pre product infrastructure

Pre-Recorded Evidence Project - Core infrastructure

The infrastructure for PRE is brought up in 4 stages:

Getting started

The terraform version is managed by .terraform-version file in the root of the repo, you can update this whenever you want.

Lint

Please run terraform fmt before submitting a pull request.

Documentation is kept up-to-date using terraform-docs.

We've included pre-commit hooks to help with this.

Install it with:

$ brew install pre-commit
# or
$ pip3 install pre-commit

then run:

$ pre-commit install

Workflow

Make your changes locally
Format your change with terraform fmt or the pre-commit hook
Submit a pull request
Check the terraform plan from the build link that will be posted on your PR
Get someone else to review your PR
Merge the PR
It will automatically be deployed to AAT and Prod environments
Once successful in AAT and Prod then merge your change to demo, ithc, and perftest branches.

B2C

Bypassing 2FA

Sometimes it's useful to allow a set user to skip email verification (2FA). E.G. when testing. This can be done by editing the ./b2c/custom_policies/<env>/TrustFrameworkExtensions.xml file. You will need to add a snippet like the following:

<Precondition Type="ClaimEquals" ExecuteActionsIf="true">
  <Value>objectId</Value>
  <Value>a207a1b2-f39b-4e70-a211-bd7e26d7504e</Value>
  <Action>SkipThisOrchestrationStep</Action>
</Precondition>

to the

<OrchestrationStep Order="4" Type="ClaimsExchange">
  <Preconditions>
...

block. The object Id can be obtained from that environments Azure AD properties for the user.

Key Rotation Pipelines failing

These run on Mondays for Non-prod and Tuesdays for Prod.

When they fail it means that the edit VM can not read/write from the Storage Account.

This error has become a permanent issue since we enabled the resource locks in staging and production.

To fix this you need to:

Disable the resource lock on the appropriate resource group using this pipeline: https://dev.azure.com/hmcts/PlatformOperations/_build?definitionId=535
- Click on 'Run Pipeline'
- Select the subscription DTS-SHAREDSERVICES-{ENV}
- Select the resource group pre-{ENV}
- Click on 'Run'
Once the resource lock is removed, ensure the VM is running on the appropriate environment
- Go to https://dev.azure.com/hmcts/Pre-Recorded%20Evidence/_build?definitionId=1090 (non-prod) or https://dev.azure.com/hmcts/Pre-Recorded%20Evidence/_build?definitionId=1092 (prod)
- Click on 'Run Pipeline'
- Click on 'Run'
Once the VM is up then you just need to run the pre-shared-infrastructure pipeline: https://sds-build.hmcts.net/job/HMCTS/job/pre-shared-infrastructure/job/master/
- Click on 'Build Now'
Once green you should then shut down the VMs to ensure they load their new environment variables on the next boot.
- https://dev.azure.com/hmcts/Pre-Recorded%20Evidence/_build?definitionId=1091 (non-prod) or https://dev.azure.com/hmcts/Pre-Recorded%20Evidence/_build?definitionId=1093 (prod)
- Click on 'Run Pipeline'
- Click on 'Run'
The resource locks will re-enable themselves within 3 hours.

tooling script import for Demo remains in code

The code in PR 1049 was merged to prevent a repeating issue with demo needing a Terraform import of the tooling script into the Edit VM. #1049 Leaving that in place should simply import in demo each time its needed. Once the Edit VM is removed from Demo that code can be reverted.

LICENSE

This project is licensed under the MIT License - see the LICENSE file for details.

Requirements

Name	Version
azurerm	4.38.1
random	>= 2.2.0
time	~> 0.13

Providers

Name	Version
azuread	n/a
azurerm	4.38.1
azurerm.dev	4.38.1
azurerm.mgmt	4.38.1
azurerm.oms	4.38.1
azurerm.private_dns	4.38.1
azurerm.stg	4.38.1

Modules

Name	Source	Version
application_insights	git@github.com:hmcts/terraform-module-application-insights	4.x
data_store_db_v14	git@github.com:hmcts/terraform-module-postgresql-flexible.git	master
finalsa_storage_account	git@github.com:hmcts/cnp-module-storage-account	4.x
ingestsa_storage_account	git@github.com:hmcts/cnp-module-storage-account	4.x
log_analytics_workspace	git@github.com:hmcts/terraform-module-log-analytics-workspace-id.git	master
sa_storage_account	git@github.com:hmcts/cnp-module-storage-account	4.x
vodasa_storage_account	git@github.com:hmcts/cnp-module-storage-account	4.x

