ministryofjustice · EarthlingDavey · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025 · Jan 17, 2025
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: intranet-archive-production
+  labels:
+    cloud-platform.justice.gov.uk/is-production: "true"
+    cloud-platform.justice.gov.uk/environment-name: "production"
+    pod-security.kubernetes.io/enforce: restricted
+  annotations:
+    cloud-platform.justice.gov.uk/business-unit: "HQ"
+    cloud-platform.justice.gov.uk/slack-channel: "cdpt-intranet"
+    cloud-platform.justice.gov.uk/application: "Intranet Archive"
+    cloud-platform.justice.gov.uk/owner: "Central Digital: [email protected]"
+    cloud-platform.justice.gov.uk/source-code: "https://github.com/ministryofjustice/intranet-archive"
+    cloud-platform.justice.gov.uk/team-name: "central-digital-product-team"
+    cloud-platform.justice.gov.uk/review-after: "2025-25-11"
@@ -0,0 +1,13 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: intranet-archive-production-admin
+  namespace: intranet-archive-production
+subjects:
+  - kind: Group
+    name: "github:central-digital-product-team"
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: admin
+  apiGroup: rbac.authorization.k8s.io
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: LimitRange
+metadata:
+  name: limitrange
+  namespace: intranet-archive-production
+spec:
+  limits:
+  - default:
+      cpu: 1000m
+      memory: 1000Mi
+    defaultRequest:
+      cpu: 10m
+      memory: 100Mi
+    type: Container
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: namespace-quota
+  namespace: intranet-archive-production
+spec:
+  hard:
+    pods: "20"
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default
+  namespace: intranet-archive-production
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - podSelector: {}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: allow-ingress-controllers
+  namespace: intranet-archive-production
+spec:
+  podSelector: {}
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - namespaceSelector:
+        matchLabels:
+          component: ingress-controllers
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: intranet-archive-production-cert
+  namespace: intranet-archive-production
+spec:
+  secretName: intranet-archive-production-cert-secret
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - app.archive.intranet.justice.gov.uk
@@ -0,0 +1,47 @@
+# An aws_acm_certificate for the CloudFront alias.
+
+resource "aws_acm_certificate" "cloudfront_alias_cert" {
+  domain_name       = var.cloudfront_alias
+  validation_method = "DNS"
+
+  tags = {
+    business-unit          = var.business_unit
+    application            = var.application
+    is-production          = var.is_production
+    environment-name       = var.environment
+    owner                  = var.team_name
+    infrastructure-support = var.infrastructure_support
+    namespace              = var.namespace
+    team_name              = var.team_name
+  }
+
+  # For CloudFront, the ACM certificate must be in the us-east-1 region.
+  # https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html#https-requirements-certificate-issuer
+  provider = aws.virginia
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+# aws_acm_certificate_validation for the CloudFront alias.
+# This is part of the validation workflow and not a a real-world entity in AWS.
+# The resource is used together with aws_route53_record and aws_acm_certificate
+# to request a DNS validated certificate, deploy the required validation records 
+# and wait for validation to complete.
+
+resource "aws_acm_certificate_validation" "cloudfront_alias_cert_validation" {
+  certificate_arn         = aws_acm_certificate.cloudfront_alias_cert.arn
+  validation_record_fqdns = aws_route53_record.cert_validations[*].fqdn 
+
+  provider = aws.virginia
+
+  timeouts {
+    create = "10m"
+  }
+
+  depends_on = [
+    aws_acm_certificate.cloudfront_alias_cert,
+    aws_route53_record.cert_validations
+  ]
+}
@@ -0,0 +1,62 @@
+module "cloudfront" {
+  source = "github.com/ministryofjustice/cloud-platform-terraform-cloudfront?ref=1.3.0"
+
+  # Configuration
+  bucket_id            = module.s3_bucket.bucket_name
+  bucket_domain_name   = "${module.s3_bucket.bucket_name}.s3.eu-west-2.amazonaws.com"
+  # The cloudfront module accepts a list of aliases, but we only need one.
+  aliases              = [var.cloudfront_alias]
+  # SSL certificate for the CloudFront alias.
+  aliases_cert_arn     = aws_acm_certificate.cloudfront_alias_cert.arn
+  # An array of public keys with comments, to be used for CloudFront. Includes an optional entry for an expiring key
+  # !IMPORTANT! This value should NEVER be exactly equal to null. If it is, the CloudFront distribution & S3 bucket will be public.
+  # TODO: Uncomment after namespace has been created.
+  # trusted_public_keys  = local.expiring_trusted_key.encoded_key == null ? [local.trusted_key] : [local.trusted_key, local.expiring_trusted_key]
+  # Object to return when an end user requests the root URL
+  default_root_object  = "index.html"
+
+  # Tags
+  business_unit          = var.business_unit
+  application            = var.application
+  is_production          = var.is_production
+  team_name              = var.team_name
+  namespace              = var.namespace
+  environment_name       = var.environment
+  infrastructure_support = var.infrastructure_support
+
+  depends_on = [aws_acm_certificate.cloudfront_alias_cert]
+}
+
+data "kubernetes_secret" "cloudfront_input_secret" {
+  metadata {
+    name      = "cloudfront-input"
+    namespace = var.namespace
+  }
+}
+
+locals {
+  # TODO: Uncomment after namespace has been created.
