Merge branch 'main' into LAWS-3585

ministryofjustice · Jan 16, 2024 · f72f40c · f72f40c
2 parents cf31a59 + 61ccb5a
commit f72f40c
Show file tree

Hide file tree

Showing 62 changed files with 1,194 additions and 2,266 deletions.
diff --git a/.devcontainer/features/src/aws/devcontainer-feature.json b/.devcontainer/features/src/aws/devcontainer-feature.json
@@ -1,20 +1,20 @@
 {
-    "id": "aws",
-    "version": "1.0.0",
-    "name": "aws",
-    "description": "AWS",
-    "options": {
-      "awsCliVersion": {
-        "type": "string",
-        "description": "AWS CLI version (https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst)",
-        "proposals": ["latest"],
-        "default": "latest"
-      },
-      "awsSsoCliVersion":{
-        "type": "string",
-        "description": "AWS SSO CLI version (https://github.com/synfinatic/aws-sso-cli/releases)",
-        "proposals": ["latest"],
-        "default": "latest"
-      }
+  "id": "aws",
+  "version": "1.0.0",
+  "name": "aws",
+  "description": "AWS",
+  "options": {
+    "awsCliVersion": {
+      "type": "string",
+      "description": "AWS CLI version (https://github.com/aws/aws-cli/blob/v2/CHANGELOG.rst)",
+      "proposals": ["latest"],
+      "default": "latest"
+    },
+    "awsSsoCliVersion": {
+      "type": "string",
+      "description": "AWS SSO CLI version (https://github.com/synfinatic/aws-sso-cli/releases)",
+      "proposals": ["latest"],
+      "default": "latest"
     }
   }
+}
diff --git a/.devcontainer/features/src/terraform/devcontainer-feature.json b/.devcontainer/features/src/terraform/devcontainer-feature.json
@@ -1,31 +1,29 @@
 {
-    "id": "terraform",
-    "version": "1.0.0",
-    "name": "terraform",
-    "description": "Terraform",
-    "options": {
-      "terraformSwitcherVersion": {
-        "type": "string",
-        "description": "Terraform Switcher version (https://github.com/warrensbox/terraform-switcher/releases)",
-        "proposals": ["latest"],
-        "default": "latest"
-      },
-      "terraformVersion": {
-        "type": "string",
-        "description": "Terraform version (https://github.com/hashicorp/terraform/releases)",
-        "proposals": ["latest"],
-        "default": "latest"
-      }
+  "id": "terraform",
+  "version": "1.0.0",
+  "name": "terraform",
+  "description": "Terraform",
+  "options": {
+    "terraformSwitcherVersion": {
+      "type": "string",
+      "description": "Terraform Switcher version (https://github.com/warrensbox/terraform-switcher/releases)",
+      "proposals": ["latest"],
+      "default": "latest"
     },
-    "customizations": {
-      "vscode": {
-        "extensions": [
-          "hashicorp.terraform"
-        ],
-        "settings": {
-          "editor.formatOnSave": true,
-          "editor.defaultFormatter": "hashicorp.terraform"
-        }
+    "terraformVersion": {
+      "type": "string",
+      "description": "Terraform version (https://github.com/hashicorp/terraform/releases)",
+      "proposals": ["latest"],
+      "default": "latest"
+    }
+  },
+  "customizations": {
+    "vscode": {
+      "extensions": ["hashicorp.terraform"],
+      "settings": {
+        "editor.formatOnSave": true,
+        "editor.defaultFormatter": "hashicorp.terraform"
       }
     }
   }
+}
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -15,7 +15,7 @@
 /terraform/environments/data-platform-apps-and-tools @ministryofjustice/data-platform-apps-and-tools-airflow-users @ministryofjustice/data-platform-apps-and-tools-development-sandbox @ministryofjustice/data-platform-apps-and-tools-production-developer @ministryofjustice/data-platform-audit-and-security @ministryofjustice/modernisation-platform
 /terraform/environments/data-platform-compute @ministryofjustice/data-platform-core-infra @ministryofjustice/data-tech-archs @ministryofjustice/modernisation-platform
 /terraform/environments/data-platform @ministryofjustice/data-platform-audit-and-security @ministryofjustice/data-platform-development-sandbox @ministryofjustice/data-platform-preproduction-developer @ministryofjustice/data-platform-production-developer @ministryofjustice/data-platform-test-developer @ministryofjustice/modernisation-platform
-/terraform/environments/delius-core @ministryofjustice/hmpps-dba @ministryofjustice/hmpps-migration @ministryofjustice/unilink @ministryofjustice/modernisation-platform
+/terraform/environments/delius-core @ministryofjustice/hmpps-migration @ministryofjustice/modernisation-platform
 /terraform/environments/delius-iaps @ministryofjustice/hmpps-dba @ministryofjustice/hmpps-migration @ministryofjustice/modernisation-platform
 /terraform/environments/delius-jitbit @ministryofjustice/hmpps-delius-jitbit-devs @ministryofjustice/hmpps-migration @ministryofjustice/modernisation-platform
 /terraform/environments/digital-prison-reporting @ministryofjustice/hmpps-digital-prison-reporting @ministryofjustice/hmpps-digital-prison-reporting-non-cleared-team @ministryofjustice/modernisation-platform
@@ -46,7 +46,7 @@
 /terraform/environments/ppud @ministryofjustice/modernisation-platform @ministryofjustice/ppud-replacement-devs @ministryofjustice/modernisation-platform
 /terraform/environments/pra-register @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform
 /terraform/environments/refer-monitor @ministryofjustice/hmpps-interventions-dashboard-access @ministryofjustice/hmpps-interventions-dev @ministryofjustice/modernisation-platform
-/terraform/environments/sprinkler @ministryofjustice/modernisation-platform @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
+/terraform/environments/sprinkler @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
 /terraform/environments/tariff @ministryofjustice/cica @ministryofjustice/modernisation-platform
 /terraform/environments/testing @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
 /terraform/environments/tipstaff @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform

diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
@@ -24,7 +24,7 @@ jobs:
           token: '${{ secrets.GITHUB_TOKEN }}'
           fetch-depth: 0
       - name: Cache plugin dir
-        uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
+        uses: actions/cache@e12d46a63a90f2fae62d114769bbf2a179198b5c # v3.3.3
         with:
           path: ~/.tflint.d/plugins
           key: '${{ matrix.os }}-tflint-${{ hashFiles(''.tflint.hcl'') }}'
@@ -78,7 +78,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@a87615f0e03d867a199100477e6ed64fc931ec58 # v12.2637.0
+        uses: bridgecrewio/checkov-action@627ee2bec82a6d32e254c1e5a8a7590ed68cfd2f # v12.2640.0
         with:
           directory: ./
           framework: terraform

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -59,7 +59,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
+        uses: actions/upload-artifact@1eb3cb2b3e0f29609092a73eb033bb759a334595 # v4.1.0
         with:
           name: SARIF file
           path: results.sarif

diff --git a/.github/workflows/terraform-static-analysis.yml b/.github/workflows/terraform-static-analysis.yml
@@ -28,7 +28,7 @@ jobs:
       with:
         fetch-depth: 0
     - name: Run Analysis
-      uses: ministryofjustice/github-actions/terraform-static-analysis@433c75e44be4eabb0a6ca573951090b9da4901cf # v15.1.0
+      uses: ministryofjustice/github-actions/terraform-static-analysis@7855159a5c3a9bcd658207c894cc4ed22bd35a22 # v15.3.0
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -49,7 +49,7 @@ jobs:
       with:
         fetch-depth: 0
     - name: Run Analysis
-      uses: ministryofjustice/github-actions/terraform-static-analysis@433c75e44be4eabb0a6ca573951090b9da4901cf # v15.1.0
+      uses: ministryofjustice/github-actions/terraform-static-analysis@7855159a5c3a9bcd658207c894cc4ed22bd35a22 # v15.3.0
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:
@@ -68,7 +68,7 @@ jobs:
       with:
         fetch-depth: 0
     - name: Run Analysis
-      uses: ministryofjustice/github-actions/terraform-static-analysis@433c75e44be4eabb0a6ca573951090b9da4901cf # v15.1.0
+      uses: ministryofjustice/github-actions/terraform-static-analysis@7855159a5c3a9bcd658207c894cc4ed22bd35a22 # v15.3.0
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       with:

diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
@@ -41,9 +41,9 @@ resource "aws_db_subnet_group" "db" {
 }
 
 resource "aws_security_group" "db" {
-  name = "${local.application_name}-db-sg" 
+  name        = "${local.application_name}-db-sg"
   description = "Allow DB inbound traffic"
-  vpc_id = data.aws_vpc.shared.id
+  vpc_id      = data.aws_vpc.shared.id
   ingress {
     from_port   = 1433
     to_port     = 1433
@@ -58,6 +58,15 @@ resource "aws_security_group" "db" {
   }
 }
 
+resource "aws_security_group_rule" "allow_ec2_to_rds" {
+  type              = "ingress"
+  from_port         = 1433
+  to_port           = 1433
+  protocol          = "tcp"
+  source_security_group_id = aws_security_group.cluster_ec2.id
+  security_group_id = aws_security_group.db.id
+}
+
 data "aws_secretsmanager_secret" "db_password" {
   name = aws_secretsmanager_secret.chaps_secret.name
 }

diff --git a/terraform/environments/cdpt-chaps/ecs.tf b/terraform/environments/cdpt-chaps/ecs.tf
@@ -35,7 +35,9 @@ resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-polic
                 "kms:GenerateDataKey",
                 "kms:ReEncrypt",
                 "kms:GenerateDataKey",
-                "kms:DescribeKey"
+                "kms:DescribeKey",
+                "rds:Connect",
+                "rds:DescribeDBInstances"
             ],
             "Resource": "*"
         }
@@ -130,7 +132,7 @@ resource "aws_ecs_service" "ecs_service" {
   }
 
   network_configuration {
-    subnets         = data.aws_subnets.shared-public.ids
+    subnets         = data.aws_subnets.shared-private.ids
     security_groups = [aws_security_group.ecs_service.id]
   }
 
@@ -220,6 +222,14 @@ resource "aws_security_group" "cluster_ec2" {
     security_groups = [module.bastion_linux.bastion_security_group]
   }
 
+  ingress {
+    description     = "Allow RDS access"
+    from_port       = 1433
+    to_port         = 1433
+    protocol        = "tcp"
+    security_groups = [aws_security_group.db.id]   
+  }
+
   egress {
     description     = "Cluster EC2 loadbalancer egress rule"
     from_port       = 0
@@ -263,7 +273,7 @@ resource "aws_launch_template" "ec2-launch-template" {
 
   network_interfaces {
     associate_public_ip_address = false
-    security_groups             = [aws_security_group.cluster_ec2.id]
+    security_groups             = [aws_security_group.cluster_ec2.id, aws_security_group.db.id]
   }
 
   block_device_mappings {

diff --git a/terraform/environments/cdpt-chaps/user_data.txt b/terraform/environments/cdpt-chaps/user_data.txt
@@ -6,4 +6,6 @@ Import-Module ECSTools
 
 Initialize-ECSAgent –Cluster ${cluster_name} -EnableTaskIAMRole -LoggingDrivers '["json-file","awslogs"]' -EnableTaskENI
 
