Merge pull request #764 from ministryofjustice/date-1659358722

New files for terraform/environments

.github/CODEOWNERS

@@ -2,6 +2,7 @@
 # https://github.com/ministryofjustice/modernisation-platform/blob/main/scripts/provision-member-directories.sh
 
 * @ministryofjustice/modernisation-platform
+/terraform/environments/apex @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform
 /terraform/environments/equip @ministryofjustice/modernisation-platform-engineers @ministryofjustice/modernisation-platform
 /terraform/environments/example @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
 /terraform/environments/nomis @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform

.github/workflows/apex.yml

@@ -0,0 +1,204 @@
+---
+name: apex
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'terraform/environments/apex/**'
+      - '.github/workflows/apex.yml'
+  pull_request:
+    branches:
+      - main
+    types: [opened, edited, reopened, synchronize]
+    paths:
+      - 'terraform/environments/apex/**'
+      - '.github/workflows/apex.yml'
+  workflow_dispatch:
+env:
+  AWS_ACCESS_KEY_ID:  ${{ secrets.AWS_ACCESS_KEY_ID }}
+  AWS_SECRET_ACCESS_KEY:  ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+  TF_IN_AUTOMATION: true
+defaults:
+  run:
+    shell: bash
+
+jobs:
+
+  # These jobs run when creating a pull request
+  plan-development:
+    name: Plan Development - apex
+    runs-on: ubuntu-latest
+    if: github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+    steps:
+      - name: Checkout Repository
+        uses: actions/[email protected]
+      - name: Load and Configure Terraform
+        uses: hashicorp/[email protected]
+        with:
+          terraform_version: "~1"
+          terraform_wrapper: false
+      - name: Terraform plan - development
+        run: |
+          echo "Terraform plan - ${TF_ENV}"
+          bash scripts/terraform-init.sh terraform/environments/apex
+          terraform -chdir="terraform/environments/apex" workspace select "apex-${TF_ENV}"
+          bash scripts/terraform-plan.sh terraform/environments/apex
+        env:
+          TF_ENV: development
+
+  deploy-development:
+    name: Deploy Development - apex
+    runs-on: ubuntu-latest
+    if: github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+    environment:
+      name: apex-development
+    steps:
+      - name: Checkout Repository
+        uses: actions/[email protected]
+      - name: Load and Configure Terraform
+        uses: hashicorp/[email protected]
+        with:
+          terraform_version: "~1"
+          terraform_wrapper: false
+      - name: Terraform apply - development
+        run: |
+          echo "Terraform apply - ${TF_ENV}"
+          bash scripts/terraform-init.sh terraform/environments/apex
+          terraform -chdir="terraform/environments/apex" workspace select "apex-${TF_ENV}"
+          bash scripts/terraform-apply.sh terraform/environments/apex
+        env:
+          TF_ENV: development
+
+  # plan-test:
+  #   name: Plan Test - apex
+  #   runs-on: ubuntu-latest
+  #   if: github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+  #   steps:
+  #     - name: Checkout Repository
+  #       uses: actions/[email protected]
+  #     - name: Load and Configure Terraform
+  #       uses: hashicorp/[email protected]
+  #       with:
+  #         terraform_version: "~1"
+  #         terraform_wrapper: false
+  #     - name: Terraform plan - test
+  #       run: |
+  #         echo "Terraform plan - ${TF_ENV}"
+  #         bash scripts/terraform-init.sh terraform/environments/apex
+  #         terraform -chdir="terraform/environments/apex" workspace select "apex-${TF_ENV}"
+  #         bash scripts/terraform-plan.sh terraform/environments/apex
+  #       env:
+  #         TF_ENV: test
+  #
+  # deploy-test:
+  #   name: Deploy Test - apex
+  #   runs-on: ubuntu-latest
+  #   if: github.ref != 'refs/heads/main' || github.event_name == 'workflow_dispatch'
+  #   environment:
+  #     name: apex-test
+  #   steps:
