   source           = "./modules/label"
   name             = "nvvs-devops-monitor"
@@ -51,12 +57,12 @@ module "vpc_label" {
 }
 
 module "vpc" {
-  count                          = var.enabled ? 1 : 0
+  count                          = local.always_create
   source                         = "./modules/vpc"
   prefix                         = module.vpc_label.id
   cidr                           = "10.180.100.0/22"
   region                         = var.aws_region
-  available_zones                = data.aws_availability_zones.available_zones[0].zone_ids
+  available_zones                = var.enabled ? data.aws_availability_zones.available_zones[0].zone_ids : ["eu-west-2a"] // If environment off lower VPC avilability
   enable_transit_gateway         = var.enable_transit_gateway
   transit_gateway_id             = var.transit_gateway_id
   transit_gateway_route_table_id = var.transit_gateway_route_table_id
@@ -78,14 +84,15 @@ module "eks_label" {
 }
 
 module "eks" {
-  count                       = var.enabled ? 1 : 0
+  count                       = local.always_create
   source                      = "./modules/eks"
   prefix                      = module.eks_label.id
   vpc_id                      = module.vpc[0].vpc_id
   private_subnets             = module.vpc[0].private_subnets
   private_subnets_cidr_blocks = module.vpc[0].private_subnets_cidr_blocks
   db_username                 = var.db_username
   db_password                 = var.db_password
+  enabled                     = var.enabled
 
   tags = module.eks_label.tags
 

diff --git a/modules/eks/efs.tf b/modules/eks/efs.tf
@@ -1,4 +1,5 @@
 resource "aws_efs_file_system" "this" {
+  count          = var.enabled ? 1 : 0
   creation_token = "${var.prefix}-efs"
 
   tags = var.tags
@@ -26,19 +27,22 @@ resource "aws_security_group" "allow_inbound_nfs_traffic" {
 }
 
 resource "aws_efs_mount_target" "private_subnet_1" {
-  file_system_id  = aws_efs_file_system.this.id
+  count           = var.enabled ? 1 : 0
+  file_system_id  = aws_efs_file_system.this[0].id
   subnet_id       = var.private_subnets[0]
   security_groups = [aws_security_group.allow_inbound_nfs_traffic.id]
 }
 
 resource "aws_efs_mount_target" "private_subnet_2" {
-  file_system_id  = aws_efs_file_system.this.id
+  count           = var.enabled ? 1 : 0
+  file_system_id  = aws_efs_file_system.this[0].id
   subnet_id       = var.private_subnets[1]
   security_groups = [aws_security_group.allow_inbound_nfs_traffic.id]
 }
 
 resource "aws_efs_mount_target" "private_subnet_3" {
-  file_system_id  = aws_efs_file_system.this.id
+  count           = var.enabled ? 1 : 0
+  file_system_id  = aws_efs_file_system.this[0].id
   subnet_id       = var.private_subnets[2]
   security_groups = [aws_security_group.allow_inbound_nfs_traffic.id]
 }
diff --git a/modules/eks/node_groups.tf b/modules/eks/node_groups.tf
@@ -5,9 +5,9 @@ resource "aws_eks_node_group" "green" {
   subnet_ids      = var.private_subnets
 
   scaling_config {
-    desired_size = 3
-    max_size     = 4
-    min_size     = 2
+    desired_size = var.enabled ? 3 : 0
+    max_size     = var.enabled ? 4 : 1
+    min_size     = var.enabled ? 2 : 0
   }
 
   update_config {

diff --git a/modules/eks/outputs.tf b/modules/eks/outputs.tf
@@ -27,7 +27,7 @@ output "aws_ebs_csi_driver_iam_role_arn" {
 }
 
 output "efs_file_system_id" {
-  value = aws_efs_file_system.this.id
+  value = var.enabled ? aws_efs_file_system.this[0].id : null
 }
 
 output "thanos_iam_role_arn" {
@@ -55,5 +55,5 @@ output "cloudwatch_exporter_pre_production_iam_role_arn" {
 }
 
 output "db_endpoint" {
-  value = aws_db_instance.this.endpoint
+  value = var.enabled ? aws_db_instance.this[0].endpoint : null
 }
diff --git a/modules/eks/rds.tf b/modules/eks/rds.tf
@@ -1,4 +1,5 @@
 resource "aws_db_instance" "this" {
+  count                       = var.enabled ? 1 : 0
   identifier                  = "${var.prefix}-grafana-db"
   allocated_storage           = 10
   storage_type                = "gp2"

diff --git a/modules/eks/variables.tf b/modules/eks/variables.tf
@@ -25,3 +25,9 @@ variable "db_username" {
 variable "db_password" {
   type = string
 }
+
+variable "enabled" {
+  description = "Feature flag that controls the deployment of the infrastructure in a given environment"
+  type        = bool
+  default     = true
+}
diff --git a/versions.tf b/versions.tf
@@ -1,5 +1,5 @@
 terraform {
-  required_version = ">= 1.2.0"
+  required_version = "1.2.9"
 
   required_providers {
     aws = {