Merge branch 'main' into chaps-prod-rds

.github/CODEOWNERS

@@ -12,9 +12,9 @@
 /terraform/environments/corporate-staff-rostering @ministryofjustice/csr-application-support @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/dacp @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform
 /terraform/environments/data-and-insights-wepi @ministryofjustice/data-and-insights-hub @ministryofjustice/modernisation-platform
-/terraform/environments/data-platform-apps-and-tools @ministryofjustice/data-platform-apps-and-tools-airflow-users @ministryofjustice/data-platform-apps-and-tools-development-sandbox @ministryofjustice/data-platform-apps-and-tools-production-developer @ministryofjustice/data-platform-audit-and-security @ministryofjustice/modernisation-platform
-/terraform/environments/data-platform-compute @ministryofjustice/data-platform-core-infra @ministryofjustice/data-tech-archs @ministryofjustice/modernisation-platform
-/terraform/environments/data-platform @ministryofjustice/data-platform-audit-and-security @ministryofjustice/data-platform-development-sandbox @ministryofjustice/data-platform-preproduction-developer @ministryofjustice/data-platform-production-developer @ministryofjustice/data-platform-test-developer @ministryofjustice/modernisation-platform
+/terraform/environments/data-platform-apps-and-tools @ministryofjustice/data-platform-apps-and-tools @ministryofjustice/modernisation-platform
+/terraform/environments/data-platform-compute @ministryofjustice/data-platform-apps-and-tools @ministryofjustice/modernisation-platform
+/terraform/environments/data-platform @ministryofjustice/data-platform-apps-and-tools @ministryofjustice/data-platform-labs @ministryofjustice/modernisation-platform
 /terraform/environments/delius-core @ministryofjustice/hmpps-migration @ministryofjustice/modernisation-platform
 /terraform/environments/delius-iaps @ministryofjustice/hmpps-dba @ministryofjustice/hmpps-migration @ministryofjustice/modernisation-platform
 /terraform/environments/delius-jitbit @ministryofjustice/hmpps-delius-jitbit-devs @ministryofjustice/hmpps-migration @ministryofjustice/modernisation-platform

.github/workflows/code-scanning.yml

@@ -78,7 +78,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@dfc6272ce9092a322d652d4726b14f1d6573050c # v12.2645.0
+        uses: bridgecrewio/checkov-action@bd4e3153006976539d522f45b9620806b23d9b1d # v12.2646.0
         with:
           directory: ./
           framework: terraform

.github/workflows/scorecards.yml

@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
+        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
         with:
           name: SARIF file
           path: results.sarif

terraform/environments/ccms-ebs/application_variables.json

@@ -68,7 +68,6 @@
       "ebs_size_ebsdb_exhome": 100,
       "ebs_size_ebsdb_u01": 300,
       "ebs_size_ebsdb_arch": 500,
-      "ebs_size_ebsdb_dbf": 11000,
       "ebs_iops_ebsdb_dbf01": 12000,
       "ebs_size_ebsdb_dbf01": 4000,
       "ebs_iops_ebsdb_dbf02": 12000,
@@ -152,7 +151,6 @@
       "ebs_size_ebsdb_exhome": 100,
       "ebs_size_ebsdb_u01": 300,
       "ebs_size_ebsdb_arch": 500,
-      "ebs_size_ebsdb_dbf": 11000,
       "ebs_iops_ebsdb_dbf01": 12000,
       "ebs_size_ebsdb_dbf01": 4000,
       "ebs_iops_ebsdb_dbf02": 12000,
@@ -234,7 +232,6 @@
       "ebs_size_ebsdb_exhome": 100,
       "ebs_size_ebsdb_u01": 300,
       "ebs_size_ebsdb_arch": 500,
-      "ebs_size_ebsdb_dbf": 11000,
       "ebs_iops_ebsdb_dbf01": 24000,
       "ebs_size_ebsdb_dbf01": 4000,
       "ebs_iops_ebsdb_dbf02": 24000,
@@ -316,7 +313,6 @@
       "ebs_size_ebsdb_exhome": 100,
       "ebs_size_ebsdb_u01": 300,
       "ebs_size_ebsdb_arch": 500,
-      "ebs_size_ebsdb_dbf": 11000,
       "ebs_iops_ebsdb_dbf01": 24000,
       "ebs_size_ebsdb_dbf01": 4000,
       "ebs_iops_ebsdb_dbf02": 24000,

terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs-outputs.tf

@@ -87,27 +87,27 @@ output "aws_volume_attachment_arch_att_volume_id" {
 
 #
 
-output "aws_ebs_volume_dbf_arn" {
-  description = "aws_ebs_volume dbf arn"
-  value       = aws_ebs_volume.dbf.arn
-}
+#output "aws_ebs_volume_dbf_arn" {
+#  description = "aws_ebs_volume dbf arn"
+#  value       = aws_ebs_volume.dbf.arn
+#}
 
