Merge pull request #958 from NHSDigital/feature/made14-NRL-1511-ptl-dashboards-updates

NRL-1511 Pre-prod release fixups for dashboards changes

Author: mattdean3-nhs

terraform/account-wide-infrastructure/README.md

@@ -136,35 +136,20 @@ To disable reporting resources for the account, do the following:
 1. Set the `enable_reporting` variable to `true` in `./ACCOUNT_NAME/vars.tf`
 2. Deploy the account-wide infrastructure to the account
 
-#### Deploying the PowerBI Gateway
+#### Deploy the PowerBI Gateway
 
-The first time you deploy the PowerBI Gateway set up to a new account, these steps need to be followed:
+The first time you deploy the PowerBI Gateway to an AWS account you need to create, install and configure a gateway image. Instruction on how to do this can be found in [KOP-NRLF-012](https://nhsd-confluence.digital.nhs.uk/x/8BXXQg).
 
-1. Set the `enable_powerbi_auto_push` variable to `true` in `./ACCOUNT_NAME/vars.tf`
-2. Set the `use_powerbi_gw_custom_ami` variable to `false` in `./ACCOUNT_NAME/vars.tf`
-3. Deploy the account-wide infrastructure for the account
-4. Run the below CLI command, and RDP into the newly created EC2 instance (localhost:13389)
-
-```
-aws ssm start-session --target <AMI> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=13389,portNumber=3389"
-```
+To enable the PowerBI Gateway in the account:
 
-5. Install Athena ODBC driver and Power BI standard on premises gateway
-6. Configure ODBC driver to connect to relevant Athena instance
-7. Log in to the gateway using NHS email, name the cluster to nhsd-nrlf-{env}--reporting-gw
-8. Log on to power bi, navigate to Manage Connections and Gateways in settings and set up Athena connector with authentication method: Anonymous and privacy level: Private
-9. Set dataset to point to this gateway, define schedule as needed
-10. In the AWS Console, create an AMI from the instance called `PowerBI_GW`
-11. Set the `use_powerbi_gw_custom_ami` variable to `true`
-12. Deploy the account-wide infrastructure for the account
-13. Run the below CLI command, and RDP into the newly created EC2 instance (localhost:13389)
+1. Set the `enable_powerbi_auto_push` variable to `true` in `./ACCOUNT_NAME/vars.tf`
+2. Deploy the account-wide infrastructure to the account
+3. Access the EC2 Serial Console for the instance and run this command to start the PowerBI Gateway:
 
 ```
-aws ssm start-session --target <AMI> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=13389,portNumber=3389"
+Start-Service -Name "PBIEgwService"
 ```
 
-14. Start the PowerBI Gateway service on the instance
-
 To disable the PowerBI Gateway from the account:
 
 1. Set the `enable_powerbi_auto_push` variable to `false` in `./ACCOUNT_NAME/vars.tf`

terraform/account-wide-infrastructure/dev/athena.tf

@@ -3,5 +3,6 @@ module "dev-athena" {
   source             = "../modules/athena"
   name_prefix        = "nhsd-nrlf--dev"
   target_bucket_name = module.dev-glue.target_bucket_name
+  bucket_region      = data.aws_region.current.region
   glue_database      = module.dev-glue.glue_database
 }

terraform/account-wide-infrastructure/dev/data.tf

@@ -1,3 +1,5 @@
+data "aws_region" "current" {}
+
 data "aws_secretsmanager_secret_version" "identities_account_id" {
   secret_id = aws_secretsmanager_secret.identities_account_id.name
 }

terraform/account-wide-infrastructure/dev/main.tf

@@ -29,4 +29,12 @@ terraform {
     key                  = "terraform-state-account-wide-infrastructure"
     workspace_key_prefix = "nhsd-nrlf"
   }
+
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 6.0"
+    }
+  }
 }

terraform/account-wide-infrastructure/dev/outputs.tf

@@ -0,0 +1,24 @@
+output "powerbi_gw_instance_id" {
+  description = "The ID of the PowerBI Gateway EC2 instance."
+  value       = var.enable_powerbi_auto_push ? module.powerbi_gw_instance[0].instance_id : null
+}
+
+output "reporting_database_name" {
+  description = "Name of the reporting Athena database"
+  value       = var.enable_reporting ? module.dev-glue.glue_database : null
+}
+
+output "athena_workgroup_name" {
+  description = "Name of the Athena workgroup"
+  value       = var.enable_reporting ? module.dev-athena[0].workgroup_name : null
+}
+
+output "athena_s3_output_location" {
+  description = "S3 output location for Athena queries"
+  value       = var.enable_reporting ? "s3://${module.dev-athena[0].bucket.id}/" : null
+}
+
+output "athena_kms_key_arn" {
+  description = "KMS key ARN for Athena encryption"
+  value       = var.enable_reporting ? module.dev-athena[0].kms_key_arn : null
+}

terraform/account-wide-infrastructure/dev/secrets.tf

@@ -41,3 +41,13 @@ resource "aws_secretsmanager_secret" "devsandbox_environment_configuration" {
   name        = "${local.project}--dev-sandbox--env-config"
   description = "The environment configuration for the Dev Sandbox environment"
 }
+
+resource "aws_secretsmanager_secret" "powerbi_gw_instance_admin_pwd" {
+  count       = var.enable_reporting && var.enable_powerbi_auto_push ? 1 : 0
+  name        = "${local.project}--dev-powerbi-gw-instance-admin-pwd"
+  description = "Admin password for the PowerBI Gateway EC2 instance"
+}
+resource "aws_secretsmanager_secret" "powerbi_gw_recovery_key" {
+  name        = "${local.project}--dev-powerbi-gw-recovery-key"
+  description = "Recovery key for the PowerBI Gateway EC2 instance"
+}

terraform/account-wide-infrastructure/mgmt/codebuild.tf

@@ -56,7 +56,7 @@ data "aws_iam_policy_document" "codebuild_policy" {
       "secretsmanager:ListSecretVersionIds"
     ]
     resources = [
-      "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${local.project}--codebuild-github-pat-*",
+      "arn:aws:secretsmanager:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:secret:${local.project}--codebuild-github-pat-*",
     ]
   }
 

terraform/account-wide-infrastructure/modules/athena/outputs.tf

@@ -1,5 +1,5 @@
-output "workgroup" {
-  value = aws_athena_workgroup.athena
+output "workgroup_name" {
+  value = aws_athena_workgroup.athena.name
 }
 
 output "bucket" {

terraform/account-wide-infrastructure/modules/athena/vars.tf

@@ -3,6 +3,11 @@ variable "name_prefix" {
   description = "The prefix to apply to all resources in the module."
 }
 
+variable "bucket_region" {
+  type        = string
+  description = "The AWS region where the S3 bucket will be created."
+}
+
 variable "target_bucket_name" {
   type = string
 }

terraform/account-wide-infrastructure/modules/backup-source/locals.tf

@@ -1,3 +1,3 @@
 locals {
-  resource_name_prefix = "${data.aws_region.current.name}-${data.aws_caller_identity.current.account_id}-backup"
+  resource_name_prefix = "${data.aws_region.current.region}-${data.aws_caller_identity.current.account_id}-backup"
 }