+  # trusted_key          = {
+  #   encoded_key = data.kubernetes_secret.cloudfront_input_secret.data.AWS_CLOUDFRONT_PUBLIC_KEY
+  #   comment     = ""
+  #   associate   = true
+  # }
+  expiring_trusted_key = {
+    encoded_key = try(data.kubernetes_secret.cloudfront_input_secret.data.AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING, null)
+    comment     = ""
+    associate   = true
+  }
+}
+
+resource "kubernetes_secret" "cloudfront_url" {
+  metadata {
+    name      = "cloudfront-output"
+    namespace = var.namespace
+  }
+
+  data = {
+    cloudfront_alias       = var.cloudfront_alias
+    cloudfront_url         = module.cloudfront.cloudfront_url
+    cloudfront_public_keys = module.cloudfront.cloudfront_public_keys
+  }
+}
@@ -0,0 +1,29 @@
+module "ecr" {
+  source = "github.com/ministryofjustice/cloud-platform-terraform-ecr-credentials?ref=7.1.0"
+
+  repo_name = "${var.namespace}-ecr"
+
+  oidc_providers = ["github"]
+  github_repositories = ["intranet-archive"]
+
+  # Tags
+  business_unit          = var.business_unit
+  application            = var.application
+  is_production          = var.is_production
+  team_name              = var.team_name # also used for naming the container repository
+  namespace              = var.namespace # also used for creating a Kubernetes ConfigMap
+  environment_name       = var.environment
+  infrastructure_support = var.infrastructure_support
+}
+
+resource "kubernetes_secret" "ecr_credentials" {
+  metadata {
+    name      = "ecr-${var.namespace}"
+    namespace = var.namespace
+  }
+
+  data = {
+    repo_arn = module.ecr.repo_arn
+    repo_url = module.ecr.repo_url
+  }
+}
@@ -0,0 +1,22 @@
+module "irsa" {
+  source = "github.com/ministryofjustice/cloud-platform-terraform-irsa?ref=2.0.0"
+
+  # EKS configuration
+  eks_cluster_name = var.eks_cluster_name
+
+  # IRSA configuration
+  service_account_name = "${var.namespace}-service"
+
+  role_policy_arns = {
+    s3  = module.s3_bucket.irsa_policy_arn
+  }
+
+  # Tags
+  business_unit          = var.business_unit
+  application            = var.application
+  is_production          = var.is_production
+  team_name              = var.team_name
+  namespace              = var.namespace
+  environment_name       = var.environment
+  infrastructure_support = var.infrastructure_support
+}
@@ -0,0 +1,28 @@
+terraform {
+  backend "s3" {
+  }
+}
+
+provider "aws" {
+  region = "eu-west-2"
+}
+
+provider "aws" {
+  alias  = "london"
+  region = "eu-west-2"
+  default_tags {
+    tags = {
+      GithubTeam = "central-digital-product-team"
+    }
+  }
+}
+
+provider "aws" {
+  alias = "virginia"
+  region = "us-east-1"
+}
+
+provider "github" {
+  token = var.github_token
+  owner = var.github_owner
+}
@@ -0,0 +1,40 @@
+# Get the kubernetes secret 'route53-zone-output' from intranet-production namespace.
+# This secret contains the zone_id of the hosted zone.
+
+data "kubernetes_secret" "route53_zone_output" {
+  metadata {
+    name      = "route53-zone-output"
+    namespace = "intranet-production"
+  }
+}
+
+# Create an A record in the hosted zone for the CloudFront alias.
+# Note, the zone_id parameter is set to the zone_id from the intranet-production kubernetes secret.
+# And the alias.zone_id parameter is set to the CloudFront hosted zone id.
+
+resource "aws_route53_record" "data" {
+  zone_id = data.kubernetes_secret.route53_zone_output.data["zone_id"]
+  name    = var.cloudfront_alias
+  type    = "A"
+
+  alias {
+    evaluate_target_health = false
+    name                   = module.cloudfront.cloudfront_url
+    zone_id                = module.cloudfront.cloudfront_hosted_zone_id
+  }
+}
+
+# In acm.tf, an aws_acm_certificate resource is created for the CloudFront alias.
+# As the validation method is set to DNS, a route53 record is created here for the certificate validation.
+
+resource "aws_route53_record" "cert_validations" {
+  count           = length(aws_acm_certificate.cloudfront_alias_cert.domain_validation_options)
+
+  zone_id         = data.kubernetes_secret.route53_zone_output.data["zone_id"]
+
+  name            = element(aws_acm_certificate.cloudfront_alias_cert.domain_validation_options[*].resource_record_name, count.index)
+  type            = element(aws_acm_certificate.cloudfront_alias_cert.domain_validation_options[*].resource_record_type, count.index)
+  records         = [element(aws_acm_certificate.cloudfront_alias_cert.domain_validation_options[*].resource_record_value, count.index)]
+  ttl             = 60
+  allow_overwrite = true
+}
@@ -0,0 +1,25 @@
+module "s3_bucket" {
+  source                 = "github.com/ministryofjustice/cloud-platform-terraform-s3-bucket?ref=5.2.0"
+  team_name              = var.team_name
+  business_unit          = var.business_unit
+  application            = var.application
+  is_production          = var.is_production
+  environment_name       = var.environment
+  infrastructure_support = var.infrastructure_support
+  namespace              = var.namespace
+  providers = {
+    aws = aws.london
+  }
+}
+
+resource "kubernetes_secret" "s3_bucket" {
+  metadata {
+    name      = "s3-bucket-output"
+    namespace = var.namespace
+  }
+
+  data = {
+    bucket_arn  = module.s3_bucket.bucket_arn
+    bucket_name = module.s3_bucket.bucket_name
+  }
+}