Merge pull request #22 from ministryofjustice/date-1619703666

New files for terraform/environments

terraform/environments/analytical-platform-management/backend.tf

@@ -0,0 +1,13 @@
+# Backend
+terraform {
+  # `backend` blocks do not support variables, so the following are hard-coded here:
+  # - S3 bucket name, which is created in modernisation-platform-account/s3.tf
+  backend "s3" {
+    acl                  = "bucket-owner-full-control"
+    bucket               = "modernisation-platform-terraform-state"
+    encrypt              = true
+    key                  = "terraform.tfstate"
+    region               = "eu-west-2"
+    workspace_key_prefix = "environments/members/analytical-platform-management" # This will store the object as environments/members/analytical-platform-management/${workspace}/terraform.tfstate
+  }
+}

terraform/environments/analytical-platform-management/base_variables.tf

@@ -0,0 +1,5 @@
+variable "networking" {
+
+  type = list(any)
+
+}

terraform/environments/analytical-platform-management/locals.tf

@@ -0,0 +1,32 @@
+# This data sources allows us to get the Modernisation Platform account information for use elsewhere
+# (when we want to assume a role in the MP, for instance)
+data "aws_organizations_organization" "root_account" {}
+
+locals {
+
+  application_name = "analytical-platform-management"
+
+  environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
+
+  # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
+  # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
+  is-production    = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
+  is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction"
+  is-test          = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test"
+  is-development   = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development"
+
+  tags = {
+    business-unit = "Platforms"
+    application   = "Modernisation Platform: ${terraform.workspace}"
+    is-production = local.is-production
+    owner         = "Modernisation Platform: [email protected]"
+  }
+
+  environment = trimprefix(terraform.workspace, "${var.networking[0].application}-")
+  vpc_name    = var.networking[0].business-unit
+  subnet_set  = var.networking[0].set
+
+  is_live       = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"]
+  provider_name = "core-vpc-${local.environment}"
+
+}

terraform/environments/analytical-platform-management/networking.auto.tfvars.json

@@ -0,0 +1,9 @@
+{
+  "networking": [
+    {
+      "business-unit": "",
+      "set": "",
+      "application": "analytical-platform-management"
+    }
+  ]
+}

terraform/environments/analytical-platform-management/providers.tf

@@ -0,0 +1,33 @@
+# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
+provider "aws" {
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/ModernisationPlatformAccess"
+  }
+}
+
+# AWS provider for the Modernisation Platform, to get things from there if required
+provider "aws" {
+  alias  = "modernisation-platform"
+  region = "eu-west-2"
+}
+
+# AWS provider for core-vpc-<environment>, to share VPCs into this account
+provider "aws" {
+  alias  = "core-vpc"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/ModernisationPlatformAccess"
+  }
+}
+
+# AWS provider for core-network-services-production, to share VPCs into this account
+provider "aws" {
+  alias  = "core-network-services"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/ModernisationPlatformAccess"
+  }
+}

terraform/environments/analytical-platform-management/secrets.tf

@@ -0,0 +1,11 @@
+# Get secret by name for environment management
+data "aws_secretsmanager_secret" "environment_management" {
+  provider = aws.modernisation-platform
+  name     = "environment_management"
+}
+
+# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
+data "aws_secretsmanager_secret_version" "environment_management" {
+  provider  = aws.modernisation-platform
+  secret_id = data.aws_secretsmanager_secret.environment_management.id
+}

terraform/environments/analytical-platform-management/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      version = ">= 3.34.0"
+      source  = "hashicorp/aws"
+    }
+  }
+  required_version = ">= 0.14.6"
+}

terraform/environments/bench/backend.tf

@@ -0,0 +1,13 @@
+# Backend
+terraform {
+  # `backend` blocks do not support variables, so the following are hard-coded here:
+  # - S3 bucket name, which is created in modernisation-platform-account/s3.tf
+  backend "s3" {
+    acl                  = "bucket-owner-full-control"
+    bucket               = "modernisation-platform-terraform-state"
+    encrypt              = true
+    key                  = "terraform.tfstate"
+    region               = "eu-west-2"
+    workspace_key_prefix = "environments/members/bench" # This will store the object as environments/members/bench/${workspace}/terraform.tfstate
+  }
+}

terraform/environments/bench/base_variables.tf

@@ -0,0 +1,5 @@
+variable "networking" {
+
+  type = list(any)
+
+}

terraform/environments/bench/locals.tf

@@ -0,0 +1,32 @@
+# This data sources allows us to get the Modernisation Platform account information for use elsewhere
+# (when we want to assume a role in the MP, for instance)
+data "aws_organizations_organization" "root_account" {}
+
+locals {
+
+  application_name = "bench"
+
+  environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
+
+  # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
+  # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
+  is-production    = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
+  is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction"
+  is-test          = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test"
+  is-development   = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development"
+
+  tags = {
+    business-unit = "Platforms"
+    application   = "Modernisation Platform: ${terraform.workspace}"
+    is-production = local.is-production
+    owner         = "Modernisation Platform: [email protected]"
+  }
+
+  environment = trimprefix(terraform.workspace, "${var.networking[0].application}-")
+  vpc_name    = var.networking[0].business-unit
+  subnet_set  = var.networking[0].set
+
+  is_live       = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"]
+  provider_name = "core-vpc-${local.environment}"
+
+}

terraform/environments/bench/networking.auto.tfvars.json

@@ -0,0 +1,9 @@
+{
+  "networking": [
+    {
+      "business-unit": "core",
+      "set": "general",
+      "application": "bench"
+    }
+  ]
+}

