Merge branch 'main' into DBA-699

ministryofjustice · Aug 27, 2024 · 5abec2e · 5abec2e
2 parents e93ea89 + dbc630f
commit 5abec2e
Show file tree

Hide file tree

Showing 199 changed files with 2,106 additions and 1,560 deletions.
diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json
@@ -16,9 +16,9 @@
       "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16"
     },
     "ghcr.io/ministryofjustice/devcontainer-feature/terraform:1": {
-      "version": "1.0.0",
-      "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/terraform@sha256:af3b3891cf31ff373df29998c690257d6f21f2ee4536bc4d692856408ef0c83a",
-      "integrity": "sha256:af3b3891cf31ff373df29998c690257d6f21f2ee4536bc4d692856408ef0c83a"
+      "version": "1.1.0",
+      "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/terraform@sha256:34eb8c510a11fc44abb8173519215fcb6b82715b94e647c69089ee23773c6dc8",
+      "integrity": "sha256:34eb8c510a11fc44abb8173519215fcb6b82715b94e647c69089ee23773c6dc8"
     }
   }
-}
+}
diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
@@ -38,7 +38,7 @@ jobs:
         run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
+        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
         with:
           sarif_file: tflint.sarif
   trivy:
@@ -63,7 +63,7 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
+        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
         with:
           sarif_file: 'trivy-results.sarif'
   checkov:
@@ -81,7 +81,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@5fa28e9c4db2c0920ade6ae453c0e91745c6378a # v12.2847.0
+        uses: bridgecrewio/checkov-action@4fa90328619ebe2a5396c7f16308c17a7a4b5dc3 # v12.2858.0
         with:
           directory: ./
           framework: terraform
@@ -90,6 +90,6 @@ jobs:
           skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
+        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
         with:
           sarif_file: ./checkov.sarif
diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml
@@ -40,7 +40,7 @@ jobs:
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/flavors/
-        uses: oxsecurity/megalinter/flavors/terraform@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 #v7.13.0
+        uses: oxsecurity/megalinter/flavors/terraform@c217fe8f7bc9207062a084e989bd97efd56e7b9a #v8.0.0
         env:
           # All available variables are described in documentation
           # https://megalinter.io/configuration/#shared-variables

diff --git a/.github/workflows/nuke-redeploy.yml b/.github/workflows/nuke-redeploy.yml
@@ -68,7 +68,7 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
 
       - name: Load and Configure Terraform
-        uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: "~1"
           terraform_wrapper: false

diff --git a/.github/workflows/reusable_terraform_plan_apply.yml b/.github/workflows/reusable_terraform_plan_apply.yml
@@ -112,7 +112,7 @@ jobs:
           aws-region: "eu-west-2"
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8  # v3.1.1
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd  # v3.1.2
         with:
           terraform_version: "${{ inputs.terraform_version }}"
           terraform_wrapper: false
@@ -294,7 +294,7 @@ jobs:
           aws-region: "eu-west-2"
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8  # v3.1.1
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd  # v3.1.2
         with:
           terraform_version: "${{ inputs.terraform_version }}"
           terraform_wrapper: false

diff --git a/.github/workflows/reusable_terraform_plan_apply_test.yml b/.github/workflows/reusable_terraform_plan_apply_test.yml
@@ -108,7 +108,7 @@ jobs:
           aws-region: "eu-west-2"
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: "${{ inputs.terraform_version }}"
           terraform_wrapper: false
@@ -257,7 +257,7 @@ jobs:
           aws-region: "eu-west-2"
 
       - name: Setup Terraform
-        uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1
+        uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2
         with:
           terraform_version: "${{ inputs.terraform_version }}"
           terraform_wrapper: false

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0
+        uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
         with:
           sarif_file: results.sarif
diff --git a/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf b/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf
@@ -3,7 +3,7 @@ module "eks_log_group" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
-  version = "5.4.0"
+  version = "5.5.0"
 
   name              = local.eks_cloudwatch_log_group_name
   kms_key_id        = module.eks_cluster_logs_kms.key_arn
@@ -17,7 +17,7 @@ module "managed_prometheus_log_group" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
-  version = "5.3.1"
+  version = "5.5.0"
 
   name              = local.amp_cloudwatch_log_group_name
   kms_key_id        = module.managed_prometheus_logs_kms.key_arn

