Merge branch 'main' into task/make-private-api-private/CDD-1177

UKHSA-Internal · Jan 7, 2025 · 8e1096b · 8e1096b
2 parents aee92fb + fdc0a8d
commit 8e1096b
Show file tree

Hide file tree

Showing 12 changed files with 35 additions and 28 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1 @@
+* @UKHSA-Internal/data-dashboard-engineers
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
@@ -102,6 +102,7 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
           tools-account-role: ${{ secrets.UHD_TERRAFORM_IAM_ROLE }}
 
+      - uses: ./.github/actions/setup-terraform
       - uses: ./.github/actions/setup-zsh
 
       - name: Terraform output

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -193,6 +193,7 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
           tools-account-role: ${{ secrets.UHD_TERRAFORM_IAM_ROLE }}
 
+      - uses: ./.github/actions/setup-terraform
       - uses: ./.github/actions/setup-zsh
       - uses: ./.github/actions/short-sha
 

diff --git a/.github/workflows/well-known-environment.yml b/.github/workflows/well-known-environment.yml
@@ -126,6 +126,7 @@ jobs:
           aws-region: ${{ env.AWS_REGION }}
           tools-account-role: ${{ secrets.UHD_TERRAFORM_IAM_ROLE }}
 
+      - uses: ./.github/actions/setup-terraform
       - uses: ./.github/actions/setup-zsh
       - uses: ./.github/actions/well-known-environment-name
         with:

diff --git a/src/lambda-db-password-rotation/index.js b/src/lambda-db-password-rotation/index.js
@@ -32,6 +32,7 @@ async function restartMainDbECSServices(ecsClient = new ECSClient(), overridenDe
     await dependencies.restartECSService(ecsClient, process.env.CMS_ADMIN_ECS_SERVICE_NAME)
     await dependencies.restartECSService(ecsClient, process.env.PRIVATE_API_ECS_SERVICE_NAME)
     await dependencies.restartECSService(ecsClient, process.env.PUBLIC_API_ECS_SERVICE_NAME)
+    await dependencies.restartECSService(ecsClient, process.env.FEEDBACK_API_ECS_SERVICE_NAME)
     console.log(`All required ECS tasks have been restarted for main DB`);
 };
 

diff --git a/src/lambda-db-password-rotation/index.test.js b/src/lambda-db-password-rotation/index.test.js
@@ -58,12 +58,14 @@ describe('restartMainDbECSServices', () => {
         const fakeCMSAdminECSServiceName = 'fake-cms-admin-ecs-service-name'
         const fakePrivateAPIECSServiceName = 'fake-private-api-ecs-service-name'
         const fakePublicAPIECSServiceName = 'fake-public-api-ecs-service-name'
+        const fakeFeedbackAPIECSServiceName = 'fake-feedback-api-ecs-service-name'
 
         const mockedEnvVar = sinon.stub(process, 'env').value(
             {
                 CMS_ADMIN_ECS_SERVICE_NAME: fakeCMSAdminECSServiceName,
                 PRIVATE_API_ECS_SERVICE_NAME: fakePrivateAPIECSServiceName,
                 PUBLIC_API_ECS_SERVICE_NAME: fakePublicAPIECSServiceName,
+                FEEDBACK_API_ECS_SERVICE_NAME: fakeFeedbackAPIECSServiceName,
             }
         );
 
@@ -78,12 +80,11 @@ describe('restartMainDbECSServices', () => {
         await restartMainDbECSServices(mockedECSClient, spyDependencies);
 
         // Then
-        // The function should have been called 3 times, 1 for each ECS service
-        expect(restartECSServiceSpy.calledThrice).toBeTruthy();
         // The function should have been called with each ECS service name
         expect(restartECSServiceSpy.firstCall.lastArg).toEqual(fakeCMSAdminECSServiceName)
         expect(restartECSServiceSpy.secondCall.lastArg).toEqual(fakePrivateAPIECSServiceName)
         expect(restartECSServiceSpy.thirdCall.lastArg).toEqual(fakePublicAPIECSServiceName)
+        expect(restartECSServiceSpy.lastCall.lastArg).toEqual(fakeFeedbackAPIECSServiceName)
 
         // Restore the environment variable
         mockedEnvVar.restore();

diff --git a/terraform/10-account/iam.operations-role.tf b/terraform/10-account/iam.operations-role.tf
@@ -54,7 +54,6 @@ module "iam_operations_policy" {
             "ecs:DescribeTasks",
             "ecs:ExecuteCommand",
             "ecs:RunTask",
-            "iam:PassRole",
             "logs:StartLiveTail",
             "logs:StopLiveTail"
           ],

diff --git a/terraform/20-app/aurora-db.app.tf b/terraform/20-app/aurora-db.app.tf
@@ -14,11 +14,12 @@ module "aurora_db_app" {
   database_name               = "cms"
   master_username             = "api_user"
 
