Currently, the routes to 172.16.181.0/24 and 172.16.181.0/24 have been manually configured and must be provisioned as code.

These routes are for production only and should be configured here

Hi there
The default branch protection setting called administrators require review is not enabled for this repository
See repository settings/Branches/Branch protection rules
Either add a new Branch protection rule or edit the existing branch protection rule and select the Require a pull request before merging option
See the repository standards: https://github.com/ministryofjustice/github-repository-standards
See the report: https://operations-engineering-reports.cloud-platform.service.justice.gov.uk/github_repositories
Please contact Operations Engineering on Slack #ask-operations-engineering, if you need any assistance

User Story
As a Cloud Ops Engineer
I want to see metrics from all environments
So that I can successfully and easily manage DHCP.

Value / Purpose
All data is available on Grafana in one place making it easy to monitor our enviroments.

Definition of Done (DoD)
metric 'DHCP ECS Task count' is available for dev / pre-prod in Grafana.

Prod:

Pre-Prod / Dev:

timebox 1hr

User Story

As an Infrastructure Engineer for Devices and Apps
I want a view of live data from Intune in Grafana
So that I can create a consolidated view of application deployments

Value / Purpose

Intune shows individual deployments with no way to get a overall view of deployments

Useful Contacts

Matt W, Rich B

Additional Information

Microsoft Graph API docs

Definition of Done (DoD)

Prometheus or exporter is available to scrape MS GraphAPI JSON

• Test data has been scraped into Prometheus.
• Any further issues created
• Documentation has been written / updated

Reference

How to write good user stories

User Story

As a… developer in CloudOps team
I want to… test my code in development environment in Production EKS cluster
So that… I can my code in isolation without having to create a whole new EKS cluster

Value / Purpose

This is reduce the cost of running additional EKS clusters for non-production environments.

Useful Contacts

Touhidul Islam, Rich Baguley

Additional Information

No response

Definition of Done

• Production EKS cluster has all environments in separate namespaces
• Documentation has been written / updated
• README has been updated
• User docs have been updated
• Another team member has reviewed
• Tests are green

Hi there

We now have a process to manage github collaborators in code:
https://github.com/ministryofjustice/github-collaborators/blob/main/README.md#github-external-collaborators

Please follow the procedure described there to grant @andycohen access to this repository.

If you have any questions, please post in #ask-operations-engineering on Slack.

Describe the problem

As part of the Terraform upgrade, the AWS provider needed to be upgraded also. Upgrading the AWS provider meant making a lot of changes to the S3 bucket resources as per the new syntax.

The KMS key used to be part of the s3 bucket module but is now split out into an individual resource. This has caused buckets that were previously encrypted to enter a state of flux whereby the bucket shows as unencrypted but the objects within it remain encrypted with the old KMS key (now deleted).

S3 buckets will not successfully encrypt with the new KMS key.

User Story

As a network engineer
I want to view my device or instance by DNS hostname
So that I don't have to cross-reference IP addresses to hostnames

Value

Consistency of instance naming across the platform

Questions / Assumptions

Internal Zone within our DNS platform for e.g. network.service
we can join metrics if the instance changes from IP to hostname

Definition of done

• Add internal zone
• IMAP to use MoJO DNS
• Network devices to use MoJO DNS
• Prometheus to use dns_sd_config

Reference

How to write good user stories

Several security groups have unrestricted access:

• mojo-production-ima-alb-grafana-sg tcp 443-3000 0.0.0.0/0

• mojo-production-ima-db-in tcp 5432 0.0.0.0/0

• mojo-production-ima-route53-resolver -1 0.0.0.0/0

• test-bastion tcp 22 0.0.0.0/0

• Update Trusted Advisor

Restrict these security groups.

User Story

As a member of the CloudOps team
I want to understand and document s3 use throughout IMA, and ensure all resources are necessary
So that I am better prepared for any s3 related issues in future

Value / Purpose

A better understanding of S3's role within the IMA platform.

Additional Information

Please see #181

Definition of Done (DoD)

S3 section added to the documentation, any s3 buckets not being used by another resource should be deleted.

• README has been updated
• pttp-prometheus-thanos-storage buckets are removed from each environment

Describe the bug
There appears to be no data held longer than 24 hours for custom metrics in grafana.
To Reproduce
Steps to reproduce the behavior:

1. Go to service dashboard identify a custom metric graph.
2. Click on 'Time period > 24 Hours'
3. Scroll down to '....'
4. See No Data is visble

Expected behavior
No data is seen in custom metric graphs when the time period is > 24 hours.

Screenshots

Desktop (please complete the following information):

• OS: [e.g. iOS] Win10 Dev Build
• Browser [e.g. chrome, safari] Chrome
• Version [e.g. 22]

Smartphone (please complete the following information):

• Device: [e.g. iPhone6]
• OS: [e.g. iOS8.1]
• Browser [e.g. stock browser, safari]
• Version [e.g. 22]

Additional context
Add any other context about the problem here.

User Story

As an… Engineer
I need/want/expect to… be running the latest versions of software
So that… we don't fall out of date, stay up to date security-wise, get new features etc etc

Value / Purpose

No response

Useful Contacts

No response

Additional Information

• Kubernetes Versions
• Updating a Cluster
• Pre-Requisites

Definition of Done

• Read upgrade docs
• Document the steps taken in this ticket - a runbook for future upgrades
• Update the terraform and any dependencies
• Test in Dev / Pre-Prod
• Allow into Live

User Story

Network Operations are now monitoring physical devices.

We can remove this functionality from IMAP

Value / Purpose

Reduce IMAP complexity
Remove unneeded AWS resources
🔥 Code!

