Refactor content store

terraform/deployments/apps/content-store/draft.tf

@@ -0,0 +1,46 @@
+module "draft_container_definition" {
+  source = "../../../modules/app-container-definition"
+  name   = "draft-content-store"
+  image  = "govuk/content-store:bill-content-schemas" # TODO use "govuk/content-store:${var.image_tag}"
+  environment_variables = merge(
+    local.environment_variables,
+    {
+      PLEK_SERVICE_ROUTER_API_URI = "http://draft-router-api.${local.mesh_domain}"
+      MONGODB_URI                 = "mongodb://${local.mongodb_host}/draft_content_store_production"
+    },
+  )
+  log_group             = local.log_group
+  secrets_from_arns     = local.secrets_from_arns
+  aws_region            = data.aws_region.current.name
+  depends_on_containers = { envoy : "START" }
+}
+
+module "draft_envoy_configuration" {
+  source = "../../../modules/envoy-configuration"
+
+  mesh_name    = local.mesh_name
+  service_name = "draft-content-store"
+  log_group    = local.log_group
+  aws_region   = data.aws_region.current.name
+}
+
+resource "aws_ecs_task_definition" "draft" {
+  family                   = "draft-content-store"
+  requires_compatibilities = ["FARGATE"]
+  container_definitions = jsonencode([
+    module.draft_container_definition.value,
+    module.draft_envoy_configuration.container_definition,
+  ])
+
+  network_mode       = "awsvpc"
+  cpu                = 512
+  memory             = 1024
+  task_role_arn      = local.fargate_task_iam_role_arn
+  execution_role_arn = local.fargate_execution_iam_role_arn
+
+  proxy_configuration {
+    type           = "APPMESH"
+    container_name = "envoy"
+    properties     = module.draft_envoy_configuration.proxy_properties
+  }
+}

terraform/deployments/apps/content-store/live.tf

@@ -0,0 +1,46 @@
+module "live_container_definition" {
+  source = "../../../modules/app-container-definition"
+  name   = "live-content-store"
+  image  = "govuk/content-store:bill-content-schemas" # TODO use "govuk/content-store:${var.image_tag}"
+  environment_variables = merge(
+    local.environment_variables,
+    {
+      PLEK_SERVICE_ROUTER_API_URI = "http://router-api.${local.mesh_domain}"
+      MONGODB_URI                 = "mongodb://${local.mongodb_host}/live_content_store_production"
+    },
+  )
+  log_group             = local.log_group
+  secrets_from_arns     = local.secrets_from_arns
+  aws_region            = data.aws_region.current.name
+  depends_on_containers = { envoy : "START" }
+}
+
+module "live_envoy_configuration" {
+  source = "../../../modules/envoy-configuration"
+
+  mesh_name    = local.mesh_name
+  service_name = "live-content-store"
+  log_group    = local.log_group
+  aws_region   = data.aws_region.current.name
+}
+
+resource "aws_ecs_task_definition" "live" {
+  family                   = "content-store"
+  requires_compatibilities = ["FARGATE"]
+  container_definitions = jsonencode([
+    module.live_container_definition.value,
+    module.live_envoy_configuration.container_definition,
+  ])
+
+  network_mode       = "awsvpc"
+  cpu                = 512
+  memory             = 1024
+  task_role_arn      = local.fargate_task_iam_role_arn
+  execution_role_arn = local.fargate_execution_iam_role_arn
+
+  proxy_configuration {
+    type           = "APPMESH"
+    container_name = "envoy"
+    properties     = module.live_envoy_configuration.proxy_properties
+  }
+}

terraform/deployments/apps/content-store/main.tf

@@ -1,17 +1,9 @@
 terraform {
   backend "s3" {
-    bucket  = "govuk-terraform-test"
     key     = "projects/content-store.tfstate"
     region  = "eu-west-1"
     encrypt = true
   }
-
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = "~> 3.13"
-    }
-  }
 }
 
