Skip to content

Commit 4a42dbb

Browse files
authored
KEH-1231 - Remove sandbox (#50)
* Remove sandbox - Move example_tfvars files to dev Terraform folders - Update domain and container image fields in example_tfvars to dev - Update links to example_tfvars in READMEs - Delete sandbox Terraform folders - Update default Terraform variables to dev * Update README - Add missing backticks - Improve formatting - Fix typo * Fix Markdown linting * Capitalise Concourse
1 parent 1036215 commit 4a42dbb

14 files changed

Lines changed: 41 additions & 57 deletions

File tree

README.md

Lines changed: 29 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -91,7 +91,7 @@ export AWS_ACCOUNT_NAME=sdp-dev
9191
github-policy-dashboard latest 9a9cb9286a7f 51 seconds ago 906MB
9292
```
9393

94-
3. Run the image locally mapping local port 8501 to container port 8501 and passing in AWS credentials to access a .pem file from AWS Secrets Manager while running container.
94+
3. Run the image locally mapping local port 8501 to container port 8501 and passing in AWS credentials to access a `.pem` file from AWS Secrets Manager while running container.
9595
These credentials should also allow access to S3.
9696

9797
```bash
@@ -139,8 +139,8 @@ When you make changes to the dashboard, a new container image must be pushed to
139139

140140
These instructions assume:
141141

142-
1. You have a repository set up in your AWS account named github-audit-dashboard.
143-
2. You have created an AWS IAM user with permissions to read/write to ECR (e.g AmazonEC2ContainerRegistryFullAccess policy) and that you have created the necessary access keys for this user. The credentials for this user are stored in ~/.aws/credentials and can be used by accessing --profile <aws-credentials-profile\>, if these are the only credentials in your file then the profile name is _default_
142+
1. You have a repository set up in your AWS account named `github-audit-dashboard`.
143+
2. You have created an AWS IAM user with permissions to read/write to ECR (e.g `AmazonEC2ContainerRegistryFullAccess` policy) and that you have created the necessary access keys for this user. The credentials for this user are stored in `~/.aws/credentials` and can be used by accessing `--profile <aws-credentials-profile\>`, if these are the only credentials in your file then the profile name is _default_
144144

145145
You can find the AWS repo push commands under your repository in ECR by selecting the "View Push Commands" button. This will display a guide to the following (replace <aws-credentials-profile\>, <aws-account-id\> and <version\> accordingly):
146146

@@ -150,7 +150,7 @@ You can find the AWS repo push commands under your repository in ECR by selectin
150150
aws ecr --profile <aws-credentials-profile> get-login-password --region eu-west-2 | docker login --username AWS --password-stdin <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com
151151
```
152152

153-
2. Tag your latest built docker image for ECR (assumes you have run _docker build -t github-audit-dashboard ._ locally first)
153+
2. Tag your latest built docker image for ECR (assumes you have run `docker build -t github-audit-dashboard .` locally first)
154154

155155
```bash
156156
docker tag github-audit-dashboard:latest <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com/github-audit-dashboard:<version>
@@ -189,16 +189,16 @@ That infrastructure is defined in the repository [sdp-infrastructure](https://gi
189189

190190
The following users must be provisioned in AWS IAM:
191191

192-
- ecr-user
192+
- `ecr-user`
193193
- Used for interaction with the Elastic Container Registry from AWS cli
194-
- ecs-app-user
195-
- Used for terraform staging of the resources required to deploy the service
194+
- `ecs-app-user`
195+
- Used for Terraform staging of the resources required to deploy the service
196196

197197
The following groups and permissions must be defined and applied to the above users:
198198

199-
- ecr-user-group
199+
- `ecr-user-group`
200200
- EC2 Container Registry Access
201-
- ecs-application-user-group
201+
- `ecs-application-user-group`
202202
- Dynamo DB Access
203203
- EC2 Access
204204
- ECS Access
@@ -211,36 +211,38 @@ The following groups and permissions must be defined and applied to the above us
211211

212212
Further to the above an IAM Role must be defined to allow ECS tasks to be executed:
213213

214-
- ecsTaskExecutionRole
214+
- `ecsTaskExecutionRole`
215215
- See the [AWS guide to create the task execution role policy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html)
216216

217217
#### Bootstrap for Terraform
218218

219-
To store the state and implement a state locking mechanism for the service resources a Terraform backend is deployed in AWS (an S3 object and DynamoDbTable).
219+
To store the state and implement a state locking mechanism for the service resources, a Terraform backend is deployed in AWS (an S3 object and DynamoDbTable).
220220