Resources

Name	Type
azuread_app_role_assignment.client_to_api	resource
azuread_application_password.client_secret	resource
azurerm_key_vault_secret.API_POSTGRES_DATABASE	resource
azurerm_key_vault_secret.API_POSTGRES_HOST	resource
azurerm_key_vault_secret.API_POSTGRES_PASS	resource
azurerm_key_vault_secret.API_POSTGRES_PORT	resource
azurerm_key_vault_secret.API_POSTGRES_USER	resource
azurerm_key_vault_secret.appinsights-key	resource
azurerm_key_vault_secret.appinsights_connection_string	resource
azurerm_key_vault_secret.client_secret_kv	resource
azurerm_key_vault_secret.finalsa_storage_account_connection_string	resource
azurerm_key_vault_secret.finalsa_storage_account_primary_access_key	resource
azurerm_key_vault_secret.ingestsa_storage_account_connection_string	resource
azurerm_key_vault_secret.sa_storage_account_connection_string	resource
azurerm_key_vault_secret.vodasa_storage_account_connection_string	resource
azurerm_key_vault_secret.vodasa_storage_account_primary_access_key	resource
azurerm_monitor_action_group.pre-support	resource
azurerm_monitor_diagnostic_setting.storageblobfinalsa	resource
azurerm_monitor_diagnostic_setting.storageblobingestsa	resource
azurerm_monitor_diagnostic_setting.storageblobsa	resource
azurerm_monitor_diagnostic_setting.storageblobvodasa	resource
azurerm_monitor_metric_alert.postgres_alert_active_connections	resource
azurerm_monitor_metric_alert.postgres_alert_cpu	resource
azurerm_monitor_metric_alert.postgres_alert_failed_connections	resource
azurerm_monitor_metric_alert.postgres_alert_memory	resource
azurerm_monitor_metric_alert.postgres_alert_storage_utilization	resource
azurerm_monitor_metric_alert.redis_alert_errors	resource
azurerm_monitor_metric_alert.storage_final_alert_capacity	resource
azurerm_monitor_metric_alert.storage_ingest_alert_capacity	resource
azurerm_monitor_metric_alert.storage_voda_alert_capacity	resource
azurerm_private_dns_zone_virtual_network_link.ams_zone_link	resource
azurerm_role_assignment.powerapp_appreg_final_contrib	resource
azurerm_role_assignment.powerapp_appreg_ingest_contrib	resource
azurerm_role_assignment.pre_dev_mi_appreg_final_contrib	resource
azurerm_role_assignment.pre_dev_mi_appreg_ingest_contrib	resource
azurerm_role_assignment.pre_stg_mi_appreg_final_contrib	resource
azurerm_role_assignment.pre_stg_mi_appreg_ingest_contrib	resource
azurerm_role_assignment.sc_team_members_final_readers	resource
azurerm_role_assignment.sc_team_members_ingest_readers	resource
azurerm_role_assignment.sc_team_members_voda_contrib	resource
azurerm_role_assignment.sc_team_members_voda_data_contrib	resource
azurerm_role_assignment.sp_contributor	resource
azurerm_storage_blob.b2c_config	resource
azurerm_storage_blob.b2c_config_assets	resource
azurerm_storage_blob.b2c_config_maps	resource
azurerm_storage_blob.b2c_html_file	resource
azurerm_storage_management_policy.delete_processed_blobs	resource
azuread_application.client_app	data source
azuread_application.resource_app	data source
azuread_group.prod_reader_group	data source
azuread_service_principal.client_sp	data source
azuread_service_principal.pre_sp	data source
azuread_service_principal.resource_sp	data source
azurerm_client_config.current	data source
azurerm_key_vault.keyvault	data source
azurerm_key_vault_secret.slack_monitoring_address	data source
azurerm_log_analytics_workspace.loganalytics	data source
azurerm_redis_cache.portal_redis_cache	data source
azurerm_resource_group.rg	data source
azurerm_resource_group.rg-cache	data source
azurerm_subnet.endpoint_subnet	data source
azurerm_subnet.jenkins_subnet	data source
azurerm_subnet.videoedit_subnet	data source
azurerm_user_assigned_identity.managed_identity	data source
azurerm_user_assigned_identity.pre_dev_mi	data source
azurerm_user_assigned_identity.pre_stg_mi	data source
azurerm_virtual_network.vnet	data source

