ministryofjustice · SteveLinden · Jun 12, 2024 · Jun 12, 2024 · Jun 13, 2024
@@ -21,4 +21,4 @@
       "integrity": "sha256:af3b3891cf31ff373df29998c690257d6f21f2ee4536bc4d692856408ef0c83a"
     }
   }
-}
+}
@@ -4,7 +4,7 @@
 * @ministryofjustice/modernisation-platform
 /terraform/environments/analytical-platform-compute @ministryofjustice/analytical-platform @ministryofjustice/modernisation-platform
 /terraform/environments/analytical-platform-ingestion @ministryofjustice/analytical-platform @ministryofjustice/modernisation-platform
-/terraform/environments/apex @ministryofjustice/laa-apex-developer @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform
+/terraform/environments/apex @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform
 /terraform/environments/ccms-ebs-upgrade @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform
 /terraform/environments/ccms-ebs @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform-security @ministryofjustice/modernisation-platform
 /terraform/environments/cdpt-chaps @ministryofjustice/central-digital-product-team @ministryofjustice/modernisation-platform
@@ -30,8 +30,8 @@
 /terraform/environments/equip @ministryofjustice/modernisation-platform-engineers @ministryofjustice/modernisation-platform
 /terraform/environments/eric @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform
 /terraform/environments/example @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
-/terraform/environments/genesys-call-centre-data @ministryofjustice/ @ministryofjustice/modernisation-platform
 /terraform/environments/hmpps-domain-services @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
+/terraform/environments/hmpps-intelligence-management @ministryofjustice/hmpps-intelligence-management @ministryofjustice/modernisation-platform
 /terraform/environments/hmpps-oem @ministryofjustice/hmpps-dba @ministryofjustice/hmpps-migration @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/laa-ccms-infra-azure-ad-sso @ministryofjustice/laa-ccms-webops @ministryofjustice/modernisation-platform-security @ministryofjustice/modernisation-platform
 /terraform/environments/laa-oem @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform

@@ -11,6 +11,7 @@ on:
   pull_request:
     branches:
       - main
+    types: [opened, edited, reopened, synchronize]
     paths:
       - 'terraform/environments/analytical-platform-compute/**'
       - '.github/workflows/analytical-platform-compute.yml'

@@ -38,7 +38,7 @@ jobs:
         run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+        uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           sarif_file: tflint.sarif
   trivy:
@@ -53,7 +53,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d
+        uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2
         with:
           scan-type: 'fs'
           scanners: misconfig,vuln,secret
@@ -63,7 +63,7 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+        uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           sarif_file: 'trivy-results.sarif'
   checkov:
@@ -81,7 +81,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@d5cf7815e6ec033e990dc1d66c346983339a912b # v12.2777.0
+        uses: bridgecrewio/checkov-action@329e2bb9c8d047eaa4216c2e815c6957cbf97e59 # v12.2765.0
         with:
           directory: ./
           framework: terraform
@@ -90,6 +90,6 @@ jobs:
           skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+        uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           sarif_file: ./checkov.sarif
@@ -11,6 +11,7 @@ on:
   pull_request:
     branches:
       - main
+    types: [opened, edited, reopened, synchronize]
     paths:
       - 'terraform/environments/delius-core/**'
       - '.github/workflows/delius-core.yml'

@@ -40,7 +40,7 @@ jobs:
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/flavors/
-        uses: oxsecurity/megalinter/flavors/terraform@5199c6377b4cb7faff749a1971636f3343db9fe6 #v7.12.0
+        uses: oxsecurity/megalinter/flavors/terraform@03986e6993ccf699a22451118520680b438e7d2a #v7.11.1
         env:
           # All available variables are described in documentation
           # https://megalinter.io/configuration/#shared-variables

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+        uses: github/codeql-action/upload-sarif@9fdb3e49720b44c48891d036bb502feb25684276 # v3.25.6
         with:
           sarif_file: results.sarif
@@ -18,11 +18,7 @@ RESOURCES_TO_CHECK_FOR=(
   "aws_route_table"
   "aws_route_table_association"
   "aws_route",
-  "aws_iam_openid_connect_provider",
-  "aws_cloudformation_stack",
-  "aws_cloudformation_stack_set",
-  "aws_cloudformation_stack_set_instance",
-  "aws_cloudformation_type"
+  "aws_iam_openid_connect_provider"
 )
 
 resourcesFound=false

@@ -6,7 +6,7 @@ module "eks" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.13.1"
+  version = "20.12.0"
 