221221
#### Running the Terraform
222222

223223
There are associated README files in each of the Terraform modules in this repository.
224224

225-
- terraform/dashboard/main.tf
225+
- `terraform/dashboard/main.tf`
226226
- This provisions the resources required to launch the service.
227-
- terraform/data_logger/main.tf
227+
- `terraform/data_logger/main.tf`
228228
- This provisions the resources required to launch the Policy Dashboard's data collection Lambda script (data logger).
229-
- terraform/authentication/main.tf
229+
- `terraform/authentication/main.tf`
230230
- This provisions the Cognito authentication used by the service.
231231
232-
Depending upon which environment you are deploying to you will want to run your terraform by pointing at an appropriate environment tfvars file.
232+
Depending upon which environment you are deploying to, you will want to run your Terraform by pointing at an appropriate environment `tfvars` file.
233233
234234
Example dashboard tfvars file:
235-
[dashboard/env/sandbox/example_tfvars.txt](./terraform/dashboard/env/sandbox/example_tfvars.txt)
235+
[dashboard/env/dev/example_tfvars.txt](./terraform/dashboard/env/dev/example_tfvars.txt)
236+
236237
Example data_logger tfvars file:
237-
[data_logger/env/sandbox/example_tfvars.txt](./terraform/data_logger/env/sandbox/example_tfvars.txt)
238+
[data_logger/env/dev/example_tfvars.txt](./terraform/data_logger/env/dev/example_tfvars.txt)
239+
238240
Example authentication tfvars file:
239-
[authentication/env/sandbox/example_tfvars.txt](./terraform/authentication/env/sandbox/example_tfvars.txt)
241+
[authentication/env/dev/example_tfvars.txt](./terraform/authentication/env/dev/example_tfvars.txt)
240242
241243
#### Provision Users
242244
243-
When the service is first deployed an admin user must be created in the Cognito User Pool that was created when the authentication terraform was applied.
245+
When the service is first deployed, an admin user must be created in the Cognito User Pool that was created when the authentication Terraform was applied.
244246
245247
New users are manually provisioned in the AWS Console:
246248
@@ -316,16 +318,16 @@ make mypy
316318

317319
#### Allowlisting your IP
318320

319-
To setup the deployment pipeline with concourse, you must first allowlist your IP address on the Concourse
320-
server. IP addresses are flushed everyday at 00:00 so this must be done at the beginning of every working day
321-
whenever the deployment pipeline needs to be used. Follow the instructions on the Confluence page (SDP Homepage > SDP Concourse > Concourse Login) to
322-
login. All our pipelines run on sdp-pipeline-prod, whereas sdp-pipeline-dev is the account used for
323-
changes to Concourse instance itself. Make sure to export all necessary environment variables from sdp-pipeline-prod (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
321+
To setup the deployment pipeline with Concourse, you must first allowlist your IP address on the Concourse server. IP addresses are flushed everyday at 00:00 so this must be done at the beginning of every working day whenever the deployment pipeline needs to be used.
322+
323+
Follow the instructions on the Confluence page (SDP Homepage > SDP Concourse > Concourse Login) to login.
324+
325+
All our pipelines run on `sdp-pipeline-prod`, whereas `sdp-pipeline-dev` is the account used for changes to Concourse instance itself. Make sure to export all necessary environment variables from `sdp-pipeline-prod` (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
324326

325327
#### Setting up a pipeline
326328

327-
When setting up our pipelines, we use ecs-infra-user on sdp-dev to be able to interact with our infrastructure on AWS. The credentials for this are stored on
328-
AWS Secrets Manager so you do not need to set up anything yourself. Since this repository has two services that need to be deployed, you can set up a seprate
329+
When setting up our pipelines, we use `ecs-infra-user` on `sdp-dev` to be able to interact with our infrastructure on AWS. The credentials for this are stored on
330+
AWS Secrets Manager so you do not need to set up anything yourself. Since this repository has two services that need to be deployed, you can set up a separate
329331
pipeline for each by either specifying the pipeline name as `github-policy-dashboard` or `github-policy-lambda`.
330332

