UML-3115 Move ECS Terraform to region module (#2364)

* UML-3115 Move ECS Terraform to region module
ministryofjustice · Oct 11, 2023 · db36d37 · db36d37
1 parent b87582a
commit db36d37
Show file tree

Hide file tree

Showing 23 changed files with 943 additions and 203 deletions.
diff --git a/.github/workflows/_lint-terraform.yml b/.github/workflows/_lint-terraform.yml
@@ -24,7 +24,7 @@ jobs:
 
       - uses: hashicorp/setup-terraform@e192cfcbae6c6ed207c277ed7624131996c9bf13 # [email protected]
         with:
-          terraform_version: 1.2.4
+          terraform_version: 1.5.6
 
       - name: configure AWS credentials for terraform
         uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # [email protected]

diff --git a/.github/workflows/_run-terraform.yml b/.github/workflows/_run-terraform.yml
@@ -66,7 +66,7 @@ jobs:
 
       - uses: hashicorp/setup-terraform@e192cfcbae6c6ed207c277ed7624131996c9bf13 # [email protected]
         with:
-          terraform_version: 1.2.4
+          terraform_version: 1.5.6
 
       - name: configure AWS credentials for getting pagerduty token
         uses: aws-actions/configure-aws-credentials@375a690dc0af3921541e5f427167f333d7e85f67 # [email protected]

diff --git a/.github/workflows/pull-request-path.yml b/.github/workflows/pull-request-path.yml
@@ -130,6 +130,7 @@ jobs:
     uses: ./.github/workflows/_run-terraform.yml
     needs:
       - terraform_lint
+      - workflow_variables
     with:
       workspace: development
       terraform_path: account
@@ -161,6 +162,27 @@ jobs:
       needs.docker_build_scan_push.result == 'success' &&
       needs.workflow_variables.result == 'success'
 
+  terraform_preproduction_plan_environment:
+    name: terraform apply environment
+    uses: ./.github/workflows/_run-terraform.yml
+    needs:
+      - docker_build_scan_push
+      - terraform_lint
+      - workflow_variables
+    with:
+      workspace: preproduction
+      terraform_path: environment
+      container_version: main-${{ needs.workflow_variables.outputs.short_sha }}
+      apply: false
+      specific_path: all
+      add_ttl: false
+    secrets: inherit
+    if: |
+      always() &&
+      needs.terraform_lint.result == 'success' &&
+      needs.docker_build_scan_push.result == 'success' &&
+      needs.workflow_variables.result == 'success'
+    
   seed_dynamodb:
     name: seed dynamodb
     uses: ./.github/workflows/_seed-database.yml
@@ -228,7 +250,7 @@ jobs:
       always() &&
       needs.code_coverage.result == 'success' &&
       needs.terraform_apply_environment.result == 'success'
-
+    
   # Required end of workflow job
   end_of_workflow:
     name: end of workflow

diff --git a/.github/workflows/scheduled-workspace-cleanup.yml b/.github/workflows/scheduled-workspace-cleanup.yml
@@ -24,7 +24,7 @@ jobs:
       - uses: actions/checkout@f095bcc56b7c2baf48f3ac70d6d6782f4f553222 # pin@v3
       - uses: hashicorp/setup-terraform@e192cfcbae6c6ed207c277ed7624131996c9bf13 # pin@v2
         with:
-          terraform_version: 1.2.4
+          terraform_version: 1.5.6
           terraform_wrapper: false
 
       - uses: webfactory/ssh-agent@d4b9b8ff72958532804b70bbe600ad43b36d5f2e # [email protected]

