From aa044492ac9684f6eec75b82c5d2b3b2dd4d5059 Mon Sep 17 00:00:00 2001 From: RMcVelia Date: Thu, 28 Sep 2023 11:57:12 +0100 Subject: [PATCH] Add AKS review app terraform --- Makefile | 2 +- config/database.yml | 4 ++ config/environments/production.rb | 1 + config/routes.rb | 1 + terraform/aks/application.tf | 50 +++++++++++++++++++++ terraform/aks/config/review_aks.tfvars.json | 2 +- terraform/aks/database.tf | 32 +++++++++++++ terraform/aks/output.tf | 3 ++ terraform/aks/secrets.tf | 8 ++++ terraform/aks/statuscake.tf | 10 +++++ terraform/aks/terraform.tf | 6 +-- terraform/aks/variables.tf | 4 ++ 12 files changed, 118 insertions(+), 5 deletions(-) create mode 100644 terraform/aks/application.tf create mode 100644 terraform/aks/database.tf create mode 100644 terraform/aks/output.tf create mode 100644 terraform/aks/secrets.tf create mode 100644 terraform/aks/statuscake.tf diff --git a/Makefile b/Makefile index ffb43fa1ff..650b79df22 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ TERRAFILE_VERSION=0.8 ARM_TEMPLATE_TAG=1.1.6 RG_TAGS={"Product" : "Get into teaching website"} REGION=UK South -SERVICE_NAME=get-into-teaching +SERVICE_NAME=get-into-teaching-app SERVICE_SHORT=git DOCKER_REPOSITORY=ghcr.io/dfe-digital/get-into-teaching-frontend diff --git a/config/database.yml b/config/database.yml index cba951994d..2212356b7e 100644 --- a/config/database.yml +++ b/config/database.yml @@ -22,7 +22,11 @@ test: production: &production <<: *default + <% if ENV.key?("VCAP_APPLICATION") %> url: <%= Rails.application.config.x.vcap_services.dig("postgres", 0, "credentials", "uri") %> + <% else %> + url: <%= ENV["DATABASE_URL"] %> + <% end %> rolling: <<: *production diff --git a/config/environments/production.rb b/config/environments/production.rb index aae2412ba4..11bd39704e 100644 --- a/config/environments/production.rb +++ b/config/environments/production.rb 
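Review bot: In the `else` branch added to the `production` block of config/database.yml, `ENV["DATABASE_URL"]` renders an empty `url:` when the variable is missing, so a misconfigured deployment would presumably only surface later as a less obvious connection error. `url: <%= ENV.fetch("DATABASE_URL") %>` would instead fail at boot with a KeyError naming the variable. If the image build loads this file without the variable set (asset precompilation, for example), the fetch would need a placeholder default there.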
@@ -47,6 +47,7 @@ # config.force_ssl = true unless ENV["SKIPSSL"].in? %w[1 true yes] config.force_ssl = true + config.ssl_options = { redirect: { exclude: ->(request) { request.path.include?("/check") } } } end # Use the lowest log level to ensure availability of diagnostic information diff --git a/config/routes.rb b/config/routes.rb index e31a7c09a7..7d06996880 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -13,6 +13,7 @@ get "/403", to: "errors#forbidden" get "/healthcheck.json", to: "healthchecks#show", as: :healthcheck get "/sitemap.xml", to: "sitemap#show", via: :all + get "/check", to: proc { [200, {}, %w[OK]] } YAML.load_file(Rails.root.join("config/redirects.yml")).fetch("redirects").tap do |redirect_rules| redirect_rules.each do |from, to| diff --git a/terraform/aks/application.tf b/terraform/aks/application.tf new file mode 100644 index 0000000000..bc43ff8c97 --- /dev/null +++ b/terraform/aks/application.tf 
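Review bot: The `exclude` lambda added to `config.ssl_options` in config/environments/production.rb tests `request.path.include?("/check")`, which matches any path that merely contains that substring, so every such route is exempt from the HTTPS redirect and can be served over plain HTTP. Only the probe endpoint needs the exemption, so an exact match is safer: `config.ssl_options = { redirect: { exclude: ->(request) { request.path == "/check" } } }`. A one-line comment saying the exemption exists for the cluster probe would also help the next reader. The enclosing block starts outside the hunk.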
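Review bot: The new `/check` route in config/routes.rb carries no comment about what depends on it, yet `probe_path = "/check"` in terraform/aks/application.tf and the force_ssl exclusion in config/environments/production.rb both rely on this exact path. I would add above it `# Probe endpoint for AKS: answered by a bare proc, so no controller filters run. Keep in sync with probe_path and the ssl_options exclusion.` Because the proc returns 200 without touching the database or Redis, it reports only that the process is up; `/healthcheck.json` presumably remains the route for dependency health.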
@@ -0,0 +1,50 @@
+locals {
+ environment = "${var.environment}${var.pr_number}"
+}
+
+module "application_configuration" {
+ source = "./vendor/modules/aks//aks/application_configuration"
+
+ namespace = var.namespace
+ environment = local.environment
+ azure_resource_prefix = var.azure_resource_prefix
+ service_short = var.service_short
+ config_short = var.config_short
+ secret_key_vault_short = "app"
+
+ # Delete for non rails apps
+ is_rails_application = true
+
+ config_variables = {
+ PGSSLMODE = local.postgres_ssl_mode
+ }
+ secret_variables = {
+ DATABASE_URL = module.postgres.url
+ REDIS_URL = module.redis-cache.url
+# below added from paas config
+ HTTPAUTH_PASSWORD = module.infrastructure_secrets.map.HTTP-PASSWORD,
+ HTTPAUTH_USERNAME = module.infrastructure_secrets.map.HTTP-USERNAME,
+ BASIC_AUTH = var.basic_auth,
+ APP_URL = length(var.paas_asset_hostnames) == 0 ? "" : "https://${var.paas_internet_hostnames[0]}.education.gov.uk",
+# keeping here as a reminder, but went be set in aks and need to confirm impact
+ APP_ASSETS_URL = length(var.paas_asset_hostnames) == 0 ? "" : "https://${var.paas_asset_hostnames[0]}.education.gov.uk"
+ }
+}
+
+module "web_application" {
+ source = "./vendor/modules/aks//aks/application"
+
+ is_web = true
+
+ namespace = var.namespace
+ environment = local.environment
+ service_name = var.service_name
+ probe_path = "/check"
+ command = var.command
+
+ cluster_configuration_map = module.cluster_data.configuration_map
+ kubernetes_config_map_name = module.application_configuration.kubernetes_config_map_name
+ kubernetes_secret_name = module.application_configuration.kubernetes_secret_name
+
+ docker_image = var.docker_image
+}
diff --git a/terraform/aks/config/review_aks.tfvars.json b/terraform/aks/config/review_aks.tfvars.json
index 9a07a9843d..4d03828c55 100644
--- a/terraform/aks/config/review_aks.tfvars.json
+++ b/terraform/aks/config/review_aks.tfvars.json
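Review bot: In `secret_variables` of terraform/aks/application.tf, `APP_URL` guards on `length(var.paas_asset_hostnames) == 0` but then indexes `var.paas_internet_hostnames[0]`. `paas_internet_hostnames` defaults to `[]`, so setting asset hostnames without internet hostnames fails the plan on an invalid index, and the reverse case silently yields an empty `APP_URL`. The guard should test the list it reads: `APP_URL = length(var.paas_internet_hostnames) == 0 ? "" : "https://${var.paas_internet_hostnames[0]}.education.gov.uk",`. The comment above `APP_ASSETS_URL` presumably means "won't be set in aks"; rewording it and stating what still has to be confirmed would make the reminder actionable.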
@@ -3,5 +3,5 @@
 "namespace": "git-development",
 "environment": "review",
 "deploy_azure_backing_services": false,
- "enable_postgres_ssl" : false
+ "enable_postgres_ssl": false
 }
diff --git a/terraform/aks/database.tf b/terraform/aks/database.tf
new file mode 100644
index 0000000000..2bc3b2ac43
--- /dev/null
+++ b/terraform/aks/database.tf
@@ -0,0 +1,32 @@
+module "postgres" {
+ source = "./vendor/modules/aks//aks/postgres"
+
+ namespace = var.namespace
+ environment = local.environment
+ azure_resource_prefix = var.azure_resource_prefix
+ service_name = var.service_name
+ service_short = var.service_short
+ config_short = var.config_short
+ cluster_configuration_map = module.cluster_data.configuration_map
+ use_azure = var.deploy_azure_backing_services
+ azure_enable_monitoring = var.enable_monitoring
+ azure_enable_backup_storage = var.enable_postgres_backup_storage
+ server_version = "14"
+}
+
+
+module "redis-cache" {
+ source = "./vendor/modules/aks//aks/redis"
+
+ namespace = var.namespace
+ environment = local.environment
+ azure_resource_prefix = var.azure_resource_prefix
+ service_short = var.service_short
+ config_short = var.config_short
+ service_name = var.service_name
+ cluster_configuration_map = module.cluster_data.configuration_map
+ use_azure = var.deploy_azure_backing_services
+ azure_enable_monitoring = var.enable_monitoring
+ azure_patch_schedule = [{ "day_of_week" : "Sunday", "start_hour_utc" : 01 }]
+ server_version = "6"
+}
diff --git a/terraform/aks/output.tf b/terraform/aks/output.tf
new file mode 100644
index 0000000000..989dbad146
--- /dev/null
+++ b/terraform/aks/output.tf
@@ -0,0 +1,3 @@
+output "url" {
+ value = module.web_application.url
+}
diff --git a/terraform/aks/secrets.tf b/terraform/aks/secrets.tf
new file mode 100644
index 0000000000..f3592a80a6
--- /dev/null
+++ b/terraform/aks/secrets.tf
@@ -0,0 +1,8 @@ +module "infrastructure_secrets" { + source = "./vendor/modules/aks//aks/secrets" + + azure_resource_prefix = var.azure_resource_prefix + service_short = var.service_short + config_short = var.config_short + key_vault_short = "inf" +} diff --git a/terraform/aks/statuscake.tf b/terraform/aks/statuscake.tf new file mode 100644 index 0000000000..be1b3f03ef --- /dev/null +++ b/terraform/aks/statuscake.tf @@ -0,0 +1,10 @@ +module "statuscake" { + count = var.enable_monitoring ? 1 : 0 + + source = "./vendor/modules/aks//monitoring/statuscake" + + uptime_urls = compact([module.web_application.probe_url, var.external_url]) + ssl_urls = compact([var.external_url]) + + contact_groups = var.statuscake_contact_groups +} diff --git a/terraform/aks/terraform.tf b/terraform/aks/terraform.tf index 4210d93c80..ec813de625 100644 --- a/terraform/aks/terraform.tf +++ b/terraform/aks/terraform.tf @@ -36,6 +36,6 @@ provider "kubernetes" { cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate } -# provider "statuscake" { -# api_token = module.infrastructure_secrets.map.STATUSCAKE-API-TOKEN -# } +provider "statuscake" { + api_token = module.infrastructure_secrets.map.SC-PASSWORD +} diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf index c6a923c59b..c453fc9492 100644 --- a/terraform/aks/variables.tf +++ b/terraform/aks/variables.tf @@ -64,6 +64,10 @@ variable "paas_asset_hostnames" { variable "paas_internet_hostnames" { default = [] } +variable "command" { + type = list(string) + default = [] +} locals { azure_credentials = try(jsondecode(var.azure_credentials_json), null)
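Review bot: The `statuscake` provider block in terraform/aks/terraform.tf is now configured unconditionally and reads `module.infrastructure_secrets.map.SC-PASSWORD`, while the `statuscake` module in statuscake.tf is created only when `var.enable_monitoring` is true. If `map` is a plain map of key vault secrets, an environment whose `inf` vault lacks that secret will likely fail at plan even with monitoring off. `api_token = try(module.infrastructure_secrets.map.SC-PASSWORD, null)` would keep such environments deployable; this is worth confirming against the review key vault. The key also changed from `STATUSCAKE-API-TOKEN` to `SC-PASSWORD`, so a comment such as `# SC-PASSWORD holds the StatusCake API token` would avoid it being mistaken for an account password.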