 provider "aws" {
@@ -22,18 +14,99 @@ provider "aws" {
   }
 }
 
-module "task_definition" {
-  source                           = "../../../modules/task-definitions/content-store"
-  service_name                     = "content-store"
-  govuk_app_domain_external        = var.app_domain
-  govuk_website_root               = local.website_root
-  image_tag                        = "bill-content-schemas" # TODO: Change back once content schemas are available
-  mesh_name                        = var.mesh_name
-  mongodb_url                      = "mongodb://${var.mongodb_host}/content_store_production"
-  service_discovery_namespace_name = local.service_discovery_namespace_name
-  statsd_host                      = local.statsd_host
-  execution_role_arn               = data.aws_iam_role.execution.arn
-  task_role_arn                    = data.aws_iam_role.task.arn
-  sentry_environment               = var.sentry_environment
-  assume_role_arn                  = var.assume_role_arn
+data "aws_region" "current" {}
+
+data "aws_secretsmanager_secret" "oauth_id" {
+  name = "content-store_OAUTH_ID"
+}
+data "aws_secretsmanager_secret" "oauth_secret" {
+  name = "content-store_OAUTH_SECRET"
+}
+data "aws_secretsmanager_secret" "publishing_api_bearer_token" {
+  name = "content-store_PUBLISHING_API_BEARER_TOKEN" # pragma: allowlist secret
+}
+data "aws_secretsmanager_secret" "router_api_bearer_token" {
+  name = "content-store_ROUTER_API_BEARER_TOKEN" # pragma: allowlist secret
+}
+data "aws_secretsmanager_secret" "secret_key_base" {
+  name = "content-store_SECRET_KEY_BASE" # pragma: allowlist secret
+}
+data "aws_secretsmanager_secret" "sentry_dsn" {
+  name = "SENTRY_DSN"
+}
+
+data "terraform_remote_state" "govuk_aws_mongo" {
+  backend = "s3"
+  config = {
+    bucket   = "govuk-terraform-steppingstone-${var.environment}"
+    key      = "${var.environment == "test" ? "pink" : "blue"}/app-mongo.tfstate"
+    region   = data.aws_region.current.name
+    role_arn = var.assume_role_arn
+  }
+}
+
+data "terraform_remote_state" "govuk" {
+  backend   = "s3"
+  workspace = terraform.workspace
+  config = {
+    bucket   = "govuk-terraform-${var.environment}"
+    key      = "projects/govuk.tfstate"
+    region   = data.aws_region.current.name
+    role_arn = var.assume_role_arn
+  }
+}
+
+locals {
+  app_domain                     = data.terraform_remote_state.govuk.outputs.app_domain
+  app_domain_internal            = data.terraform_remote_state.govuk.outputs.app_domain_internal
+  fargate_execution_iam_role_arn = data.terraform_remote_state.govuk.outputs.fargate_execution_iam_role_arn
+  fargate_task_iam_role_arn      = data.terraform_remote_state.govuk.outputs.fargate_task_iam_role_arn
+  govuk_website_root             = data.terraform_remote_state.govuk.outputs.govuk_website_root
+  log_group                      = data.terraform_remote_state.govuk.outputs.log_group
+  mesh_domain                    = data.terraform_remote_state.govuk.outputs.mesh_domain
+  mesh_name                      = data.terraform_remote_state.govuk.outputs.mesh_name
+
+  mongodb_host = join(",", [
+    data.terraform_remote_state.govuk_aws_mongo.outputs.mongo_1_service_dns_name,
+    data.terraform_remote_state.govuk_aws_mongo.outputs.mongo_2_service_dns_name,
+    data.terraform_remote_state.govuk_aws_mongo.outputs.mongo_3_service_dns_name,
+  ])
+
+  sentry_environment = "${var.environment}-ecs"
+  statsd_host        = "statsd.${local.mesh_domain}" # TODO: Put Statsd in App Mesh
+
+  environment_variables = {
+    DEFAULT_TTL                     = 1800,
+    GOVUK_APP_DOMAIN                = local.mesh_domain,
+    GOVUK_APP_DOMAIN_EXTERNAL       = local.app_domain,
+    GOVUK_APP_NAME                  = "content-store",
+    GOVUK_APP_TYPE                  = "rack",
+    GOVUK_CONTENT_SCHEMAS_PATH      = "/govuk-content-schemas",
+    GOVUK_GROUP                     = "deploy",  # TODO: clean up?
+    GOVUK_STATSD_PREFIX             = "fargate", # TODO: use a better prefix?
+    GOVUK_USER                      = "deploy",  # TODO: clean up?
+    GOVUK_WEBSITE_ROOT              = local.govuk_website_root,
+    PLEK_SERVICE_PUBLISHING_API_URI = "http://publishing-api-web.${local.mesh_domain}",
+    PLEK_SERVICE_ROUTER_API_URI     = "http://router-api.${local.mesh_domain}",
+    PLEK_SERVICE_RUMMAGER_URI       = "",
+    PLEK_SERVICE_SIGNON_URI         = "https://signon-ecs.${local.app_domain}",
+    PLEK_SERVICE_SPOTLIGHT_URI      = "",
+    PORT                            = 80,
+    RAILS_ENV                       = "production",
+    SENTRY_ENVIRONMENT              = local.sentry_environment,
+    STATSD_PROTOCOL                 = "tcp",
+    STATSD_HOST                     = local.statsd_host,
+    UNICORN_WORKER_PROCESSES        = 12,
+
+    PLEK_SERVICE_PERFORMANCEPLATFORM_BIG_SCREEN_VIEW_URI = "",
+  }
+
+  secrets_from_arns = {
+    GDS_SSO_OAUTH_ID            = data.aws_secretsmanager_secret.oauth_id.arn,
+    GDS_SSO_OAUTH_SECRET        = data.aws_secretsmanager_secret.oauth_secret.arn,
+    PUBLISHING_API_BEARER_TOKEN = data.aws_secretsmanager_secret.publishing_api_bearer_token.arn,
+    ROUTER_API_BEARER_TOKEN     = data.aws_secretsmanager_secret.router_api_bearer_token.arn,
+    SECRET_KEY_BASE             = data.aws_secretsmanager_secret.secret_key_base.arn,
+    SENTRY_DSN                  = data.aws_secretsmanager_secret.sentry_dsn.arn,
+  }
 }

