Merge pull request #1646 from alphagov/add-org-sync-cron-job

Add cronjob to run org list sync

Author: alice-carr

infra/deployments/forms/forms-admin/main.tf

@@ -25,6 +25,7 @@ module "forms_admin" {
   analytics_enabled                  = var.forms_admin_settings.analytics_enabled
   act_as_user_enabled                = var.forms_admin_settings.act_as_user_enabled
   enable_mailchimp_sync              = var.forms_admin_settings.synchronize_to_mailchimp
+  enable_organisations_sync          = var.forms_admin_settings.synchronize_orgs_from_govuk
   deploy_account_id                  = var.deploy_account_id
   describe_none_of_the_above_enabled = var.forms_admin_settings.describe_none_of_the_above_enabled
   vpc_id                             = data.terraform_remote_state.forms_environment.outputs.vpc_id

infra/deployments/forms/inputs.tf

@@ -141,6 +141,7 @@ variable "forms_admin_settings" {
     act_as_user_enabled                = bool
     govuk_app_domain                   = string
     synchronize_to_mailchimp           = bool
+    synchronize_orgs_from_govuk        = bool
     describe_none_of_the_above_enabled = bool
   })
   nullable = false

infra/deployments/forms/pipelines/buildspecs/update-orgs-sync-task/update-orgs-sync-task.yml

@@ -0,0 +1,31 @@
+version: 0.2
+phases:
+  pre_build:
+    commands:
+      # Check Image URI is not the default pipeline value
+      - |
+        if [[ "${IMAGE_URI}" = "MUST_BE_SET" ]]; then
+          echo "The IMAGE_URI has not been set by the caller. The value of IMAGE_URI is \"${IMAGE_URI}\""
+          exit 1
+        fi
+
+      # Get task definition with tags
+      - echo "Existing orgs-sync task definition name is ${TASK_DEFINITION_NAME}"
+      - ECS_TASK_DEFINITION=$(aws ecs describe-task-definition --task-definition "${TASK_DEFINITION_NAME}" --include TAGS)
+
+      # Extract tags to preserve them
+      - |
+        TAGS=$(echo "${ECS_TASK_DEFINITION}" | jq -c '.tags // []')
+        echo "Preserving tags: ${TAGS}"
+
+      # Delete any reference to the old image from the task definition and add the new image uri
+      - |
+        NEW_ECS_TASK_DEFINITION=$(echo "${ECS_TASK_DEFINITION}" | jq --arg "INPUT_IMAGE_URI" "${IMAGE_URI}" '.taskDefinition | .containerDefinitions[0].image = $INPUT_IMAGE_URI | del(.taskDefinitionArn) | del(.revision) | del(.status) | del(.requiresAttributes) | del(.compatibilities) |  del(.registeredAt)  | del(.registeredBy)')
+        echo "Replaced image uri with ${IMAGE_URI}"
+
+  build:
+    commands:
+      # Register a new task definition with tags
+      - |
+        NEW_ECS_TASK_DEFINITION_ARN=$(aws ecs register-task-definition --cli-input-json "$NEW_ECS_TASK_DEFINITION" --tags "$TAGS" | jq -r '.taskDefinition.taskDefinitionArn' )
+        echo "New orgs-sync task definition ARN: ${NEW_ECS_TASK_DEFINITION_ARN}"

infra/deployments/forms/pipelines/deploy-forms-admin-container.tf

@@ -251,6 +251,35 @@ resource "aws_codepipeline" "deploy_admin_container" {
       }
     }
 
+    dynamic "action" {
+      for_each = var.forms_admin_settings.synchronize_orgs_from_govuk ? [1] : []
+      content {
+        name            = "update-orgs-sync-task-definition"
+        category        = "Build"
+        owner           = "AWS"
+        provider        = "CodeBuild"
+        version         = "1"
+        run_order       = 2
+        input_artifacts = ["buildspec_source"]
+        # AWS requires an input artifact; using buildspec_source as a relevant default.
+        configuration = {
+          ProjectName = module.update_orgs_sync_task_definition[0].name
+          EnvironmentVariables = jsonencode([
+            {
+              name  = "TASK_DEFINITION_NAME"
+              value = "${var.environment_name}_forms-admin_organisations_sync"
+              type  = "PLAINTEXT"
+            },
+            {
+              name  = "IMAGE_URI"
+              value = "#{variables.container_image_uri}"
+              type  = "PLAINTEXT"
+            }
+          ])
+        }
+      }
+    }
+
     # It isn't possible to conditionally skip or disable an action in CodePipeline
     # but we need to be able to do so because we can't run the end-to-end tests in the user-research
     # environment. We don't want to make the end-to-end tests module responsible for skipping itself
@@ -329,6 +358,19 @@ module "update_mailchimp_sync_task_definition" {
   codebuild_service_role_arn = data.aws_iam_role.deployer_role.arn
 }
 
