You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+29-27Lines changed: 29 additions & 27 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -91,7 +91,7 @@ export AWS_ACCOUNT_NAME=sdp-dev
91
91
github-policy-dashboard latest 9a9cb9286a7f 51 seconds ago 906MB
92
92
```
93
93
94
-
3. Run the image locally mapping local port 8501 to container port 8501 and passing in AWS credentials to access a .pem file from AWS Secrets Manager while running container.
94
+
3. Run the image locally mapping local port 8501 to container port 8501 and passing in AWS credentials to access a `.pem` file from AWS Secrets Manager while running container.
95
95
These credentials should also allow access to S3.
96
96
97
97
```bash
@@ -139,8 +139,8 @@ When you make changes to the dashboard, a new container image must be pushed to
139
139
140
140
These instructions assume:
141
141
142
-
1. You have a repository set up in your AWS account named github-audit-dashboard.
143
-
2. You have created an AWS IAM user with permissions to read/write to ECR (e.g AmazonEC2ContainerRegistryFullAccess policy) and that you have created the necessary access keys forthis user. The credentials for this user are storedin~/.aws/credentials and can be used by accessing --profile <aws-credentials-profile\>, if these are the only credentials in your file then the profile name is _default_
142
+
1. You have a repository set up in your AWS account named `github-audit-dashboard`.
143
+
2. You have created an AWS IAM user with permissions to read/write to ECR (e.g `AmazonEC2ContainerRegistryFullAccess` policy) and that you have created the necessary access keys forthis user. The credentials for this user are storedin`~/.aws/credentials` and can be used by accessing `--profile <aws-credentials-profile\>`, if these are the only credentials in your file then the profile name is _default_
144
144
145
145
You can find the AWS repo push commands under your repository in ECR by selecting the "View Push Commands" button. This will display a guide to the following (replace <aws-credentials-profile\>, <aws-account-id\> and <version\> accordingly):
146
146
@@ -150,7 +150,7 @@ You can find the AWS repo push commands under your repository in ECR by selectin
2. Tag your latest built docker image for ECR (assumes you have run _docker build -t github-audit-dashboard ._ locally first)
153
+
2. Tag your latest built docker image for ECR (assumes you have run `docker build -t github-audit-dashboard .` locally first)
154
154
155
155
```bash
156
156
docker tag github-audit-dashboard:latest <aws-account-id>.dkr.ecr.eu-west-2.amazonaws.com/github-audit-dashboard:<version>
@@ -189,16 +189,16 @@ That infrastructure is defined in the repository [sdp-infrastructure](https://gi
189
189
190
190
The following users must be provisioned in AWS IAM:
191
191
192
-
- ecr-user
192
+
- `ecr-user`
193
193
- Used for interaction with the Elastic Container Registry from AWS cli
194
-
- ecs-app-user
195
-
- Used forterraform staging of the resources required to deploy the service
194
+
- `ecs-app-user`
195
+
- Used forTerraform staging of the resources required to deploy the service
196
196
197
197
The following groups and permissions must be defined and applied to the above users:
198
198
199
-
- ecr-user-group
199
+
- `ecr-user-group`
200
200
- EC2 Container Registry Access
201
-
- ecs-application-user-group
201
+
- `ecs-application-user-group`
202
202
- Dynamo DB Access
203
203
- EC2 Access
204
204
- ECS Access
@@ -211,36 +211,38 @@ The following groups and permissions must be defined and applied to the above us
211
211
212
212
Further to the above an IAM Role must be defined to allow ECS tasks to be executed:
213
213
214
-
- ecsTaskExecutionRole
214
+
- `ecsTaskExecutionRole`
215
215
- See the [AWS guide to create the task execution role policy](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task_execution_IAM_role.html)
216
216
217
217
#### Bootstrap for Terraform
218
218
219
-
To store the state and implement a state locking mechanism forthe service resources a Terraform backend is deployedin AWS (an S3 object and DynamoDbTable).
219
+
To store the state and implement a state locking mechanism forthe service resources, a Terraform backend is deployedin AWS (an S3 object and DynamoDbTable).
220
220
221
221
#### Running the Terraform
222
222
223
223
There are associated README files in each of the Terraform modules in this repository.
224
224
225
-
- terraform/dashboard/main.tf
225
+
- `terraform/dashboard/main.tf`
226
226
- This provisions the resources required to launch the service.
227
-
- terraform/data_logger/main.tf
227
+
- `terraform/data_logger/main.tf`
228
228
- This provisions the resources required to launch the Policy Dashboard's data collection Lambda script (data logger).
229
-
- terraform/authentication/main.tf
229
+
- `terraform/authentication/main.tf`
230
230
- This provisions the Cognito authentication used by the service.
231
231
232
-
Depending upon which environment you are deploying to you will want to run your terraform by pointing at an appropriate environment tfvars file.
232
+
Depending upon which environment you are deploying to, you will want to run your Terraform by pointing at an appropriate environment `tfvars` file.
