Merge pull request #7548 from ministryofjustice/feat/apc-updates-190824

🚀 APC Patching

terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf

@@ -3,7 +3,7 @@ module "eks_log_group" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
-  version = "5.4.0"
+  version = "5.5.0"
 
   name              = local.eks_cloudwatch_log_group_name
   kms_key_id        = module.eks_cluster_logs_kms.key_arn
@@ -17,7 +17,7 @@ module "managed_prometheus_log_group" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
-  version = "5.3.1"
+  version = "5.5.0"
 
   name              = local.amp_cloudwatch_log_group_name
   kms_key_id        = module.managed_prometheus_logs_kms.key_arn

terraform/environments/analytical-platform-compute/eks-cluster.tf

@@ -6,7 +6,7 @@ module "eks" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.20.0"
+  version = "20.23.0"
 
   cluster_name    = local.eks_cluster_name
   cluster_version = local.environment_configuration.eks_cluster_version
@@ -172,7 +172,7 @@ module "karpenter" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws//modules/karpenter"
-  version = "20.20.0"
+  version = "20.23.0"
 
   cluster_name = module.eks.cluster_name
 

terraform/environments/analytical-platform-compute/eks-pod-identities.tf

@@ -7,7 +7,7 @@ module "aws_cloudwatch_metrics_pod_identity" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks-pod-identity/aws"
-  version = "1.3.0"
+  version = "1.4.0"
 
   name = "aws-cloudwatch-metrics"
 

terraform/environments/analytical-platform-compute/environment-configuration.tf

@@ -17,7 +17,7 @@ locals {
   eks_cloudwatch_log_group_retention_in_days = 400
 
   /* Kube Prometheus Stack */
-  prometheus_operator_crd_version = "v0.75.1"
+  prometheus_operator_crd_version = "v0.76.0"
 
   /* Environment Configuration */
   environment_configuration = local.environment_configurations[local.environment]
@@ -47,15 +47,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-sandbox"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.4-b6163b2a"
+      eks_node_version    = "1.21.0-4d43022e"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.1-eksbuild.9"
-        kube_proxy             = "v1.30.0-eksbuild.3"
-        aws_ebs_csi_driver     = "v1.32.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.5-eksbuild.1"
+        coredns                = "v1.11.1-eksbuild.11"
+        kube_proxy             = "v1.30.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.33.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.6-eksbuild.2"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.3.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.3-eksbuild.2"
       }
 
       /* Data Engineering Airflow */
@@ -98,15 +98,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.4-b6163b2a"
+      eks_node_version    = "1.21.0-4d43022e"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.1-eksbuild.9"
-        kube_proxy             = "v1.30.0-eksbuild.3"
-        aws_ebs_csi_driver     = "v1.32.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.5-eksbuild.1"
+        coredns                = "v1.11.1-eksbuild.11"
+        kube_proxy             = "v1.30.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.33.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.6-eksbuild.2"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.3.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.3-eksbuild.2"
       }
 
       /* Observability Platform */
@@ -148,15 +148,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.4-b6163b2a"
+      eks_node_version    = "1.21.0-4d43022e"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.1-eksbuild.9"
-        kube_proxy             = "v1.30.0-eksbuild.3"
-        aws_ebs_csi_driver     = "v1.32.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.5-eksbuild.1"
+        coredns                = "v1.11.1-eksbuild.11"
+        kube_proxy             = "v1.30.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.33.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.6-eksbuild.2"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.3.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.3-eksbuild.2"
       }
 
       /* Data Engineering Airflow */

terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf

@@ -12,7 +12,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.318.0"
+  version    = "2.319.1"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -35,7 +35,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table-dpr"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.318.0"
+  version    = "2.319.1"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -66,7 +66,7 @@ resource "helm_release" "actions_runner_mojas_airflow" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-airflow"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.318.0"
+  version    = "2.319.1"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -97,7 +97,7 @@ resource "helm_release" "actions_runner_mojas_airflow_create_a_pipeline" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-airflow-create-a-pipeline"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.318.0"
+  version    = "2.319.1"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [

terraform/environments/analytical-platform-compute/helm-charts-mlops.tf

@@ -2,7 +2,7 @@ resource "helm_release" "mlflow" {
   /* https://github.com/ministryofjustice/analytical-platform-mlflow */
   name       = "mlflow"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.15.1-rc1"
+  version    = "2.15.1-rc2"
   chart      = "mlflow"
   namespace  = kubernetes_namespace.mlflow.metadata[0].name
   values = [

