Deploy create-a-derived-tables self-hosted runner to DPAT EKS Pro…

…duction (#2497) §Signed-off-by: Jacob Woffenden <jacob.woffenden@digital.justice.gov.uk>
ministryofjustice · Dec 15, 2023 · 8d9ce4a · 8d9ce4a
1 parent 6222be9
commit 8d9ce4a
Show file tree

Hide file tree

Showing 8 changed files with 258 additions and 2 deletions.
diff --git a/scripts/eks/terraform-authentication.sh b/scripts/eks/terraform-authentication.sh
@@ -2,9 +2,10 @@
 
 AWS_ACCOUNT_ID=${1}
 EKS_CLUSTER_NAME=${2}
+AWS_ROLE=${3}
 
 assumeRole=$(aws sts assume-role \
-  --role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/GlobalGitHubActionAdmin \
+  --role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/${AWS_ROLE} \
   --role-session-name terraform-eks-authentication)
 export assumeRole
 

diff --git a/terraform/aws/analytical-platform-data-production/create-a-derived-table/iam-roles.tf b/terraform/aws/analytical-platform-data-production/create-a-derived-table/iam-roles.tf
@@ -17,9 +17,13 @@ module "create_a_derived_table_iam_role" {
       provider_arn               = "arn:aws:iam::593291632749:oidc-provider/oidc.eks.eu-west-2.amazonaws.com/id/DF366E49809688A3B16EEC29707D8C09"
       namespace_service_accounts = ["data-platform-production:gha-shr-mojas-create-a-derived-table"]
     }
-    data-platform = {
+    data-platform-development = {
       provider_arn               = "arn:aws:iam::593291632749:oidc-provider/oidc.eks.eu-west-2.amazonaws.com/id/BEE86BED6494692D4ED31C2ED2319E13"
       namespace_service_accounts = ["github-actions:gha-shr-mojas-create-a-derived-table"]
     }
+    data-platform-production = {
+      provider_arn               = "arn:aws:iam::593291632749:oidc-provider/oidc.eks.eu-west-2.amazonaws.com/id/F147414004D7C4CF820F21F453AF80F1"
+      namespace_service_accounts = ["actions-runners:actions-runner-mojas-create-a-derived-table"]
+    }
   }
 }
diff --git a/terraform/dpat-eks/production/actions-runners/.terraform.lock.hcl b/terraform/dpat-eks/production/actions-runners/.terraform.lock.hcl
diff --git a/terraform/dpat-eks/production/actions-runners/create-a-derived-table.tf b/terraform/dpat-eks/production/actions-runners/create-a-derived-table.tf
@@ -0,0 +1,44 @@
+data "aws_secretsmanager_secret" "github_actions_self_hosted_runner_create_a_derived_table" {
+  provider = aws.analytical-platform-management-production
+
+  name = "github/actions/self-hosted-runner/create-a-derived-table"
+}
+
+data "aws_secretsmanager_secret_version" "github_actions_self_hosted_runner_create_a_derived_table" {
+  provider = aws.analytical-platform-management-production
+
+  secret_id = data.aws_secretsmanager_secret.github_actions_self_hosted_runner_create_a_derived_table.id
+}
+
+resource "helm_release" "create_a_derived_table" {
+  name       = "actions-runner-mojas-create-a-derived-table"
+  repository = "oci://ghcr.io/ministryofjustice/data-platform-charts"
+  version    = "1.0.0"
+  chart      = "actions-runner"
+  namespace  = "actions-runners"
+
+  set {
+    name  = "github.organisation"
+    value = "moj-analytical-services"
+  }
+
+  set {
+    name  = "github.repository"
+    value = "create-a-derived-table"
+  }
+
+  set {
+    name  = "github.token"
+    value = data.aws_secretsmanager_secret_version.github_actions_self_hosted_runner_create_a_derived_table.secret_string
+  }
+
+  set {
+    name  = "irsa.roleArn"
+    value = "arn:aws:iam::593291632749:role/create-a-derived-table"
+  }
+
+  set {
+    name  = "runner.labels"
+    value = "moj-data-platform"
+  }
+}
diff --git a/terraform/dpat-eks/production/actions-runners/data.tf b/terraform/dpat-eks/production/actions-runners/data.tf
@@ -0,0 +1,57 @@
+data "aws_caller_identity" "session" {
+  provider = aws.session
+}
+
+data "aws_iam_session_context" "session" {
+  provider = aws.session
+
+  arn = data.aws_caller_identity.session.arn
+}
+
+data "aws_secretsmanager_secret" "dpat_eks_production_account" {
+  provider = aws.analytical-platform-management-production
+
+  name = "dpat-eks/production/account"
+}
+
+data "aws_secretsmanager_secret_version" "dpat_eks_production_account" {
+  provider = aws.analytical-platform-management-production
+
+  secret_id = data.aws_secretsmanager_secret.dpat_eks_production_account.id
+}
+
+data "aws_secretsmanager_secret" "dpat_eks_production_cluster_name" {
+  provider = aws.analytical-platform-management-production
+
+  name = "dpat-eks/production/cluster/name"
+}
+
+data "aws_secretsmanager_secret_version" "dpat_eks_production_cluster_name" {