+module "update_orgs_sync_task_definition" {
+  count = var.forms_admin_settings.synchronize_orgs_from_govuk ? 1 : 0
+
+  source                     = "../../../modules/code-build-build"
+  project_name               = "update_orgs_sync_task_definition_${var.environment_name}"
+  project_description        = "Update orgs-sync task definition with new container image"
+  environment                = var.environment_name
+  artifact_store_arn         = module.artifact_bucket.arn
+  buildspec                  = file("${path.root}/buildspecs/update-orgs-sync-task/update-orgs-sync-task.yml")
+  log_group_name             = "codebuild/update_orgs_sync_task_definition_${var.environment_name}"
+  codebuild_service_role_arn = data.aws_iam_role.deployer_role.arn
+}
+
 module "generate_forms_admin_container_image_defs" {
   source              = "../../../modules/code-build-build"
   project_name        = "generate_forms_admin_container_image_defs_${var.environment_name}"

infra/deployments/forms/tfvars/dev.tfvars

@@ -79,6 +79,7 @@ forms_admin_settings = {
   analytics_enabled                  = true
   act_as_user_enabled                = true
   govuk_app_domain                   = "integration.publishing.service.gov.uk"
+  synchronize_orgs_from_govuk        = false
   synchronize_to_mailchimp           = false
   describe_none_of_the_above_enabled = true
 }

infra/deployments/forms/tfvars/production.tfvars

@@ -136,6 +136,7 @@ forms_admin_settings = {
   act_as_user_enabled                = false
   govuk_app_domain                   = "publishing.service.gov.uk"
   synchronize_to_mailchimp           = true
+  synchronize_orgs_from_govuk        = true
   describe_none_of_the_above_enabled = false
 }
 forms_product_page_settings = {

infra/deployments/forms/tfvars/staging.tfvars

@@ -44,6 +44,7 @@ forms_admin_settings = {
   analytics_enabled                  = true
   act_as_user_enabled                = true
   govuk_app_domain                   = "staging.publishing.service.gov.uk"
+  synchronize_orgs_from_govuk        = false
   synchronize_to_mailchimp           = false
   describe_none_of_the_above_enabled = false
 }

infra/deployments/forms/tfvars/user-research.tfvars

@@ -42,6 +42,7 @@ forms_admin_settings = {
   analytics_enabled                  = false
   act_as_user_enabled                = false
   govuk_app_domain                   = ""
+  synchronize_orgs_from_govuk        = false
   synchronize_to_mailchimp           = false
   describe_none_of_the_above_enabled = false
 }

infra/modules/forms-admin/mailchimp-sync.tf

@@ -21,7 +21,7 @@ locals {
   )
 }
 
-resource "aws_ecs_task_definition" "cron_job" {
+resource "aws_ecs_task_definition" "mailchimp_cron_job" {
   count = var.enable_mailchimp_sync ? 1 : 0
 
   family                = "${var.env_name}_forms-admin_mailchimp_sync"
@@ -46,27 +46,27 @@ resource "aws_ecs_task_definition" "cron_job" {
 ##
 # EventBridge
 ##
-resource "aws_cloudwatch_event_rule" "sync_cron_job" {
+resource "aws_cloudwatch_event_rule" "sync_mailchimp_cron_job" {
   count = var.enable_mailchimp_sync ? 1 : 0
 
-  name                = "${var.env_name}-forms-admin-sync-cron"
+  name                = "${var.env_name}-forms-admin-mailchimp-sync-cron"
   description         = "Trigger the forms-admin MailChimp synchronisation on a schedule"
   schedule_expression = "cron(30 10 * * ? *)" # 10:30AM daily. In office hours so that we can respond to failures
 }
 