diff --git a/terraform/environments/analytical-platform-compute/eks-cluster.tf b/terraform/environments/analytical-platform-compute/eks-cluster.tf
@@ -6,7 +6,7 @@ module "eks" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.20.0"
+  version = "20.24.0"
 
   cluster_name    = local.eks_cluster_name
   cluster_version = local.environment_configuration.eks_cluster_version
@@ -172,7 +172,7 @@ module "karpenter" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws//modules/karpenter"
-  version = "20.20.0"
+  version = "20.24.0"
 
   cluster_name = module.eks.cluster_name
 
@@ -190,6 +190,7 @@ module "karpenter" {
   iam_role_policies = {
     KarpenterSQSKMSAccess = module.karpenter_sqs_kms_access_iam_policy.arn
   }
+  enable_v1_permissions = true
 
   node_iam_role_name = "karpenter"
   node_iam_role_additional_policies = {

diff --git a/terraform/environments/analytical-platform-compute/eks-pod-identities.tf b/terraform/environments/analytical-platform-compute/eks-pod-identities.tf
@@ -7,7 +7,7 @@ module "aws_cloudwatch_metrics_pod_identity" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks-pod-identity/aws"
-  version = "1.3.0"
+  version = "1.4.0"
 
   name = "aws-cloudwatch-metrics"
 

diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf
@@ -17,7 +17,7 @@ locals {
   eks_cloudwatch_log_group_retention_in_days = 400
 
   /* Kube Prometheus Stack */
-  prometheus_operator_crd_version = "v0.75.1"
+  prometheus_operator_crd_version = "v0.76.0"
 
   /* Environment Configuration */
   environment_configuration = local.environment_configurations[local.environment]
@@ -47,15 +47,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-sandbox"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.4-b6163b2a"
+      eks_node_version    = "1.21.0-4d43022e"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.1-eksbuild.9"
-        kube_proxy             = "v1.30.0-eksbuild.3"
-        aws_ebs_csi_driver     = "v1.32.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.5-eksbuild.1"
+        coredns                = "v1.11.1-eksbuild.11"
+        kube_proxy             = "v1.30.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.33.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.6-eksbuild.2"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.3.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.3-eksbuild.2"
       }
 
       /* Data Engineering Airflow */
@@ -98,15 +98,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.4-b6163b2a"
+      eks_node_version    = "1.21.0-4d43022e"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.1-eksbuild.9"
-        kube_proxy             = "v1.30.0-eksbuild.3"
-        aws_ebs_csi_driver     = "v1.32.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.5-eksbuild.1"
+        coredns                = "v1.11.1-eksbuild.11"
+        kube_proxy             = "v1.30.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.33.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.6-eksbuild.2"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.3.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.3-eksbuild.2"
       }
 
       /* Observability Platform */
@@ -148,15 +148,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.4-b6163b2a"
+      eks_node_version    = "1.21.0-4d43022e"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.1-eksbuild.9"
-        kube_proxy             = "v1.30.0-eksbuild.3"
-        aws_ebs_csi_driver     = "v1.32.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.5-eksbuild.1"
+        coredns                = "v1.11.1-eksbuild.11"
+        kube_proxy             = "v1.30.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.33.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.6-eksbuild.2"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.3.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.3-eksbuild.2"
       }
 
       /* Data Engineering Airflow */

diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf
@@ -12,7 +12,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.318.0"
+  version    = "2.319.1"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -35,7 +35,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table-dpr"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.318.0"
+  version    = "2.319.1"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -66,7 +66,7 @@ resource "helm_release" "actions_runner_mojas_airflow" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-airflow"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.318.0"
+  version    = "2.319.1"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -97,7 +97,7 @@ resource "helm_release" "actions_runner_mojas_airflow_create_a_pipeline" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-airflow-create-a-pipeline"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.318.0"
+  version    = "2.319.1"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [

diff --git a/terraform/environments/analytical-platform-compute/helm-charts-applications.tf b/terraform/environments/analytical-platform-compute/helm-charts-applications.tf
@@ -2,7 +2,7 @@ resource "helm_release" "ui" {
   /* https://github.com/ministryofjustice/analytical-platform-ui */
   name       = "ui"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "0.0.0-rc1"
+  version    = "0.1.6"
   chart      = "analytical-platform-ui"
   namespace  = kubernetes_namespace.ui.metadata[0].name
   values = [

