Merge branch 'main' into panda-cyber-defect-dojo

.devcontainer/README.md

@@ -1,36 +1,37 @@
 # Dev Container
 
+> [!NOTE]
 > This is a community supported feature
 
-To assist in the development of `modernisation-platform-environments`, the community have built a [dev container](https://containers.dev/) with the required tooling
+To assist with working on this repository, the community has configured a [dev container](https://containers.dev/) with the required tooling.
 
-## Prerequisites
+You can run this locally, or with [GitHub Codespaces](https://docs.github.com/en/codespaces/overview).
 
-- GitHub Codespaces
+## Locally
 
-or
+> [!WARNING]  
+> This has only been tested on macOS
+
+### Prerequisites
 
 - Docker
 
 - Visual Studio Code
 
   - Dev Containers Extention
 
-## Running
-
-### GitHub Codespaces
-
-Launch from GitHub
+To launch locally, ensure the prerequisites are met, and then click the button below
 
-### Locally
+[![Open in Dev Container](https://raw.githubusercontent.com/ministryofjustice/.devcontainer/refs/heads/main/contrib/badge.svg)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/ministryofjustice/modernisation-platform-environments)
 
-1. Ensure prerequisites are met
+## GitHub Codespaces
 
-1. Clone repository
+> [!IMPORTANT]  
+> GitHub Codespaces are not currently paid for by the Ministry of Justice and are subject to the quotas [here](https://docs.github.com/en/billing/managing-billing-for-your-products/managing-billing-for-github-codespaces/about-billing-for-github-codespaces#monthly-included-storage-and-core-hours-for-personal-accounts)
 
-1. Open repository in Visual Studio Code
+To launch a GitHub Codespace, click the button below
 
-1. Reopen in container
+[![Open in Codespace](https://github.com/codespaces/badge.svg)](https://codespaces.new/ministryofjustice/modernisation-platform-environments)
 
 ## Tools
 

.github/CODEOWNERS

@@ -27,7 +27,7 @@
 /terraform/environments/delius-nextcloud @ministryofjustice/hmpps-migration @ministryofjustice/hosting-migrations @ministryofjustice/modernisation-platform
 /terraform/environments/digital-prison-reporting @ministryofjustice/digital-prisons-reporting-development-data-engineer @ministryofjustice/digital-prisons-reporting-preproduction-data-engineer @ministryofjustice/digital-prisons-reporting-production-data-engineer @ministryofjustice/digital-prisons-reporting-test-data-engineer @ministryofjustice/hmpps-digital-prison-reporting @ministryofjustice/hmpps-digital-prison-reporting-non-cleared-team @ministryofjustice/modernisation-platform
 /terraform/environments/edw @ministryofjustice/laa-aws-infrastructure @ministryofjustice/laa-edw-developer @ministryofjustice/modernisation-platform
-/terraform/environments/electronic-monitoring-data @ministryofjustice/hmpps-electronic-monitoring-data-store @ministryofjustice/hmpps-electronic-monitoring-data-store-appsec-202410 @ministryofjustice/modernisation-platform
+/terraform/environments/electronic-monitoring-data @ministryofjustice/hmpps-electronic-monitoring-data-store @ministryofjustice/modernisation-platform
 /terraform/environments/equip @ministryofjustice/modernisation-platform-engineers @ministryofjustice/modernisation-platform
 /terraform/environments/eric @ministryofjustice/laa-aws-infrastructure @ministryofjustice/modernisation-platform
 /terraform/environments/example @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
@@ -64,7 +64,6 @@
 /terraform/environments/tribunals @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform
 /terraform/environments/wardship @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform
 /terraform/environments/xhibit-portal @ministryofjustice/cjse-xhibit-portal-discovery @ministryofjustice/xhibit-portal-dev @ministryofjustice/modernisation-platform
-**/providers.tf @ministryofjustice/modernisation-platform
 **/backend.tf @ministryofjustice/modernisation-platform
 **/subnet_share.tf @ministryofjustice/modernisation-platform
 **/networking.auto.tfvars.json @ministryofjustice/modernisation-platform

.github/workflows/awsnuke.yml

@@ -131,7 +131,7 @@ jobs:
             --force \
             --no-dry-run
       - name: Slack failure notification
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
         with:
           payload: |
             {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
@@ -215,7 +215,7 @@ jobs:
             --force \
             --no-dry-run
       - name: Slack failure notification
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
         with:
           payload: |
             {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}

