Merge pull request #566 from NHSDigital/release/2025-04-02

Release/2025 04 02

Author: megan-bower4

.github/workflows/_deploy.yml

@@ -47,7 +47,7 @@ jobs:
           branch_name=${branch_name#*refs/tags/}
           echo "branch_name=${branch_name}" >> $GITHUB_OUTPUT
 
-  # BACKUPS_LOGIC (Source account needs layers building)
+  # Source account for immutable backups needs layers building
   build:
     runs-on: [self-hosted, ci]
     needs: get-branch-from-workflow-file
@@ -62,14 +62,14 @@ jobs:
           save-to-cache: "true"
           restore-from-cache: "false"
           cache-suffix: ${{ env.CACHE_NAME }}
-      - if: ${{ env.SCOPE != 'per_workspace' && inputs.account == 'dev'}}
+      - if: ${{ env.SCOPE != 'per_workspace' && (inputs.account == 'prod' || inputs.account == 'dev') }}
         uses: ./.github/actions/make/
         with:
           command: build
           save-to-cache: "true"
           restore-from-cache: "false"
           cache-suffix: ${{ env.CACHE_NAME }}
-      - if: ${{ env.SCOPE != 'per_workspace' && inputs.account != 'dev'}}
+      - if: ${{ env.SCOPE != 'per_workspace' && (inputs.account != 'prod' && inputs.account != 'dev' )}}
         uses: ./.github/actions/make/
         with:
           command: poetry--update

CHANGELOG.md

@@ -1,5 +1,9 @@
 # Changelog
 
+## 2025-04-02
+- [PI-872] Enable backups in PROD
+- [PI-873] Update support policy to have 2 policies
+
 ## 2025-04-01
 - [PI-848] Add info box to swaager explaining prodID usage in non-prod envs
 - [PI-870] Sonarcloud fixes

VERSION

@@ -1 +1 @@
-2025.04.01
+2025.04.02

changelog/2025-04-02.md

@@ -0,0 +1,2 @@
+- [PI-872] Enable backups in PROD
+- [PI-873] Update support policy to have 2 policies

infrastructure/terraform/per_account/backups/aws-backups.tf

@@ -1,9 +1,17 @@
-data "aws_secretsmanager_secret" "source_account_id" {
-  name = "backups-source-account-id"
+data "aws_secretsmanager_secret" "source_account_id_prod" {
+  name = "backups-source-account-id-prod"
 }
 
-data "aws_secretsmanager_secret_version" "source_account_id" {
-  secret_id = data.aws_secretsmanager_secret.source_account_id.id
+data "aws_secretsmanager_secret_version" "source_account_id_prod" {
+  secret_id = data.aws_secretsmanager_secret.source_account_id_prod.id
+}
+
+data "aws_secretsmanager_secret" "source_account_id_dev" {
+  name = "backups-source-account-id-dev"
+}
+
+data "aws_secretsmanager_secret_version" "source_account_id_dev" {
+  secret_id = data.aws_secretsmanager_secret.source_account_id_dev.id
 }
 
 
@@ -15,12 +23,33 @@ resource "aws_kms_key" "destination_backup_key" {
   enable_key_rotation     = true
 }
 
-module "destination" {
+module "destination_prod" {
+  source = "../modules/aws-backup-destination"
+
+  source_account_name     = "prod" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name - change to dev/prod
+  account_id              = var.assume_account
+  source_account_id       = data.aws_secretsmanager_secret_version.source_account_id_prod.secret_string
+  kms_key                 = aws_kms_key.destination_backup_key.arn
+  enable_vault_protection = false
+}
+
+###
+# Destination vault ARN output
+###
+
+output "destination_vault_arn_prod" {
+  # The ARN of the backup vault in the destination account is needed by
+  # the source account to copy backups into it.
+  value = module.destination_prod.vault_arn
+}
+
+
+module "destination_dev" {
   source = "../modules/aws-backup-destination"
 
