First of many

.github/.github.env

@@ -2,3 +2,5 @@ COGNITO_USER_POOL_ID=rapid-pool
 RESOURCE_PREFIX=rapid
 ALLOWED_EMAIL_DOMAINS=example1.com,example2.com
 LAYERS=raw,layer
+DOMAIN_NAME=example.com
+DATA_BUCKET=the-bucket

.github/workflows/dev.yml

@@ -45,8 +45,6 @@ jobs:
       - name: Populate .env with additional vars
         run: |
           cp ./.github/.github.env .env
-          echo DOMAIN_NAME=${{ secrets.DOMAIN_NAME }} >> .env
-          echo DATA_BUCKET=${{ secrets.DATA_BUCKET }} >> .env
           echo AWS_ACCOUNT=${{ secrets.AWS_ACCOUNT }} >> .env
           echo AWS_REGION=${{ secrets.AWS_REGION }} >> .env
           echo AWS_DEFAULT_REGION=${{ secrets.AWS_REGION }} >> .env
@@ -76,7 +74,7 @@ jobs:
         run: |
           echo "TWINE_USERNAME=${{ secrets.TWINE_USERNAME_TEST }}" >> .env
           echo "TWINE_PASSWORD=${{ secrets.TWINE_PASSWORD_TEST }}" >> .env
-          echo TWINE_NON_INTERACTIVE=${{ secrets.TWINE_NON_INTERACTIVE }} >> .env
+          echo "TWINE_NON_INTERACTIVE=true" >> .env
 
       - name: Setup Python
         uses: actions/setup-python@v4

.github/workflows/main.yml

@@ -44,8 +44,6 @@ jobs:
       - name: Populate .env with additional vars
         run: |
           cp ./.github/.github.env .env
-          echo DOMAIN_NAME=${{ secrets.DOMAIN_NAME }} >> .env
-          echo DATA_BUCKET=${{ secrets.DATA_BUCKET }} >> .env
           echo AWS_ACCOUNT=${{ secrets.AWS_ACCOUNT }} >> .env
           echo AWS_REGION=${{ secrets.AWS_REGION }} >> .env
           echo AWS_DEFAULT_REGION=${{ secrets.AWS_REGION }} >> .env
@@ -69,7 +67,7 @@ jobs:
         run: make api-tag-prod-candidate
 
       - name: API Deploy Image to Prod
-        run: make api-tag-live-in-prod
+        run: make api-app-live-in-prod
 
       - name: API Allow for Application to Start
         run: sleep 120
@@ -81,6 +79,8 @@ jobs:
       - name: API E2E Tests
         id: e2e-tests
         env:
+          DOMAIN_NAME: ${{ secrets.DOMAIN_NAME }}
+          DATA_BUCKET: ${{ secrets.DATA_BUCKET }}
           COGNITO_USER_POOL_ID: ${{ secrets.COGNITO_USER_POOL_ID }}
           RESOURCE_PREFIX: ${{ secrets.RESOURCE_PREFIX }}
           ALLOWED_EMAIL_DOMAINS: ${{ secrets.ALLOWED_EMAIL_DOMAINS }}

Makefile

@@ -88,8 +88,8 @@ api-tag-and-upload-release-image:## Tag and upload the api release image
 api-tag-prod-candidate:		## Tag the uploaded api image as a candidate for PROD deployment
 	@cd api/; $(MAKE) tag-prod-candidate
 
