diff --git a/.github/workflows/delete_review_app_aks.yml b/.github/workflows/delete_review_app_aks.yml new file mode 100644 index 00000000..47d89017 --- /dev/null +++ b/.github/workflows/delete_review_app_aks.yml @@ -0,0 +1,41 @@ +name: Delete review app on AKS + +on: + pull_request: + branches: + - master + types: + - closed + +concurrency: deploy-${{ github.ref }} + +jobs: + build-and-push: + runs-on: ubuntu-latest + environment: review + + steps: + - name: Destroy review app + uses: actions/checkout@v4 + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.6.4 + terraform_wrapper: false + + - uses: DFE-Digital/github-actions/set-arm-environment-variables@master + with: + azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Terraform Destroy + run: | + make ci review terraform-destroy + env: + PR_NUMBER: ${{ github.event.pull_request.number }} + + - name: Post Pull Request Comment + if: ${{ github.event_name == 'pull_request' }} + uses: marocchino/sticky-pull-request-comment@v2 + with: + header: aks + message: Review app was deleted diff --git a/.github/workflows/deploy_aks.yml b/.github/workflows/deploy_aks.yml new file mode 100644 index 00000000..0a7a6c6f --- /dev/null +++ b/.github/workflows/deploy_aks.yml @@ -0,0 +1,94 @@ +name: Build and deploy to AKS cluster + +on: + push: + branches: + - master + pull_request: + branches: + - master + +concurrency: deploy-${{ github.ref }} + +jobs: + build: + runs-on: ubuntu-latest + outputs: + docker-image-tag: ${{ steps.build-image.outputs.tag }} + matrix-environments: ${{ toJSON(steps.*.outputs.matrix-environment) }} + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Setup ruby + uses: ruby/setup-ruby@v1 + with: + ruby-version: 2.7 + bundler-cache: true + + - name: Build docs with middleman + run: make build + + - name: Build and push docker image + id: build-image + uses: DFE-Digital/github-actions/build-docker-image@master + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + context: . + + - name: Prepare matrix environments review + id: matrix-env-review + if: github.event_name == 'pull_request' + run: echo "matrix-environment=review" >> $GITHUB_OUTPUT + + - name: Prepare matrix environments for production + id: matrix-env-main + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + run: | + echo "matrix-environment=production" >> $GITHUB_OUTPUT + + deploy: + name: Deploy ${{ matrix.environment }} + runs-on: ubuntu-latest + needs: [build] + environment: + name: ${{ matrix.environment }} + url: ${{ steps.get-app-url.outputs.url }} + strategy: + max-parallel: 1 + matrix: + environment: ${{ fromJSON(needs.build.outputs.matrix-environments) }} + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - uses: hashicorp/setup-terraform@v3 + with: + terraform_version: 1.6.4 + terraform_wrapper: false + + - uses: DFE-Digital/github-actions/set-arm-environment-variables@master + with: + azure-credentials: ${{ secrets.AZURE_CREDENTIALS }} + + - name: Terraform Apply + run: | + make ci ${{ matrix.environment }} terraform-apply + env: + DOCKER_IMAGE_TAG: ${{ needs.build.outputs.docker-image-tag }} + PR_NUMBER: ${{ github.event.pull_request.number }} + + - name: Get application URL + id: get-app-url + run: | + url=$(terraform -chdir=terraform/application output -raw url) + echo "url=${url}" >> $GITHUB_OUTPUT + + - name: Post comment to Pull Request ${{ github.event.number }} + if: ${{ github.event_name == 'pull_request' }} + uses: marocchino/sticky-pull-request-comment@v2 + with: + header: aks + message: Review app deployed to <${{ steps.get-app-url.outputs.url }}> diff --git a/.gitignore b/.gitignore index 5e31dc00..4456e150 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,11 @@ # Ignore vscode files .vscode/ + +# Ignore terraform files +bin/terrafile +.terraform +terraform/application/vendor +terraform/domains/environment_domains/vendor +terraform/domains/infrastructure/vendor +terraform.tfstate* diff --git a/.tool-versions b/.tool-versions index 974865fc..ea37c903 100644 --- a/.tool-versions +++ b/.tool-versions @@ -1 +1,2 @@ ruby 2.7.6 +terraform 1.6.4 diff --git a/Dockerfile b/Dockerfile index c7457e42..67bcb635 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,30 +1,3 @@ -# Use the official Ruby 2.7.6 image as the base image -FROM ruby:2.7.6 +FROM nginx:1.25.3-alpine3.18-slim -# Install Node.js and npm -RUN apt-get update && apt-get install -y nodejs npm - -# RUN apt-get install -y nodejs npm - -# Set the working directory to /app -WORKDIR /app - -# Copy the Gemfile and Gemfile.lock into the container -COPY Gemfile Gemfile.lock ./ - -# Install the required gems -RUN bundle install - -# Copy the package.json and package-lock.json into the container -COPY package*.json ./ - -# Install the required npm packages -RUN npm install - -# Copy the rest of the application code into the container -COPY . . - -EXPOSE 4567 - -# Start the application -CMD ["rails", "server", "-b", "0.0.0.0"] +COPY ./build/ /usr/share/nginx/html diff --git a/Makefile b/Makefile index 548a03c0..c56fd6a8 100644 --- a/Makefile +++ b/Makefile @@ -1,3 +1,102 @@ +TERRAFILE_VERSION=0.8 +ARM_TEMPLATE_TAG=1.1.10 +RG_TAGS={"Product" : "Teacher services cloud"} +REGION=UK South +SERVICE_NAME=technical-guidance +SERVICE_SHORT=techg +DOCKER_REPOSITORY=ghcr.io/dfe-digital/technical-guidance + +help: + @grep -E '^[a-zA-Z\._\-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}' + +review: test-cluster + $(if ${PR_NUMBER},,$(error Missing PR_NUMBER)) + $(eval ENVIRONMENT=${PR_NUMBER}) + $(eval TF_VAR_ENVIRONMENT=${PR_NUMBER}) + $(eval include global_config/review.sh) + +production: production-cluster + $(if $(or ${SKIP_CONFIRM}, ${CONFIRM_PRODUCTION}), , $(error Missing CONFIRM_PRODUCTION=yes)) + $(eval include global_config/production.sh) + +domains: + $(eval include global_config/domains.sh) + +composed-variables: + $(eval RESOURCE_GROUP_NAME=${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-rg) + $(eval KEYVAULT_NAMES='("${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-app-kv", "${AZURE_RESOURCE_PREFIX}-${SERVICE_SHORT}-${CONFIG_SHORT}-inf-kv")') + $(eval STORAGE_ACCOUNT_NAME=${AZURE_RESOURCE_PREFIX}${SERVICE_SHORT}${CONFIG_SHORT}tfsa) + +ci: + $(eval AUTO_APPROVE=-auto-approve) + $(eval SKIP_AZURE_LOGIN=true) + $(eval SKIP_CONFIRM=true) + +bin/terrafile: ## Install terrafile to manage terraform modules + curl -sL https://github.com/coretech/terrafile/releases/download/v${TERRAFILE_VERSION}/terrafile_${TERRAFILE_VERSION}_$$(uname)_x86_64.tar.gz \ + | tar xz -C ./bin terrafile + +set-azure-account: + [ "${SKIP_AZURE_LOGIN}" != "true" ] && az account set -s ${AZURE_SUBSCRIPTION} || true + +terraform-init: composed-variables bin/terrafile set-azure-account + $(if ${DOCKER_IMAGE_TAG}, , $(eval DOCKER_IMAGE_TAG=main)) + + ./bin/terrafile -p terraform/application/vendor/modules -f terraform/application/config/$(CONFIG)_Terrafile + terraform -chdir=terraform/application init -upgrade -reconfigure \ + -backend-config=resource_group_name=${RESOURCE_GROUP_NAME} \ + -backend-config=storage_account_name=${STORAGE_ACCOUNT_NAME} \ + -backend-config=key=${ENVIRONMENT}_kubernetes.tfstate + $(eval export TF_VAR_environment=${ENVIRONMENT}) + $(eval export TF_VAR_azure_resource_prefix=${AZURE_RESOURCE_PREFIX}) + $(eval export TF_VAR_config_short=${CONFIG_SHORT}) + $(eval export TF_VAR_service_name=${SERVICE_NAME}) + $(eval export TF_VAR_service_short=${SERVICE_SHORT}) + $(eval export TF_VAR_docker_image=${DOCKER_REPOSITORY}:${DOCKER_IMAGE_TAG}) + +terraform-plan: terraform-init + terraform -chdir=terraform/application plan -var-file "config/${CONFIG}.tfvars.json" + +terraform-apply: terraform-init + terraform -chdir=terraform/application apply -var-file "config/${CONFIG}.tfvars.json" ${AUTO_APPROVE} + +terraform-destroy: terraform-init + terraform -chdir=terraform/application destroy -var-file "config/${CONFIG}.tfvars.json" ${AUTO_APPROVE} + +set-what-if: + $(eval WHAT_IF=--what-if) + +arm-deployment: composed-variables set-azure-account + $(if ${DISABLE_KEYVAULTS},, $(eval KV_ARG=keyVaultNames=${KEYVAULT_NAMES})) + $(if ${ENABLE_KV_DIAGNOSTICS}, $(eval KV_DIAG_ARG=enableDiagnostics=${ENABLE_KV_DIAGNOSTICS} logAnalyticsWorkspaceName=${LOG_ANALYTICS_WORKSPACE_NAME}),) + + az deployment sub create --name "resourcedeploy-tsc-$(shell date +%Y%m%d%H%M%S)" \ + -l "${REGION}" --template-uri "https://raw.githubusercontent.com/DFE-Digital/tra-shared-services/${ARM_TEMPLATE_TAG}/azure/resourcedeploy.json" \ + --parameters "resourceGroupName=${RESOURCE_GROUP_NAME}" 'tags=${RG_TAGS}' \ + "tfStorageAccountName=${STORAGE_ACCOUNT_NAME}" "tfStorageContainerName=terraform-state" \ + ${KV_ARG} \ + ${KV_DIAG_ARG} \ + "enableKVPurgeProtection=${KV_PURGE_PROTECTION}" \ + ${WHAT_IF} + +deploy-arm-resources: arm-deployment ## Validate ARM resource deployment. Usage: make domains validate-arm-resources + +validate-arm-resources: set-what-if arm-deployment ## Validate ARM resource deployment. Usage: make domains validate-arm-resources + +test-cluster: + $(eval CLUSTER_RESOURCE_GROUP_NAME=s189t01-tsc-ts-rg) + $(eval CLUSTER_NAME=s189t01-tsc-test-aks) + +production-cluster: + $(eval CLUSTER_RESOURCE_GROUP_NAME=s189p01-tsc-pd-rg) + $(eval CLUSTER_NAME=s189p01-tsc-production-aks) + +get-cluster-credentials: set-azure-account + az aks get-credentials --overwrite-existing -g ${CLUSTER_RESOURCE_GROUP_NAME} -n ${CLUSTER_NAME} + +bin/konduit.sh: + curl -s https://raw.githubusercontent.com/DFE-Digital/teacher-services-cloud/main/scripts/konduit.sh -o bin/konduit.sh \ + && chmod +x bin/konduit.sh server: bundle exec middleman server --verbose diff --git a/bin/.gitkeep b/bin/.gitkeep new file mode 100644 index 00000000..e69de29b diff --git a/docker-compose.yml b/docker-compose.yml deleted file mode 100644 index 3d94e879..00000000 --- a/docker-compose.yml +++ /dev/null @@ -1,14 +0,0 @@ -# docker-compose.yml - -version: '3.7' - -services: - web: - build: . - command: bundle exec middleman server - volumes: - - '.:/app' - ports: - - '4567:4567' -# volumes: -# node_modules: diff --git a/global_config/production.sh b/global_config/production.sh new file mode 100644 index 00000000..0a122077 --- /dev/null +++ b/global_config/production.sh @@ -0,0 +1,6 @@ +CONFIG=production +ENVIRONMENT=production +CONFIG_SHORT=pd +AZURE_SUBSCRIPTION=s189-teacher-services-cloud-production +AZURE_RESOURCE_PREFIX=s189p01 +ENABLE_KV_DIAGNOSTICS=true diff --git a/global_config/review.sh b/global_config/review.sh new file mode 100644 index 00000000..6f2c5d5c --- /dev/null +++ b/global_config/review.sh @@ -0,0 +1,5 @@ +CONFIG=review +CONFIG_SHORT=rv +AZURE_SUBSCRIPTION=s189-teacher-services-cloud-test +AZURE_RESOURCE_PREFIX=s189t01 +KV_PURGE_PROTECTION=false diff --git a/terraform/application/.terraform.lock.hcl b/terraform/application/.terraform.lock.hcl new file mode 100644 index 00000000..6fcd3d14 --- /dev/null +++ b/terraform/application/.terraform.lock.hcl @@ -0,0 +1,44 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/azurerm" { + version = "3.82.0" + constraints = "3.82.0" + hashes = [ + "h1:Zo/EZdNd8Vubo3rSj5NTU4SwLqArsz1mqtefru/8DpQ=", + "h1:wIfGA8icS9CbbMfHQFRAUddF2/emdmvJbkTZxfEJTXg=", + "zh:2042c5485476b0b9dbcebfc01d95e1cec50b37b2c443ffd9824a4fc6a7b293bd", + "zh:3fc6753c039bac1866b90f5faf5f72edc7470cb64c1e84f830e71931dfced865", + "zh:4760c4595a5e8a07c5eef08304877909f88252c1536432e443211ae668456459", + "zh:4886aadcafcd88d036c3e36019ca3b0b39a6b7cfbd34f88fe8a544ca337af14f", + "zh:631602a5e38cb3ee8f8a2a2257e669f41ff05766a774eb19933d54ae1832c100", + "zh:6c03c113c729614598cb197415a3dd7b7d0fcb0aec9055b0491f02274e244582", + "zh:95390bd4037f695329a38ff1a736e4f03c134097d19201f89c5e6c08a11becb9", + "zh:ac1a1dd5559c53f72f89320f0cd9aeb8fc84ad1351b6578f99efc07c16486a2a", + "zh:b96d4ca8a05a1903accd5c1b16109444d05868198a4698e31c17ef7ab95c4541", + "zh:ccc5895c0579e4f5b0dc2d358579d417c21281104591f1877525d87f31079f96", + "zh:e0c496ab8f07ea381bbed86eefde47480b9b156bb022b2215c94cb01779c7076", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.24.0" + constraints = "2.24.0" + hashes = [ + "h1:8Ov9r+eCpuqY9LNjG3I8vKT0hX/FkyzuDxQySZVt9i4=", + "h1:Q8+R+wE1XMfJjIixxdBo6qVni01a/P6ceSGJ+kR2z/0=", + "zh:0ed83ec390a7e75c4990ebce698f14234de2b6204ed9a01cd042bb7ea5f26564", + "zh:195150e4fdab259c70088528006f4604557a051e037ebe8de64e92840f27e40a", + "zh:1a334af55f7a74adf033eb871c9fe7e9e648b41ab84321114ef4ca0e7a34fba6", + "zh:1ef68c3832691de21a61bf1a4e268123f3e08850712eda0b893cac908a0d1bc1", + "zh:44a1c58e5a6646e62b0bad653319c245f3b635dd03554dea2707a38f553e4a52", + "zh:54b5b374c4386f7f05b3fe986f9cb57bde4beab3bdf6ee33444f2b9a81b8af64", + "zh:aa8c2687ab784b72f8cdad8d3c3673dea83b33561e7b3f2d287ef0d06ff2a9e5", + "zh:e6ecba0503052ef3ad49ad56e17b2a73d9b55e30fcb82b040189d281e25e1a3b", + "zh:f105393f6487d3eb1f1636ba42d10c82950ddfef852244c1bca8d526fa23a9a3", + "zh:f17a8f1914ec66d80ccacecd40123362cf093abee3d3aa1ff9f8f687d8736f85", + "zh:f394b12ef01fa0bdf666a43ad152eb3890134f35e635ea056b18771c292de46e", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/terraform/application/application.tf b/terraform/application/application.tf new file mode 100644 index 00000000..8742d2d7 --- /dev/null +++ b/terraform/application/application.tf @@ -0,0 +1,36 @@ +module "application_configuration" { + source = "./vendor/modules/aks//aks/application_configuration" + + namespace = var.namespace + environment = var.environment + azure_resource_prefix = var.azure_resource_prefix + service_short = var.service_short + config_short = var.config_short + secret_key_vault_short = "app" + + # Delete for non rails apps + is_rails_application = true + + config_variables = { + ENVIRONMENT_NAME = var.environment + } + +} + +module "web_application" { + source = "./vendor/modules/aks//aks/application" + + is_web = true + + namespace = var.namespace + environment = var.environment + service_name = var.service_name + + cluster_configuration_map = module.cluster_data.configuration_map + kubernetes_config_map_name = module.application_configuration.kubernetes_config_map_name + kubernetes_secret_name = module.application_configuration.kubernetes_secret_name + web_port = 80 + probe_path = "/" + + docker_image = var.docker_image +} diff --git a/terraform/application/cluster_data.tf b/terraform/application/cluster_data.tf new file mode 100644 index 00000000..42778646 --- /dev/null +++ b/terraform/application/cluster_data.tf @@ -0,0 +1,4 @@ +module "cluster_data" { + source = "./vendor/modules/aks//aks/cluster_data" + name = var.cluster +} diff --git a/terraform/application/config/production.tfvars.json b/terraform/application/config/production.tfvars.json new file mode 100644 index 00000000..2e31c4c6 --- /dev/null +++ b/terraform/application/config/production.tfvars.json @@ -0,0 +1,5 @@ +{ + "cluster": "production", + "namespace": "tech-arch-production", + "environment": "production" +} diff --git a/terraform/application/config/production_Terrafile b/terraform/application/config/production_Terrafile new file mode 100644 index 00000000..65af53b1 --- /dev/null +++ b/terraform/application/config/production_Terrafile @@ -0,0 +1,3 @@ +aks: + source: "https://github.com/DFE-Digital/terraform-modules" + version: "main" diff --git a/terraform/application/config/review.tfvars.json b/terraform/application/config/review.tfvars.json new file mode 100644 index 00000000..6d91c5c1 --- /dev/null +++ b/terraform/application/config/review.tfvars.json @@ -0,0 +1,4 @@ +{ + "cluster": "test", + "namespace": "tech-arch-development" +} diff --git a/terraform/application/config/review_Terrafile b/terraform/application/config/review_Terrafile new file mode 100644 index 00000000..65af53b1 --- /dev/null +++ b/terraform/application/config/review_Terrafile @@ -0,0 +1,3 @@ +aks: + source: "https://github.com/DFE-Digital/terraform-modules" + version: "main" diff --git a/terraform/application/output.tf b/terraform/application/output.tf new file mode 100644 index 00000000..4398f01c --- /dev/null +++ b/terraform/application/output.tf @@ -0,0 +1,3 @@ +output "url" { + value = "https://${module.web_application.hostname}/" +} diff --git a/terraform/application/secrets.tf b/terraform/application/secrets.tf new file mode 100644 index 00000000..f3592a80 --- /dev/null +++ b/terraform/application/secrets.tf @@ -0,0 +1,8 @@ +module "infrastructure_secrets" { + source = "./vendor/modules/aks//aks/secrets" + + azure_resource_prefix = var.azure_resource_prefix + service_short = var.service_short + config_short = var.config_short + key_vault_short = "inf" +} diff --git a/terraform/application/terraform.tf b/terraform/application/terraform.tf new file mode 100644 index 00000000..5f159b1b --- /dev/null +++ b/terraform/application/terraform.tf @@ -0,0 +1,31 @@ +terraform { + required_version = "= 1.6.4" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + version = "3.82.0" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "2.24.0" + } + + } + backend "azurerm" { + container_name = "terraform-state" + } +} + +provider "azurerm" { + features {} + + skip_provider_registration = true + +} + +provider "kubernetes" { + host = module.cluster_data.kubernetes_host + client_certificate = module.cluster_data.kubernetes_client_certificate + client_key = module.cluster_data.kubernetes_client_key + cluster_ca_certificate = module.cluster_data.kubernetes_cluster_ca_certificate +} diff --git a/terraform/application/variables.tf b/terraform/application/variables.tf new file mode 100644 index 00000000..7b899b3b --- /dev/null +++ b/terraform/application/variables.tf @@ -0,0 +1,52 @@ +variable "cluster" { + description = "AKS cluster where this app is deployed. Either 'test' or 'production'" +} +variable "namespace" { + description = "AKS namespace where this app is deployed" +} +variable "environment" { + description = "Name of the deployed environment in AKS" +} +variable "azure_resource_prefix" { + description = "Standard resource prefix. Usually s189t01 (test) or s189p01 (production)" +} +variable "config_short" { + description = "Short name of the environment configuration, e.g. dv, st, pd..." +} +variable "service_name" { + description = "Full name of the service. Lowercase and hyphen separated" +} +variable "service_short" { + description = "Short name to identify the service. Up to 6 charcters." +} +variable "deploy_azure_backing_services" { + default = true + description = "Deploy real Azure backing services like databases, as opposed to containers inside of AKS" +} +variable "enable_postgres_ssl" { + default = true + description = "Enforce SSL connection from the client side" +} +variable "enable_postgres_backup_storage" { + default = false + description = "Create a storage account to store database dumps" +} +variable "docker_image" { + description = "Docker image full name to identify it in the registry. Includes docker registry, repository and tag e.g.: ghcr.io/dfe-digital/teacher-pay-calculator:673f6309fd0c907014f44d6732496ecd92a2bcd0" +} +variable "external_url" { + default = null + description = "Healthcheck URL for StatusCake monitoring" +} +variable "statuscake_contact_groups" { + default = [] + description = "ID of the contact group in statuscake web UI" +} +variable "enable_monitoring" { + default = false + description = "Enable monitoring and alerting" +} + +locals { + postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable" +}