diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-dev/05-certificate.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-dev/05-certificate.yaml index 4f18a822c06..7f6e76e9d22 100644 --- a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-dev/05-certificate.yaml +++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-dev/05-certificate.yaml @@ -9,7 +9,7 @@ spec: name: letsencrypt-production kind: ClusterIssuer dnsNames: - - people-on-probation-dev.hmpps.service.justice.gov.uk + - probation-account-dev.hmpps.service.justice.gov.uk --- apiVersion: cert-manager.io/v1 diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/00-namespace.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/00-namespace.yaml new file mode 100644 index 00000000000..717403d4094 --- /dev/null +++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/00-namespace.yaml 
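Review bot: Replacing the only dnsNames entry drops the old `people-on-probation-dev.hmpps.service.justice.gov.uk` SAN from the reissued certificate, so any Ingress that still serves that host from the same secret will present a name-mismatched certificate once cert-manager renews it. The Certificate's metadata.name is outside the hunk; if it still carries the old hostname it is worth renaming in the same change, and during cutover it is safer to add `probation-account-dev.hmpps.service.justice.gov.uk` as a second dnsNames entry than to swap the only one.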
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "hmpps-people-on-probation-preprod"
+ labels:
+ cloud-platform.justice.gov.uk/is-production: "false"
+ cloud-platform.justice.gov.uk/environment-name: "preprod"
+ pod-security.kubernetes.io/enforce: restricted
+ annotations:
+ cloud-platform.justice.gov.uk/business-unit: "HMPPS"
+ cloud-platform.justice.gov.uk/slack-channel: "hmpps_people_on_probation"
+ cloud-platform.justice.gov.uk/application: "People on probation"
+ cloud-platform.justice.gov.uk/owner: "Manage my community service: manage.community.sentence@notifications.service.gov.uk"
+ cloud-platform.justice.gov.uk/source-code: "https://github.com/ministryofjustice/hmpps-people-on-probation-ui.git,https://github.com/ministryofjustice/hmpps-people-on-probation-api.git"
+ cloud-platform.justice.gov.uk/team-name: "hmpps-people-on-probation-platform-devs"
+ cloud-platform.justice.gov.uk/review-after: ""
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/01-rbac.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/01-rbac.yaml
new file mode 100644
index 00000000000..4b0d411e8f6
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/01-rbac.yaml
@@ -0,0 +1,16 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hmpps-people-on-probation-preprod-admin
+ namespace: hmpps-people-on-probation-preprod
+subjects:
+ - kind: Group
+ name: "github:hmpps-people-on-probation-platform-devs"
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: "github:hmpps-sre"
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: admin
+ apiGroup: rbac.authorization.k8s.io
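Review bot: The owner annotation on the new Namespace reads `"Manage my community service: …"`, while variables.tf in the same change (L13) sets `service_area` to `"Manage my community sentence"`; one of the two looks like a typo and the prod Namespace at L15 repeats it, so whichever is the team's real name should be used in all three places. `cloud-platform.justice.gov.uk/review-after` is also left as an empty string; if the platform expects a review date for a new namespace, set one rather than leaving it blank.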
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/02-limitrange.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/02-limitrange.yaml
new file mode 100644
index 00000000000..17e7252e47a
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/02-limitrange.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: limitrange
+ namespace: hmpps-people-on-probation-preprod
+spec:
+ limits:
+ - default:
+ cpu: 1000m
+ memory: 1000Mi
+ defaultRequest:
+ cpu: 10m
+ memory: 100Mi
+ type: Container
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/03-resourcequota.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/03-resourcequota.yaml
new file mode 100644
index 00000000000..e52aaa42e77
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/03-resourcequota.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: namespace-quota
+ namespace: hmpps-people-on-probation-preprod
+spec:
+ hard:
+ pods: "50"
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/04-networkpolicy.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/04-networkpolicy.yaml
new file mode 100644
index 00000000000..ea83ec72701
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/04-networkpolicy.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default
+ namespace: hmpps-people-on-probation-preprod
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector: {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-ingress-controllers
+ namespace: hmpps-people-on-probation-preprod
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ component: ingress-controllers
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/05-certificate.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/05-certificate.yaml
new file mode 100644
index 00000000000..91f573533bd
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/05-certificate.yaml
@@ -0,0 +1,26 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: people-on-probation-preprod.hmpps.service.justice.gov.uk
+ namespace: hmpps-people-on-probation-preprod
+spec:
+ secretName: hmpps-people-on-probation-ui-cert
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ dnsNames:
+ - probation-account-preprod.hmpps.service.justice.gov.uk
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: people-on-probation-api-preprod.hmpps.service.justice.gov.uk
+ namespace: hmpps-people-on-probation-preprod
+spec:
+ secretName: hmpps-people-on-probation-api-cert
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ dnsNames:
+ - people-on-probation-api-preprod.hmpps.service.justice.gov.uk
\ No newline at end of file
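Review bot: In the first Certificate of 05-certificate.yaml the metadata.name is `people-on-probation-preprod.hmpps.service.justice.gov.uk` but its only dnsName is `probation-account-preprod.hmpps.service.justice.gov.uk`, so the resource name no longer says which host the certificate covers, whereas the API Certificate below keeps name and dnsName in step. Either rename it, `name: probation-account-preprod.hmpps.service.justice.gov.uk`, or, if both hostnames are meant to reach the UI, list the people-on-probation host as a second dnsNames entry so it is not silently uncovered. The prod file at L17 has the same mismatch (`people-on-probation-prod` vs `probation-account`). The file also ends without a trailing newline.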
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/06-rbac-haar-client-admin-team.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/06-rbac-haar-client-admin-team.yaml
new file mode 100644
index 00000000000..d58c0b94768
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/06-rbac-haar-client-admin-team.yaml
@@ -0,0 +1,39 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hmpps-haar-client-admin-team
+ namespace: hmpps-people-on-probation-preprod
+rules:
+ - apiGroups: ["extensions", "apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "issuers"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [ "", "extensions" ]
+ resources: [ "services", "ingresses", "configmaps", "pods/log" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: [ "get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hmpps-haar-client-admin-team
+ namespace: hmpps-people-on-probation-preprod
+subjects:
+ - kind: Group
+ name: "github:hmpps-haar-client-admin"
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: hmpps-haar-client-admin-team
+ apiGroup: rbac.authorization.k8s.io
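Review bot: The Role grants `github:hmpps-haar-client-admin` create/update/patch on every `secrets` object in the namespace plus create on `pods`, which lets that group read and rewrite the RDS credentials and the ElastiCache `auth_token` that rds.tf and hmpps-people-on-probation-ui.tf in this same change store as Kubernetes Secrets; the RoleBinding subject is a different team from the namespace owner, so this is broad for a "client admin" role. Scope the secrets rule with `resourceNames` to the secrets that team actually manages, or drop the write verbs if read access is all it needs. Separately, `ingresses` is listed under apiGroups `""`/`extensions`, but Ingress has been served only from `networking.k8s.io` since the extensions/v1beta1 API was removed in Kubernetes 1.22, so that rule grants nothing for ingresses on a current cluster; give it its own rule with `apiGroups: ["networking.k8s.io"]`. The prod copy at L18 has the same two issues.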
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/hmpps-people-on-probation-api.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/hmpps-people-on-probation-api.tf
new file mode 100644
index 00000000000..67a696619fe
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/hmpps-people-on-probation-api.tf
@@ -0,0 +1,18 @@
+module "hmpps_people_on_probation_api" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-hmpps-template?ref=1.2.1"
+ force_rotate_token = true
+ custom_token_rotation_date = "2026-03-20"
+ github_repo = "hmpps-people-on-probation-api"
+ application = "hmpps-people-on-probation-api"
+ github_team = "hmpps-people-on-probation-platform-devs"
+ environment = var.environment # Should match environment name used in helm values file e.g. values-dev.yaml
+ reviewer_teams = ["hmpps-people-on-probation-platform-devs", "hmpps-people-on-probation-platform-live"] # Optional team that should review deployments to this environment.
+ selected_branch_patterns = ["main", "release/*", "feature/*"] # Optional
+ #protected_branches_only = true # Optional, defaults to true unless selected_branch_patterns is set
+ is_production = var.is_production
+ application_insights_instance = "preprod" # Either "dev", "preprod" or "prod"
+ source_template_repo = "hmpps-template-kotlin"
+ github_token = var.github_token
+ namespace = var.namespace
+ kubernetes_cluster = var.kubernetes_cluster
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/hmpps-people-on-probation-ui.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/hmpps-people-on-probation-ui.tf
new file mode 100644
index 00000000000..6b481cb5c21
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/hmpps-people-on-probation-ui.tf 
@@ -0,0 +1,59 @@
+# For Cloud Platform deployed projects based on the hmpps-template-typescript template:
+# Make a copy of this file in your namespace, then modify according to the instructions here:
+# https://tech-docs.hmpps.service.justice.gov.uk/creating-new-services/creating-resources-in-cloud-platform
+
+module "hmpps_people_on_probation_ui" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-hmpps-template?ref=1.2.1"
+ force_rotate_token = true
+ custom_token_rotation_date = "2026-03-20"
+ github_repo = "hmpps-people-on-probation-ui"
+ application = "hmpps-people-on-probation-ui"
+ github_team = "hmpps-people-on-probation-platform-devs"
+ environment = var.environment # Should match environment name used in helm values file e.g. values-dev.yaml
+ reviewer_teams = ["hmpps-people-on-probation-platform-devs", "hmpps-people-on-probation-platform-live"] # Optional team that should review deployments to this environment.
+ selected_branch_patterns = ["main", "release/*", "feature/*"] # Optional
+ #protected_branches_only = true # Optional, defaults to true unless selected_branch_patterns is set
+ is_production = var.is_production
+ application_insights_instance = "preprod" # Either "dev", "preprod" or "prod"
+ source_template_repo = "hmpps-template-typescript"
+ github_token = var.github_token
+ namespace = var.namespace
+ kubernetes_cluster = var.kubernetes_cluster
+}
+
+
+# Note, redis is a requirement for hmpps-template-typescript application.
+module "elasticache_redis" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-elasticache-cluster?ref=8.1.0"
+ vpc_name = var.vpc_name
+ team_name = var.team_name
+ business_unit = var.business_unit
+ application = module.hmpps_people_on_probation_ui.application
+ is_production = var.is_production
+ namespace = var.namespace
+ environment_name = var.environment
+ infrastructure_support = var.infrastructure_support
+
+ # sized for micro in dev, preprod, suggest small for production
+ node_type = "cache.t4g.small"
+ engine_version = "7.0"
+ parameter_group_name = "default.redis7"
+
+ providers = {
+ aws = aws.london
+ }
+}
+
+resource "kubernetes_secret" "elasticache_redis" {
+ metadata {
+ name = "${module.hmpps_people_on_probation_ui.application}-elasticache-redis"
+ namespace = var.namespace
+ }
+
+ data = {
+ primary_endpoint_address = module.elasticache_redis.primary_endpoint_address
+ auth_token = module.elasticache_redis.auth_token
+ member_clusters = jsonencode(module.elasticache_redis.member_clusters)
+ replication_group_id = module.elasticache_redis.replication_group_id
+ }
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/main.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/main.tf
new file mode 100644
index 00000000000..8ed1c5d0806
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/main.tf
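Review bot: The comment `# sized for micro in dev, preprod, suggest small for production` contradicts the value directly under it, `node_type = "cache.t4g.small"`, in a preprod file; either the comment is stale template text or the cluster was sized up deliberately, and the comment should say which so the next reader does not "fix" it. If small is intended, `# sized small for preprod to match prod; micro is enough for dev` documents the decision. The hunk starts at L8, where the UI module is declared.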
@@ -0,0 +1,64 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ region = "eu-west-2"
+
+ default_tags {
+ tags = {
+ business-unit = var.business_unit
+ application = var.application
+ is-production = var.is_production
+ owner = var.team_name
+ namespace = var.namespace
+ service-area = var.service_area
+ source-code = "github.com/ministryofjustice/cloud-platform-environments"
+ slack-channel = var.slack_channel
+ }
+ }
+}
+
+provider "aws" {
+ alias = "london"
+ region = "eu-west-2"
+
+ default_tags {
+ tags = {
+ business-unit = var.business_unit
+ application = var.application
+ is-production = var.is_production
+ owner = var.team_name
+ namespace = var.namespace
+ service-area = var.service_area
+ source-code = "github.com/ministryofjustice/cloud-platform-environments"
+ slack-channel = var.slack_channel
+ }
+ }
+}
+
+provider "aws" {
+ alias = "ireland"
+ region = "eu-west-1"
+
+ default_tags {
+ tags = {
+ business-unit = var.business_unit
+ application = var.application
+ is-production = var.is_production
+ owner = var.team_name
+ namespace = var.namespace
+ service-area = var.service_area
+ source-code = "github.com/ministryofjustice/cloud-platform-environments"
+ slack-channel = var.slack_channel
+ }
+ }
+}
+
+provider "github" {
+ token = var.github_token
+ owner = var.github_owner
+}
+
+provider "kubernetes" {}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/rds.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/rds.tf
new file mode 100644
index 00000000000..990ef92c897
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/rds.tf
@@ -0,0 +1,57 @@
+module "rds" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=9.2.0"
+
+ # VPC configuration
+ vpc_name = var.vpc_name
+
+ # RDS configuration
+ allow_minor_version_upgrade = true
+ allow_major_version_upgrade = false
+ performance_insights_enabled = false
+ db_max_allocated_storage = "500"
+ enable_rds_auto_start_stop = !var.is_production
+ enable_irsa = true
+ # db_password_rotated_date = "2023-04-17" # Uncomment to rotate your database password.
+
+ # PostgreSQL specifics
+ db_engine = "postgres"
+ db_engine_version = "18"
+ rds_family = "postgres18"
+ db_instance_class = "db.t4g.micro"
+
+ # Tags
+ application = var.application
+ business_unit = var.business_unit
+ environment_name = var.environment
+ infrastructure_support = var.infrastructure_support
+ is_production = var.is_production
+ namespace = var.namespace
+ team_name = var.team_name
+}
+
+resource "kubernetes_secret" "rds" {
+ metadata {
+ name = "hmpps-people-on-probation-rds-settings"
+ namespace = var.namespace
+ }
+
+ data = {
+ rds_instance_endpoint = module.rds.rds_instance_endpoint
+ database_name = module.rds.database_name
+ database_username = module.rds.database_username
+ database_password = module.rds.database_password
+ rds_instance_address = module.rds.rds_instance_address
+ }
+}
+
+resource "kubernetes_config_map" "rds" {
+ metadata {
+ name = "rds-postgresql-instance-output"
+ namespace = var.namespace
+ }
+
+ data = {
+ database_name = module.rds.database_name
+ db_identifier = module.rds.db_identifier
+ }
+}
\ No newline at end of file
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/variables.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/variables.tf
new file mode 100644
index 00000000000..7d55ead2244
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/variables.tf 
@@ -0,0 +1,79 @@
+variable "vpc_name" {
+ description = "VPC name to create security groups in for the ElastiCache and RDS modules"
+ type = string
+}
+
+variable "kubernetes_cluster" {
+ description = "Kubernetes cluster name for references to secrets for service accounts"
+ type = string
+}
+
+variable "application" {
+ description = "Name of the application you are deploying"
+ type = string
+ default = "People on probation"
+}
+
+variable "namespace" {
+ description = "Name of the namespace these resources are part of"
+ type = string
+ default = "hmpps-people-on-probation-preprod"
+}
+
+variable "service_area" {
+ description = "Service area responsible for this service"
+ type = string
+ default = "Manage my community sentence"
+}
+
+variable "business_unit" {
+ description = "Area of the MOJ responsible for this service"
+ type = string
+ default = "HMPPS"
+}
+
+variable "team_name" {
+ description = "Name of the development team responsible for this service"
+ type = string
+ default = "hmpps-people-on-probation-platform-devs"
+}
+
+variable "environment" {
+ description = "Name of the environment type for this service"
+ type = string
+ default = "preprod"
+}
+
+variable "infrastructure_support" {
+ description = "Email address of the team responsible this service"
+ type = string
+ default = "TechforCOM@justice.gov.uk"
+}
+
+variable "is_production" {
+ description = "Whether this environment type is production or not"
+ type = string
+ default = "false"
+}
+
+variable "slack_channel" {
+ description = "Slack channel name for your team, if we need to contact you about this service"
+ type = string
+ default = "hmpps_people_on_probation"
+}
+
+variable "github_owner" {
+ description = "The GitHub organization or individual user account containing the app's code repo. Used by the Github Terraform provider.
See: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/getting-started/ecr-setup.html#accessing-the-credentials"
+ type = string
+ default = "ministryofjustice"
+}
+
+variable "github_token" {
+ type = string
+ description = "Required by the GitHub Terraform provider"
+ default = ""
+}
+
+variable "number_cache_clusters" {
+ default = "2"
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/versions.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/versions.tf
new file mode 100644
index 00000000000..98d0abd1f6e
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-preprod/resources/versions.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_version = ">= 1.2.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.78.0"
+ }
+ github = {
+ source = "integrations/github"
+ version = "~> 6.6.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.23.0"
+ }
+ }
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/00-namespace.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/00-namespace.yaml
new file mode 100644
index 00000000000..3d4c02f782c
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/00-namespace.yaml
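Review bot: `is_production` is declared `type = string` with `default = "false"`, yet rds.tf in this change negates it (`enable_rds_auto_start_stop = !var.is_production`), which only works through Terraform's implicit string-to-bool conversion and fails at plan time for any value other than `"true"`/`"false"`; declaring it `type = bool` with `default = false` makes the contract explicit, provided the Cloud Platform modules it is passed to accept a bool. `number_cache_clusters` is declared with neither `type` nor `description`, and nothing visible in this change reads it (the elasticache module call in hmpps-people-on-probation-ui.tf does not pass it), so it looks like leftover template code that can be removed. The variables.tf hunk starts at L13; its prod counterpart begins at the end of the chunk and is not visible here.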
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "hmpps-people-on-probation-prod"
+ labels:
+ cloud-platform.justice.gov.uk/is-production: "true"
+ cloud-platform.justice.gov.uk/environment-name: "prod"
+ pod-security.kubernetes.io/enforce: restricted
+ annotations:
+ cloud-platform.justice.gov.uk/business-unit: "HMPPS"
+ cloud-platform.justice.gov.uk/slack-channel: "hmpps_people_on_probation"
+ cloud-platform.justice.gov.uk/application: "People on probation"
+ cloud-platform.justice.gov.uk/owner: "Manage my community service: manage.community.sentence@notifications.service.gov.uk"
+ cloud-platform.justice.gov.uk/source-code: "https://github.com/ministryofjustice/hmpps-people-on-probation-ui.git,https://github.com/ministryofjustice/hmpps-people-on-probation-api.git"
+ cloud-platform.justice.gov.uk/team-name: "hmpps-people-on-probation-platform-devs"
+ cloud-platform.justice.gov.uk/review-after: ""
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/01-rbac.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/01-rbac.yaml
new file mode 100644
index 00000000000..f79202f0a1c
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/01-rbac.yaml
@@ -0,0 +1,16 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hmpps-people-on-probation-prod-admin
+ namespace: hmpps-people-on-probation-prod
+subjects:
+ - kind: Group
+ name: "github:hmpps-people-on-probation-platform-devs"
+ apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: "github:hmpps-sre"
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: admin
+ apiGroup: rbac.authorization.k8s.io
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/02-limitrange.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/02-limitrange.yaml
new file mode 100644
index 00000000000..71756cff163
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/02-limitrange.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+ name: limitrange
+ namespace: hmpps-people-on-probation-prod
+spec:
+ limits:
+ - default:
+ cpu: 1000m
+ memory: 1000Mi
+ defaultRequest:
+ cpu: 10m
+ memory: 100Mi
+ type: Container
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/03-resourcequota.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/03-resourcequota.yaml
new file mode 100644
index 00000000000..5f7fdfe7ec3
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/03-resourcequota.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+ name: namespace-quota
+ namespace: hmpps-people-on-probation-prod
+spec:
+ hard:
+ pods: "50"
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/04-networkpolicy.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/04-networkpolicy.yaml
new file mode 100644
index 00000000000..a2875aa95ae
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/04-networkpolicy.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default
+ namespace: hmpps-people-on-probation-prod
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector: {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: allow-ingress-controllers
+ namespace: hmpps-people-on-probation-prod
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ component: ingress-controllers
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/05-certificate.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/05-certificate.yaml
new file mode 100644
index 00000000000..6758b5ba237
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/05-certificate.yaml
@@ -0,0 +1,26 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: people-on-probation-prod.hmpps.service.justice.gov.uk
+ namespace: hmpps-people-on-probation-prod
+spec:
+ secretName: hmpps-people-on-probation-ui-cert
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ dnsNames:
+ - probation-account.hmpps.service.justice.gov.uk
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: people-on-probation-api-prod.hmpps.service.justice.gov.uk
+ namespace: hmpps-people-on-probation-prod
+spec:
+ secretName: hmpps-people-on-probation-api-cert
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ dnsNames:
+ - people-on-probation-api.hmpps.service.justice.gov.uk
\ No newline at end of file
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/06-rbac-haar-client-admin-team.yaml b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/06-rbac-haar-client-admin-team.yaml
new file mode 100644
index 00000000000..dea51f13d1f
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/06-rbac-haar-client-admin-team.yaml
@@ -0,0 +1,39 @@
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hmpps-haar-client-admin-team
+ namespace: hmpps-people-on-probation-prod
+rules:
+ - apiGroups: ["extensions", "apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates", "issuers"]
+ verbs: ["get", "list", "watch", "create", "update", "patch"]
+ - apiGroups: [ "", "extensions" ]
+ resources: [ "services", "ingresses", "configmaps", "pods/log" ]
+ verbs: [ "get", "list", "watch" ]
+ - apiGroups: [""]
+ resources: ["events"]
+ verbs: [ "get", "list", "watch", "create", "update", "patch"]
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: hmpps-haar-client-admin-team
+ namespace: hmpps-people-on-probation-prod
+subjects:
+ - kind: Group
+ name: "github:hmpps-haar-client-admin"
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: hmpps-haar-client-admin-team
+ apiGroup: rbac.authorization.k8s.io
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/hmpps-people-on-probation-api.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/hmpps-people-on-probation-api.tf
new file mode 100644
index 00000000000..cee896f2e32
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/hmpps-people-on-probation-api.tf
@@ -0,0 +1,18 @@
+module "hmpps_people_on_probation_api" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-hmpps-template?ref=1.2.1"
+ force_rotate_token = true
+ custom_token_rotation_date = "2026-03-20"
+ github_repo = "hmpps-people-on-probation-api"
+ application = "hmpps-people-on-probation-api"
+ github_team = "hmpps-people-on-probation-platform-devs"
+ environment = var.environment # Should match environment name used in helm values file e.g. values-dev.yaml
+ reviewer_teams = ["hmpps-people-on-probation-platform-devs", "hmpps-people-on-probation-platform-live"] # Optional team that should review deployments to this environment.
+ selected_branch_patterns = ["main", "release/*", "feature/*"] # Optional
+ #protected_branches_only = true # Optional, defaults to true unless selected_branch_patterns is set
+ is_production = var.is_production
+ application_insights_instance = "prod" # Either "dev", "preprod" or "prod"
+ source_template_repo = "hmpps-template-kotlin"
+ github_token = var.github_token
+ namespace = var.namespace
+ kubernetes_cluster = var.kubernetes_cluster
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/hmpps-people-on-probation-ui.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/hmpps-people-on-probation-ui.tf
new file mode 100644
index 00000000000..5f5b1fbc686
--- /dev/null
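Review bot: `selected_branch_patterns = ["main", "release/*", "feature/*"]` in the production module makes every `feature/*` branch eligible to deploy to the prod GitHub environment, and by the commented line above it, setting the patterns also switches off the protected-branches-only default, so the only remaining gate is `reviewer_teams` approval. For prod, `selected_branch_patterns = ["main", "release/*"]`, or leaving the patterns unset so protected branches only stays in force, is the safer default; the same list is fine for preprod. The prod UI module at L21 carries the same pattern.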
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/hmpps-people-on-probation-ui.tf 
@@ -0,0 +1,59 @@
+# For Cloud Platform deployed projects based on the hmpps-template-typescript template:
+# Make a copy of this file in your namespace, then modify according to the instructions here:
+# https://tech-docs.hmpps.service.justice.gov.uk/creating-new-services/creating-resources-in-cloud-platform
+
+module "hmpps_people_on_probation_ui" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-hmpps-template?ref=1.2.1"
+ force_rotate_token = true
+ custom_token_rotation_date = "2026-03-20"
+ github_repo = "hmpps-people-on-probation-ui"
+ application = "hmpps-people-on-probation-ui"
+ github_team = "hmpps-people-on-probation-platform-devs"
+ environment = var.environment # Should match environment name used in helm values file e.g. values-dev.yaml
+ reviewer_teams = ["hmpps-people-on-probation-platform-devs", "hmpps-people-on-probation-platform-live"] # Optional team that should review deployments to this environment.
+ selected_branch_patterns = ["main", "release/*", "feature/*"] # Optional
+ #protected_branches_only = true # Optional, defaults to true unless selected_branch_patterns is set
+ is_production = var.is_production
+ application_insights_instance = "prod" # Either "dev", "preprod" or "prod"
+ source_template_repo = "hmpps-template-typescript"
+ github_token = var.github_token
+ namespace = var.namespace
+ kubernetes_cluster = var.kubernetes_cluster
+}
+
+
+# Note, redis is a requirement for hmpps-template-typescript application.
+module "elasticache_redis" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-elasticache-cluster?ref=8.1.0"
+ vpc_name = var.vpc_name
+ team_name = var.team_name
+ business_unit = var.business_unit
+ application = module.hmpps_people_on_probation_ui.application
+ is_production = var.is_production
+ namespace = var.namespace
+ environment_name = var.environment
+ infrastructure_support = var.infrastructure_support
+
+ # sized for micro in dev, preprod, suggest small for production
+ node_type = "cache.t4g.small"
+ engine_version = "7.0"
+ parameter_group_name = "default.redis7"
+
+ providers = {
+ aws = aws.london
+ }
+}
+
+resource "kubernetes_secret" "elasticache_redis" {
+ metadata {
+ name = "${module.hmpps_people_on_probation_ui.application}-elasticache-redis"
+ namespace = var.namespace
+ }
+
+ data = {
+ primary_endpoint_address = module.elasticache_redis.primary_endpoint_address
+ auth_token = module.elasticache_redis.auth_token
+ member_clusters = jsonencode(module.elasticache_redis.member_clusters)
+ replication_group_id = module.elasticache_redis.replication_group_id
+ }
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/main.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/main.tf
new file mode 100644
index 00000000000..8ed1c5d0806
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/main.tf
@@ -0,0 +1,64 @@
+terraform {
+ backend "s3" {
+ }
+}
+
+provider "aws" {
+ region = "eu-west-2"
+
+ default_tags {
+ tags = {
+ business-unit = var.business_unit
+ application = var.application
+ is-production = var.is_production
+ owner = var.team_name
+ namespace = var.namespace
+ service-area = var.service_area
+ source-code = "github.com/ministryofjustice/cloud-platform-environments"
+ slack-channel = var.slack_channel
+ }
+ }
+}
+
+provider "aws" {
+ alias = "london"
+ region = "eu-west-2"
+
+ default_tags {
+ tags = {
+ business-unit = var.business_unit
+ application = var.application
+ is-production = var.is_production
+ owner = var.team_name
+ namespace = var.namespace
+ service-area = var.service_area
+ source-code = "github.com/ministryofjustice/cloud-platform-environments"
+ slack-channel = var.slack_channel
+ }
+ }
+}
+
+provider "aws" {
+ alias = "ireland"
+ region = "eu-west-1"
+
+ default_tags {
+ tags = {
+ business-unit = var.business_unit
+ application = var.application
+ is-production = var.is_production
+ owner = var.team_name
+ namespace = var.namespace
+ service-area = var.service_area
+ source-code = "github.com/ministryofjustice/cloud-platform-environments"
+ slack-channel = var.slack_channel
+ }
+ }
+}
+
+provider "github" {
+ token = var.github_token
+ owner = var.github_owner
+}
+
+provider "kubernetes" {}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/rds.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/rds.tf
new file mode 100644
index 00000000000..990ef92c897
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/rds.tf
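Review bot: The three `provider "aws"` blocks each repeat the same eight-entry `default_tags` map, so the tag set used for ownership and cost attribution can silently drift if only one copy is edited later. Defining the map once in a `locals` block and referencing `local.default_tags` from every provider keeps the tags identical by construction; the default provider and the `london` alias are also both `eu-west-2`, which is fine but worth a one-line comment saying the un-aliased provider is deliberately London. The `github` and `kubernetes` provider blocks are unaffected.
```hcl
locals {
  default_tags = {
    business-unit = var.business_unit
    application   = var.application
    is-production = var.is_production
    owner         = var.team_name
    namespace     = var.namespace
    service-area  = var.service_area
    source-code   = "github.com/ministryofjustice/cloud-platform-environments"
    slack-channel = var.slack_channel
  }
}

provider "aws" {
  region = "eu-west-2"

  default_tags {
    tags = local.default_tags
  }
}

# … the "london" and "ireland" providers get the same `tags = local.default_tags` …
# … unchanged: github and kubernetes providers …
```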
@@ -0,0 +1,57 @@
+module "rds" {
+ source = "github.com/ministryofjustice/cloud-platform-terraform-rds-instance?ref=9.2.0"
+
+ # VPC configuration
+ vpc_name = var.vpc_name
+
+ # RDS configuration
+ allow_minor_version_upgrade = true
+ allow_major_version_upgrade = false
+ performance_insights_enabled = false
+ db_max_allocated_storage = "500"
+ enable_rds_auto_start_stop = !var.is_production
+ enable_irsa = true
+ # db_password_rotated_date = "2023-04-17" # Uncomment to rotate your database password.
+
+ # PostgreSQL specifics
+ db_engine = "postgres"
+ db_engine_version = "18"
+ rds_family = "postgres18"
+ db_instance_class = "db.t4g.micro"
+
+ # Tags
+ application = var.application
+ business_unit = var.business_unit
+ environment_name = var.environment
+ infrastructure_support = var.infrastructure_support
+ is_production = var.is_production
+ namespace = var.namespace
+ team_name = var.team_name
+}
+
+resource "kubernetes_secret" "rds" {
+ metadata {
+ name = "hmpps-people-on-probation-rds-settings"
+ namespace = var.namespace
+ }
+
+ data = {
+ rds_instance_endpoint = module.rds.rds_instance_endpoint
+ database_name = module.rds.database_name
+ database_username = module.rds.database_username
+ database_password = module.rds.database_password
+ rds_instance_address = module.rds.rds_instance_address
+ }
+}
+
+resource "kubernetes_config_map" "rds" {
+ metadata {
+ name = "rds-postgresql-instance-output"
+ namespace = var.namespace
+ }
+
+ data = {
+ database_name = module.rds.database_name
+ db_identifier = module.rds.db_identifier
+ }
+}
\ No newline at end of file
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/variables.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/variables.tf
new file mode 100644
index 00000000000..a8587263f1b
--- /dev/null
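Review bot: `enable_rds_auto_start_stop = !var.is_production` and the `is_production = var.is_production` tag both hinge on `var.is_production`, which the variables.tf hunk later in this commit declares for this production namespace as `type = string` with `default = "false"`; unless the apply pipeline overrides it, the production database will be scheduled to stop out of hours and be tagged as non-production. The safer fix is in variables.tf rather than here: `default = "true"` (and ideally `type = bool`, since `!` on a string value relies on implicit conversion). Two further production settings deserve a deliberate decision recorded in a comment: `db_instance_class = "db.t4g.micro"` is a burstable class, and `performance_insights_enabled = false` removes the main tool for diagnosing it under load. The file also lacks a trailing newline (`\ No newline at end of file`).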
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/variables.tf 
@@ -0,0 +1,79 @@
+variable "vpc_name" {
+ description = "VPC name to create security groups in for the ElastiCache and RDS modules"
+ type = string
+}
+
+variable "kubernetes_cluster" {
+ description = "Kubernetes cluster name for references to secrets for service accounts"
+ type = string
+}
+
+variable "application" {
+ description = "Name of the application you are deploying"
+ type = string
+ default = "People on probation"
+}
+
+variable "namespace" {
+ description = "Name of the namespace these resources are part of"
+ type = string
+ default = "hmpps-people-on-probation-prod"
+}
+
+variable "service_area" {
+ description = "Service area responsible for this service"
+ type = string
+ default = "Manage my community sentence"
+}
+
+variable "business_unit" {
+ description = "Area of the MOJ responsible for this service"
+ type = string
+ default = "HMPPS"
+}
+
+variable "team_name" {
+ description = "Name of the development team responsible for this service"
+ type = string
+ default = "hmpps-people-on-probation-platform-devs"
+}
+
+variable "environment" {
+ description = "Name of the environment type for this service"
+ type = string
+ default = "prod"
+}
+
+variable "infrastructure_support" {
+ description = "Email address of the team responsible this service"
+ type = string
+ default = "TechforCOM@justice.gov.uk"
+}
+
+variable "is_production" {
+ description = "Whether this environment type is production or not"
+ type = string
+ default = "false"
+}
+
+variable "slack_channel" {
+ description = "Slack channel name for your team, if we need to contact you about this service"
+ type = string
+ default = "hmpps_people_on_probation"
+}
+
+variable "github_owner" {
+ description = "The GitHub organization or individual user account containing the app's code repo. Used by the Github Terraform provider. See: https://user-guide.cloud-platform.service.justice.gov.uk/documentation/getting-started/ecr-setup.html#accessing-the-credentials"
+ type = string
+ default = "ministryofjustice"
+}
+
+variable "github_token" {
+ type = string
+ description = "Required by the GitHub Terraform provider"
+ default = ""
+}
+
+variable "number_cache_clusters" {
+ default = "2"
+}
diff --git a/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/versions.tf b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/versions.tf
new file mode 100644
index 00000000000..98d0abd1f6e
--- /dev/null
+++ b/namespaces/live.cloud-platform.service.justice.gov.uk/hmpps-people-on-probation-prod/resources/versions.tf
@@ -0,0 +1,17 @@
+terraform {
+ required_version = ">= 1.2.5"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.78.0"
+ }
+ github = {
+ source = "integrations/github"
+ version = "~> 6.6.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.23.0"
+ }
+ }
+}
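Review bot: `variable "github_token"` carries a credential but is not marked as sensitive, so any resource attribute it flows into is shown in clear text in plan and apply output; add `sensitive = true` to that block. `variable "is_production"` is `type = string` with `default = "false"` in a namespace whose `namespace` and `environment` defaults are `hmpps-people-on-probation-prod` and `prod`, so the defaults contradict each other and any consumer that does not override it will treat production as non-production; `type = bool` with `default = true` would make the intent explicit. `variable "number_cache_clusters"` is the only variable with no `type` or `description`, and its default `"2"` is a string where a count is presumably expected, so `type = number`, `default = 2` and a one-line description would bring it in line with the rest of the file.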