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
+
 </powershell>
diff --git a/terraform/environments/data-platform-apps-and-tools/environment-configuration.tf b/terraform/environments/data-platform-apps-and-tools/environment-configuration.tf
@@ -17,13 +17,13 @@ locals {
       eks_cluster_name = "apps-tools-${local.environment}"
       eks_versions = {
         cluster                   = "1.28"
-        ami_release               = "1.16.0-d2d9cf87" // [major version].[minor version].[patch version]-[first 8 chars of commit SHA]. Get the SHA from here: https://github.com/bottlerocket-os/bottlerocket/releases
-        addon_coredns             = "v1.10.1-eksbuild.5"
-        addon_kube_proxy          = "v1.28.2-eksbuild.2"
-        addon_vpc_cni             = "v1.15.3-eksbuild.1"
+        ami_release               = "1.17.0-53f322c2" // [major version].[minor version].[patch version]-[first 8 chars of commit SHA]. Get the SHA from here: https://github.com/bottlerocket-os/bottlerocket/releases
+        addon_coredns             = "v1.10.1-eksbuild.6"
+        addon_kube_proxy          = "v1.28.4-eksbuild.4"
+        addon_vpc_cni             = "v1.16.0-eksbuild.1"
         addon_aws_guardduty_agent = "v1.4.0-eksbuild.1"
-        addon_ebs_csi_driver      = "v1.24.1-eksbuild.1"
-        addon_efs_csi_driver      = "v1.7.0-eksbuild.1"
+        addon_ebs_csi_driver      = "v1.26.1-eksbuild.1"
+        addon_efs_csi_driver      = "v1.7.2-eksbuild.1"
       }
       eks_sso_access_role = "modernisation-platform-sandbox"
 
@@ -53,7 +53,7 @@ locals {
       powerbi_gateway_ec2 = {
         instance_name       = "dpat-${local.environment}-powerbi"
         most_recent         = true
-        name                = ["Windows_Server-2022-English-Core-Base-*"]
+        name                = ["Windows_Server-2022-English-Full-Base-*"]
         virtualization_type = "hvm"
         owner_account       = "801119661308" # amazon
         instance_type       = "t3a.xlarge"   # 4vCPU, 16G RAM
@@ -105,13 +105,13 @@ locals {
       eks_cluster_name = "apps-tools-${local.environment}"
       eks_versions = {
         cluster                   = "1.28"
-        ami_release               = "1.16.0-d2d9cf87" // [major version].[minor version].[patch version]-[first 8 chars of commit SHA]. Get the SHA from here: https://github.com/bottlerocket-os/bottlerocket/releases
-        addon_coredns             = "v1.10.1-eksbuild.5"
-        addon_kube_proxy          = "v1.28.2-eksbuild.2"
-        addon_vpc_cni             = "v1.15.3-eksbuild.1"
-        addon_aws_guardduty_agent = "v1.3.1-eksbuild.1"
-        addon_ebs_csi_driver      = "v1.24.1-eksbuild.1"
-        addon_efs_csi_driver      = "v1.7.0-eksbuild.1"
+        ami_release               = "1.17.0-53f322c2" // [major version].[minor version].[patch version]-[first 8 chars of commit SHA]. Get the SHA from here: https://github.com/bottlerocket-os/bottlerocket/releases
+        addon_coredns             = "v1.10.1-eksbuild.6"
+        addon_kube_proxy          = "v1.28.4-eksbuild.4"
+        addon_vpc_cni             = "v1.16.0-eksbuild.1"
+        addon_aws_guardduty_agent = "v1.4.0-eksbuild.1"
+        addon_ebs_csi_driver      = "v1.26.1-eksbuild.1"
+        addon_efs_csi_driver      = "v1.7.2-eksbuild.1"
       }
       eks_sso_access_role = "modernisation-platform-developer"
 
@@ -156,7 +156,7 @@ locals {
       powerbi_gateway_ec2 = {
         instance_name       = "dpat-${local.environment}-powerbi"
         most_recent         = true
-        name                = ["Windows_Server-2022-English-Core-Base-*"]
+        name                = ["Windows_Server-2022-English-Full-Base-*"]
         virtualization_type = "hvm"
         owner_account       = "801119661308" # amazon
         instance_type       = "t3a.xlarge"   # 4vCPU, 16G RAM