 #
 
-output "aws_volume_attachment_dbf_att_device_name" {
-  description = "aws_volume_attachment dbf_att device_name"
-  value       = aws_volume_attachment.dbf_att.device_name
-}
+#output "aws_volume_attachment_dbf_att_device_name" {
+#  description = "aws_volume_attachment dbf_att device_name"
+#  value       = aws_volume_attachment.dbf_att.device_name
+#}
 
-output "aws_volume_attachment_dbf_att_instance_id" {
-  description = "aws_volume_attachment dbf_att instance_id"
-  value       = aws_volume_attachment.dbf_att.instance_id
-}
+#output "aws_volume_attachment_dbf_att_instance_id" {
+#  description = "aws_volume_attachment dbf_att instance_id"
+#  value       = aws_volume_attachment.dbf_att.instance_id
+#}
 
-output "aws_volume_attachment_dbf_att_volume_id" {
-  description = "aws_volume_attachment dbf_att volume_id"
-  value       = aws_volume_attachment.dbf_att.volume_id
-}
+#output "aws_volume_attachment_dbf_att_volume_id" {
+#  description = "aws_volume_attachment dbf_att volume_id"
+#  value       = aws_volume_attachment.dbf_att.volume_id
+#}
 
 #
 
@@ -231,11 +231,12 @@ output "aws_volume_attachment_diag_att_volume_id" {
 
 #
 
-output "aws_cloudwatch_metric_alarm_disk_free_ebsdb_ccms_ebs_dbf_arn" {
-  description = "aws_cloudwatch_metric_alarm disk_free_ebsdb_ccms_ebs_dbf arn"
-  value       = aws_cloudwatch_metric_alarm.disk_free_ebsdb_ccms_ebs_dbf.arn
-}
-output "aws_cloudwatch_metric_alarm_disk_free_ebsdb_ccms_ebs_dbf_id" {
-  description = "aws_cloudwatch_metric_alarm disk_free_ebsdb_ccms_ebs_dbf id"
-  value       = aws_cloudwatch_metric_alarm.disk_free_ebsdb_ccms_ebs_dbf.id
-}
+#output "aws_cloudwatch_metric_alarm_disk_free_ebsdb_ccms_ebs_dbf_arn" {
+#  description = "aws_cloudwatch_metric_alarm disk_free_ebsdb_ccms_ebs_dbf arn"
+#  value       = aws_cloudwatch_metric_alarm.disk_free_ebsdb_ccms_ebs_dbf.arn
+#}
+
+#output "aws_cloudwatch_metric_alarm_disk_free_ebsdb_ccms_ebs_dbf_id" {
+#  description = "aws_cloudwatch_metric_alarm disk_free_ebsdb_ccms_ebs_dbf id"
+#  value       = aws_cloudwatch_metric_alarm.disk_free_ebsdb_ccms_ebs_dbf.id
+#}

terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db-cloudwatch.tf

@@ -23,30 +23,30 @@ resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_redoa" {
   }
 }
 
-resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_dbf" {
-  alarm_name                = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_dbf"
-  alarm_description         = "This metric monitors the amount of free disk space on /CCMS/EBS/dbf mount. If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger"
-  comparison_operator       = "GreaterThanOrEqualToThreshold"
-  metric_name               = "disk_used_percent"
-  namespace                 = "CWAgent"
-  statistic                 = "Average"
-  insufficient_data_actions = []
-
-  evaluation_periods  = local.application_data.cloudwatch_ec2.disk.eval_periods
-  datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods
-  period              = local.application_data.cloudwatch_ec2.disk.period
-  threshold           = local.application_data.cloudwatch_ec2.disk.threshold_dbf
-  alarm_actions       = [aws_sns_topic.cw_alerts.arn]
-
-  dimensions = {
-    ImageId      = aws_instance.ec2_oracle_ebs.ami
-    path         = "/CCMS/EBS/dbf" # local.application_data.accounts[local.environment].dbf_path
-    InstanceType = aws_instance.ec2_oracle_ebs.instance_type
-    InstanceId   = aws_instance.ec2_oracle_ebs.id
-    fstype       = "ext4"
-    device       = "nvme3n1" # local.application_data.accounts[local.environment].dbf_device
-  }
-}
+#resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_dbf" {
+#  alarm_name                = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_dbf"
+#  alarm_description         = "This metric monitors the amount of free disk space on /CCMS/EBS/dbf mount. If the amount of free disk space on root falls below 20% for 2 minutes, the alarm will trigger"
+#  comparison_operator       = "GreaterThanOrEqualToThreshold"
+#  metric_name               = "disk_used_percent"
+#  namespace                 = "CWAgent"
+#  statistic                 = "Average"
+#  insufficient_data_actions = []
+#
+#  evaluation_periods  = local.application_data.cloudwatch_ec2.disk.eval_periods
+#  datapoints_to_alarm = local.application_data.cloudwatch_ec2.disk.eval_periods
+#  period              = local.application_data.cloudwatch_ec2.disk.period
+#  threshold           = local.application_data.cloudwatch_ec2.disk.threshold_dbf
+#  alarm_actions       = [aws_sns_topic.cw_alerts.arn]
+#
+#  dimensions = {
+#    ImageId      = aws_instance.ec2_oracle_ebs.ami
+#    path         = "/CCMS/EBS/dbf" # local.application_data.accounts[local.environment].dbf_path
+#    InstanceType = aws_instance.ec2_oracle_ebs.instance_type
+#    InstanceId   = aws_instance.ec2_oracle_ebs.id
+#    fstype       = "ext4"
+#    device       = "nvme3n1" # local.application_data.accounts[local.environment].dbf_device
+#  }
+#}
 
 resource "aws_cloudwatch_metric_alarm" "disk_free_ebsdb_ccms_ebs_arch" {
   alarm_name                = "${local.application_data.accounts[local.environment].short_env}-ebs_db-disk_free-ccms_ebs_arch"

terraform/environments/ccms-ebs/ccms-ec2-oracle_ebs_db.tf

@@ -129,27 +129,6 @@ resource "aws_volume_attachment" "arch_att" {
   instance_id = aws_instance.ec2_oracle_ebs.id
 }
 
-resource "aws_ebs_volume" "dbf" {
-  lifecycle {
-    ignore_changes = [kms_key_id]
-  }
-  availability_zone = "eu-west-2a"
-  size              = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf
-  type              = "io2"
-  iops              = local.application_data.accounts[local.environment].ebs_default_iops
-  encrypted         = true
-  kms_key_id        = data.aws_kms_key.ebs_shared.key_id
-  tags = merge(local.tags,
-    { Name = "dbf" }
-  )
-}
-
-resource "aws_volume_attachment" "dbf_att" {
-  device_name = "/dev/sdk"
-  volume_id   = aws_ebs_volume.dbf.id
-  instance_id = aws_instance.ec2_oracle_ebs.id
-}
-
 resource "aws_ebs_volume" "redoA" {
   lifecycle {
     ignore_changes = [kms_key_id]

terraform/environments/cdpt-chaps/application_variables.json

@@ -1,17 +1,12 @@
 {
   "accounts": {
     "development": {
-      "db_enabled": true,
       "db_instance_class": "db.t3.small",
       "db_user": "dbadmin",
       "db_allocated_storage": "100",
       "db_name": "chaps-dev",
       "env_name": "DEVELOPMENT",
       "db_instance_identifier": "db-chaps-dev",
-      "friendly_name": "Chaps development",
-      "container_instance_type": "windows",
-      "container_version": "preproduction",
-      "region": "eu-west-2",
       "docker_image_tag": "development",
       "app_count": 1,
       "ec2_desired_capacity": 1,
@@ -24,17 +19,12 @@
       "client_id": "aa335a21-40a9-45a0-b0ef-16d65584b024"
     },
     "preproduction": {
-      "db_enabled": true,
       "db_instance_class": "db.t3.xlarge",
       "db_user": "dbadmin",
       "db_allocated_storage": "100",
       "db_name": "chaps-staging",
       "env_name": "STAGING",
       "db_instance_identifier": "chaps-preprod-instance",
-      "friendly_name": "Chaps preproduction",
-      "container_instance_type": "windows",
-      "container_version": "preproduction",
-      "region": "eu-west-2",
       "docker_image_tag": "preproduction",
       "app_count": 2,
       "ec2_desired_capacity": 2,
@@ -47,17 +37,12 @@
       "client_id": "2e2cc8ad-7b64-41b9-93a1-c16b9a00b34f"
     },
     "production": {
-      "db_enabled": true,
       "db_instance_class": "db.m5.xlarge",
       "db_user": "dbadmin",
       "db_allocated_storage": "100",
       "db_name": "chaps-prod",
       "env_name": "PRODUCTION",
       "db_instance_identifier": "chaps-prod-instance",
-      "friendly_name": "Chaps Production",
-      "container_instance_type": "windows",
-      "container_version": "production",
-      "region": "eu-west-2",
       "docker_image_tag": "production",
       "app_count": 2,
       "ec2_desired_capacity": 2,

