Refactor ECS scheduled tasks for forms admin

theseanything · theseanything · commit 2e354aa78a42 · 2026-02-20T13:32:53.000Z
Consolidate ECS scheduled tasks for Mailchimp and organisations sync into a single module.
diff --git a/infra/modules/forms-admin/mailchimp-sync.tf b/infra/modules/forms-admin/mailchimp-sync.tf
@@ -1,87 +1,3 @@
-##
-# ECS
-##
-locals {
-  # Take the exported task container definition
-  # and override some parts of it, so that it doesn't fall out of sync
-  mailchimp_sync_container_definitions = merge(
-    module.ecs_service.task_container_definition,
-    {
-      name    = "forms-admin_mailchimp_sync",
-      command = ["rake", "mailchimp:synchronize_audiences"]
-      logConfiguration = {
-        logDriver = "awslogs",
-        options = {
-          awslogs-group         = module.ecs_service.application_log_group_name,
-          awslogs-region        = "eu-west-2",
-          awslogs-stream-prefix = "forms-admin-${var.env_name}-mailchimp-sync"
-        }
-      },
-    }
-  )
-}
-
-resource "aws_ecs_task_definition" "mailchimp_cron_job" {
-  count = var.enable_mailchimp_sync ? 1 : 0
-
-  family                = "${var.env_name}_forms-admin_mailchimp_sync"
-  container_definitions = jsonencode([local.mailchimp_sync_container_definitions])
-
-  execution_role_arn       = module.ecs_service.task_definition.execution_role_arn
-  task_role_arn            = module.ecs_service.task_definition.task_role_arn
-  requires_compatibilities = module.ecs_service.task_definition.requires_compatibilities
-  cpu                      = module.ecs_service.task_definition.cpu
-  memory                   = module.ecs_service.task_definition.memory
-  network_mode             = "awsvpc"
-
-  runtime_platform {
-    operating_system_family = "LINUX"
-    cpu_architecture        = "ARM64"
-  }
-
-  // As we deploy the forms-admin versions with codepipeline, terraform is not the source of truth for the task definition image. Therefore use `track_latest` to avoid drift.
-  track_latest = true
-}
-
-##
-# EventBridge
-##
-resource "aws_cloudwatch_event_rule" "sync_mailchimp_cron_job" {
-  count = var.enable_mailchimp_sync ? 1 : 0
-
-  name                = "${var.env_name}-forms-admin-mailchimp-sync-cron"
-  description         = "Trigger the forms-admin MailChimp synchronisation on a schedule"
-  schedule_expression = "cron(30 10 * * ? *)" # 10:30AM daily. In office hours so that we can respond to failures
-}
-
-resource "aws_cloudwatch_event_target" "ecs_mailchimp_sync_job" {
-  count = var.enable_mailchimp_sync ? 1 : 0
-
-  arn      = var.ecs_cluster_arn
-  rule     = aws_cloudwatch_event_rule.sync_mailchimp_cron_job[0].name
-  role_arn = aws_iam_role.ecs_mailchimp_cron_scheduler[0].arn
-
-  ecs_target {
-    # Construct ARN without revision number to always use the latest revision
-    # Format: arn:aws:ecs:region:account:task-definition/family
-    # This ensures the EventBridge rule always uses the latest revision
-    # which is updated by the forms-admin deployment pipeline
-    task_definition_arn = "arn:aws:ecs:eu-west-2:${data.aws_caller_identity.current.account_id}:task-definition/${aws_ecs_task_definition.mailchimp_cron_job[0].family}"
-    launch_type         = "FARGATE"
-    platform_version    = "1.4.0"
-
-    network_configuration {
-      assign_public_ip = false
-      security_groups  = module.ecs_service.service.network_configuration[0].security_groups
-      subnets          = module.ecs_service.service.network_configuration[0].subnets
-    }
-  }
-
-  dead_letter_config {
-    arn = var.eventbridge_dead_letter_queue_arn
-  }
-}
-
 ## Monitor for failure
 resource "aws_cloudwatch_event_rule" "sync_mailchimp_cron_job_failed" {
   name        = "${var.env_name}-forms-admin-mailchimp-sync-failed"
@@ -98,8 +14,9 @@ resource "aws_cloudwatch_event_rule" "sync_mailchimp_cron_job_failed" {
 
