Merge pull request #64 from NHSDigital/AMB-0008-Imms-aws-account-inte…

…gration AMB-0008-Imms-AWS-Account-Integration
NHSDigital · Oct 4, 2024 · c0323bc · c0323bc
2 parents feb050d + f8d9430
commit c0323bc
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 83 deletions.
diff --git a/azure/azure-pr-teardown-pipeline.yml b/azure/azure-pr-teardown-pipeline.yml
@@ -32,7 +32,7 @@ jobs:
           echo "##vso[task.setvariable variable=ACTION_PR_NUMBER]$(ACTION_PR_NUMBER)"
         displayName: Set workspace tag
 
-      - template: "azure/components/aws-assume-role.yml@common"
+      - template: ./templates/aws-assume-role.yml
         parameters:
             role: "auto-ops"
             profile: "apim-dev"

diff --git a/azure/templates/aws-assume-role.yml b/azure/templates/aws-assume-role.yml
@@ -0,0 +1,71 @@
+parameters:
+  - name: 'role'
+    type: string
+  - name: 'profile'
+    type: string
+    default: ''
+  - name: 'aws_account'
+    type: string
+    default: 'ptl'
+
+steps:
+    - template: "azure/components/aws-clean-config.yml@common"
+
+    - bash: |
+        set -e
+        echo "##vso[task.setvariable variable=ROLE]${{ parameters.role }}"
+      displayName: get imms role name
+    - bash: |
+        set -e
+        aws_role="$(ROLE)"
+        echo "assume role: '${aws_role}'"
+        if [[ "${{ parameters.aws_account }}" =~ ^(prod|dev)$ ]]; then
+            echo "account is ${{ parameters.aws_account }}"
+            account_id="$(aws ssm get-parameter --name /imms-account-ids/${{ parameters.aws_account }} --query Parameter.Value --output text)"
+            aws_role="arn:aws:iam::${account_id}:role/${aws_role}"
+        fi
+        if [[ "${aws_role}" != arn:aws:iam:* ]]; then
+            echo "check if role exists"
+            # iam synchronisation issues can take a few to make the role appear
+            for i in {1..15}; do
+              if aws iam get-role --role-name ${aws_role} > /dev/null; then
+                echo role exists
+                sleep 2
+                break
+              fi
+              echo waiting for role ...
+              sleep 2
+            done
+            account_id="$(aws sts get-caller-identity --query Account --output text)"
+            aws_role="arn:aws:iam::${account_id}:role/${aws_role}"
+        fi
+        cp ~/.aws/config.default ~/.aws/config
+        tmp_file="$(Agent.TempDirectory)/.aws.tmp.creds.json"
+        # add some backoff to allow for eventual consistency of IAM
+        for i in {2..4};
+        do
+            if aws sts assume-role --role-arn "${aws_role}" --role-session-name build-assume-role > ${tmp_file}; then
+                echo assumed role
+                assumed_role="yes"
+                break
+            fi
+            let "sleep_for=$i*10";
+            sleep $sleep_for
+        done
+        if [[ "${assumed_role}" != "yes" ]]; then
+            echo "assume role failed"
+            exit -1
+        fi
+        echo "aws_access_key_id = $(jq -r .Credentials.AccessKeyId ${tmp_file})" >> ~/.aws/config
+        echo "aws_secret_access_key = $(jq -r .Credentials.SecretAccessKey ${tmp_file})" >> ~/.aws/config
+        echo "aws_session_token = $(jq -r .Credentials.SessionToken ${tmp_file})" >> ~/.aws/config
+        expiry=$(jq -r .Credentials.Expiration ${tmp_file})
+        echo "##vso[task.setvariable variable=ASSUME_ROLE_EXPIRY;]$expiry"
+        rm ${tmp_file}
+        profile="${{ parameters.profile }}"
+        if [[ ! -z "${profile}" ]]; then
+          echo as profile ${profile}
+          sed -i "s#\[default\]#\[profile ${profile}\]#" ~/.aws/config
+        fi
+      displayName: assume role
+      condition: and(succeeded(), ne(variables['ROLE'], ''))
diff --git a/azure/templates/post-deploy.yml b/azure/templates/post-deploy.yml
@@ -5,31 +5,7 @@ parameters:
     default: true
 