-resource "aws_cloudwatch_event_target" "ecs_sync_job" {
+resource "aws_cloudwatch_event_target" "ecs_mailchimp_sync_job" {
   count = var.enable_mailchimp_sync ? 1 : 0
 
   arn      = var.ecs_cluster_arn
-  rule     = aws_cloudwatch_event_rule.sync_cron_job[0].name
-  role_arn = aws_iam_role.ecs_cron_scheduler[0].arn
+  rule     = aws_cloudwatch_event_rule.sync_mailchimp_cron_job[0].name
+  role_arn = aws_iam_role.ecs_mailchimp_cron_scheduler[0].arn
 
   ecs_target {
     # Construct ARN without revision number to always use the latest revision
     # Format: arn:aws:ecs:region:account:task-definition/family
     # This ensures the EventBridge rule always uses the latest revision
     # which is updated by the forms-admin deployment pipeline
-    task_definition_arn = "arn:aws:ecs:eu-west-2:${data.aws_caller_identity.current.account_id}:task-definition/${aws_ecs_task_definition.cron_job[0].family}"
+    task_definition_arn = "arn:aws:ecs:eu-west-2:${data.aws_caller_identity.current.account_id}:task-definition/${aws_ecs_task_definition.mailchimp_cron_job[0].family}"
     launch_type         = "FARGATE"
     platform_version    = "1.4.0"
 
@@ -83,8 +83,8 @@ resource "aws_cloudwatch_event_target" "ecs_sync_job" {
 }
 
 ## Monitor for failure
-resource "aws_cloudwatch_event_rule" "sync_cron_job_failed" {
-  name        = "${var.env_name}-forms-admin-sync-failed"
+resource "aws_cloudwatch_event_rule" "sync_mailchimp_cron_job_failed" {
+  name        = "${var.env_name}-forms-admin-mailchimp-sync-failed"
   description = "Trigger when the MailChimp sync job has exited with a non-zero exit code"
 
   event_pattern = jsonencode({
@@ -106,8 +106,8 @@ resource "aws_cloudwatch_event_rule" "sync_cron_job_failed" {
   })
 }
 
-resource "aws_cloudwatch_event_target" "sync_cron_job_alert_message" {
-  rule = aws_cloudwatch_event_rule.sync_cron_job_failed.name
+resource "aws_cloudwatch_event_target" "sync_mailchimp_cron_job_alert_message" {
+  rule = aws_cloudwatch_event_rule.sync_mailchimp_cron_job_failed.name
 
   # defined in 'environment' module. Sends alarms/errors via ZenDesk
   arn = var.zendesk_sns_topic_arn
@@ -134,10 +134,10 @@ resource "aws_cloudwatch_event_target" "sync_cron_job_alert_message" {
 ##
 # IAM
 ##
-resource "aws_iam_role" "ecs_cron_scheduler" {
+resource "aws_iam_role" "ecs_mailchimp_cron_scheduler" {
   count = var.enable_mailchimp_sync ? 1 : 0
 
-  name = "${var.env_name}-forms-admin-ecs-cron-scheduler"
+  name = "${var.env_name}-forms-admin-mailchimp-ecs-cron-scheduler"
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
@@ -153,9 +153,19 @@ resource "aws_iam_role" "ecs_cron_scheduler" {
   })
 }
 
-resource "aws_iam_role_policy_attachment" "ecs_events_policy" {
+resource "aws_iam_role_policy_attachment" "ecs_mailchimp_events_policy" {
   count = var.enable_mailchimp_sync ? 1 : 0
 
   policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
-  role       = aws_iam_role.ecs_cron_scheduler[0].name
+  role       = aws_iam_role.ecs_mailchimp_cron_scheduler[0].name
+}
+
+moved {
+  from = aws_cloudwatch_event_rule.sync_cron_job_failed
+  to   = aws_cloudwatch_event_rule.sync_mailchimp_cron_job_failed
+}
+
+moved {
+  from = aws_cloudwatch_event_target.sync_cron_job_alert_message
+  to   = aws_cloudwatch_event_target.sync_mailchimp_cron_job_alert_message
 }

