diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index 4168d999293..db891e96c94 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf @@ -52,7 +52,9 @@ locals { } baseline_all_environments = { - resource_explorer = true - security_groups = local.security_groups + options = { + enable_resource_explorer = true + } + security_groups = local.security_groups } } diff --git a/terraform/environments/oasys/main.tf b/terraform/environments/oasys/main.tf index 45a9461c148..de28fdf87bf 100644 --- a/terraform/environments/oasys/main.tf +++ b/terraform/environments/oasys/main.tf @@ -155,10 +155,9 @@ module "baseline" { lookup(local.baseline_environment_specific, "oam_sinks", {}), ) - resource_explorer = coalesce( - lookup(local.baseline_all_environments, "resource_explorer", null), - lookup(local.baseline_environment_specific, "resource_explorer", null), - false, + options = merge( + lookup(local.baseline_all_environments, "options", {}), + lookup(local.baseline_environment_specific, "options", {}), ) route53_resolvers = merge( diff --git a/terraform/environments/planetfm/locals.tf b/terraform/environments/planetfm/locals.tf index c3e02f09b31..2d3920823fa 100644 --- a/terraform/environments/planetfm/locals.tf +++ b/terraform/environments/planetfm/locals.tf @@ -1,102 +1,68 @@ -locals { - business_unit = var.networking[0].business-unit - region = "eu-west-2" +# define configuration common to all environments here +# define environment specific configuration in locals_development.tf, locals_test.tf etc. - environment_configs = { - development = local.development_config - test = local.test_config - preproduction = local.preproduction_config - production = local.production_config +locals { + baseline_presets_environments_specific = { + development = local.baseline_presets_development + test = local.baseline_presets_test + preproduction = local.baseline_presets_preproduction + production = local.baseline_presets_production } - baseline_environment_config = local.environment_configs[local.environment] + baseline_presets_environment_specific = local.baseline_presets_environments_specific[local.environment] - baseline_presets_options = { - enable_application_environment_wildcard_cert = false - enable_backup_plan_daily_and_weekly = true - enable_business_unit_kms_cmks = true - enable_hmpps_domain = true - enable_image_builder = true - enable_ec2_cloud_watch_agent = true - enable_ec2_self_provision = true - enable_oracle_secure_web = true - enable_ec2_put_parameter = false - enable_ec2_user_keypair = true - cloudwatch_metric_alarms_default_actions = ["planetfm_pagerduty"] - cloudwatch_metric_alarms = {} - route53_resolver_rules = { - # outbound-data-and-private-subnets = ["azure-fixngo-domain"] # already set by nomis account - } - iam_policies_filter = ["ImageBuilderS3BucketWriteAndDeleteAccessPolicy"] - iam_policies_ec2_default = ["EC2S3BucketWriteAndDeleteAccessPolicy", "ImageBuilderS3BucketWriteAndDeleteAccessPolicy"] - s3_iam_policies = ["EC2S3BucketWriteAndDeleteAccessPolicy"] - sns_topics = { - pagerduty_integrations = { - planetfm_pagerduty = "planetfm_alarms" - } - } + baseline_environments_specific = { + development = local.baseline_development + test = local.baseline_test + preproduction = local.baseline_preproduction + production = local.baseline_production } + baseline_environment_specific = local.baseline_environments_specific[local.environment] - baseline_acm_certificates = {} - baseline_cloudwatch_log_groups = merge( - local.ssm_doc_cloudwatch_log_groups, {} - ) + baseline_presets_all_environments = { + options = { + cloudwatch_metric_alarms_default_actions = ["planetfm_pagerduty"] + # cloudwatch_metric_oam_links_ssm_parameters = ["hmpps-oem-${local.environment}"] + # cloudwatch_metric_oam_links = ["hmpps-oem-${local.environment}"] + # enable_backup_plan_daily_and_weekly = true + enable_business_unit_kms_cmks = true + enable_ec2_cloud_watch_agent = true + enable_ec2_self_provision = true + enable_ec2_user_keypair = true + enable_hmpps_domain = true + enable_image_builder = true + enable_oracle_secure_web = true + iam_policies_filter = ["ImageBuilderS3BucketWriteAndDeleteAccessPolicy"] + iam_policies_ec2_default = ["EC2S3BucketWriteAndDeleteAccessPolicy", "ImageBuilderS3BucketWriteAndDeleteAccessPolicy"] + s3_iam_policies = ["EC2S3BucketWriteAndDeleteAccessPolicy"] - baseline_ec2_autoscaling_groups = {} - baseline_ec2_instances = {} - baseline_iam_policies = { - SSMPolicy = { - description = "Policy to allow ssm actions" - statements = [{ - effect = "Allow" - actions = [ - "ssm:SendCommand" - ] - resources = ["*"] - }] + sns_topics = { + pagerduty_integrations = { + planetfm_pagerduty = "planetfm_alarms" + } + } } } - baseline_iam_roles = {} - baseline_iam_service_linked_roles = {} - baseline_key_pairs = {} - baseline_kms_grants = {} - baseline_lbs = {} - baseline_route53_resolvers = {} - baseline_route53_zones = {} - baseline_s3_buckets = { - s3-bucket = { - iam_policies = module.baseline_presets.s3_iam_policies + baseline_all_environments = { + cloudwatch_log_groups = local.ssm_doc_cloudwatch_log_groups + iam_policies = { + SSMPolicy = { + description = "Policy to allow ssm actions" + statements = [{ + effect = "Allow" + actions = [ + "ssm:SendCommand" + ] + resources = ["*"] + }] + } } + resource_explorer = true + s3_buckets = { + s3-bucket = { + iam_policies = module.baseline_presets.s3_iam_policies + } + } + security_groups = local.security_groups } - - baseline_secretsmanager_secrets = {} - - baseline_security_groups = { - loadbalancer = local.security_groups.loadbalancer - web = local.security_groups.web - app = local.security_groups.app - database = local.security_groups.database - domain = local.security_groups.domain - jumpserver = local.security_groups.jumpserver - remotedesktop_sessionhost = local.security_groups.remotedesktop_sessionhost - } - - baseline_sns_topics = {} - baseline_ssm_parameters = {} - - environment_cloudwatch_monitoring_options = { - development = local.development_cloudwatch_monitoring_options - test = local.test_cloudwatch_monitoring_options - preproduction = local.preproduction_cloudwatch_monitoring_options - production = local.production_cloudwatch_monitoring_options - } - - cloudwatch_local_environment_monitoring_options = local.environment_cloudwatch_monitoring_options[local.environment] - - cloudwatch_monitoring_options = { - enable_cloudwatch_monitoring_account = false - enable_cloudwatch_cross_account_sharing = false - # enable_cloudwatch_dashboard = false - } - } diff --git a/terraform/environments/planetfm/locals_development.tf b/terraform/environments/planetfm/locals_development.tf index 4d6e396e577..9c62caee98a 100644 --- a/terraform/environments/planetfm/locals_development.tf +++ b/terraform/environments/planetfm/locals_development.tf @@ -1,16 +1,10 @@ -# nomis-development environment settings locals { - # cloudwatch monitoring config - development_cloudwatch_monitoring_options = {} - - # baseline config - development_config = { + baseline_presets_development = { + options = {} + } - # example code for creating a cost usage report in the development environment - # - # baseline_cost_usage_report = { - # create = true - # } + # please keep resources in alphabetical order + baseline_development = { } } diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf index b5d1bf49b85..6dc77ef4186 100644 --- a/terraform/environments/planetfm/locals_preproduction.tf +++ b/terraform/environments/planetfm/locals_preproduction.tf @@ -1,83 +1,98 @@ locals { - # cloudwatch monitoring config - preproduction_cloudwatch_monitoring_options = {} + baseline_presets_preproduction = { + options = {} + } - # baseline config - preproduction_config = { - baseline_ec2_instances = { - # database server - pp-cafm-db-a = merge(local.defaults_database_ec2, { - config = merge(local.defaults_database_ec2.config, { - ami_name = "pp-cafm-db-a" - availability_zone = "${local.region}a" - }) - instance = merge(local.defaults_database_ec2.instance, { - instance_type = "r6i.xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true - disable_api_stop = true - monitoring = true - }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - "/dev/sdb" = { type = "gp3", size = 250 } - "/dev/sdc" = { type = "gp3", size = 50 } - "/dev/sdd" = { type = "gp3", size = 250 } - "/dev/sde" = { type = "gp3", size = 50 } - "/dev/sdf" = { type = "gp3", size = 250 } - "/dev/sdg" = { type = "gp3", size = 200 } + # please keep resources in alphabetical order + baseline_preproduction = { + + acm_certificates = { + planetfm_wildcard_cert = { + cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm + domain_name = "modernisation-platform.service.justice.gov.uk" + external_validation_records_created = true + subject_alternate_names = [ + "*.pp.planetfm.service.justice.gov.uk", + "pp-cafmwebx.az.justice.gov.uk", + "pp-cafmtx.az.justice.gov.uk", + ] + tags = { + description = "wildcard cert for planetfm preproduction domains" } - tags = merge(local.defaults_database_ec2.tags, { - pre-migration = "PPFDW0030" - description = "SQL Server" - app-config-status = "pending" - ami = "pp-cafm-db-a" - }) - }) + } + } + ec2_instances = { # app servers pp-cafm-a-10-b = merge(local.defaults_app_ec2, { config = merge(local.defaults_app_ec2.config, { ami_name = "pp-cafm-a-10-b" - availability_zone = "${local.region}b" + availability_zone = "eu-west-2b" }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + } instance = merge(local.defaults_app_ec2.instance, { - instance_type = "t3.large" - # set these to false and apply before instance can be deleted - disable_api_termination = true disable_api_stop = true + disable_api_termination = true + instance_type = "t3.large" monitoring = true }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - } tags = merge(local.defaults_app_ec2.tags, { - pre-migration = "PPFAW0010" - description = "RDS Session Host and CAFM App Server/PFME Licence Server" ami = "pp-cafm-a-10-b" + description = "RDS Session Host and CAFM App Server/PFME Licence Server" + pre-migration = "PPFAW0010" }) }) pp-cafm-a-11-a = merge(local.defaults_app_ec2, { config = merge(local.defaults_app_ec2.config, { ami_name = "pp-cafm-a-11-a" - availability_zone = "${local.region}a" + availability_zone = "eu-west-2a" }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + } instance = merge(local.defaults_app_ec2.instance, { - instance_type = "t3.large" - # set these to false and apply before instance can be deleted - disable_api_termination = true disable_api_stop = true + disable_api_termination = true + instance_type = "t3.large" monitoring = true }) + tags = merge(local.defaults_app_ec2.tags, { + ami = "pp-cafm-a-11-a" + description = "RDS session host and app server" + pre-migration = "PPFAW011" + }) + }) + + # database servers + pp-cafm-db-a = merge(local.defaults_database_ec2, { + config = merge(local.defaults_database_ec2.config, { + ami_name = "pp-cafm-db-a" + availability_zone = "eu-west-2a" + }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume + "/dev/sdb" = { type = "gp3", size = 250 } + "/dev/sdc" = { type = "gp3", size = 50 } + "/dev/sdd" = { type = "gp3", size = 250 } + "/dev/sde" = { type = "gp3", size = 50 } + "/dev/sdf" = { type = "gp3", size = 250 } + "/dev/sdg" = { type = "gp3", size = 200 } } - tags = merge(local.defaults_app_ec2.tags, { - pre-migration = "PPFAW011" - description = "RDS session host and app server" - ami = "pp-cafm-a-11-a" + instance = merge(local.defaults_database_ec2.instance, { + disable_api_stop = true + disable_api_termination = true + instance_type = "r6i.xlarge" + monitoring = true + }) + tags = merge(local.defaults_database_ec2.tags, { + app-config-status = "pending" + ami = "pp-cafm-db-a" + description = "SQL Server" + pre-migration = "PPFDW0030" }) }) @@ -85,85 +100,85 @@ locals { pp-cafm-w-4-b = merge(local.defaults_web_ec2, { config = merge(local.defaults_web_ec2.config, { ami_name = "pp-cafm-w-4-b" - availability_zone = "${local.region}b" + availability_zone = "eu-west-2b" }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + } instance = merge(local.defaults_web_ec2.instance, { - instance_type = "t3.large" - # set these to false and apply before instance can be deleted - disable_api_termination = true disable_api_stop = true + disable_api_termination = true + instance_type = "t3.large" monitoring = true }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - } tags = merge(local.defaults_web_ec2.tags, { - pre-migration = "PPFWW0004" - description = "Web Portal Server" ami = "pp-cafm-w-4-b" + description = "Web Portal Server" + pre-migration = "PPFWW0004" }) }) pp-cafm-w-5-a = merge(local.defaults_web_ec2, { config = merge(local.defaults_web_ec2.config, { ami_name = "pp-cafm-w-5-a" - availability_zone = "${local.region}a" + availability_zone = "eu-west-2a" }) instance = merge(local.defaults_web_ec2.instance, { - instance_type = "t3.large" - # set these to false and apply before instance can be deleted - disable_api_termination = true disable_api_stop = true + disable_api_termination = true + instance_type = "t3.large" monitoring = true }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume } tags = merge(local.defaults_web_ec2.tags, { - pre-migration = "PPFWW0005" - description = "Migrated server PPFWW0005 Web Portal Server" ami = "pp-cafm-w-5-a" + description = "Migrated server PPFWW0005 Web Portal Server" + pre-migration = "PPFWW0005" }) }) } - baseline_lbs = { + + lbs = { private = { - internal_lb = true + enable_cross_zone_load_balancing = true enable_delete_protection = false - load_balancer_type = "application" idle_timeout = 3600 + internal_lb = true + load_balancer_type = "application" security_groups = ["loadbalancer"] subnets = module.environment.subnets["private"].ids - enable_cross_zone_load_balancing = true instance_target_groups = { web-45-80 = { - port = 80 - protocol = "HTTP" + attachments = [ + { ec2_instance_name = "pp-cafm-w-4-b" }, + { ec2_instance_name = "pp-cafm-w-5-a" }, + ] health_check = { enabled = true - path = "/" healthy_threshold = 3 - unhealthy_threshold = 5 - timeout = 5 interval = 30 matcher = "200-399" + path = "/" port = 80 + timeout = 5 + unhealthy_threshold = 5 } + port = 80 + protocol = "HTTP" stickiness = { enabled = true type = "lb_cookie" } - attachments = [ - { ec2_instance_name = "pp-cafm-w-4-b" }, - { ec2_instance_name = "pp-cafm-w-5-a" }, - ] } } listeners = { http = { port = 80 protocol = "HTTP" + default_action = { type = "redirect" redirect = { @@ -174,10 +189,11 @@ locals { } } https = { + certificate_names_or_arns = ["planetfm_wildcard_cert"] port = 443 protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-2016-08" - certificate_names_or_arns = ["planetfm_wildcard_cert"] + default_action = { type = "fixed-response" fixed_response = { @@ -186,6 +202,7 @@ locals { status_code = "501" } } + rules = { web-45-80 = { priority = 4580 @@ -207,7 +224,8 @@ locals { } } } - baseline_route53_zones = { + + route53_zones = { "pp.planetfm.service.justice.gov.uk" = { records = [ { name = "_658adffab7a58a4d5a86804a2b6eb2f7", type = "CNAME", ttl = 86400, records = ["_c649cb794d2fa2e1ac4d3f6fb4e1c8a7.mhbtsbpdnt.acm-validations.aws"] }, @@ -218,23 +236,8 @@ locals { ] } } - baseline_acm_certificates = { - planetfm_wildcard_cert = { - domain_name = module.environment.domains.public.modernisation_platform - subject_alternate_names = [ - "*.pp.planetfm.service.justice.gov.uk", - "pp-cafmwebx.az.justice.gov.uk", - "pp-cafmtx.az.justice.gov.uk", - ] - external_validation_records_created = true - cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm - tags = { - description = "wildcard cert for planetfm ${local.environment} domains" - } - } - } - baseline_security_groups = { + security_groups = { cafm_app_fixngo = { description = "Allow fixngo cafm app connectivity" ingress = { @@ -287,7 +290,6 @@ locals { protocol = "TCP" cidr_blocks = ["10.40.50.64/26"] } - } egress = { all = { diff --git a/terraform/environments/planetfm/locals_production.tf b/terraform/environments/planetfm/locals_production.tf index d179620cfbe..885665534c7 100644 --- a/terraform/environments/planetfm/locals_production.tf +++ b/terraform/environments/planetfm/locals_production.tf @@ -1,323 +1,338 @@ locals { - # cloudwatch monitoring config - production_cloudwatch_monitoring_options = { - enable_cloudwatch_cross_account_sharing = true - # enable_cloudwatch_dashboard = true + baseline_presets_production = { + options = {} } - # baseline config - production_config = { + # please keep resources in alphabetical order + baseline_production = { - baseline_ec2_instances = { - # database servers - pd-cafm-db-a = merge(local.defaults_database_ec2, { - config = merge(local.defaults_database_ec2.config, { - ami_name = "pd-cafm-db-a" - availability_zone = "${local.region}a" - }) - instance = merge(local.defaults_database_ec2.instance, { - instance_type = "r6i.4xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true - disable_api_stop = true - monitoring = true - }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - "/dev/sdb" = { type = "gp3", size = 500 } - "/dev/sdc" = { type = "gp3", size = 50 } - "/dev/sdd" = { type = "gp3", size = 224 } - "/dev/sde" = { type = "gp3", size = 500 } - "/dev/sdf" = { type = "gp3", size = 100 } - "/dev/sdg" = { type = "gp3", size = 85 } - "/dev/sdh" = { type = "gp3", size = 150 } # T: drive - "/dev/sdi" = { type = "gp3", size = 250 } # U: drive - } - tags = merge(local.defaults_database_ec2.tags, { - pre-migration = "PDFDW0030" - description = "SQL Server" - app-config-status = "pending" - ami = "pd-cafm-db-a" - }) - }) - pd-cafm-db-b = merge(local.defaults_database_ec2, { - config = merge(local.defaults_database_ec2.config, { - ami_name = "pd-cafm-db-b" - availability_zone = "${local.region}b" - }) - instance = merge(local.defaults_database_ec2.instance, { - instance_type = "r6i.4xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true - disable_api_stop = true - monitoring = true - }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - "/dev/sdb" = { type = "gp3", size = 500 } - "/dev/sdc" = { type = "gp3", size = 112 } - "/dev/sdd" = { type = "gp3", size = 500 } - "/dev/sde" = { type = "gp3", size = 50 } - "/dev/sdf" = { type = "gp3", size = 85 } - "/dev/sdg" = { type = "gp3", size = 100 } - "/dev/sdh" = { type = "gp3", size = 150 } # T: drive - "/dev/sdi" = { type = "gp3", size = 250 } # U: drive + acm_certificates = { + planetfm_wildcard_cert = { + cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm + domain_name = "modernisation-platform.service.justice.gov.uk" + external_validation_records_created = true + subject_alternate_names = [ + "*.planetfm.service.justice.gov.uk", + "cafmwebx.az.justice.gov.uk", + "cafmwebx2.az.justice.gov.uk", + "cafmtx.az.justice.gov.uk", + "cafmtrainweb.az.justice.gov.uk", + ] + tags = { + description = "wildcard cert for planetfm production domains" } - tags = merge(local.defaults_database_ec2.tags, { - pre-migration = "PDFDW0031" - description = "SQL resilient Server" - app-config-status = "pending" - ami = "pd-cafm-db-b" - }) - }) + } + } + ec2_instances = { # app servers pd-cafm-a-10-b = merge(local.defaults_app_ec2, { config = merge(local.defaults_app_ec2.config, { ami_name = "pd-cafm-a-10-b" - availability_zone = "${local.region}b" - }) - instance = merge(local.defaults_app_ec2.instance, { - instance_type = "t3.xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true - disable_api_stop = true - monitoring = true + availability_zone = "eu-west-2b" }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume "/dev/sdb" = { type = "gp3", size = 200 } } - tags = { - pre-migration = "PDFAW0010" - description = "RDS Session Host and CAFM App Server/PFME Licence Server" - ami = "pd-cafm-a-10-b" - } + instance = merge(local.defaults_app_ec2.instance, { + disable_api_stop = true + disable_api_termination = true + instance_type = "t3.xlarge" + monitoring = true + }) route53_records = { create_internal_record = true create_external_record = true } + tags = { + ami = "pd-cafm-a-10-b" + description = "RDS Session Host and CAFM App Server/PFME Licence Server" + pre-migration = "PDFAW0010" + } }) + pd-cafm-a-11-a = merge(local.defaults_app_ec2, { config = merge(local.defaults_app_ec2.config, { ami_name = "pd-cafm-a-11-a" - availability_zone = "${local.region}a" + availability_zone = "eu-west-2a" }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + "/dev/sdb" = { type = "gp3", size = 200 } + } instance = merge(local.defaults_app_ec2.instance, { - instance_type = "t3.xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true disable_api_stop = true + disable_api_termination = true + instance_type = "t3.xlarge" monitoring = true }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - "/dev/sdb" = { type = "gp3", size = 200 } + route53_records = { + create_internal_record = true + create_external_record = true } tags = { pre-migration = "PDFWA0011" description = "RDS session host and app server" ami = "pd-cafm-a-11-a" } - route53_records = { - create_internal_record = true - create_external_record = true - } }) + pd-cafm-a-12-b = merge(local.defaults_app_ec2, { config = merge(local.defaults_app_ec2.config, { ami_name = "pd-cafm-a-12-b" - availability_zone = "${local.region}b" - }) - instance = merge(local.defaults_app_ec2.instance, { - instance_type = "t3.xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true - disable_api_stop = true - monitoring = true + availability_zone = "eu-west-2b" }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume "/dev/sdb" = { type = "gp3", size = 200 } } - tags = { - pre-migration = "PDFAW0012" - description = "RDS session host and app Server" - ami = "pd-cafm-a-12-b" - } + instance = merge(local.defaults_app_ec2.instance, { + disable_api_stop = true + disable_api_termination = true + instance_type = "t3.xlarge" + monitoring = true + }) route53_records = { create_internal_record = true create_external_record = true } + tags = { + ami = "pd-cafm-a-12-b" + description = "RDS session host and app Server" + pre-migration = "PDFAW0012" + } }) + pd-cafm-a-13-a = merge(local.defaults_app_ec2, { config = merge(local.defaults_app_ec2.config, { ami_name = "pd-cafm-a-13-a" - availability_zone = "${local.region}a" + availability_zone = "eu-west-2a" }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + "/dev/sdb" = { type = "gp3", size = 28 } + } instance = merge(local.defaults_app_ec2.instance, { - instance_type = "t3.xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true disable_api_stop = true + disable_api_termination = true + instance_type = "t3.xlarge" monitoring = true }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - "/dev/sdb" = { type = "gp3", size = 28 } + route53_records = { + create_internal_record = true + create_external_record = true } tags = { - pre-migration = "PDFAW0013" - description = "RDS session host and App Server" ami = "pd-cafm-a-13-a" + description = "RDS session host and App Server" + pre-migration = "PDFAW0013" } - route53_records = { - create_internal_record = true - create_external_record = true + }) + + # database servers + pd-cafm-db-a = merge(local.defaults_database_ec2, { + config = merge(local.defaults_database_ec2.config, { + ami_name = "pd-cafm-db-a" + availability_zone = "eu-west-2a" + }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + "/dev/sdb" = { type = "gp3", size = 500 } + "/dev/sdc" = { type = "gp3", size = 50 } + "/dev/sdd" = { type = "gp3", size = 224 } + "/dev/sde" = { type = "gp3", size = 500 } + "/dev/sdf" = { type = "gp3", size = 100 } + "/dev/sdg" = { type = "gp3", size = 85 } + "/dev/sdh" = { type = "gp3", size = 150 } # T: drive + "/dev/sdi" = { type = "gp3", size = 250 } # U: drive + } + instance = merge(local.defaults_database_ec2.instance, { + disable_api_stop = true + disable_api_termination = true + instance_type = "r6i.4xlarge" + monitoring = true + }) + tags = merge(local.defaults_database_ec2.tags, { + app-config-status = "pending" + ami = "pd-cafm-db-a" + description = "SQL Server" + pre-migration = "PDFDW0030" + }) + }) + + pd-cafm-db-b = merge(local.defaults_database_ec2, { + config = merge(local.defaults_database_ec2.config, { + ami_name = "pd-cafm-db-b" + availability_zone = "eu-west-2b" + }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + "/dev/sdb" = { type = "gp3", size = 500 } + "/dev/sdc" = { type = "gp3", size = 112 } + "/dev/sdd" = { type = "gp3", size = 500 } + "/dev/sde" = { type = "gp3", size = 50 } + "/dev/sdf" = { type = "gp3", size = 85 } + "/dev/sdg" = { type = "gp3", size = 100 } + "/dev/sdh" = { type = "gp3", size = 150 } # T: drive + "/dev/sdi" = { type = "gp3", size = 250 } # U: drive } + instance = merge(local.defaults_database_ec2.instance, { + disable_api_stop = true + disable_api_termination = true + instance_type = "r6i.4xlarge" + monitoring = true + }) + tags = merge(local.defaults_database_ec2.tags, { + app-config-status = "pending" + ami = "pd-cafm-db-b" + description = "SQL resilient Server" + pre-migration = "PDFDW0031" + }) }) # web servers pd-cafm-w-36-b = merge(local.defaults_web_ec2, { config = merge(local.defaults_web_ec2.config, { ami_name = "pd-cafm-w-36-b" - availability_zone = "${local.region}b" - }) - instance = merge(local.defaults_web_ec2.instance, { - instance_type = "t3.xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true - disable_api_stop = true - monitoring = true + availability_zone = "eu-west-2b" }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume "/dev/sdb" = { type = "gp3", size = 28 } } - tags = { - pre-migration = "PDFWW00036" - description = "CAFM Asset Management" - ami = "pd-cafm-w-36-b" - } + instance = merge(local.defaults_web_ec2.instance, { + disable_api_stop = true + disable_api_termination = true + instance_type = "t3.xlarge" + monitoring = true + }) route53_records = { create_internal_record = true create_external_record = true } + tags = { + ami = "pd-cafm-w-36-b" + description = "CAFM Asset Management" + pre-migration = "PDFWW00036" + } }) + pd-cafm-w-37-a = merge(local.defaults_web_ec2, { config = merge(local.defaults_web_ec2.config, { ami_name = "pd-cafm-w-37-a" - availability_zone = "${local.region}a" + availability_zone = "eu-west-2a" }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + "/dev/sdb" = { type = "gp3", size = 28 } + } instance = merge(local.defaults_web_ec2.instance, { - instance_type = "t3.xlarge" - # set these to false and apply before instance can be deleted - disable_api_termination = true disable_api_stop = true + disable_api_termination = true + instance_type = "t3.xlarge" monitoring = true }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - "/dev/sdb" = { type = "gp3", size = 28 } + route53_records = { + create_internal_record = true + create_external_record = true } tags = { pre-migration = "PFWW00037" description = "CAFM Assessment Management" ami = "pd-cafm-w-37-a" } - route53_records = { - create_internal_record = true - create_external_record = true - } }) + pd-cafm-w-38-b = merge(local.defaults_web_ec2, { config = merge(local.defaults_web_ec2.config, { ami_name = "pd-cafm-w-38-b" - availability_zone = "${local.region}b" - }) - instance = merge(local.defaults_web_ec2.instance, { - instance_type = "t3.large" - # set these to false and apply before instance can be deleted - disable_api_termination = true - disable_api_stop = true - monitoring = true + availability_zone = "eu-west-2b" }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume "/dev/sdb" = { type = "gp3", size = 100 } } - tags = { - pre-migration = "PDFWW3QCP660001" - description = "CAFM Web Training" - ami = "pd-cafm-w-38-b" - } + instance = merge(local.defaults_web_ec2.instance, { + disable_api_stop = true + disable_api_termination = true + instance_type = "t3.large" + monitoring = true + }) route53_records = { create_internal_record = true create_external_record = true } + tags = { + ami = "pd-cafm-w-38-b" + description = "CAFM Web Training" + pre-migration = "PDFWW3QCP660001" + } }) } - baseline_lbs = { + + lbs = { private = { - internal_lb = true + enable_cross_zone_load_balancing = true enable_delete_protection = false - load_balancer_type = "application" idle_timeout = 3600 + internal_lb = true + load_balancer_type = "application" security_groups = ["loadbalancer"] subnets = module.environment.subnets["private"].ids - enable_cross_zone_load_balancing = true instance_target_groups = { - web-3637-80 = { - port = 80 - protocol = "HTTP" + attachments = [ + { ec2_instance_name = "pd-cafm-w-36-b" }, + { ec2_instance_name = "pd-cafm-w-37-a" }, + ] health_check = { enabled = true - path = "/" healthy_threshold = 3 - unhealthy_threshold = 5 - timeout = 5 interval = 30 matcher = "200-399" + path = "/" port = 80 + timeout = 5 + unhealthy_threshold = 5 } + port = 80 + protocol = "HTTP" stickiness = { enabled = true type = "lb_cookie" } - attachments = [ - { ec2_instance_name = "pd-cafm-w-36-b" }, - { ec2_instance_name = "pd-cafm-w-37-a" }, - ] } web-38-80 = { - port = 80 - protocol = "HTTP" + attachments = [ + { ec2_instance_name = "pd-cafm-w-38-b" }, + ] health_check = { enabled = true - path = "/" healthy_threshold = 3 - unhealthy_threshold = 5 - timeout = 5 interval = 30 matcher = "200-399" + path = "/" port = 80 + timeout = 5 + unhealthy_threshold = 5 } + port = 80 + protocol = "HTTP" stickiness = { enabled = true type = "lb_cookie" } - attachments = [ - { ec2_instance_name = "pd-cafm-w-38-b" }, - ] } } + listeners = { http = { port = 80 protocol = "HTTP" + default_action = { type = "redirect" redirect = { @@ -328,10 +343,11 @@ locals { } } https = { + certificate_names_or_arns = ["planetfm_wildcard_cert"] port = 443 protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-2016-08" - certificate_names_or_arns = ["planetfm_wildcard_cert"] + default_action = { type = "fixed-response" fixed_response = { @@ -340,6 +356,7 @@ locals { status_code = "501" } } + rules = { web-3637-80 = { priority = 3637 @@ -376,36 +393,20 @@ locals { } } } - baseline_route53_zones = { + + route53_zones = { "planetfm.service.justice.gov.uk" = { records = [ - { name = "test", type = "NS", ttl = "86400", records = ["ns-1128.awsdns-13.org", "ns-2027.awsdns-61.co.uk", "ns-854.awsdns-42.net", "ns-90.awsdns-11.com"] }, - { name = "pp", type = "NS", ttl = "86400", records = ["ns-1407.awsdns-47.org", "ns-1645.awsdns-13.co.uk", "ns-63.awsdns-07.com", "ns-730.awsdns-27.net"] }, { name = "_a6a2b9e651b91ed3f1e906b4f1c3c317", type = "CNAME", ttl = 86400, records = ["_c4257165635a7b495df6c4fbd986c09f.mhbtsbpdnt.acm-validations.aws"] }, { name = "cafmtx", type = "CNAME", ttl = 3600, records = ["rdweb1.hmpps-domain.service.justice.gov.uk"] }, + { name = "pp", type = "NS", ttl = "86400", records = ["ns-1407.awsdns-47.org", "ns-1645.awsdns-13.co.uk", "ns-63.awsdns-07.com", "ns-730.awsdns-27.net"] }, + { name = "test", type = "NS", ttl = "86400", records = ["ns-1128.awsdns-13.org", "ns-2027.awsdns-61.co.uk", "ns-854.awsdns-42.net", "ns-90.awsdns-11.com"] }, ] lb_alias_records = [ - { name = "cafmwebx2", type = "A", lbs_map_key = "private" }, { name = "cafmtrainweb", type = "A", lbs_map_key = "private" }, + { name = "cafmwebx2", type = "A", lbs_map_key = "private" }, ] } } - baseline_acm_certificates = { - planetfm_wildcard_cert = { - domain_name = module.environment.domains.public.modernisation_platform - subject_alternate_names = [ - "*.planetfm.service.justice.gov.uk", - "cafmwebx.az.justice.gov.uk", - "cafmwebx2.az.justice.gov.uk", - "cafmtx.az.justice.gov.uk", - "cafmtrainweb.az.justice.gov.uk", - ] - external_validation_records_created = true - cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm - tags = { - description = "wildcard cert for planetfm ${local.environment} domains" - } - } - } } } diff --git a/terraform/environments/planetfm/locals_test.tf b/terraform/environments/planetfm/locals_test.tf index 8f3248ba40f..3ed60720379 100644 --- a/terraform/environments/planetfm/locals_test.tf +++ b/terraform/environments/planetfm/locals_test.tf @@ -1,14 +1,17 @@ locals { - # cloudwatch monitoring config - test_cloudwatch_monitoring_options = {} + baseline_presets_test = { + options = {} + } - # baseline config - test_config = { + # please keep resources in alphabetical order + baseline_test = { - baseline_ec2_autoscaling_groups = {} + route53_zones = { + "test.planetfm.service.justice.gov.uk" = {} + } - baseline_s3_buckets = { + s3_buckets = { # use this bucket for storing artefacts for use across all accounts planetfm-software = { custom_kms_key = module.environment.kms_keys["general"].arn @@ -19,9 +22,5 @@ locals { iam_policies = module.baseline_presets.s3_iam_policies } } - - baseline_route53_zones = { - "test.planetfm.service.justice.gov.uk" = {} - } } } diff --git a/terraform/environments/planetfm/main.tf b/terraform/environments/planetfm/main.tf index 30c3ab05eea..de28fdf87bf 100644 --- a/terraform/environments/planetfm/main.tf +++ b/terraform/environments/planetfm/main.tf @@ -16,7 +16,7 @@ module "environment" { } environment_management = local.environment_management - business_unit = local.business_unit + business_unit = var.networking[0].business-unit application_name = local.application_name