add noncore

add noncore

environments/noncore.json

@@ -0,0 +1,36 @@
+{
+  "account-type": "member",
+  "codeowners": ["hosting-migrations", "studio-webops"],
+  "environments": [
+    {
+      "name": "production",
+      "access": [
+        {
+          "sso_group_name": "hosting-migrations",
+          "level": "developer",
+          "github_action_reviewer": "true"
+        },
+        {
+          "sso_group_name": "studio-webops",
+          "level": "developer",
+          "github_action_reviewer": "true"
+        },
+        {
+          "sso_group_name": "azure-aws-sso-digital-studio-operations",
+          "level": "developer"
+        }
+      ]
+    }
+  ],
+  "tags": {
+    "application": "noncore",
+    "business-unit": "HMPPS",
+    "infrastructure-support": "digital-studio-operations-team@digital.justice.gov.uk",
+    "owner": "digital-studio-operations-team@digital.justice.gov.uk",
+    "critical-national-infrastructure": true
+  },
+  "github-oidc-team-repositories": [
+    "ministryofjustice/dso-modernisation-platform-automation"
+  ],
+  "go-live-date": "2023-04-16"
+}

terraform/environments/noncore/backend.tf

@@ -0,0 +1,14 @@
+# Backend
+terraform {
+  # `backend` blocks do not support variables, so the following are hard-coded here:
+  # - S3 bucket name, which is created in modernisation-platform-account/s3.tf
+  backend "s3" {
+    acl                  = "bucket-owner-full-control"
+    bucket               = "modernisation-platform-terraform-state"
+    encrypt              = true
+    key                  = "terraform.tfstate"
+    region               = "eu-west-2"
+    workspace_key_prefix = "environments/accounts/noncore" # This will store the object as environments/accounts/oasys/${workspace}/terraform.tfstate
+    dynamodb_table       = "modernisation-platform-terraform-state-lock"
+  }
+}

terraform/environments/noncore/base_variables.tf

@@ -0,0 +1,5 @@
+variable "networking" {
+
+  type = list(any)
+
+}

terraform/environments/noncore/data.tf

@@ -0,0 +1,4 @@
+# Get the environments file from the main repository
+data "http" "environments_file" {
+  url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.application_name}.json"
+}

terraform/environments/noncore/locals.tf

@@ -0,0 +1,35 @@
+locals {
+
+  application_name = "noncore"
+
+  environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
+
+  # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
+  # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
+  is-production    = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
+  is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction"
+  is-test          = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test"
+  is-development   = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development"
+
+  # Merge tags from the environment json file with additional ones
+  tags = merge(
+    jsondecode(data.http.environments_file.response_body).tags,
+    { "is-production" = local.is-production },
+    { "environment-name" = terraform.workspace },
+    { "source-code" = "https://github.com/ministryofjustice/modernisation-platform" }
+  )
+
+  environment     = trimprefix(terraform.workspace, "${var.networking[0].application}-")
+  vpc_name        = var.networking[0].business-unit
+  subnet_set      = var.networking[0].set
+  vpc_all         = "${local.vpc_name}-${local.environment}"
+  subnet_set_name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}"
+
+  is_live       = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"]
+  provider_name = "core-vpc-${local.environment}"
+
+  # environment specfic variables
+  # example usage:
+  # example_data = local.application_data.accounts[local.environment].example_var
+  application_data = fileexists("./application_variables.json") ? jsondecode(file("./application_variables.json")) : {}
+}

terraform/environments/noncore/networking.auto.tfvars.json

@@ -0,0 +1,9 @@
+{
+  "networking": [
+    {
+      "business-unit": "hmpps",
+      "set": "general",
+      "application": "noncore"
+    }
+  ]
+}

terraform/environments/noncore/providers.tf

@@ -0,0 +1,33 @@
+# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
+provider "aws" {
+  region = "eu-west-2"
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/ModernisationPlatformAccess"
+  }
+}
+
+# AWS provider for the Modernisation Platform, to get things from there if required
+provider "aws" {
+  alias  = "modernisation-platform"
+  region = "eu-west-2"
+}
+
+# AWS provider for core-vpc-<environment>, to share VPCs into this account
+provider "aws" {
+  alias  = "core-vpc"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/ModernisationPlatformAccess"
+  }
+}
+
+# AWS provider for core-network-services-production, to share VPCs into this account
+provider "aws" {
+  alias  = "core-network-services"
+  region = "eu-west-2"
+
+  assume_role {
+    role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/ModernisationPlatformAccess"
+  }
+}

terraform/environments/noncore/secrets.tf

@@ -0,0 +1,16 @@
+# Get modernisation account id from ssm parameter
+data "aws_ssm_parameter" "modernisation_platform_account_id" {
+  name = "modernisation_platform_account_id"
+}
+
+# Get secret by arn for environment management
+data "aws_secretsmanager_secret" "environment_management" {
+  provider = aws.modernisation-platform
+  name     = "environment_management"
+}
+
+# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
+data "aws_secretsmanager_secret_version" "environment_management" {
+  provider  = aws.modernisation-platform
+  secret_id = data.aws_secretsmanager_secret.environment_management.id
+}

terraform/environments/noncore/subnet_share.tf

@@ -0,0 +1,41 @@
+######## DO NOT EDIT - THIS FILE WILL BE OVERWRITTEN BY TERRAFORM #########
+
+data "aws_caller_identity" "current" {}
+
+
+module "ram-principal-association" {
+
+  count = (var.networking[0].set == "") ? 0 : 1
+
+  source = "../../modules/ram-principal-association"
+
+  providers = {
+    aws.share-acm    = aws.core-network-services
+    aws.share-host   = aws.core-vpc
+    aws.share-tenant = aws
+  }
+  principal   = data.aws_caller_identity.current.account_id
+  vpc_name    = var.networking[0].business-unit
+  subnet_set  = var.networking[0].set
+  acm_pca     = "acm-pca-${local.is_live[0]}"
+  environment = local.environment
+
+}
+
+#ram-ec2-retagging module 
+module "ram-ec2-retagging" {
+
+  count = (var.networking[0].set == "") ? 0 : 1
+
+
+  source = "../../modules/ram-ec2-retagging"
+  providers = {
+    aws.share-host   = aws.core-vpc
+    aws.share-tenant = aws
+  }
+
+  vpc_name   = "${var.networking[0].business-unit}-${local.environment}"
+  subnet_set = var.networking[0].set
+
+  depends_on = [module.ram-principal-association[0]]
+}

terraform/environments/noncore/versions.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    aws = {
+      version = "~> 5.0"
+      source  = "hashicorp/aws"
+    }
+    http = {
+      version = "~> 3.0"
+      source  = "hashicorp/http"
+    }
+  }
+  required_version = "~> 1.0"
+}