   cluster_name    = local.eks_cluster_name
   cluster_version = local.environment_configuration.eks_cluster_version
@@ -98,40 +98,10 @@ module "eks" {
   eks_managed_node_groups = {
     general = {
       min_size       = 1
-      max_size       = 10
+      max_size       = 5
       desired_size   = 3
       instance_types = ["t3.xlarge"]
     }
-    airflow-high-memory = {
-      min_size       = 0
-      max_size       = 1
-      desired_size   = 0
-      instance_types = ["r6i.8xlarge"]
-      labels = {
-        high-memory = "true"
-      }
-      taints = [
-        {
-          key    = "high-memory"
-          value  = "true"
-          effect = "NO_SCHEDULE"
-        }
-      ]
-      block_device_mappings = {
-        xvdb = {
-          device_name = "/dev/xvdb"
-          ebs = {
-            volume_size           = 200
-            volume_type           = "gp3"
-            iops                  = 3000
-            throughput            = 250
-            encrypted             = true
-            kms_key_id            = module.ebs_kms.key_arn
-            delete_on_termination = true
-          }
-        }
-      }
-    }
   }
 
   access_entries = {
@@ -146,17 +116,6 @@ module "eks" {
         }
       }
     }
-    data-engineering-airflow = {
-      principal_arn     = local.environment_configuration.data_engineering_airflow_execution_role_arn
-      username          = "data-engineering-airflow"
-      kubernetes_groups = ["airflow"]
-    }
-    github-actions-mojas-airflow = {
-      # principal_arn doesn't use the module output because they reference each other
-      principal_arn     = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/github-actions-mojas-airflow"
-      username          = "github-actions-mojas-airflow"
-      kubernetes_groups = ["airflow-serviceaccount-management"]
-    }
   }
 
   tags = local.tags

@@ -40,20 +40,17 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-sandbox"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.1-7c3e9198"
+      eks_node_version    = "1.20.0-fcf71a47"
       eks_cluster_addon_versions = {
         coredns                = "v1.11.1-eksbuild.9"
         kube_proxy             = "v1.30.0-eksbuild.3"
         aws_ebs_csi_driver     = "v1.31.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.3-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.2-eksbuild.1"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.2.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.1-eksbuild.3"
       }
 
-      /* Data Engineering Airflow */
-      data_engineering_airflow_execution_role_arn = "arn:aws:iam::593291632749:role/airflow-dev-execution-role"
-
       /* Observability Platform */
       observability_platform = "development"
 
@@ -78,23 +75,20 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.1-7c3e9198"
+      eks_node_version    = "1.20.0-fcf71a47"
       eks_cluster_addon_versions = {
         coredns                = "v1.11.1-eksbuild.9"
         kube_proxy             = "v1.30.0-eksbuild.3"
         aws_ebs_csi_driver     = "v1.31.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.3-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.2-eksbuild.1"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.2.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.1-eksbuild.3"
       }
 
       /* Observability Platform */
       observability_platform = "development"
 
-      /* Data Engineering Airflow */
-      data_engineering_airflow_execution_role_arn = "arn:aws:iam::593291632749:role/airflow-dev-execution-role"
-
       /* QuickSight */
       quicksight_notification_email = "[email protected]"
     }
@@ -116,20 +110,17 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.30"
-      eks_node_version    = "1.20.1-7c3e9198"
+      eks_node_version    = "1.20.0-fcf71a47"
       eks_cluster_addon_versions = {
         coredns                = "v1.11.1-eksbuild.9"
         kube_proxy             = "v1.30.0-eksbuild.3"
         aws_ebs_csi_driver     = "v1.31.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.3-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.2-eksbuild.1"
         aws_guardduty_agent    = "v1.6.1-eksbuild.1"
         eks_pod_identity_agent = "v1.2.0-eksbuild.1"
-        vpc_cni                = "v1.18.2-eksbuild.1"
+        vpc_cni                = "v1.18.1-eksbuild.3"
       }
 
-      /* Data Engineering Airflow */
-      data_engineering_airflow_execution_role_arn = "arn:aws:iam::593291632749:role/airflow-prod-execution-role"
-
       /* Observability Platform */
       observability_platform = "production"
-Original file line number
+Diff line change
@@ Expand Up / @@ -21,4 +21,4 @@ @@
           "integrity": "sha256:af3b3891cf31ff373df29998c690257d6f21f2ee4536bc4d692856408ef0c83a"
         }
       }
-    }
+    }