-  source_account_name     = "dev" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name - change to dev/prod BACKUPS_LOGIC
+  source_account_name     = "dev" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name - change to dev/prod
   account_id              = var.assume_account
-  source_account_id       = data.aws_secretsmanager_secret_version.source_account_id.secret_string
+  source_account_id       = data.aws_secretsmanager_secret_version.source_account_id_dev.secret_string
   kms_key                 = aws_kms_key.destination_backup_key.arn
   enable_vault_protection = false
 }
@@ -29,8 +58,8 @@ module "destination" {
 # Destination vault ARN output
 ###
 
-output "destination_vault_arn" {
+output "destination_vault_arn_dev" {
   # The ARN of the backup vault in the destination account is needed by
   # the source account to copy backups into it.
-  value = module.destination.vault_arn
+  value = module.destination_dev.vault_arn
 }

infrastructure/terraform/per_account/backups/parameters/main.tf

@@ -28,8 +28,13 @@ JSON
 }
 
 
-resource "aws_secretsmanager_secret" "source-account-id-for-backup" {
-  name        = "${terraform.workspace}-source-account-id"
+resource "aws_secretsmanager_secret" "source-account-id-for-backup-prod" {
+  name        = "${terraform.workspace}-source-account-id-prod"
+  description = "ID of the account we want to backup"
+}
+
+resource "aws_secretsmanager_secret" "source-account-id-for-backup-dev" {
+  name        = "${terraform.workspace}-source-account-id-dev"
   description = "ID of the account we want to backup"
 }
 

infrastructure/terraform/per_account/dev/aws-backups.tf

@@ -1,4 +1,3 @@
-# BACKUPS_LOGIC
 data "aws_secretsmanager_secret" "destination_vault_arn" {
   name = "destination_vault_arn"
 }

infrastructure/terraform/per_account/dev/main.tf

@@ -96,7 +96,6 @@ resource "aws_route53_zone" "dev-ns" {
   name = "api.cpm.dev.national.nhs.uk"
 }
 
-# BACKUPS_LOGIC
 module "layers" {
   for_each       = toset(var.layers)
   source         = "../../modules/api_worker/api_layer"
@@ -106,7 +105,6 @@ module "layers" {
   source_path    = "${path.module}/../../../../src/layers/${each.key}/dist/${each.key}.zip"
 }
 
-# BACKUPS_LOGIC
 module "third_party_layers" {
   for_each       = toset(var.third_party_layers)
   source         = "../../modules/api_worker/api_layer"

infrastructure/terraform/per_account/dev/parameters/main.tf

@@ -55,8 +55,8 @@ resource "aws_secretsmanager_secret" "ldap-changelog-password" {
   name = "${terraform.workspace}-ldap-changelog-password"
 }
 
-resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {
-  name = "${terraform.workspace}--etl-notify-slack-webhook-url"
+resource "aws_secretsmanager_secret" "notify_slack_webhook_url" {
+  name = "${terraform.workspace}-notify-slack-webhook-url"
 }
 
 resource "aws_secretsmanager_secret" "apigee-app-client-info" {
@@ -67,12 +67,10 @@ resource "aws_secretsmanager_secret" "external-id" {
   name = "${terraform.workspace}-external-id"
 }
 
-# BACKUPS_LOGIC
 resource "aws_secretsmanager_secret" "destination_vault_arn" {
   name = "destination_vault_arn"
 }
 
-# BACKUPS_LOGIC
 resource "aws_secretsmanager_secret" "destination_account_id" {
   name = "destination_account_id"
 }

infrastructure/terraform/per_account/dev/parameters/vars.tf

@@ -30,12 +30,10 @@ variable "workspace_type" {
   default = "PERSISTENT"
 }
 
-# BACKUPS_LOGIC
 variable "layers" {
   type = list(string)
 }
 
-# BACKUPS_LOGIC
 variable "third_party_layers" {
   type = list(string)
 }