Merge branch 'main' into eks-addons

.github/dependabot.yml

@@ -283,6 +283,17 @@ updates:
       include: "scope"
     reviewers:
       - "ministryofjustice/data-platform-apps-and-tools"
+  - package-ecosystem: "terraform"
+    directory: "terraform/aws/analytical-platform-data-production/cjs-dashboard-app"
+    schedule:
+      interval: "daily"
+      time: "09:00"
+      timezone: "Europe/London"
+    commit-message:
+      prefix: "terraform"
+      include: "scope"
+    reviewers:
+      - "ministryofjustice/data-platform-apps-and-tools"
   - package-ecosystem: "terraform"
     directory: "terraform/aws/analytical-platform-data-production/control-panel-message-broker"
     schedule:

.github/path-filter/terraform.yml

@@ -10,6 +10,7 @@ aws-analytical-platform-baseline: terraform/aws/analytical-platform/baseline/**
 aws-analytical-platform-data-engineering-production-10ds: terraform/aws/analytical-platform-data-engineering-production/10ds/**
 aws-analytical-platform-data-production-airflow: terraform/aws/analytical-platform-data-production/airflow/**
 aws-analytical-platform-data-production-artifact-repos: terraform/aws/analytical-platform-data-production/artifact-repos/**
+aws-analytical-platform-data-production-cjs-dashboard-app: terraform/aws/analytical-platform-data-production/cjs-dashboard-app/**
 aws-analytical-platform-data-production-control-panel-message-broker: terraform/aws/analytical-platform-data-production/control-panel-message-broker/**
 aws-analytical-platform-data-production-create-a-derived-table: terraform/aws/analytical-platform-data-production/create-a-derived-table/**
 aws-analytical-platform-data-production-openmetadata: terraform/aws/analytical-platform-data-production/openmetadata/**
@@ -23,6 +24,7 @@ aws-analytical-platform-management-production-cluster: terraform/aws/analytical-
 aws-analytical-platform-oidc: terraform/aws/analytical-platform/oidc/**
 aws-analytical-platform-production-cluster: terraform/aws/analytical-platform-production/cluster/**
 cloud-platform-live-data-platform-development-static-assets: terraform/cloud-platform/live/data-platform-development/static-assets/**
-cloud-platform-live-data-platform-production-github-actions-self-hosted-runners: terraform/cloud-platform/live/data-platform-production/github-actions-self-hosted-runners/**
+cloud-platform-live-data-platform-production-actions-runners: terraform/cloud-platform/live/data-platform-production/actions-runners/**
+dpat-eks-production-actions-runners: terraform/dpat-eks/production/actions-runners/**
 github: terraform/github/**
 pagerduty: terraform/pagerduty/**

.github/workflows/reusable-workflow-terraform.yml

@@ -51,7 +51,7 @@ jobs:
       - name: Checkov
         if: github.ref != 'refs/heads/main'
         id: terraform_static_analysis_checkov
-        uses: bridgecrewio/checkov-action@75bdfb4b5e1332c35f82eb1fbdbf1f5b35366779 # v12.2641.0
+        uses: bridgecrewio/checkov-action@d72836860bd74dda0cec7ade4df5b9ca7aabd096 # v12.2643.0
         with:
           directory: ${{ env.working-directory }}
           framework: terraform

terraform/aws/analytical-platform-data-production/cjs-dashboard-app/data.tf

@@ -0,0 +1,9 @@
+data "aws_caller_identity" "session" {
+  provider = aws.session
+}
+
+data "aws_iam_session_context" "session" {
+  provider = aws.session
+
+  arn = data.aws_caller_identity.session.arn
+}

terraform/aws/analytical-platform-data-production/cjs-dashboard-app/iam-policies.tf

@@ -0,0 +1,25 @@
+data "aws_iam_policy_document" "cjs_dashboard_app" {
+  statement {
+    sid    = "BucketAccess"
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject"
+    ]
+    resources = [
+      "arn:aws:s3:::mojap-cjs-dashboard",
+      "arn:aws:s3:::mojap-cjs-dashboard/*"
+    ]
+  }
+}
+
+module "cjs_dashboard_app_iam_policy" {
+  #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
+  version = "5.33.0"
+
+  name_prefix = "github-cjs-dashboard-app"
+
+  policy = data.aws_iam_policy_document.cjs_dashboard_app.json
+}

terraform/aws/analytical-platform-data-production/cjs-dashboard-app/iam-roles.tf

@@ -0,0 +1,14 @@
+module "cjs_dashboard_app_iam_role" {
+  #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
+  source  = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role"
+  version = "5.33.0"
+
+  name = "github-cjs-dashboard-app"
+
+  subjects = ["ministryofjustice/cjs_scorecard_exploratory_analysis:*"]
+
+  policies = {
+    cjs_dashboard_app = module.cjs_dashboard_app_iam_policy.arn
+  }
+}

terraform/aws/analytical-platform-data-production/cjs-dashboard-app/terraform.tf

@@ -0,0 +1,42 @@
+terraform {
+  backend "s3" {
+    acl            = "private"
+    bucket         = "global-tf-state-aqsvzyd5u9"
+    encrypt        = true
+    key            = "aws/analytical-platform-data-production/cjs-dashboard-app/terraform.tfstate"
+    region         = "eu-west-2"
+    dynamodb_table = "global-tf-state-aqsvzyd5u9-locks"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.32.1"
+    }
+  }
+  required_version = "~> 1.5"
+}
+
+provider "aws" {
+  alias = "session"
+}
+
+provider "aws" {
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:role/GlobalGitHubActionAdmin"
+  }
+  default_tags {
+    tags = var.tags
+  }
+}
+
+provider "aws" {
+  alias  = "analytical-platform-management-production"
+  region = "eu-west-2"
+  assume_role {
+    role_arn = can(regex("AdministratorAccess", data.aws_iam_session_context.session.issuer_arn)) ? null : "arn:aws:iam::${var.account_ids["analytical-platform-management-production"]}:role/GlobalGitHubActionAdmin"
+  }
+  default_tags {
+    tags = var.tags
+  }
+}

terraform/aws/analytical-platform-data-production/cjs-dashboard-app/terraform.tfvars

@@ -0,0 +1,15 @@
+account_ids = {
+  analytical-platform-data-production       = "593291632749"
+  analytical-platform-management-production = "042130406152"
+}
+
+tags = {
+  business-unit          = "Platforms"
+  application            = "Data Platform"
+  component              = "cjs-dashboard-app"
+  environment            = "production"
+  is-production          = "true"
+  owner                  = "data-platform:data-platform-tech@digital.justice.gov.uk"
+  infrastructure-support = "data-platform:data-platform-tech@digital.justice.gov.uk"
+  source-code            = "github.com/ministryofjustice/data-platform/terraform/aws/analytical-platform-data-production/cjs-dashboard-app"
+}

terraform/aws/analytical-platform-data-production/cjs-dashboard-app/variables.tf

@@ -0,0 +1,9 @@
+variable "account_ids" {
+  type        = map(string)
+  description = "Map of account names to account IDs"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Map of tags to apply to resources"
+}

terraform/github/data-platform-teams.tf

@@ -34,7 +34,8 @@ locals {
         "BrianEllwood",      # Brian Ellwood
         "murad-ali-MoJ",     # Murad Ali
         "EO510",             # Eki Osehenye
-        "AntFMoJ"            # Anthony Fitzroy
+        "AntFMoJ",           # Anthony Fitzroy
+        "mitchdawson1982",   # Mitch Dawson
       ]
     },
     "data-platform-labs" = {