paas-cf

⚠️
When merging pull requests, use the gds-cli: gds git merge-sign alphagov/paas-cf PR_NUMBER
⚠️

GOV.UK Platform as a Service (PaaS) CF creates a deployment of Cloud Foundry (CF) on VMs for GOV.UK PaaS. It builds upon the foundations laid out in paas-bootstrap and it handles the following non-exhaustive list of duties:

Deploying CF using Concourse
Configuring CF based on cf-deployment
Provisioning AWS resources using Terraform. This includes
- load balancers
- databases
- IAM roles and policies
- DNS records
- networking
- S3 buckets
Configuring Prometheus based on prometheus-boshrelease
Running continuous platform-level tests
Deploying and configuring our different service brokers (for example, the RDS broker and Aiven broker)

It does not include the AWS IAM roles which are assumed by different system components. Those are created in the account wide terraform (private repository).

What does paas-cf contain?
Deploying a new environment
Cloud Foundry deployment configuration options
Accessing Concourse
Finding configuration
Utility Scripts

What does `paas-cf` contain?

paas-cf separates the responsibility for configuring, deploying, running, and monitoring Cloud Foundry, from those responsibilities held by paas-bootstrap.

This repository does not itself contain the code that runs in an environment (for the most part), but instead serves to compose the different pieces into a cohesive whole. As a result, it contains a variety of pieces that tell only part of the story. The table under the heading Finding configuration outlines some key directories and their purposes.

Deploying a new environment

At a very high level, the create-cloudfoundry Concourse pipeline generates a Bosh manifest which describes the virtual machines and their networking which make up the Cloud Foundry deployment, as well as the software which runs on each machine. The manifest is then submitted to the Bosh director configured in paas-bootstrap.

Pre-requisites

Before you can get a Cloud Foundry deployment up and running, you will need the following available

A running deployer-concourse instance from paas-bootstrap
Make
Ruby >= 2.7
GDS CLI
Access to paas-credentials (private repository) and tools installed
Connection to GDS VPN
Permission to assume the Admin role of the relevant AWS account (dev, ci, staging, production)
AWS_DEFAULT_REGION environment set the desired region for the environment
cf CLI >=7

Deploy Cloud Foundry

These instructions contain placeholders where the exact command may vary. The below table explains the purpose of those placeholders:

Placeholder	Purpose
`$ACCOUNT`	The AWS account being targeted (for example, `dev`, `staging`)
`$ENV`	The name of the environment being targeted. In the case of short lived development environments, this should have a value of `dev`, and the specific environment is set by the `DEPLOY_ENV` environment variable (max 8 chars)

Log in to CredHub in the environment by running this and following the instructions on screen. This will take you into a new shell session.
```
gds aws paas-$ACCOUNT-admin -- make $ENV credhub
```
Upload the secrets to CredHub from the CredHub shell session.
```
make $ENV upload-all-secrets
```
Note: you do not need to use GDS CLI here because the CredHub shell session contains the AWS credentials in environment variables
Exit the CredHub shell session
Deploy the pipeline configurations using make. This will upload or update the pipelines. Select the target based on which AWS account you want to work with:
```
gds aws paas-$ACCOUNT-admin -- make $ENV pipelines
```
Log in to Concourse. See the Accessing Concourse.
Tun the generate-paas-admin-git-keys, generate-paas-billing-git-keys and generate-paas-aiven-broker-git-keys jobs in the job group operator. This will generate and store some SSH keys needed by other jobs.
Run the create-cloudfoundry pipeline, starting from the left-hand pipeline-lock job. This will configure and deploy Cloud Foundry. It might take a couple of hours to complete.

Cloud Foundry deployment configuration options

There are a handful of configuration options which can change a Cloud Foundry deployment which can only be set at pipeline level. Each of the properties in the below table should be set as Make variables when setting the pipelines:

gds aws paas-$ACCOUNT-admin -- make $ENV pipelines VAR=value

Property (VAR)	Type	Default	Description
`BRANCH`	String	`main`	Sets the `paas-cf` branch which will be used in the pipeline
`DEPLOY_ENV`	String	`null` for short-lived dev envs, fixed in `Makefile` for other envs	Sets the name of the environment
`SELF_UPDATE_PIPELINE`	Bool	`true`	Whether the pipeline should update its own definition from the current branch at runtime. Disable this if you’re making a pipeline change which has not been pushed to branch yet
`SLIM_DEV_DEPLOYMET`	Bool	`true` in dev, `false` elsewhere	If `true`, reduces the number and size of VMs created for each component to 2. In dev, set this to `false` when testing the impact of a change on platform availability
`DISABLED_AZS`	String list, space separated	`""`	Disables the given availability zones in Bosh. This is used when an availability zone goes away, and we need to redistribute virtual machines away from that AZ. Set to a value like `"z1 z2"`
`ENABLE_AUTODELETE`	Bool	`true` in dev, `false` elsewhere	If `true`, deploys a pipeline which tears down Cloud Foundry at 8pm each day as a cost saving measure. This should absolutely never be set to `true` in a staging or production deployment
`ENABLE_DESTROY`	Bool	`true` in dev, `false` elsewhere	If `true`, deploys a pipeline which, when run, will completely destroy Cloud Foundry and all of its data This should absolutely never be set to `true` in a staging or production deployment

Accessing Concourse

Once deployed, Concourse can be accessed from the URLs below. By default, authentication with Github is enabled.

Environment type	Environment name	URL
Dev	Unique name	https://deployer.$NAME.dev.cloudpipeline.digital/
Dev	Dev[0-9]+	https://deployer.dev$NUMBER.dev.cloudpipeline.digital/
Staging	`stg-lon`	https://deployer.london.staging.cloudpipeline.digital/
CI	`build`	https://concourse.build.ci.cloudpipeline.digital/
Production	`prod`	https://deployer.cloud.service.gov.uk/
Production	`prod-lon`	https://deployer.london.cloud.service.gov.uk/

Non-development URLs are also accessible via the gds paas open command.

Finding configuration

The following table outlines some important directories in the repository, their purpose, and when you might need to look in them.

Directory	Purpose	I will need this when ..
`concourse/pipelines/`	YAML definitions of the Concourse pipelines	I want to make a change to how the platform is deployed, monitored, or torn down
`config/billing/`	The scripts and static files used to generate configuration for the billing system.	I’m adding a new backing service, so that I can set how much it costs. The VAT rate has changed The cost of an AWS resource has changed
`manifests/cf-manifest/`	The Bosh manifest configuration for Cloud Foundry	See specific directories below
`manifests/cf-manifest/operations.d/`	Customisations applied to `cf-deployment`, applicable to all environments	I want to make a configuration change that will affect every environment I want to deploy a new piece of software with a Bosh release
`manifests/cf-manifest/operations`	Customisations applied to `cf-deployment` based on some condition	I want to make a configuration change that will only be applied in certain circumstances
`manifests/cf-manifest/spec`	Unit tests applied to the generated manifest file	I want to make sure a property of the manifest is not invalidated (for example, correct number of instances of some VM)
`manifests/cf-manifest/env-specific`	Values of variables per environment	I want to change things like the number of Diego cells deployed in an environment
`terraform/az-monitoring`	Terraform configuration for out availability zone monitoring solution	I want to make a change to how we monitoring how alive an availability zone is
`terraform/cloudfoundry`	Terraform configuration for the AWS resources associated with running Cloud Foundry	I want to set/unset DNS records I want to configure ingress for a new service broker I want to alter Cloud Foundry’s AWS network architecture
`terraform/spec`	Unit tests applied to Terraform configuration	I want to make an assertion about Terraform configuration as part of the unit tests
`terraform/vpc-peering`	Terraform configuration for VPC peering between the Cloud Foundry VPC and others	I want to change a property of our existing VPC peers, and future ones
`tools/buildpacks`	Golang implementation of our regular buildpack update emails	I want to make a change to the email we send to tenants about buildpack updates
`tools/metrics`	A Prometheus exporter which exposes a variety of platform-level metrics collected from different sources	I want to add a new metrics I want to change the frequency of the measurement of an existing metric

Utility Scripts

Add a permissions boundary policy to paas-s3-broker users

Configure the POLICY_NAME variable within the Makefile with the name of the Permissions Boundary policy that you wish to add to the paas-s3-broker users.

Run this command to add a permissions boundary to paas-s3-broker users:

gds aws paas-<ENV-ROLE> -- make <BUILD_ENV> add_permissions_boundary_to_existing_s3_broker_users ARGS="<--dry-run>"

Replace:

<ENV-ROLE> with the environment and role that you want to use e.g. prod-admin.
<BUILD_ENV> with the environment that you want to update e.g. prod-lon.
Only use the —dry-run flag if you would like the script to run but not change anything.

If the command is successful, the output will look similar to this:

Dry run? false
Policy attached to user: paas-s3-broker-dev05-0a094c73-7ae7-42cc-b028-6c78b93985d7
Policy attached to user: paas-s3-broker-dev05-dad332ff-3557-4f13-a768-5dc0e8421cd4