From d0f39b9dc6998aa76eb8365d0c931d9d0ad156b0 Mon Sep 17 00:00:00 2001 
From: "matt.mercer" Date: Wed, 17 Feb 2021 20:54:53 +0000 Subject: [PATCH 1/3] apm-1865: terraform upgrade --- ansible/Makefile | 12 ------- ansible/destroy-api-deployment-dns-entry.yml | 34 ------------------- ansible/destroy-ecs-proxies.yml | 33 ------------------ .../remove-api-deployment-user-access-key.yml | 32 ----------------- ansible/remove-ecr-build-user.yml | 19 ----------- ansible/remove-ecs-proxy-deployment.yml | 1 - .../templates/terraform/versions.tf | 8 +++++ .../templates/terraform/versions.tf | 8 +++++ .../templates/terraform/versions.tf | 8 +++++ .../templates/terraform/versions.tf | 8 +++++ .../tasks/main.yml | 34 ------------------- .../vars/main.yml | 3 -- ....yml => _deprecated-become-build-user.yml} | 2 +- ...yml => _deprecated-deploy-ecs-proxies.yml} | 0 azure/build-prereqs.yml | 4 +-- azure/cleanup-ecs-pr-proxies.yml | 29 +++++++++++----- azure/cleanup-pr-portal-apis-and-specs.yml | 22 ++++++++++-- azure/common/apigee-build.yml | 2 +- azure/templates/deploy-service.yml | 12 +------ 19 files changed, 76 insertions(+), 195 deletions(-) delete mode 100644 ansible/destroy-api-deployment-dns-entry.yml delete mode 100644 ansible/destroy-ecs-proxies.yml delete mode 100644 ansible/remove-api-deployment-user-access-key.yml delete mode 100644 ansible/remove-ecr-build-user.yml create mode 100644 ansible/roles/create-api-deployment-pre-reqs/templates/terraform/versions.tf create mode 100644 ansible/roles/deploy-ecs-proxies/templates/terraform/versions.tf create mode 100644 ansible/roles/destroy-api-deployment-pre-reqs/templates/terraform/versions.tf create mode 100644 ansible/roles/destroy-ecs-proxies/templates/terraform/versions.tf delete mode 100644 ansible/roles/remove-api-deployment-user-access-key/tasks/main.yml delete mode 100644 ansible/roles/remove-api-deployment-user-access-key/vars/main.yml rename azure/{become-build-user.yml => _deprecated-become-build-user.yml} (97%) rename azure/{deploy-ecs-proxies.yml => 
_deprecated-deploy-ecs-proxies.yml} (100%) diff --git a/ansible/Makefile b/ansible/Makefile index d75e62cf..4ed37613 100644 --- a/ansible/Makefile +++ b/ansible/Makefile @@ -54,24 +54,12 @@ deploy-apigee-product-and-spec: guard-SERVICE_NAME guard-FULLY_QUALIFIED_SERVICE template-proxies: guard-PROXIES_DIR guard-SERVICE_BASE_PATH guard-APIGEE_ENVIRONMENT @poetry run ansible-playbook -i local template-proxies.yml -destroy-ecs-proxies: guard-service_id guard-APIGEE_ENVIRONMENT - @poetry run ansible-playbook -i local destroy-ecs-proxies.yml - -destroy-api-deployment-dns-entry: guard-service_id guard-APIGEE_ENVIRONMENT - @poetry run ansible-playbook -i local destroy-api-deployment-dns-entry.yml - -remove-api-deployment-user-access-key: guard-account guard-service_id guard-APIGEE_ENVIRONMENT - @poetry run ansible-playbook -i local remove-api-deployment-user-access-key.yml - remove-ecs-proxy-pre-reqs: guard-account guard-service_id guard-APIGEE_ENVIRONMENT @poetry run ansible-playbook -i local remove-ecs-proxy-pre-reqs.yml create-ecr-build-role: guard-account guard-service_id @poetry run ansible-playbook -i local create-ecr-build-role.yml -remove-ecr-build-user: guard-account guard-service_id - @poetry run ansible-playbook -i local remove-ecr-build-user.yml - remove-ecr-build-role: guard-account guard-service_id @poetry run ansible-playbook -i local remove-ecr-build-role.yml diff --git a/ansible/destroy-api-deployment-dns-entry.yml b/ansible/destroy-api-deployment-dns-entry.yml deleted file mode 100644 index 22ebef0b..00000000 --- a/ansible/destroy-api-deployment-dns-entry.yml +++ /dev/null 
@@ -1,34 +0,0 @@ -- name: create api deployment dns entry - hosts: 127.0.0.1 - connection: local - gather_facts: no - - vars: - service_id: "{{ lookup('env','service_id') }}" - APIGEE_ENVIRONMENT: "{{ lookup('env','APIGEE_ENVIRONMENT') }}" - pr_number: "{{ lookup('env','pr_number') }}" - account: "{{ lookup('env','account') }}" - aws_profile: "apm_{{ account }}" - - - pre_tasks: - - - name: check account - fail: - msg: "account not set" - when: not account - - - name: check service_id - fail: - msg: "service_id not set" - when: not service_id - - - name: check APIGEE_ENVIRONMENT - fail: - msg: "APIGEE_ENVIRONMENT not set" - when: not APIGEE_ENVIRONMENT - - - roles: - - setup-facts - - destroy-api-deployment-dns-entry \ No newline at end of file diff --git a/ansible/destroy-ecs-proxies.yml b/ansible/destroy-ecs-proxies.yml deleted file mode 100644 index bc990614..00000000 --- a/ansible/destroy-ecs-proxies.yml +++ /dev/null @@ -1,33 +0,0 @@ -- name: destroy ecs proxies - hosts: 127.0.0.1 - connection: local - gather_facts: no - - vars: - service_id: "{{ lookup('env','service_id') }}" - APIGEE_ENVIRONMENT: "{{ lookup('env','APIGEE_ENVIRONMENT') }}" - pr_number: "{{ lookup('env','pr_number') }}" - account: "{{ lookup('env','account') }}" - aws_profile: "apm_{{ account }}" - - pre_tasks: - - - name: check account - fail: - msg: "account not set" - when: not account - - - name: check service_id - fail: - msg: "service_id not set" - when: not service_id - - - name: check APIGEE_ENVIRONMENT - fail: - msg: "APIGEE_ENVIRONMENT not set" - when: not APIGEE_ENVIRONMENT - - - roles: - - setup-facts - - destroy-ecs-proxies \ No newline at end of file diff --git a/ansible/remove-api-deployment-user-access-key.yml b/ansible/remove-api-deployment-user-access-key.yml deleted file mode 100644 index 72cee082..00000000 --- a/ansible/remove-api-deployment-user-access-key.yml +++ /dev/null 
@@ -1,32 +0,0 @@ -- name: remove api deployment access key - hosts: 127.0.0.1 - connection: local - gather_facts: no - - vars: - service_id: "{{ lookup('env','service_id') }}" - APIGEE_ENVIRONMENT: "{{ lookup('env', 'APIGEE_ENVIRONMENT') }}" - account: "{{ lookup('env','account') }}" - aws_profile: "apm_{{ account }}" - - pre_tasks: - - - name: check account - fail: - msg: "account not set" - when: not account - - - name: check service_id - fail: - msg: "service_id not set" - when: not service_id - - - name: check APIGEE_ENVIRONMENT - fail: - msg: "APIGEE_ENVIRONMENT not set" - when: not APIGEE_ENVIRONMENT - - - roles: - - setup-facts - - remove-api-deployment-user-access-key \ No newline at end of file diff --git a/ansible/remove-ecr-build-user.yml b/ansible/remove-ecr-build-user.yml deleted file mode 100644 index 63c94aad..00000000 --- a/ansible/remove-ecr-build-user.yml +++ /dev/null @@ -1,19 +0,0 @@ -- name: remove ecr build user - hosts: 127.0.0.1 - connection: local - gather_facts: no - - vars: - service_id: "{{ lookup('env','service_id') }}" - account: "{{ lookup('env','account') }}" - aws_profile: "apm_{{ account }}" - - pre_tasks: - - name: check service_id - fail: - msg: "service_id not set" - when: not service_id - - roles: - - setup-facts - - remove-ecr-build-user \ No newline at end of file diff --git a/ansible/remove-ecs-proxy-deployment.yml b/ansible/remove-ecs-proxy-deployment.yml index b0cfcddf..e71842eb 100644 --- a/ansible/remove-ecs-proxy-deployment.yml +++ b/ansible/remove-ecs-proxy-deployment.yml @@ -30,5 +30,4 @@ roles: - setup-facts - - destroy-api-deployment-dns-entry - destroy-ecs-proxies \ No newline at end of file diff --git a/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/versions.tf b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/versions.tf new file mode 100644 index 00000000..05d35f53 --- /dev/null +++ b/ansible/roles/create-api-deployment-pre-reqs/templates/terraform/versions.tf 
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ }
+ required_version = ">= 0.13.6"
+}
diff --git a/ansible/roles/deploy-ecs-proxies/templates/terraform/versions.tf b/ansible/roles/deploy-ecs-proxies/templates/terraform/versions.tf
new file mode 100644
index 00000000..05d35f53
--- /dev/null
+++ b/ansible/roles/deploy-ecs-proxies/templates/terraform/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ }
+ required_version = ">= 0.13.6"
+}
diff --git a/ansible/roles/destroy-api-deployment-pre-reqs/templates/terraform/versions.tf b/ansible/roles/destroy-api-deployment-pre-reqs/templates/terraform/versions.tf
new file mode 100644
index 00000000..05d35f53
--- /dev/null
+++ b/ansible/roles/destroy-api-deployment-pre-reqs/templates/terraform/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ }
+ required_version = ">= 0.13.6"
+}
diff --git a/ansible/roles/destroy-ecs-proxies/templates/terraform/versions.tf b/ansible/roles/destroy-ecs-proxies/templates/terraform/versions.tf
new file mode 100644
index 00000000..05d35f53
--- /dev/null
+++ b/ansible/roles/destroy-ecs-proxies/templates/terraform/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ }
+ }
+ required_version = ">= 0.13.6"
+}
diff --git a/ansible/roles/remove-api-deployment-user-access-key/tasks/main.yml b/ansible/roles/remove-api-deployment-user-access-key/tasks/main.yml
deleted file mode 100644
index fbc1388c..00000000
--- a/ansible/roles/remove-api-deployment-user-access-key/tasks/main.yml
+++ /dev/null
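Review bot: The new `required_providers` block gives `hashicorp/aws` a `source` but no `version` constraint, and `required_version = ">= 0.13.6"` is open-ended, so each `terraform init` resolves whichever provider and CLI release is newest at that moment; the dependency lock file that would make this reproducible only arrived in Terraform 0.14, so on 0.13 a provider major-version bump changes plan behaviour for the destroy roles just as silently as for the create ones. Add a constraint beside the source, `version = "<tested-provider-range>"` (placeholder: fill in the release these roles were validated against), and consider `~> 0.13.6` for the CLI so that a move to 0.14+ is a deliberate upgrade rather than an accident of the agent image. The identical file is added under ansible/roles/deploy-ecs-proxies, destroy-api-deployment-pre-reqs and destroy-ecs-proxies in the three following hunks; since these sit in the roles' `templates/` directories, a single shared copy would stop the four from drifting apart at the next bump.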
@@ -1,34 +0,0 @@ - -- name: check for access key secret - command: "{{ aws_cmd }} secretsmanager describe-secret --secret-id {{ deploy_user_secret }}" - register: describe_secret - changed_when: no - failed_when: describe_secret.rc !=0 and 'ResourceNotFoundException' not in describe_secret.stderr - -- name: remove access key secret - command: > - {{ aws_cmd }} secretsmanager delete-secret --secret-id {{ deploy_user_secret }} --force-delete-without-recovery - register: create_access_key - when: describe_secret.rc == 0 - -- name: check if user exists - command: "{{ aws_cmd }} iam get-user --user-name {{ deploy_user_name }} --query User" - register: get_user - changed_when: no - failed_when: get_user.rc !=0 and 'NoSuchEntity' not in get_user.stderr - -- name: list access keys - command: "{{ aws_cmd }} iam list-access-keys --user-name {{ deploy_user_name }} --query AccessKeyMetadata" - register: list_acess_keys - changed_when: no - when: get_user.rc == 0 - -- name: parse access keys - set_fact: - access_keys: "{{ list_acess_keys.stdout | from_json }}" - when: get_user.rc == 0 - -- name: delete access key - command: "{{ aws_cmd }} iam delete-access-key --user-name {{ deploy_user_name }} --access-key-id {{ item.AccessKeyId }}" - with_items: "{{ access_keys }}" - when: get_user.rc == 0 diff --git a/ansible/roles/remove-api-deployment-user-access-key/vars/main.yml b/ansible/roles/remove-api-deployment-user-access-key/vars/main.yml deleted file mode 100644 index 361ade19..00000000 --- a/ansible/roles/remove-api-deployment-user-access-key/vars/main.yml +++ /dev/null @@ -1,3 +0,0 @@ -deploy_user_name: "deploy-{{ APIGEE_ENVIRONMENT }}-{{ service_id }}" -deploy_user_secret: "{{ account }}/api-deploy-users/{{ deploy_user_name }}/aws_config" - diff --git a/azure/become-build-user.yml b/azure/_deprecated-become-build-user.yml similarity index 97% rename from azure/become-build-user.yml rename to azure/_deprecated-become-build-user.yml index d177e08d..5b5b050d 100644 
--- a/azure/become-build-user.yml
+++ b/azure/_deprecated-become-build-user.yml
@@ -10,7 +10,7 @@ parameters:
 steps:
 - bash: |
- tfenv use 0.12.29
+ tfenv use 0.13.6
 displayName: use terraform
 - bash: |
diff --git a/azure/deploy-ecs-proxies.yml b/azure/_deprecated-deploy-ecs-proxies.yml
similarity index 100%
rename from azure/deploy-ecs-proxies.yml
rename to azure/_deprecated-deploy-ecs-proxies.yml
diff --git a/azure/build-prereqs.yml b/azure/build-prereqs.yml
index 17494add..641e9705 100644
--- a/azure/build-prereqs.yml
+++ b/azure/build-prereqs.yml
@@ -9,9 +9,7 @@ steps:
 versionSpec: '3.8'
 - bash: |
- brew install tfenv
- tfenv install 0.12.29
- tfenv use 0.12.29
+ tfenv use 0.13.6
 displayName: setup terraform
 - bash: |
diff --git a/azure/cleanup-ecs-pr-proxies.yml b/azure/cleanup-ecs-pr-proxies.yml
index 71697339..97bb8241 100644
--- a/azure/cleanup-ecs-pr-proxies.yml
+++ b/azure/cleanup-ecs-pr-proxies.yml
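Review bot: After this hunk the `setup terraform` step in azure/build-prereqs.yml is only `tfenv use 0.13.6`; the `brew install tfenv` and `tfenv install` lines that previously guaranteed the binary existed are gone, so the step now depends on the agent image already shipping tfenv with that version (or on tfenv's auto-install behaviour, which I cannot confirm from here), which is worth either stating in the step or enforcing with an explicit `tfenv install 0.13.6` before the `use`. The literal `0.13.6` is now repeated here and in the hunks for azure/_deprecated-become-build-user.yml, azure/cleanup-ecs-pr-proxies.yml, azure/cleanup-pr-portal-apis-and-specs.yml, azure/common/apigee-build.yml and azure/templates/deploy-service.yml. A single pipeline variable defined once (for example `terraform_version`, used as `tfenv use "$(terraform_version)"`) would make the next upgrade a one-line change instead of a six-file hunt.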
@@ -17,23 +17,36 @@ jobs: timeoutInMinutes: 240 pool: name: 'AWS-ECS' + + workspace: + clean: all + steps: + - checkout: self - - template: ./components/aws-assume-role.yml + - bash: | + instance_id="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)" + echo instance-id: "${instance_id}" + echo connect to: https://eu-west-2.console.aws.amazon.com/systems-manager/session-manager/${instance_id} + echo sudo su - ubuntu + echo working directory: $(System.DefaultWorkingDirectory) + displayName: print aws info + + - template: ./components/aws-assume-role.yml parameters: role: "auto-ops" profile: "apm_ptl" - - template: build-prereqs.yml - parameters: - utils_dir: './' + - bash: | + tfenv use 0.13.6 + displayName: setup terraform + + - bash: | + make install + displayName: install dependencies - bash: | - # temp this is till we can update to terraform 0.13.0 (which respects the profile setting over metadata) - export AWS_ACCESS_KEY_ID="$(grep 'aws_access_key_id = ' ~/.aws/config | cut -d ' ' -f3)" - export AWS_SECRET_ACCESS_KEY="$(grep 'aws_secret_access_key = ' ~/.aws/config | cut -d ' ' -f3)" - export AWS_SESSION_TOKEN="$(grep 'aws_session_token = ' ~/.aws/config | cut -d ' ' -f3)" export retain_hours=72 ANSIBLE_FORCE_COLOR=yes make -C ansible remove-old-ecs-pr-deploys displayName: "cleanup older pr deploys" diff --git a/azure/cleanup-pr-portal-apis-and-specs.yml b/azure/cleanup-pr-portal-apis-and-specs.yml index 9d28ce0b..1ee59fed 100644 --- a/azure/cleanup-pr-portal-apis-and-specs.yml +++ b/azure/cleanup-pr-portal-apis-and-specs.yml 
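Review bot: The new `print aws info` step fetches the instance id with a bare `curl -s` against IMDSv1 and never checks the result, so on an agent where IMDSv2 tokens are required the request is refused and `instance_id` is silently empty, and on a host where the metadata endpoint is blocked the step waits on curl's default timeout. Fetch a session token and fail fast instead: `token="$(curl -sf --max-time 5 -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' http://169.254.169.254/latest/api/token)"` followed by `instance_id="$(curl -sf --max-time 5 -H "X-aws-ec2-metadata-token: ${token}" http://169.254.169.254/latest/meta-data/instance-id)"`. The same block, together with the inlined `tfenv use 0.13.6` and `make install` steps that replace the former `- template: build-prereqs.yml` call, is copy-pasted into azure/cleanup-pr-portal-apis-and-specs.yml in the next hunk; a component template under ./components/ alongside aws-assume-role.yml would keep the two cleanup jobs in sync and make the IMDS hardening a single change.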
@@ -17,17 +17,33 @@ jobs: timeoutInMinutes: 240 pool: name: 'AWS-ECS' + workspace: + clean: all + steps: + - checkout: self + - bash: | + instance_id="$(curl -s http://169.254.169.254/latest/meta-data/instance-id)" + echo instance-id: "${instance_id}" + echo connect to: https://eu-west-2.console.aws.amazon.com/systems-manager/session-manager/${instance_id} + echo sudo su - ubuntu + echo working directory: $(System.DefaultWorkingDirectory) + displayName: print aws info + - template: ./components/aws-assume-role.yml parameters: role: "auto-ops" profile: "apm_ptl" - - template: build-prereqs.yml - parameters: - utils_dir: "./" + - bash: | + tfenv use 0.13.6 + displayName: setup terraform + + - bash: | + make install + displayName: install dependencies - template: ./components/get-aws-secrets-and-ssm-params.yml parameters: diff --git a/azure/common/apigee-build.yml b/azure/common/apigee-build.yml index ce4efc45..7b33201e 100644 --- a/azure/common/apigee-build.yml +++ b/azure/common/apigee-build.yml @@ -205,7 +205,7 @@ jobs: condition: and(succeeded(), eq(variables['build_containers'], 'true')) - bash: | - tfenv use 0.12.29 + tfenv use 0.13.6 displayName: use terraforn condition: and(succeeded(), eq(variables['build_containers'], 'true')) diff --git a/azure/templates/deploy-service.yml b/azure/templates/deploy-service.yml index 88ededb3..4bf5c556 100644 --- a/azure/templates/deploy-service.yml +++ b/azure/templates/deploy-service.yml @@ -59,7 +59,7 @@ steps: displayName: "Install utils pre-requisites" - bash: | - tfenv use 0.12.29 + tfenv use 0.13.6 displayName: setup terraform condition: and(succeeded(), eq(variables['deploy_containers'], 'true')) 
@@ -135,11 +135,6 @@ steps: source $(SERVICE_DIR)/.build_env_vars deploy_role="deploy-${{ parameters.apigee_environment }}-${service_id}" - # temp this is till we can update to terraform 0.13.0 (which respects the profile setting over metadata) - export AWS_ACCESS_KEY_ID="$(grep 'aws_access_key_id = ' ~/.aws/config | cut -d ' ' -f3)" - export AWS_SECRET_ACCESS_KEY="$(grep 'aws_secret_access_key = ' ~/.aws/config | cut -d ' ' -f3)" - export AWS_SESSION_TOKEN="$(grep 'aws_session_token = ' ~/.aws/config | cut -d ' ' -f3)" - account=${{ parameters.aws_account }} \ SERVICE_BASE_PATH=${{ parameters.service_base_path }} \ APIGEE_ENVIRONMENT=${{ parameters.apigee_environment }} \ @@ -171,11 +166,6 @@ steps: export DEPLOYED_VERSION="${{ parameters.fully_qualified_service_name }}" fi - # temp this is till we can update to terraform 0.13.0 (which respects the profile setting over metadata) - export AWS_ACCESS_KEY_ID="$(grep 'aws_access_key_id = ' ~/.aws/config | cut -d ' ' -f3)" - export AWS_SECRET_ACCESS_KEY="$(grep 'aws_secret_access_key = ' ~/.aws/config | cut -d ' ' -f3)" - export AWS_SESSION_TOKEN="$(grep 'aws_session_token = ' ~/.aws/config | cut -d ' ' -f3)" - account=${{ parameters.aws_account }} \ PROXY_VARS_FILE="${proxy_vars_file}" \ SOURCE_COMMIT_ID="$(Build.SourceVersion)" \ From 616cd2a6333e3d642450d88ebb101f06d84499c0 Mon Sep 17 00:00:00 2001 From: Ben Davies Date: Wed, 3 Mar 2021 10:53:14 +0000 Subject: [PATCH 2/3] Merge pull request #271 from NHSDigital/AMB-527-Fix-prod-url MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AMB-527 Removed unnecessary prod env prefix from prod url, as this is… --- azure/templates/deploy-service.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/azure/templates/deploy-service.yml b/azure/templates/deploy-service.yml index f72bc289..69bccfed 100644 --- a/azure/templates/deploy-service.yml +++ b/azure/templates/deploy-service.yml 
@@ -245,7 +245,7 @@ steps: method: POST headers: "apikey: $(MONITORING_API_KEY)" ${{ if eq(parameters.apigee_environment, 'prod') }}: - url: "https://prod.api.service.nhs.uk/monitoring-sd/service" + url: "https://api.service.nhs.uk/monitoring-sd/service" body: '{ "${{ parameters.service_name }}": { "${{ parameters.apigee_environment }}": [ "${{ parameters.service_name }}@${{ parameters.apigee_environment }}=http_2xx https://api.service.nhs.uk/${{ parameters.service_base_path }}/_ping" ] } }' ${{ if not(eq(parameters.apigee_environment, 'prod')) }}: url: "https://internal-dev.api.service.nhs.uk/monitoring-sd/service" @@ -258,7 +258,7 @@ steps: method: POST headers: "apikey: $(MONITORING_API_KEY)" ${{ if eq(parameters.apigee_environment, 'prod') }}: - url: "https://prod.api.service.nhs.uk/monitoring-sd/service" + url: "https://api.service.nhs.uk/monitoring-sd/service" body: '{ "${{ parameters.service_name }}": { "${{ parameters.apigee_environment }}": [ "${{ parameters.service_name }}@${{ parameters.apigee_environment }}=http_2xx https://api.service.nhs.uk/${{ parameters.service_base_path }}/_ping", "${{ parameters.service_name }}@${{ parameters.apigee_environment }}=http_2xx_with_api_key https://api.service.nhs.uk/${{ parameters.service_base_path }}/_status" ] } }' ${{ if not(eq(parameters.apigee_environment, 'prod')) }}: url: "https://internal-dev.api.service.nhs.uk/monitoring-sd/service" From f73aac470598cbb230ceda2f20e772df9fbc6438 Mon Sep 17 00:00:00 2001 From: Richard Crawley <768747+ri-ch@users.noreply.github.com> Date: Thu, 1 Apr 2021 11:11:04 +0100 Subject: [PATCH 3/3] Switch back to correct build context after pre_template steps have completed --- azure/templates/deploy-service.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/azure/templates/deploy-service.yml b/azure/templates/deploy-service.yml index 7f8c917a..c5c4ea21 100644 --- a/azure/templates/deploy-service.yml +++ b/azure/templates/deploy-service.yml 
@@ -81,6 +81,14 @@ steps: - ${{ each pre_template_step in parameters.pre_template }}: - ${{ pre_template_step }} + # pre_template steps might have been doing cross account stuff + # make sure we bring everything back to the correct AWS role here + - template: ../components/aws-assume-role.yml + parameters: + role: "auto-ops" + profile: "apm_${{ parameters.aws_account }}" + aws_account: "${{ parameters.aws_account }}" + - ${{ if parameters.jinja_templates }}: - bash: mkdir -p group_vars/all && touch jinja_templates.yml workingDirectory: "$(UTILS_DIR)/ansible/"
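Review bot: The comment on the added assume-role step should state the invariant rather than "cross account stuff"; something like `# pre_template steps may assume a different role or account; re-assume auto-ops in the target account so every step below runs with the expected credentials.` The step also passes `aws_account: "${{ parameters.aws_account }}"`, which the two other invocations of components/aws-assume-role.yml in this series (the cleanup pipelines) do not pass; Azure Pipelines normally rejects a template invoked with a parameter it does not declare, so it is worth confirming the component's parameter list before merging. The enclosing `steps:` list starts and ends outside the hunk.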