     detail = {
       lastStatus = ["STOPPED"]
+      group      = ["family:forms-admin-mailchimp-sync"]
       containers = {
-        name     = [local.mailchimp_sync_container_definitions.name]
+        name     = ["main"]
         exitCode = [{ "anything-but" : [0] }]
       }
     }
@@ -119,7 +36,7 @@ resource "aws_cloudwatch_event_target" "sync_mailchimp_cron_job_alert_message" {
       "description": "GOV.UK Forms has a scheduled ECS task to sync our Mailchimp mailing list with new users in the users database (only applied in production). When this task fails an email is sent to Zendesk.",
       "next-steps": {
         "1": "Navigate to Splunk: https://gds.splunkcloud.com/en-GB/app/gds-543-forms/search.",
-        "2": "Search for index=gds_dsp_production_forms log_stream=forms-admin-production-mailchimp-sync/forms-admin_mailchimp_sync/*. Use the 'Today' date-time preset to find today's logs.",
+        "2": "Search for index=gds_dsp_production_forms log_stream=forms-admin-production-mailchimp-sync/main/*. Use the 'Today' date-time preset to find today's logs.",
         "3": "Review logs for errors."
       }
     }
@@ -131,35 +48,6 @@ resource "aws_cloudwatch_event_target" "sync_mailchimp_cron_job_alert_message" {
   }
 }
 
-##
-# IAM
-##
-resource "aws_iam_role" "ecs_mailchimp_cron_scheduler" {
-  count = var.enable_mailchimp_sync ? 1 : 0
-
-  name = "${var.env_name}-forms-admin-mailchimp-ecs-cron-scheduler"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "events.amazonaws.com"
-        }
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "ecs_mailchimp_events_policy" {
-  count = var.enable_mailchimp_sync ? 1 : 0
-
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
-  role       = aws_iam_role.ecs_mailchimp_cron_scheduler[0].name
-}
-
 moved {
   from = aws_cloudwatch_event_rule.sync_cron_job_failed
   to   = aws_cloudwatch_event_rule.sync_mailchimp_cron_job_failed
diff --git a/infra/modules/forms-admin/orgs-sync.tf b/infra/modules/forms-admin/orgs-sync.tf
@@ -1,81 +1,3 @@
-##
-# ECS
-##
-locals {
-  # Take the exported task container definition
-  # and override some parts of it, so that it doesn't fall out of sync
-  organisations_sync_container_definitions = merge(
-    module.ecs_service.task_container_definition,
-    {
-      name    = "forms-admin_organisations_sync",
-      command = ["rake", "organisations:fetch"]
-      logConfiguration = {
-        logDriver = "awslogs",
-        options = {
-          awslogs-group         = module.ecs_service.application_log_group_name,
-          awslogs-region        = "eu-west-2",
-          awslogs-stream-prefix = "forms-admin-${var.env_name}-organisations-sync"
-        }
-      },
-    }
-  )
-}
-
-resource "aws_ecs_task_definition" "orgs_cron_job" {
-  count = var.enable_organisations_sync ? 1 : 0
-
-  family                = "${var.env_name}_forms-admin_organisations_sync"
-  container_definitions = jsonencode([local.organisations_sync_container_definitions])
-
-  execution_role_arn       = module.ecs_service.task_definition.execution_role_arn
-  task_role_arn            = module.ecs_service.task_definition.task_role_arn
-  requires_compatibilities = module.ecs_service.task_definition.requires_compatibilities
-  cpu                      = module.ecs_service.task_definition.cpu
-  memory                   = module.ecs_service.task_definition.memory
-  network_mode             = "awsvpc"
-  track_latest             = true
-
-  runtime_platform {
-    operating_system_family = "LINUX"
-    cpu_architecture        = "ARM64"
-  }
-}
-
-##
-# EventBridge
-##
-resource "aws_cloudwatch_event_rule" "sync_orgs_cron_job" {
-  count = var.enable_organisations_sync ? 1 : 0
-
-  name                = "${var.env_name}-forms-admin-orgs-sync-cron"
-  description         = "Trigger the forms-admin organisations synchronisation on a schedule"
-  schedule_expression = "cron(30 11 ? * TUE *)" # 11:30AM every Tuesday. In office hours so that we can respond to failures
-}
-
-resource "aws_cloudwatch_event_target" "ecs_org_sync_job" {
-  count = var.enable_organisations_sync ? 1 : 0
-
-  arn      = var.ecs_cluster_arn
-  rule     = aws_cloudwatch_event_rule.sync_orgs_cron_job[0].name
-  role_arn = aws_iam_role.ecs_orgs_cron_scheduler[0].arn
-
-  ecs_target {
-    task_definition_arn = "arn:aws:ecs:eu-west-2:${data.aws_caller_identity.current.account_id}:task-definition/${aws_ecs_task_definition.orgs_cron_job[0].family}"
-    launch_type         = "FARGATE"
-    platform_version    = "1.4.0"
-
-    network_configuration {
-      assign_public_ip = false
-      security_groups  = module.ecs_service.service.network_configuration[0].security_groups
-      subnets          = module.ecs_service.service.network_configuration[0].subnets
-    }
-  }
-
-  dead_letter_config {
-    arn = var.eventbridge_dead_letter_queue_arn
-  }
-}
-
 ## Monitor for failure
 resource "aws_cloudwatch_event_rule" "sync_orgs_cron_job_failed" {
   count = var.enable_organisations_sync ? 1 : 0
@@ -94,8 +16,9 @@ resource "aws_cloudwatch_event_rule" "sync_orgs_cron_job_failed" {
 
