Skip to content

VED-270: Terraform fixes.#408

Merged
mfjarvis merged 22 commits intomasterfrom
VED-270-terraform-fixes
May 30, 2025
Merged

VED-270: Terraform fixes.#408
mfjarvis merged 22 commits intomasterfrom
VED-270-terraform-fixes

Conversation

@mfjarvis
Copy link
Contributor

@mfjarvis mfjarvis commented May 9, 2025
edited
Loading

Summary

  • ❗ Breaking Change
  • 🤖 Operational or Infrastructure Change
  • ⚠️ Potential issues that might be caused by this change

Main changes:

  • Consolidate non-prod and prod folders in infra Terraform
  • Move environment-specific resources from infra to instance-level Terraform:
    • DynamoDB tables (audit, delta and events)
    • Batch destination S3 buckets
    • Config S3 buckets
  • Add dynamodb:BatchGetItem permission to delta access role in non-prod environments
  • Remove redundant data sources for resources managed in the same Terraform workspace
  • Inline some policy documents for readability
  • General tidying up
  • Format everything with terraform fmt

Before merging, we'll need to import various resources into Terraform state:

# internal-dev
terraform import aws_dynamodb_table.audit-table immunisation-batch-internal-dev-audit-table
terraform import aws_dynamodb_table.delta-dynamodb-table imms-internal-dev-delta
terraform import aws_dynamodb_table.events-dynamodb-table imms-internal-dev-imms-events

terraform import aws_s3_bucket.batch_data_destination_bucket immunisation-batch-internal-dev-data-destinations
terraform import aws_s3_bucket_policy.batch_data_destination_bucket_policy immunisation-batch-internal-dev-data-destinations
terraform import aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption immunisation-batch-internal-dev-data-destinations

terraform import "aws_s3_bucket.batch_config_bucket[0]" imms-internal-dev-supplier-config
terraform import "aws_s3_bucket_public_access_block.batch_config_bucket_public_access_block[0]" imms-internal-dev-supplier-config
terraform import "aws_s3_bucket_policy.batch_config_bucket_policy[0]" imms-internal-dev-supplier-config

# int
terraform import aws_dynamodb_table.audit-table immunisation-batch-int-audit-table
terraform import aws_dynamodb_table.delta-dynamodb-table imms-int-delta
terraform import aws_dynamodb_table.events-dynamodb-table imms-int-imms-events

terraform import aws_s3_bucket.batch_data_destination_bucket immunisation-batch-int-data-destinations
terraform import aws_s3_bucket_policy.batch_data_destination_bucket_policy immunisation-batch-int-data-destinations
terraform import aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption immunisation-batch-int-data-destinations

# ref
terraform import aws_dynamodb_table.audit-table immunisation-batch-ref-audit-table
terraform import aws_dynamodb_table.delta-dynamodb-table imms-ref-delta
terraform import aws_dynamodb_table.events-dynamodb-table imms-ref-imms-events

terraform import aws_s3_bucket.batch_data_destination_bucket immunisation-batch-ref-data-destinations
terraform import aws_s3_bucket_policy.batch_data_destination_bucket_policy immunisation-batch-ref-data-destinations
terraform import aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption immunisation-batch-ref-data-destinations

# prod
terraform import aws_dynamodb_table.audit-table immunisation-batch-prod-audit-table
terraform import aws_dynamodb_table.delta-dynamodb-table imms-prod-delta
terraform import aws_dynamodb_table.events-dynamodb-table imms-prod-imms-events

terraform import aws_s3_bucket.batch_data_destination_bucket immunisation-batch-prod-data-destinations
terraform import aws_s3_bucket_policy.batch_data_destination_bucket_policy immunisation-batch-prod-data-destinations
terraform import aws_s3_bucket_server_side_encryption_configuration.s3_batch_destination_encryption immunisation-batch-prod-data-destinations
terraform import aws_s3_bucket_lifecycle_configuration.data_destinations immunisation-batch-prod-data-destinations

terraform import "aws_s3_bucket.batch_config_bucket[0]" imms-prod-supplier-config
terraform import "aws_s3_bucket_public_access_block.batch_config_bucket_public_access_block[0]" imms-prod-supplier-config
terraform import "aws_s3_bucket_policy.batch_config_bucket_policy[0]" imms-prod-supplier-config

Reviews Required

  • Dev
  • Test
  • Tech Author
  • Product Owner

Review Checklist

ℹ️ This section is to be filled in by the reviewer.