+  #     - name: Checkout Repository
+  #       uses: actions/[email protected]
+  #     - name: Load and Configure Terraform
+  #       uses: hashicorp/[email protected]
+  #       with:
+  #         terraform_version: "~1"
+  #         terraform_wrapper: false
+  #     - name: Terraform apply - test
+  #       run: |
+  #         echo "Terraform apply - ${TF_ENV}"
+  #         bash scripts/terraform-init.sh terraform/environments/apex
+  #         terraform -chdir="terraform/environments/apex" workspace select "apex-${TF_ENV}"
+  #         bash scripts/terraform-apply.sh terraform/environments/apex
+  #       env:
+  #         TF_ENV: test
+  #
+  # # These jobs run after merging to main
+  # plan-preproduction:
+  #   name: Plan Preproduction - apex
+  #   runs-on: ubuntu-latest
+  #   if: github.ref == 'refs/heads/main'
+  #   steps:
+  #     - name: Checkout Repository
+  #       uses: actions/[email protected]
+  #     - name: Load and Configure Terraform
+  #       uses: hashicorp/[email protected]
+  #       with:
+  #         terraform_version: "~1"
+  #         terraform_wrapper: false
+  #     - name: Terraform plan - preproduction
+  #       run: |
+  #         echo "Terraform plan - ${TF_ENV}"
+  #         bash scripts/terraform-init.sh terraform/environments/apex
+  #         terraform -chdir="terraform/environments/apex" workspace select "apex-${TF_ENV}"
+  #         bash scripts/terraform-plan.sh terraform/environments/apex
+  #       env:
+  #         TF_ENV: preproduction
+  #
+  # deploy-preproduction:
+  #   name: Deploy Preproduction - apex
+  #   runs-on: ubuntu-latest
+  #   if: github.ref == 'refs/heads/main'
+  #   environment:
+  #     name: apex-preproduction
+  #   steps:
+  #     - name: Checkout Repository
+  #       uses: actions/[email protected]
+  #     - name: Load and Configure Terraform
+  #       uses: hashicorp/[email protected]
+  #       with:
+  #         terraform_version: "~1"
+  #         terraform_wrapper: false
+  #     - name: Terraform apply - preproduction
+  #       run: |
+  #         echo "Terraform apply - ${TF_ENV}"
+  #         bash scripts/terraform-init.sh terraform/environments/apex
+  #         terraform -chdir="terraform/environments/apex" workspace select "apex-${TF_ENV}"
+  #         bash scripts/terraform-apply.sh terraform/environments/apex
+  #       env:
+  #         TF_ENV: preproduction
+  #
+  # plan-production:
+  #   name: Plan Production - apex
+  #   runs-on: ubuntu-latest
+  #   if: github.ref == 'refs/heads/main'
+  #   steps:
+  #     - name: Checkout Repository
+  #       uses: actions/[email protected]
+  #     - name: Load and Configure Terraform
+  #       uses: hashicorp/[email protected]
+  #       with:
+  #         terraform_version: "~1"
+  #         terraform_wrapper: false
+  #     - name: Terraform plan - production
+  #       run: |
+  #         echo "Terraform plan - ${TF_ENV}"
+  #         bash scripts/terraform-init.sh terraform/environments/apex
+  #         terraform -chdir="terraform/environments/apex" workspace select "apex-${TF_ENV}"
+  #         bash scripts/terraform-plan.sh terraform/environments/apex
+  #       env:
+  #         TF_ENV: production
+  #
+  # deploy-production:
+  #   name: Deploy Production - apex
+  #   runs-on: ubuntu-latest
+  #   if: github.ref == 'refs/heads/main'
+  #   environment:
+  #     name: apex-production
+  #   steps:
+  #     - name: Checkout Repository
+  #       uses: actions/[email protected]
+  #     - name: Load and Configure Terraform
+  #       uses: hashicorp/[email protected]
+  #       with:
+  #         terraform_version: "~1"
+  #         terraform_wrapper: false
+  #     - name: Terraform apply - production
+  #       run: |
+  #         echo "Terraform apply - ${TF_ENV}"
+  #         bash scripts/terraform-init.sh terraform/environments/apex
+  #         terraform -chdir="terraform/environments/apex" workspace select "apex-${TF_ENV}"
+  #         bash scripts/terraform-apply.sh terraform/environments/apex
+  #       env:
+  #         TF_ENV: production

