From 5833bcd0c3cb03196f3f909bea7c75e539cdbad0 Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Fri, 3 May 2024 14:29:16 +0100
Subject: [PATCH 01/10] Manage transition RDS instance with rds module

Migrated from app-transition-postgresql
---
 .../tfc-configuration/variables-integration.tf | 16 ++++++++++++++++
 .../tfc-configuration/variables-production.tf | 16 ++++++++++++++++
 .../tfc-configuration/variables-staging.tf | 16 ++++++++++++++++
 3 files changed, 48 insertions(+)

diff --git a/terraform/deployments/tfc-configuration/variables-integration.tf b/terraform/deployments/tfc-configuration/variables-integration.tf
index c098d98df..f0afafa4b 100644
--- a/terraform/deployments/tfc-configuration/variables-integration.tf
+++ b/terraform/deployments/tfc-configuration/variables-integration.tf
@@ -451,6 +451,22 @@ module "variable-set-rds-integration" {
 freestoragespace_threshold = 10737418240
 }
 
+ transition = {
+ engine = "postgres"
+ engine_version = "13"
+ engine_params = {
+ log_min_duration_statement = { value = 10000 }
+ log_statement = { value = "all" }
+ deadlock_timeout = { value = 2500 }
+ log_lock_waits = { value = 1 }
+ engine_params_family = "postgres13"
+ name = "blue-transition-postgresql-primary"
+ allocated_storage = 120
+ instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ performance_insights_enabled = true
+ }
+ }
+
 whitehall = {
 engine = "mysql"
 engine_version = "8.0"
diff --git a/terraform/deployments/tfc-configuration/variables-production.tf b/terraform/deployments/tfc-configuration/variables-production.tf
index d1da2679e..e8d1ce225 100644
--- a/terraform/deployments/tfc-configuration/variables-production.tf
+++ b/terraform/deployments/tfc-configuration/variables-production.tf
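Review bot: `log_statement = { value = "all" }` makes the RDS PostgreSQL log record the text of every statement, which in practice includes data embedded in literals and any `ALTER ROLE ... PASSWORD`-style statements, so anyone who can read the instance's log group can read that data; the production and staging hunks of this commit set the same value. If this is only carried over from app-transition-postgresql, a comment such as `# carried over from app-transition-postgresql; review whether "all" is still needed now that log_min_duration_statement is set` would stop the value being copied into the next database unexamined, and `ddl` or `mod` is the usual lower-exposure setting. The slow-query and lock diagnostics are already covered by `log_min_duration_statement` and `log_lock_waits` on the adjacent lines. The enclosing module block starts and ends outside the hunk.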
@@ -471,6 +471,22 @@ module "variable-set-rds-production" {
 freestoragespace_threshold = 10737418240
 }
 
+ transition = {
+ engine = "postgres"
+ engine_version = "13"
+ engine_params = {
+ log_min_duration_statement = { value = 10000 }
+ log_statement = { value = "all" }
+ deadlock_timeout = { value = 2500 }
+ log_lock_waits = { value = 1 }
+ engine_params_family = "postgres13"
+ name = "blue-transition-postgresql-primary"
+ allocated_storage = 120
+ instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ performance_insights_enabled = true
+ }
+ }
+
 whitehall = {
 engine = "mysql"
 engine_version = "8.0"
diff --git a/terraform/deployments/tfc-configuration/variables-staging.tf b/terraform/deployments/tfc-configuration/variables-staging.tf
index b3e7a9840..26bab42b5 100644
--- a/terraform/deployments/tfc-configuration/variables-staging.tf
+++ b/terraform/deployments/tfc-configuration/variables-staging.tf
@@ -447,6 +447,22 @@ module "variable-set-rds-staging" {
 freestoragespace_threshold = 10737418240
 }
 
+ transition = {
+ engine = "postgres"
+ engine_version = "13"
+ engine_params = {
+ log_min_duration_statement = { value = 10000 }
+ log_statement = { value = "all" }
+ deadlock_timeout = { value = 2500 }
+ log_lock_waits = { value = 1 }
+ engine_params_family = "postgres13"
+ name = "blue-transition-postgresql-primary"
+ allocated_storage = 120
+ instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ performance_insights_enabled = true
+ }
+ }
+
 whitehall = {
 engine = "mysql"
 engine_version = "8.0"
From 5e6a589a1d6d55a19daa31e89b590f830a07e57e Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Fri, 3 May 2024 14:34:13 +0100
Subject: [PATCH 02/10] Add import for transition RDS instance

---
 terraform/deployments/rds/import_transition.tf | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 terraform/deployments/rds/import_transition.tf
diff --git a/terraform/deployments/rds/import_transition.tf b/terraform/deployments/rds/import_transition.tf
new file mode 100644
index 000000000..a767e933b
--- /dev/null
+++ b/terraform/deployments/rds/import_transition.tf
@@ -0,0 +1,4 @@
+import {
+ to = aws_db_instance.instance["transition"]
+ id = "blue-transition-postgresql-primary"
+}
From 0c7cfc01c3c72a6958059217654ac83e6ea9c2e7 Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Fri, 3 May 2024 14:38:26 +0100
Subject: [PATCH 03/10] Fix incorrect formatting of transition rds config

---
 .../variables-integration.tf | 19 ++++++++++---------
 .../tfc-configuration/variables-production.tf | 19 ++++++++++---------
 .../tfc-configuration/variables-staging.tf | 19 ++++++++++---------
 3 files changed, 30 insertions(+), 27 deletions(-)

diff --git a/terraform/deployments/tfc-configuration/variables-integration.tf b/terraform/deployments/tfc-configuration/variables-integration.tf
index f0afafa4b..ad77938e0 100644
--- a/terraform/deployments/tfc-configuration/variables-integration.tf
+++ b/terraform/deployments/tfc-configuration/variables-integration.tf
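Review bot: The import binds `aws_db_instance.instance["transition"]` to the fixed identifier `blue-transition-postgresql-primary`, while a later commit in this series changes the transition entry to `name = "transition"`; the import only avoids a follow-up replace if the rds module derives exactly that identifier from `name` and `engine`, which cannot be checked from here, so the plan after the import should be confirmed to show no changes for this address before apply, since a replace of an `aws_db_instance` plans a destroy of the instance. The Route 53 import added in the last commit has the same property: its id hard-codes `transition-postgres.<env>.govuk-internal.digital` instead of being derived from the database's `name`, so it too needs a no-op plan check. Import blocks are one-shot, so a header comment on this file, `# One-off imports for the migration from app-transition-postgresql; delete after the first successful apply`, would make their intended lifecycle explicit.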
@@ -452,19 +452,20 @@ module "variable-set-rds-integration" {
 }
 
 transition = {
- engine = "postgres"
+ engine = "postgres"
 engine_version = "13"
 engine_params = {
 log_min_duration_statement = { value = 10000 }
- log_statement = { value = "all" }
- deadlock_timeout = { value = 2500 }
- log_lock_waits = { value = 1 }
- engine_params_family = "postgres13"
- name = "blue-transition-postgresql-primary"
- allocated_storage = 120
- instance_class = "db.m5.large" # TODO: downsize this after migration if required
- performance_insights_enabled = true
+ log_statement = { value = "all" }
+ deadlock_timeout = { value = 2500 }
+ log_lock_waits = { value = 1 }
 }
+ engine_params_family = "postgres13"
+ name = "blue-transition-postgresql-primary"
+ allocated_storage = 120
+ instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ performance_insights_enabled = true
+ freestoragespace_threshold = 10737418240
 }
 
 whitehall = {
diff --git a/terraform/deployments/tfc-configuration/variables-production.tf b/terraform/deployments/tfc-configuration/variables-production.tf
index e8d1ce225..f40fc3195 100644
--- a/terraform/deployments/tfc-configuration/variables-production.tf
+++ b/terraform/deployments/tfc-configuration/variables-production.tf
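Review bot: Besides re-indenting, this hunk adds `freestoragespace_threshold = 10737418240` to the transition block (the production and staging hunks below do the same), which is a functional change that the title "Fix incorrect formatting" does not mention; either split it out or state it in the message so the addition of the free-space alarm threshold is discoverable later. The real fix here is also worth naming: in the previous commit `engine_params_family` through `performance_insights_enabled` sat inside `engine_params` and would have been passed through as parameter-group entries, so the `}` now closing the map after `log_lock_waits` changes what the module receives, not just layout. The transition block starts and the module block ends outside the hunk.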
@@ -472,19 +472,20 @@ module "variable-set-rds-production" {
 }
 
 transition = {
- engine = "postgres"
+ engine = "postgres"
 engine_version = "13"
 engine_params = {
 log_min_duration_statement = { value = 10000 }
- log_statement = { value = "all" }
- deadlock_timeout = { value = 2500 }
- log_lock_waits = { value = 1 }
- engine_params_family = "postgres13"
- name = "blue-transition-postgresql-primary"
- allocated_storage = 120
- instance_class = "db.m5.large" # TODO: downsize this after migration if required
- performance_insights_enabled = true
+ log_statement = { value = "all" }
+ deadlock_timeout = { value = 2500 }
+ log_lock_waits = { value = 1 }
 }
+ engine_params_family = "postgres13"
+ name = "blue-transition-postgresql-primary"
+ allocated_storage = 120
+ instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ performance_insights_enabled = true
+ freestoragespace_threshold = 10737418240
 }
 
 whitehall = {
diff --git a/terraform/deployments/tfc-configuration/variables-staging.tf b/terraform/deployments/tfc-configuration/variables-staging.tf
index 26bab42b5..e67c9940b 100644
--- a/terraform/deployments/tfc-configuration/variables-staging.tf
+++ b/terraform/deployments/tfc-configuration/variables-staging.tf
@@ -448,19 +448,20 @@ module "variable-set-rds-staging" {
 }
 
 transition = {
- engine = "postgres"
+ engine = "postgres"
 engine_version = "13"
 engine_params = {
 log_min_duration_statement = { value = 10000 }
- log_statement = { value = "all" }
- deadlock_timeout = { value = 2500 }
- log_lock_waits = { value = 1 }
- engine_params_family = "postgres13"
- name = "blue-transition-postgresql-primary"
- allocated_storage = 120
- instance_class = "db.m5.large" # TODO: downsize this after migration if required
- performance_insights_enabled = true
+ log_statement = { value = "all" }
+ deadlock_timeout = { value = 2500 }
+ log_lock_waits = { value = 1 }
 }
+ engine_params_family = "postgres13"
+ name = "blue-transition-postgresql-primary"
+ allocated_storage = 120
+ instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ performance_insights_enabled = true
+ freestoragespace_threshold = 10737418240
 }
 
 whitehall = {
From 0a7a938058e965b05e507f1eabe64cb52cef6d8f Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Fri, 3 May 2024 14:57:42 +0100
Subject: [PATCH 04/10] Rename transition rds instance to 'transition'; Set transition RDS instance class to reflect current state

---
 .../deployments/tfc-configuration/variables-integration.tf | 4 ++--
 .../deployments/tfc-configuration/variables-production.tf | 4 ++--
 terraform/deployments/tfc-configuration/variables-staging.tf | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/terraform/deployments/tfc-configuration/variables-integration.tf b/terraform/deployments/tfc-configuration/variables-integration.tf
index ad77938e0..c6014775f 100644
--- a/terraform/deployments/tfc-configuration/variables-integration.tf
+++ b/terraform/deployments/tfc-configuration/variables-integration.tf
@@ -461,9 +461,9 @@ module "variable-set-rds-integration" {
 log_lock_waits = { value = 1 }
 }
 engine_params_family = "postgres13"
- name = "blue-transition-postgresql-primary"
+ name = "transition"
 allocated_storage = 120
- instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ instance_class = "db.m6g.large" # TODO: downsize this after migration if required
 performance_insights_enabled = true
 freestoragespace_threshold = 10737418240
 }
diff --git a/terraform/deployments/tfc-configuration/variables-production.tf b/terraform/deployments/tfc-configuration/variables-production.tf
index f40fc3195..8d7d20e66 100644
--- a/terraform/deployments/tfc-configuration/variables-production.tf
+++ b/terraform/deployments/tfc-configuration/variables-production.tf
@@ -481,9 +481,9 @@ module "variable-set-rds-production" {
 log_lock_waits = { value = 1 }
 }
 engine_params_family = "postgres13"
- name = "blue-transition-postgresql-primary"
+ name = "transition"
 allocated_storage = 120
- instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ instance_class = "db.m6g.large" # TODO: downsize this after migration if required
 performance_insights_enabled = true
 freestoragespace_threshold = 10737418240
 }
diff --git a/terraform/deployments/tfc-configuration/variables-staging.tf b/terraform/deployments/tfc-configuration/variables-staging.tf
index e67c9940b..088d18025 100644
--- a/terraform/deployments/tfc-configuration/variables-staging.tf
+++ b/terraform/deployments/tfc-configuration/variables-staging.tf
@@ -457,9 +457,9 @@ module "variable-set-rds-staging" {
 log_lock_waits = { value = 1 }
 }
 engine_params_family = "postgres13"
- name = "blue-transition-postgresql-primary"
+ name = "transition"
 allocated_storage = 120
- instance_class = "db.m5.large" # TODO: downsize this after migration if required
+ instance_class = "db.m6g.large" # TODO: downsize this after migration if required
 performance_insights_enabled = true
 freestoragespace_threshold = 10737418240
 }
From 3b62541cae39acaec3588de8c907e22e250bae8c Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Fri, 3 May 2024 15:14:07 +0100
Subject: [PATCH 05/10] Give terraform modules more helpful descriptions

---
 terraform/deployments/tfc-configuration/cloudfront.tf | 4 ++--
 .../deployments/tfc-configuration/cluster-infrastructure.tf | 6 +++---
 terraform/deployments/tfc-configuration/cluster-services.tf | 6 +++---
 .../tfc-configuration/datagovuk-infrastructure.tf | 6 +++---
 terraform/deployments/tfc-configuration/ecr.tf | 2 +-
 terraform/deployments/tfc-configuration/vpc.tf | 6 +++---
 6 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/terraform/deployments/tfc-configuration/cloudfront.tf b/terraform/deployments/tfc-configuration/cloudfront.tf
index 73d8488b2..bc54936cf 100644
--- a/terraform/deployments/tfc-configuration/cloudfront.tf
+++ b/terraform/deployments/tfc-configuration/cloudfront.tf
@@ -4,7 +4,7 @@ module "cloudfront-staging" {
 organization = var.organization
 workspace_name = "cloudfront-staging"
- workspace_desc = "The cloudfront module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages resources for the failover CDN in Cloudfront"
 workspace_tags = ["staging", "cloudfront", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
@@ -37,7 +37,7 @@ module "cloudfront-production" {
 organization = var.organization
 workspace_name = "cloudfront-production"
- workspace_desc = "The cloudfront module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages resources for the failover CDN in Cloudfront"
 workspace_tags = ["production", "cloudfront", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
diff --git a/terraform/deployments/tfc-configuration/cluster-infrastructure.tf b/terraform/deployments/tfc-configuration/cluster-infrastructure.tf
index f9bb06ea9..29803b6e3 100644
--- a/terraform/deployments/tfc-configuration/cluster-infrastructure.tf
+++ b/terraform/deployments/tfc-configuration/cluster-infrastructure.tf
@@ -4,7 +4,7 @@ module "cluster-infrastructure-integration" {
 organization = var.organization
 workspace_name = "cluster-infrastructure-integration"
- workspace_desc = "The cluster-infrastructure module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages the EKS cluster, and other resources it depends on (e.g. IAM roles and policies)"
 workspace_tags = ["integration", "cluster-infrastructure", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
@@ -37,7 +37,7 @@ module "cluster-infrastructure-staging" {
 organization = var.organization
 workspace_name = "cluster-infrastructure-staging"
- workspace_desc = "The cluster-infrastructure module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages the EKS cluster, and other resources it depends on (e.g. IAM roles and policies)"
 workspace_tags = ["staging", "cluster-infrastructure", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
@@ -70,7 +70,7 @@ module "cluster-infrastructure-production" {
 organization = var.organization
 workspace_name = "cluster-infrastructure-production"
- workspace_desc = "The cluster-infrastructure module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages the EKS cluster, and other resources it depends on (e.g. IAM roles and policies)"
 workspace_tags = ["production", "cluster-infrastructure", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
diff --git a/terraform/deployments/tfc-configuration/cluster-services.tf b/terraform/deployments/tfc-configuration/cluster-services.tf
index 12200f62d..a24ea49d6 100644
--- a/terraform/deployments/tfc-configuration/cluster-services.tf
+++ b/terraform/deployments/tfc-configuration/cluster-services.tf
@@ -4,7 +4,7 @@ module "cluster-services-integration" {
 organization = var.organization
 workspace_name = "cluster-services-integration"
- workspace_desc = "The cluster-services module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages resources for services that run on top of the EKS cluster and are required by apps running on the cluster"
 workspace_tags = ["integration", "cluster-services", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
@@ -36,7 +36,7 @@ module "cluster-services-staging" {
 organization = var.organization
 workspace_name = "cluster-services-staging"
- workspace_desc = "The cluster-services module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages resources for services that run on top of the EKS cluster and are required by apps running on the cluster"
 workspace_tags = ["staging", "cluster-services", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
@@ -67,7 +67,7 @@ module "cluster-services-production" {
 organization = var.organization
 workspace_name = "cluster-services-production"
- workspace_desc = "The cluster-services module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages resources for services that run on top of the EKS cluster and are required by apps running on the cluster"
 workspace_tags = ["production", "cluster-services", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
diff --git a/terraform/deployments/tfc-configuration/datagovuk-infrastructure.tf b/terraform/deployments/tfc-configuration/datagovuk-infrastructure.tf
index d78f7baeb..2b43f2171 100644
--- a/terraform/deployments/tfc-configuration/datagovuk-infrastructure.tf
+++ b/terraform/deployments/tfc-configuration/datagovuk-infrastructure.tf
@@ -4,7 +4,7 @@ module "datagovuk-infrastructure-integration" {
 organization = var.organization
 workspace_name = "datagovuk-infrastructure-integration"
- workspace_desc = "The datagovuk-infrastructure module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages resources to run data.gov.uk on the GOV.UK EKS cluster"
 workspace_tags = ["integration", "datagovuk-infrastructure", "eks", "aws"]
 terraform_version = "1.7.0"
 execution_mode = "remote"
@@ -36,7 +36,7 @@ module "datagovuk-infrastructure-staging" {
 organization = var.organization
 workspace_name = "datagovuk-infrastructure-staging"
- workspace_desc = "The datagovuk-infrastructure module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages resources to run data.gov.uk on the GOV.UK EKS cluster"
 workspace_tags = ["staging", "datagovuk-infrastructure", "eks", "aws"]
 terraform_version = "1.7.0"
 execution_mode = "remote"
@@ -67,7 +67,7 @@ module "datagovuk-infrastructure-production" {
 organization = var.organization
 workspace_name = "datagovuk-infrastructure-production"
- workspace_desc = "The datagovuk-infrastructure module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages resources to run data.gov.uk on the GOV.UK EKS cluster"
 workspace_tags = ["production", "datagovuk-infrastructure", "eks", "aws"]
 terraform_version = "1.7.0"
 execution_mode = "remote"
diff --git a/terraform/deployments/tfc-configuration/ecr.tf b/terraform/deployments/tfc-configuration/ecr.tf
index ea4528efb..67fd1f81e 100644
--- a/terraform/deployments/tfc-configuration/ecr.tf
+++ b/terraform/deployments/tfc-configuration/ecr.tf
@@ -4,7 +4,7 @@ module "ecr-production" {
 organization = var.organization
 workspace_name = "ecr-production"
- workspace_desc = "The ecr module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages Elastic Container Registry repositories, to store OCI images of GOV.UK apps"
 workspace_tags = ["production", "ecr", "eks", "aws"]
 terraform_version = var.terraform_version
 execution_mode = "remote"
diff --git a/terraform/deployments/tfc-configuration/vpc.tf b/terraform/deployments/tfc-configuration/vpc.tf
index 5536ad0f2..3de860020 100644
--- a/terraform/deployments/tfc-configuration/vpc.tf
+++ b/terraform/deployments/tfc-configuration/vpc.tf
@@ -4,7 +4,7 @@ module "vpc-integration" {
 organization = var.organization
 workspace_name = "vpc-integration"
- workspace_desc = "The vpc module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages foundational cloud resources that are required by most other modules (VPC, DNS zones)"
 workspace_tags = ["integration", "vpc", "eks", "aws"]
 terraform_version = "1.7.0"
 execution_mode = "remote"
@@ -38,7 +38,7 @@ module "vpc-staging" {
 organization = var.organization
 workspace_name = "vpc-staging"
- workspace_desc = "The vpc module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages foundational cloud resources that are required by most other modules (VPC, DNS zones)"
 workspace_tags = ["staging", "vpc", "eks", "aws"]
 terraform_version = "1.7.0"
 execution_mode = "remote"
@@ -71,7 +71,7 @@ module "vpc-production" {
 organization = var.organization
 workspace_name = "vpc-production"
- workspace_desc = "The vpc module is responsible for the AWS resources which constitute the EKS cluster."
+ workspace_desc = "This module manages foundational cloud resources that are required by most other modules (VPC, DNS zones)"
 workspace_tags = ["production", "vpc", "eks", "aws"]
 terraform_version = "1.7.0"
 execution_mode = "remote"
From aba5d149ad0d0d3e55dcf3869dfe163d53311642 Mon Sep 17 00:00:00 2001
From: Aga Dufrat
Date: Tue, 7 May 2024 14:34:24 +0100
Subject: [PATCH 06/10] Continue to upload SARIF on Brakeman errors

By default Brakeman returns a non-zero exit code if any security warnings are found or scanning errors are encountered. This ensures the scan output (SARIF file) gets uploaded to GitHub Code scanning.
---
 .github/workflows/brakeman.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/brakeman.yml b/.github/workflows/brakeman.yml
index e021ee1a4..40da9e799 100644
--- a/.github/workflows/brakeman.yml
+++ b/.github/workflows/brakeman.yml
@@ -21,6 +21,7 @@ jobs:
 bundler-cache: true
 
 - name: Run Brakeman
+ continue-on-error: true
 run: bundle exec brakeman . --except CheckRenderInline --quiet -f sarif >> brakeman.sarif
 
 - name: Upload result to Github Code Scanning
From 971b2ac05b198070eab004a735cd8b4825ef19f6 Mon Sep 17 00:00:00 2001
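Review bot: `continue-on-error: true` on the Run Brakeman step hides scan failures along with findings: if brakeman aborts, or the `>>` redirection leaves brakeman.sarif empty or truncated, the job still goes green and the upload step runs against a broken file, so a silently dead scanner looks identical to a clean one. Brakeman separates the two cases itself with `--no-exit-on-warn`, which keeps exit status 0 for warnings while still failing on scan errors, so `run: bundle exec brakeman . --except CheckRenderInline --quiet --no-exit-on-warn -f sarif -o brakeman.sarif` with the `continue-on-error` line removed preserves the upload and keeps a failed scan visible. Using `-o` rather than `>>` also avoids appending a second document to an existing file on a re-run in the same workspace. The upload step that follows is outside the hunk, so whether it is already conditioned with `if: always()` cannot be seen here.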
From: David Mays
Date: Wed, 8 May 2024 10:46:27 +0100
Subject: [PATCH 07/10] Enable ARM builds for "sidecar" images.

---
 .github/workflows/build-clamav-image.yml | 2 +-
 .github/workflows/build-mongodb-image.yml | 2 +-
 .github/workflows/build-toolbox-image.yml | 2 +-
 images/clamav/Dockerfile | 2 +-
 images/mongodb/Dockerfile | 2 +-
 images/toolbox/Dockerfile | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/build-clamav-image.yml b/.github/workflows/build-clamav-image.yml
index a3d81d7bd..66a09da85 100644
--- a/.github/workflows/build-clamav-image.yml
+++ b/.github/workflows/build-clamav-image.yml
@@ -20,7 +20,7 @@ on:
 
 jobs:
 build-and-push-image:
- uses: alphagov/govuk-infrastructure/.github/workflows/build-and-push-image.yml@main
+ uses: alphagov/govuk-infrastructure/.github/workflows/build-and-push-multiarch-image.yml@main
 with:
 gitRef: ${{ inputs.gitRef || github.ref }}
 ecrRepositoryName: clamav
diff --git a/.github/workflows/build-mongodb-image.yml b/.github/workflows/build-mongodb-image.yml
index 4eea187e9..09ac99210 100644
--- a/.github/workflows/build-mongodb-image.yml
+++ b/.github/workflows/build-mongodb-image.yml
@@ -20,7 +20,7 @@ on:
 
 jobs:
 build-and-push-image:
- uses: alphagov/govuk-infrastructure/.github/workflows/build-and-push-image.yml@main
+ uses: alphagov/govuk-infrastructure/.github/workflows/build-and-push-multiarch-image.yml@main
 with:
 gitRef: ${{ inputs.gitRef || github.ref }}
 ecrRepositoryName: mongodb
diff --git a/.github/workflows/build-toolbox-image.yml b/.github/workflows/build-toolbox-image.yml
index 055bd6d62..e5e7afa08 100644
--- a/.github/workflows/build-toolbox-image.yml
+++ b/.github/workflows/build-toolbox-image.yml
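Review bot: The reusable workflow is referenced as `alphagov/govuk-infrastructure/.github/workflows/build-and-push-multiarch-image.yml@main`, yet that file lives in this same repository (the next commit edits it), so every caller always runs whatever is on `main` rather than the workflow version in the commit being built; the mongodb and toolbox callers in this commit have the same reference. For a same-repo workflow the local form `uses: ./.github/workflows/build-and-push-multiarch-image.yml` runs the checked-out revision, which keeps a workflow change and the Dockerfile change it was made for in the same commit and removes the mutable-ref dependency. If the `@main` form is deliberate (for example so that dispatches with an older `gitRef` still use the current pipeline), a one-line comment above `uses:` saying so would stop it being "fixed" later.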
@@ -20,7 +20,7 @@ on:
 
 jobs:
 build-and-push-image:
- uses: alphagov/govuk-infrastructure/.github/workflows/build-and-push-image.yml@main
+ uses: alphagov/govuk-infrastructure/.github/workflows/build-and-push-multiarch-image.yml@main
 with:
 gitRef: ${{ inputs.gitRef || github.ref }}
 ecrRepositoryName: toolbox
diff --git a/images/clamav/Dockerfile b/images/clamav/Dockerfile
index bd2b4f451..75f6a97af 100644
--- a/images/clamav/Dockerfile
+++ b/images/clamav/Dockerfile
@@ -1,4 +1,4 @@
-FROM clamav/clamav-debian:1.2
+FROM --platform=$TARGETPLATFORM clamav/clamav-debian:1.2
 COPY "./images/clamav/scripts/unprivileged-entrypoint.sh" "/unpriv-init"
diff --git a/images/mongodb/Dockerfile b/images/mongodb/Dockerfile
index 0c0bd3115..8b4cdfcfc 100644
--- a/images/mongodb/Dockerfile
+++ b/images/mongodb/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/lts/ubuntu:22.04
+FROM --platform=$TARGETPLATFORM public.ecr.aws/lts/ubuntu:22.04
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV MONGO_VERSION 2.6.12
diff --git a/images/toolbox/Dockerfile b/images/toolbox/Dockerfile
index 381fbf548..3fce37140 100644
--- a/images/toolbox/Dockerfile
+++ b/images/toolbox/Dockerfile
@@ -1,4 +1,4 @@
-FROM public.ecr.aws/lts/ubuntu:22.04
+FROM --platform=$TARGETPLATFORM public.ecr.aws/lts/ubuntu:22.04
 ARG TARGETARCH
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
From 951141f752f911173fdbdbe8074cc146ae44b2a6 Mon Sep 17 00:00:00 2001
From: David Mays
Date: Wed, 8 May 2024 15:03:02 +0100
Subject: [PATCH 08/10] Try and tag builds on main as "latest".

---
 .github/workflows/build-and-push-multiarch-image.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-and-push-multiarch-image.yml b/.github/workflows/build-and-push-multiarch-image.yml
index db168874d..3c8ac072d 100644
--- a/.github/workflows/build-and-push-multiarch-image.yml
+++ b/.github/workflows/build-and-push-multiarch-image.yml
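Review bot: `FROM --platform=$TARGETPLATFORM` is redundant under buildx, because the target platform is already what `FROM` resolves against when no flag is given, and hadolint reports it as DL3029; the same line is added to the mongodb and toolbox Dockerfiles in this commit and can be dropped from all three, leaving the multi-arch workflow to choose the platform set. The mongodb image is the one to check before relying on the arm64 build: its context line pins `ENV MONGO_VERSION 2.6.12` and, unlike toolbox, no `ARG TARGETARCH` is in view, so whether that install path produces a working arm64 binary at all is not evident from the hunk. The three Dockerfiles continue outside the hunks.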
@@ -187,6 +187,7 @@ jobs:
 labels: |
 org.opencontainers.image.vendor=GDS
 tags: |
+ type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'main') }}
 type=raw,priority=500,value=${{ inputs.gitRef }},enable=${{ startsWith(inputs.gitRef, 'v') }}
 type=raw,priority=400,value=${{ needs.build-and-push-image.outputs.localSha }},enable=${{ !startsWith(inputs.gitRef, 'v') }}
From 9ec3b4c58e30b97644cd5624a94c935938247818 Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Thu, 9 May 2024 10:38:07 +0100
Subject: [PATCH 09/10] Manage security group rules for RDS SGs

---
 terraform/deployments/rds/remote_state.tf | 5 ++++
 terraform/deployments/rds/security_groups.tf | 27 ++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/terraform/deployments/rds/remote_state.tf b/terraform/deployments/rds/remote_state.tf
index ad002429a..a7a7c99d5 100644
--- a/terraform/deployments/rds/remote_state.tf
+++ b/terraform/deployments/rds/remote_state.tf
@@ -33,3 +33,8 @@ data "terraform_remote_state" "infra_vpc" {
 region = var.aws_region
 }
 }
+
+ data "tfe_outputs" "cluster_infrastructure" {
+ organization = "govuk"
+ workspace = "cluster-infrastructure-${var.govuk_environment}"
+ }
diff --git a/terraform/deployments/rds/security_groups.tf b/terraform/deployments/rds/security_groups.tf
index 44530b115..b5438b3cd 100644
--- a/terraform/deployments/rds/security_groups.tf
+++ b/terraform/deployments/rds/security_groups.tf
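Review bot: The new `latest` rule is gated on `github.ref`, but inside a reusable workflow that is the caller's ref, not the ref being built; the two sibling rules on the following lines key off `inputs.gitRef`, and the callers pass `gitRef: ${{ inputs.gitRef || github.ref }}`, so a manual dispatch from `main` that builds another branch or an older tag would still be published as `latest`. Gate it on the input the image is actually built from, e.g. `type=raw,value=latest,enable=${{ inputs.gitRef == 'main' || inputs.gitRef == 'refs/heads/main' }}` (the exact forms `gitRef` takes depend on the callers, which are outside this hunk), and give it an explicit `priority` so its ordering against the 500/400 rules is deliberate rather than the default. `format('refs/heads/{0}', 'main')` is also just `'refs/heads/main'` spelled at length. The `tags` block continues outside the hunk.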
@@ -6,3 +6,30 @@ resource "aws_security_group" "rds" {
 description = "Access to ${each.value.name} RDS"
 tags = { Name = "blue_${each.value.name}_rds_access" }
 }
+
+ resource "aws_security_group_rule" "mysql" {
+ for_each = { for name, data in var.databases : name => data if data.engine == "mysql" }
+ security_group_id = aws_security_group.rds[each.key].id
+ description = "Access to MySQL database from EKS worker nodes"
+
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 3306
+ to_port = 3306
+
+ source_security_group_id = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.node_security_group_id
+ }
+
+ resource "aws_security_group_rule" "postgres" {
+ for_each = { for name, data in var.databases : name => data if data.engine == "postgres" }
+ security_group_id = aws_security_group.rds[each.key].id
+ description = "Access to PostgreSQL database from EKS worker nodes"
+
+ type = "ingress"
+ protocol = "tcp"
+ from_port = 5432
+ to_port = 5432
+
+ source_security_group_id = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.node_security_group_id
+
+ }
From 851afc95f7c25b989a992dec7e035a221f7294fc Mon Sep 17 00:00:00 2001
From: Sam Simpson
Date: Thu, 9 May 2024 11:14:33 +0100
Subject: [PATCH 10/10] Import transition RDS DNS record

---
 terraform/deployments/rds/import_transition.tf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/terraform/deployments/rds/import_transition.tf b/terraform/deployments/rds/import_transition.tf
index a767e933b..05c896b7b 100644
--- a/terraform/deployments/rds/import_transition.tf
+++ b/terraform/deployments/rds/import_transition.tf
@@ -2,3 +2,8 @@ import {
 to = aws_db_instance.instance["transition"]
 id = "blue-transition-postgresql-primary"
 }
+
+import {
+ to = aws_route53_record.instance_cname["transition"]
+ id = "${data.terraform_remote_state.infra_root_dns_zones.outputs.internal_root_zone_id}_transition-postgres.${var.govuk_environment}.govuk-internal.digital_CNAME"
+}
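Review bot: The ingress rules are generated only for entries whose `engine` is exactly `"mysql"` or `"postgres"`, so a `var.databases` entry with any other engine value gets its `aws_security_group.rds` (built from the same map just above) but no ingress rule, and nothing in the hunk would make the plan fail for that case. A `precondition` on the rule resources, or a `validation` block on `var.databases` checking `contains(["mysql", "postgres"], engine)`, would turn the silent omission into a plan-time error; folding both resources into one keyed on a `{ mysql = 3306, postgres = 5432 }` map is tidier but would change the state addresses, so the precondition is the cheaper fix now. Scoping the source to the EKS node security group rather than a CIDR is the right shape for least privilege. Two smaller points: the postgres block ends with a stray blank line before `}` that `terraform fmt` will remove, and if `aws_security_group.rds` (which starts outside the hunk) still carries inline `ingress` blocks, these standalone rules will conflict with it on every apply.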