Merge pull request #615 from NHSDigital/feature/made14-NRL-619-new-qa-env

[NRL-619] Add new AWS environments for qa and qa-sandbox

Author: mattdean3-nhs

.github/workflows/pr-env-deploy.yml

@@ -217,7 +217,7 @@ jobs:
           role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Run Integration Tests
-        run: make test-features-integration TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
+        run: make test-features-integration TF_WORKSPACE_NAME=${{ needs.set-environment-id.outputs.environment_id }}
 
   performance-test:
     name: Run Performance Tests
@@ -266,7 +266,7 @@ jobs:
           role-session-name: github-actions-ci-${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Setup Environment Test Data
-        run: make test-performance-prepare TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
+        run: make test-performance-prepare TF_WORKSPACE_NAME=${{ needs.set-environment-id.outputs.environment_id }}
 
       - name: Run Performance Test - Baseline
         run: make test-performance-baseline HOST=${{ needs.set-environment-id.outputs.environment_id }}.api.record-locator.dev.national.nhs.uk ENV_TYPE=dev
@@ -284,4 +284,4 @@ jobs:
           path: dist/*.png
 
       - name: Cleanup Environment Test Data
-        run: make test-performance-cleanup TF_WORKSPACE=${{ needs.set-environment-id.outputs.environment_id }}
+        run: make test-performance-cleanup TF_WORKSPACE_NAME=${{ needs.set-environment-id.outputs.environment_id }}

Makefile

@@ -10,7 +10,7 @@ SHELL := /bin/bash
 DIST_PATH ?= ./dist
 TEST_ARGS ?= --cov --cov-report=term-missing
 FEATURE_TEST_ARGS ?= ./tests/features --format progress2
-TF_WORKSPACE ?= $(shell terraform -chdir=terraform/infrastructure workspace show)
+TF_WORKSPACE_NAME ?= $(shell terraform -chdir=terraform/infrastructure workspace show)
 ENV ?= dev
 APP_ALIAS ?= default
 
@@ -76,11 +76,11 @@ test: check-warn ## Run the unit tests
 
 test-features-integration: check-warn ## Run the BDD feature tests in the integration environment
 	@echo "Running feature tests in the integration environment"
-	behave --define="integration_test=true" --define="env=$(TF_WORKSPACE)" $(FEATURE_TEST_ARGS)
+	behave --define="integration_test=true" --define="env=$(TF_WORKSPACE_NAME)" $(FEATURE_TEST_ARGS)
 
 test-performance-prepare:
 	mkdir -p $(DIST_PATH)
-	poetry run python tests/performance/environment.py setup $(TF_WORKSPACE)
+	poetry run python tests/performance/environment.py setup $(TF_WORKSPACE_NAME)
 
 test-performance: check-warn test-performance-baseline test-performance-stress ## Run the performance tests
 
@@ -102,15 +102,11 @@ test-performance-output: ## Process outputs from the performance tests
 	poetry run python tests/performance/process_results.py stress $(DIST_PATH)/consumer-stress.csv
 
 test-performance-cleanup:
-	poetry run python tests/performance/environment.py cleanup $(TF_WORKSPACE)
-
+	poetry run python tests/performance/environment.py cleanup $(TF_WORKSPACE_NAME)
 
 lint: check-warn ## Lint the project
 	SKIP="no-commit-to-branch" pre-commit run --all-files
 
-deploy: check-deploy-warn ## Deploy the project
-	cd terraform/infrastructure && $(MAKE) ENV=$(ENV) TF_WORKSPACE=$(TF_WORKSPACE) apply
-
 clean: ## Remove all generated and temporary files
 	[ -n "$(DIST_PATH)" ] && \
 		rm -rf $(DIST_PATH)/*.zip && \

README.md

@@ -423,11 +423,11 @@ The `records` property is derived by first deploying to a specific environment,
 
 ## Sandbox
 
-The public-facing sandbox is an additional persistent workspace (`int-sandbox`) deployed in our UAT (`int` / `test`) environment, alongside the persistent workspace named `ref`. It is identical to our live API, except it is open to the world via Apigee (which implements rate limiting on our behalf).
+The public-facing sandbox is an additional persistent workspace (`int-sandbox`) deployed in our INT (`int` / `test`) environment, alongside the persistent workspace named `ref`. It is identical to our live API, except it is open to the world via Apigee (which implements rate limiting on our behalf).
 
 ### Sandbox deployment
 
-In order to deploy to a sandbox environment (`dev-sandbox`, `ref-sandbox`, `int-sandbox`, `production-sandbox`) you should use the GitHub Action for persistent environments, where you should select the option to deploy to the sandbox workspace.
+In order to deploy to a sandbox environment (`dev-sandbox`, `qa-sandbox`, `int-sandbox`) you should use the GitHub Action for persistent environments, where you should select the option to deploy to the sandbox workspace.
 