terraform/environments/bench/providers.tf

@@ -0,0 +1,33 @@
+# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
+provider "aws" {
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/ModernisationPlatformAccess"
+  }
+}
+
+# AWS provider for the Modernisation Platform, to get things from there if required
+provider "aws" {
+  alias  = "modernisation-platform"
+  region = "eu-west-2"
+}
+
+# AWS provider for core-vpc-<environment>, to share VPCs into this account
+provider "aws" {
+  alias  = "core-vpc"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/ModernisationPlatformAccess"
+  }
+}
+
+# AWS provider for core-network-services-production, to share VPCs into this account
+provider "aws" {
+  alias  = "core-network-services"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/ModernisationPlatformAccess"
+  }
+}

terraform/environments/bench/secrets.tf

@@ -0,0 +1,11 @@
+# Get secret by name for environment management
+data "aws_secretsmanager_secret" "environment_management" {
+  provider = aws.modernisation-platform
+  name     = "environment_management"
+}
+
+# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
+data "aws_secretsmanager_secret_version" "environment_management" {
+  provider  = aws.modernisation-platform
+  secret_id = data.aws_secretsmanager_secret.environment_management.id
+}

terraform/environments/bench/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      version = ">= 3.34.0"
+      source  = "hashicorp/aws"
+    }
+  }
+  required_version = ">= 0.14.6"
+}

terraform/environments/bichard7/backend.tf

@@ -0,0 +1,13 @@
+# Backend
+terraform {
+  # `backend` blocks do not support variables, so the following are hard-coded here:
+  # - S3 bucket name, which is created in modernisation-platform-account/s3.tf
+  backend "s3" {
+    acl                  = "bucket-owner-full-control"
+    bucket               = "modernisation-platform-terraform-state"
+    encrypt              = true
+    key                  = "terraform.tfstate"
+    region               = "eu-west-2"
+    workspace_key_prefix = "environments/members/bichard7" # This will store the object as environments/members/bichard7/${workspace}/terraform.tfstate
+  }
+}

terraform/environments/bichard7/base_variables.tf

@@ -0,0 +1,5 @@
+variable "networking" {
+
+  type = list(any)
+
+}

terraform/environments/bichard7/locals.tf

@@ -0,0 +1,32 @@
+# This data sources allows us to get the Modernisation Platform account information for use elsewhere
+# (when we want to assume a role in the MP, for instance)
+data "aws_organizations_organization" "root_account" {}
+
+locals {
+
+  application_name = "bichard7"
+
+  environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
+
+  # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
+  # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
+  is-production    = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
+  is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction"
+  is-test          = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test"
+  is-development   = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development"
+
+  tags = {
+    business-unit = "Platforms"
+    application   = "Modernisation Platform: ${terraform.workspace}"
+    is-production = local.is-production
+    owner         = "Modernisation Platform: [email protected]"
+  }
+
+  environment = trimprefix(terraform.workspace, "${var.networking[0].application}-")
+  vpc_name    = var.networking[0].business-unit
+  subnet_set  = var.networking[0].set
+
+  is_live       = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"]
+  provider_name = "core-vpc-${local.environment}"
+
+}

terraform/environments/bichard7/networking.auto.tfvars.json

@@ -0,0 +1,9 @@
+{
+  "networking": [
+    {
+      "business-unit": "",
+      "set": "",
+      "application": "bichard7"
+    }
+  ]
+}

terraform/environments/bichard7/providers.tf

@@ -0,0 +1,33 @@
+# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
+provider "aws" {
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/ModernisationPlatformAccess"
+  }
+}
+
+# AWS provider for the Modernisation Platform, to get things from there if required
+provider "aws" {
+  alias  = "modernisation-platform"
+  region = "eu-west-2"
+}
+
+# AWS provider for core-vpc-<environment>, to share VPCs into this account
+provider "aws" {
+  alias  = "core-vpc"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/ModernisationPlatformAccess"
+  }
+}
+
+# AWS provider for core-network-services-production, to share VPCs into this account
+provider "aws" {
+  alias  = "core-network-services"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/ModernisationPlatformAccess"
+  }
+}

terraform/environments/bichard7/secrets.tf

@@ -0,0 +1,11 @@
+# Get secret by name for environment management
+data "aws_secretsmanager_secret" "environment_management" {
+  provider = aws.modernisation-platform
+  name     = "environment_management"
+}
+
+# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
+data "aws_secretsmanager_secret_version" "environment_management" {
+  provider  = aws.modernisation-platform
+  secret_id = data.aws_secretsmanager_secret.environment_management.id
+}

terraform/environments/bichard7/versions.tf

@@ -0,0 +1,9 @@
+terraform {
+  required_providers {
+    aws = {
+      version = ">= 3.34.0"
+      source  = "hashicorp/aws"
+    }
+  }
+  required_version = ">= 0.14.6"
+}

terraform/environments/cooker/backend.tf

@@ -0,0 +1,13 @@
+# Backend
+terraform {
+  # `backend` blocks do not support variables, so the following are hard-coded here:
+  # - S3 bucket name, which is created in modernisation-platform-account/s3.tf
+  backend "s3" {
+    acl                  = "bucket-owner-full-control"
+    bucket               = "modernisation-platform-terraform-state"
+    encrypt              = true
+    key                  = "terraform.tfstate"
+    region               = "eu-west-2"
+    workspace_key_prefix = "environments/members/cooker" # This will store the object as environments/members/cooker/${workspace}/terraform.tfstate
+  }
+}

terraform/environments/cooker/base_variables.tf

@@ -0,0 +1,5 @@
+variable "networking" {
+
+  type = list(any)
+
+}