Merge branch 'main' into migration_yjaf_initial

.github/CODEOWNERS

@@ -14,7 +14,7 @@
 /terraform/environments/cica-data-extraction @ministryofjustice/cica-extract-tool-admins @ministryofjustice/modernisation-platform
 /terraform/environments/cica-tariff @ministryofjustice/cica-mp-tariff @ministryofjustice/modernisation-platform
 /terraform/environments/contract-work-administration @ministryofjustice/laa-aws-infrastructure @ministryofjustice/laa-cwa-developer @ministryofjustice/modernisation-platform
-/terraform/environments/cooker @ministryofjustice/MoJRedTeam @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
+/terraform/environments/cooker @ministryofjustice/modernisation-platform @ministryofjustice/tvm-purple-team @ministryofjustice/modernisation-platform
 /terraform/environments/corporate-information-system @ministryofjustice/laa-aws-infrastructure @ministryofjustice/laa-cis-dbas @ministryofjustice/laa-cis-team @ministryofjustice/modernisation-platform
 /terraform/environments/corporate-staff-rostering @ministryofjustice/csr-application-support @ministryofjustice/hosting-migrations @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/dacp @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform

.github/workflows/code-scanning.yml

@@ -81,7 +81,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@4ad414b100f8415d05d88b6be40d7aa7aa38c057 # v12.2941.0
+        uses: bridgecrewio/checkov-action@d8d05796d44fbdd67576bd6ce831ac7b3bd072bd # v12.2942.0
         with:
           directory: ./
           framework: terraform

.github/workflows/generate-dependabot-file.yml

@@ -16,12 +16,11 @@ defaults:
     shell: bash
 
 permissions:
-  contents: read
+  contents: write
+  pull-requests: write
 
 jobs:
-  create-and-commit-dependabot-file:
-    permissions:
-      pull-requests: write
+  create-and-commit-dependabot-file:    
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4

scripts/generate-dependabot-file.sh

@@ -4,6 +4,9 @@ set -euo pipefail
 
 dependabot_file=.github/dependabot.yml
 
+# Clear the dependabot file
+> $dependabot_file
+
 # Get a list of Terraform folders
 all_tf_folders=`find . -type f -name '*.tf' | sed 's#/[^/]*$##' | sed 's/.\///'| sort | uniq`
 echo
@@ -14,7 +17,7 @@ echo "Writing dependabot.yml file"
 # Creates a dependabot file to avoid having to manually add each new TF folder
 # Add any additional fixed entries in this top section
   cat > $dependabot_file << EOL
-# This file is auto-generated here, do not manually amend. 
+# This file is auto-generated here, do not manually amend.
 # scripts/generate-dependabot.sh
 
 version: 2
@@ -24,22 +27,13 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-  - package-ecosystem: "devcontainers"
-    directory: "/"
-    schedule:
-      interval: "daily"
-    reviewers:
-      - "ministryofjustice/devcontainer-community"
-  # Dependabot doesn't currently support wildcard or multiple directory declarations within
-  # a dependabot configuration, so we need to add all directories individually
-  # See: github.com/dependabot/dependabot-core/issues/2178
 EOL
 
-for folder in $all_tf_folders
-do
-echo "Generating entry for ${folder}"
+echo "Generating entry for Terraform ecosystem"
 echo "  - package-ecosystem: \"terraform\"" >> $dependabot_file
-echo "    directory: \"/${folder}\"" >> $dependabot_file
-echo "    schedule:" >> $dependabot_file
-echo "      interval: \"daily\"" >> $dependabot_file
+echo "    directories:" >> $dependabot_file
+for folder in $all_tf_folders; do
+  echo "      - \"/$folder\"" >> $dependabot_file
 done
+echo "    schedule:" >> $dependabot_file
+echo "      interval: \"daily\"" >> $dependabot_file

terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf

@@ -3,7 +3,7 @@ module "eks_log_group" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
-  version = "5.6.1"
+  version = "5.7.0"
 
   name              = local.eks_cloudwatch_log_group_name
   kms_key_id        = module.eks_cluster_logs_kms.key_arn
@@ -17,7 +17,7 @@ module "managed_prometheus_log_group" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
-  version = "5.6.1"
+  version = "5.7.0"
 
   name              = local.amp_cloudwatch_log_group_name
   kms_key_id        = module.managed_prometheus_logs_kms.key_arn