+  provider = aws.analytical-platform-management-production
+
+  secret_id = data.aws_secretsmanager_secret.dpat_eks_production_cluster_name.id
+}
+
+data "aws_secretsmanager_secret" "dpat_eks_production_cluster_ca_cert" {
+  provider = aws.analytical-platform-management-production
+
+  name = "dpat-eks/production/cluster/ca-cert"
+}
+
+data "aws_secretsmanager_secret_version" "dpat_eks_production_cluster_ca_cert" {
+  provider = aws.analytical-platform-management-production
+
+  secret_id = data.aws_secretsmanager_secret.dpat_eks_production_cluster_ca_cert.id
+}
+
+data "aws_secretsmanager_secret" "dpat_eks_production_cluster_endpoint" {
+  provider = aws.analytical-platform-management-production
+
+  name = "dpat-eks/production/cluster/endpoint"
+}
+
+data "aws_secretsmanager_secret_version" "dpat_eks_production_cluster_endpoint" {
+  provider = aws.analytical-platform-management-production
+
+  secret_id = data.aws_secretsmanager_secret.dpat_eks_production_cluster_endpoint.id
+}
diff --git a/terraform/dpat-eks/production/actions-runners/terraform.tf b/terraform/dpat-eks/production/actions-runners/terraform.tf
@@ -0,0 +1,62 @@
+terraform {
+  backend "s3" {
+    acl            = "private"
+    bucket         = "global-tf-state-aqsvzyd5u9"
+    encrypt        = true
+    key            = "terraform/dpat-eks/production/actions-runners/terraform.tfstate"
+    region         = "eu-west-2"
+    dynamodb_table = "global-tf-state-aqsvzyd5u9-locks"
+  }
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "5.31.0"
+    }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "2.24.0"
+    }
+    helm = {
+      source  = "hashicorp/helm"
+      version = "2.12.1"
+    }
+  }
+  required_version = "~> 1.5"
+}
+
+provider "aws" {
+  alias = "session"
+}
+
+provider "aws" {
+  alias  = "analytical-platform-management-production"
+  region = "eu-west-2"
+  assume_role {
+    role_arn = can(regex("AdministratorAccess", data.aws_iam_session_context.session.issuer_arn)) ? null : "arn:aws:iam::${var.account_ids["analytical-platform-management-production"]}:role/GlobalGitHubActionAdmin"
+  }
+  default_tags {
+    tags = var.tags
+  }
+}
+
+provider "kubernetes" {
+  host                   = data.aws_secretsmanager_secret_version.dpat_eks_production_cluster_endpoint.secret_string
+  cluster_ca_certificate = base64decode(data.aws_secretsmanager_secret_version.dpat_eks_production_cluster_ca_cert.secret_string)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "bash"
+    args        = ["../../../../scripts/eks/terraform-authentication.sh", data.aws_secretsmanager_secret_version.dpat_eks_production_account.secret_string, data.aws_secretsmanager_secret_version.dpat_eks_production_cluster_name.secret_string, "data-platform-eks-access"]
+  }
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = data.aws_secretsmanager_secret_version.dpat_eks_production_cluster_endpoint.secret_string
+    cluster_ca_certificate = base64decode(data.aws_secretsmanager_secret_version.dpat_eks_production_cluster_ca_cert.secret_string)
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "bash"
+      args        = ["../../../../scripts/eks/terraform-authentication.sh", data.aws_secretsmanager_secret_version.dpat_eks_production_account.secret_string, data.aws_secretsmanager_secret_version.dpat_eks_production_cluster_name.secret_string, "data-platform-eks-access"]
+    }
+  }
+}
diff --git a/terraform/dpat-eks/production/actions-runners/terraform.tfvars b/terraform/dpat-eks/production/actions-runners/terraform.tfvars
@@ -0,0 +1,14 @@
+account_ids = {
+  analytical-platform-management-production = "042130406152"
+}
+
+tags = {
+  business-unit          = "Platforms"
+  application            = "Data Platform"
+  component              = "Actions Runners"
+  environment            = "management"
+  is-production          = "true"
+  owner                  = "data-platform:data-platform-tech@digital.justice.gov.uk"
+  infrastructure-support = "data-platform:data-platform-tech@digital.justice.gov.uk"
+  source-code            = "github.com/ministryofjustice/data-platform/terraform/dpat-eks/production/actions-runners"
+}
diff --git a/terraform/dpat-eks/production/actions-runners/variables.tf b/terraform/dpat-eks/production/actions-runners/variables.tf
@@ -0,0 +1,9 @@
+variable "account_ids" {
+  type        = map(string)
+  description = "Map of account names to account IDs"
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Map of tags to apply to resources"
+}