diff --git a/terraform/environments/analytical-platform-compute/helm-charts-mlops.tf b/terraform/environments/analytical-platform-compute/helm-charts-mlops.tf
@@ -2,7 +2,7 @@ resource "helm_release" "mlflow" {
   /* https://github.com/ministryofjustice/analytical-platform-mlflow */
   name       = "mlflow"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.15.1-rc1"
+  version    = "2.15.1-rc2"
   chart      = "mlflow"
   namespace  = kubernetes_namespace.mlflow.metadata[0].name
   values = [

diff --git a/terraform/environments/analytical-platform-compute/helm-charts-system.tf b/terraform/environments/analytical-platform-compute/helm-charts-system.tf
@@ -64,11 +64,14 @@ resource "helm_release" "aws_for_fluent_bit" {
 
 resource "helm_release" "amazon_prometheus_proxy" {
   /* https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack */
-  /* If you are upgrading this chart, check whether the CRD version needs updating */
+  /* 
+    If you are upgrading this chart, check whether the CRD version needs updating
+    https://github.com/prometheus-operator/prometheus-operator/releases
+  */
   name       = "amazon-prometheus-proxy"
   repository = "https://prometheus-community.github.io/helm-charts"
   chart      = "kube-prometheus-stack"
-  version    = "61.3.2"
+  version    = "61.9.0"
   namespace  = kubernetes_namespace.aws_observability.metadata[0].name
   values = [
     templatefile(
@@ -111,12 +114,34 @@ resource "helm_release" "cluster_autoscaler" {
 }
 
 /* Karpenter */
+resource "helm_release" "karpenter_crd" {
+  /* https://github.com/aws/karpenter-provider-aws/releases */
+  name       = "karpenter-crd"
+  repository = "oci://public.ecr.aws/karpenter"
+  chart      = "karpenter-crd"
+  version    = "1.0.0"
+  namespace  = kubernetes_namespace.karpenter.metadata[0].name
+
+  values = [
+    templatefile(
+      "${path.module}/src/helm/values/karpenter-crd/values.yml.tftpl",
+      {
+        service_namespace = kubernetes_namespace.karpenter.metadata[0].name
+      }
+    )
+  ]
+  depends_on = [
+    aws_iam_service_linked_role.spot,
+    module.karpenter
+  ]
+}
+
 resource "helm_release" "karpenter" {
   /* https://github.com/aws/karpenter-provider-aws/releases */
   name       = "karpenter"
   repository = "oci://public.ecr.aws/karpenter"
   chart      = "karpenter"
-  version    = "0.37.0"
+  version    = "1.0.0"
   namespace  = kubernetes_namespace.karpenter.metadata[0].name
 
   values = [
@@ -132,7 +157,8 @@ resource "helm_release" "karpenter" {
   ]
   depends_on = [
     aws_iam_service_linked_role.spot,
-    module.karpenter
+    module.karpenter,
+    helm_release.karpenter_crd
   ]
 }
 
@@ -183,7 +209,7 @@ resource "helm_release" "cert_manager" {
   name       = "cert-manager"
   repository = "https://charts.jetstack.io"
   chart      = "cert-manager"
-  version    = "v1.15.1"
+  version    = "v1.15.3"
   namespace  = kubernetes_namespace.cert_manager.metadata[0].name
   values = [
     templatefile(
@@ -236,7 +262,7 @@ resource "helm_release" "ingress_nginx" {
   name       = "ingress-nginx"
   repository = "https://kubernetes.github.io/ingress-nginx"
   chart      = "ingress-nginx"
-  version    = "4.11.1"
+  version    = "4.11.2"
   namespace  = kubernetes_namespace.ingress_nginx.metadata[0].name
   values = [
     templatefile(
@@ -257,7 +283,7 @@ resource "helm_release" "external_secrets" {
   name       = "external-secrets"
   repository = "https://charts.external-secrets.io"
   chart      = "external-secrets"
-  version    = "0.9.20"
+  version    = "0.10.0"
   namespace  = kubernetes_namespace.external_secrets.metadata[0].name
   values = [
     templatefile(
@@ -284,7 +310,7 @@ resource "helm_release" "keda" {
   name       = "keda"
   repository = "https://kedacore.github.io/charts"
   chart      = "keda"
-  version    = "2.14.2"
+  version    = "2.15.1"
   namespace  = kubernetes_namespace.keda.metadata[0].name
   values = [
     templatefile(