Merge pull request #154 from communitiesuk/AutoRedeploy

CLDC-3810: Automatically redeploy prod and staging when collection year rolls over

terraform/modules/application/scheduled_redeploy.tf

@@ -0,0 +1,100 @@
+resource "aws_scheduler_schedule" "app_collection_rollover_redeploy" {
+  #checkov:skip=CKV_AWS_297: CMK not required here and seems to cause issues
+  count = var.collection_rollover_redeploy_enabled ? 1 : 0
+
+  name = "${var.prefix}-app-collection-rollover-redeploy"
+
+  schedule_expression          = "cron(0 0 1 4 ? *)"
+  schedule_expression_timezone = "UTC"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = "arn:aws:scheduler:::aws-sdk:ecs:updateService"
+    role_arn = aws_iam_role.scheduler[0].arn
+
+    input = jsonencode({
+      Cluster            = aws_ecs_cluster.this.name,
+      Service            = aws_ecs_service.app.name,
+      ForceNewDeployment = true
+    })
+  }
+}
+
+resource "aws_scheduler_schedule" "sidekiq_collection_rollover_redeploy" {
+  #checkov:skip=CKV_AWS_297: CMK not required here and seems to cause issues
+  count = var.collection_rollover_redeploy_enabled ? 1 : 0
+
+  name = "${var.prefix}-sidekiq-collection-rollover-redeploy"
+
+  schedule_expression          = "cron(0 0 1 4 ? *)"
+  schedule_expression_timezone = "UTC"
+
+  flexible_time_window {
+    mode = "OFF"
+  }
+
+  target {
+    arn      = "arn:aws:scheduler:::aws-sdk:ecs:updateService"
+    role_arn = aws_iam_role.scheduler[0].arn
+
+    input = jsonencode({
+      Cluster            = aws_ecs_cluster.this.name,
+      Service            = aws_ecs_service.sidekiq.name,
+      ForceNewDeployment = true
+    })
+  }
+}
+
+resource "aws_iam_role" "scheduler" {
+  count = var.collection_rollover_redeploy_enabled ? 1 : 0
+
+  name               = "${var.prefix}-rds-scheduler"
+  assume_role_policy = data.aws_iam_policy_document.scheduler_assume_role[0].json
+}
+
+data "aws_iam_policy_document" "scheduler_assume_role" {
+  count = var.collection_rollover_redeploy_enabled ? 1 : 0
+
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["scheduler.amazonaws.com"]
+    }
+  }
+}
+
+data "aws_iam_policy_document" "allow_ecs_actions" {
+  count = var.collection_rollover_redeploy_enabled ? 1 : 0
+
+  statement {
+    actions = [
+      "ecs:Describe*",
+      "ecs:UpdateService"
+    ]
+    resources = [
+      aws_ecs_service.app.id,
+      aws_ecs_service.sidekiq.id
+    ]
+    effect = "Allow"
+  }
+}
+
+resource "aws_iam_policy" "allow_ecs_actions" {
+  count = var.collection_rollover_redeploy_enabled ? 1 : 0
+
+  name   = "${var.prefix}-allow-ecs-actions"
+  policy = data.aws_iam_policy_document.allow_ecs_actions[0].json
+}
+
+resource "aws_iam_role_policy_attachment" "scheduler_allow_ecs_actions" {
+  count = var.collection_rollover_redeploy_enabled ? 1 : 0
+
+  role       = aws_iam_role.scheduler[0].name
+  policy_arn = aws_iam_policy.allow_ecs_actions[0].arn
+}

terraform/modules/application/variables.tf

@@ -49,6 +49,12 @@ variable "collection_resources_bucket_details" {
   description = "Details block for collection resources bucket"
 }
 
+variable "collection_rollover_redeploy_enabled" {
+  type        = bool
+  description = "Schedules redeploy overnight on the 1st April if true"
+  default     = false
+}
+
 variable "database_name" {
   type        = string
   description = "The name of the database to connect to"

terraform/production/main.tf

@@ -108,6 +108,8 @@ module "application" {
     }
   }
 
+  collection_rollover_redeploy_enabled = true
+
   ecr_repository_url = "815624722760.dkr.ecr.eu-west-2.amazonaws.com/core"
 
   prefix                                            = local.prefix

terraform/staging/main.tf

@@ -108,6 +108,8 @@ module "application" {
     }
   }
 
+  collection_rollover_redeploy_enabled = true
+
   ecr_repository_url = "815624722760.dkr.ecr.eu-west-2.amazonaws.com/core"
 
   prefix                                            = local.prefix