Merge branch 'main' into dependabot/github_actions/oxsecurity/megalin…

…ter-8.3.0

management-account/terraform/organizations-accounts-hmpps.tf

@@ -42,26 +42,6 @@ resource "aws_organizations_account" "hmpps_engineering_production" {
   }
 }
 
-resource "aws_organizations_account" "hmpps_performance_hub" {
-  name                       = "HMPPS Performance Hub"
-  email                      = replace(local.aws_account_email_addresses_template, "{email}", "hmpps-performance-hub")
-  iam_user_access_to_billing = "ALLOW"
-  parent_id                  = aws_organizations_organizational_unit.hmpps.id
-
-  tags = merge(local.tags_hmpps, {
-
-  })
-
-  lifecycle {
-    ignore_changes = [
-      email,
-      iam_user_access_to_billing,
-      name,
-      role_name,
-    ]
-  }
-}
-
 resource "aws_organizations_account" "hmpps_probation_production" {
   name                       = "HMPPS Probation Production"
   email                      = replace(local.aws_account_email_addresses_template, "{email}", "hmpps-probation-prod")

management-account/terraform/sso-admin-account-assignments.tf

@@ -13,14 +13,16 @@ locals {
       github_team        = "aws-root-account-admin-team",
       permission_set_arn = aws_ssoadmin_permission_set.administrator_access.arn,
       account_ids = [
-        aws_organizations_organization.default.master_account_id
+        aws_organizations_organization.default.master_account_id,
+        aws_organizations_account.organisation_security.id,
       ]
     },
     {
       github_team        = "aws-root-account-admin-team",
       permission_set_arn = aws_ssoadmin_permission_set.aws_sso_read_only.arn,
       account_ids = [
-        aws_organizations_organization.default.master_account_id
+        aws_organizations_organization.default.master_account_id,
+        aws_organizations_account.organisation_security.id,
       ]
     },
     {
@@ -411,6 +413,13 @@ locals {
         aws_organizations_organization.default.master_account_id
       ]
     },
+    {
+      github_team        = "operations-engineering",
+      permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn,
+      account_ids = [
+        aws_organizations_organization.default.master_account_id
+      ]
+    },
   ]
   sso_admin_account_assignments_expanded = flatten([
     for assignment in local.sso_admin_account_assignments : [

management-account/terraform/sso.tf

@@ -1,6 +1,6 @@
 module "sso" {
   # tflint-ignore: terraform_module_pinned_source
-  source                            = "github.com/ministryofjustice/moj-terraform-aws-sso?ref=62751d63e06b0ae04a9f576ce857a99ff2526d4d" # v3.3.2
+  source                            = "github.com/ministryofjustice/moj-terraform-aws-sso?ref=79910dbc9771d24bfec4e255a13545d591def68f" # v3.4.2
   auth0_allowed_domains             = local.sso.email_suffix
   auth0_aws_sso_acs_url             = sensitive(local.sso.aws_saml.acs_url)
   auth0_aws_sso_issuer_url          = sensitive(local.sso.aws_saml.issuer_url)

organisation-security/terraform/cloudformation/OracleDbLTS-Orch.yaml

@@ -154,30 +154,6 @@ Resources:
                 Resource:
                   - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/OracleDbLTS-SystemsManagerAutomationAdministrationRole"
                   - !Sub "arn:${AWS::Partition}:iam::*:role/OracleDbLTS-SystemsManagerAutomationExecutionRole"
-  StackSetAdministrationRole:
-    Type: "AWS::IAM::Role"
-    Properties:
-      Path: /
-      RoleName: OracleDbLTS-CloudFormation-StackSetAdministrationRole
-      AssumeRolePolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Principal:
-              Service: cloudformation.amazonaws.com
-            Action:
-              - sts:AssumeRole
-      Policies:
-        - PolicyName: AdministrationPolicy
-          PolicyDocument:
-            Version: 2012-10-17
-            Statement:
-              - Effect: Allow
-                Action:
-                  - sts:AssumeRole
-                Resource:
-                  - "arn:*:iam::*:role/OracleDbLTS-CloudFormation-StackSetExecutionRole"
-      Description: OracleDbLTS-CloudFormation-StackSetAdministrationRole to enable use of CloudFormation Stacksets
 
