Merge branch 'reporting_service_infrastructure' into spike/MAV-1406-auth-sharing-with-reporting

Alistair Davidson · Alistair Davidson · commit 3efbf98c6c0a · 2025-08-12T11:08:03.000+01:00
diff --git a/terraform/account/deployment_permissions.tf b/terraform/account/deployment_permissions.tf
@@ -55,7 +55,33 @@ resource "aws_iam_role" "deploy_ecs_service" {
   description = "Role allowing terraform deployment of ECS services from github workflows"
   assume_role_policy = templatefile("resources/iam_role_github_trust_policy_${var.environment}.json.tftpl", {
     account_id = var.account_id,
-    repository = "NHSDigital/mavis-reporting-prototype"
+    repository = "NHSDigital/manage-vaccinations-in-schools-reporting"
+  })
+}
+
+resource "aws_iam_policy" "deploy_ecs_service" {
+  name        = "DeployECSServiceResources"
+  description = "Permissions for GithubDeployECSService role"
+  policy      = file("resources/iam_policy_DeployECSServiceResources.json")
+  lifecycle {
+    ignore_changes = [description]
+  }
+}
+
+resource "aws_iam_role_policy_attachment" "deploy_ecs_service" {
+  for_each   = local.ecs_deploy_policies
+  role       = aws_iam_role.deploy_ecs_service.name
+  policy_arn = each.value
+}
+
+################# Deploy Monitoring ################
+
+resource "aws_iam_role" "deploy_ecs_service" {
+  name        = "GithubDeployECSService"
+  description = "Role allowing terraform deployment of ECS services from github workflows"
+  assume_role_policy = templatefile("resources/iam_role_github_trust_policy_${var.environment}.json.tftpl", {
+    account_id = var.account_id,
+    repository = "nhsuk/manage-vaccinations-in-schools"
   })
 }
 
diff --git a/terraform/account/resources/iam_policy_DeployMavisResources.json b/terraform/account/resources/iam_policy_DeployMavisResources.json
@@ -133,7 +133,13 @@
         "secretsmanager:CancelRotateSecret",
         "ssm:DeleteParameter",
         "ssm:DeleteParameters",
-        "ssm:PutParameter"
+        "ssm:PutParameter",
+        "lambda:InvokeFunction",
+        "lambda:DeleteFunction",
+        "lambda:CreateFunction",
+        "lambda:CreateAlias",
+        "lambda:DeleteAlias",
+        "lambda:UpdateAlias"
       ],
       "Resource": ["*"]
     }
diff --git a/terraform/app/ecs.tf b/terraform/app/ecs.tf
@@ -73,11 +73,17 @@ resource "aws_service_discovery_service" "web" {
 module "web_service" {
   source = "./modules/ecs_service"
   task_config = {
-    environment = local.task_envs
+    environment = concat(local.task_envs, [
+      {
+        name  = "MAVIS__REPORTING_API__CLIENT_APP__CLIENT_ID"
+        value = aws_secretsmanager_secret.jwt_sign.name
+      }
+      ]
+    )
     secrets = concat(
       local.task_secrets,
       [{
-        name      = "JSON_SIGNING_SECRET"
+        name      = "MAVIS__REPORTING_API__CLIENT_APP__SECRET"
         valueFrom = aws_secretsmanager_secret.jwt_sign.arn
       }]
     )
@@ -153,10 +159,14 @@ module "reporting_service" {
       {
         name  = "VALKEY_PORT"
         value = aws_elasticache_serverless_cache.reporting_service.endpoint[0].port
+      },
+      {
+        name  = "CLIENT_ID"
+        value = aws_secretsmanager_secret.jwt_sign.name
       }
     ]
     secrets = [{
-      name      = "JSON_SIGNING_SECRET"
+      name      = "CLIENT_SECRET"
       valueFrom = aws_secretsmanager_secret.jwt_sign.arn
     }]
     cpu                  = 1024
@@ -166,7 +176,7 @@ module "reporting_service" {
     task_role_arn        = aws_iam_role.ecs_task_role.arn
     log_group_name       = aws_cloudwatch_log_group.ecs_log_group.name
     region               = var.region
-    health_check_command = ["CMD-SHELL", "wget http://localhost:${local.container_ports.reporting}/healthcheck || exit 0"] #TODO: Fix healthcheck and change to exit 1
+    health_check_command = ["CMD-SHELL", "wget --no-cache --spider -S http://localhost:${local.container_ports.reporting}/reporting/healthcheck || exit 1"]
   }
   network_params = {
     subnets = [aws_subnet.private_subnet_a.id, aws_subnet.private_subnet_b.id]
diff --git a/terraform/app/loadbalancer.tf b/terraform/app/loadbalancer.tf
@@ -68,6 +68,7 @@ resource "aws_lb" "app_lb" {
   }
   security_groups            = [aws_security_group.lb_service_sg.id]
   subnets                    = [aws_subnet.public_subnet_a.id, aws_subnet.public_subnet_b.id]
+  depends_on                 = [aws_security_group_rule.lb_ingress_https] #TODO: Delete after migration
   drop_invalid_header_fields = true
 }
 
@@ -114,7 +115,7 @@ resource "aws_lb_target_group" "reporting_blue" {
   vpc_id      = aws_vpc.application_vpc.id
   target_type = "ip"
   health_check {
-    path                = "/healthcheck"
+    path                = "/reporting/healthcheck"
     protocol            = "HTTP"
     port                = "traffic-port"
     matcher             = "200"
@@ -132,7 +133,7 @@ resource "aws_lb_target_group" "reporting_green" {
   vpc_id      = aws_vpc.application_vpc.id
   target_type = "ip"
   health_check {
-    path                = "/healthcheck"
+    path                = "/reporting/healthcheck"
     protocol            = "HTTP"
     port                = "traffic-port"
     matcher             = "200"