     detail = {
       lastStatus = ["STOPPED"]
+      group      = ["family:forms-admin-organisations-sync"]
       containers = {
-        name     = [local.organisations_sync_container_definitions.name]
+        name     = ["main"]
         exitCode = [{ "anything-but" : [0] }]
       }
     }
@@ -117,7 +40,7 @@ resource "aws_cloudwatch_event_target" "sync_orgs_cron_job_alert_message" {
       "description": "GOV.UK Forms has a scheduled ECS task to sync our organisations from GOV.UK. When this task fails an email is sent to Zendesk.",
       "next-steps": {
         "1": "Navigate to Splunk: https://gds.splunkcloud.com/en-GB/app/gds-543-forms/search.",
-        "2": "Search for index=gds_dsp_production_forms log_stream=forms-admin-production-organisations-sync/forms-admin_organisations_sync/*. Use the 'Today' date-time preset to find today's logs.",
+        "2": "Search for index=gds_dsp_production_forms log_stream=forms-admin-production-organisations-sync/main/*. Use the 'Today' date-time preset to find today's logs.",
         "3": "Review logs for errors."
       }
     }
@@ -128,32 +51,3 @@ resource "aws_cloudwatch_event_target" "sync_orgs_cron_job_alert_message" {
     arn = var.eventbridge_dead_letter_queue_arn
   }
 }
-
-##
-# IAM
-##
-resource "aws_iam_role" "ecs_orgs_cron_scheduler" {
-  count = var.enable_organisations_sync ? 1 : 0
-
-  name = "${var.env_name}-forms-admin-orgs-ecs-cron-scheduler"
-
-  assume_role_policy = jsonencode({
-    Version = "2012-10-17"
-    Statement = [
-      {
-        Action = "sts:AssumeRole"
-        Effect = "Allow"
-        Principal = {
-          Service = "events.amazonaws.com"
-        }
-      }
-    ]
-  })
-}
-
-resource "aws_iam_role_policy_attachment" "ecs_orgs_events_policy" {
-  count = var.enable_organisations_sync ? 1 : 0
-
-  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceEventsRole"
-  role       = aws_iam_role.ecs_orgs_cron_scheduler[0].name
-}
diff --git a/infra/modules/forms-admin/scheduled-tasks.tf b/infra/modules/forms-admin/scheduled-tasks.tf
@@ -1,5 +1,14 @@
 locals {
-  scheduled_tasks = {}
+  scheduled_tasks = {
+    organisations_sync = {
+      schedule_expression = "cron(30 11 ? * TUE *)" # 11:30AM every Tuesday. In office hours so that we can respond to failures
+      command             = ["rake", "organisations:fetch"]
+    }
+    mailchimp_sync = {
+      schedule_expression = "cron(30 10 * * ? *)" # 10:30AM daily. In office hours so that we can respond to failures
+      command             = ["rake", "mailchimp:synchronize_audiences"]
+    }
+  }
 }
 
 module "scheduled_tasks" {
@@ -22,3 +31,34 @@ module "scheduled_tasks" {
   network_security_groups           = module.ecs_service.service.network_configuration[0].security_groups
   network_subnets                   = module.ecs_service.service.network_configuration[0].subnets
 }
+
+moved {
+  from = aws_ecs_task_definition.orgs_cron_job[0]
+  to   = module.scheduled_tasks["organisations_sync"].aws_ecs_task_definition.this
+}
+
+moved {
+  from = aws_cloudwatch_event_rule.sync_orgs_cron_job[0]
+  to   = module.scheduled_tasks["organisations_sync"].aws_cloudwatch_event_rule.this
+}
+
+moved {
+  from = aws_cloudwatch_event_target.ecs_org_sync_job[0]
+  to   = module.scheduled_tasks["organisations_sync"].aws_cloudwatch_event_target.this
+}
+
+moved {
+  from = aws_ecs_task_definition.mailchimp_cron_job[0]
+  to   = module.scheduled_tasks["mailchimp_sync"].aws_ecs_task_definition.this
+}
+
+moved {
+  from = aws_cloudwatch_event_rule.sync_mailchimp_cron_job[0]
+  to   = module.scheduled_tasks["mailchimp_sync"].aws_cloudwatch_event_rule.this
+}
+
+moved {
+  from = aws_cloudwatch_event_target.ecs_mailchimp_sync_job[0]
+  to   = module.scheduled_tasks["mailchimp_sync"].aws_cloudwatch_event_target.this
+}
+
