Create configuration for data replication (#3449)

- This produces a replicate DB with a single ECS task connected
- Useful for testing migrations/sql/etc on a production data without
actually modifying the production system
- The replicate system is completely ignorant of source db/service
- The replicate DB will be spawned from a snapshot which is passed as a
variable
- Some modification was done to the ecs module to ensure that task
definitions are distinct

Author: bogsi17

.github/workflows/data-replication-pipeline.yml

@@ -0,0 +1,196 @@
+name: Data replication pipeline
+run-name: ${{ inputs.action }} data replication resources for ${{ inputs.environment }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        description: Deployment environment
+        required: true
+        type: choice
+        options:
+          - training
+          - production
+          - test
+          - qa
+          - sandbox-alpha
+          - sandbox-beta
+      image_tag:
+        description: Docker image tag to deploy
+        required: false
+        type: string
+      action:
+        description: Action to perform on data replication env
+        required: true
+        type: choice
+        options:
+          - Destroy
+          - Recreate
+        default: Recreate
+      db_snapshot_arn:
+        description: ARN of the DB snapshot to use (optional)
+        required: false
+        type: string
+
+env:
+  aws_role: ${{ inputs.environment == 'production'
+    && 'arn:aws:iam::820242920762:role/GithubDeployDataReplicationInfrastructure'
+    || 'arn:aws:iam::393416225559:role/GithubDeployDataReplicationInfrastructure' }}
+
+defaults:
+  run:
+    working-directory: terraform/data_replication
+
+concurrency:
+  group: deploy-data-replica-${{ inputs.environment }}
+
+jobs:
+  prepare:
+    name: Prepare data replica
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: get latest snapshot
+        id: get-latest-snapshot
+        run: |
+          set -e
+          if [ -z "${{ inputs.db_snapshot_arn }}" ]; then
+              echo "No snapshot ARN provided, fetching the latest snapshot"
+              SNAPSHOT_ARN=$(aws rds describe-db-cluster-snapshots \
+              --query 'DBClusterSnapshots[?contains(DBClusterSnapshotIdentifier, `${{ inputs.environment}}`)].[DBClusterSnapshotArn, SnapshotCreateTime]' \
+              --output text | sort -k2 -r | head -n 1 | cut -f1)
+          else
+              echo "Using provided snapshot ARN: ${{ inputs.db_snapshot_arn }}"
+              SNAPSHOT_ARN="${{ inputs.db_snapshot_arn }}"
+          fi
+          echo "SNAPSHOT_ARN=$SNAPSHOT_ARN" >> $GITHUB_OUTPUT
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.10.5
+      - name: Get db secret arn
+        id: get-db-secret-arn
+        working-directory: terraform/app
+        run: |
+          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+          DB_SECRET_ARN=$(terraform output --raw db_secret_arn)
+          echo "DB_SECRET_ARN=$DB_SECRET_ARN" >> $GITHUB_OUTPUT
+      - name: ECR login
+        id: login-ecr
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Get docker image digest
+        id: get-docker-image-digest
+        run: |
+          set -e
+          DOCKER_IMAGE="${{ steps.login-ecr.outputs.registry }}/mavis/webapp:${{ inputs.image_tag || github.sha }}"
+          docker pull "$DOCKER_IMAGE"
+          DOCKER_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$DOCKER_IMAGE")
+          DIGEST="${DOCKER_DIGEST#*@}"
+          echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT
+    outputs:
+      SNAPSHOT_ARN: ${{ steps.get-latest-snapshot.outputs.SNAPSHOT_ARN }}
+      DB_SECRET_ARN: ${{ steps.get-db-secret-arn.outputs.DB_SECRET_ARN }}
+      DOCKER_DIGEST: ${{ steps.get-docker-image-digest.outputs.DIGEST }}
+
+  destroy:
+    name: Destroy data replication infrastructure
+    runs-on: ubuntu-latest
+    environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.10.5
+      - name: Terraform Destroy
+        id: destroy
+        run: |
+          set -e
+          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+          terraform destroy -var-file="env/${{ inputs.environment }}.tfvars" -var="image_digest=filler_value" \
+          -var="db_secret_arn=filler_value" -var="imported_snapshot=filler_value" -auto-approve
+
+  plan:
+    if: ${{ inputs.action == 'Recreate' }}
+    name: Terraform plan
+    runs-on: ubuntu-latest
+    needs:
+      - prepare
+      - destroy
+    env:
+      SNAPSHOT_ARN: ${{ needs.prepare.outputs.SNAPSHOT_ARN }}
+      DB_SECRET_ARN: ${{ needs.prepare.outputs.DB_SECRET_ARN }}
+      DOCKER_DIGEST: ${{ needs.prepare.outputs.DOCKER_DIGEST }}
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.10.5
+      - name: Terraform Plan
+        id: plan
+        run: |
+          set -e
+          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+          terraform plan -var="image_digest=${{ env.DOCKER_DIGEST }}" -var="db_secret_arn=${{ env.DB_SECRET_ARN }}" \
+          -var="imported_snapshot=${{ env.SNAPSHOT_ARN }}" -var-file="env/${{ inputs.environment }}.tfvars" \
+          -out ${{ runner.temp }}/tfplan | tee ${{ runner.temp }}/tf_stdout
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: tfplan_infrastructure-${{ inputs.environment }}
+          path: ${{ runner.temp }}/tfplan
+
+  apply:
+    name: Terraform apply
+    runs-on: ubuntu-latest
+    needs: plan
+    environment: ${{ inputs.environment }}
+    permissions:
+      id-token: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: ${{ env.aws_role }}
+          aws-region: eu-west-2
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: tfplan_infrastructure-${{ inputs.environment }}
+          path: ${{ runner.temp }}
+      - name: Install terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: 1.10.5
+      - name: Apply the changes
+        run: |
+          set -e
+          terraform init -backend-config="env/${{ inputs.environment }}-backend.hcl" -upgrade
+          terraform apply ${{ runner.temp }}/tfplan