terraform/environments/analytical-platform-compute/eks-cluster.tf

@@ -6,7 +6,7 @@ module "eks" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.29.0"
+  version = "20.31.6"
 
   cluster_name    = local.eks_cluster_name
   cluster_version = local.environment_configuration.eks_cluster_version
@@ -172,7 +172,7 @@ module "karpenter" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws//modules/karpenter"
-  version = "20.29.0"
+  version = "20.31.6"
 
   cluster_name = module.eks.cluster_name
 

terraform/environments/analytical-platform-compute/eks-pod-identities.tf

@@ -7,7 +7,7 @@ module "aws_cloudwatch_metrics_pod_identity" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks-pod-identity/aws"
-  version = "1.7.0"
+  version = "1.9.0"
 
   name = "aws-cloudwatch-metrics"
 

terraform/environments/analytical-platform-compute/environment-configuration.tf

@@ -21,15 +21,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-sandbox"
       eks_cluster_version = "1.31"
-      eks_node_version    = "1.26.2-360b7a38"
+      eks_node_version    = "1.29.0-c55d099c"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.3-eksbuild.2"
-        kube_proxy             = "v1.31.2-eksbuild.2"
-        aws_ebs_csi_driver     = "v1.36.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.9-eksbuild.1"
-        aws_guardduty_agent    = "v1.7.1-eksbuild.2"
-        eks_pod_identity_agent = "v1.3.2-eksbuild.2"
-        vpc_cni                = "v1.19.0-eksbuild.1"
+        coredns                = "v1.11.4-eksbuild.2"
+        kube_proxy             = "v1.31.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.38.1-eksbuild.1"
+        aws_efs_csi_driver     = "v2.1.3-eksbuild.1"
+        aws_guardduty_agent    = "v1.8.1-eksbuild.2"
+        eks_pod_identity_agent = "v1.3.4-eksbuild.1"
+        vpc_cni                = "v1.19.2-eksbuild.1"
       }
 
       /* Data Engineering Airflow */
@@ -66,15 +66,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.31"
-      eks_node_version    = "1.26.2-360b7a38"
+      eks_node_version    = "1.29.0-c55d099c"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.3-eksbuild.2"
-        kube_proxy             = "v1.31.2-eksbuild.2"
-        aws_ebs_csi_driver     = "v1.36.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.9-eksbuild.1"
-        aws_guardduty_agent    = "v1.7.1-eksbuild.2"
-        eks_pod_identity_agent = "v1.3.2-eksbuild.2"
-        vpc_cni                = "v1.19.0-eksbuild.1"
+        coredns                = "v1.11.4-eksbuild.2"
+        kube_proxy             = "v1.31.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.38.1-eksbuild.1"
+        aws_efs_csi_driver     = "v2.1.3-eksbuild.1"
+        aws_guardduty_agent    = "v1.8.1-eksbuild.2"
+        eks_pod_identity_agent = "v1.3.4-eksbuild.1"
+        vpc_cni                = "v1.19.2-eksbuild.1"
       }
 
       /* Data Engineering Airflow */
@@ -110,15 +110,15 @@ locals {
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.31"
-      eks_node_version    = "1.26.2-360b7a38"
+      eks_node_version    = "1.29.0-c55d099c"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.3-eksbuild.2"
-        kube_proxy             = "v1.31.2-eksbuild.2"
-        aws_ebs_csi_driver     = "v1.36.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.9-eksbuild.1"
-        aws_guardduty_agent    = "v1.7.1-eksbuild.2"
-        eks_pod_identity_agent = "v1.3.2-eksbuild.2"
-        vpc_cni                = "v1.19.0-eksbuild.1"
+        coredns                = "v1.11.4-eksbuild.2"
+        kube_proxy             = "v1.31.3-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.38.1-eksbuild.1"
+        aws_efs_csi_driver     = "v2.1.3-eksbuild.1"
+        aws_guardduty_agent    = "v1.8.1-eksbuild.2"
+        eks_pod_identity_agent = "v1.3.4-eksbuild.1"
+        vpc_cni                = "v1.19.2-eksbuild.1"
       }
 
