From 06d60def47e8c429725081e8f3a5338fe01bddaa Mon Sep 17 00:00:00 2001
From: Edward Duddy
Date: Thu, 12 Sep 2024 16:52:47 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=B1=20Fix=20bastion=20and=20add=20uat?=
 =?UTF-8?q?=20rules?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix bastion and uat security group
---
 .../cica-tariff/bastion_linux.json | 9 ++
 .../cica-tariff/ec2_bastion_linux.tf | 34 +++++
 .../cica-tariff/platform_providers.tf | 4 +
 .../cica-tariff/tariff_vpc_endpoints.tf | 124 +++++++++--------
 4 files changed, 109 insertions(+), 62 deletions(-)
 create mode 100644 terraform/environments/cica-tariff/bastion_linux.json
 create mode 100644 terraform/environments/cica-tariff/ec2_bastion_linux.tf

diff --git a/terraform/environments/cica-tariff/bastion_linux.json b/terraform/environments/cica-tariff/bastion_linux.json
new file mode 100644
index 00000000000..c861e1bcc02
--- /dev/null
+++ b/terraform/environments/cica-tariff/bastion_linux.json
@@ -0,0 +1,9 @@
+{
+ "keys": {
+ "development": {
+ "ed": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJa3flPvFH6LHw9VLhoAFFZl+ETpm5VO+X7qRkYyw1pU"
+ },
+ "preproduction": {},
+ "production": {}
+ }
+}
diff --git a/terraform/environments/cica-tariff/ec2_bastion_linux.tf b/terraform/environments/cica-tariff/ec2_bastion_linux.tf
new file mode 100644
index 00000000000..b91f1b23698
--- /dev/null
+++ b/terraform/environments/cica-tariff/ec2_bastion_linux.tf
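Review bot: The only development key in bastion_linux.json is labelled `ed`, which does not identify an account holder, so nothing ties the key to a person when it has to be rotated or removed at offboarding; the label is presumably what the module uses as the bastion user name, so an owner-identifying label (e.g. `firstname.lastname`) would be clearer. The `preproduction` and `production` maps are empty, which — if the module provisions one user per key — means no one is able to reach the bastion there; if that is intended it is worth recording in the commit message or a README, since JSON has no room for a comment.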
@@ -0,0 +1,34 @@
+# tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+module "bastion_linux" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1
+
+ providers = {
+ aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
+ aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
+ }
+ # s3 - used for logs and user ssh public keys
+ bucket_name = "tariff-bastion"
+ # public keys
+ public_key_data = local.public_key_data.keys[local.environment]
+ # logs
+ log_auto_clean = "Enabled"
+ log_standard_ia_days = 30 # days before moving to IA storage
+ log_glacier_days = 60 # days before moving to Glacier
+ log_expiry_days = 180 # days before log expiration
+ # bastion
+ allow_ssh_commands = true
+ app_name = var.networking[0].application
+ business_unit = local.vpc_name
+ subnet_set = local.subnet_set
+ environment = local.environment
+ region = "eu-west-2"
+
+ # Tags
+ tags_common = local.tags
+ tags_prefix = terraform.workspace
+}
+
+
+locals {
+ public_key_data = jsondecode(file("./bastion_linux.json"))
+}
diff --git a/terraform/environments/cica-tariff/platform_providers.tf b/terraform/environments/cica-tariff/platform_providers.tf
index 828f987c7aa..86abd0565dc 100644
--- a/terraform/environments/cica-tariff/platform_providers.tf
+++ b/terraform/environments/cica-tariff/platform_providers.tf
@@ -56,3 +56,7 @@ provider "aws" {
 role_arn = "arn:aws:iam::${local.environment_management.aws_organizations_root_account_id}:role/ModernisationPlatformSSOReadOnly"
 }
 }
+
+provider "random" {
+
+}
diff --git a/terraform/environments/cica-tariff/tariff_vpc_endpoints.tf b/terraform/environments/cica-tariff/tariff_vpc_endpoints.tf
index 8665be14027..f5fd410d8de 100644
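Review bot: The leading `tfsec:ignore` line in ec2_bastion_linux.tf suppresses four S3 findings (bucket encryption, customer-managed key, bucket logging, versioning) on the bucket the module uses for bastion session logs and user public keys, with no reason recorded; for a bucket holding access logs, versioning and access logging are the controls that protect log integrity, so the suppression needs a justification in the same comment, e.g. `# tfsec ignores: <reason these bucket settings cannot be set through the module> — review by <date>`. tfsec also accepts an expiry suffix (`tfsec:ignore:<rule>:exp:YYYY-MM-DD`) so the suppression is revisited rather than permanent. `allow_ssh_commands = true` presumably widens the bastion from interactive sessions to non-interactive command execution; a one-line comment naming what needs that, or `false` if nothing does, would make it a deliberate choice. The commit pin with the `#v4.2.1` comment is good practice; keeping the two in step on upgrades is the thing to watch.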
--- a/terraform/environments/cica-tariff/tariff_vpc_endpoints.tf
+++ b/terraform/environments/cica-tariff/tariff_vpc_endpoints.tf
@@ -1,74 +1,74 @@
-#Create endpoints to allow SSM from within private subnets
+# #Create endpoints to allow SSM from within private subnets
-#ssm
-resource "aws_vpc_endpoint" "ssm" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.ssm"
- vpc_endpoint_type = "Interface"
- subnet_ids = data.aws_subnets.shared-private.ids
- tags = merge(tomap({
- "Name" = lower(format("ssm-%s-endpoint", local.application_name)),
- "hostname" = "${local.application_name}-app",
- }), local.tags)
+# #ssm
+# resource "aws_vpc_endpoint" "ssm" {
+# vpc_id = data.aws_vpc.shared.id
+# service_name = "com.amazonaws.eu-west-2.ssm"
+# vpc_endpoint_type = "Interface"
+# subnet_ids = data.aws_subnets.shared-private.ids
+# tags = merge(tomap({
+# "Name" = lower(format("ssm-%s-endpoint", local.application_name)),
+# "hostname" = "${local.application_name}-app",
+# }), local.tags)
-}
+# }
-resource "aws_vpc_endpoint" "ec2messages" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.ec2messages"
- vpc_endpoint_type = "Interface"
- subnet_ids = data.aws_subnets.shared-private.ids
- tags = merge(tomap({
- "Name" = lower(format("ec2-messages-%s-endpoint", local.application_name)),
- "hostname" = "${local.application_name}-app",
- }), local.tags)
+# resource "aws_vpc_endpoint" "ec2messages" {
+# vpc_id = data.aws_vpc.shared.id
+# service_name = "com.amazonaws.eu-west-2.ec2messages"
+# vpc_endpoint_type = "Interface"
+# subnet_ids = data.aws_subnets.shared-private.ids
+# tags = merge(tomap({
+# "Name" = lower(format("ec2-messages-%s-endpoint", local.application_name)),
+# "hostname" = "${local.application_name}-app",
+# }), local.tags)
-}
+# }
-resource "aws_vpc_endpoint" "ec2" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.ec2"
- vpc_endpoint_type = "Interface"
- subnet_ids = data.aws_subnets.shared-private.ids
- tags = merge(tomap({
- "Name" = lower(format("ec2-%s-endpoint", local.application_name)),
- "hostname" = "${local.application_name}-app",
- }), local.tags)
+# resource "aws_vpc_endpoint" "ec2" {
+# vpc_id = data.aws_vpc.shared.id
+# service_name = "com.amazonaws.eu-west-2.ec2"
+# vpc_endpoint_type = "Interface"
+# subnet_ids = data.aws_subnets.shared-private.ids
+# tags = merge(tomap({
+# "Name" = lower(format("ec2-%s-endpoint", local.application_name)),
+# "hostname" = "${local.application_name}-app",
+# }), local.tags)
-}
-resource "aws_vpc_endpoint" "ssm_messages" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.ssmmessages"
- vpc_endpoint_type = "Interface"
- subnet_ids = data.aws_subnets.shared-private.ids
- tags = merge(tomap({
- "Name" = lower(format("ssm-messages-%s-endpoint", local.application_name)),
- "hostname" = "${local.application_name}-app",
- }), local.tags)
+# }
+# resource "aws_vpc_endpoint" "ssm_messages" {
+# vpc_id = data.aws_vpc.shared.id
+# service_name = "com.amazonaws.eu-west-2.ssmmessages"
+# vpc_endpoint_type = "Interface"
+# subnet_ids = data.aws_subnets.shared-private.ids
+# tags = merge(tomap({
+# "Name" = lower(format("ssm-messages-%s-endpoint", local.application_name)),
+# "hostname" = "${local.application_name}-app",
+# }), local.tags)
-}
+# }
-resource "aws_vpc_endpoint" "kms" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.kms"
- vpc_endpoint_type = "Interface"
- subnet_ids = data.aws_subnets.shared-private.ids
- tags = merge(tomap({
- "Name" = lower(format("kms-%s-endpoint", local.application_name)),
- "hostname" = "${local.application_name}-app",
- }), local.tags)
+# resource "aws_vpc_endpoint" "kms" {
+# vpc_id = data.aws_vpc.shared.id
+# service_name = "com.amazonaws.eu-west-2.kms"
+# vpc_endpoint_type = "Interface"
+# subnet_ids = data.aws_subnets.shared-private.ids
+# tags = merge(tomap({
+# "Name" = lower(format("kms-%s-endpoint", local.application_name)),
+# "hostname" = "${local.application_name}-app",
+# }), local.tags)
-}
+# }
-resource "aws_vpc_endpoint" "logs" {
- vpc_id = data.aws_vpc.shared.id
- service_name = "com.amazonaws.eu-west-2.logs"
- vpc_endpoint_type = "Interface"
- subnet_ids = data.aws_subnets.shared-private.ids
- tags = merge(tomap({
- "Name" = lower(format("logs-%s-endpoint", local.application_name)),
- "hostname" = "${local.application_name}-app",
- }), local.tags)
-}
+# resource "aws_vpc_endpoint" "logs" {
+# vpc_id = data.aws_vpc.shared.id
+# service_name = "com.amazonaws.eu-west-2.logs"
+# vpc_endpoint_type = "Interface"
+# subnet_ids = data.aws_subnets.shared-private.ids
+# tags = merge(tomap({
+# "Name" = lower(format("logs-%s-endpoint", local.application_name)),
+# "hostname" = "${local.application_name}-app",
+# }), local.tags)
+# }
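Review bot: Commenting out every interface endpoint in tariff_vpc_endpoints.tf turns the whole file into dead code and, more importantly, removes the private path to ssm, ssmmessages and ec2messages that hosts in the shared private subnets relied on for Systems Manager agent and Session Manager traffic; the commit message does not say why, or what now carries that traffic (NAT egress to the public service endpoints, or endpoints provided elsewhere in the VPC). If the endpoints are genuinely no longer needed, delete the blocks — git history keeps them — and leave a short header comment such as `# VPC endpoints removed <date>: <reason>; SSM/KMS/logs traffic now reaches AWS via <path>`. If they were only disabled to get the bastion apply through, a comment recording that and the ticket to restore them would stop this reading as a permanent change. Dropping the kms and logs endpoints also moves that traffic out of the VPC, which is worth checking against the account's egress controls.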