terraform/environments/cdpt-chaps/database.tf

@@ -10,7 +10,7 @@ resource "aws_db_instance" "database" {
   instance_class         = local.application_data.accounts[local.environment].db_instance_class
   identifier             = local.application_data.accounts[local.environment].db_instance_identifier
   # username               = local.application_data.accounts[local.environment].db_user
-  password               = data.aws_secretsmanager_secret_version.db_password.secret_string
+  password               = aws_secretsmanager_secret_version.db_password.secret_string
   vpc_security_group_ids = [aws_security_group.db.id]
   depends_on             = [aws_security_group.db]
   # snapshot_identifier    = "arn:aws:rds:eu-west-2:613903586696:snapshot:chaps-prod-snapshot-2024-01-19"
@@ -58,14 +58,6 @@ resource "aws_security_group" "db" {
   }
 }
 
-data "aws_secretsmanager_secret" "db_password" {
-  name = aws_secretsmanager_secret.chaps_secret.name
-}
-
-data "aws_secretsmanager_secret_version" "db_password" {
-  secret_id = data.aws_secretsmanager_secret.db_password.id
-}
-
 #------------------------------------------------------------------------------
 # KMS setup for RDS
 #------------------------------------------------------------------------------

terraform/environments/cdpt-chaps/ecs.tf

@@ -101,10 +101,6 @@ resource "aws_ecs_task_definition" "chaps_task_definition" {
           name  = "RDS_USERNAME"
           value = "${aws_db_instance.database.username}"
         },
-        {
-          name  = "RDS_PASSWORD"
-          value = "${aws_db_instance.database.password}"
-        },
         {
           name  = "DB_NAME"
           value = "${local.application_data.accounts[local.environment].db_name}"
@@ -117,6 +113,12 @@ resource "aws_ecs_task_definition" "chaps_task_definition" {
           name  = "CurServer"
           value = "${local.application_data.accounts[local.environment].env_name}"
         }
+      ],
+      secrets = [
+        {
+          name: "RDS_PASSWORD",
+          valueFrom: aws_secretsmanager_secret_version.db_password.arn
+        }
       ]
     }
   ])

terraform/environments/cdpt-chaps/secrets.tf

@@ -1,15 +1,14 @@
 #### This file can be used to store secrets specific to the member account ####
 
-resource "aws_secretsmanager_secret" "chaps_secret" {
-  name        = "chaps_secret1"
-  description = "Simple secret created through Terraform"
+resource "aws_secretsmanager_secret" "db_password" {
+  name        = "database_password"
 }
 
-resource "random_password" "password" {
-  length = 10
+resource "random_password" "password_long" {
+  length = 32
 }
 
-resource "aws_secretsmanager_secret_version" "chaps_secret" {
-  secret_id     = aws_secretsmanager_secret.chaps_secret.id
-  secret_string = random_password.password.result
+resource "aws_secretsmanager_secret_version" "db_password" {
+  secret_id     = aws_secretsmanager_secret.db_password.id
+  secret_string = random_password.password_long.result
 }

terraform/environments/data-platform-compute/application_variables.json

@@ -1,7 +1,7 @@
 {
   "accounts": {
     "development": {
-      "example_var": "dev-data"
+      "vpc_cidr": "10.0.0.0/16"
     },
     "test": {
       "example_var": "test-data"
@@ -10,7 +10,7 @@
       "example_var": "preproduction-data"
     },
     "production": {
-      "example_var": "production-data"
+      "vpc_cidr": "10.0.0.0/16"
     }
   }
 }

terraform/environments/data-platform-compute/data.tf

@@ -1 +1,2 @@
 #### This file can be used to store data specific to the member account ####
+data "aws_availability_zones" "available" {}

terraform/environments/data-platform-compute/locals.tf

@@ -1 +1,5 @@
 #### This file can be used to store locals specific to the member account ####
+locals {
+  availability_zones = slice(data.aws_availability_zones.available.names, 0, 3)
+  private_subnets    = cidrsubnets(local.application_data.accounts[local.environment].vpc_cidr, 4, 4, 4)
+}