terraform/environments/apex/application_variables.json

@@ -0,0 +1,16 @@
+{
+  "accounts": {
+    "development": {
+      "example_var": "dev-data"
+    },
+    "test": {
+      "example_var": "test-data"
+    },
+    "preproduction": {
+      "example_var": "preproduction-data"
+    },
+    "production": {
+      "example_var": "production-data"
+    }
+  }
+}

terraform/environments/apex/backend.tf

@@ -0,0 +1,13 @@
+# Backend
+terraform {
+  # `backend` blocks do not support variables, so the following are hard-coded here:
+  # - S3 bucket name, which is created in modernisation-platform-account/s3.tf
+  backend "s3" {
+    acl                  = "bucket-owner-full-control"
+    bucket               = "modernisation-platform-terraform-state"
+    encrypt              = true
+    key                  = "terraform.tfstate"
+    region               = "eu-west-2"
+    workspace_key_prefix = "environments/members/apex" # This will store the object as environments/members/apex/${workspace}/terraform.tfstate
+  }
+}

terraform/environments/apex/base_variables.tf

@@ -0,0 +1,5 @@
+variable "networking" {
+
+  type = list(any)
+
+}

terraform/environments/apex/data.tf

@@ -0,0 +1,147 @@
+# This data sources allows us to get the Modernisation Platform account information for use elsewhere
+# (when we want to assume a role in the MP, for instance)
+data "aws_organizations_organization" "root_account" {}
+
+# Get the environments file from the main repository
+data "http" "environments_file" {
+  url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.application_name}.json"
+}
+
+# Current account data
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
+
+# VPC and subnet data
+data "aws_vpc" "shared" {
+  tags = {
+    "Name" = "${var.networking[0].business-unit}-${local.environment}"
+  }
+}
+
+data "aws_subnets" "shared-data" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.shared.id]
+  }
+  tags = {
+    Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data*"
+  }
+}
+
+data "aws_subnets" "private-public" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.shared.id]
+  }
+  tags = {
+    Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*"
+  }
+}
+
+data "aws_subnets" "shared-public" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.shared.id]
+  }
+  tags = {
+    Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public*"
+  }
+}
+
+data "aws_subnet" "data_subnets_a" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}a"
+  }
+}
+
+data "aws_subnet" "data_subnets_b" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}b"
+  }
+}
+
+data "aws_subnet" "data_subnets_c" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}c"
+  }
+}
+
+data "aws_subnet" "private_subnets_a" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}a"
+  }
+}
+
+data "aws_subnet" "private_subnets_b" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}b"
+  }
+}
+
+data "aws_subnet" "private_subnets_c" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}c"
+  }
+}
+
+data "aws_subnet" "public_subnets_a" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}a"
+  }
+}
+
+data "aws_subnet" "public_subnets_b" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}b"
+  }
+}
+
+data "aws_subnet" "public_subnets_c" {
+  vpc_id = data.aws_vpc.shared.id
+  tags = {
+    Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}c"
+  }
+}
+
+# Route53 DNS data
+data "aws_route53_zone" "external" {
+  provider = aws.core-vpc
+
+  name         = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk."
+  private_zone = false
+}
+
+data "aws_route53_zone" "inner" {
+  provider = aws.core-vpc
+
+  name         = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.internal."
+  private_zone = true
+}
+
+data "aws_route53_zone" "network-services" {
+  provider = aws.core-network-services
+
+  name         = "modernisation-platform.service.justice.gov.uk."
+  private_zone = false
+}
+
+# State for core-network-services resource information
+data "terraform_remote_state" "core_network_services" {
+  backend = "s3"
+  config = {
+    acl     = "bucket-owner-full-control"
+    bucket  = "modernisation-platform-terraform-state"
+    key     = "environments/accounts/core-network-services/core-network-services-production/terraform.tfstate"
+    region  = "eu-west-2"
+    encrypt = "true"
+  }
+}