   ArtifactsS3:
     Type: "AWS::S3::Bucket"
@@ -217,7 +193,6 @@ Resources:
   OracleDbLTSUtilityFunctionRole:
     Type: "AWS::IAM::Role"
     Properties:
-      Path: /
       RoleName: OracleDbLTSUtilityFunctionRole
       AssumeRolePolicyDocument:
         Version: 2012-10-17
@@ -228,6 +203,7 @@ Resources:
             Action: ["sts:AssumeRole"]
       ManagedPolicyArns:
         - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+      Path: /
       Policies:
         - PolicyName: OracleDbLTS-CreateAssociationPermissionManagementLambdaPolicy
           PolicyDocument:
@@ -288,64 +264,6 @@ Resources:
                   - "arn:aws:s3:::pb-solution-artifacts/*"
                   - "arn:aws:s3:::pb-solution-artifacts"
 
-  StackSetExecutionRole:
-    Type: "AWS::IAM::Role"
-    Properties:
-      Path: /
-      RoleName: OracleDbLTS-CloudFormation-StackSetExecutionRole
-      AssumeRolePolicyDocument:
-        Version: 2012-10-17
-        Statement:
-          - Effect: Allow
-            Principal:
-              AWS:
-                - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
-            Action:
-              - sts:AssumeRole
-      Policies:
-        - PolicyName: ExecutionPolicy
-          PolicyDocument:
-            Version: 2012-10-17
-            Statement:
-              - Sid: Sid0
-                Effect: Allow
-                Action:
-                  - "iam:CreateRole"
-                  - "iam:AttachRolePolicy"
-                  - "iam:PutRolePolicy"
-                  - "iam:PassRole"
-                  - "iam:DetachRolePolicy"
-                  - "iam:DeleteRolePolicy"
-                  - "iam:DeleteRole"
-                Resource:
-                  - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/OracleDbLTS-SystemsManagerAutomationAdministrationRole"
-                  - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/OracleDbLTS-SystemsManagerAutomationAdministrationRole"
-                  - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/OracleDbLTS-SystemsManagerAutomationExecutionRole"
-              - Sid: Sid1
-                Effect: Allow
-                Action:
-                  - "ssm:CreateDocument"
-                  - "ssm:DeleteDocument"
-                Resource:
-                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:document/OracleDbLTS-DeleteInventory"
-                  - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:document/OracleDbLTS-ManageLicenceUtilization"
-              - Sid: Sid2
-                Effect: Allow
-                Action:
-                  - "iam:GetRolePolicy"
-                  - "iam:GetRole"
-                  - "ssm:ListTagsForResource"
-                  - "ssm:DescribeDocument"
-                Resource: "*"
-              - Sid: Sid3
-                Effect: Allow
-                Action:
-                  - "sns:*"
-                  - "cloudformation:*"
-                Resource: "*"
-      Description: OracleDbLTS-CloudFormation-StackSetExecutionRole to enable use of CloudFormation Stacksets
-    DependsOn: StackSetAdministrationRole
-
   AutomationPermissionsStackSet:
     Type: AWS::CloudFormation::StackSet
     Properties:
@@ -485,10 +403,10 @@ Resources:
       Description: "Utility Lambda function to create the State Manager associations and copy some of the required scripts for the solution"
       FunctionName: "OracleDbLTS-UtilityFunction"
       Handler: "index.lambda_handler"
-      MemorySize: 128
+      MemorySize: 256
       Role: !GetAtt OracleDbLTSUtilityFunctionRole.Arn
       Runtime: "python3.9"
-      Timeout: 30
+      Timeout: 900
       Code:
         ZipFile: !Sub |
           import boto3
@@ -701,7 +619,7 @@ Resources:
           # function: lambda_handler
           #--------------------------------------------------
           def lambda_handler(event, context):
-
+            print(event)
             try:
 
               targetDeploymentList = []
@@ -723,7 +641,7 @@ Resources:
 