environment = local.environment subnet_set = local.subnet_set @@ -27,7 +27,11 @@ module "baseline_presets" { environment = module.environment ip_addresses = module.ip_addresses - options = local.baseline_presets_options + + options = merge( + local.baseline_presets_all_environments.options, + local.baseline_presets_environment_specific.options + ) } module "baseline" { @@ -44,103 +48,161 @@ module "baseline" { acm_certificates = merge( module.baseline_presets.acm_certificates, - local.baseline_acm_certificates, - lookup(local.baseline_environment_config, "baseline_acm_certificates", {}) + lookup(local.baseline_all_environments, "acm_certificates", {}), + lookup(local.baseline_environment_specific, "acm_certificates", {}), + ) + + backups = { + "everything" = { + plans = merge( + module.baseline_presets.backup_plans, + lookup(local.baseline_all_environments, "backup_plans", {}), + lookup(local.baseline_environment_specific, "backup_plans", {}), + ) + } + } + + bastion_linux = merge( + lookup(local.baseline_all_environments, "bastion_linux", {}), + lookup(local.baseline_environment_specific, "bastion_linux", {}), + ) + + cloudwatch_dashboards = merge( + module.baseline_presets.cloudwatch_dashboards, + lookup(local.baseline_all_environments, "cloudwatch_dashboards", {}), + lookup(local.baseline_environment_specific, "cloudwatch_dashboards", {}), + ) + + cloudwatch_metric_alarms = merge( + lookup(local.baseline_all_environments, "cloudwatch_metric_alarms", {}), + lookup(local.baseline_environment_specific, "cloudwatch_metric_alarms", {}), + ) + + cloudwatch_log_metric_filters = merge( + lookup(local.baseline_all_environments, "cloudwatch_log_metric_filters", {}), + lookup(local.baseline_environment_specific, "cloudwatch_log_metric_filters", {}), ) cloudwatch_log_groups = merge( module.baseline_presets.cloudwatch_log_groups, - local.baseline_cloudwatch_log_groups, - lookup(local.baseline_environment_config, "baseline_cloudwatch_log_groups", {}) + lookup(local.baseline_all_environments, "cloudwatch_log_groups", {}), + lookup(local.baseline_environment_specific, "cloudwatch_log_groups", {}), ) ec2_autoscaling_groups = merge( - local.baseline_ec2_autoscaling_groups, - lookup(local.baseline_environment_config, "baseline_ec2_autoscaling_groups", {}) + lookup(local.baseline_all_environments, "ec2_autoscaling_groups", {}), + lookup(local.baseline_environment_specific, "ec2_autoscaling_groups", {}), ) ec2_instances = merge( - local.baseline_ec2_instances, - lookup(local.baseline_environment_config, "baseline_ec2_instances", {}) + lookup(local.baseline_all_environments, "ec2_instances", {}), + lookup(local.baseline_environment_specific, "ec2_instances", {}), + ) + + efs = merge( + lookup(local.baseline_all_environments, "efs", {}), + lookup(local.baseline_environment_specific, "efs", {}), + ) + + fsx_windows = merge( + lookup(local.baseline_all_environments, "fsx_windows", {}), + lookup(local.baseline_environment_specific, "fsx_windows", {}), ) iam_policies = merge( module.baseline_presets.iam_policies, - local.baseline_iam_policies, - lookup(local.baseline_environment_config, "baseline_iam_policies", {}) + lookup(local.baseline_all_environments, "iam_policies", {}), + lookup(local.baseline_environment_specific, "iam_policies", {}), ) iam_roles = merge( module.baseline_presets.iam_roles, - local.baseline_iam_roles, - lookup(local.baseline_environment_config, "baseline_iam_roles", {}) + lookup(local.baseline_all_environments, "iam_roles", {}), + lookup(local.baseline_environment_specific, "iam_roles", {}), ) iam_service_linked_roles = merge( module.baseline_presets.iam_service_linked_roles, - local.baseline_iam_service_linked_roles, - lookup(local.baseline_environment_config, "baseline_iam_service_linked_roles", {}) + lookup(local.baseline_all_environments, "iam_service_linked_roles", {}), + lookup(local.baseline_environment_specific, "iam_service_linked_roles", {}), ) key_pairs = merge( module.baseline_presets.key_pairs, - local.baseline_key_pairs, - lookup(local.baseline_environment_config, "baseline_key_pairs", {}) + lookup(local.baseline_all_environments, "key_pairs", {}), + lookup(local.baseline_environment_specific, "key_pairs", {}), ) kms_grants = merge( module.baseline_presets.kms_grants, - local.baseline_kms_grants, - lookup(local.baseline_environment_config, "baseline_kms_grants", {}) + lookup(local.baseline_all_environments, "kms_grants", {}), + lookup(local.baseline_environment_specific, "kms_grants", {}), ) lbs = merge( - local.baseline_lbs, - lookup(local.baseline_environment_config, "baseline_lbs", {}) + lookup(local.baseline_all_environments, "lbs", {}), + lookup(local.baseline_environment_specific, "lbs", {}), + ) + + oam_links = merge( + module.baseline_presets.oam_links, + lookup(local.baseline_all_environments, "oam_links", {}), + lookup(local.baseline_environment_specific, "oam_links", {}), + ) + + oam_sinks = merge( + lookup(local.baseline_all_environments, "oam_sinks", {}), + lookup(local.baseline_environment_specific, "oam_sinks", {}), + ) + + options = merge( + lookup(local.baseline_all_environments, "options", {}), + lookup(local.baseline_environment_specific, "options", {}), ) route53_resolvers = merge( module.baseline_presets.route53_resolvers, - local.baseline_route53_resolvers, - lookup(local.baseline_environment_config, "baseline_route53_resolvers", {}) + lookup(local.baseline_all_environments, "route53_resolvers", {}), + lookup(local.baseline_environment_specific, "route53_resolvers", {}), ) route53_zones = merge( - local.baseline_route53_zones, - lookup(local.baseline_environment_config, "baseline_route53_zones", {}) + lookup(local.baseline_all_environments, "route53_zones", {}), + lookup(local.baseline_environment_specific, "route53_zones", {}), ) s3_buckets = merge( module.baseline_presets.s3_buckets, - local.baseline_s3_buckets, - lookup(local.baseline_environment_config, "baseline_s3_buckets", {}) + lookup(local.baseline_all_environments, "s3_buckets", {}), + lookup(local.baseline_environment_specific, "s3_buckets", {}), ) secretsmanager_secrets = merge( module.baseline_presets.secretsmanager_secrets, - local.baseline_secretsmanager_secrets, - lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {}) + lookup(local.baseline_all_environments, "secretsmanager_secrets", {}), + lookup(local.baseline_environment_specific, "secretsmanager_secrets", {}), ) security_groups = merge( - local.baseline_security_groups, - lookup(local.baseline_environment_config, "baseline_security_groups", {}) + lookup(local.baseline_all_environments, "security_groups", {}), + lookup(local.baseline_environment_specific, "security_groups", {}), ) sns_topics = merge( module.baseline_presets.sns_topics, - local.baseline_sns_topics, - lookup(local.baseline_environment_config, "baseline_sns_topics", {}) + lookup(local.baseline_all_environments, "sns_topics", {}), + lookup(local.baseline_environment_specific, "sns_topics", {}), + ) + + ssm_documents = merge( + module.baseline_presets.ssm_documents, + lookup(local.baseline_all_environments, "ssm_documents", {}), + lookup(local.baseline_environment_specific, "ssm_documents", {}), ) ssm_parameters = merge( module.baseline_presets.ssm_parameters, - local.baseline_ssm_parameters, - lookup(local.baseline_environment_config, "baseline_ssm_parameters", {}), + lookup(local.baseline_all_environments, "ssm_parameters", {}), + lookup(local.baseline_environment_specific, "ssm_parameters", {}), ) - - # example code for creating a cost usage report - locals_development.tf - cost_usage_report = lookup(local.baseline_environment_config, "baseline_cost_usage_report", { create = false }) - } - diff --git a/terraform/environments/planetfm/outputs.tf b/terraform/environments/planetfm/outputs.tf index 43bec77fe90..b743768da96 100644 --- a/terraform/environments/planetfm/outputs.tf +++ b/terraform/environments/planetfm/outputs.tf @@ -3,6 +3,16 @@ output "acm_certificates_validation_records_external" { value = { for key, value in module.baseline.acm_certificates : key => value.validation_records_external } } +output "efs_dns_names" { + description = "EFS DNS names" + value = { for key, value in module.baseline.efs : key => value.file_system.dns_name } +} + +output "fsx_windows_dns_names" { + description = "FSX Windows DNS Names" + value = { for key, value in module.baseline.fsx_windows : key => value.windows_file_system.dns_name } +} + output "route53_zone_ns_records" { description = "NS records of created zones" value = { for key, value in module.baseline.route53_zones : key => value.name_servers } diff --git a/terraform/modules/baseline/cost_usage_report.tf b/terraform/modules/baseline/cost_usage_report.tf index c551d9e81f6..1963546797d 100644 --- a/terraform/modules/baseline/cost_usage_report.tf +++ b/terraform/modules/baseline/cost_usage_report.tf @@ -1,6 +1,5 @@ module "cost_usage_report" { - - count = lookup(var.cost_usage_report, "create", false) ? 1 : 0 + count = var.options.enable_cost_usage_report == true ? 1 : 0 source = "../../modules/cost_usage_report" @@ -13,5 +12,4 @@ module "cost_usage_report" { account_number = var.environment.account_id environment = var.environment.environment tags = local.tags - } diff --git a/terraform/modules/baseline/resource_explorer.tf b/terraform/modules/baseline/resource_explorer.tf index e6b74c82a82..e60d7694d2a 100644 --- a/terraform/modules/baseline/resource_explorer.tf +++ b/terraform/modules/baseline/resource_explorer.tf @@ -1,10 +1,10 @@ resource "aws_resourceexplorer2_index" "this" { - count = var.resource_explorer ? 1 : 0 + count = var.options.enable_resource_explorer == true ? 1 : 0 type = "LOCAL" } resource "aws_resourceexplorer2_view" "all_resources" { - count = var.resource_explorer ? 1 : 0 + count = var.options.enable_resource_explorer == true ? 1 : 0 name = "all-resources" default_view = true depends_on = [aws_resourceexplorer2_index.this] diff --git a/terraform/modules/baseline/variables.tf b/terraform/modules/baseline/variables.tf index cb121429855..3c9e0433162 100644 --- a/terraform/modules/baseline/variables.tf +++ b/terraform/modules/baseline/variables.tf @@ -865,6 +865,18 @@ variable "oam_sinks" { default = {} } +variable "options" { + description = "options to enable standalone resources" + type = object({ + enable_cost_usage_report = optional(bool, false) + enable_resource_explorer = optional(bool, false) + }) + default = { + enable_cost_usage_report = false + enable_resource_explorer = false + } +} + variable "route53_resolvers" { description = "map of resolver endpoints and associated rules to configure, where map keys are the names of the resources. The application name is automatically added as a prefix to the resource names" type = map(object({ @@ -1163,18 +1175,3 @@ variable "tags" { default = {} } -variable "resource_explorer" { - description = "Enables AWS Resource Explorer" - type = bool - default = false -} - -variable "cost_usage_report" { - description = "Enables AWS Cost Usage Report" - type = object({ - create = bool - }) - default = { - create = false - } -}