Inputs

Name	Description	Type	Default	Required
aks_subscription_id	n/a	`string`	`"867a878b-cb68-4de5-9741-361ac9e178b6"`	no
cnp_vault_sub	The subscription ID of the subscription that contains the CNP KeyVault	`any`	n/a	yes
common_tags	n/a	`map(string)`	n/a	yes
cors_rules	cors rule for final storage account	list(object({ allowed_headers = list(string) allowed_methods = list(string) allowed_origins = list(string) exposed_headers = list(string) max_age_in_seconds = number }))	[ { "allowed_headers": [ "" ], "allowed_methods": [ "GET", "POST" ], "allowed_origins": [ "https://.justice.gov.uk", "https://.blob.core.windows.net", "https://.files.core.windows.net" ], "exposed_headers": [ "*" ], "max_age_in_seconds": 600 } ]	no
database_name	n/a	`string`	`"pre-db"`	no
delete_after_days_since_creation_greater_than	Number of days to keep an ingest file for before deleting it. Default 90 days	`number`	`90`	no
dev_subscription_id	n/a	`string`	`"867a878b-cb68-4de5-9741-361ac9e178b6"`	no
dns_resource_group	Private DNS zone configuration (for postgres)	`string`	`"core-infra-intsvc-rg"`	no
dts_pre_backup_appreg_oid	n/a	`any`	n/a	yes
env	n/a	`any`	n/a	yes
jenkins_AAD_objectId	n/a	`any`	n/a	yes
location	n/a	`string`	`"UK South"`	no
mgmt_net_name	n/a	`any`	n/a	yes
mgmt_net_rg_name	n/a	`any`	n/a	yes
mgmt_subscription_id	n/a	`any`	n/a	yes
pgsql_admin_username	n/a	`string`	`"psqladmin"`	no
pgsql_storage_mb	n/a	`string`	`"32768"`	no
product	n/a	`string`	`"pre"`	no
project	Addtional variables required for postgres	`string`	`"sds"`	no
restore_policy_days	n/a	`any`	n/a	yes
sa_account_tier	n/a	`string`	`"Standard"`	no
sa_replication_type	n/a	`string`	`"GRS"`	no
stg_subscription_id	n/a	`string`	`"74dacd4f-a248-45bb-a2f0-af700dc4cf68"`	no
storage_policy_enabled	Status of the storage account lifecycle policy. Default 'false'	`bool`	`false`	no

Outputs

Name	Description
b2c_asset_files	n/a
b2c_content_files	n/a
b2c_html_files	n/a
b2c_map_files	n/a

Name		Name	Last commit message	Last commit date
Latest commit History 2,492 Commits
.github		.github
b2c		b2c
.editorconfig		.editorconfig
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
.terraform-docs.yml		.terraform-docs.yml
.terraform-version		.terraform-version
CODEOWNERS		CODEOWNERS
Jenkinsfile_CNP		Jenkinsfile_CNP
Jenkinsfile_parameterized		Jenkinsfile_parameterized
LICENSE		LICENSE
README.md		README.md
ams.tf		ams.tf
apim.tf		apim.tf
b2c-templates.tf		b2c-templates.tf
catalog-info.yaml		catalog-info.yaml
data.tf		data.tf
demo.tfvars		demo.tfvars
dev.tfvars		dev.tfvars
import.tf		import.tf
main.tf		main.tf
postgres.tf		postgres.tf
pre-apim-b2c.tf		pre-apim-b2c.tf
prod.tfvars		prod.tfvars
provider.tf		provider.tf
redis.tf		redis.tf
renovate.json		renovate.json
sa-final.tf		sa-final.tf
sa-ingest.tf		sa-ingest.tf
sa-sa.tf		sa-sa.tf
sa-voda.tf		sa-voda.tf
sbox.tfvars		sbox.tfvars
security.md		security.md
stg.tfvars		stg.tfvars
test.tfvars		test.tfvars
variables.tf		variables.tf

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

pre product infrastructure

Getting started

Lint

Workflow

B2C

Bypassing 2FA

Key Rotation Pipelines failing

tooling script import for Demo remains in code

LICENSE

Requirements

Providers

Modules

Resources

Inputs

Outputs

About

Uh oh!

Releases

Packages

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

pre product infrastructure

Getting started

Lint

Workflow

B2C

Bypassing 2FA

Key Rotation Pipelines failing

tooling script import for Demo remains in code

LICENSE

Requirements

Providers

Modules

Resources

Inputs

Outputs

About

Topics

Resources

License

Contributing

Security policy

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Uh oh!

Contributors

Uh oh!

Languages

Packages