feat: Remove dead code for managing CDNs (DBTP-2774)

[kierdavis]

Addresses https://uktrade.atlassian.net/browse/DBTP-2774

Motivation

All CDNs for all apps are now managed by platform-public-ingress. However platform-tools still has the capability to manage CDNs, and there's a risk that this codepath can still be activated if a developer team does not include managed_ingress: true in the definition of an ALB or S3 static site extension.

What this PR does

This PR removes the terraform code for managing CDNs.

In its place, it adds an assertion that managed_ingress: true is present for all ALBs and S3 static site extensions. This assertion is implemented as a precondition on a null_resource, and takes effect at terraform plan time.

Impact

For ALB/S3 extensions that are already marked with managed_ingress: true (which, right now, is all of them), there is no change in behaviour.

For extensions that don't have this setting, the natural behaviour would be for terraform to plan to destroy the CDNs because they're no longer present in the configuration. However, the newly added assertion will fail, meaning that the plan stage as a whole will fail and cannot lead to terraform actually destroying CDNs.

Testing

Tested a terraform plan of the environment terraform for all apps/envs; confirmed this doesn't break anything or introduce any changes we don't expect.

Example of an assertion failure

kier.davis@U-1GNNG2V65JWLB:~/checkouts/demodjango-deploy/terraform/environments/ben$ terraform plan
...
╷
│ Error: Resource precondition failed
│ 
│   on .terraform/modules/extensions/terraform/extensions/main.tf line 187, in resource "null_resource" "check_extension_uses_managed_ingress":
│  187:       condition     = each.value
│     ├────────────────
│     │ each.value is false
│ 
│ Expected managed_ingress to be set to true for extension 'demodjango-s3-bucket-static', environment 'ben'
╵

Follow-ups

Future PRs will introduce a deprecation warning for managed_ingress (along with many other platform-config.yml options that now become redundant), and ultimately remove this option from schema.

---

Checklist:

Title:

• Conforms to our pull request title guidance. E.g. feat: Add new feature (DBTP-1234) or chore: Correct typo (off-ticket)

Description:

• Link to ticket included (unless it's a quick out of ticket thing)
• Includes tests (or an explanation for why it doesn't)
• If the work includes user interface changes, before and after screenshots included in description
• Includes any applicable changes to the documentation in this code base
• Includes link(s) to any applicable changes to the documentation in the DBT Platform Documentation (can be to a pull request)
  • Will do this afterwards, under DBTP-2776.

Tasks:

• Run the end to end tests for this branch and confirm that they are passing
  • pull-request-end-to-end-tests execution ID: 52dfbd7c

Reviewer Checklist

• I have reviewed the PR and ensured no secret values are present

[github-actions]

Dependency Review

✅ No vulnerabilities or OpenSSF Scorecard issues found.

Scanned Files

None

[github-actions]

Your PR has commits that are missing the Signed-off-by trailer. This is likely due to the pre-commit hook not being configured on your local machine. The usual fix for this issue is to run pre-commit install --install-hooks --overwrite -t commit-msg -t pre-commit, however for more detailed help in setting up the pre-commit hooks, follow the instructions at https://github.com/uktrade/github-standards/blob/main/README.md#usage

[alimbada]

Is there any benefit/drawbacks for managed_ingress: true to become the default so that it doesn't need to be explicitly defined?

[kierdavis]

@alimbada if we flip the default value for managed_ingress from false to true, it'll cause havoc for any extensions that aren't currently defining an explicit value. There aren't any such extensions last time I checked, but someone could sneak one into a deploy repo before we get round to releasing this PR.

Once this PR has been released to all apps I think it'll be safe to change the default - or just ignore the value of managed_ingress entirely.