diff --git a/.github/workflows/copilot_deploy.yml b/.github/workflows/copilot_deploy.yml
index 9541575..1df9fc1 100644
--- a/.github/workflows/copilot_deploy.yml
+++ b/.github/workflows/copilot_deploy.yml
@@ -43,7 +43,7 @@ on:
 env:
 DOCKER_REGISTRY: ghcr.io
- IMAGE_NAME: "funding-service-design-form-runner"
+ IMAGE_NAME: "funding-service-design-adapter-form-runner"
 IMAGE_REPO_PATH: "ghcr.io/${{github.repository_owner}}"
 jobs:
@@ -97,7 +97,7 @@ jobs:
 tags: ${{ steps.metadata.outputs.tags}}
 labels: ${{ steps.metadata.outputs.labels }}
 push: true
- file: ./fsd_config/Dockerfile
+ file: ./runner/Dockerfile
 build-args: |
 LAST_TAG='${{env.VERSION}}'
 LAST_COMMIT='${{ github.sha }}'
@@ -114,7 +114,7 @@ jobs:
 AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
 with:
 environment: dev
- app_name: "form-runner"
+ app_name: "form-runner-adapter"
 version: sha-${{ github.sha }}
 post_dev_deploy_tests:
@@ -145,7 +145,7 @@ jobs:
 AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
 with:
 environment: "test"
- app_name: "form-runner"
+ app_name: "form-runner-adapter"
 version: sha-${{ github.sha }}
 post_test_deploy_tests:
@@ -185,7 +185,7 @@ jobs:
 AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
 with:
 environment: "uat"
- app_name: "form-runner"
+ app_name: "form-runner-adapter"
 version: sha-${{ github.sha }}
 post_uat_deploy_tests:
@@ -234,5 +234,5 @@ jobs:
 AWS_ACCOUNT: ${{ secrets.AWS_ACCOUNT }}
 with:
 environment: "prod"
- app_name: "form-runner"
+ app_name: "form-runner-adapter"
 version: sha-${{ github.sha }}
diff --git a/.gitmodules b/.gitmodules
index e512311..3ba1aae 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,3 +1,3 @@
 [submodule "digital-form-builder"]
 path = digital-form-builder
- url = git@github.com:XGovFormBuilder/digital-form-builder.git
+ url = https://github.com/XGovFormBuilder/digital-form-builder.git
diff --git a/copilot/.workspace b/copilot/.workspace
new file mode 100644
index 0000000..92b2058
--- /dev/null
+++ b/copilot/.workspace
@@ -0,0 +1 @@
+application: pre-award
diff --git a/copilot/fsd-form-runner/addons/form-runner-data.yml b/copilot/fsd-form-runner/addons/form-runner-data.yml
new file mode 100644
index 0000000..42983ad
--- /dev/null
+++ b/copilot/fsd-form-runner/addons/form-runner-data.yml
@@ -0,0 +1,120 @@
+Parameters:
+ App:
+ Type: String
+ Description: Your application's name.
+ Env:
+ Type: String
+ Description: The environment name your service, job, or workflow is being deployed to.
+ Name:
+ Type: String
+ Description: The name of the service, job, or workflow being deployed.
+
+Resources:
+ # Subnet group to control where the Redis gets placed
+ FormRunnerRedisSubnetGroup:
+ Type: AWS::ElastiCache::SubnetGroup
+ Properties:
+ Description: Group of subnets to place Redis into
+ SubnetIds:
+ !Split [",", { "Fn::ImportValue": !Sub "${App}-${Env}-PrivateSubnets" }]
+
+ # Security group to add the Redis cluster to the VPC,
+ # and to allow the Fargate containers to talk to Redis on port 6379
+ FormRunnerRedisSecurityGroup:
+ Type: AWS::EC2::SecurityGroup
+ Properties:
+ GroupDescription: "Redis Security Group"
+ VpcId:
+ Fn::ImportValue: !Sub "${App}-${Env}-VpcId"
+
+ # Enable ingress from other ECS services created within the environment.
+ FormRunnerRedisIngress:
+ Type: AWS::EC2::SecurityGroupIngress
+ Properties:
+ Description: Ingress from Fargate containers
+ GroupId: !Ref "FormRunnerRedisSecurityGroup"
+ IpProtocol: tcp
+ FromPort: 6379
+ ToPort: 6379
+ SourceSecurityGroupId:
+ Fn::ImportValue: !Sub "${App}-${Env}-EnvironmentSecurityGroup"
+
+ # Secret Storage of access credentials
+ FormRunnerRedisSecret:
+ Metadata:
+ "aws:copilot:description": "A Secrets Manager secret to store your DB credentials"
+ Type: AWS::SecretsManager::Secret
+ Properties:
+ Description: !Sub "Redis main user secret for ${AWS::StackName}"
+ GenerateSecretString:
+ SecretStringTemplate: '{"username": "redis"}'
+ GenerateStringKey: "password"
+ ExcludePunctuation: true
+ IncludeSpace: false
+ PasswordLength: 16
+
+ # Creation of the cluster itself
+ FormRunnerRedisReplicationGroup:
+ Type: AWS::ElastiCache::ReplicationGroup
+ Properties:
+ ReplicationGroupDescription: !Sub "${Env} Funding Service Form Runner"
+ AutomaticFailoverEnabled: true
+ AtRestEncryptionEnabled: true
+ TransitEncryptionEnabled: true
+ AutoMinorVersionUpgrade: true
+ MultiAZEnabled: true
+ CacheNodeType: cache.t3.micro
+ CacheSubnetGroupName: !Ref "FormRunnerRedisSubnetGroup"
+ SecurityGroupIds:
+ - !GetAtt "FormRunnerRedisSecurityGroup.GroupId"
+ Engine: redis
+ NumCacheClusters: 2
+
+ # Redis endpoint stored in SSM so that other services can retrieve the endpoint.
+ FormRunnerRedisEndpointAddressParam:
+ Type: AWS::SSM::Parameter
+ Properties:
+ Name: !Sub "/${App}/${Env}/${Name}/redis" # Other services can retrieve the endpoint from this path.
+ Type: String
+ Value: !GetAtt "FormRunnerRedisReplicationGroup.PrimaryEndPoint.Address"
+
+ FormRunnerFormUploadsBucketAccessPolicy:
+ Type: AWS::IAM::ManagedPolicy
+ Properties:
+ PolicyDocument:
+ Version: "2012-10-17"
+ Statement:
+ - Sid: S3FormUploadBucketActions
+ Effect: Allow
+ Action:
+ - s3:Get*
+ - s3:List*
+ - s3:Describe*
+ - s3:PutObject
+ - s3:PutObjectACL
+ - s3:DeleteObject
+ - s3:ReplicateObject
+ Resource:
+ - Fn::ImportValue: !Sub ${App}-${Env}-FormUploadsBucketARN
+ - !Sub
+ - "${FullBucketARN}/*"
+ - FullBucketARN:
+ Fn::ImportValue: !Sub "${App}-${Env}-FormUploadsBucketARN"
+
+Outputs:
+ FormRunnerRedisEndpoint:
+ Description: The endpoint of the redis cluster
+ Value: !GetAtt "FormRunnerRedisReplicationGroup.PrimaryEndPoint.Address"
+ Export:
+ Name: !Sub ${App}-${Env}-FormRunnerRedisEndpoint
+ FormRunnerRedisInstanceURI:
+ Description: "The URI of the redis cluster."
+ Value: !Sub
+ - "rediss://${HOSTNAME}:${PORT}"
+ - HOSTNAME: !GetAtt "FormRunnerRedisReplicationGroup.PrimaryEndPoint.Address"
+ PORT: !GetAtt "FormRunnerRedisReplicationGroup.PrimaryEndPoint.Port"
+ Export:
+ Name: !Sub ${App}-${Env}-FormRunnerRedisInstanceURI
+ FormRunnerFormUploadsBucketAccessPolicyArn:
+ Description: "The ARN of the ManagedPolicy to attach to the task role."
+ Value: !Ref FormRunnerFormUploadsBucketAccessPolicy
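Review bot: FormRunnerRedisSecret is generated but nothing in this template consumes it — FormRunnerRedisReplicationGroup enables TransitEncryptionEnabled yet sets no AuthToken, so the cluster accepts unauthenticated connections from anything the environment security group admits, and the rediss:// output carries no credential either. If the secret is meant to be the Redis AUTH token (the "redis" username template suggests so), wire it in on the replication group with `AuthToken: !Sub "{{resolve:secretsmanager:${FormRunnerRedisSecret}:SecretString:password}}"` — ExcludePunctuation and PasswordLength 16 already satisfy the AuthToken character and length constraints — and have the consumer read the password from the secret rather than from a stack export; otherwise the resource is dead and should be removed. Separately, the managed policy grants `s3:Get*`, `s3:List*`, `s3:Describe*` and `s3:PutObjectACL` on the uploads bucket; the wildcards pull in management-plane reads such as bucket policy and ACL, and object-ACL writes let the task change the visibility of uploads, so enumerating the object actions the runner actually needs (`s3:GetObject`, `s3:ListBucket`, `s3:PutObject`, `s3:DeleteObject`) keeps it at least privilege. The secret's Metadata description still reads "A Secrets Manager secret to store your DB credentials", a copy-paste leftover that should say Redis.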
diff --git a/copilot/fsd-form-runner/manifest.yml b/copilot/fsd-form-runner/manifest.yml
new file mode 100644
index 0000000..f6d78b9
--- /dev/null
+++ b/copilot/fsd-form-runner/manifest.yml
@@ -0,0 +1,127 @@
+# The manifest for the "form-runner" service.
+# Read the full specification for the "Load Balanced Web Service" type at:
+# https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/
+name: "fsd-form-runner"
+type: "Load Balanced Web Service"
+
+# Distribute traffic to your service.
+http:
+ # Requests to this path will be forwarded to your service.
+ # To match all requests you can use the "/" path.
+ path: "/"
+ # You can specify a custom health check path. The default is "/".
+ healthcheck: "/health-check"
+ alias: forms.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk
+
+# Configuration for your containers and service.
+image:
+ # Docker build arguments. For additional overrides: https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#image-build
+ location: ghcr.io/communitiesuk/runner:latest
+ # Port exposed through your container to route traffic to it.
+ port: 3009
+
+# Valid values: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-cpu-memory-error.html
+# Number of CPU units for the task.
+cpu: 1024
+# Amount of memory in MiB used by the task.
+memory: 2048
+
+# See https://aws.github.io/copilot-cli/docs/manifest/lb-web-service/#platform
+platform: linux/x86_64
+
+# Number of tasks that should be running in your service.
+count: 1
+
+# Enable running commands in your container.
+exec: true
+
+network:
+ connect: true # Enable Service Connect for intra-environment traffic between services.
+
+ # Override the network configuration with the public/private/data subnets built using terraform
+ # notification should be private (internal)
+ # vpc:
+ # placement:
+ # subnets: ["subnet-04851bdddcd8f5bbc", "subnet-0178ac1212c96b6c4"]
+
+# storage:
+# readonly_fs: true # Limit to read-only access to mounted root filesystems.
+
+# Optional fields for more advanced use-cases.
+#
+# Pass environment variables as key value pairs.
+variables:
+ ACCESSIBILITY_STATEMENT_URL: "https://frontend.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/accessibility_statement"
+ AWS_BUCKET_NAME:
+ from_cfn: ${COPILOT_APPLICATION_NAME}-${COPILOT_ENVIRONMENT_NAME}-FormUploadsBucket
+ BASIC_AUTH_ON: false
+ CONTACT_US_URL: "https://frontend.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/contact_us"
+ COOKIE_POLICY_URL: "https://frontend.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/cookie_policy"
+ FEEDBACK_LINK: "https://frontend.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/feedback"
+ JWT_REDIRECT_TO_AUTHENTICATION_URL: "https://authenticator.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/sessions/sign-out"
+ LOGOUT_URL: "https://authenticator.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/sessions/sign-out"
+ MULTIFUND_URL: "https://frontend.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/account"
+ NODE_CONFIG: '{"safelist": ["fsd-application-store"]}'
+ NODE_ENV: production
+ PRIVACY_POLICY_URL: "https://frontend.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/privacy"
+ SERVICE_START_PAGE: "https://frontend.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/account"
+ SINGLE_REDIS: true
+ JWT_AUTH_COOKIE_NAME: "fsd_user_token"
+ ELIGIBILITY_RESULT_URL: "https://frontend.${COPILOT_ENVIRONMENT_NAME}.access-funding.test.levellingup.gov.uk/eligibility-result"
+
+secrets:
+ RSA256_PUBLIC_KEY_BASE64: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/RSA256_PUBLIC_KEY_BASE64
+ SESSION_COOKIE_PASSWORD: /copilot/${COPILOT_APPLICATION_NAME}/${COPILOT_ENVIRONMENT_NAME}/secrets/SESSION_COOKIE_PASSWORD
+
+# You can override any of the values defined above by environment.
+environments:
+ dev:
+ count:
+ spot: 1
+ test:
+ deployment:
+ rolling: "recreate"
+ count:
+ spot: 2
+ uat:
+ count:
+ range: 2-4
+ cooldown:
+ in: 60s
+ out: 30s
+ cpu_percentage:
+ value: 70
+ memory_percentage:
+ value: 80
+ requests: 30
+ response_time: 2s
+ prod:
+ http:
+ alias:
+ [
+ "forms.prod.access-funding.levellingup.gov.uk",
+ "forms.access-funding.levellingup.gov.uk",
+ ]
+ hosted_zone: Z0686469NF3ZJTU9I02M
+ variables:
+ ACCESSIBILITY_STATEMENT_URL: "https://frontend.access-funding.levellingup.gov.uk/accessibility_statement"
+ BASIC_AUTH_ON: false
+ CONTACT_US_URL: "https://frontend.access-funding.levellingup.gov.uk/contact_us"
+ COOKIE_POLICY_URL: "https://frontend.access-funding.levellingup.gov.uk/cookie_policy"
+ FEEDBACK_LINK: "https://frontend.access-funding.levellingup.gov.uk/feedback"
+ JWT_REDIRECT_TO_AUTHENTICATION_URL: "https://authenticator.access-funding.levellingup.gov.uk/sessions/sign-out"
+ LOGOUT_URL: "https://authenticator.access-funding.levellingup.gov.uk/sessions/sign-out"
+ MULTIFUND_URL: "https://frontend.access-funding.levellingup.gov.uk/account"
+ PRIVACY_POLICY_URL: "https://frontend.access-funding.levellingup.gov.uk/privacy"
+ SERVICE_START_PAGE: "https://frontend.access-funding.levellingup.gov.uk/account"
+ ELIGIBILITY_RESULT_URL: "https://frontend.access-funding.levellingup.gov.uk/eligibility-result"
+ count:
+ range: 2-4
+ cooldown:
+ in: 60s
+ out: 30s
+ cpu_percentage:
+ value: 70
+ memory_percentage:
+ value: 80
+ requests: 30
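Review bot: `image.location` points at `ghcr.io/communitiesuk/runner:latest`, a mutable tag whose name does not match the `funding-service-design-adapter-form-runner` image the workflow in this commit builds and pushes as `sha-${{ github.sha }}`; unless the copilot deploy action's `version` input overrides the manifest (not visible here), every environment including prod pulls whatever `latest` resolves to at deploy time rather than the image the pipeline just tested. Pin the manifest to the `sha-…` tag the workflow pushes, or to an image digest, so the running artifact is the one that was built and can be traced back to a commit. `storage.readonly_fs: true` is left commented out and `exec: true` is on for all environments; enabling the read-only root filesystem and limiting `exec` to non-prod environments would narrow what a compromised task can do. `BASIC_AUTH_ON: false` and `SINGLE_REDIS: true` are bare YAML booleans in a block that becomes string environment variables; quoting them (`BASIC_AUTH_ON: "false"`) states the intended value explicitly instead of relying on the loader's stringification.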