.github/workflows/code-scanning.yml

@@ -38,7 +38,7 @@ jobs:
         run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: tflint.sarif
   trivy:
@@ -53,7 +53,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
         with:
           scan-type: 'fs'
           scanners: misconfig,vuln,secret
@@ -63,7 +63,7 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: 'trivy-results.sarif'
   checkov:
@@ -81,7 +81,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@37026823bd2a0a70f8aedd88f8a3e9cb342418af # v12.2893.0
+        uses: bridgecrewio/checkov-action@05decb42b761b4c4ce4927c084165bb4705bbcef # v12.2918.0
         with:
           directory: ./
           framework: terraform
@@ -90,6 +90,6 @@ jobs:
           skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: ./checkov.sarif

.github/workflows/format-code.yml

@@ -40,7 +40,7 @@ jobs:
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/flavors/
-        uses: oxsecurity/megalinter/flavors/terraform@b38cdf1f0cbe056fad4112cb7cd99c2b574c9617 #v8.1.0
+        uses: oxsecurity/megalinter/flavors/terraform@1fc052d03c7a43c78fe0fee19c9d648b749e0c01 #v8.3.0
         env:
           # All available variables are described in documentation
           # https://megalinter.io/configuration/#shared-variables

.github/workflows/generate-dependabot-file.yml

@@ -34,7 +34,7 @@ jobs:
         env:
           SECRET: ${{ secrets.GITHUB_TOKEN }}
       - name: Slack failure notification
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.26.0
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v1.26.0
         with:
           payload: |
             {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}

.github/workflows/nuke-redeploy.yml

@@ -91,7 +91,7 @@ jobs:
           bash scripts/terraform-apply.sh terraform/environments/${ACCOUNT_NAME%-development}
 
       - name: Slack failure notification
-        uses: slackapi/slack-github-action@37ebaef184d7626c5f204ab8d3baff4262dd30f0 # v1.27.0
+        uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d # v2.0.0
         with:
           payload: |
             {"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}

.github/workflows/scorecards.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
         with:
           sarif_file: results.sarif

terraform/environments/analytical-platform-compute/data.tf

@@ -76,3 +76,9 @@ data "http" "prometheus_operator_crds" {
 
   url = each.value
 }
+
+data "aws_secretsmanager_secret_version" "actions_runners_token_apc_self_hosted_runners_github_app" {
+  count = terraform.workspace == "analytical-platform-compute-production" ? 1 : 0
+
+  secret_id = module.actions_runners_token_apc_self_hosted_runners_github_app[0].secret_id
+}

terraform/environments/analytical-platform-compute/eks-cluster.tf

@@ -6,7 +6,7 @@ module "eks" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws"
-  version = "20.26.0"
+  version = "20.29.0"
 
   cluster_name    = local.eks_cluster_name
   cluster_version = local.environment_configuration.eks_cluster_version
@@ -172,7 +172,7 @@ module "karpenter" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks/aws//modules/karpenter"
-  version = "20.26.0"
+  version = "20.29.0"
 
   cluster_name = module.eks.cluster_name
 

terraform/environments/analytical-platform-compute/eks-pod-identities.tf

@@ -7,7 +7,7 @@ module "aws_cloudwatch_metrics_pod_identity" {
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
 
   source  = "terraform-aws-modules/eks-pod-identity/aws"
-  version = "1.5.0"
+  version = "1.7.0"
 
   name = "aws-cloudwatch-metrics"
 

terraform/environments/analytical-platform-compute/environment-configuration.tf

@@ -1,6 +1,4 @@
 locals {
-  ap_data_prod_account_id = local.environment_management.account_ids["analytical-platform-data-production"]
-
   environment_configurations = {
     development = {
       /* VPC */
@@ -15,31 +13,27 @@ locals {
       vpc_single_nat_gateway     = false
 
       /* Transit Gateway */
-      transit_gateway_routes = [
-        "10.26.0.0/15", # modernisation-platform
-        "10.40.0.0/18", # noms-live-vnet
-        "10.205.0.0/20" # laa-lz-prod
-      ]
+      transit_gateway_routes = ["10.0.0.0/8"]
 
       /* Route53 */
       route53_zone = "compute.development.analytical-platform.service.justice.gov.uk"
 
