From fb1b8d1c6c7411007726e4f1be674cac49c2127a Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Fri, 30 May 2025 11:20:24 +0100 Subject: [PATCH 1/4] eli-239 making resources workflow safe and amending dynamoDB naming to fit DPS required pattern --- .../modules/dynamodb/default_variables.tf | 1 + infrastructure/modules/dynamodb/dynamodb.tf | 2 +- infrastructure/modules/dynamodb/variables.tf | 16 ---------------- infrastructure/modules/s3/default_variables.tf | 1 + infrastructure/modules/s3/variables.tf | 10 ---------- .../stacks/_shared/default_variables.tf | 5 +++++ infrastructure/stacks/_shared/locals.tf | 15 --------------- infrastructure/stacks/api-layer/dynamodb.tf | 4 +++- infrastructure/stacks/bootstrap/locals.tf | 6 +++++- infrastructure/stacks/bootstrap/modules.tf | 2 ++ infrastructure/stacks/bootstrap/shared_locals.tf | 1 + 11 files changed, 19 insertions(+), 44 deletions(-) create mode 120000 infrastructure/modules/dynamodb/default_variables.tf create mode 120000 infrastructure/modules/s3/default_variables.tf mode change 120000 => 100644 infrastructure/stacks/bootstrap/locals.tf create mode 120000 infrastructure/stacks/bootstrap/shared_locals.tf diff --git a/infrastructure/modules/dynamodb/default_variables.tf b/infrastructure/modules/dynamodb/default_variables.tf new file mode 120000 index 000000000..062daf614 --- /dev/null +++ b/infrastructure/modules/dynamodb/default_variables.tf @@ -0,0 +1 @@ +../_shared/default_variables.tf \ No newline at end of file diff --git a/infrastructure/modules/dynamodb/dynamodb.tf b/infrastructure/modules/dynamodb/dynamodb.tf index 5ddfcceb6..1b8a0d3d6 100644 --- a/infrastructure/modules/dynamodb/dynamodb.tf +++ b/infrastructure/modules/dynamodb/dynamodb.tf 
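Review bot: The symlink target `../_shared/default_variables.tf` resolves from `infrastructure/modules/dynamodb/` to `infrastructure/modules/_shared/default_variables.tf`, a file this series never touches; the only `_shared/default_variables.tf` on the page lives under `infrastructure/stacks/`. The module now depends on that linked file for `project_name` and `environment` (read in dynamodb.tf) and for `workspace`, `tags` and `stack_name` (passed from api-layer/dynamodb.tf) once their declarations are dropped from variables.tf, so a missing or incomplete target only surfaces at init/validate. Confirm the target path exists and declares every input the callers pass; the s3 module symlink below has the same dependency.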
@@ -1,5 +1,5 @@ resource "aws_dynamodb_table" "dynamodb_table" { - name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.table_name_suffix}" + name = "${terraform.workspace == "default" ? "" : "${terraform.workspace}-"}${var.project_name}-${var.environment}-${var.table_name_suffix}" billing_mode = "PAY_PER_REQUEST" hash_key = var.partition_key diff --git a/infrastructure/modules/dynamodb/variables.tf b/infrastructure/modules/dynamodb/variables.tf index 8a5f89fc2..4b89822e7 100644 --- a/infrastructure/modules/dynamodb/variables.tf +++ b/infrastructure/modules/dynamodb/variables.tf @@ -1,13 +1,3 @@ -variable "workspace" { - description = "Usually the developer short code or the name of the environment." - type = string -} - -variable "project_name" { - default = "eligibility-signposting-api" - type = string -} - variable "table_name_suffix" { description = "Name of the DynamoDB table" type = string @@ -34,9 +24,3 @@ variable "sort_key_type" { type = string default = null } - -variable "tags" { - description = "A map of tags to assign to resources." - type = map(string) - default = {} -} diff --git a/infrastructure/modules/s3/default_variables.tf b/infrastructure/modules/s3/default_variables.tf new file mode 120000 index 000000000..062daf614 --- /dev/null +++ b/infrastructure/modules/s3/default_variables.tf @@ -0,0 +1 @@ +../_shared/default_variables.tf \ No newline at end of file diff --git a/infrastructure/modules/s3/variables.tf b/infrastructure/modules/s3/variables.tf index 623f15480..22830c426 100644 --- a/infrastructure/modules/s3/variables.tf +++ b/infrastructure/modules/s3/variables.tf 
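Review bot: The new `name` template renames every existing table (a project/environment prefix is added here, and api-layer/dynamodb.tf changes the suffix to `eligibility_datastore`), and `name` on `aws_dynamodb_table` forces replacement, so the next apply destroys and recreates the table together with its contents. If any environment already holds data, add `deletion_protection_enabled = true` and a `point_in_time_recovery { enabled = true }` block to the resource so the apply is refused until the rename is handled as a deliberate migration. The resource block continues past the end of the hunk.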
@@ -3,16 +3,6 @@ variable "bucket_name" { type = string } -variable "project_name" { - default = "eligibility-signposting-api" - type = string -} - -variable "environment" { - description = "The purpose of the account dev/test/ref/prod or the workspace" - type = string -} - variable "bucket_expiration_days" { default = 90 description = "How long to keep bucket contents before expiring" diff --git a/infrastructure/stacks/_shared/default_variables.tf b/infrastructure/stacks/_shared/default_variables.tf index 65b75cc20..5029308f5 100644 --- a/infrastructure/stacks/_shared/default_variables.tf +++ b/infrastructure/stacks/_shared/default_variables.tf @@ -15,3 +15,8 @@ variable "default_aws_region" { description = "Default AWS region" type = string } + +variable "workspace" { + description = "Usually the developer short code or the name of the environment." + type = string +} diff --git a/infrastructure/stacks/_shared/locals.tf b/infrastructure/stacks/_shared/locals.tf index c2d25fd2a..f6c9affe0 100644 --- a/infrastructure/stacks/_shared/locals.tf +++ b/infrastructure/stacks/_shared/locals.tf @@ -17,24 +17,9 @@ locals { workspace = lower(terraform.workspace) } - sso_role_patterns = { - dev = "AWSReservedSSO_vdselid_dev_*" - test = "AWSReservedSSO_vdselid_test_*" - preprod = "AWSReservedSSO_vdselid_preprod_*" - } - terraform_state_bucket_name = "eligibility-signposting-api-${var.environment}-tfstate" terraform_state_bucket_arn = "arn:aws:s3:::eligibility-signposting-api-${var.environment}-tfstate" - account_ids = { - dev = "448049830832" - test = "050451367081" - preprod = "203918864209" - # prod = "476114145616" - } - - current_account_id = lookup(local.account_ids, var.environment, data.aws_caller_identity.current.account_id) - role_arn_pre = "arn:aws:iam::603871901111:role/db-system-worker" role_arn_prod = "arn:aws:iam::232116723729:role/db-system-worker" 
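Review bot: Removing `account_ids` and `current_account_id` from stacks/_shared/locals.tf drops the only place in this file that tied `var.environment` to an expected AWS account; any remaining `local.current_account_id` reference in the stacks (not visible here) now fails validation, and if the lookup also served as a guard against applying one environment's configuration into another account, nothing replaces it. A `lifecycle { precondition }` comparing `data.aws_caller_identity.current.account_id` with the expected id would keep that check without the hard-coded map. The hard-coded ids in `role_arn_pre`/`role_arn_prod` survive the tidy-up, so the file is now inconsistent about where account ids live.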
diff --git a/infrastructure/stacks/api-layer/dynamodb.tf b/infrastructure/stacks/api-layer/dynamodb.tf index 30f19878e..1c705eefb 100644 --- a/infrastructure/stacks/api-layer/dynamodb.tf +++ b/infrastructure/stacks/api-layer/dynamodb.tf @@ -1,10 +1,12 @@ module "eligibility_status_table" { source = "../../modules/dynamodb" workspace = local.workspace - table_name_suffix = "eligibilty_data_store" + table_name_suffix = "eligibility_datastore" partition_key = "NHS_NUMBER" partition_key_type = "S" sort_key = "ATTRIBUTE_TYPE" sort_key_type = "S" tags = local.tags + environment = local.environment + stack_name = local.stack_name } diff --git a/infrastructure/stacks/bootstrap/locals.tf b/infrastructure/stacks/bootstrap/locals.tf deleted file mode 120000 index e360bc7ff..000000000 --- a/infrastructure/stacks/bootstrap/locals.tf +++ /dev/null @@ -1 +0,0 @@ -../_shared/locals.tf \ No newline at end of file diff --git a/infrastructure/stacks/bootstrap/locals.tf b/infrastructure/stacks/bootstrap/locals.tf new file mode 100644 index 000000000..643c79371 --- /dev/null +++ b/infrastructure/stacks/bootstrap/locals.tf @@ -0,0 +1,5 @@ +locals { + + stack_name = "bootstrap" + +} diff --git a/infrastructure/stacks/bootstrap/modules.tf b/infrastructure/stacks/bootstrap/modules.tf index 72e8b6e73..411b83ebf 100644 --- a/infrastructure/stacks/bootstrap/modules.tf +++ b/infrastructure/stacks/bootstrap/modules.tf @@ -3,4 +3,6 @@ module "tfstate" { project_name = var.project_name environment = var.environment + workspace = var.workspace + stack_name = local.stack_name } diff --git a/infrastructure/stacks/bootstrap/shared_locals.tf b/infrastructure/stacks/bootstrap/shared_locals.tf new file mode 120000 index 000000000..e360bc7ff --- /dev/null +++ b/infrastructure/stacks/bootstrap/shared_locals.tf @@ -0,0 +1 @@ +../_shared/locals.tf \ No newline at end of file From 67443bf51674a97a1c6c0bfcfd838962f68478bc Mon Sep 17 00:00:00 2001 
From: Edd Almond Date: Fri, 30 May 2025 11:29:07 +0100 Subject: [PATCH 2/4] eli-239 amending make commands in README files --- infrastructure/stacks/bootstrap/README.md | 4 ++-- infrastructure/stacks/iams-developer-roles/README.md | 4 ++-- infrastructure/stacks/networking/README.md | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/infrastructure/stacks/bootstrap/README.md b/infrastructure/stacks/bootstrap/README.md index 055bce0c8..84e7f8b57 100644 --- a/infrastructure/stacks/bootstrap/README.md +++ b/infrastructure/stacks/bootstrap/README.md @@ -62,7 +62,7 @@ make bootstrap-terraform env= tf-command=plan Workspaces allow for alternative deployments within the same environment (e.g., testing changes in `dev`). Create a workspace with the same name as the environment: ```bash -make terraform-workspace env= stack=bootstrap workspace= +make terraform-workspace env= stack=bootstrap workspace=default ``` ### 1.4 Apply Terraform Changes @@ -105,7 +105,7 @@ terraform { Reinitialize Terraform to migrate the state to the S3 bucket: ```bash -make terraform env= workspace= stack=bootstrap tf-command=apply +make terraform env= workspace=default stack=bootstrap tf-command=apply ``` You will see a prompt like the following: diff --git a/infrastructure/stacks/iams-developer-roles/README.md b/infrastructure/stacks/iams-developer-roles/README.md index d483ea983..e5225af96 100644 --- a/infrastructure/stacks/iams-developer-roles/README.md +++ b/infrastructure/stacks/iams-developer-roles/README.md 
@@ -37,13 +37,13 @@ This stack creates the following AWS resources: 3. Plan the deployment: ```bash - make terraform env=dev stack=iams-developer-roles tf-command=plan workspace=dev + make terraform env=dev stack=iams-developer-roles tf-command=plan workspace=default ``` 4. Apply the configuration: ```bash - make terraform env=dev stack=iams-developer-roles tf-command=apply workspace=dev + make terraform env=dev stack=iams-developer-roles tf-command=apply workspace=default ``` 5. Verify the role was created: diff --git a/infrastructure/stacks/networking/README.md b/infrastructure/stacks/networking/README.md index 4808576ba..86824e720 100644 --- a/infrastructure/stacks/networking/README.md +++ b/infrastructure/stacks/networking/README.md @@ -84,8 +84,8 @@ For a high-level overview, see the [VPC Structure Confluence Page](https://nhsd- Run the following command to initialize Terraform and generate a plan. Replace `` with your target environment (e.g., `dev`): ```bash -make terraform env=dev stack=networking tf-command=init workspace= -make terraform env=dev stack=networking tf-command=plan workspace= +make terraform env=dev stack=networking tf-command=init workspace=default +make terraform env=dev stack=networking tf-command=plan workspace=default ``` ### 2. Apply Terraform Changes @@ -93,7 +93,7 @@ make terraform env=dev stack=networking tf-command=plan workspace= Deploy the Terraform configuration: ```bash -make terraform env=dev stack=networking tf-command=apply workspace= +make terraform env=dev stack=networking tf-command=apply workspace=default ``` For more on Terraform, see the [Terraform Documentation](https://developer.hashicorp.com/terraform/docs). From aef643d2f9c40b7541e4f859fe0c7e7a452ea6b2 Mon Sep 17 00:00:00 2001 
From: Edd Almond Date: Fri, 30 May 2025 14:50:52 +0100 Subject: [PATCH 3/4] eli-239 tidying up --- infrastructure/stacks/_shared/default_variables.tf | 5 ----- infrastructure/stacks/api-layer/s3_buckets.tf | 4 ++++ infrastructure/stacks/api-layer/truststore_s3_bucket.tf | 2 ++ infrastructure/stacks/bootstrap/modules.tf | 2 +- 4 files changed, 7 insertions(+), 6 deletions(-) diff --git a/infrastructure/stacks/_shared/default_variables.tf b/infrastructure/stacks/_shared/default_variables.tf index 5029308f5..65b75cc20 100644 --- a/infrastructure/stacks/_shared/default_variables.tf +++ b/infrastructure/stacks/_shared/default_variables.tf @@ -15,8 +15,3 @@ variable "default_aws_region" { description = "Default AWS region" type = string } - -variable "workspace" { - description = "Usually the developer short code or the name of the environment." - type = string -} diff --git a/infrastructure/stacks/api-layer/s3_buckets.tf b/infrastructure/stacks/api-layer/s3_buckets.tf index 87f35ad83..a1c554575 100644 --- a/infrastructure/stacks/api-layer/s3_buckets.tf +++ b/infrastructure/stacks/api-layer/s3_buckets.tf @@ -3,6 +3,8 @@ module "s3_rules_bucket" { bucket_name = "eli-rules" environment = var.environment project_name = var.project_name + stack_name = local.stack_name + workspace = terraform.workspace } module "s3_audit_bucket" { @@ -11,4 +13,6 @@ module "s3_audit_bucket" { environment = var.environment project_name = var.project_name bucket_expiration_days = 180 + stack_name = local.stack_name + workspace = terraform.workspace } diff --git a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf index c3dc330ad..d78ad6f9c 100644 --- a/infrastructure/stacks/api-layer/truststore_s3_bucket.tf +++ b/infrastructure/stacks/api-layer/truststore_s3_bucket.tf 
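Review bot: After this removal no `variable "workspace"` declaration remains anywhere in the series, yet api-layer/dynamodb.tf still passes `workspace = local.workspace`, and s3_buckets.tf, truststore_s3_bucket.tf and bootstrap/modules.tf pass `workspace = terraform.workspace` into their modules. Unless the modules' linked default_variables.tf (target not shown) declares it, `terraform validate` rejects those calls with an unexpected-argument error. Since the dynamodb module reads `terraform.workspace` directly, the cleaner fix is probably to stop passing `workspace` to the modules at all.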
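Review bot: The two module calls here (and the one in truststore_s3_bucket.tf) pass `workspace = terraform.workspace` and `environment = var.environment`, while the dynamodb module call in api-layer/dynamodb.tf in the same stack passes `local.workspace` and `local.environment`. The shared locals appear to apply `lower()` to the workspace, so if the modules fold `var.workspace` into resource names the s3 and dynamodb resources can disagree on case for the same workspace. Pick one source for both inputs across the stack, either `workspace = local.workspace` and `environment = local.environment` to match the dynamodb call, or the `var.`/`terraform.` forms everywhere.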
@@ -3,6 +3,8 @@ module "s3_truststore_bucket" { bucket_name = "truststore" environment = var.environment project_name = var.project_name + stack_name = local.stack_name + workspace = terraform.workspace } resource "aws_s3_bucket_policy" "truststore" { diff --git a/infrastructure/stacks/bootstrap/modules.tf b/infrastructure/stacks/bootstrap/modules.tf index 411b83ebf..1b496145e 100644 --- a/infrastructure/stacks/bootstrap/modules.tf +++ b/infrastructure/stacks/bootstrap/modules.tf @@ -3,6 +3,6 @@ module "tfstate" { project_name = var.project_name environment = var.environment - workspace = var.workspace + workspace = terraform.workspace stack_name = local.stack_name } From 36e380476d437c9b67b4a6a670f4d1ce51d9becf Mon Sep 17 00:00:00 2001 From: Edd Almond Date: Tue, 3 Jun 2025 15:42:35 +0100 Subject: [PATCH 4/4] eli-239 renaming external role to a more identifiable name --- infrastructure/stacks/api-layer/iam_roles.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/infrastructure/stacks/api-layer/iam_roles.tf b/infrastructure/stacks/api-layer/iam_roles.tf index e0f618fe3..c53f9102e 100644 --- a/infrastructure/stacks/api-layer/iam_roles.tf +++ b/infrastructure/stacks/api-layer/iam_roles.tf @@ -31,7 +31,8 @@ resource "aws_iam_role" "eligibility_lambda_role" { resource "aws_iam_role" "write_access_role" { - name = "external-write-role-${terraform.workspace == "default" ? "" : "-${terraform.workspace}"}" + count = terraform.workspace == "default" ? 1 : 0 + name = "eligibility-signposting-api-${local.environment}-external-write-role" assume_role_policy = data.aws_iam_policy_document.dps_assume_role.json permissions_boundary = aws_iam_policy.assumed_role_permissions_boundary.arn }
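Review bot: Adding `count` to `write_access_role` changes its address to `aws_iam_role.write_access_role[0]`, so any reference elsewhere in the stack such as `aws_iam_role.write_access_role.arn` (policy attachments, outputs; not visible here) must become `aws_iam_role.write_access_role[0].arn` or, to stay valid in non-default workspaces where the list is empty, `one(aws_iam_role.write_access_role[*].arn)`. The rename also changes the role ARN and forces replacement, so the external principal trusted via `dps_assume_role` loses access to the old role at apply time until it is given the new ARN; the cutover should be coordinated with that party rather than left to the plan.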