 steps:
-  - ${{ if parameters.is_ptl }}:
-    - template: "azure/components/aws-assume-role.yml@common"
-      parameters:
-        role: "auto-ops"
-        profile: "apm_ptl"
-
-    - template: "azure/components/get-aws-secrets-and-ssm-params.yml@common"
-      parameters:
-        secret_file_ids:
-          - ptl/app-credentials/jwt_testing/non-prod/JWT_TESTING_PRIVATE_KEY
-        secret_ids:
-          - ptl/app-credentials/immunisation-fhir-api-testing-app/non-prod/INTROSPECTION_CLIENT_ID
-          - ptl/app-credentials/immunisation-fhir-api-testing-app/non-prod/INTROSPECTION_CLIENT_SECRET
-          - ptl/app-credentials/immunisation-fhir-api-testing-app/non-prod/INTROSPECTION_CLIENT_ID_INT
-          - ptl/app-credentials/immunisation-fhir-api-testing-app/non-prod/INTROSPECTION_CLIENT_SECRET_INT
-          - ptl/app-credentials/immunisation-fhir-api-testing-app/non-prod/INT_CLIENT_ID
-          - ptl/app-credentials/immunisation-fhir-api-testing-app/non-prod/INT_CLIENT_SECRET
-
-  - bash: |
-      make install-python
-    workingDirectory: $(Pipeline.Workspace)/s/$(SERVICE_NAME)/$(SERVICE_ARTIFACT_NAME)
-    displayName: Setup pytests
-    condition: always()
-
-  - template: "azure/components/aws-assume-role.yml@common"
+  - template: ./aws-assume-role.yml
     parameters:
       role: "auto-ops"
       profile: "apim-dev"

diff --git a/azure/templates/run-tests.yml b/azure/templates/run-tests.yml
diff --git a/terraform/Makefile b/terraform/Makefile
@@ -7,7 +7,7 @@ tf_cmd = AWS_PROFILE=$(aws_profile) terraform
 
 project_name = immunisation-batch
 project_short_name = imms-batch
-state_bucket = $(project_name)-terraform-state
+state_bucket = $(project_name)-terraform-state-files
 tf_state= -backend-config="bucket=$(state_bucket)"
 
 tf_vars= -var="project_name=$(project_name)" -var="project_short_name=$(project_short_name)"

diff --git a/terraform/ecs_batch_processor_config.tf b/terraform/ecs_batch_processor_config.tf
@@ -256,7 +256,7 @@ resource "aws_iam_policy" "fifo_pipe_policy" {
 resource "aws_pipes_pipe" "fifo_pipe" {
   name       = "${local.prefix}-pipe"
   role_arn   = aws_iam_role.fifo_pipe_role.arn
-  source     = "arn:aws:sqs:eu-west-2:790083933819:${local.short_prefix}-metadata-queue.fifo"
+  source     = "arn:aws:sqs:eu-west-2:${local.local_account_id}:${local.short_prefix}-metadata-queue.fifo"
   target     = aws_ecs_cluster.ecs_cluster.arn
 
   target_parameters {

diff --git a/terraform/s3_config.tf b/terraform/s3_config.tf
@@ -2,7 +2,7 @@ locals {
     policy_path = "${path.root}/policies"
     is_temp = length(regexall("[a-z]{2,4}-?[0-9]+", local.environment)) > 0
     account_id = local.environment == "prod" ? 232116723729 : 603871901111
-    local_account_id = local.environment == "prod" ? 790083933819 : 790083933819
+    local_account_id = local.environment == "prod" ? 345594581768 : 345594581768
 }
 
  resource "aws_kms_key" "shared_key" {