From 17474676eb60cab2bc165a80c77267c203946601 Mon Sep 17 00:00:00 2001 From: modernisation-platform-ci Date: Wed, 15 Mar 2023 11:36:28 +0000 Subject: [PATCH] Workflow: created files in . --- .github/CODEOWNERS | 1 + .github/workflows/tribunals.yml | 259 ++++++++++++++++++ terraform/environments/tribunals/README.md | 76 +++++ .../tribunals/application_variables.json | 16 ++ terraform/environments/tribunals/data.tf | 1 + terraform/environments/tribunals/locals.tf | 1 + .../tribunals/networking.auto.tfvars.json | 9 + .../tribunals/platform_backend.tf | 13 + .../tribunals/platform_base_variables.tf | 5 + .../environments/tribunals/platform_data.tf | 173 ++++++++++++ .../environments/tribunals/platform_locals.tf | 38 +++ .../tribunals/platform_providers.tf | 84 ++++++ .../tribunals/platform_secrets.tf | 16 ++ .../tribunals/platform_versions.tf | 13 + terraform/environments/tribunals/secrets.tf | 1 + 15 files changed, 706 insertions(+) create mode 100644 .github/workflows/tribunals.yml create mode 100644 terraform/environments/tribunals/README.md create mode 100644 terraform/environments/tribunals/application_variables.json create mode 100644 terraform/environments/tribunals/data.tf create mode 100644 terraform/environments/tribunals/locals.tf create mode 100644 terraform/environments/tribunals/networking.auto.tfvars.json create mode 100644 terraform/environments/tribunals/platform_backend.tf create mode 100644 terraform/environments/tribunals/platform_base_variables.tf create mode 100644 terraform/environments/tribunals/platform_data.tf create mode 100644 terraform/environments/tribunals/platform_locals.tf create mode 100644 terraform/environments/tribunals/platform_providers.tf create mode 100644 terraform/environments/tribunals/platform_secrets.tf create mode 100644 terraform/environments/tribunals/platform_versions.tf create mode 100644 terraform/environments/tribunals/secrets.tf 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 75c69b5be81..1a307d81147 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -29,6 +29,7 @@
 /terraform/environments/tariff @ministryofjustice/cica @ministryofjustice/modernisation-platform
 /terraform/environments/testing @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
 /terraform/environments/tipstaff @ministryofjustice/dts-heritage-services @ministryofjustice/modernisation-platform
+/terraform/environments/tribunals @ministryofjustice/dts-heritage-services @ministryofjustice/modernisation-platform
 /terraform/environments/xhibit-portal @ministryofjustice/xhibit-portal-dev @ministryofjustice/modernisation-platform
 **/providers.tf @ministryofjustice/modernisation-platform
 **/backend.tf @ministryofjustice/modernisation-platform
diff --git a/.github/workflows/tribunals.yml b/.github/workflows/tribunals.yml
new file mode 100644
index 00000000000..49e09ad22a7
--- /dev/null
+++ b/.github/workflows/tribunals.yml
@@ -0,0 +1,259 @@ +--- +name: tribunals +on: + push: + branches: + - main + paths: + - 'terraform/environments/tribunals/**' + - '.github/workflows/tribunals.yml' + pull_request: + branches: + - main + types: [opened, edited, reopened, synchronize] + paths: + - 'terraform/environments/tribunals/**' + - '.github/workflows/tribunals.yml' + workflow_dispatch: + inputs: + action: + description: 'Set either [deploy|destroy].' + default: 'deploy' + required: true + type: string + options: + - deploy + - destroy +env: + TF_IN_AUTOMATION: true + AWS_REGION: "eu-west-2" + ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }} +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout +defaults: + run: + shell: bash + +jobs: + + plan-dev-test: + strategy: + matrix: + include: + - environment: development + - environment: test + name: Plan - ${{ matrix.environment }} + runs-on: ubuntu-latest + if: github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch' && github.event.inputs.action == 'deploy' + env: + TF_ENV: ${{ matrix.environment }} + steps: + - name: Checkout Repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Set Account Number + run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 + with: + role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" + role-session-name: githubactionsrolesession + aws-region: ${{ env.AWS_REGION }} + - name: Load and Configure Terraform + uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 + with: + terraform_version: "~1" + terraform_wrapper: false + - name: Plan - ${{ matrix.environment }} + run: | + 
terraform --version + echo "Terraform plan - ${TF_ENV}" + bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW + terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}" + bash scripts/terraform-plan.sh terraform/environments/$GITHUB_WORKFLOW + + # These jobs run when creating a pull request + deploy-dev-test: + needs: plan-dev-test + if: success() && github.event.inputs.action != 'destroy' + strategy: + matrix: + include: + - environment: development + - environment: test + name: Apply - ${{ matrix.environment }} + runs-on: ubuntu-latest + env: + TF_ENV: ${{ matrix.environment }} + environment: + name: ${{ github.workflow }}-${{ matrix.environment }} + steps: + - name: Checkout Repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Set Account Number + run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 + with: + role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" + role-session-name: githubactionsrolesession + aws-region: ${{ env.AWS_REGION }} + - name: Load and Configure Terraform + uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 + with: + terraform_version: "~1" + terraform_wrapper: false + - name: Apply - ${{ matrix.environment }} + run: | + terraform --version + echo "Terraform apply - ${TF_ENV}" + bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW + terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}" + bash scripts/terraform-apply.sh terraform/environments/$GITHUB_WORKFLOW + + destroy-plan-dev-test: + strategy: + matrix: + include: + - environment: development + - environment: 
test + name: Terraform destroy plan - ${{ github.workflow }} - ${{ matrix.environment }} + runs-on: ubuntu-latest + if: github.event_name == 'workflow_dispatch' && github.event.inputs.action == 'destroy' + env: + TF_ENV: ${{ matrix.environment }} + steps: + - name: Checkout Repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Set Account Number + run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 + with: + role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" + role-session-name: githubactionsrolesession + aws-region: ${{ env.AWS_REGION }} + - name: Load and Configure Terraform + uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 + with: + terraform_version: "~1" + terraform_wrapper: false + - name: Terraform destroy plan - ${{ github.workflow }} - ${{ matrix.environment }} + run: | + terraform --version + echo "Terraform destroy plan - ${TF_ENV}" + bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW + terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}" + bash scripts/terraform-plan.sh terraform/environments/$GITHUB_WORKFLOW -destroy + + destroy-apply-dev-test: + needs: destroy-plan-dev-test + if: success() + strategy: + matrix: + include: + - environment: development + - environment: test + name: Terraform destroy apply - ${{ github.workflow }} - ${{ matrix.environment }} + runs-on: ubuntu-latest + env: + TF_ENV: ${{ matrix.environment }} + environment: + name: ${{ github.workflow }}-${{ matrix.environment }} + steps: + - name: Checkout Repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Set Account Number + run: 
echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 + with: + role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" + role-session-name: githubactionsrolesession + aws-region: ${{ env.AWS_REGION }} + - name: Load and Configure Terraform + uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 + with: + terraform_version: "~1" + terraform_wrapper: false + - name: Terraform destroy apply - ${{ github.workflow }} - ${{ matrix.environment }} + run: | + terraform --version + echo "Terraform destroy apply - ${TF_ENV}" + bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW + terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}" + bash scripts/terraform-apply.sh terraform/environments/$GITHUB_WORKFLOW -destroy + +# # Plan + deploy for pre-production and production environments, only from main + plan-preprod-prod: + strategy: + matrix: + include: + - environment: preproduction + - environment: production + name: Plan - ${{ matrix.environment }} + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/main' + env: + TF_ENV: ${{ matrix.environment }} + steps: + - name: Checkout Repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Set Account Number + run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 + with: + role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" + role-session-name: githubactionsrolesession + 
aws-region: ${{ env.AWS_REGION }} + - name: Load and Configure Terraform + uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 + with: + terraform_version: "~1" + terraform_wrapper: false + - name: Plan - ${{ matrix.environment }} + run: | + terraform --version + echo "Terraform plan - ${TF_ENV}" + bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW + terraform -chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}" + bash scripts/terraform-plan.sh terraform/environments/$GITHUB_WORKFLOW + # These jobs run when creating a pull request + deploy-preprod-prod: + needs: plan-preprod-prod + if: success() + strategy: + matrix: + include: + - environment: preproduction + - environment: production + name: Apply - ${{ matrix.environment }} + runs-on: ubuntu-latest + env: + TF_ENV: ${{ matrix.environment }} + environment: + name: ${{ github.workflow }}-${{ matrix.environment }} + steps: + - name: Checkout Repository + uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 + - name: Set Account Number + run: echo "ACCOUNT_NUMBER=$(jq -r -e --arg account_name "${GITHUB_WORKFLOW}-${TF_ENV}" '.account_ids[$account_name]' <<< $ENVIRONMENT_MANAGEMENT)" >> $GITHUB_ENV + - name: configure aws credentials + uses: aws-actions/configure-aws-credentials@67fbcbb121271f7775d2e7715933280b06314838 # v1.7.0 + with: + role-to-assume: "arn:aws:iam::${{ env.ACCOUNT_NUMBER }}:role/github-actions" + role-session-name: githubactionsrolesession + aws-region: ${{ env.AWS_REGION }} + - name: Load and Configure Terraform + uses: hashicorp/setup-terraform@633666f66e0061ca3b725c73b2ec20cd13a8fdd1 # v2.0.3 + with: + terraform_version: "~1" + terraform_wrapper: false + - name: Apply - ${{ matrix.environment }} + run: | + terraform --version + echo "Terraform apply - ${TF_ENV}" + bash scripts/terraform-init.sh terraform/environments/$GITHUB_WORKFLOW + terraform 
-chdir="terraform/environments/${GITHUB_WORKFLOW}" workspace select "${GITHUB_WORKFLOW}-${TF_ENV}" + bash scripts/terraform-apply.sh terraform/environments/$GITHUB_WORKFLOW diff --git a/terraform/environments/tribunals/README.md b/terraform/environments/tribunals/README.md new file mode 100644 index 00000000000..9aa2658704c --- /dev/null +++ b/terraform/environments/tribunals/README.md @@ -0,0 +1,76 @@ +# Service Runbook + + + +_If you have any questions surrounding this page please post in the `#team-name` channel._ + +## Mandatory Information + +### **Last review date:** + + + +### **Description:** + + + +### **Service URLs:** + + + +### **Incident response hours:** + + + +### **Incident contact details:** + + + +### **Service team contact:** + + + +### **Hosting environment:** + +Modernisation Platform + + + +## Optional + +### **Other URLs:** + + + +### **Expected speed and frequency of releases:** + + + +### **Automatic alerts:** + + + +### **Impact of an outage:** + + + +### **Out of hours response types:** + + + +### **Consumers of this service:** + + + +### **Services consumed by this:** + + + +### **Restrictions on access:** + + + +### **How to resolve specific issues:** + + diff --git a/terraform/environments/tribunals/application_variables.json b/terraform/environments/tribunals/application_variables.json new file mode 100644 index 00000000000..6b52bfe9b30 --- /dev/null +++ b/terraform/environments/tribunals/application_variables.json @@ -0,0 +1,16 @@ +{ + "accounts": { + "development": { + "example_var": "dev-data" + }, + "test": { + "example_var": "test-data" + }, + "preproduction": { + "example_var": "preproduction-data" + }, + "production": { + "example_var": "production-data" + } + } +} diff --git a/terraform/environments/tribunals/data.tf b/terraform/environments/tribunals/data.tf new file mode 100644 index 00000000000..96a2521d17e --- /dev/null +++ b/terraform/environments/tribunals/data.tf 
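Review bot: The `workflow_dispatch` input `action` is declared `type: string` but also carries an `options:` list; options are only honoured for `type: choice`, so as written a dispatcher can type any value and the `if:` guards on `plan-dev-test` and `destroy-plan-dev-test` compare against free text. Changing the declaration to `type: choice` (keeping `default: 'deploy'` and the two options) makes the destroy path selectable only from the fixed list. None of the apply jobs declare a `concurrency:` group, so a push and a dispatch, or two quick pushes to one PR, can run `terraform-apply.sh` against the same workspace at once; the `backend "s3"` block added in this commit shows no lock table, so unless locking is supplied elsewhere the collision would surface late — `concurrency: ${{ github.workflow }}-${{ matrix.environment }}` on the apply jobs would serialise them. The `plan-dev-test` condition `github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch' && github.event.inputs.action == 'deploy'` relies on `&&` binding tighter than `||`; a pair of parentheses would make the intended grouping explicit to the next reader.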
@@ -0,0 +1 @@
+#### This file can be used to store data specific to the member account ####
diff --git a/terraform/environments/tribunals/locals.tf b/terraform/environments/tribunals/locals.tf
new file mode 100644
index 00000000000..a7454414911
--- /dev/null
+++ b/terraform/environments/tribunals/locals.tf
@@ -0,0 +1 @@
+#### This file can be used to store locals specific to the member account ####
diff --git a/terraform/environments/tribunals/networking.auto.tfvars.json b/terraform/environments/tribunals/networking.auto.tfvars.json
new file mode 100644
index 00000000000..d1593db5d40
--- /dev/null
+++ b/terraform/environments/tribunals/networking.auto.tfvars.json
@@ -0,0 +1,9 @@
+{
+ "networking": [
+ {
+ "business-unit": "hmcts",
+ "set": "general",
+ "application": "tribunals"
+ }
+ ]
+}
diff --git a/terraform/environments/tribunals/platform_backend.tf b/terraform/environments/tribunals/platform_backend.tf
new file mode 100644
index 00000000000..db46b33ebb3
--- /dev/null
+++ b/terraform/environments/tribunals/platform_backend.tf
@@ -0,0 +1,13 @@
+# Backend
+terraform {
+ # `backend` blocks do not support variables, so the following are hard-coded here:
+ # - S3 bucket name, which is created in modernisation-platform-account/s3.tf
+ backend "s3" {
+ acl = "bucket-owner-full-control"
+ bucket = "modernisation-platform-terraform-state"
+ encrypt = true
+ key = "terraform.tfstate"
+ region = "eu-west-2"
+ workspace_key_prefix = "environments/members/tribunals" # This will store the object as environments/members/tribunals/${workspace}/terraform.tfstate
+ }
+}
diff --git a/terraform/environments/tribunals/platform_base_variables.tf b/terraform/environments/tribunals/platform_base_variables.tf
new file mode 100644
index 00000000000..d196e7a5f26
--- /dev/null
+++ b/terraform/environments/tribunals/platform_base_variables.tf
@@ -0,0 +1,5 @@
+variable "networking" {
+
+ type = list(any)
+
+}
\ No newline at end of file
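Review bot: The `backend "s3"` block sets `encrypt = true` but neither `kms_key_id` nor `dynamodb_table`, so state objects fall back to whatever default encryption the bucket has and nothing in this file provides a state lock. The state for this workspace will contain the values read by the `aws_secretsmanager_secret_version` and `terraform_remote_state` data sources elsewhere in this commit, so a customer-managed key and a lock table are worth confirming with the platform team rather than assumed. If both are supplied at the bucket level, a comment next to `bucket` such as `# encryption and locking: <platform mechanism, to be confirmed>` would save the next reader the same check.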
diff --git a/terraform/environments/tribunals/platform_data.tf b/terraform/environments/tribunals/platform_data.tf
new file mode 100644
index 00000000000..8e14a10510b
--- /dev/null
+++ b/terraform/environments/tribunals/platform_data.tf
@@ -0,0 +1,173 @@ +# Current account data +data "aws_region" "current" {} + +data "aws_caller_identity" "current" {} + +# VPC and subnet data +data "aws_vpc" "shared" { + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}" + } +} + +data "aws_subnets" "shared-data" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data*" + } +} + +data "aws_subnets" "private-public" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*" + } +} + +data "aws_subnets" "shared-public" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public*" + } +} + +data "aws_subnet" "data_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "data_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "data_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}c" + } +} + +data "aws_subnet" "private_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "private_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = 
"${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "private_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}c" + } +} + +data "aws_subnet" "public_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "public_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "public_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}c" + } +} + +# Route53 DNS data +data "aws_route53_zone" "external" { + provider = aws.core-vpc + + name = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk." + private_zone = false +} + +data "aws_route53_zone" "inner" { + provider = aws.core-vpc + + name = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.internal." + private_zone = true +} + +data "aws_route53_zone" "network-services" { + provider = aws.core-network-services + + name = "modernisation-platform.service.justice.gov.uk." 
+ private_zone = false +} + +# Shared KMS keys (per business unit) +data "aws_kms_key" "general_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/general-${var.networking[0].business-unit}" +} + +data "aws_kms_key" "ebs_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/ebs-${var.networking[0].business-unit}" +} + +data "aws_kms_key" "rds_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/rds-${var.networking[0].business-unit}" +} + +# State for core-network-services resource information +data "terraform_remote_state" "core_network_services" { + backend = "s3" + config = { + acl = "bucket-owner-full-control" + bucket = "modernisation-platform-terraform-state" + key = "environments/accounts/core-network-services/core-network-services-production/terraform.tfstate" + region = "eu-west-2" + encrypt = "true" + } +} + +data "aws_organizations_organization" "root_account" {} + +# Retrieve information about the modernisation platform account +data "aws_caller_identity" "modernisation_platform" { + provider = aws.modernisation-platform +} + +# caller account information to instantiate aws.oidc provider +data "aws_caller_identity" "original_session" { + provider = aws.original-session +} + +data "aws_iam_session_context" "whoami" { + provider = aws.original-session + arn = data.aws_caller_identity.original_session.arn +} + +# Get the environments file from the main repository +data "http" "environments_file" { + url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.application_name}.json" +} diff --git a/terraform/environments/tribunals/platform_locals.tf b/terraform/environments/tribunals/platform_locals.tf new file mode 100644 index 00000000000..f1cf95240a3 --- /dev/null 
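Review bot: `data "http" "environments_file"` fetches `environments/${local.application_name}.json` from the `main` branch of another repository at plan time and the body is consumed without a status check, so a non-200 response (an error page, a moved file) is passed straight to `jsondecode` in the locals of this commit, and any change on that branch silently changes the tags applied here. Pinning the URL to a tag or commit, or adding a `lifecycle { postcondition }` on `self.status_code` where the pinned Terraform version allows it, would make that failure explicit; the `hashicorp/http` constraint `~> 3.0` exposes `status_code`. On naming, `data "aws_subnets" "private-public"` selects the `-private*` subnets, so `private-public` reads as a slip next to `shared-data` and `shared-public`; `shared-private` would follow the pattern. The `"Name"` tag key is quoted in some blocks and bare in others — pick one form for the file.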
+++ b/terraform/environments/tribunals/platform_locals.tf 
@@ -0,0 +1,38 @@ +locals { + + application_name = "tribunals" + + environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string) + + # Stores modernisation platform account id for setting up the modernisation-platform provider + modernisation_platform_account_id = data.aws_ssm_parameter.modernisation_platform_account_id.value + + # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if + # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false. + is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" + is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" + is-test = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test" + is-development = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development" + + # Merge tags from the environment json file with additional ones + tags = merge( + jsondecode(data.http.environments_file.response_body).tags, + { "is-production" = local.is-production }, + { "environment-name" = terraform.workspace }, + { "source-code" = "https://github.com/ministryofjustice/modernisation-platform-environments" } + ) + + environment = trimprefix(terraform.workspace, "${var.networking[0].application}-") + vpc_name = var.networking[0].business-unit + subnet_set = var.networking[0].set + vpc_all = "${local.vpc_name}-${local.environment}" + subnet_set_name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}" + + is_live = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), 
length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"] + provider_name = "core-vpc-${local.environment}" + + # environment specfic variables + # example usage: + # example_data = local.application_data.accounts[local.environment].example_var + application_data = fileexists("./application_variables.json") ? jsondecode(file("./application_variables.json")) : null +} diff --git a/terraform/environments/tribunals/platform_providers.tf b/terraform/environments/tribunals/platform_providers.tf new file mode 100644 index 00000000000..ac5370a87d6 --- /dev/null +++ b/terraform/environments/tribunals/platform_providers.tf 
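Review bot: `is_live` wraps a single conditional in list brackets, so consumers receive `["live"]` rather than `"live"`; if the list form is intentional because the upstream template relies on it, a one-line comment saying so would stop the next reader from "fixing" it. The expression `substr(terraform.workspace, length(local.application_name), length(terraform.workspace))` is repeated six times across `is-production`, `is-preproduction`, `is-test`, `is-development` and `is_live`; a single local such as `environment_suffix = substr(terraform.workspace, length(local.application_name), length(terraform.workspace))` would let each flag become `local.environment_suffix == "-production"` and keep the comparisons in step. `environment` is derived with `trimprefix` on `var.networking[0].application` while the flags key off `local.application_name`; the two only agree while those values match, which deserves a comment.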
@@ -0,0 +1,84 @@ +# ######################### Run Terraform via CICD ################################## +# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified) +provider "aws" { + alias = "original-session" + region = "eu-west-2" +} + +provider "aws" { + region = "eu-west-2" + assume_role { + role_arn = "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess" + } +} + +# AWS provider for the Modernisation Platform, to get things from there if required +provider "aws" { + alias = "modernisation-platform" + region = "eu-west-2" + assume_role { + role_arn = "arn:aws:iam::${local.modernisation_platform_account_id}:role/modernisation-account-limited-read-member-access" + } +} + +# AWS provider for core-vpc-, to share VPCs into this account +provider "aws" { + alias = "core-vpc" + region = "eu-west-2" + assume_role { + role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/member-delegation-${local.vpc_name}-${local.environment}" + } +} + +# AWS provider for network services to enable dns entries for certificate validation to be created +provider "aws" { + alias = "core-network-services" + region = "eu-west-2" + assume_role { + role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/modify-dns-records" + } +} +######################### Run Terraform via CICD ################################## + + +######################### Run Terraform Plan Locally Only ################################## +# # To run a Terraform Plan locally, uncomment this bottom section of code and comment out the top section + +# provider "aws" { +# region = "eu-west-2" +# } + +# provider "aws" { +# alias = "original-session" +# region = "eu-west-2" +# } + +# # AWS provider for the Modernisation Platform, to get things from there if required +# provider "aws" { +# alias = "modernisation-platform" +# 
region = "eu-west-2" +# assume_role { +# role_arn = "arn:aws:iam::${local.modernisation_platform_account_id}:role/modernisation-account-limited-read-member-access" +# } +# } + +# # AWS provider for core-vpc-, to share VPCs into this account +# provider "aws" { +# alias = "core-vpc" +# region = "eu-west-2" + +# assume_role { +# role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/member-delegation-read-only" +# } +# } + +# # AWS provider for network services to enable dns entries for certificate validation to be created +# provider "aws" { +# alias = "core-network-services" +# region = "eu-west-2" + +# assume_role { +# role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/read-dns-records" +# } +# } +######################### Run Terraform Plan Locally Only ################################## \ No newline at end of file diff --git a/terraform/environments/tribunals/platform_secrets.tf b/terraform/environments/tribunals/platform_secrets.tf new file mode 100644 index 00000000000..7ee43f42a13 --- /dev/null +++ b/terraform/environments/tribunals/platform_secrets.tf @@ -0,0 +1,16 @@ +# Get modernisation account id from ssm parameter +data "aws_ssm_parameter" "modernisation_platform_account_id" { + name = "modernisation_platform_account_id" +} + +# Get secret by arn for environment management +data "aws_secretsmanager_secret" "environment_management" { + provider = aws.modernisation-platform + name = "environment_management" +} + +# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts +data "aws_secretsmanager_secret_version" "environment_management" { + provider = aws.modernisation-platform + secret_id = data.aws_secretsmanager_secret.environment_management.id +} \ No newline at end of file 
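Review bot: None of the `assume_role` blocks set `session_name`, so the chained role sessions Terraform opens into the member account, the Modernisation Platform account, core-vpc and core-network-services presumably appear in CloudTrail under the provider's default session name, whereas the first hop from the workflow is named `githubactionsrolesession`. Adding `session_name` to each block — for example `session_name = "terraform-${terraform.workspace}"` (constructed) — keeps the audit trail attributable end to end. The commented-out local-plan providers duplicate the live ones and are switched by hand-editing comments; a short note at the top of the file stating which roles differ between the two sections (`member-delegation-read-only` versus `member-delegation-${local.vpc_name}-${local.environment}`, `read-dns-records` versus `modify-dns-records`) would make the reduced-privilege intent of the local section visible without reading both copies.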
diff --git a/terraform/environments/tribunals/platform_versions.tf b/terraform/environments/tribunals/platform_versions.tf
new file mode 100644
index 00000000000..d2ff54875b7
--- /dev/null
+++ b/terraform/environments/tribunals/platform_versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ version = ">= 4.0.0, < 5.0.0"
+ source = "hashicorp/aws"
+ }
+ http = {
+ version = "~> 3.0"
+ source = "hashicorp/http"
+ }
+ }
+ required_version = "~> 1.0"
+}
diff --git a/terraform/environments/tribunals/secrets.tf b/terraform/environments/tribunals/secrets.tf
new file mode 100644
index 00000000000..a6a94d9c098
--- /dev/null
+++ b/terraform/environments/tribunals/secrets.tf
@@ -0,0 +1 @@
+#### This file can be used to store secrets specific to the member account ####
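Review bot: `required_providers` constrains `hashicorp/aws` to `>= 4.0.0, < 5.0.0` and `hashicorp/http` to `~> 3.0`, but the commit's file list contains no `.terraform.lock.hcl`, so `terraform init` in the workflow resolves the newest matching release on every run and nothing records the expected provider checksums. If `scripts/terraform-init.sh` generates or verifies the lock file, that is worth stating here, e.g. `# provider checksums are pinned by .terraform.lock.hcl, managed by scripts/terraform-init.sh`; otherwise committing the lock file next to this file would give the applies in this workflow reproducible provider binaries. The `~> 1.0` core constraint is consistent with the `terraform_version: "~1"` the workflow installs.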