diff --git a/management-account/terraform/organizations-accounts-hmpps.tf b/management-account/terraform/organizations-accounts-hmpps.tf
index 9f06f5c1..95664d4a 100644
--- a/management-account/terraform/organizations-accounts-hmpps.tf
+++ b/management-account/terraform/organizations-accounts-hmpps.tf
@@ -42,26 +42,6 @@ resource "aws_organizations_account" "hmpps_engineering_production" {
 }
 }
-resource "aws_organizations_account" "hmpps_performance_hub" {
- name = "HMPPS Performance Hub"
- email = replace(local.aws_account_email_addresses_template, "{email}", "hmpps-performance-hub")
- iam_user_access_to_billing = "ALLOW"
- parent_id = aws_organizations_organizational_unit.hmpps.id
-
- tags = merge(local.tags_hmpps, {
-
- })
-
- lifecycle {
- ignore_changes = [
- email,
- iam_user_access_to_billing,
- name,
- role_name,
- ]
- }
-}
-
 resource "aws_organizations_account" "hmpps_probation_production" {
 name = "HMPPS Probation Production"
 email = replace(local.aws_account_email_addresses_template, "{email}", "hmpps-probation-prod")
diff --git a/management-account/terraform/sso-admin-account-assignments.tf b/management-account/terraform/sso-admin-account-assignments.tf
index 9f8886d6..e0a76ef9 100644
--- a/management-account/terraform/sso-admin-account-assignments.tf
+++ b/management-account/terraform/sso-admin-account-assignments.tf
@@ -13,14 +13,16 @@ locals {
 github_team = "aws-root-account-admin-team",
 permission_set_arn = aws_ssoadmin_permission_set.administrator_access.arn,
 account_ids = [
- aws_organizations_organization.default.master_account_id
+ aws_organizations_organization.default.master_account_id,
+ aws_organizations_account.organisation_security.id,
 ]
 },
 {
 github_team = "aws-root-account-admin-team",
 permission_set_arn = aws_ssoadmin_permission_set.aws_sso_read_only.arn,
 account_ids = [
- aws_organizations_organization.default.master_account_id
+ aws_organizations_organization.default.master_account_id,
+ aws_organizations_account.organisation_security.id,
 ]
 },
 {
@@ -411,6 +413,13 @@ locals {
 aws_organizations_organization.default.master_account_id
 ]
 },
+ {
+ github_team = "operations-engineering",
+ permission_set_arn = aws_ssoadmin_permission_set.read_only_access.arn,
+ account_ids = [
+ aws_organizations_organization.default.master_account_id
+ ]
+ },
 ]
 sso_admin_account_assignments_expanded = flatten([
 for assignment in local.sso_admin_account_assignments : [
diff --git a/management-account/terraform/sso.tf b/management-account/terraform/sso.tf
index 27190950..27fa6295 100644
--- a/management-account/terraform/sso.tf
+++ b/management-account/terraform/sso.tf
@@ -1,6 +1,6 @@
 module "sso" {
 # tflint-ignore: terraform_module_pinned_source
- source = "github.com/ministryofjustice/moj-terraform-aws-sso?ref=62751d63e06b0ae04a9f576ce857a99ff2526d4d" # v3.3.2
+ source = "github.com/ministryofjustice/moj-terraform-aws-sso?ref=79910dbc9771d24bfec4e255a13545d591def68f" # v3.4.2
 auth0_allowed_domains = local.sso.email_suffix
 auth0_aws_sso_acs_url = sensitive(local.sso.aws_saml.acs_url)
 auth0_aws_sso_issuer_url = sensitive(local.sso.aws_saml.issuer_url)
diff --git a/organisation-security/terraform/cloudformation/OracleDbLTS-Orch.yaml b/organisation-security/terraform/cloudformation/OracleDbLTS-Orch.yaml
index 6116d827..2a19cb66 100644
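Review bot: The two new `aws_organizations_account.organisation_security.id` entries give aws-root-account-admin-team AdministratorAccess (and SSO read-only) in the organisation-security account with no comment recording why, and elsewhere in this commit that account appears to be the License Manager delegated administrator running a StackSet that manages IAM roles in member accounts (`IsDelegatedAdministrator = true` in license-manager.tf and the OracleDbLTS-Orch.yaml template), so admin there reaches well beyond the account itself. Suggest annotating the entry so the scope is visible at the grant site, e.g. `aws_organizations_account.organisation_security.id, # License Manager delegated admin; hosts org-wide StackSets`, and confirming the GitHub team's membership is meant to carry that reach. The new `operations-engineering` entry in the -411 hunk uses `read_only_access` while the admin team's read-only entry above uses `aws_sso_read_only`; presumably intentional, but a one-line comment naming the difference would save the next reader a lookup.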
--- a/organisation-security/terraform/cloudformation/OracleDbLTS-Orch.yaml
+++ b/organisation-security/terraform/cloudformation/OracleDbLTS-Orch.yaml
@@ -154,30 +154,6 @@ Resources:
 Resource:
 - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/OracleDbLTS-SystemsManagerAutomationAdministrationRole"
 - !Sub "arn:${AWS::Partition}:iam::*:role/OracleDbLTS-SystemsManagerAutomationExecutionRole"
- StackSetAdministrationRole:
- Type: "AWS::IAM::Role"
- Properties:
- Path: /
- RoleName: OracleDbLTS-CloudFormation-StackSetAdministrationRole
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Principal:
- Service: cloudformation.amazonaws.com
- Action:
- - sts:AssumeRole
- Policies:
- - PolicyName: AdministrationPolicy
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Action:
- - sts:AssumeRole
- Resource:
- - "arn:*:iam::*:role/OracleDbLTS-CloudFormation-StackSetExecutionRole"
- Description: OracleDbLTS-CloudFormation-StackSetAdministrationRole to enable use of CloudFormation Stacksets
 ArtifactsS3:
 Type: "AWS::S3::Bucket"
@@ -217,7 +193,6 @@ Resources:
 OracleDbLTSUtilityFunctionRole:
 Type: "AWS::IAM::Role"
 Properties:
- Path: /
 RoleName: OracleDbLTSUtilityFunctionRole
 AssumeRolePolicyDocument:
 Version: 2012-10-17
@@ -228,6 +203,7 @@ Resources:
 Action: ["sts:AssumeRole"]
 ManagedPolicyArns:
 - !Sub "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
+ Path: /
 Policies:
 - PolicyName: OracleDbLTS-CreateAssociationPermissionManagementLambdaPolicy
 PolicyDocument:
@@ -288,64 +264,6 @@ Resources:
 - "arn:aws:s3:::pb-solution-artifacts/*"
 - "arn:aws:s3:::pb-solution-artifacts"
- StackSetExecutionRole:
- Type: "AWS::IAM::Role"
- Properties:
- Path: /
- RoleName: OracleDbLTS-CloudFormation-StackSetExecutionRole
- AssumeRolePolicyDocument:
- Version: 2012-10-17
- Statement:
- - Effect: Allow
- Principal:
- AWS:
- - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:root"
- Action:
- - sts:AssumeRole
- Policies:
- - PolicyName: ExecutionPolicy
- PolicyDocument:
- Version: 2012-10-17
- Statement:
- - Sid: Sid0
- Effect: Allow
- Action:
- - "iam:CreateRole"
- - "iam:AttachRolePolicy"
- - "iam:PutRolePolicy"
- - "iam:PassRole"
- - "iam:DetachRolePolicy"
- - "iam:DeleteRolePolicy"
- - "iam:DeleteRole"
- Resource:
- - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/OracleDbLTS-SystemsManagerAutomationAdministrationRole"
- - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/OracleDbLTS-SystemsManagerAutomationAdministrationRole"
- - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/OracleDbLTS-SystemsManagerAutomationExecutionRole"
- - Sid: Sid1
- Effect: Allow
- Action:
- - "ssm:CreateDocument"
- - "ssm:DeleteDocument"
- Resource:
- - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:document/OracleDbLTS-DeleteInventory"
- - !Sub "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:document/OracleDbLTS-ManageLicenceUtilization"
- - Sid: Sid2
- Effect: Allow
- Action:
- - "iam:GetRolePolicy"
- - "iam:GetRole"
- - "ssm:ListTagsForResource"
- - "ssm:DescribeDocument"
- Resource: "*"
- - Sid: Sid3
- Effect: Allow
- Action:
- - "sns:*"
- - "cloudformation:*"
- Resource: "*"
- Description: OracleDbLTS-CloudFormation-StackSetExecutionRole to enable use of CloudFormation Stacksets
- DependsOn: StackSetAdministrationRole
-
 AutomationPermissionsStackSet:
 Type: AWS::CloudFormation::StackSet
 Properties:
@@ -485,10 +403,10 @@ Resources:
 Description: "Utility Lambda function to create the State Manager associations and copy some of the required scripts for the solution"
 FunctionName: "OracleDbLTS-UtilityFunction"
 Handler: "index.lambda_handler"
- MemorySize: 128
+ MemorySize: 256
 Role: !GetAtt OracleDbLTSUtilityFunctionRole.Arn
 Runtime: "python3.9"
- Timeout: 30
+ Timeout: 900
 Code:
 ZipFile: !Sub |
 import boto3
@@ -701,7 +619,7 @@ Resources:
 # function: lambda_handler
 #--------------------------------------------------
 def lambda_handler(event, context):
-
+ print(event)
 try:
 targetDeploymentList = []
@@ -723,7 +641,7 @@ Resources:
 # Determine what action to take.
 if event['RequestType'] in ['Create', 'Update']:
-
+ print(deploymentTargets)
 for dt in deploymentTargets:
 targetDeploymentList.extend(get_child_ou_ids(dt))
 targetDeploymentList.append(dt)
@@ -776,6 +694,7 @@ Resources:
 TargetKey: !Ref TargetKey
 TargetValues: !Ref TargetValues
 Schedule: !Ref Schedule
+ ServiceTimeout: 1000
 OracleDbLTSOrchestrate:
 Type: "AWS::SSM::Document"
diff --git a/organisation-security/terraform/license-manager.tf b/organisation-security/terraform/license-manager.tf
index 34c45482..bbc5bca1 100644
--- a/organisation-security/terraform/license-manager.tf
+++ b/organisation-security/terraform/license-manager.tf
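Review bot: `print(event)` at the top of lambda_handler (the -701 hunk) writes the whole custom-resource event to CloudWatch Logs, and that event carries `ResponseURL` (the pre-signed S3 URL CloudFormation waits on) plus every ResourceProperties value, so the pre-signed URL becomes readable by anyone with access to the function's log group while the resource is pending. Log only what debugging needs, e.g. `print(event.get('RequestType'), event.get('LogicalResourceId'), event.get('RequestId'))`; the `print(deploymentTargets)` added in the -723 hunk is OU ids only and is fine as it stands. lambda_handler's body continues outside both hunks, so check the same for any other whole-event logging there. The `Timeout: 900` / `ServiceTimeout: 1000` pair is consistent (the custom-resource wait slightly outlives the function), which is worth stating in a comment next to `ServiceTimeout` so nobody later lowers one without the other.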
@@ -49,37 +49,38 @@ resource "aws_s3_object" "oracle_db_lts_orch" {
 key = "OracleDbLTS-Orch.yaml"
 source = "./cloudformation/OracleDbLTS-Orch.yaml"
 acl = "private"
+ etag = filemd5("./cloudformation/OracleDbLTS-Orch.yaml")
 }
 # Cloudformation stack for Oracle Database auto detection
-# resource "aws_cloudformation_stack" "oracleblts" {
-# name = "OracleDbLTS"
-# capabilities = ["CAPABILITY_NAMED_IAM"]
-# parameters = {
-# IsDelegatedAdministrator = true
-# ArtifactsS3Bucket = "license-manager-artifact-bucket"
-# AdministratorAccountId = data.aws_caller_identity.current.id
-# OrganizationId = local.organizations_organization.id
-# TargetOUs = local.ou_modernisation_platform_member_id
-# TargetRegions = "eu-west-2"
-# TargetKey = "tag:OracleDbLTS-ManagedInstance"
-# TargetValues = true
-# MaxConcurrency = 4
-# MaxErrors = 4
-# Schedule = "cron(15 0 ? * MON *)"
-# }
-# template_url = "https://aws-license-manager-service-643d94b3-abff-46cd-as.s3.eu-west-2.amazonaws.com/OracleDbLTS-Orch.yaml"
-
-# depends_on = [
-# module.oracle_ec2_license_configurations,
-# aws_s3_object.oracle_db_lts_orch
-# ]
-# timeouts {
-# create = "60m"
-# update = "60m"
-# delete = "60m"
-# }
-# }
+resource "aws_cloudformation_stack" "oracleblts" {
+ name = "OracleDbLTS"
+ capabilities = ["CAPABILITY_NAMED_IAM"]
+ parameters = {
+ IsDelegatedAdministrator = true
+ ArtifactsS3Bucket = "license-manager-artifact-bucket"
+ AdministratorAccountId = data.aws_caller_identity.current.id
+ OrganizationId = local.organizations_organization.id
+ TargetOUs = local.license_manager_ous_string
+ TargetRegions = "eu-west-2"
+ TargetKey = "tag:OracleDbLTS-ManagedInstance"
+ TargetValues = true
+ MaxConcurrency = 4
+ MaxErrors = 4
+ Schedule = "cron(15 0 ? * MON *)"
+ }
+ template_url = "https://aws-license-manager-service-643d94b3-abff-46cd-as.s3.eu-west-2.amazonaws.com/OracleDbLTS-Orch.yaml"
+
+ depends_on = [
+ module.oracle_ec2_license_configurations,
+ aws_s3_object.oracle_db_lts_orch
+ ]
+ timeouts {
+ create = "120m"
+ update = "60m"
+ delete = "60m"
+ }
+}
 # Athena resources
diff --git a/organisation-security/terraform/locals.tf b/organisation-security/terraform/locals.tf
index 1d4b7e6c..1e8aa258 100644
--- a/organisation-security/terraform/locals.tf
+++ b/organisation-security/terraform/locals.tf
@@ -104,6 +104,8 @@ locals {
 local.ou_ccms_ebs,
 local.ou_oasys
 ]
+ license_manager_ous_string = join(",", local.license_mamager_ous)
+
 # modernisation_platform_member_ous = [
 # for ou in data.aws_organizations_organizational_units.modernisation_platform_member.children :
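Review bot: `template_url` in the re-enabled aws_cloudformation_stack.oracleblts is a fixed literal, so a template edit that the new `etag` re-uploads through aws_s3_object.oracle_db_lts_orch never reaches the stack: none of the stack's arguments change, `depends_on` only orders the apply, and Terraform plans no update. If the bucket is versioned, `template_url = "https://${aws_s3_object.oracle_db_lts_orch.bucket}.s3.eu-west-2.amazonaws.com/${aws_s3_object.oracle_db_lts_orch.key}?versionId=${aws_s3_object.oracle_db_lts_orch.version_id}"` ties each apply to the object actually uploaded; otherwise a comment beside the resource should say that template changes need a manual stack update. Deriving the URL from the object also removes the hard-coded bucket host, which cannot be checked against the object's `bucket` argument from this hunk because that line sits above it. Since the stack runs with `CAPABILITY_NAMED_IAM` in the delegated-admin account, a comment listing the named roles the template creates would help the next reviewer of this block.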