Review apps: add Terraform in support of forms-runner review apps

This Terraform is cloned from the equivalent code in forms-admin, and adjusted
for the needs of forms-runner. The code duplication is a choice we made,
because these two sets of Terraform code are only similar, and not the same bar
some parameter differences. Trying to share code between the two would cause
more problems than it solves.

Author: AP-Hunt

.github/workflows/terraform.yml

@@ -0,0 +1,37 @@
+name: "Terraform"
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - ".review_apps/**"
+  merge_group:
+    types: [checks_requested]
+env:
+  TERRAFORM_VERSION: "1.11.0"
+jobs:
+  terraform:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: ${{env.TERRAFORM_VERSION}}
+
+      - name: Check Terraform style
+        id: tf_fmt
+        working-directory: ".review_apps/"
+        run: |
+          terraform fmt -write=false -diff=true -list=true -recursive -check
+
+      - name: Lint Terraform
+        run: |
+          pip install -r .review_apps/requirements.txt
+          checkov -d .review_apps/ --framework terraform --quiet
+
+      - name: Validate Terraform syntax
+        working-directory: ".review_apps/"
+        run : |
+          terraform init -backend=false || exit
+          terraform validate

.gitignore

@@ -54,3 +54,6 @@ config/settings/*.local.yml
 config/environments/*.local.yml
 
 .DS_Store
+
+# Terraform
+.terraform/

.review_apps/.terraform-version

@@ -0,0 +1 @@
+1.11.0

.review_apps/.terraform.lock.hcl

@@ -0,0 +1,19 @@
+# Review apps
+
+The Terraform code in this directory is used to deploy a review copy of `forms-admin`.
+
+It constructs a minimal, ephemeral version of a GOV.UK Forms environment in AWS ECS that can be used for reviews, then freely destroyed. This includes: 
+
+* a copy of `forms-admin` at the commit in question
+* a copy of the version of `forms-api` currently in production
+* a local PostgreSQL database with seed data for both `forms-api` and `forms-admin`
+
+Review apps rely on a set of underlying infrastructure managed and deployed in `forms-deploy`. The Terraform will require you to be targeting the `integration` AWS account (where the `review` environment lives), and you should not override this.
+
+### State files
+Each review app uses its own Terraform state file, stored in an S3 bucket. The bucket itself is created and managed by `forms-deploy` and its name is safely assumed.
+
+### `forms-admin` container image
+The `forms-admin` container image to deploy is supplied under the `forms_admin_container_image` variable. Terraform does not build the container. It is assumed to be built and stored ahead of time.
+
+

.review_apps/README.md

@@ -0,0 +1,38 @@
+resource "aws_appautoscaling_target" "review_app" {
+  service_namespace  = "ecs"
+  resource_id        = "service/${data.terraform_remote_state.review.outputs.ecs_cluster_id}/${aws_ecs_service.app.name}"
+  scalable_dimension = "ecs:service:DesiredCount"
+
+  max_capacity = 1
+  min_capacity = 1
+}
+
+resource "aws_appautoscaling_scheduled_action" "shutdown_at_night" {
+  name = "forms-runner-pr-${var.pull_request_number}-shutdown-at-night"
+
+  service_namespace  = aws_appautoscaling_target.review_app.service_namespace
+  resource_id        = aws_appautoscaling_target.review_app.resource_id
+  scalable_dimension = aws_appautoscaling_target.review_app.scalable_dimension
+
+  schedule = "cron(0 18 * * ? *)" # daily at 1800
+
+  scalable_target_action {
+    min_capacity = 0
+    max_capacity = 0
+  }
+}
+
+resource "aws_appautoscaling_scheduled_action" "startup_weekday_mornings" {
+  name = "forms-runner-pr-${var.pull_request_number}-startup-weekday-mornings"
+
+  service_namespace  = aws_appautoscaling_target.review_app.service_namespace
+  resource_id        = aws_appautoscaling_target.review_app.resource_id
+  scalable_dimension = aws_appautoscaling_target.review_app.scalable_dimension
+
+  schedule = "cron(0 8 ? * MON-FRI *)" # Monday-Friday at 0800
+
+  scalable_target_action {
+    min_capacity = 1
+    max_capacity = 1
+  }
+}

.review_apps/app_autoscaling.tf

@@ -0,0 +1,26 @@
+##
+# Terraform remote state data resources are
+# used to read the content of a Terraform state
+# file.
+#
+# This is common pattern in the `forms-deploy`
+# codebase, and is used to share information
+# between different Terraform roots without
+# having to do any external wiring of outputs
+# to inputs.
+#
+# In this instance, we will be sharing things
+# like the subnet and security groups ids that
+# are necessary for deploying to AWS ECS. 
+##
+data "terraform_remote_state" "review" {
+  backend = "s3"
+
+  config = {
+    key    = "review.tfstate"
+    bucket = "gds-forms-integration-tfstate"
+    region = "eu-west-2"
+
+    use_lockfile = true
+  }
+}

.review_apps/dependencies.tf

@@ -0,0 +1,24 @@
+resource "aws_ecs_service" "app" {
+  #checkov:skip=CKV_AWS_332:We don't want to target "LATEST" and get a surprise when a new version is released.
+  name = "forms-runner-pr-${var.pull_request_number}"
+
+  cluster         = data.terraform_remote_state.review.outputs.ecs_cluster_id
+  task_definition = aws_ecs_task_definition.task.arn
+
+  desired_count                      = 1
+  deployment_maximum_percent         = "200"
+  deployment_minimum_healthy_percent = "100"
+  force_new_deployment               = true
+
+
+  launch_type      = "FARGATE"
+  platform_version = "1.4.0"
+
+  network_configuration {
+    subnets          = data.terraform_remote_state.review.outputs.private_subnet_ids
+    security_groups  = [data.terraform_remote_state.review.outputs.review_apps_security_group_id]
+    assign_public_ip = false
+  }
+
+  depends_on = [aws_ecs_task_definition.task]
+}