               # Determine what action to take.
               if event['RequestType'] in ['Create', 'Update']:
-                
+                print(deploymentTargets)
                 for dt in deploymentTargets:
                   targetDeploymentList.extend(get_child_ou_ids(dt))
                   targetDeploymentList.append(dt)
@@ -776,6 +694,7 @@ Resources:
       TargetKey: !Ref TargetKey
       TargetValues: !Ref TargetValues
       Schedule: !Ref Schedule
+      ServiceTimeout: 1000
 
   OracleDbLTSOrchestrate:
     Type: "AWS::SSM::Document"

organisation-security/terraform/license-manager.tf

@@ -49,37 +49,38 @@ resource "aws_s3_object" "oracle_db_lts_orch" {
   key    = "OracleDbLTS-Orch.yaml"
   source = "./cloudformation/OracleDbLTS-Orch.yaml"
   acl    = "private"
+  etag   = filemd5("./cloudformation/OracleDbLTS-Orch.yaml")
 }
 
 # Cloudformation stack for Oracle Database auto detection
-# resource "aws_cloudformation_stack" "oracleblts" {
-#   name         = "OracleDbLTS"
-#   capabilities = ["CAPABILITY_NAMED_IAM"]
-#   parameters = {
-#     IsDelegatedAdministrator = true
-#     ArtifactsS3Bucket        = "license-manager-artifact-bucket"
-#     AdministratorAccountId   = data.aws_caller_identity.current.id
-#     OrganizationId           = local.organizations_organization.id
-#     TargetOUs                = local.ou_modernisation_platform_member_id
-#     TargetRegions            = "eu-west-2"
-#     TargetKey                = "tag:OracleDbLTS-ManagedInstance"
-#     TargetValues             = true
-#     MaxConcurrency           = 4
-#     MaxErrors                = 4
-#     Schedule                 = "cron(15 0 ? * MON *)"
-#   }
-#   template_url = "https://aws-license-manager-service-643d94b3-abff-46cd-as.s3.eu-west-2.amazonaws.com/OracleDbLTS-Orch.yaml"
-
-#   depends_on = [
-#     module.oracle_ec2_license_configurations,
-#     aws_s3_object.oracle_db_lts_orch
-#   ]
-#   timeouts {
-#     create = "60m"
-#     update = "60m"
-#     delete = "60m"
-#   }
-# }
+resource "aws_cloudformation_stack" "oracleblts" {
+  name         = "OracleDbLTS"
+  capabilities = ["CAPABILITY_NAMED_IAM"]
+  parameters = {
+    IsDelegatedAdministrator = true
+    ArtifactsS3Bucket        = "license-manager-artifact-bucket"
+    AdministratorAccountId   = data.aws_caller_identity.current.id
+    OrganizationId           = local.organizations_organization.id
+    TargetOUs                = local.license_manager_ous_string
+    TargetRegions            = "eu-west-2"
+    TargetKey                = "tag:OracleDbLTS-ManagedInstance"
+    TargetValues             = true
+    MaxConcurrency           = 4
+    MaxErrors                = 4
+    Schedule                 = "cron(15 0 ? * MON *)"
+  }
+  template_url = "https://aws-license-manager-service-643d94b3-abff-46cd-as.s3.eu-west-2.amazonaws.com/OracleDbLTS-Orch.yaml"
+
+  depends_on = [
+    module.oracle_ec2_license_configurations,
+    aws_s3_object.oracle_db_lts_orch
+  ]
+  timeouts {
+    create = "120m"
+    update = "60m"
+    delete = "60m"
+  }
+}
 
 
 # Athena resources

organisation-security/terraform/locals.tf

@@ -104,6 +104,8 @@ locals {
     local.ou_ccms_ebs,
     local.ou_oasys
   ]
+  license_manager_ous_string = join(",", local.license_mamager_ous)
+
 
   # modernisation_platform_member_ous = [
   #   for ou in data.aws_organizations_organizational_units.modernisation_platform_member.children :