Useful Contacts

Rich B, Touhid, Ronak

Additional Information

Archive
https://github.com/ministryofjustice/staff-infrastructure-monitoring-snmpexporter
Remove

https://github.com/ministryofjustice/staff-infrastructure-monitoring-deployments/blob/main/kubernetes/infrastructure-monitoring/templates/prometheus-jobs/_snmp-exporter-production.tpl

https://github.com/ministryofjustice/staff-infrastructure-monitoring-deployments/blob/454f8316247b34aeb90164a6928bf7bd517b9eb9/kubernetes/infrastructure-monitoring/templates/prometheus-configmap.yaml#L156

Definition of Done

• AlertManager config removed and channels archived
• ECS or EKS resources 🔥
• README has been updated
• Repo's archived
• Tests are green

Affected Environments:

• mojo-development-ima-cluster
• mojo-pre-production-ima-cluster
• mojo-production-ima-cluster

VPC CNI versions starting with v1.8.0 have the required fix to address this issue. Please upgrade to VPC CNI v1.8.0 or above if you are currently on the affected CNI versions on EKS v1.21 clusters. Our recommendation is to upgrade one minor version at a time.

For example, if your current minor version is 1.8 and you want to update to 1.10, you should update to the latest patch version of 1.9 first, then update to the latest patch version of 1.10. Please refer to EKS documentation for instructions on upgrading the VPC CNI plugin [2].

NOTE:

We are currently configured to use the self managed add-on.

Procedure for migrating from the self managed add on to the eks add-on - https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#adding-vpc-cni-eks-add-on

Procedure to update the self managed add-on - https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-add-on

Procedure to update the eks add-on - https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-eks-add-on

If you have any questions or concerns, please contact AWS Support [3].

[1] https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume
[2] https://docs.aws.amazon.com/eks/latest/userguide/managing-vpc-cni.html#updating-vpc-cni-eks-add-on
[3] https://aws.amazon.com/support

User Story

As a member of the CloudOps team
I want to make sure unnecessary ec2 instances aren't live in AWS.
So that we don't waste money and increase our security posture

Value / Purpose

Ensure bastion ec2 isn't spun up when it shouldn't be

Useful Contacts

Additional Information

Definition of Done (DoD)

Any test bastion ec2 instances are feature flagged and not created unnecessarily

User Story

As a member of the CloudOps team
I want Prometheus and exporters to be running in the EKS cluster only
So that we aren't wasting money on unused resources in AWS Fargate

Value / Purpose

Prometheus and exporters have been running successfully in EKS for some time. It's now time to locate the resources in ECS Fargate and make sure they are removed as they're no longer used and are wasting money.

Useful Contacts

No response

Additional Information

No response

Definition of Done

Example - [ ] Documentation has been written / updated

• README has been updated
• User docs have been updated
• Another team member has reviewed
• Tests are green

User Story

As a… developer in the CloudOps team
I want to… update the terraform so that it does not create EKS clusters for dev and pre-prod envs
So that… Only the prod env has a EKS cluster running

Value / Purpose

This will reduce the running costs of EKS clusters

Useful Contacts

Touhidul Islam, Rich Baguley

Additional Information

No response

Definition of Done

• Terraform no longer creates EKS clusters in development and in pre-production by default
• Documentation has been written / updated
• README has been updated
• User docs have been updated
• Another team member has reviewed
• Tests are green

Aim for the latest version.
Information here: https://www.terraform.io/language/upgrade-guides/1-1

User Story:As a Cloud Ops engineerI want to ensure secrets are stored securely in the parameter storeSo that they are not visible in our repositories

Value / Purpose ensure secrets are securely stored and not openly available in code to improve security.

Useful ContactsAaron Robinson and CloudOps team

Additional Informationhttps://github.com/ministryofjustice/staff-infrastructure-monitoring/security/secret-scanning/1

Definition of Done (DoD)slack_webhook_urls are referenced from the parameter store rather than being stored in code.

The EKS cluster is configured to allow nodes to obtain IP addresses from both public and private subnets. See code snippet below:

module "monitoring_alerting_cluster" {
  source                          = "terraform-aws-modules/eks/aws"
  version                         = "14.0.0"
  create_eks                      = var.is_eks_enabled
  cluster_name                    = "${var.prefix}-cluster"
  cluster_version                 = "1.19"
  manage_aws_auth                 = false
  cluster_endpoint_private_access = true
  cluster_enabled_log_types       = ["api", "authenticator", "controllerManager"]
  tags                            = var.tags

  subnets = concat(aws_subnet.private.*.id, aws_subnet.public.*.id)
  vpc_id  = aws_vpc.main.id

  worker_groups = [
    {
      name                 = "prometheus-worker-group"
      instance_type        = "t3.medium"
      asg_desired_capacity = 3
      root_volume_type     = "gp2"
    },
  ]
}

This presents a security concern as nodes should not be exposed to the internet unnecessarily.

Hi there

The user @richrace has its access for this repository maintained in code here:
https://github.com/ministryofjustice/github-collaborators/blob/main/README.md#github-external-collaborators

The review_after date is due to expire within one month, please update this via a PR if they still require access.

If you have any questions, please post in #ask-operations-engineering on Slack.

The README does not currently contain this variable and should be updated accordingly.

User Story

As a… Cloud Ops Engineer
I expect Renovate to create an Issue when we are not running the latest version of EKS in our clusters
So that… we don't fall behind, out of date etc.

Value / Purpose

• Team won't fall behind / have a better view of the work we need to do
• Software will be more up to date / secure etc etc

Useful Contacts

No response

Additional Information

If this is done prior to this 1.21 -> 1.22, this can easily be tested.

Definition of Done

• Renovate creates an issue when we are not running the latest K8s version of EKS