terraform/deployments/apps/content-store/variables.tf

@@ -0,0 +1,15 @@
+variable "image_tag" {
+  type        = string
+  description = "The Docker image tag to be specified in a task definition"
+}
+
+variable "environment" {
+  type        = string
+  description = "test, integration, staging or production"
+}
+
+variable "assume_role_arn" {
+  type        = string
+  description = "(optional) AWS IAM role to assume. Uses the role from the environment by default."
+  default     = null
+}

terraform/deployments/apps/content-store/versions.tf

@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 3.13"
+    }
+  }
+}

terraform/modules/app-container-definition/main.tf

@@ -16,7 +16,7 @@ variable "secrets_from_arns" {
 variable "aws_region" {
   type = string
 }
-variable "depends_on" {
+variable "depends_on_containers" {
   type        = map
   default     = {}
   description = "Other containers which this depends on (e.g. for envoy, set this to {envoy: \"START\"})"
@@ -27,8 +27,8 @@ output "value" {
     "name" : var.name,
     "image" : var.image,
     "essential" : true,
-    "environment" : [for key, value in var.environment_variables : { name : key, value : value }],
-    "dependsOn" : [for key, value in var.depends_on : { containerName : key, condition : value }],
+    "environment" : [for key, value in var.environment_variables : { name : key, value : tostring(value) }],
+    "dependsOn" : [for key, value in var.depends_on_containers : { containerName : key, condition : value }],
     "logConfiguration" : {
       "logDriver" : "awslogs",
       "options" : {