terraform/environments/analytical-platform-compute/helm-charts-system.tf

@@ -64,11 +64,14 @@ resource "helm_release" "aws_for_fluent_bit" {
 
 resource "helm_release" "amazon_prometheus_proxy" {
   /* https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack */
-  /* If you are upgrading this chart, check whether the CRD version needs updating */
+  /* 
+    If you are upgrading this chart, check whether the CRD version needs updating
+    https://github.com/prometheus-operator/prometheus-operator/releases
+  */
   name       = "amazon-prometheus-proxy"
   repository = "https://prometheus-community.github.io/helm-charts"
   chart      = "kube-prometheus-stack"
-  version    = "61.3.2"
+  version    = "61.9.0"
   namespace  = kubernetes_namespace.aws_observability.metadata[0].name
   values = [
     templatefile(
@@ -183,7 +186,7 @@ resource "helm_release" "cert_manager" {
   name       = "cert-manager"
   repository = "https://charts.jetstack.io"
   chart      = "cert-manager"
-  version    = "v1.15.1"
+  version    = "v1.15.3"
   namespace  = kubernetes_namespace.cert_manager.metadata[0].name
   values = [
     templatefile(
@@ -236,7 +239,7 @@ resource "helm_release" "ingress_nginx" {
   name       = "ingress-nginx"
   repository = "https://kubernetes.github.io/ingress-nginx"
   chart      = "ingress-nginx"
-  version    = "4.11.1"
+  version    = "4.11.2"
   namespace  = kubernetes_namespace.ingress_nginx.metadata[0].name
   values = [
     templatefile(
@@ -257,7 +260,7 @@ resource "helm_release" "external_secrets" {
   name       = "external-secrets"
   repository = "https://charts.external-secrets.io"
   chart      = "external-secrets"
-  version    = "0.9.20"
+  version    = "0.10.0"
   namespace  = kubernetes_namespace.external_secrets.metadata[0].name
   values = [
     templatefile(
@@ -284,7 +287,7 @@ resource "helm_release" "keda" {
   name       = "keda"
   repository = "https://kedacore.github.io/charts"
   chart      = "keda"
-  version    = "2.14.2"
+  version    = "2.15.1"
   namespace  = kubernetes_namespace.keda.metadata[0].name
   values = [
     templatefile(

terraform/environments/analytical-platform-compute/iam-policies.tf

@@ -18,7 +18,7 @@ module "eks_cluster_logs_kms_access_iam_policy" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.41.0"
+  version = "5.44.0"
 
   name_prefix = "eks-cluster-logs-kms-access"
 
@@ -45,7 +45,7 @@ module "karpenter_sqs_kms_access_iam_policy" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.41.0"
+  version = "5.44.0"
 
   name_prefix = "karpenter-sqs-kms-access"
 
@@ -71,7 +71,7 @@ module "amazon_prometheus_proxy_iam_policy" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.41.0"
+  version = "5.44.0"
 
   name_prefix = "amazon-prometheus-proxy"
 
@@ -98,7 +98,7 @@ module "managed_prometheus_kms_access_iam_policy" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.41.0"
+  version = "5.44.0"
 
   name_prefix = "managed-prometheus-kms-access"
 
@@ -147,7 +147,7 @@ module "mlflow_iam_policy" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.41.0"
+  version = "5.44.0"
 
   name_prefix = "mlflow"
 
@@ -168,7 +168,7 @@ module "gha_mojas_airflow_iam_policy" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.41.0"
+  version = "5.44.0"
 
   name_prefix = "github-actions-mojas-airflow"
 
@@ -274,7 +274,7 @@ module "analytical_platform_lake_formation_share_policy" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
-  version = "5.41.0"
+  version = "5.44.0"
 
   name_prefix = "analytical-platform-lake-formation-sharing-policy"
 

terraform/environments/analytical-platform-compute/iam-roles.tf

@@ -3,7 +3,7 @@ module "vpc_cni_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix      = "vpc-cni"
   attach_vpc_cni_policy = true
@@ -24,7 +24,7 @@ module "ebs_csi_driver_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix      = "ebs-csi-driver"
   attach_ebs_csi_policy = true
@@ -44,7 +44,7 @@ module "efs_csi_driver_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix      = "efs-csi-driver"
   attach_efs_csi_policy = true
@@ -64,7 +64,7 @@ module "aws_for_fluent_bit_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix = "aws-for-fluent-bit"
 
@@ -88,7 +88,7 @@ module "amazon_prometheus_proxy_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix = "amazon-prometheus-proxy"
 
@@ -111,7 +111,7 @@ module "cluster_autoscaler_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix = "cluster-autoscaler"
 
@@ -133,7 +133,7 @@ module "external_dns_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix              = "external-dns"
   attach_external_dns_policy    = true
@@ -154,7 +154,7 @@ module "cert_manager_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix              = "cert-manager"
   attach_cert_manager_policy    = true
@@ -175,7 +175,7 @@ module "external_secrets_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix               = "external-secrets"
   attach_external_secrets_policy = true
@@ -196,7 +196,7 @@ module "mlflow_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   role_name_prefix = "mlflow"
 
@@ -219,7 +219,7 @@ module "gha_mojas_airflow_iam_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
-  version = "5.41.0"
+  version = "5.44.0"
 
   name = "github-actions-mojas-airflow"
 
@@ -237,7 +237,7 @@ module "lake_formation_share_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
-  version = "5.41.0"
+  version = "5.44.0"
 
   create_role       = true
   role_requires_mfa = false
@@ -265,7 +265,7 @@ module "analytical_platform_ui_service_role" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
-  version = "5.41.0"
+  version = "5.44.0"
 
   create_role = true