331333
To set the pipeline, run the following script:
@@ -348,7 +350,7 @@ If you wish to set a pipeline for another branch without checking out, you can r
348350
./concourse/scripts/set_pipeline.sh github-policy-lambda <branch_name> # For policy lambda
349351
```
350352

351-
If the branch you are deploying is "main" or "master", it will trigger a deployment to the sdp-prod environment. To set the ECR image tag, you must draft a Github release pointing to the latest release of the main/master branch that has a tag in the form of vX.Y.Z. Drafting up a release will automatically deploy the latest version of the main/master branch with the associated release tag, but you can also manually trigger a build through the Concourse UI or the terminal prompt.
353+
If the branch you are deploying is `main`, it will trigger a deployment to the `sdp-prod` environment. To set the ECR image tag, you must draft a GitHub release pointing to the latest release of the `main` branch that has a tag in the form of `vX.Y.Z`. Drafting up a release will automatically deploy the latest version of the `main` branch with the associated release tag, but you can also manually trigger a build through the Concourse UI or the terminal prompt.
352354

353355
#### Triggering a pipeline
354356

data_logger/README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -222,7 +222,7 @@ There are 2 parts to deployment:
222222
223223
Before following the instructions below, we assume that:
224224
225-
- An ECR repository exists on AWS that aligns with the Lambda's naming convention, `{env_name}-{lambda_name}` (these can be set within the `.tfvars` file. See [example_tfvars.txt](../terraform/data_logger/env/sandbox/example_tfvars.txt)).
225+
- An ECR repository exists on AWS that aligns with the Lambda's naming convention, `{env_name}-{lambda_name}` (these can be set within the `.tfvars` file. See [example_tfvars.txt](../terraform/data_logger/env/dev/example_tfvars.txt)).
226226
- The AWS account contains underlying infrastructure to deploy on top of. This infrastructure is defined within [sdp-infrastructure](https://github.com/ONS-Innovation/sdp-infrastructure) on GitHub.
227227
- An AWS IAM user has been setup with appropriate permissions.
228228
@@ -313,7 +313,7 @@ Within the terraform directory, there is a [service](../terraform/data_logger/)
313313
- `env/dev/dev.tfvars` for sdp-dev.
314314
- `env/prod/prod.tfvars` for sdp-prod.
315315
316-
These files can be created based on [`example_tfvars.txt`](../terraform/data_logger/env/sandbox/example_tfvars.txt).
316+
These files can be created based on [`example_tfvars.txt`](../terraform/data_logger/env/dev/example_tfvars.txt).
317317
318318
**It is crucial that the completed `.tfvars` file does not get committed to GitHub.**
319319

terraform/authentication/env/sandbox/example_tfvars.txt renamed to terraform/authentication/env/dev/example_tfvars.txt

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22
aws_account_id = "99999999999"
33
aws_access_key_id = "AWSACCCESSKEYID"
44
aws_secret_access_key = "AWSSECRETASSOCIATEDWITHACCESSKEY"
5-
domain = "sdp-sandbox"
5+
domain = "sdp-dev"

terraform/authentication/env/sandbox/backend-sandbox.tfbackend

Lines changed: 0 additions & 6 deletions
This file was deleted.

terraform/authentication/variables.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -28,7 +28,7 @@ variable "service_title" {
2828
variable "domain" {
2929
description = "Domain"
3030
type = string
31-
default = "sdp-sandbox"
31+
default = "sdp-dev"
3232
}
3333
variable "region" {
3434
description = "AWS region"

terraform/dashboard/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ The service terraform is bootstrapped with a separate terraform state key so tha
1111
Depending upon which environment you are deploying to you will want to run your terraform by pointing at an appropriate environment tfvars file.
1212

1313
Example service tfvars file:
14-
[dashboard/env/sandbox/example_tfvars.txt](./env/sandbox/example_tfvars.txt)
14+
[dashboard/env/dev/example_tfvars.txt](./env/dev/example_tfvars.txt)
1515

1616
### Update Existing Service
1717

terraform/dashboard/env/sandbox/example_tfvars.txt renamed to terraform/dashboard/env/dev/example_tfvars.txt

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,9 +3,9 @@ aws_account_id = "999999999"
33
aws_access_key_id = "AWSACCCESSKEYID"
44
aws_secret_access_key = "AWSSECRETASSOCIATEDWITHACCESSKEY"
55
aws_secret_name = "sdp/pem"
6-
domain = "sdp-sandbox"
6+
domain = "sdp-dev"
77
service_subdomain = "policy-dashboard"
8-
container_image = "sdp-sandbox-policy-dashboard"
8+
container_image = "sdp-dev-policy-dashboard"
99
container_ver = "v0.0.1"
1010
force_deployment = "true"
1111
container_port = "8501"

terraform/dashboard/env/sandbox/backend-sandbox.tfbackend

Lines changed: 0 additions & 6 deletions
This file was deleted.

terraform/dashboard/variables.tf

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,7 +52,7 @@ variable "service_subdomain" {
5252
variable "domain" {
5353
description = "Domain"
5454
type = string
55-
default = "sdp-sandbox"
55+
default = "sdp-dev"
5656
}
5757

5858
variable "domain_extension" {

terraform/data_logger/env/dev/backend-dev.tfbackend

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
# For sandbox environment
1+
# For dev environment
22
# terraform init -backend-config="env/dev/backend-dev.tfbackend"
33
bucket = "sdp-dev-tf-state"
44
key = "sdp-dev-ecs-policy-dashboard-lambda/terraform.tfstate"

0 commit comments

Comments
 (0)