Wardship: change db setup for dev (#5451)

terraform/environments/wardship/ecs.tf

@@ -12,6 +12,7 @@ resource "aws_cloudwatch_log_group" "deployment_logs" {
 }
 
 resource "aws_ecs_task_definition" "wardship_task_definition" {
+  count                    = local.is-development ? 0 : 1
   family                   = "wardshipFamily"
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
@@ -36,23 +37,93 @@ resource "aws_ecs_task_definition" "wardship_task_definition" {
       environment = [
         {
           name  = "RDS_HOSTNAME"
-          value = "${aws_db_instance.wardship_db.address}"
+          value = "${aws_db_instance.wardship_db[0].address}"
         },
         {
           name  = "RDS_PORT"
           value = "${local.application_data.accounts[local.environment].rds_port}"
         },
         {
           name  = "RDS_USERNAME"
-          value = "${aws_db_instance.wardship_db.username}"
+          value = "${aws_db_instance.wardship_db[0].username}"
         },
         {
           name  = "RDS_PASSWORD"
-          value = "${aws_db_instance.wardship_db.password}"
+          value = "${aws_db_instance.wardship_db[0].password}"
         },
         {
           name  = "DB_NAME"
-          value = "${aws_db_instance.wardship_db.db_name}"
+          value = "${aws_db_instance.wardship_db[0].db_name}"
+        },
+        {
+          name  = "supportEmail"
+          value = "${local.application_data.accounts[local.environment].support_email}"
+        },
+        {
+          name  = "supportTeam"
+          value = "${local.application_data.accounts[local.environment].support_team}"
+        },
+        {
+          name  = "CurServer"
+          value = "${local.application_data.accounts[local.environment].curserver}"
+        },
+        {
+          name  = "ida:ClientId"
+          value = "${local.application_data.accounts[local.environment].client_id}"
+        }
+      ]
+    }
+  ])
+  runtime_platform {
+    operating_system_family = "WINDOWS_SERVER_2019_CORE"
+    cpu_architecture        = "X86_64"
+  }
+}
+
+//ECS task definition for the development environment:
+resource "aws_ecs_task_definition" "wardship_task_definition_dev" {
+  count                    = local.is-development ? 1 : 0
+  family                   = "wardshipFamily"
+  requires_compatibilities = ["FARGATE"]
+  network_mode             = "awsvpc"
+  execution_role_arn       = aws_iam_role.app_execution.arn
+  task_role_arn            = aws_iam_role.app_task.arn
+  cpu                      = 1024
+  memory                   = 2048
+  container_definitions = jsonencode([
+    {
+      name      = "wardship-container"
+      image     = "${aws_ecr_repository.wardship_ecr_repo.repository_url}:latest"
+      cpu       = 1024
+      memory    = 2048
+      essential = true
+      portMappings = [
+        {
+          containerPort = 80
+          protocol      = "tcp"
+          hostPort      = 80
+        }
+      ]
+      environment = [
+        {
+          name  = "RDS_HOSTNAME"
+          value = "${aws_db_instance.wardship_db_dev[0].address}"
+        },
+        {
+          name  = "RDS_PORT"
+          value = "${local.application_data.accounts[local.environment].rds_port}"
+        },
+        {
+          name  = "RDS_USERNAME"
+          value = "${aws_db_instance.wardship_db_dev[0].username}"
+        },
+        {
+          name  = "RDS_PASSWORD"
+          value = "${aws_db_instance.wardship_db_dev[0].password}"
+        },
+        {
+          name  = "DB_NAME"
+          value = "${aws_db_instance.wardship_db_dev[0].db_name}"
         },
         {
           name  = "supportEmail"
@@ -84,9 +155,41 @@ resource "aws_ecs_service" "wardship_ecs_service" {
     aws_lb_listener.wardship_lb
   ]
 