 ### Sandbox database clear and reseed
 

scripts/check-deploy-environment.sh

@@ -5,6 +5,7 @@ set -o errexit -o pipefail -o nounset
 
 : "${SHOULD_WARN_ONLY:="false"}"
 : "${ENV:="dev"}"
+: "${ENV_ACCOUNT_NAME:="dev"}"
 
 function success() {
   [ "${SHOULD_WARN_ONLY}" == "true" ] && return
@@ -41,24 +42,28 @@ done
 
 # Check the mgmt account has the environments account id
 set +e
-env_account_id="$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--${ENV}-account-id --query SecretString --output text)"
+env_account_id="$(aws secretsmanager get-secret-value --secret-id nhsd-nrlf--mgmt--${ENV_ACCOUNT_NAME}-account-id --query SecretString --output text)"
 set -e
 if [ -n "${env_account_id}" ]
 then
-    success "${ENV} account id found in mgmt account"
+    success "${ENV_ACCOUNT_NAME} account id found in mgmt account"
 else
-    warning "${ENV} account id not found in mgmt account. Check you are logged into the NRLF mgmt account."
+    warning "${ENV_ACCOUNT_NAME} account id not found in mgmt account. Check you are logged into the NRLF mgmt account."
 fi
 
 # Check the Terraform workspace is set
 set +e
 tf_workspace="$(cd terraform/infrastructure && terraform workspace show)"
 set -e
 case "${tf_workspace}" in
-    dev|int|ref|prod)
+    dev|qa|int|ref|prod)
         warning "Terraform workspace set to persistent environment '${tf_workspace}'"
+        if [ "${tf_workspace}" != "${ENV}" ]
+        then
+            warning "Terraform workspace '${tf_workspace}' does not match deployment environment '${ENV}'"
+        fi
         ;;
-    dev-sandbox|ref-sandbox|int-sandbox)
+    dev-sandbox|qa-sandbox|int-sandbox)
         warning "Terraform workspace set to sandbox environment '${tf_workspace}'"
         ;;
     account_wide|default)

scripts/get-account-name-for-env.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Get the account name for the provided NRLF environment
+set -o errexit -o nounset -o pipefail
+
+if [ $# -ne 1 ]; then
+    echo "Usage: get-account-name-for-env.sh <env>"
+    exit 1
+fi
+
+env="$1"
+
+case "${env}" in
+    dev|dev-sandbox)
+        echo "dev"
+        ;;
+    qa|qa-sandbox|ref|int|int-sandbox)
+        echo "test"
+        ;;
+    prod)
+        echo "prod"
+        ;;
+    *)
+        echo "Unknown"
+        exit 1
+esac
+
+exit 0

scripts/truststore.sh

@@ -1,13 +1,17 @@
+#!/bin/bash
+# Script to manage the NRLF truststore files
+set -o errexit -o pipefail -o nounset
+
 BUCKET="nhsd-nrlf--truststore"
 
 function _truststore_help() {
     echo
-    echo "nrlf truststore <command> [options]"
+    echo "$0 <command> [options]"
     echo
     echo "commands:"
     echo "  help                            - this help screen"
     echo "  build-ca <name> <fqdn>          - Build a single CA cert"
-    echo "  build-client <name> <ca> <fqdn> - Build a single client cert + private key"
+    echo "  build-cert <name> <ca> <fqdn>   - Build a single client cert + private key"
     echo "  build-all                       - Build the standard trust store certs"
     echo "  pull-ca <ca>                    - Pull the certificate authority"
     echo "  pull-client <env>               - pull the files needed for a client connection"
@@ -32,7 +36,7 @@ EOF
 # build a certificate authority
 function _truststore_build_ca() {
     if [ $# -ne 2 ]; then
-        echo "Usage nrlf truststore ca <name> <fqdn>"
+        echo "Usage: $0 build-ca <name> <fqdn>"
         exit 1
     fi
 
@@ -61,14 +65,14 @@ function _truststore_build_ca() {
 # buld a certificate
 function _truststore_build_cert() {
     if [ $# -ne 3 ]; then
-        echo "Usage nrlf truststore client <name> <ca> <fqdn>"
+        echo "Usage: $0 build-cert <name> <ca> <fqdn>"
         exit 1;
     fi
 
     client=$1
     ca=$2
     fqdn=$3
-    serial=$("$DATE" +%s%3N)
+    serial=$(date +%s%3N)
 
     substitute_env_in_file ./truststore/config/client.conf /tmp/client.conf
 
@@ -108,11 +112,13 @@ function _truststore_build_all() {
     _truststore_build_ca "prod" "record-locator.national.nhs.uk"
     _truststore_build_ca "int"  "record-locator.int.national.nhs.uk"
     _truststore_build_ca "ref"  "record-locator.ref.national.nhs.uk"
+    _truststore_build_ca "qa"   "qa.record-locator.national.nhs.uk"
     _truststore_build_ca "dev"  "record-locator.dev.national.nhs.uk"
 
     _truststore_build_cert "prod" "prod" "api.record-locator.national.nhs.uk"
     _truststore_build_cert "int"  "int"  "int.api.record-locator.int.national.nhs.uk"
     _truststore_build_cert "ref"  "ref"  "ref.api.record-locator.ref.national.nhs.uk"
+    _truststore_build_cert "qa"   "qa"   "api.qa.record-locator.national.nhs.uk"
     _truststore_build_cert "dev"  "dev"  "dev.api.record-locator.dev.national.nhs.uk"
 }
 