diff --git a/terraform/environments/data-platform-apps-and-tools/helm-charts-applications.tf b/terraform/environments/data-platform-apps-and-tools/helm-charts-applications.tf
@@ -0,0 +1,76 @@
+resource "helm_release" "static_assets" {
+  name      = "static-assets"
+  chart     = "./src/helm/charts/static-assets"
+  namespace = kubernetes_namespace.static_assets.metadata[0].name
+
+  set {
+    name  = "ingress.host"
+    value = local.environment_configuration.static_assets_hostname
+  }
+
+  depends_on = [helm_release.cert_manager_additional]
+}
+
+resource "helm_release" "openmetadata_dependencies" {
+  name       = "openmetadata-dependencies"
+  repository = "https://helm.open-metadata.org"
+  chart      = "openmetadata-dependencies"
+  version    = "1.2.1"
+  namespace  = kubernetes_namespace.openmetadata.metadata[0].name
+  values = [
+    templatefile(
+      "${path.module}/src/helm/openmetadata-dependencies/values.yml.tftpl",
+      {
+        openmetadata_airflow_password                = random_password.openmetadata_airflow.result
+        openmetadata_airflow_eks_role_arn            = module.openmetadata_airflow_iam_role.iam_role_arn
+        openmetadata_airflow_rds_host                = module.openmetadata_airflow_rds.db_instance_address
+        openmetadata_airflow_rds_user                = module.openmetadata_airflow_rds.db_instance_username
+        openmetadata_airflow_rds_db                  = module.openmetadata_airflow_rds.db_instance_name
+        openmetadata_airflow_rds_password_secret     = kubernetes_secret.openmetadata_airflow_rds_credentials.metadata[0].name
+        openmetadata_airflow_rds_password_secret_key = "password"
+        openmetadata_airflow_admin_email             = "${local.environment_configuration.airflow_mail_from_address}@${local.environment_configuration.ses_domain_identity}"
+      }
+    )
+  ]
+  wait    = true
+  timeout = 600
+
+  depends_on = [kubernetes_secret.openmetadata_airflow]
+}
+
+resource "helm_release" "openmetadata" {
+  name       = "openmetadata"
+  repository = "https://helm.open-metadata.org"
+  chart      = "openmetadata"
+  version    = "1.2.1"
+  namespace  = kubernetes_namespace.openmetadata.metadata[0].name
+  values = [
+    templatefile(
+      "${path.module}/src/helm/openmetadata/values.yml.tftpl",
+      {
+        host                                 = "catalogue.${local.environment_configuration.route53_zone}"
+        eks_role_arn                         = module.openmetadata_iam_role.iam_role_arn
+        client_id                            = data.aws_secretsmanager_secret_version.openmetadata_entra_id_client_id.secret_string
+        tenant_id                            = data.aws_secretsmanager_secret_version.openmetadata_entra_id_tenant_id.secret_string
+        jwt_key_id                           = random_uuid.openmetadata_jwt.result
+        openmetadata_airflow_username        = "${local.environment_configuration.airflow_mail_from_address}@${local.environment_configuration.ses_domain_identity}"
+        openmetadata_airflow_password_secret = kubernetes_secret.openmetadata_airflow.metadata[0].name
+        #checkov:skip=CKV_SECRET_6:Reference to Kubernetes secret not a sensitive value
+        openmetadata_airflow_password_secret_key    = "openmetadata-airflow-password"
+        openmetadata_opensearch_host                = resource.aws_opensearch_domain.openmetadata.endpoint
+        openmetadata_opensearch_user                = "openmetadata"
+        openmetadata_opensearch_password_secret     = kubernetes_secret.openmetadata_opensearch_credentials.metadata[0].name
+        openmetadata_opensearch_password_secret_key = "password"
+        openmetadata_rds_host                       = module.openmetadata_rds.db_instance_address
+        openmetadata_rds_user                       = module.openmetadata_rds.db_instance_username
+        openmetadata_rds_dbname                     = module.openmetadata_rds.db_instance_name
+        openmetadata_rds_password_secret            = kubernetes_secret.openmetadata_rds_credentials.metadata[0].name
+        openmetadata_rds_password_secret_key        = "password"
+      }
+    )
+  ]
+  wait    = true
+  timeout = 600
+
+  depends_on = [helm_release.openmetadata_dependencies]
+}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -6,4 +6,6 @@ Import-Module ECSTools

		Initialize-ECSAgent –Cluster ${cluster_name} -EnableTaskIAMRole -LoggingDrivers '["json-file","awslogs"]' -EnableTaskENI

		Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))

		</powershell>