feature/PI-872-enable_immutable_backups_on_prod Move backups source account from dev to prod

Author: megan-bower4

.github/workflows/_deploy.yml

@@ -47,7 +47,7 @@ jobs:
           branch_name=${branch_name#*refs/tags/}
           echo "branch_name=${branch_name}" >> $GITHUB_OUTPUT
 
-  # BACKUPS_LOGIC (Source account needs layers building)
+  # Source account for immutable backups needs layers building
   build:
     runs-on: [self-hosted, ci]
     needs: get-branch-from-workflow-file
@@ -62,14 +62,14 @@ jobs:
           save-to-cache: "true"
           restore-from-cache: "false"
           cache-suffix: ${{ env.CACHE_NAME }}
-      - if: ${{ env.SCOPE != 'per_workspace' && inputs.account == 'dev'}}
+      - if: ${{ env.SCOPE != 'per_workspace' && inputs.account == 'prod'}}
         uses: ./.github/actions/make/
         with:
           command: build
           save-to-cache: "true"
           restore-from-cache: "false"
           cache-suffix: ${{ env.CACHE_NAME }}
-      - if: ${{ env.SCOPE != 'per_workspace' && inputs.account != 'dev'}}
+      - if: ${{ env.SCOPE != 'per_workspace' && inputs.account != 'prod'}}
         uses: ./.github/actions/make/
         with:
           command: poetry--update

infrastructure/terraform/per_account/backups/aws-backups.tf

@@ -18,7 +18,7 @@ resource "aws_kms_key" "destination_backup_key" {
 module "destination" {
   source = "../modules/aws-backup-destination"
 
-  source_account_name     = "dev" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name - change to dev/prod BACKUPS_LOGIC
+  source_account_name     = "prod" # please note that the assigned value would be the prefix in aws_backup_vault.vault.name - change to dev/prod
   account_id              = var.assume_account
   source_account_id       = data.aws_secretsmanager_secret_version.source_account_id.secret_string
   kms_key                 = aws_kms_key.destination_backup_key.arn

infrastructure/terraform/per_account/dev/main.tf

@@ -95,23 +95,3 @@ resource "aws_s3_bucket_logging" "truststore_to_access_logs" {
 resource "aws_route53_zone" "dev-ns" {
   name = "api.cpm.dev.national.nhs.uk"
 }
-
-# BACKUPS_LOGIC
-module "layers" {
-  for_each       = toset(var.layers)
-  source         = "../../modules/api_worker/api_layer"
-  name           = each.key
-  python_version = var.python_version
-  layer_name     = "${local.project}--${replace(terraform.workspace, "_", "-")}--${replace(each.key, "_", "-")}"
-  source_path    = "${path.module}/../../../../src/layers/${each.key}/dist/${each.key}.zip"
-}
-
-# BACKUPS_LOGIC
-module "third_party_layers" {
-  for_each       = toset(var.third_party_layers)
-  source         = "../../modules/api_worker/api_layer"
-  name           = each.key
-  python_version = var.python_version
-  layer_name     = "${local.project}--${replace(terraform.workspace, "_", "-")}--${replace(each.key, "_", "-")}"
-  source_path    = "${path.module}/../../../../src/layers/third_party/dist/${each.key}.zip"
-}

infrastructure/terraform/per_account/dev/parameters/main.tf

@@ -55,24 +55,10 @@ resource "aws_secretsmanager_secret" "ldap-changelog-password" {
   name = "${terraform.workspace}-ldap-changelog-password"
 }
 
-resource "aws_secretsmanager_secret" "etl_notify_slack_webhook_url" {
-  name = "${terraform.workspace}--etl-notify-slack-webhook-url"
-}
-
 resource "aws_secretsmanager_secret" "apigee-app-client-info" {
   name = "${terraform.workspace}--apigee-app-client-info"
 }
 
 resource "aws_secretsmanager_secret" "external-id" {
   name = "${terraform.workspace}-external-id"
 }
-
-# BACKUPS_LOGIC
-resource "aws_secretsmanager_secret" "destination_vault_arn" {
-  name = "destination_vault_arn"
-}
-
-# BACKUPS_LOGIC
-resource "aws_secretsmanager_secret" "destination_account_id" {
-  name = "destination_account_id"
-}

infrastructure/terraform/per_account/dev/parameters/vars.tf

@@ -29,13 +29,3 @@ variable "workspace_type" {
   type    = string
   default = "PERSISTENT"
 }
-
-# BACKUPS_LOGIC
-variable "layers" {
-  type = list(string)
-}
-
-# BACKUPS_LOGIC
-variable "third_party_layers" {
-  type = list(string)
-}

infrastructure/terraform/per_account/dev/vars.tf

@@ -28,18 +28,3 @@ variable "budget_limit" {
   default = "1050"
   type    = string
 }
-
-# BACKUPS_LOGIC
-variable "python_version" {
-  default = "python3.12"
-}
-
-# BACKUPS_LOGIC
-variable "layers" {
-  type = list(string)
-}
-
-# BACKUPS_LOGIC
-variable "third_party_layers" {
-  type = list(string)
-}