diff --git a/terraform/account/.tfswitchrc b/terraform/account/.tfswitchrc
@@ -1 +1 @@
-1.2.4
+1.5.6
diff --git a/terraform/environment/.tfswitchrc b/terraform/environment/.tfswitchrc
@@ -1 +1 @@
-1.2.4
+1.5.6
diff --git a/terraform/environment/autoscaling.tf b/terraform/environment/autoscaling.tf
@@ -1,8 +1,8 @@
 module "view_ecs_autoscaling" {
   source                           = "./modules/ecs_autoscaling"
   environment                      = local.environment_name
-  aws_ecs_cluster_name             = aws_ecs_cluster.use-an-lpa.name
-  aws_ecs_service_name             = aws_ecs_service.viewer.name
+  aws_ecs_cluster_name             = module.eu_west_1.ecs_cluster.name
+  aws_ecs_service_name             = module.eu_west_1.ecs_services.viewer.name
   ecs_autoscaling_service_role_arn = data.aws_iam_role.ecs_autoscaling_service_role.arn
   ecs_task_autoscaling_minimum     = local.environment.autoscaling.view.minimum
   ecs_task_autoscaling_maximum     = local.environment.autoscaling.view.maximum
@@ -11,8 +11,8 @@ module "view_ecs_autoscaling" {
 module "use_ecs_autoscaling" {
   source                           = "./modules/ecs_autoscaling"
   environment                      = local.environment_name
-  aws_ecs_cluster_name             = aws_ecs_cluster.use-an-lpa.name
-  aws_ecs_service_name             = aws_ecs_service.actor.name
+  aws_ecs_cluster_name             = module.eu_west_1.ecs_cluster.name
+  aws_ecs_service_name             = module.eu_west_1.ecs_services.actor.name
   ecs_autoscaling_service_role_arn = data.aws_iam_role.ecs_autoscaling_service_role.arn
   ecs_task_autoscaling_minimum     = local.environment.autoscaling.use.minimum
   ecs_task_autoscaling_maximum     = local.environment.autoscaling.use.maximum
@@ -21,8 +21,8 @@ module "use_ecs_autoscaling" {
 module "api_ecs_autoscaling" {
   source                           = "./modules/ecs_autoscaling"
   environment                      = local.environment_name
-  aws_ecs_cluster_name             = aws_ecs_cluster.use-an-lpa.name
-  aws_ecs_service_name             = aws_ecs_service.api.name
+  aws_ecs_cluster_name             = module.eu_west_1.ecs_cluster.name
+  aws_ecs_service_name             = module.eu_west_1.ecs_services.api.name
   ecs_autoscaling_service_role_arn = data.aws_iam_role.ecs_autoscaling_service_role.arn
   ecs_task_autoscaling_minimum     = local.environment.autoscaling.api.minimum
   ecs_task_autoscaling_maximum     = local.environment.autoscaling.api.maximum
@@ -31,8 +31,8 @@ module "api_ecs_autoscaling" {
 module "pdf_ecs_autoscaling" {
   source                           = "./modules/ecs_autoscaling"
   environment                      = local.environment_name
-  aws_ecs_cluster_name             = aws_ecs_cluster.use-an-lpa.name
-  aws_ecs_service_name             = aws_ecs_service.pdf.name
+  aws_ecs_cluster_name             = module.eu_west_1.ecs_cluster.name
+  aws_ecs_service_name             = module.eu_west_1.ecs_services.pdf.name
   ecs_autoscaling_service_role_arn = data.aws_iam_role.ecs_autoscaling_service_role.arn
   ecs_task_autoscaling_minimum     = local.environment.autoscaling.pdf.minimum
   ecs_task_autoscaling_maximum     = local.environment.autoscaling.pdf.maximum

diff --git a/terraform/environment/config_file.tf b/terraform/environment/config_file.tf
@@ -6,7 +6,7 @@ resource "local_file" "cluster_config" {
 locals {
   cluster_config = {
     actor_users_table                        = aws_dynamodb_table.actor_users_table.name
-    cluster_name                             = aws_ecs_cluster.use-an-lpa.name
+    cluster_name                             = module.eu_west_1.ecs_cluster.name
     account_id                               = local.environment.account_id
     actor_lpa_codes_table                    = aws_dynamodb_table.actor_codes_table.name
     viewer_codes_table                       = aws_dynamodb_table.viewer_codes_table.name

