🧱 Fix bastion and add uat rules

Fix bastion and uat security group
ministryofjustice · Sep 12, 2024 · 06d60de · 06d60de
1 parent 024c3ff
commit 06d60de
Show file tree

Hide file tree

Showing 4 changed files with 109 additions and 62 deletions.
diff --git a/terraform/environments/cica-tariff/bastion_linux.json b/terraform/environments/cica-tariff/bastion_linux.json
@@ -0,0 +1,9 @@
+{
+  "keys": {
+    "development": {
+      "ed": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJa3flPvFH6LHw9VLhoAFFZl+ETpm5VO+X7qRkYyw1pU"
+    },
+    "preproduction": {},
+    "production": {}
+  }
+}
diff --git a/terraform/environments/cica-tariff/ec2_bastion_linux.tf b/terraform/environments/cica-tariff/ec2_bastion_linux.tf
@@ -0,0 +1,34 @@
+# tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+module "bastion_linux" {
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1
+
+  providers = {
+    aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
+    aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
+  }
+  # s3 - used for logs and user ssh public keys
+  bucket_name = "tariff-bastion"
+  # public keys
+  public_key_data = local.public_key_data.keys[local.environment]
+  # logs
+  log_auto_clean       = "Enabled"
+  log_standard_ia_days = 30  # days before moving to IA storage
+  log_glacier_days     = 60  # days before moving to Glacier
+  log_expiry_days      = 180 # days before log expiration
+  # bastion
+  allow_ssh_commands = true
+  app_name           = var.networking[0].application
+  business_unit      = local.vpc_name
+  subnet_set         = local.subnet_set
+  environment        = local.environment
+  region             = "eu-west-2"
+
+  # Tags
+  tags_common = local.tags
+  tags_prefix = terraform.workspace
+}
+
+
+locals {
+  public_key_data = jsondecode(file("./bastion_linux.json"))
+}
diff --git a/terraform/environments/cica-tariff/platform_providers.tf b/terraform/environments/cica-tariff/platform_providers.tf
@@ -56,3 +56,7 @@ provider "aws" {
     role_arn = "arn:aws:iam::${local.environment_management.aws_organizations_root_account_id}:role/ModernisationPlatformSSOReadOnly"
   }
 }
+
+provider "random" {
+
+}
diff --git a/terraform/environments/cica-tariff/tariff_vpc_endpoints.tf b/terraform/environments/cica-tariff/tariff_vpc_endpoints.tf
@@ -1,74 +1,74 @@
-#Create endpoints to allow SSM from within private subnets
+# #Create endpoints to allow SSM from within private subnets
 
-#ssm
-resource "aws_vpc_endpoint" "ssm" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.ssm"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("ssm-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# #ssm
+# resource "aws_vpc_endpoint" "ssm" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.ssm"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("ssm-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
+# }
 
-resource "aws_vpc_endpoint" "ec2messages" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.ec2messages"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("ec2-messages-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# resource "aws_vpc_endpoint" "ec2messages" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.ec2messages"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("ec2-messages-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
+# }
 
 
 
-resource "aws_vpc_endpoint" "ec2" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.ec2"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("ec2-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# resource "aws_vpc_endpoint" "ec2" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.ec2"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("ec2-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
-resource "aws_vpc_endpoint" "ssm_messages" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.ssmmessages"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("ssm-messages-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# }
+# resource "aws_vpc_endpoint" "ssm_messages" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.ssmmessages"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("ssm-messages-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
+# }
 
-resource "aws_vpc_endpoint" "kms" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.kms"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("kms-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# resource "aws_vpc_endpoint" "kms" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.kms"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("kms-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
+# }
 
-resource "aws_vpc_endpoint" "logs" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.logs"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("logs-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
-}
+# resource "aws_vpc_endpoint" "logs" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.logs"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("logs-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
+# }
-Original file line number
+Diff line change
@@ Expand Up / @@ -56,3 +56,7 @@ provider "aws" { @@
         role_arn = "arn:aws:iam::${local.environment_management.aws_organizations_root_account_id}:role/ModernisationPlatformSSOReadOnly"
       }
     }
+    provider "random" {
+    }