-api-tag-live-in-prod:		## Deploy the latest version of the api
-	@cd api/; $(MAKE) tag-live-in-prod
+api-app-live-in-prod:		## Deploy the latest version of the api
+	@cd api/; $(MAKE) app-live-in-prod
 
 api-check-app-is-running:
 	@cd api/; $(MAKE) check-app-is-running

api/Makefile

@@ -1,5 +1,5 @@
-ECS_SERVICE=rapid-ecs-service
-ECS_CLUSTER=rapid-cluster
+ECS_SERVICE=rapid-preprod-ecs-service
+ECS_CLUSTER=rapid-preprod-cluster
 LATEST_COMMIT_HASH=$(shell git rev-parse --short HEAD)
 ACCOUNT_ECR_URI=$(AWS_ACCOUNT).dkr.ecr.$(AWS_REGION).amazonaws.com
 IMAGE_NAME=data-f1-registry

docs/infrastructure/deployment.md

@@ -74,9 +74,6 @@ Our infrastructure is built using AWS, so you'll need an AWS account, and access
 Follow these steps to set up the AWS profile:
 
 - [Install/Update AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
-- [Set up a named profile](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html) if you already have the AWS cli.
-
-After setting up the named profile, the current session can be checked by running ```aws sts get-caller-identity```. We have a file (`scripts/env_setup.sh) with the required exports to use the 'gov' profile. These exports have to be run when starting a new session.
 
 We use `jq` in our scripts to help the `make` targets work correctly, please [Install jq](https://stedolan.github.io/jq/download/) before running any make command.
 
@@ -184,8 +181,6 @@ In order to gain the admin privileges necessary for infrastructure changes one n
 enabled only for user's defined in `input-params.tfvars`, only after logging into the AWS console for the first time as an
 IAM user and enabling MFA.
 
-Then, to assume the role, set up the profile (`scripts/env_setup.sh`), run ```make infra-assume-role``` and follow the prompts.
-
 ### Deploying remaining infra-blocks
 
 Once the state backend has been configured, provide/change the following inputs in `input-params.tfvars`.

infrastructure/blocks/pipeline-ami/data.tf

@@ -0,0 +1,9 @@
+data "terraform_remote_state" "vpc-state" {
+  backend   = "s3"
+  workspace = "prod"
+
+  config = {
+    key    = "vpc/terraform.tfstate"
+    bucket = var.state_bucket
+  }
+}

infrastructure/scripts/initialisation-script.sh.tpl → infrastructure/blocks/pipeline-ami/install.sh

@@ -1,5 +1,3 @@
-#!/usr/bin/env bash
-
 # Enable SSM
 sudo snap install amazon-ssm-agent --classic
 sudo snap start amazon-ssm-agent
@@ -38,23 +36,3 @@ sudo apt install gh -y
 curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
 unzip awscliv2.zip
 sudo ./aws/install
-
-# ---- Start docker service
-sudo service docker start
-
-# ---- Allow ubuntu user to manage Docker service
-sudo usermod -a -G docker ubuntu
-
-# Install GitHub Actions Runner
-# Need to run these commands as the ubuntu user for correct permissions
-sudo -u ubuntu mkdir /home/ubuntu/actions-runner
-cd /home/ubuntu/actions-runner
-sudo -u ubuntu curl -o actions-runner-linux-x64-2.307.1.tar.gz -L https://github.com/actions/runner/releases/download/v2.307.1/actions-runner-linux-x64-2.307.1.tar.gz
-sudo -u ubuntu tar xzf ./actions-runner-linux-x64-2.307.1.tar.gz
-sudo -u ubuntu ./config.sh --url https://github.com/no10ds --token "${runner-registration-token}" --name Data-F1-Pipeline-Runner --unattended --replace
-
-# Run the GitHub Actions Runner
-sudo -u ubuntu ./run.sh &
-
-# # Configure the GitHub Actions Runner to start on reboot
-sudo crontab -l -u ubuntu | echo "@reboot sudo -u ubuntu /home/ubuntu/actions-runner/run.sh &" | sudo crontab -u ubuntu -

