diff --git a/terraform/environments/youth-justice-app-framework/backend.tf b/terraform/environments/youth-justice-app-framework/backend.tf
new file mode 100644
index 000000000..9cd59d71b
--- /dev/null
+++ b/terraform/environments/youth-justice-app-framework/backend.tf
@@ -0,0 +1,14 @@
+# Backend
+terraform {
+ # `backend` blocks do not support variables, so the following are hard-coded here:
+ # - S3 bucket name, which is created in modernisation-platform-account/s3.tf
+ backend "s3" {
+ acl = "bucket-owner-full-control"
+ bucket = "modernisation-platform-terraform-state"
+ encrypt = true
+ key = "terraform.tfstate"
+ region = "eu-west-2"
+ workspace_key_prefix = "environments/accounts/youth-justice-app-framework" # This will store the object as environments/accounts/youth-justice-app-framework/${workspace}/terraform.tfstate
+ dynamodb_table = "modernisation-platform-terraform-state-lock"
+ }
+}
diff --git a/terraform/environments/youth-justice-app-framework/base_variables.tf b/terraform/environments/youth-justice-app-framework/base_variables.tf
new file mode 100644
index 000000000..ced509673
--- /dev/null
+++ b/terraform/environments/youth-justice-app-framework/base_variables.tf
@@ -0,0 +1,5 @@
+variable "networking" {
+
+ type = list(any)
+
+}
diff --git a/terraform/environments/youth-justice-app-framework/data.tf b/terraform/environments/youth-justice-app-framework/data.tf
new file mode 100644
index 000000000..7430a89b2
--- /dev/null
+++ b/terraform/environments/youth-justice-app-framework/data.tf
@@ -0,0 +1,4 @@
+# Get the environments file from the main repository
+data "http" "environments_file" {
+ url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.application_name}.json"
+}
diff --git a/terraform/environments/youth-justice-app-framework/locals.tf b/terraform/environments/youth-justice-app-framework/locals.tf
new file mode 100644
index 000000000..a2f11fba0
--- /dev/null
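Review bot: `variable "networking"` has no `description`, and `type = list(any)` hides the shape that locals.tf and subnet_share.tf rely on (`var.networking[0].business-unit`, `.set`, `.application`), so a missing or misspelled key only surfaces as an attribute-lookup error at plan time. Adding `description = "Networking definition read from networking.auto.tfvars.json: the business-unit, subnet set and application name of this account"` documents the contract. Tightening to `type = list(object({ business-unit = string, set = string, application = string }))` would make Terraform enforce it, if the platform's variable convention allows the stricter type.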
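Review bot: `data "http" "environments_file"` does not check the response status, and locals.tf feeds `response_body` straight into `jsondecode(...).tags`, so a 404 or an error page fails later with an opaque JSON parse error instead of a clear cause. The hashicorp/http 3.x data source exposes `status_code`, so a `lifecycle { postcondition { ... } }` on the data source can fail the plan with a named message; that needs Terraform 1.2 or later, which the `~> 1.0` constraint in versions.tf permits but does not require. Separately, the file is fetched from the mutable `main` ref with no integrity check, which is presumably the platform's intended trust model; a one-line comment saying the environments file is trusted platform-owned input would make that explicit.
```hcl
data "http" "environments_file" {
  url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.application_name}.json"

  # Fail the plan with a clear message if the environments file cannot be fetched
  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "Unable to fetch the environments file from the modernisation-platform repository."
    }
  }
}
```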
+++ b/terraform/environments/youth-justice-app-framework/locals.tf 
@@ -0,0 +1,35 @@
+locals {
+
+ application_name = "youth-justice-app-framework"
+
+ environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
+
+ # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
+ # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
+ is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
+ is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction"
+ is-test = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test"
+ is-development = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development"
+
+ # Merge tags from the environment json file with additional ones
+ tags = merge(
+ jsondecode(data.http.environments_file.response_body).tags,
+ { "is-production" = local.is-production },
+ { "environment-name" = terraform.workspace },
+ { "source-code" = "https://github.com/ministryofjustice/modernisation-platform" }
+ )
+
+ environment = trimprefix(terraform.workspace, "${var.networking[0].application}-")
+ vpc_name = var.networking[0].business-unit
+ subnet_set = var.networking[0].set
+ vpc_all = "${local.vpc_name}-${local.environment}"
+ subnet_set_name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}"
+
+ is_live = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"]
+ provider_name = "core-vpc-${local.environment}"
+
+ # environment specfic variables
+ # example usage:
+ # example_data = local.application_data.accounts[local.environment].example_var
+ application_data = fileexists("./application_variables.json") ? jsondecode(file("./application_variables.json")) : {}
+}
diff --git a/terraform/environments/youth-justice-app-framework/networking.auto.tfvars.json b/terraform/environments/youth-justice-app-framework/networking.auto.tfvars.json
new file mode 100644
index 000000000..07b0eb260
--- /dev/null
+++ b/terraform/environments/youth-justice-app-framework/networking.auto.tfvars.json
@@ -0,0 +1,9 @@
+{
+ "networking": [
+ {
+ "business-unit": "",
+ "set": "",
+ "application": "youth-justice-app-framework"
+ }
+ ]
+}
diff --git a/terraform/environments/youth-justice-app-framework/providers.tf b/terraform/environments/youth-justice-app-framework/providers.tf
new file mode 100644
index 000000000..1d557a209
--- /dev/null
+++ b/terraform/environments/youth-justice-app-framework/providers.tf
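Review bot: `is_live` re-evaluates the same two `substr(terraform.workspace, ...)` comparisons that the block already computes as `local.is-production` and `local.is-preproduction`, which makes the line hard to read and easy to drift from the booleans above it. The block already references its own locals (`vpc_all` uses `local.vpc_name`), so `is_live = [local.is-production || local.is-preproduction ? "live" : "non-live"]` is equivalent and keeps the workspace classification in one place. The comment `# environment specfic variables` also has a typo (`specific`). The whole `locals` block is inside this hunk.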
@@ -0,0 +1,33 @@
+# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
+provider "aws" {
+ region = "eu-west-2"
+ assume_role {
+ role_arn = "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/ModernisationPlatformAccess"
+ }
+}
+
+# AWS provider for the Modernisation Platform, to get things from there if required
+provider "aws" {
+ alias = "modernisation-platform"
+ region = "eu-west-2"
+}
+
+# AWS provider for core-vpc-, to share VPCs into this account
+provider "aws" {
+ alias = "core-vpc"
+ region = "eu-west-2"
+
+ assume_role {
+ role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/ModernisationPlatformAccess"
+ }
+}
+
+# AWS provider for core-network-services-production, to share VPCs into this account
+provider "aws" {
+ alias = "core-network-services"
+ region = "eu-west-2"
+
+ assume_role {
+ role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/ModernisationPlatformAccess"
+ }
+}
diff --git a/terraform/environments/youth-justice-app-framework/secrets.tf b/terraform/environments/youth-justice-app-framework/secrets.tf
new file mode 100644
index 000000000..c8da4981e
--- /dev/null
+++ b/terraform/environments/youth-justice-app-framework/secrets.tf
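Review bot: The `modernisation-platform` aliased provider is the only one of the four without an `assume_role` block, so it runs on whatever ambient credentials the pipeline holds, and the comment above it should say so: `# AWS provider for the Modernisation Platform account itself; uses the caller's own credentials (no role assumption), so runs must originate from that account`. The three `assume_role` blocks set only `role_arn`; a `session_name` naming the workspace (for example `session_name = "terraform-${terraform.workspace}"`, a constructed value) would make the resulting sessions easier to attribute in CloudTrail, provided the `ModernisationPlatformAccess` role's trust policy does not constrain the session name, which may be a platform-wide decision rather than one for this file.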
@@ -0,0 +1,16 @@
+# Get modernisation account id from ssm parameter
+data "aws_ssm_parameter" "modernisation_platform_account_id" {
+ name = "modernisation_platform_account_id"
+}
+
+# Get secret by arn for environment management
+data "aws_secretsmanager_secret" "environment_management" {
+ provider = aws.modernisation-platform
+ name = "environment_management"
+}
+
+# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
+data "aws_secretsmanager_secret_version" "environment_management" {
+ provider = aws.modernisation-platform
+ secret_id = data.aws_secretsmanager_secret.environment_management.id
+}
diff --git a/terraform/environments/youth-justice-app-framework/subnet_share.tf b/terraform/environments/youth-justice-app-framework/subnet_share.tf
new file mode 100644
index 000000000..f1d64badf
--- /dev/null
+++ b/terraform/environments/youth-justice-app-framework/subnet_share.tf
@@ -0,0 +1,41 @@
+######## DO NOT EDIT - THIS FILE WILL BE OVERWRITTEN BY TERRAFORM #########
+
+data "aws_caller_identity" "current" {}
+
+
+module "ram-principal-association" {
+
+ count = (var.networking[0].set == "") ? 0 : 1
+
+ source = "../../modules/ram-principal-association"
+
+ providers = {
+ aws.share-acm = aws.core-network-services
+ aws.share-host = aws.core-vpc
+ aws.share-tenant = aws
+ }
+ principal = data.aws_caller_identity.current.account_id
+ vpc_name = var.networking[0].business-unit
+ subnet_set = var.networking[0].set
+ acm_pca = "acm-pca-${local.is_live[0]}"
+ environment = local.environment
+
+}
+
+#ram-ec2-retagging module
+module "ram-ec2-retagging" {
+
+ count = (var.networking[0].set == "") ? 0 : 1
+
+
+ source = "../../modules/ram-ec2-retagging"
+ providers = {
+ aws.share-host = aws.core-vpc
+ aws.share-tenant = aws
+ }
+
+ vpc_name = "${var.networking[0].business-unit}-${local.environment}"
+ subnet_set = var.networking[0].set
+
+ depends_on = [module.ram-principal-association[0]]
+}
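Review bot: `data "aws_ssm_parameter" "modernisation_platform_account_id"` is not referenced by any other file in this commit (providers.tf takes account IDs from the `environment_management` secret instead), and it reads through the default provider, i.e. from the target workspace account rather than the Modernisation Platform account the two secret data sources below use. If nothing outside this diff consumes it, dropping it removes an unnecessary read whose value would otherwise land in state; if it is kept because the platform seeds that parameter into every member account, a comment saying so would stop the next reader asking the same question. The comment `# Get secret by arn for environment management` also describes a lookup that is actually by `name`, so `# Look up the environment_management secret by name in the Modernisation Platform account` would be accurate.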
diff --git a/terraform/environments/youth-justice-app-framework/versions.tf b/terraform/environments/youth-justice-app-framework/versions.tf
new file mode 100644
index 000000000..6161ef3bc
--- /dev/null
+++ b/terraform/environments/youth-justice-app-framework/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ version = "~> 5.0"
+ source = "hashicorp/aws"
+ }
+ http = {
+ version = "~> 3.0"
+ source = "hashicorp/http"
+ }
+ }
+ required_version = "~> 1.0"
+}