infra/modules/forms-admin/orgs-sync.tf

@@ -0,0 +1,159 @@
+##
+# ECS
+##
+locals {
+  # Take the exported task container definition
+  # and override some parts of it, so that it doesn't fall out of sync
+  organisations_sync_container_definitions = merge(
+    module.ecs_service.task_container_definition,
+    {
+      name    = "forms-admin_organisations_sync",
+      command = ["rake", "organisations:fetch"]
+      logConfiguration = {
+        logDriver = "awslogs",
+        options = {
+          awslogs-group         = module.ecs_service.application_log_group_name,
+          awslogs-region        = "eu-west-2",
+          awslogs-stream-prefix = "forms-admin-${var.env_name}-organisations-sync"
+        }
+      },
+    }
+  )
+}
+
+resource "aws_ecs_task_definition" "orgs_cron_job" {
+  count = var.enable_organisations_sync ? 1 : 0
+
+  family                = "${var.env_name}_forms-admin_organisations_sync"
+  container_definitions = jsonencode([local.organisations_sync_container_definitions])
+
+  execution_role_arn       = module.ecs_service.task_definition.execution_role_arn
+  task_role_arn            = module.ecs_service.task_definition.task_role_arn
+  requires_compatibilities = module.ecs_service.task_definition.requires_compatibilities
+  cpu                      = module.ecs_service.task_definition.cpu
+  memory                   = module.ecs_service.task_definition.memory
+  network_mode             = "awsvpc"
+  track_latest             = true
+
+  runtime_platform {
+    operating_system_family = "LINUX"
+    cpu_architecture        = "ARM64"
+  }
+}
+
+##
+# EventBridge
+##
+resource "aws_cloudwatch_event_rule" "sync_orgs_cron_job" {
+  count = var.enable_organisations_sync ? 1 : 0
+
+  name                = "${var.env_name}-forms-admin-orgs-sync-cron"
+  description         = "Trigger the forms-admin organisations synchronisation on a schedule"
+  schedule_expression = "cron(30 11 * * 2 *)" # 11:30AM every Tuesday. In office hours so that we can respond to failures
+}
+
+resource "aws_cloudwatch_event_target" "ecs_org_sync_job" {
+  count = var.enable_organisations_sync ? 1 : 0
+
+  arn      = var.ecs_cluster_arn
+  rule     = aws_cloudwatch_event_rule.sync_orgs_cron_job[0].name
+  role_arn = aws_iam_role.ecs_orgs_cron_scheduler[0].arn
+
+  ecs_target {
+    task_definition_arn = "arn:aws:ecs:eu-west-2:${data.aws_caller_identity.current.account_id}:task-definition/${aws_ecs_task_definition.orgs_cron_job[0].family}"
+    launch_type         = "FARGATE"
+    platform_version    = "1.4.0"
+
+    network_configuration {
+      assign_public_ip = false
+      security_groups  = module.ecs_service.service.network_configuration[0].security_groups
+      subnets          = module.ecs_service.service.network_configuration[0].subnets
+    }
+  }
+
+  dead_letter_config {
+    arn = var.eventbridge_dead_letter_queue_arn
+  }
+}
+
+## Monitor for failure
+resource "aws_cloudwatch_event_rule" "sync_orgs_cron_job_failed" {
+  count = var.enable_organisations_sync ? 1 : 0
+
+  name        = "${var.env_name}-forms-admin-org-sync-failed"
+  description = "Trigger when the organisations sync job has exited with a non-zero exit code"
+
+  event_pattern = jsonencode({
+    source      = ["aws.ecs"]
+    detail-type = ["ECS Task State Change"]
+    resources = [
+      {
+        wildcard : "arn:aws:ecs:eu-west-2:${data.aws_caller_identity.current.account_id}:task/*"
+      }
+    ]
+
+    detail = {
+      lastStatus = ["STOPPED"]
+      containers = {
+        name     = [local.organisations_sync_container_definitions.name]
+        exitCode = [{ "anything-but" : [0] }]
+      }
+    }
+  })
+}
+
+resource "aws_cloudwatch_event_target" "sync_orgs_cron_job_alert_message" {
+  count = var.enable_organisations_sync ? 1 : 0
+
+  rule = aws_cloudwatch_event_rule.sync_orgs_cron_job_failed[0].name
+
+  # defined in 'environment' module. Sends alarms/errors via ZenDesk
+  arn = var.zendesk_sns_topic_arn
+
+  input_transformer {
+    input_template = <<EOF
+    {
+      "title": "WARNING: Synchronising organisations from GOV.UK has failed.",
+      "description": "GOV.UK Forms has a scheduled ECS task to sync our organisations from GOV.UK. When this task fails an email is sent to Zendesk.",
+      "next-steps": {
+        "1": "Navigate to Splunk: https://gds.splunkcloud.com/en-GB/app/gds-543-forms/search.",
+        "2": "Search for index=gds_dsp_production_forms log_stream=forms-admin-production-organisations-sync/forms-admin_organisations_sync/*. Use the 'Today' date-time preset to find today's logs.",
+        "3": "Review logs for errors."
+      }
+    }
+    EOF
+  }
+
+  dead_letter_config {
+    arn = var.eventbridge_dead_letter_queue_arn
+  }
+}
+
+##
+# IAM
+##
+resource "aws_iam_role" "ecs_orgs_cron_scheduler" {
+  count = var.enable_organisations_sync ? 1 : 0
+
+  name = "${var.env_name}-forms-admin-orgs-ecs-cron-scheduler"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Principal = {
+          Service = "events.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_orgs_events_policy" {
+  count = var.enable_organisations_sync ? 1 : 0
+
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
+  role       = aws_iam_role.ecs_orgs_cron_scheduler[0].name
+}