diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json
index 6b52bfe9b30..673e8abf6bc 100644
--- a/terraform/environments/cdpt-ifs/application_variables.json
+++ b/terraform/environments/cdpt-ifs/application_variables.json
@@ -1,7 +1,15 @@
 {
 "accounts": {
 "development": {
- "example_var": "dev-data"
+ "environment_name": "development",
+ "container_port": 80,
+ "client_id": "838aa730-5f66-46df-9ff7-07eea29035ba",
+ "ami_image_id": "ami-06cdd5b44c17085ed",
+ "instance_type": "t3.micro",
+ "app_count": 1,
+ "ec2_desired_capacity": 1,
+ "ec2_max_size": 2,
+ "ec2_min_size": 1
 },
 "test": {
 "example_var": "test-data"
diff --git a/terraform/environments/cdpt-ifs/bastion_linux.json b/terraform/environments/cdpt-ifs/bastion_linux.json
new file mode 100644
index 00000000000..f97bec0e4f8
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/bastion_linux.json
@@ -0,0 +1,13 @@
+{
+ "keys": {
+ "development": {
+ "acurtis": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7Z+QprFiensJ1Kw08i9shm5lfritcI3/71nrDu2S3H alistair.curtis@digital.justice.gov.uk"
+ },
+ "preproduction": {
+ "acurtis": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7Z+QprFiensJ1Kw08i9shm5lfritcI3/71nrDu2S3H alistair.curtis@digital.justice.gov.uk"
+ },
+ "production": {
+ "acurtis": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7Z+QprFiensJ1Kw08i9shm5lfritcI3/71nrDu2S3H alistair.curtis@digital.justice.gov.uk"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/environments/cdpt-ifs/bastion_linux.tf b/terraform/environments/cdpt-ifs/bastion_linux.tf
new file mode 100644
index 00000000000..588ece74247
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/bastion_linux.tf
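Review bot: The `development` block now carries real keys (`container_port`, `client_id`, `ami_image_id`, the EC2 sizing values) while `test` still holds only `example_var`, so any Terraform lookup of the form `local.application_data.accounts[local.environment].<key>` will fail at plan time in test until that block is populated. `client_id` is committed in plain text; if this is an OAuth/Entra application (client) ID it is a public identifier and acceptable here, but the corresponding secret must not follow it into this file and should be read from Secrets Manager or SSM via a data source. `ami_image_id` is pinned, which is good; a short comment naming the image family it was taken from (user_data.txt is PowerShell, so presumably a Windows ECS-optimised image) would make it refreshable.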
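Review bot: The `keys` map is the bastion's SSH access list and is indexed by `local.environment` in bastion_linux.tf, but it has no `test` entry even though application_variables.json defines a `test` account, so a plan in that environment will fail on the missing key. Either add a `test` block or document in a comment that the bastion is intentionally not deployed there. The same single public key is granted in `production` on the first commit; that is a public key so nothing is leaked, but it is worth a comment that production access is reviewed separately. The file also lacks a trailing newline.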
@@ -0,0 +1,38 @@
+locals {
+ public_key_data = jsondecode(file("./bastion_linux.json"))
+}
+
+module "bastion_linux" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
+
+ providers = {
+ aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
+ aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
+ }
+
+ # s3 - used for logs and user ssh public keys
+ bucket_name = "bastion"
+ bucket_versioning = true
+ bucket_force_destroy = true
+ # public keys
+ public_key_data = local.public_key_data.keys[local.environment]
+ # logs
+ log_auto_clean = "Enabled"
+ log_standard_ia_days = 30 # days before moving to IA storage
+ log_glacier_days = 60 # days before moving to Glacier
+ log_expiry_days = 180 # days before log expiration
+ # bastion
+ allow_ssh_commands = false
+
+ app_name = var.networking[0].application
+ business_unit = local.vpc_name
+ subnet_set = local.subnet_set
+ environment = local.environment
+ region = "eu-west-2"
+
+ extra_user_data_content = "yum install -y openldap-clients"
+
+ # Tags
+ tags_common = local.tags
+ tags_prefix = terraform.workspace
+}
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
new file mode 100644
index 00000000000..3842b0e9ac4
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/ecs.tf
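Review bot: `bucket_force_destroy = true` is set on the bucket the comment describes as holding both the bastion logs and the user SSH public keys, so a `terraform destroy` (or a module replacement) will delete the session audit trail outright; `bucket_versioning = true` does not protect against that. Prefer `bucket_force_destroy = false`, at least wherever the logs are relied on as evidence, and note whether the 180-day `log_expiry_days` matches the retention the service is expected to keep. `allow_ssh_commands = false` is the right default and could carry a one-line comment saying so. `extra_user_data_content = "yum install -y openldap-clients"` has no explanation; a comment such as `# ldapsearch etc. for troubleshooting directory connectivity from the bastion` would stop the next reader from treating it as dead config.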
@@ -0,0 +1,520 @@
+data "aws_ecs_task_definition" "task_definition" {
+ task_definition = aws_ecs_task_definition.ifs_task_definition.family
+ depends_on = [aws_ecs_task_definition.ifs_task_definition]
+}
+
+resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
+ name = "${local.application_name}-ec2-instance-policy"
+
+ policy = < {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+
+ domain_name_main = [for k, v in local.domain_types : v.name if k == "modernisation-platform.service.justice.gov.uk"]
+ domain_name_sub = [for k, v in local.domain_types : v.name if k != "modernisation-platform.service.justice.gov.uk"]
+ domain_record_main = [for k, v in local.domain_types : v.record if k == "modernisation-platform.service.justice.gov.uk"]
+ domain_record_sub = [for k, v in local.domain_types : v.record if k != "modernisation-platform.service.justice.gov.uk"]
+ domain_type_main = [for k, v in local.domain_types : v.type if k == "modernisation-platform.service.justice.gov.uk"]
+ domain_type_sub = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"]
+
+ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-ifs-ecr-repo"
+
+user_data = base64encode(templatefile("user_data.txt", {
+ cluster_name = "${local.application_name}-ecs-cluster"
+ }))
+
+}
\ No newline at end of file
diff --git a/terraform/environments/cdpt-ifs/route53.tf b/terraform/environments/cdpt-ifs/route53.tf
new file mode 100644
index 00000000000..cb6bc2c468f
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/route53.tf
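Review bot: The `#tfsec:ignore:aws-iam-no-policy-wildcards` on `aws_iam_policy.ec2_instance_policy` suppresses the wildcard finding with no stated reason and no expiry, and the policy document that follows `policy = <` is not legible in this rendering, so the breadth of the wildcard cannot be reviewed here. Put the justification next to the suppression, e.g. `#tfsec:ignore:aws-iam-no-policy-wildcards:exp:<YYYY-MM-DD> # <why the ECS instance role needs a wildcard here>`, and scope the statement to the log groups, ECR repository and SSM parameters the instance actually uses rather than `*`. Most of this 520-line hunk is not visible in this view, so the task definition, security groups and load balancer it declares have not been reviewed.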
@@ -0,0 +1,65 @@
+// DEV + PRE-PRODUCTION DNS CONFIGURATION
+
+// ACM Public Certificate
+resource "aws_acm_certificate" "external" {
+ domain_name = "modernisation-platform.service.justice.gov.uk"
+ validation_method = "DNS"
+
+ subject_alternative_names = ["${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"]
+ tags = {
+ Environment = local.environment
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_acm_certificate_validation" "external" {
+ certificate_arn = aws_acm_certificate.external.arn
+ validation_record_fqdns = [local.domain_name_main[0], local.domain_name_sub[0]]
+}
+
+// Route53 DNS records for certificate validation
+resource "aws_route53_record" "external_validation" {
+ provider = aws.core-network-services
+
+ allow_overwrite = true
+ name = local.domain_name_main[0]
+ records = local.domain_record_main
+ ttl = 60
+ type = local.domain_type_main[0]
+ zone_id = data.aws_route53_zone.network-services.zone_id
+}
+
+resource "aws_route53_record" "external_validation_subdomain" {
+ provider = aws.core-vpc
+
+ allow_overwrite = true
+ name = local.domain_name_sub[0]
+ records = local.domain_record_sub
+ ttl = 60
+ type = local.domain_type_sub[0]
+ zone_id = data.aws_route53_zone.external.zone_id
+}
+
+// Route53 DNS record for directing traffic to the service
+resource "aws_route53_record" "external" {
+ provider = aws.core-vpc
+
+ zone_id = data.aws_route53_zone.external.zone_id
+ name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+ type = "A"
+
+ alias {
+ name = aws_lb.ifs_lb.dns_name
+ zone_id = aws_lb.ifs_lb.zone_id
+ evaluate_target_health = true
+ }
+}
+
+
+// PRODUCTION DNS CONFIGURATION
+
+// ACM Public Certificate
+
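Review bot: The header says these resources are the dev and pre-production DNS configuration, but nothing conditions `aws_acm_certificate.external` or the three `aws_route53_record` resources on `local.environment`, and the "PRODUCTION DNS CONFIGURATION" section at the end is an empty stub, so a production workspace would apply the same certificate and records with a `-production` hostname. Either gate them (a `count` on `local.environment` with the downstream references indexed accordingly) or reword the comment to say the block applies to every environment and drop the stub. `allow_overwrite = true` on `external_validation` writes into the shared `network-services` zone for the platform apex name; that is the usual ACM validation pattern, but a one-line comment stating why overwrite is safe (the validation CNAME for a given name is stable) would save a reviewer from asking. Note also that `domain_name` is the platform apex and the service FQDN is only a SAN, which should be deliberate and worth stating.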
diff --git a/terraform/environments/cdpt-ifs/user_data.txt b/terraform/environments/cdpt-ifs/user_data.txt
new file mode 100644
index 00000000000..6c9e085a925
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/user_data.txt
@@ -0,0 +1,11 @@
+
+Import-Module ECSTools
+[Environment]::SetEnvironmentVariable("ECS_CONTAINER_START_TIMEOUT", "15m", [System.EnvironmentVariableTarget]::Machine)
+[Environment]::SetEnvironmentVariable("ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE", "true", "Machine")
+[Environment]::SetEnvironmentVariable("ECS_ENABLE_TASK_IAM_ROLE", "true", "Machine")
+
+Initialize-ECSAgent –Cluster ${cluster_name} -EnableTaskIAMRole -LoggingDrivers '["json-file","awslogs"]' -EnableTaskENI
+
+Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1'))
+
+
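Review bot: The last command downloads `https://chocolatey.org/install.ps1` at every instance boot and passes it straight to `iex`, so each new ECS host runs whatever that URL serves at that moment with no version pin or integrity check, and nothing else in this script then uses Chocolatey, so the install looks unused. Drop the line, or bake the package into the AMI so user data stays limited to ECS agent setup; if it must remain, download to a file, compare `Get-FileHash` against a recorded value, and only then run it, with a comment explaining what the package is for. Separately, `Initialize-ECSAgent –Cluster` uses a Unicode en dash (U+2013) rather than `-`; PowerShell tolerates it but it will confuse the next editor, so use an ASCII hyphen. `ECS_ENABLE_TASK_IAM_ROLE` is set both as an environment variable and via `-EnableTaskIAMRole`, which is harmless but one of the two can go.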