Merge pull request #3620 from DFE-Digital/create-aks-prod-env

Create AKS prod environment

.github/workflows/build.yml

@@ -965,3 +965,84 @@ jobs:
           SLACK_TITLE: Production Release ${{github.event.title}}
           SLACK_MESSAGE: Failure deploying Production release
           SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }}
+
+  production_aks:
+    name: Production AKS Deployment
+    runs-on: ubuntu-latest
+    needs: [ integration, development_aks ]
+    concurrency: production_aks
+    continue-on-error: true
+    environment:
+       name: production_aks
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: set-up-environment
+        uses: DFE-Digital/github-actions/set-up-environment@master
+        with:
+          var_file: .github/common_environment_aks.yml
+
+      - uses: Azure/login@v1
+        with:
+            creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+      - name: Fetch secrets from key vault
+        uses: azure/CLI@v1
+        id: keyvault-yaml-secret
+        with:
+          inlineScript: |
+            SLACK_WEBHOOK=$(az keyvault secret show --name "SLACK-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
+            echo "::add-mask::$SLACK_WEBHOOK"
+            echo "SLACK_WEBHOOK=$SLACK_WEBHOOK" >> $GITHUB_OUTPUT
+            SLACK_RELEASE_NOTE_WEBHOOK=$(az keyvault secret show --name "SLACK-RELEASE-NOTE-WEBHOOK" --vault-name "${{ secrets.KEY_VAULT}}" --query "value" -o tsv)
+            echo "::add-mask::$SLACK_RELEASE_NOTE_WEBHOOK"
+            echo "SLACK_RELEASE_NOTE_WEBHOOK=$SLACK_RELEASE_NOTE_WEBHOOK" >> $GITHUB_OUTPUT
+
+      - name: Get Release Id from Tag
+        id: tag_id
+        uses: DFE-Digital/github-actions/DraftReleaseByTag@master
+        with:
+          TAG: ${{needs.development_aks.outputs.release_tag}}
+          TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      # Uncomment when migrated from PaaS
+      #
+      # - name: Publish Release
+      #   if: steps.tag_id.outputs.release_id
+      #   uses: eregon/publish-release@v1
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      #   with:
+      #     release_id: ${{steps.tag_id.outputs.release_id}}
+
+      - name: Deploy to Production AKS
+        uses: ./.github/workflows/actions/deploy_v2
+        id: deploy_v2
+        with:
+          environment: production_aks
+          sha:  ${{ github.sha }}
+          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
+          KEY_VAULT:         ${{ secrets.KEY_VAULT }}
+          ARM_ACCESS_KEY:    ${{ secrets.ARM_ACCESS_KEY }}
+
+      # Uncomment when migrated from PaaS
+      #
+      # - name: Slack Release Notification
+      #   if: steps.tag_id.outputs.release_id
+      #   uses: rtCamp/action-slack-notify@master
+      #   env:
+      #     SLACK_COLOR: ${{env.SLACK_SUCCESS}}
+      #     SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}"
+      #     SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }}
+      #     SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-RELEASE-NOTE-WEBHOOK }}
+      #     MSG_MINIMAL: true
+
+      - name: Slack Notification
+        if: failure()
+        uses: rtCamp/action-slack-notify@master
+        env:
+          SLACK_COLOR: ${{env.SLACK_FAILURE}}
+          SLACK_TITLE: Production Release ${{github.event.title}}
+          SLACK_MESSAGE: Failure deploying Production AKS release
+          SLACK_WEBHOOK: ${{ steps.keyvault-yaml-secret.outputs.SLACK-WEBHOOK }}

Makefile

@@ -1,5 +1,5 @@
 TERRAFILE_VERSION=0.8
-ARM_TEMPLATE_TAG=1.1.6
+ARM_TEMPLATE_TAG=1.1.8
 RG_TAGS={"Product" : "Get into teaching website"}
 REGION=UK South
 SERVICE_NAME=get-into-teaching-app

terraform/aks/application.tf

@@ -25,9 +25,9 @@ module "application_configuration" {
     HTTPAUTH_PASSWORD = module.infrastructure_secrets.map.HTTP-PASSWORD,
     HTTPAUTH_USERNAME = module.infrastructure_secrets.map.HTTP-USERNAME,
     BASIC_AUTH        = var.basic_auth,
-    APP_URL           = length(var.paas_asset_hostnames) == 0 ? "" : "https://${var.paas_internet_hostnames[0]}.education.gov.uk",
+    APP_URL           = length(var.internet_hostnames) == 0 ? "" : "https://${var.internet_hostnames[0]}.education.gov.uk",
 #   keeping here as a reminder, but went be set in aks and need to confirm impact
-    APP_ASSETS_URL    = length(var.paas_asset_hostnames) == 0 ? "" : "https://${var.paas_asset_hostnames[0]}.education.gov.uk"
+    APP_ASSETS_URL    = length(var.asset_hostnames) == 0 ? "" : "https://${var.asset_hostnames[0]}.education.gov.uk"
   }
 }
 

terraform/aks/config/production_aks.tfvars.json

@@ -0,0 +1,15 @@
+{
+    "cluster": "production",
+    "namespace": "git-production",
+    "environment": "production",
+    "internet_hostnames": [ "getintoteaching" ],
+    "basic_auth": 0,
+    "replicas": 0,
+    "postgres_enable_high_availability": true,
+    "postgres_flexible_server_sku": "GP_Standard_D2ds_v4",
+    "azure_maintenance_window": {
+        "day_of_week": 0,
+        "start_hour": 3,
+        "start_minute": 0
+      }
+}

terraform/aks/config/production_aks_Terrafile

@@ -0,0 +1,3 @@
+aks:
+    source:  "https://github.com/DFE-Digital/terraform-modules"
+    version: "stable"

terraform/aks/config/test_aks.tfvars.json

@@ -1,5 +1,6 @@
 {
     "cluster": "test",
     "namespace": "git-test",
-    "environment": "test"
+    "environment": "test",
+    "internet_hostnames": [ "staging.getintoteaching" ]
 }

terraform/aks/database.tf

@@ -12,6 +12,10 @@ module "postgres" {
   azure_enable_monitoring     = var.enable_monitoring
   azure_enable_backup_storage = var.enable_postgres_backup_storage
   server_version              = "14"
+  azure_sku_name              = var.postgres_flexible_server_sku
+
+  azure_enable_high_availability = var.postgres_enable_high_availability
+  azure_maintenance_window       = var.azure_maintenance_window
 }
 
 

terraform/aks/variables.tf

@@ -58,10 +58,10 @@ variable "pr_number" {
 variable "basic_auth" {
   default = 1
 }
-variable "paas_asset_hostnames" {
+variable "asset_hostnames" {
   default = []
 }
-variable "paas_internet_hostnames" {
+variable "internet_hostnames" {
   default = []
 }
 variable "command" {
@@ -76,6 +76,15 @@ variable "memory_max" {
   default = "1Gi"
   type = string
 }
+variable "azure_maintenance_window" {
+  default = null
+}
+variable "postgres_flexible_server_sku" {
+  default = "B_Standard_B1ms"
+}
+variable "postgres_enable_high_availability" {
+  default = false
+}
 
 locals {
   azure_credentials = try(jsondecode(var.azure_credentials_json), null)