bin/docker-start

@@ -8,7 +8,10 @@ if [ "$SERVER_TYPE" == "web" ]; then
 elif [ "$SERVER_TYPE" == "good-job" ]; then
   echo "Starting good-job server..."
   exec "$BIN_DIR"/good_job start
+elif [ "$SERVER_TYPE" == "none" ]; then
+  echo "No server started"
+  exec tail -f /dev/null  # Keep container running
 else
-  echo "SERVER_TYPE variable: '$SERVER_TYPE' unknown. Allowed values ['web','good-job']"
+  echo "SERVER_TYPE variable: '$SERVER_TYPE' unknown. Allowed values ['web','good-job', 'none']"
   exit 1
 fi

terraform/app/modules/ecs_service/autoscaling.tf

@@ -10,7 +10,7 @@ resource "aws_appautoscaling_target" "this" {
 
 resource "aws_appautoscaling_policy" "this" {
   for_each           = local.autoscaling_enabled ? var.autoscaling_policies : {}
-  name               = "${var.server_type}-${each.key}-scaling-${var.environment}"
+  name               = "${local.server_type_name}-${each.key}-scaling-${var.environment}"
   policy_type        = "TargetTrackingScaling"
   resource_id        = aws_appautoscaling_target.this[0].resource_id
   scalable_dimension = aws_appautoscaling_target.this[0].scalable_dimension

terraform/app/modules/ecs_service/main.tf

@@ -9,7 +9,7 @@ terraform {
 }
 
 resource "aws_security_group" "this" {
-  name        = "${var.server_type}-service-${var.environment}"
+  name        = "${local.server_type_name}-service-${var.environment}"
   description = "Security Group for communication with ECS Service"
   vpc_id      = var.network_params.vpc_id
   lifecycle {
@@ -27,7 +27,7 @@ resource "aws_security_group_rule" "egress_all" {
 }
 
 resource "aws_ecs_service" "this" {
-  name                              = "mavis-${var.environment}-${var.server_type}"
+  name                              = "mavis-${var.environment}-${local.server_type_name}"
   cluster                           = var.cluster_id
   task_definition                   = aws_ecs_task_definition.this.arn
   desired_count                     = var.minimum_replica_count
@@ -70,7 +70,7 @@ resource "aws_ecs_service" "this" {
 }
 
 resource "aws_ecs_task_definition" "this" {
-  family                   = "mavis-${var.server_type}-task-definition-${var.environment}"
+  family                   = "mavis-${local.server_type_name}-task-definition-${var.environment}"
   requires_compatibilities = ["FARGATE"]
   network_mode             = "awsvpc"
   cpu                      = var.task_config.cpu
@@ -95,7 +95,7 @@ resource "aws_ecs_task_definition" "this" {
         options = {
           awslogs-group         = var.task_config.log_group_name
           awslogs-region        = var.task_config.region
-          awslogs-stream-prefix = "${var.environment}-${var.server_type}-logs"
+          awslogs-stream-prefix = "${var.environment}-${local.server_type_name}-logs"
         }
       }
       healthCheck = {

terraform/app/modules/ecs_service/variables.tf

@@ -6,10 +6,17 @@ variable "environment" {
 
 variable "server_type" {
   type        = string
-  description = "Type of server to be deployed. This is set as an environment variable in the main container, and is used to determine how the application is launched"
+  description = "Type of server to be deployed. This is set as an environment variable in the main container, and is used to determine how the application is launched."
   nullable    = false
 }
 