infrastructure/blocks/pipeline-ami/packer.tf

@@ -0,0 +1,25 @@
+resource "null_resource" "packer_build" {
+  triggers = {
+    sha256_ami_config  = filesha256("${path.module}/template.json")
+    sha256_ami_install = filesha256("${path.module}/install.sh")
+    version            = var.pipeline_ami_version
+  }
+
+  provisioner "local-exec" {
+    command = <<EOF
+    set -ex;
+    PACKER_LOG=1 packer validate \
+      -var "version=${var.pipeline_ami_version}" \
+      -var "subnet_id=${data.terraform_remote_state.vpc-state.outputs.public_subnets_ids[0]}" \
+      -var "vpc_id=${data.terraform_remote_state.vpc-state.outputs.vpc_id}" \
+      -var "region=${var.aws_region}" \
+      template.json
+    PACKER_LOG=1 packer build \
+      -var "version=${var.pipeline_ami_version}" \
+      -var "subnet_id=${data.terraform_remote_state.vpc-state.outputs.public_subnets_ids[0]}" \
+      -var "vpc_id=${data.terraform_remote_state.vpc-state.outputs.vpc_id}" \
+      -var "region=${var.aws_region}" \
+      template.json
+EOF
+  }
+}

infrastructure/blocks/pipeline-ami/provider.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "s3" {
+    key = "pipeline-ami/terraform.tfstate"
+  }
+}
+

infrastructure/blocks/pipeline-ami/template.json

@@ -0,0 +1,58 @@
+{
+    "variables": {
+        "version": "",
+        "region": "",
+        "subnet_id": "",
+        "vpc_id": ""
+    },
+    "builders": [
+        {
+            "ami_description": "An AMI for creating github runners",
+            "ami_name": "pipeline-ami-{{user `version`}}",
+            "instance_type": "t3.large",
+            "region": "{{user `region`}}",
+            "force_deregister": "true",
+            "force_delete_snapshot": "true",
+            "vpc_id": "{{user `vpc_id`}}",
+            "subnet_id": "{{user `subnet_id`}}",
+            "associate_public_ip_address": true,
+            "ami_block_device_mappings": [
+                {
+                    "device_name": "/dev/sda1",
+                    "encrypted": false,
+                    "volume_type": "gp2",
+                    "volume_size": 32,
+                    "delete_on_termination": true
+                }
+            ],
+            "source_ami_filter": {
+                "filters": {
+                    "name": "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*",
+                    "virtualization-type": "hvm",
+                    "root-device-type": "ebs"
+                },
+                "most_recent": true,
+                "owners": [
+                    "099720109477"
+                ]
+            },
+            "ssh_username": "ubuntu",
+            "type": "amazon-ebs"
+        }
+    ],
+    "provisioners": [
+        {
+            "inline": [
+                "echo 'Sleeping for 30 seconds to give Ubuntu enough time to initialize (otherwise, packages may fail to install).'",
+                "sleep 30"
+            ],
+            "type": "shell"
+        },
+        {
+            "scripts": [
+                "{{template_dir}}/install.sh"
+            ],
+            "type": "shell"
+        }
+    ]
+}

infrastructure/blocks/pipeline-ami/variables.tf

@@ -0,0 +1,33 @@
+variable "tags" {
+  type        = map(string)
+  description = "A common map of tags for all VPC resources that are created (for e.g. billing purposes)"
+}
+
+variable "state_bucket" {
+  type        = string
+  description = "Bucket name for backend state"
+}
+
+variable "aws_account" {
+  type        = string
+  description = "AWS Account number to host the rAPId service"
+}
+
+variable "aws_region" {
+  type        = string
+  description = "The region of the AWS Account for the rAPId service"
+}
+
+variable "version_check" {
+  description = "Ensure that you have incremented the version of the ami. Enter 'yes' to continue"
+  validation {
+    condition     = var.version_check == "yes"
+    error_message = "You must enter 'yes' to continue"
+  }
+}
+
+
+variable "pipeline_ami_version" {
+  type        = string
+  description = "The version of the pipeline AMI to use"
+}