infrastructure/terraform/per_account/modules/notify/main.tf

@@ -1,5 +1,5 @@
 data "aws_secretsmanager_secret" "slack_webhook_url" {
-  name = "${var.environment}--etl-notify-slack-webhook-url"
+  name = "${var.environment}-notify-slack-webhook-url"
 }
 
 data "aws_secretsmanager_secret_version" "slack_webhook_url" {

…terraform/per_account/dev/aws-backups.tf …erraform/per_account/prod/aws-backups.tfinfrastructure/terraform/per_account/dev/aws-backups.tf renamed to infrastructure/terraform/per_account/prod/aws-backups.tf infrastructure/terraform/per_account/dev/aws-backups.tf renamed to infrastructure/terraform/per_account/prod/aws-backups.tf

@@ -96,69 +96,20 @@ resource "aws_route53_zone" "prod-ns" {
   name = "api.cpm.national.nhs.uk"
 }
 
-module "snapshot_bucket" {
-  source  = "terraform-aws-modules/s3-bucket/aws"
-  version = "3.15.2"
-  bucket  = "${local.project}--${replace(terraform.workspace, "_", "-")}--snapshot"
-  versioning = {
-    enabled = true
-  }
-  tags = {
-    Name = "${local.project}--${replace(terraform.workspace, "_", "-")}--snapshot"
-  }
+module "layers" {
+  for_each       = toset(var.layers)
+  source         = "../../modules/api_worker/api_layer"
+  name           = each.key
+  python_version = var.python_version
+  layer_name     = "${local.project}--${replace(terraform.workspace, "_", "-")}--${replace(each.key, "_", "-")}"
+  source_path    = "${path.module}/../../../../src/layers/${each.key}/dist/${each.key}.zip"
 }
-resource "aws_s3_bucket_policy" "snapshot_bucket_policy" {
-  bucket = module.snapshot_bucket.s3_bucket_id
 
-  policy = jsonencode({
-    Version = "2012-10-17",
-    Statement = [
-      {
-        Sid    = "AWSAccessLogDeliveryWrite",
-        Effect = "Allow",
-        Principal = {
-          Service = "logging.s3.amazonaws.com"
-        },
-        Action   = "s3:PutObject",
-        Resource = "${module.snapshot_bucket.s3_bucket_arn}/*"
-      },
-      {
-        Sid    = "AWSAccessLogDeliveryAclCheck",
-        Effect = "Allow",
-        Principal = {
-          Service = "logging.s3.amazonaws.com"
-        },
-        Action   = "s3:GetBucketAcl",
-        Resource = "${module.snapshot_bucket.s3_bucket_arn}"
-      },
-      {
-        Sid       = "denyInsecureTransport",
-        Effect    = "Deny",
-        Principal = "*",
-        Action    = "s3:*",
-        Resource = [
-          "${module.snapshot_bucket.s3_bucket_arn}",
-          "${module.snapshot_bucket.s3_bucket_arn}/*"
-        ],
-        Condition = {
-          Bool = {
-            "aws:SecureTransport" = "false"
-          }
-        }
-      },
-      {
-        Sid    = "AllowDynamoDBExport",
-        Effect = "Allow",
-        Principal = {
-          Service = "dynamodb.amazonaws.com"
-        },
-        Action = [
-          "s3:PutObject",
-          "s3:AbortMultipartUpload",
-          "s3:ListMultipartUploadParts"
-        ],
-        Resource = "${module.snapshot_bucket.s3_bucket_arn}/*"
-      }
-    ]
-  })
+module "third_party_layers" {
+  for_each       = toset(var.third_party_layers)
+  source         = "../../modules/api_worker/api_layer"
+  name           = each.key
+  python_version = var.python_version
+  layer_name     = "${local.project}--${replace(terraform.workspace, "_", "-")}--${replace(each.key, "_", "-")}"
+  source_path    = "${path.module}/../../../../src/layers/third_party/dist/${each.key}.zip"
 }

infrastructure/terraform/per_account/prod/main.tf

@@ -59,6 +59,18 @@ resource "aws_secretsmanager_secret" "ldap-changelog-password" {
   name = "${terraform.workspace}-ldap-changelog-password"
 }
 
+resource "aws_secretsmanager_secret" "notify_slack_webhook_url" {
+  name = "${terraform.workspace}-notify-slack-webhook-url"
+}
+
 resource "aws_secretsmanager_secret" "external-id" {
   name = "${terraform.workspace}-external-id"
 }
+
+resource "aws_secretsmanager_secret" "destination_vault_arn" {
+  name = "destination_vault_arn"
+}
+
+resource "aws_secretsmanager_secret" "destination_account_id" {
+  name = "destination_account_id"
+}