@@ -141,13 +147,13 @@ function _truststore_pull_all() {
 }
 
 function _truststore() {
-    local command=$1
-    local args=(${@:2})
+    local command=$1; shift
+    local args=$@
 
     case $command in
         "build-all") _truststore_build_all $args ;;
         "build-ca") _truststore_build_ca $args ;;
-        "build-client") _truststore_build_cert $args ;;
+        "build-cert") _truststore_build_cert $args ;;
         "pull-all") _truststore_pull_all $args ;;
         "pull-server") _truststore_pull_server $args ;;
         "pull-client") _truststore_pull_client $args ;;
@@ -156,4 +162,4 @@ function _truststore() {
     esac
 }
 
-_truststore "${@:1}"
+_truststore $@

terraform/account-wide-infrastructure/README.md

@@ -29,8 +29,8 @@ Then, initialise your terraform workspace with:
 ```shell
 $ cd ACCOUNT_NAME
 $ terraform init && ( \
-    terraform workspace new account_wide || \
-    terraform workspace select account_wide )
+    terraform workspace new ACCOUNT_NAME || \
+    terraform workspace select ACCOUNT_NAME )
 ```
 
 Replacing ACCOUNT_NAME with the name of your account, e.g `dev`, `test` etc.
@@ -68,8 +68,8 @@ Then, initialise your terraform workspace with:
 ```shell
 $ cd ACCOUNT_NAME
 $ terraform init && ( \
-    terraform workspace new account_wide || \
-    terraform workspace select account_wide )
+    terraform workspace new ACCOUNT_NAME || \
+    terraform workspace select ACCOUNT_NAME )
 ```
 
 And then, to tear down:

terraform/account-wide-infrastructure/dev/route53.tf

@@ -1,3 +1,7 @@
 resource "aws_route53_zone" "dev-ns" {
   name = "api.record-locator.dev.national.nhs.uk"
 }
+
+resource "aws_route53_zone" "NEW_dev-ns" {
+  name = "dev.record-locator.national.nhs.uk"
+}

terraform/account-wide-infrastructure/mgmt/iam__developer-role.tf

@@ -45,10 +45,7 @@ module "developer_policy" {
       Effect = "Deny"
       Resource = [
         "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/prod/*",
-        "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/test/*",
-        "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/ref/*",
         "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/mgmt/*",
-        "${data.aws_s3_bucket.terraform_state.arn}/${local.project}/dev/terraform-state-infrastructure"
       ]
     },
     {

terraform/account-wide-infrastructure/mgmt/route53.tf

@@ -81,3 +81,67 @@ resource "aws_route53_record" "dev_zone" {
   ttl  = 300
   type = "NS"
 }
+
+/**
+ * NEW DNS Zone (all under record-locator.national.nhs.uk)
+ */
+resource "aws_route53_record" "NEW_ref_zone_delegation" {
+  zone_id = aws_route53_zone.prod_zone.zone_id
+  name    = "ref.record-locator.national.nhs.uk"
+  records = [
+    "ns-1654.awsdns-14.co.uk.",
+    "ns-1328.awsdns-38.org.",
+    "ns-47.awsdns-05.com.",
+    "ns-834.awsdns-40.net."
+  ]
+  ttl  = 300
+  type = "NS"
+}
+
+resource "aws_route53_record" "NEW_int_zone_delegation" {
+  zone_id = aws_route53_zone.prod_zone.zone_id
+  name    = "int.record-locator.national.nhs.uk"
+  records = [
+    "ns-1064.awsdns-05.org.",
+    "ns-609.awsdns-12.net.",
+    "ns-2014.awsdns-59.co.uk.",
+    "ns-386.awsdns-48.com."
+  ]
+  ttl  = 300
+  type = "NS"
+}
+
+resource "aws_route53_record" "NEW_dev_zone_delegation" {
+  zone_id = aws_route53_zone.prod_zone.zone_id
+  name    = "dev.record-locator.national.nhs.uk"
+  records = [
+    "ns-1331.awsdns-38.org.",
+    "ns-160.awsdns-20.com.",
+    "ns-1900.awsdns-45.co.uk.",
+    "ns-962.awsdns-56.net."
+  ]
+  ttl  = 300
+  type = "NS"
+}
+
+// TODO-NOW - Get these QA zone changes reflected in mgmt account (w/ Tom or Kate)
+resource "aws_route53_zone" "qa_zone" {
+  name = "qa.record-locator.national.nhs.uk"
+
+  tags = {
+    Environment = terraform.workspace
+  }
+}
+
+resource "aws_route53_record" "qa_zone_delegation" {
+  zone_id = aws_route53_zone.prod_zone.zone_id
+  name    = "qa.record-locator.national.nhs.uk"
+  records = [
+    "ns-1821.awsdns-35.co.uk.",
+    "ns-1449.awsdns-53.org.",
+    "ns-933.awsdns-52.net.",
+    "ns-500.awsdns-62.com."
+  ]
+  ttl  = 300
+  type = "NS"
+}