infrastructure/blocks/pipeline/data.tf

@@ -0,0 +1,35 @@
+data "terraform_remote_state" "vpc-state" {
+  backend   = "s3"
+  workspace = "prod"
+
+  config = {
+    key    = "vpc/terraform.tfstate"
+    bucket = var.state_bucket
+  }
+}
+
+
+data "terraform_remote_state" "s3-state" {
+  backend   = "s3"
+  workspace = "prod"
+
+  config = {
+    key    = "s3/terraform.tfstate"
+    bucket = var.state_bucket
+  }
+}
+
+data "terraform_remote_state" "ecr-state" {
+  backend = "s3"
+
+  config = {
+    key    = "ecr/terraform.tfstate"
+    bucket = var.state_bucket
+  }
+}
+
+data "aws_ami" "this" {
+  most_recent = true
+  name_regex  = "pipeline-ami-${var.pipeline_ami_version}"
+  owners      = ["self"]
+}

infrastructure/blocks/pipeline/iam.tf

@@ -151,29 +151,6 @@ resource "aws_iam_policy" "pipeline_secrets_manager_access" {
   })
 }
 
-resource "aws_iam_policy" "pipeline_ssm_access" {
-  name        = "pipeline_ssm_access"
-  description = "Allow pipeline to use SSM"
-  tags        = var.tags
-
-  policy = jsonencode({
-    "Statement" : [
-      {
-        "Effect" : "Allow",
-        "Action" : [
-          "ssm:UpdateInstanceInformation",
-          "ssmmessages:CreateControlChannel",
-          "ssmmessages:CreateDataChannel",
-          "ssmmessages:OpenControlChannel",
-          "ssmmessages:OpenDataChannel"
-        ],
-        "Resource" : "*"
-      }
-    ],
-    "Version" : "2012-10-17"
-  })
-}
-
 resource "aws_iam_policy" "pipeline_dynamodb_access" {
   name        = "pipeline_dynamodb_access"
   description = "Allow pipeline to access DynamoDB"
@@ -235,11 +212,13 @@ resource "aws_iam_role" "pipeline_ecr_role" {
 EOF
 }
 
-resource "aws_iam_role_policy_attachment" "ssm_role_policy_attach" {
+
+resource "aws_iam_role_policy_attachment" "ssm_policy_attachment" {
   role       = aws_iam_role.pipeline_ecr_role.name
-  policy_arn = aws_iam_policy.pipeline_ssm_access.arn
+  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 }
 
+
 resource "aws_iam_role_policy_attachment" "ecr_role_policy_attach" {
   role       = aws_iam_role.pipeline_ecr_role.name
   policy_arn = aws_iam_policy.pipeline_ecr_access.arn

infrastructure/blocks/pipeline/initialisation-script.sh.tpl

@@ -0,0 +1,20 @@
+#!/bin/bash 
+# ---- Start docker service
+sudo service docker start
+
+# ---- Allow ubuntu user to manage Docker service
+sudo usermod -a -G docker ubuntu
+
+# Install GitHub Actions Runner
+# Need to run these commands as the ubuntu user for correct permissions
+sudo -u ubuntu mkdir /home/ubuntu/actions-runner
+cd /home/ubuntu/actions-runner
+sudo -u ubuntu curl -o actions-runner-linux-x64-2.307.1.tar.gz -L https://github.com/actions/runner/releases/download/v2.307.1/actions-runner-linux-x64-2.307.1.tar.gz
+sudo -u ubuntu tar xzf ./actions-runner-linux-x64-2.307.1.tar.gz
+sudo -u ubuntu ./config.sh --url https://github.com/no10ds --token "${runner-registration-token}" --name Data-F1-Pipeline-Runner --unattended --replace
+
+# Run the GitHub Actions Runner
+sudo -u ubuntu ./run.sh &
+
+# # Configure the GitHub Actions Runner to start on reboot
+sudo crontab -l -u ubuntu | echo "@reboot sudo -u ubuntu /home/ubuntu/actions-runner/run.sh &" | sudo crontab -u ubuntu -