       /* EKS */
       eks_sso_access_role = "modernisation-platform-sandbox"
       eks_cluster_version = "1.31"
-      eks_node_version    = "1.25.0-388e1050"
+      eks_node_version    = "1.26.2-360b7a38"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.3-eksbuild.1"
-        kube_proxy             = "v1.31.0-eksbuild.5"
-        aws_ebs_csi_driver     = "v1.35.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.7-eksbuild.1"
+        coredns                = "v1.11.3-eksbuild.2"
+        kube_proxy             = "v1.31.2-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.36.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.9-eksbuild.1"
         aws_guardduty_agent    = "v1.7.1-eksbuild.2"
         eks_pod_identity_agent = "v1.3.2-eksbuild.2"
-        vpc_cni                = "v1.18.5-eksbuild.1"
+        vpc_cni                = "v1.19.0-eksbuild.1"
       }
 
       /* Data Engineering Airflow */
-      data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.ap_data_prod_account_id}:role/airflow-dev-execution-role"
+      data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/airflow-dev-execution-role"
 
       /* MLFlow */
       mlflow_s3_bucket_name = "alpha-analytical-platform-mlflow-development"
@@ -66,34 +60,30 @@ locals {
       vpc_single_nat_gateway     = false
 
       /* Transit Gateway */
-      transit_gateway_routes = [
-        "10.26.0.0/15", # modernisation-platform
-        "10.40.0.0/18", # noms-live-vnet
-        "10.205.0.0/20" # laa-lz-prod
-      ]
+      transit_gateway_routes = ["10.0.0.0/8"]
 
       /* Route53 */
       route53_zone = "compute.test.analytical-platform.service.justice.gov.uk"
 
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.31"
-      eks_node_version    = "1.25.0-388e1050"
+      eks_node_version    = "1.26.2-360b7a38"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.3-eksbuild.1"
-        kube_proxy             = "v1.31.0-eksbuild.5"
-        aws_ebs_csi_driver     = "v1.35.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.7-eksbuild.1"
+        coredns                = "v1.11.3-eksbuild.2"
+        kube_proxy             = "v1.31.2-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.36.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.9-eksbuild.1"
         aws_guardduty_agent    = "v1.7.1-eksbuild.2"
         eks_pod_identity_agent = "v1.3.2-eksbuild.2"
-        vpc_cni                = "v1.18.5-eksbuild.1"
+        vpc_cni                = "v1.19.0-eksbuild.1"
       }
 
       /* Observability Platform */
       observability_platform = "development"
 
       /* Data Engineering Airflow */
-      data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.ap_data_prod_account_id}:role/airflow-dev-execution-role"
+      data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/airflow-dev-execution-role"
 
       /* MLFlow */
       mlflow_s3_bucket_name = "alpha-analytical-platform-mlflow-test"
@@ -117,30 +107,27 @@ locals {
       vpc_single_nat_gateway     = false
 
       /* Transit Gateway */
-      transit_gateway_routes = [
-        "10.26.0.0/15", # modernisation-platform
-        "10.40.0.0/18"  # noms-live-vnet
-      ]
+      transit_gateway_routes = ["10.0.0.0/8"]
 
       /* Route53 */
       route53_zone = "compute.analytical-platform.service.justice.gov.uk"
 
       /* EKS */
       eks_sso_access_role = "modernisation-platform-developer"
       eks_cluster_version = "1.31"
-      eks_node_version    = "1.25.0-388e1050"
+      eks_node_version    = "1.26.2-360b7a38"
       eks_cluster_addon_versions = {
-        coredns                = "v1.11.3-eksbuild.1"
-        kube_proxy             = "v1.31.0-eksbuild.5"
-        aws_ebs_csi_driver     = "v1.35.0-eksbuild.1"
-        aws_efs_csi_driver     = "v2.0.7-eksbuild.1"
+        coredns                = "v1.11.3-eksbuild.2"
+        kube_proxy             = "v1.31.2-eksbuild.2"
+        aws_ebs_csi_driver     = "v1.36.0-eksbuild.1"
+        aws_efs_csi_driver     = "v2.0.9-eksbuild.1"
         aws_guardduty_agent    = "v1.7.1-eksbuild.2"
         eks_pod_identity_agent = "v1.3.2-eksbuild.2"
-        vpc_cni                = "v1.18.5-eksbuild.1"
+        vpc_cni                = "v1.19.0-eksbuild.1"
       }
 
       /* Data Engineering Airflow */
-      data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.ap_data_prod_account_id}:role/airflow-prod-execution-role"
+      data_engineering_airflow_execution_role_arn = "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-data-production"]}:role/airflow-prod-execution-role"
 
       /* MLFlow */
       mlflow_s3_bucket_name = "alpha-analytical-platform-mlflow"