       /* Data Engineering Airflow */

terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf

@@ -6,7 +6,7 @@ resource "helm_release" "actions_runner_mojas_airflow" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-airflow"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.320.0-4"
+  version    = "2.321.0"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -32,7 +32,7 @@ resource "helm_release" "actions_runner_mojas_airflow_create_a_pipeline" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-airflow-create-a-pipeline"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.320.0-4"
+  version    = "2.321.0"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -57,7 +57,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.320.0-4"
+  version    = "2.321.0"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -81,7 +81,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_non_spot" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table-non-spot"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.320.0-4"
+  version    = "2.321.0"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -109,7 +109,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table-dpr"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.320.0-4"
+  version    = "2.321.0"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -133,7 +133,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr_pp" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table-dpr-pp"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.320.0-4"
+  version    = "2.321.0"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -157,7 +157,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds_test"
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table-emds-test"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.320.0-4"
+  version    = "2.321.0"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [
@@ -181,7 +181,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_emds" {
   /* https://github.com/ministryofjustice/analytical-platform-actions-runner */
   name       = "actions-runner-mojas-create-a-derived-table-emds"
   repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts"
-  version    = "2.320.0-4"
+  version    = "2.321.0"
   chart      = "actions-runner"
   namespace  = kubernetes_namespace.actions_runners[0].metadata[0].name
   values = [

terraform/environments/analytical-platform-compute/helm-charts-system.tf

@@ -4,7 +4,7 @@ resource "helm_release" "kyverno" {
   name       = "kyverno"
   repository = "https://kyverno.github.io/kyverno"
   chart      = "kyverno"
-  version    = "3.3.3"
+  version    = "3.3.4"
   namespace  = kubernetes_namespace.kyverno.metadata[0].name
   values = [
     templatefile(
@@ -71,7 +71,7 @@ resource "helm_release" "amazon_prometheus_proxy" {
   name       = "amazon-prometheus-proxy"
   repository = "https://prometheus-community.github.io/helm-charts"
   chart      = "kube-prometheus-stack"
-  version    = "66.2.1"
+  version    = "67.8.0"
   namespace  = kubernetes_namespace.aws_observability.metadata[0].name
   values = [
     templatefile(
@@ -96,7 +96,7 @@ resource "helm_release" "cluster_autoscaler" {
   name       = "cluster-autoscaler"
   repository = "https://kubernetes.github.io/autoscaler"
   chart      = "cluster-autoscaler"
-  version    = "9.43.2"
+  version    = "9.45.0"
   namespace  = kubernetes_namespace.cluster_autoscaler.metadata[0].name
 
   values = [
@@ -119,7 +119,7 @@ resource "helm_release" "karpenter_crd" {
   name       = "karpenter-crd"
   repository = "oci://public.ecr.aws/karpenter"
   chart      = "karpenter-crd"
-  version    = "1.0.8"
+  version    = "1.1.1"
   namespace  = kubernetes_namespace.karpenter.metadata[0].name
 
   values = [
@@ -141,7 +141,7 @@ resource "helm_release" "karpenter" {
   name       = "karpenter"
   repository = "oci://public.ecr.aws/karpenter"
   chart      = "karpenter"
-  version    = "1.0.8"
+  version    = "1.1.1"
   namespace  = kubernetes_namespace.karpenter.metadata[0].name
 
   values = [
@@ -209,7 +209,7 @@ resource "helm_release" "cert_manager" {
   name       = "cert-manager"
   repository = "https://charts.jetstack.io"
   chart      = "cert-manager"
-  version    = "v1.16.1"
+  version    = "v1.16.2"
   namespace  = kubernetes_namespace.cert_manager.metadata[0].name
   values = [
     templatefile(
@@ -262,7 +262,7 @@ resource "helm_release" "ingress_nginx" {
   name       = "ingress-nginx"
   repository = "https://kubernetes.github.io/ingress-nginx"
   chart      = "ingress-nginx"
-  version    = "4.11.3"
+  version    = "4.12.0"
   namespace  = kubernetes_namespace.ingress_nginx.metadata[0].name
   values = [
     templatefile(
@@ -283,7 +283,7 @@ resource "helm_release" "external_secrets" {
   name       = "external-secrets"
   repository = "https://charts.external-secrets.io"
   chart      = "external-secrets"
-  version    = "0.10.5"
+  version    = "0.12.1"
   namespace  = kubernetes_namespace.external_secrets.metadata[0].name
   values = [
     templatefile(
@@ -310,7 +310,7 @@ resource "helm_release" "keda" {
   name       = "keda"
   repository = "https://kedacore.github.io/charts"
   chart      = "keda"
-  version    = "2.16.0"
+  version    = "2.16.1"
   namespace  = kubernetes_namespace.keda.metadata[0].name
   values = [
     templatefile(