+  count                             = local.is-development ? 0 : 1
+  name                              = var.networking[0].application
+  cluster                           = aws_ecs_cluster.wardship_cluster.id
+  task_definition                   = aws_ecs_task_definition.wardship_task_definition[0].arn
+  launch_type                       = "FARGATE"
+  enable_execute_command            = true
+  desired_count                     = 2
+  health_check_grace_period_seconds = 180
+
+  network_configuration {
+    subnets          = data.aws_subnets.shared-public.ids
+    security_groups  = [aws_security_group.ecs_service.id]
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_lb_target_group.wardship_target_group.arn
+    container_name   = "wardship-container"
+    container_port   = 80
+  }
+
+  deployment_controller {
+    type = "ECS"
+  }
+}
+
+resource "aws_ecs_service" "wardship_ecs_service_dev" {
+  depends_on = [
+    aws_lb_listener.wardship_lb
+  ]
+
+  count                             = local.is-development ? 1 : 0
   name                              = var.networking[0].application
   cluster                           = aws_ecs_cluster.wardship_cluster.id
-  task_definition                   = aws_ecs_task_definition.wardship_task_definition.arn
+  task_definition                   = aws_ecs_task_definition.wardship_task_definition_dev[0].arn
   launch_type                       = "FARGATE"
   enable_execute_command            = true
   desired_count                     = 2
@@ -377,3 +480,60 @@ module "pagerduty_core_alerts_prod" {
   sns_topics                = [aws_sns_topic.wardship_utilisation_alarm[0].name]
   pagerduty_integration_key = local.pagerduty_integration_keys["wardship_prod_alarms"]
 }
+
+# resource "aws_eip" "nat" {
+#   domain = "vpc"
+
+#   tags = {
+#     Name = "eip-for-nat-gateway"
+#   }
+# }
+
+# resource "aws_nat_gateway" "nat_gateway" {
+#   allocation_id = aws_eip.nat.id
+#   subnet_id     = data.aws_subnets.shared-public.ids[0]
+
+#   tags = {
+#     Name = "nat-gateway"
+#   }
+# }
+
+# resource "aws_route" "route" {
+#   route_table_id            = data.aws_route_table.private.id
+#   destination_cidr_block    = "0.0.0.0/0"
+#   nat_gateway_id            = aws_nat_gateway.nat_gateway.id
+# }
+
+# data "aws_route_table" "private" {
+#   subnet_id = data.aws_subnets.shared-private.ids[0]
+# }
+
+//VPC endpoint stuff:
+
+# resource "aws_vpc_endpoint" "ecr_dkr" {
+#   vpc_id              = data.aws_vpc.shared.id
+#   service_name        = "com.amazonaws.eu-west-2.ecr.dkr"
+#   vpc_endpoint_type   = "Interface"
+#   private_dns_enabled = true
+
+#   security_group_ids = [aws_security_group.ecs_service.id]
+#   subnet_ids         = data.aws_subnets.shared-private.ids
+# }
+
+# resource "aws_vpc_endpoint" "ecr_api" {
+#   vpc_id              = data.aws_vpc.shared.id
+#   service_name        = "com.amazonaws.eu-west-2.ecr.api"
+#   vpc_endpoint_type   = "Interface"
+#   private_dns_enabled = true
+
+#   security_group_ids = [aws_security_group.ecs_service.id]
+#   subnet_ids         = data.aws_subnets.shared-private.ids
+# }
+
+# resource "aws_vpc_endpoint" "s3" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.s3"
+#   vpc_endpoint_type = "Gateway"
+
+#   route_table_ids = data.aws_subnets.shared-private.ids
+# }

terraform/environments/wardship/rds.tf

@@ -1,4 +1,5 @@
 resource "aws_db_instance" "wardship_db" {
+  count                       = local.is-development ? 0 : 1
   allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
   db_name                     = local.application_data.accounts[local.environment].db_name
   storage_type                = local.application_data.accounts[local.environment].storage_type
@@ -10,7 +11,7 @@ resource "aws_db_instance" "wardship_db" {
   password                    = random_password.password.result
   skip_final_snapshot         = true
   publicly_accessible         = false
-  vpc_security_group_ids      = [aws_security_group.postgresql_db_sc.id]
+  vpc_security_group_ids      = [aws_security_group.postgresql_db_sc[0].id]
   db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
   allow_major_version_upgrade = true
 }
@@ -20,30 +21,60 @@ resource "aws_db_subnet_group" "dbsubnetgroup" {
   subnet_ids = data.aws_subnets.shared-public.ids
 }
 