+variable "server_type_name" {
+  type        = string
+  description = "Name of the server type to be deployed."
+  default     = null
+  nullable    = true
+}
+
 variable "minimum_replica_count" {
   type        = number
   description = "Minimum amount of allowed replicas for the service. Also the replica count when creating th service."
@@ -109,4 +116,5 @@ variable "container_name" {
 
 locals {
   autoscaling_enabled = var.maximum_replica_count > var.minimum_replica_count
+  server_type_name    = var.server_type_name != null ? var.server_type_name : var.server_type
 }

terraform/data_replication/README.md

@@ -0,0 +1,32 @@
+# Data replication module
+
+## Overview
+
+This module can be used to verify data migration tasks on a copy of actual production data before running them on production.
+
+It creates
+
+- A replication of a given database based on a provided snapshot
+- A dedicated ECS service connected to the database
+
+## Setup
+
+This module is managed via a GitHub Actions workflow. To separate it from the rest of the infrastructure, the workflow uses a dedicated IAM role. To set up everything from scratch, manually create the role
+`GithubDeployDataReplicationInfrastructure` based on the policy template `github_data_replication_actions_policy.json` and the trust policy `github_role_<ENVIRONMENT>_trust_policy.json`.
+
+## Usage
+
+### Manage the database replication infrastructure
+
+To create the infrastructure, run the `data-replication-pipeline.yml` workflow and select the 'Recreate' option.
+This will destroy any existing replication infrastructure and create a new replicated database from the latest snapshot.
+
+To destroy the resources, run the `data-replication-pipeline.yml` with the 'Destroy' option.
+
+### Connect to the dedicated ECS task
+
+To connect to the dedicated ECS task, run
+
+```
+./script/shell.sh <ENV>-data-replication
+```

terraform/data_replication/ecs.tf

@@ -0,0 +1,44 @@
+
+resource "aws_ecs_cluster" "cluster" {
+  name = local.name_prefix
+
+  setting {
+    name  = "containerInsights"
+    value = "enabled"
+  }
+}
+
+resource "aws_cloudwatch_log_group" "ecs_log_group" {
+  name              = "${local.name_prefix}-ecs"
+  retention_in_days = 14
+  skip_destroy      = false
+}
+
+
+module "db_access_service" {
+  source                = "../app/modules/ecs_service"
+  cluster_id            = aws_ecs_cluster.cluster.id
+  cluster_name          = aws_ecs_cluster.cluster.name
+  environment           = var.environment
+  maximum_replica_count = 1
+  minimum_replica_count = 1
+  network_params = {
+    subnets = local.subnet_list
+    vpc_id  = aws_vpc.vpc.id
+  }
+  server_type      = "none"
+  server_type_name = "data-replication"
+  task_config = {
+    environment          = local.task_envs
+    secrets              = local.task_secrets
+    cpu                  = 1024
+    memory               = 2048
+    docker_image         = "${var.account_id}.dkr.ecr.eu-west-2.amazonaws.com/${var.docker_image}@${var.image_digest}"
+    execution_role_arn   = aws_iam_role.ecs_task_execution_role.arn
+    task_role_arn        = aws_iam_role.ecs_task_role.arn
+    log_group_name       = aws_cloudwatch_log_group.ecs_log_group.name
+    region               = var.region
+    health_check_command = ["CMD-SHELL", "echo 'alive' || exit 1"]
+  }
+  depends_on = [aws_rds_cluster_instance.instance]
+}

terraform/data_replication/env/production-backend.hcl

@@ -0,0 +1,4 @@
+bucket         = "nhse-mavis-terraform-state-production"
+key            = "terraform-data-replication-production.tfstate"
+region         = "eu-west-2"
+dynamodb_table = "mavis-terraform-state-lock"

terraform/data_replication/env/production.tfvars

@@ -0,0 +1,4 @@
+environment               = "production"
+rails_env                 = "production"
+rails_master_key_path     = "/copilot/mavis/production/secrets/RAILS_MASTER_KEY"
+max_aurora_capacity_units = 16

terraform/data_replication/env/qa-backend.hcl

@@ -0,0 +1,4 @@
+bucket         = "nhse-mavis-terraform-state"
+key            = "terraform-data-replication-qa.tfstate"
+region         = "eu-west-2"
+dynamodb_table = "mavis-terraform-state-lock"