diff --git a/terraform/environment/outputs.tf b/terraform/environment/outputs.tf
@@ -0,0 +1,3 @@
+output "admin_domain" {
+  value = module.eu_west_1.admin_domain
+}
diff --git a/terraform/environment/refactor.tf b/terraform/environment/refactor.tf
@@ -0,0 +1,179 @@
+moved {
+  from = aws_ecs_cluster.use-an-lpa
+  to   = module.eu_west_1.aws_ecs_cluster.use_an_lpa
+}
+
+moved {
+  from = aws_ecs_service.actor
+  to   = module.eu_west_1.aws_ecs_service.actor
+}
+
+moved {
+  from = aws_ecs_service.admin
+  to   = module.eu_west_1.aws_ecs_service.admin
+}
+
+moved {
+  from = aws_ecs_service.api
+  to   = module.eu_west_1.aws_ecs_service.api
+}
+
+moved {
+  from = aws_ecs_service.pdf
+  to   = module.eu_west_1.aws_ecs_service.pdf
+}
+
+moved {
+  from = aws_ecs_service.viewer
+  to   = module.eu_west_1.aws_ecs_service.viewer
+}
+
+moved {
+  from = aws_ecs_task_definition.actor
+  to   = module.eu_west_1.aws_ecs_task_definition.actor
+}
+
+moved {
+  from = aws_ecs_task_definition.admin
+  to   = module.eu_west_1.aws_ecs_task_definition.admin
+}
+
+moved {
+  from = aws_ecs_task_definition.api
+  to   = module.eu_west_1.aws_ecs_task_definition.api
+}
+
+moved {
+  from = aws_ecs_task_definition.pdf
+  to   = module.eu_west_1.aws_ecs_task_definition.pdf
+}
+
+moved {
+  from = aws_ecs_task_definition.viewer
+  to   = module.eu_west_1.aws_ecs_task_definition.viewer
+}
+
+moved {
+  from = aws_iam_role_policy.actor_permissions_role
+  to   = module.eu_west_1.aws_iam_role_policy.actor_permissions_role
+}
+
+moved {
+  from = aws_iam_role_policy.admin_permissions_role
+  to   = module.eu_west_1.aws_iam_role_policy.admin_permissions_role
+}
+
+moved {
+  from = aws_iam_role_policy.api_permissions_role
+  to   = module.eu_west_1.aws_iam_role_policy.api_permissions_role
+}
+
+moved {
+  from = aws_iam_role_policy.execution_role
+  to   = module.eu_west_1.aws_iam_role_policy.execution_role
+}
+
+moved {
+  from = aws_iam_role_policy.viewer_permissions_role
+  to   = module.eu_west_1.aws_iam_role_policy.viewer_permissions_role
+}
+
+moved {
+  from = aws_security_group.actor_ecs_service
+  to   = module.eu_west_1.aws_security_group.actor_ecs_service
+}
+
+moved {
+  from = aws_security_group.admin_ecs_service
+  to   = module.eu_west_1.aws_security_group.admin_ecs_service
+}
+
+moved {
+  from = aws_security_group.api_ecs_service
+  to   = module.eu_west_1.aws_security_group.api_ecs_service
+}
+
+moved {
+  from = aws_security_group.pdf_ecs_service
+  to   = module.eu_west_1.aws_security_group.pdf_ecs_service
+}
+
+moved {
+  from = aws_security_group.viewer_ecs_service
+  to   = module.eu_west_1.aws_security_group.viewer_ecs_service
+}
+
+moved {
+  from = aws_security_group_rule.actor_ecs_service_egress
+  to   = module.eu_west_1.aws_security_group_rule.actor_ecs_service_egress
+}
+
+moved {
+  from = aws_security_group_rule.actor_ecs_service_elasticache_ingress
+  to   = module.eu_west_1.aws_security_group_rule.actor_ecs_service_elasticache_ingress
+}
+
+moved {
+  from = aws_security_group_rule.actor_ecs_service_ingress
+  to   = module.eu_west_1.aws_security_group_rule.actor_ecs_service_ingress
+}
+
+moved {
+  from = aws_security_group_rule.admin_ecs_service_egress
+  to   = module.eu_west_1.aws_security_group_rule.admin_ecs_service_egress
+}
+
+moved {
+  from = aws_security_group_rule.admin_ecs_service_ingress
+  to   = module.eu_west_1.aws_security_group_rule.admin_ecs_service_ingress
+}
+
+moved {
+  from = aws_security_group_rule.api_ecs_service_actor_ingress
+  to   = module.eu_west_1.aws_security_group_rule.api_ecs_service_actor_ingress
+}
+
+moved {
+  from = aws_security_group_rule.api_ecs_service_egress
+  to   = module.eu_west_1.aws_security_group_rule.api_ecs_service_egress
+}
+
+moved {
+  from = aws_security_group_rule.api_ecs_service_viewer_ingress
+  to   = module.eu_west_1.aws_security_group_rule.api_ecs_service_viewer_ingress
+}
+
+moved {
+  from = aws_security_group_rule.pdf_ecs_service_egress
+  to   = module.eu_west_1.aws_security_group_rule.pdf_ecs_service_egress
+}
+
+moved {
+  from = aws_security_group_rule.pdf_ecs_service_viewer_ingress
+  to   = module.eu_west_1.aws_security_group_rule.pdf_ecs_service_viewer_ingress
+}
+
+moved {
+  from = aws_security_group_rule.viewer_ecs_service_egress
+  to   = module.eu_west_1.aws_security_group_rule.viewer_ecs_service_egress
+}
+
+moved {
+  from = aws_security_group_rule.viewer_ecs_service_elasticache_ingress
+  to   = module.eu_west_1.aws_security_group_rule.viewer_ecs_service_elasticache_ingress
+}
+
+moved {
+  from = aws_security_group_rule.viewer_ecs_service_ingress
+  to   = module.eu_west_1.aws_security_group_rule.viewer_ecs_service_ingress
+}
+
+moved {
+  from = aws_service_discovery_service.api_ecs
+  to   = module.eu_west_1.aws_service_discovery_service.api_ecs
+}
+
+moved {
+  from = aws_service_discovery_service.pdf_ecs
+  to   = module.eu_west_1.aws_service_discovery_service.pdf_ecs
+}