-//SG for accessing the tacticalproducts source DB:
-resource "aws_security_group" "modernisation_wardship_access" {
-  provider    = aws.tacticalproducts
-  name        = "modernisation_wardship_access-${local.environment}"
-  description = "Allow wardship on modernisation platform to access the source database"
+resource "aws_security_group" "postgresql_db_sc" {
+  count       = local.is-development ? 0 : 1
+  name        = "postgres_security_group"
+  description = "control access to the database"
+  vpc_id      = data.aws_vpc.shared.id
+  ingress {
+    from_port       = 5432
+    to_port         = 5432
+    protocol        = "tcp"
+    description     = "Allows ECS service to access RDS"
+    security_groups = [aws_security_group.ecs_service.id]
+  }
 
   ingress {
+    protocol    = "tcp"
+    description = "Allow PSQL traffic from bastion"
     from_port   = 5432
     to_port     = 5432
-    protocol    = "tcp"
-    description = "Allow wardship on modernisation platform to connect to source database"
-    cidr_blocks = ["${jsondecode(data.http.myip.response_body)["ip"]}/32"]
+    security_groups = [
+      module.bastion_linux.bastion_security_group
+    ]
   }
-
   egress {
+    description = "allow all outbound traffic"
     from_port   = 0
     to_port     = 0
     protocol    = "-1"
     cidr_blocks = ["0.0.0.0/0"]
   }
+
 }
 
-resource "aws_security_group" "postgresql_db_sc" {
-  name        = "postgres_security_group"
+// DB setup for the development environment (set to publicly accessible to allow GitHub Actions access):
+resource "aws_db_instance" "wardship_db_dev" {
+  count                       = local.is-development ? 1 : 0
+  allocated_storage           = local.application_data.accounts[local.environment].allocated_storage
+  db_name                     = local.application_data.accounts[local.environment].db_name
+  storage_type                = local.application_data.accounts[local.environment].storage_type
+  engine                      = local.application_data.accounts[local.environment].engine
+  identifier                  = local.application_data.accounts[local.environment].identifier
+  engine_version              = local.application_data.accounts[local.environment].engine_version
+  instance_class              = local.application_data.accounts[local.environment].instance_class
+  username                    = local.application_data.accounts[local.environment].db_username
+  password                    = random_password.password.result
+  skip_final_snapshot         = true
+  publicly_accessible         = true
+  vpc_security_group_ids      = [aws_security_group.postgresql_db_sc_dev[0].id]
+  db_subnet_group_name        = aws_db_subnet_group.dbsubnetgroup.name
+  allow_major_version_upgrade = true
+}
+
+resource "aws_security_group" "postgresql_db_sc_dev" {
+  count       = local.is-development ? 1 : 0
+  name        = "postgres_security_group_dev"
   description = "control access to the database"
   vpc_id      = data.aws_vpc.shared.id
   ingress {
@@ -84,20 +115,19 @@ data "http" "myip" {
   url = "http://ipinfo.io/json"
 }
 
-// Sets up empty database for Development environment
 resource "null_resource" "setup_dev_db" {
   count = local.is-development ? 1 : 0
 
-  depends_on = [aws_db_instance.wardship_db]
+  depends_on = [aws_db_instance.wardship_db_dev[0]]
 
   provisioner "local-exec" {
     interpreter = ["bash", "-c"]
     command     = "chmod +x ./setup-dev-db.sh; ./setup-dev-db.sh"
 
     environment = {
-      DB_HOSTNAME          = aws_db_instance.wardship_db.address
-      DB_NAME              = aws_db_instance.wardship_db.db_name
-      WARDSHIP_DB_USERNAME = aws_db_instance.wardship_db.username
+      DB_HOSTNAME          = aws_db_instance.wardship_db_dev[0].address
+      DB_NAME              = aws_db_instance.wardship_db_dev[0].db_name
+      WARDSHIP_DB_USERNAME = aws_db_instance.wardship_db_dev[0].username
       WARDSHIP_DB_PASSWORD = random_password.password.result
     }
   }