-  monitoring_interval = 0
-  apply_immediately   = true
-  skip_final_snapshot = true
-  publicly_accessible = local.enable_public_db
-  deletion_protection = local.use_prod_sizing
+  monitoring_interval             = 0
+  apply_immediately               = true
+  skip_final_snapshot             = true
+  publicly_accessible             = local.enable_public_db
+  deletion_protection             = local.use_prod_sizing
+  enabled_cloudwatch_logs_exports = ["postgresql"]
 
   instance_class = "db.serverless"
   serverlessv2_scaling_configuration = {

diff --git a/terraform/20-app/aurora-db.feature-flags.tf b/terraform/20-app/aurora-db.feature-flags.tf
@@ -8,15 +8,17 @@ module "aurora_db_feature_flags" {
   engine_version    = "15.5"
   storage_encrypted = true
 
-  publicly_accessible = true
+  publicly_accessible = local.enable_public_db
+  deletion_protection = local.use_prod_sizing
 
   manage_master_user_password = true
   database_name               = "unleash"
   master_username             = "unleash_user"
 
-  monitoring_interval = 60
-  apply_immediately   = true
-  skip_final_snapshot = true
+  monitoring_interval             = 60
+  apply_immediately               = true
+  skip_final_snapshot             = true
+  enabled_cloudwatch_logs_exports = ["postgresql"]
 
   instance_class = "db.serverless"
   serverlessv2_scaling_configuration = {

diff --git a/terraform/20-app/ip-allow-lists.tf b/terraform/20-app/ip-allow-lists.tf
@@ -7,21 +7,20 @@ locals {
       "167.98.124.170/32",  # Burendo London
       "90.219.251.228/32",  # Phil
       "84.67.254.137/32",   # Rhys
-      "176.254.91.127/32",     # Rhys 2
+      "176.254.91.127/32",  # Rhys 2
       "35.176.13.254/32",   # UKHSA test EC2
       "35.176.178.91/32",   # UKHSA test EC2
       "35.179.30.107/32",   # UKHSA test EC2
       "18.133.111.70/32",   # UKHSA test gateway
       "81.108.89.51/32",    # Krishna - Macbook
-      "165.225.197.26/32",  # Krishna - Windows
+      "147.161.236.99/32",  # Krishna - Windows
       "80.7.227.61/32",     # Kiran
       "92.234.44.48/32",    # Zesh
       "51.241.222.137/32",  # Temitope Akinsoto
       "86.177.34.133/32"    # Luke
     ],
     project_team = [
-      "90.206.168.235/32",  # Debbie
-      "86.19.42.86/32",     # Debbie 2
+      "5.68.132.72/32",     # Debbie
     ],
     other_stakeholders = [
       "62.253.228.56/32",   # UKHSA gateway
@@ -38,21 +37,18 @@ locals {
       "66.249.74.35/32",    # Ciara 2
       "2.25.205.147/32",    # Prince
       "86.128.102.66/32",   # Ester
-      "167.98.243.140/32",  # Tom H
-      "81.105.235.133/32",  # Tom H 2
+      "167.98.243.140/32",  # Tom Hebbert
+      "81.105.235.133/32",  # Tom Hebbert 2
       "51.149.2.8/32",      # Agostinho Sousa
-      "86.29.186.201/32",   # Charlotte Brace
+      "136.226.191.87/32",  # Charlotte Brace
       "2.221.74.175/32",    # Gareth
       "81.108.143.100/32",  # Ruairidh Villar
       "90.218.199.1/32",    # Ruth Baxter
+      "86.11.171.6/32",     # Jason Deakin
+      "192.168.0.20/32",    # Alana Firth
+      "62.253.228.56/32",   # Georgina Milne
     ]
-    ncc = [
-      "5.148.69.16/28",
-      "167.98.200.192/27",
-      "167.98.200.196/27",
-      "195.95.131.0/24",
-      "5.148.32.192/26",
-    ]
+    ncc = []
   }
   complete_ip_allow_list = tolist(
     # Cast back to a list for portability

diff --git a/terraform/20-app/lambda.db-password-rotation.tf b/terraform/20-app/lambda.db-password-rotation.tf
@@ -19,6 +19,7 @@ module "lambda_db_password_rotation" {
     CMS_ADMIN_ECS_SERVICE_NAME           = module.ecs_service_cms_admin.name
     PRIVATE_API_ECS_SERVICE_NAME         = module.ecs_service_private_api.name
     PUBLIC_API_ECS_SERVICE_NAME          = module.ecs_service_public_api.name
+    FEEDBACK_API_ECS_SERVICE_NAME        = module.ecs_service_feedback_api.name
     FEATURE_FLAGS_ECS_SERVICE_NAME       = module.ecs_service_feature_flags.name
   }
 
@@ -31,7 +32,9 @@ module "lambda_db_password_rotation" {
         module.ecs_service_private_api.id,
         module.ecs_service_public_api.id,
         module.ecs_service_cms_admin.id,
+        module.ecs_service_feedback_api.id,
         module.ecs_service_feature_flags.id,
+
       ]
     }
   }

diff --git a/terraform/20-app/locals.tf b/terraform/20-app/locals.tf
@@ -33,8 +33,8 @@ locals {
 
   scheduled_scaling_policies_for_non_essential_envs = {
     start_of_working_day_scale_out = {
-      min_capacity = local.use_prod_sizing ? 3 : 1
-      max_capacity = local.use_prod_sizing ? 3 : 1
+      min_capacity = 1
+      max_capacity = 1
       schedule     = "cron(0 07 ? * MON-FRI *)" # Run every weekday at 7am
     }
     end_of_working_day_scale_in = {