When the service is first deployed an admin user must be created in the Cognito User Pool that was created when the authentication terraform was applied.
245
+
When the service is first deployed, an admin user must be created in the Cognito User Pool that was created when the authentication Terraform was applied.
244
246
245
247
New users are manually provisioned in the AWS Console:
246
248
@@ -316,16 +318,16 @@ make mypy
316
318
317
319
#### Allowlisting your IP
318
320
319
-
To setup the deployment pipeline with concourse, you must first allowlist your IP address on the Concourse
320
-
server. IP addresses are flushed everyday at 00:00 so this must be done at the beginning of every working day
321
-
whenever the deployment pipeline needs to be used. Follow the instructions on the Confluence page (SDP Homepage > SDP Concourse > Concourse Login) to
322
-
login. All our pipelines run on sdp-pipeline-prod, whereas sdp-pipeline-dev is the account used for
323
-
changes to Concourse instance itself. Make sure to export all necessary environment variables from sdp-pipeline-prod (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
321
+
To setup the deployment pipeline with Concourse, you must first allowlist your IP address on the Concourse server. IP addresses are flushed everyday at 00:00 so this must be done at the beginning of every working day whenever the deployment pipeline needs to be used.
322
+
323
+
Follow the instructions on the Confluence page (SDP Homepage > SDP Concourse > Concourse Login) to login.
324
+
325
+
All our pipelines run on `sdp-pipeline-prod`, whereas `sdp-pipeline-dev` is the account used forchanges to Concourse instance itself. Make sure to export all necessary environment variables from `sdp-pipeline-prod` (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN).
324
326
325
327
#### Setting up a pipeline
326
328
327
-
When setting up our pipelines, we use ecs-infra-user on sdp-dev to be able to interact with our infrastructure on AWS. The credentials for this are stored on
328
-
AWS Secrets Manager so you do not need to set up anything yourself. Since this repository has two services that need to be deployed, you can set up a seprate
329
+
When setting up our pipelines, we use `ecs-infra-user` on `sdp-dev` to be able to interact with our infrastructure on AWS. The credentials for this are stored on
330
+
AWS Secrets Manager so you do not need to set up anything yourself. Since this repository has two services that need to be deployed, you can set up a separate
329
331
pipeline for each by either specifying the pipeline name as `github-policy-dashboard` or `github-policy-lambda`.
330
332
331
333
To set the pipeline, run the following script:
@@ -348,7 +350,7 @@ If you wish to set a pipeline for another branch without checking out, you can r
348
350
./concourse/scripts/set_pipeline.sh github-policy-lambda <branch_name> # For policy lambda
349
351
```
350
352
351
-
If the branch you are deploying is "main" or "master", it will trigger a deployment to the sdp-prod environment. To set the ECR image tag, you must draft a Github release pointing to the latest release of the main/master branch that has a tag in the form of vX.Y.Z. Drafting up a release will automatically deploy the latest version of the main/master branch with the associated release tag, but you can also manually trigger a build through the Concourse UI or the terminal prompt.
353
+
If the branch you are deploying is `main`, it will trigger a deployment to the `sdp-prod` environment. To set the ECR image tag, you must draft a GitHub release pointing to the latest release of the `main` branch that has a tag in the form of `vX.Y.Z`. Drafting up a release will automatically deploy the latest version of the `main` branch with the associated release tag, but you can also manually trigger a build through the Concourse UI or the terminal prompt.
Copy file name to clipboardExpand all lines: data_logger/README.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -222,7 +222,7 @@ There are 2 parts to deployment:
222
222
223
223
Before following the instructions below, we assume that:
224
224
225
-
- An ECR repository exists on AWS that aligns with the Lambda's naming convention, `{env_name}-{lambda_name}` (these can be set within the `.tfvars` file. See [example_tfvars.txt](../terraform/data_logger/env/sandbox/example_tfvars.txt)).
225
+
- An ECR repository exists on AWS that aligns with the Lambda's naming convention, `{env_name}-{lambda_name}` (these can be set within the `.tfvars` file. See [example_tfvars.txt](../terraform/data_logger/env/dev/example_tfvars.txt)).
226
226
- The AWS account contains underlying infrastructure to deploy on top of. This infrastructure is defined within [sdp-infrastructure](https://github.com/ONS-Innovation/sdp-infrastructure) on GitHub.
227
227
- An AWS IAM user has been setup with appropriate permissions.
228
228
@@ -313,7 +313,7 @@ Within the terraform directory, there is a [service](../terraform/data_logger/)
313
313
- `env/dev/dev.tfvars` for sdp-dev.
314
314
- `env/prod/prod.tfvars` for sdp-prod.
315
315
316
-
These files can be created based on [`example_tfvars.txt`](../terraform/data_logger/env/sandbox/example_tfvars.txt).
316
+
These files can be created based on [`example_tfvars.txt`](../terraform/data_logger/env/dev/example_tfvars.txt).
317
317
318
318
**It is crucial that the completed `.tfvars` file does not get committed to GitHub.**
0 commit comments