  • I have reviewed the changes in this PR and they fill all or part of the acceptance criteria of the ticket, and the code is in a mergeable state.
  • If there were infrastructure, operational, or build changes, I have made sure there is sufficient evidence that the changes will work.
  • I have ensured the changelog has been updated by the submitter, if necessary.

mfjarvis
mfjarvis commented May 23, 2025
View reviewed changes
infra/endpoints.tf
}

# TODO - remove and use the key we manage in this Terraform workspace
data "aws_kms_key" "existing_lambda_env_encryption" {
Copy link
Contributor Author

@mfjarvis mfjarvis May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seemed safest to add this in, but I'm not actually sure it's even used. The Lambda functions all seem to use the default KMS key for env var encryption.

mfjarvis
mfjarvis commented May 23, 2025
View reviewed changes
mfjarvis
mfjarvis commented May 23, 2025
View reviewed changes
terraform/mesh_processor.tf
source_arn = "arn:aws:s3:::local-immunisation-mesh"
}

# TODO - This is scoped to the bucket, so is overwritten by each deployment
Copy link
Contributor Author

@mfjarvis mfjarvis May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Create ticket for this

mfjarvis
mfjarvis commented May 23, 2025
View reviewed changes
terraform/api_gateway/logs.tf
retention_in_days = 30
}

# TODO - This is global, so is overwritten by each deployment - move to infra Terraform?
Copy link
Contributor Author

@mfjarvis mfjarvis May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Create ticket for this

mfjarvis
mfjarvis commented May 23, 2025
View reviewed changes
terraform/variables.tf
project_domain_name = data.aws_route53_zone.project_zone.name
service_domain_name = "${local.env}.${local.project_domain_name}"

# For now, only create the config bucket in internal-dev and prod as we only have one Redis instance per account.
Copy link
Contributor Author

@mfjarvis mfjarvis May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Create ticket for a better fix - if we didn't use a whole Redis instance for config, we could have one bucket per instance of the API

mfjarvis added 15 commits May 26, 2025 02:03
@mfjarvis
VED-270: WIP: Resolve duplication in infra terraform.
5c64eec
@mfjarvis
VED-270: WIP: Add removed blocks to prevent destruction of unmanaged …
875650c 
…resources.
@mfjarvis
VED-270: Only create environment-level sources bucket in prod. Make c…
ab60d38 
…omments clearer.
@mfjarvis
VED-270: Move DynamoDB resources from infra to instance Terraform.
5cf436d
@mfjarvis
VED-270: Remove some data sources for managed resources. Some tidying…
712af22 
… up.
@mfjarvis
VED-270: Replace some of the longhand table / index ARNs.
f25a678
@mfjarvis
VED-270: Format.
90fabb0
@mfjarvis
VED-270: More issues found.
2371666
@mfjarvis
VED-270: Move config and batch destination buckets to instance terraf…
c5d75c8 
…orm. Add missing BatchGetItem permission for testing in non-prod.
@mfjarvis
VED-270: Rename environment in infra terraform for clarity.
05c2418
@mfjarvis
VED-270: Remove old infra terraform. Move new infra terraform up a le…
b0b60b3 
…vel.
@mfjarvis
VED-270: Inline some policy documents for clarity.
aef7f4d
@mfjarvis
VED-270: Add more imports.
b542371
@mfjarvis
VED-270: Add mystery KMS key to non-prod KMS endpoint policy for now.
bfd89f1
@mfjarvis
VED-270: Fix float serialisation issue.
1773d5f
@mfjarvis mfjarvis force-pushed the VED-270-terraform-fixes branch from 4fe3286 to 1773d5f Compare May 26, 2025 01:08
mfjarvis
mfjarvis commented May 26, 2025
View reviewed changes
mfjarvis
mfjarvis commented May 27, 2025
View reviewed changes
@robertnovac1
Copy link
Contributor

robertnovac1 commented May 27, 2025

Generally looks really good. Sonar reported some security hotspots maybe it's worth looking into those or resolving them later. Also the docker provider is pinned to 3.0.2 in main.tf in both infra and terraform folders. Might be the cause of the issues we are seeing with debendabot

docker = { source = "kreuzwerker/docker" version = "3.0.2" }

@mfjarvis mfjarvis marked this pull request as ready for review May 30, 2025 15:41
@mfjarvis mfjarvis enabled auto-merge (squash) May 30, 2025 15:41
@sonarqubecloud
Copy link

sonarqubecloud bot commented May 30, 2025

Quality Gate Passed Quality Gate passed

Issues
5 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@mfjarvis mfjarvis merged commit 84e10aa into master May 30, 2025
8 checks passed
@mfjarvis mfjarvis deleted the VED-270-terraform-fixes branch May 30, 2025 15:53
@mfjarvis mfjarvis mentioned this pull request Jun 3, 2025
Merged
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@nhsdevws nhsdevws nhsdevws approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mfjarvis @robertnovac1 @nhsdevws