From a80628fb3daba65028a39928e26c59e1cdbf050c Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 1 Feb 2024 13:58:38 +0000 Subject: [PATCH 01/27] add-ecs-cluster --- terraform/environments/cdpt-ifs/ecs.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 terraform/environments/cdpt-ifs/ecs.tf diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf new file mode 100644 index 00000000000..84cfc0e7e63 --- /dev/null +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -0,0 +1,10 @@ + +resource "aws_ecs_cluster" "ecs_cluster" { + name = "${local.application_name}-ecs-cluster" + + setting { + name = "containerInsights" + value = "enabled" + } +} + From 6a5e44a7fd161572a9377dbbfe0e739af07f6abb Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Fri, 2 Feb 2024 10:49:22 +0000 Subject: [PATCH 02/27] task definition --- .../cdpt-ifs/application_variables.json | 4 +- terraform/environments/cdpt-ifs/ecs.tf | 60 +++++++++++++++++++ terraform/environments/cdpt-ifs/locals.tf | 2 + 3 files changed, 65 insertions(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json index 6b52bfe9b30..893128e6a1f 100644 --- a/terraform/environments/cdpt-ifs/application_variables.json +++ b/terraform/environments/cdpt-ifs/application_variables.json @@ -1,7 +1,9 @@ { "accounts": { "development": { - "example_var": "dev-data" + "environment_name": "development", + "container_port": 80, + "client_id": "838aa730-5f66-46df-9ff7-07eea29035ba" }, "test": { "example_var": "test-data" diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 84cfc0e7e63..643a0d07779 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf 
@@ -1,3 +1,63 @@ +data "aws_ecs_task_definition" "task_definition" { + task_definition = aws_ecs_task_definition.ifs_task_definition.family + depends_on = [aws_ecs_task_definition.ifs_task_definition] +} + +resource "aws_ecs_task_definition" "ifs_task_definition" { + family = "ifsFamily" + requires_compatibilities = ["EC2"] + network_mode = "awsvpc" + execution_role_arn = aws_iam_role.app_execution.arn + task_role_arn = aws_iam_role.app_task.arn + container_definitions = jsonencode([ + { + name = "${local.application_name}-container" + image = "${local.ecr_url}:${local.application_data.accounts[local.environment].environment_name}" + cpu = 1024 + memory = 1024 + essential = true + portMappings = [ + { + containerPort = local.application_data.accounts[local.environment].container_port + protocol = "tcp" + } + ] + logConfiguration = { + logDriver = "awslogs", + options = { + awslogs-group = "${local.application_name}-ecs", + awslogs-region = "eu-west-2", + awslogs-stream-prefix = local.application_name + } + } + environment = [ +# { +# name = "RDS_HOSTNAME" +# value = "${aws_db_instance.database.address}" +# }, +# { +# name = "RDS_USERNAME" +# value = "${aws_db_instance.database.username}" +# }, +# { +# name = "DB_NAME" +# value = "${local.application_data.accounts[local.environment].db_name}" +# }, + { + name = "CLIENT_ID" + value = "${local.application_data.accounts[local.environment].client_id}" + } + ] +# secrets = [ +# { +# name : "RDS_PASSWORD", +# valueFrom : aws_secretsmanager_secret_version.db_password.arn +# } +# ] + } + ]) +} + resource "aws_ecs_cluster" "ecs_cluster" { name = "${local.application_name}-ecs-cluster" diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf index a7454414911..1c108bc3dc0 100644 --- a/terraform/environments/cdpt-ifs/locals.tf +++ b/terraform/environments/cdpt-ifs/locals.tf 
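Review bot: The container image in `aws_ecs_task_definition.ifs_task_definition` is addressed by a mutable tag, `image = "${local.ecr_url}:${local.application_data.accounts[local.environment].environment_name}"`, so each new task pulls whatever was pushed last as `development` and a running revision cannot be tied to a build; pin an immutable version tag or a digest (`…@sha256:<digest>`) and enable tag immutability on the ECR repository. `logConfiguration` names the group `${local.application_name}-ecs` but sets no `awslogs-create-group = "true"` and no `aws_cloudwatch_log_group` appears anywhere in this series, so unless the group already exists the task will fail to start on the awslogs driver. `CLIENT_ID` is passed as a plain `environment` entry from application_variables.json; if it is a public OAuth client identifier that is fine, but anything paired with a secret belongs in the `secrets` block (left commented out here) with a Secrets Manager ARN. The commented-out RDS stanzas are dead config in a brand-new file and deserve either removal or a one-line comment saying what they wait on.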
@@ -1 +1,3 @@ #### This file can be used to store locals specific to the member account #### + +ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-ifs-ecr-repo" \ No newline at end of file From 234fac798ba6b17f9c3129f78597312c9bcc19ec Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Fri, 2 Feb 2024 10:53:18 +0000 Subject: [PATCH 03/27] missing locals --- terraform/environments/cdpt-ifs/locals.tf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf index 1c108bc3dc0..31524dbafe7 100644 --- a/terraform/environments/cdpt-ifs/locals.tf +++ b/terraform/environments/cdpt-ifs/locals.tf @@ -1,3 +1,6 @@ #### This file can be used to store locals specific to the member account #### +locals { -ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-ifs-ecr-repo" \ No newline at end of file +ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-ifs-ecr-repo" + +} \ No newline at end of file From 2ebb6ebbc72c80abdbad41b85f18de2bfcf955f3 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Fri, 2 Feb 2024 10:56:43 +0000 Subject: [PATCH 04/27] add iam role app_task --- terraform/environments/cdpt-ifs/ecs.tf | 27 ++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 643a0d07779..2dd8682eeee 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf 
@@ -68,3 +68,30 @@ resource "aws_ecs_cluster" "ecs_cluster" { } } +resource "aws_iam_role" "app_task" { + name = "task-${var.networking[0].application}" + + assume_role_policy = < Date: Fri, 2 Feb 2024 10:59:07 +0000 Subject: [PATCH 05/27] add iam role app_execution --- terraform/environments/cdpt-ifs/ecs.tf | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 2dd8682eeee..339caf541da 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -95,3 +95,27 @@ EOF ) } +resource "aws_iam_role_policy" "app_execution" { + name = "execution-${var.networking[0].application}" + role = aws_iam_role.app_execution.id + + policy = <<-EOF + { + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "ecr:*", + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams", + "secretsmanager:GetSecretValue" + ], + "Resource": "*", + "Effect": "Allow" + } + ] + } + EOF +} From 50be78db3fa79f7e9d74e55af283406b10102377 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Fri, 2 Feb 2024 11:41:13 +0000 Subject: [PATCH 06/27] add iam role_policy app_execution --- terraform/environments/cdpt-ifs/ecs.tf | 50 ++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 339caf541da..1abfdff53df 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf 
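Review bot: `aws_iam_role_policy.app_execution` grants `ecr:*` and `secretsmanager:GetSecretValue` on `"Resource": "*"`, far more than an ECS execution role needs and enough for anyone holding the role to push to or delete from any repository this account can reach and to read every secret in the account. The execution role only pulls images and writes logs, so the ECR grant should be the four read actions below and the Secrets Manager grant a separate statement scoped to the one secret the task definition will reference (the commented-out `aws_secretsmanager_secret_version.db_password.arn` in PATCH 02/27). The `logs:` actions can stay as they are. The preceding hunk of this physical line (`aws_iam_role.app_execution`'s `assume_role_policy` in PATCH 04/27) is cut at `assume_role_policy = <` in this extraction and is not reviewed here.
```hcl
resource "aws_iam_role_policy" "app_execution" {
  # … unchanged: name, role …

  # NOTE(review): replace "<SECRET_ARN placeholder>" with the ARN of the
  # secret the task definition references once that resource exists.
  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "ecr:GetAuthorizationToken",
          "ecr:BatchCheckLayerAvailability",
          "ecr:GetDownloadUrlForLayer",
          "ecr:BatchGetImage",
          "logs:CreateLogGroup",
          "logs:CreateLogStream",
          "logs:PutLogEvents",
          "logs:DescribeLogStreams"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "<SECRET_ARN placeholder>"
      }
    ]
  }
  EOF
}
```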
@@ -95,6 +95,56 @@ EOF ) } +resource "aws_iam_role_policy" "app_task" { + name = "task-${var.networking[0].application}" + role = aws_iam_role.app_task.id + + policy = <<-EOF + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:PutLogEvents", + "ecr:*", + "iam:*", + "ec2:*" + ], + "Resource": "*" + } + ] + } + EOF +} + +resource "aws_iam_role" "app_execution" { + name = "execution-${var.networking[0].application}" + + assume_role_policy = < Date: Fri, 2 Feb 2024 12:01:28 +0000 Subject: [PATCH 07/27] ec2 instance role & policy --- terraform/environments/cdpt-ifs/ecs.tf | 68 ++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 1abfdff53df..8aeb5348ce9 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -3,6 +3,74 @@ data "aws_ecs_task_definition" "task_definition" { depends_on = [aws_ecs_task_definition.ifs_task_definition] } +resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards + name = "${local.application_name}-ec2-instance-policy" + + policy = < Date: Fri, 2 Feb 2024 12:09:48 +0000 Subject: [PATCH 08/27] ec2 instance profile --- terraform/environments/cdpt-ifs/ecs.tf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 8aeb5348ce9..c17e9fb4d85 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -237,3 +237,12 @@ resource "aws_iam_role_policy" "app_execution" { } EOF } + + iam_instance_profile { + name = aws_iam_instance_profile.ec2_instance_profile.name + } + + resource "aws_iam_instance_profile" "ec2_instance_profile" { + name = "${local.application_name}-ec2-instance-profile" + role = aws_iam_role.ec2_instance_role.name +} 
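Review bot: `aws_iam_role_policy.app_task` attaches `"iam:*"`, `"ec2:*"` and `"ecr:*"` on `"Resource": "*"` to the task role, which is the credential the application container itself holds; `iam:*` on every resource lets any code running in that container create or modify principals and policies, so it amounts to administrator access for the workload, and `ec2:*` lets it reshape the VPC it sits in. Nothing visible in this series needs more than CloudWatch Logs from the task role, so delete those three entries, keep `"logs:CreateLogStream"` and `"logs:PutLogEvents"`, scope `Resource` to the task's log group ARN once it exists, and add further actions only against named resources as the application's needs are established. tfsec and checkov will both flag this policy; a suppression without a justification comment should not be accepted. The `aws_iam_role.app_execution` block that follows in this hunk is cut at `assume_role_policy = <` in this extraction and is not reviewed here.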
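Review bot: The `#tfsec:ignore:aws-iam-no-policy-wildcards` marker on `aws_iam_policy.ec2_instance_policy` (PATCH 07/27) suppresses the wildcard finding with no reason recorded, and the policy document after `policy = <` is missing from this extraction, so the wildcards themselves cannot be reviewed here. Record why the wildcard is required and what bounds it in a trailing comment on the same line, e.g. `#tfsec:ignore:aws-iam-no-policy-wildcards # <reason placeholder>: which action needs "*" and why it cannot be scoped`, and scope every action that supports a resource ARN to the cluster it serves.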
From 243dc3f0a82dfee056a1e0308ebab7292b98358c Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Fri, 2 Feb 2024 12:33:55 +0000 Subject: [PATCH 09/27] ec2 launch template --- .../cdpt-ifs/application_variables.json | 4 +- terraform/environments/cdpt-ifs/ecs.tf | 121 ++++++++++++++++++ 2 files changed, 124 insertions(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json index 893128e6a1f..77c41d6bc51 100644 --- a/terraform/environments/cdpt-ifs/application_variables.json +++ b/terraform/environments/cdpt-ifs/application_variables.json @@ -3,7 +3,9 @@ "development": { "environment_name": "development", "container_port": 80, - "client_id": "838aa730-5f66-46df-9ff7-07eea29035ba" + "client_id": "838aa730-5f66-46df-9ff7-07eea29035ba", + "ami_image_id": "ami-06cdd5b44c17085ed", + "instance_type": "t3.micro" }, "test": { "example_var": "test-data" diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index c17e9fb4d85..79c78a17f4b 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf 
@@ -238,10 +238,131 @@ resource "aws_iam_role_policy" "app_execution" { EOF } +# EC2 launch template - settings to use for new EC2s added to the group +# Note - when updating this you will need to manually terminate the EC2s +# so that the autoscaling group creates new ones using the new launch template + +resource "aws_launch_template" "ec2-launch-template" { + name_prefix = "${local.application_name}-ec2-launch-template" + image_id = local.application_data.accounts[local.environment].ami_image_id + instance_type = local.application_data.accounts[local.environment].instance_type + key_name = "${local.application_name}-ec2" + ebs_optimized = true + + monitoring { + enabled = true + } + + metadata_options { + http_endpoint = "enabled" + http_tokens = "optional" + } + iam_instance_profile { name = aws_iam_instance_profile.ec2_instance_profile.name } + network_interfaces { + associate_public_ip_address = false + security_groups = [aws_security_group.cluster_ec2.id]#, aws_security_group.db.id] + } + + block_device_mappings { + device_name = "/dev/xvda" + ebs { + delete_on_termination = true + encrypted = true + volume_size = 30 + volume_type = "gp2" + iops = 0 + } + } + + user_data = local.user_data + + tag_specifications { + resource_type = "instance" + tags = merge(tomap({ + "Name" = "${local.application_name}-ecs-cluster" + }), local.tags) + } + + tag_specifications { + resource_type = "volume" + tags = merge(tomap({ + "Name" = "${local.application_name}-ecs-cluster" + }), local.tags) + } + + tags = merge(tomap({ + "Name" = "${local.application_name}-ecs-cluster-template" + }), local.tags) +} + +resource "aws_security_group" "cluster_ec2" { + name = "${local.application_name}-cluster-ec2-security-group" + description = "controls access to the cluster ec2 instance" + vpc_id = data.aws_vpc.shared.id + +#ingress { +# description = "allow access on HTTP from load balancer" +# from_port = 80 +# to_port = 80 +# protocol = "tcp" +# cidr_blocks = ["0.0.0.0/0"] +# 
security_groups = [aws_security_group.chaps_lb_sc.id] +#} + +# ingress { +# description = "Allow RDP ingress" +# from_port = 3389 +# to_port = 3389 +# protocol = "tcp" +# security_groups = [module.bastion_linux.bastion_security_group] +# } + +# egress { +# description = "Cluster EC2 loadbalancer egress rule" +# from_port = 0 +# to_port = 0 +# protocol = "-1" +# cidr_blocks = ["0.0.0.0/0"] +# security_groups = [] +# } + + tags = merge( + local.tags, + { + Name = "${local.application_name}-cluster-ec2-security-group" + } + ) +} + +resource "aws_iam_instance_profile" "ec2_instance_profile" { + name = "${local.application_name}-ec2-instance-profile" + role = aws_iam_role.ec2_instance_role.name +} + +resource "aws_iam_role" "ec2_instance_role" { + name = "${local.application_name}-ec2-instance-role" + + assume_role_policy = < Date: Fri, 2 Feb 2024 12:36:44 +0000 Subject: [PATCH 10/27] remove duplicate resource --- terraform/environments/cdpt-ifs/ecs.tf | 5 ----- terraform/environments/cdpt-ifs/locals.tf | 4 ++++ 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 79c78a17f4b..58df4803c02 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -361,9 +361,4 @@ resource "aws_iam_role" "ec2_instance_role" { ] } EOF -} - - resource "aws_iam_instance_profile" "ec2_instance_profile" { - name = "${local.application_name}-ec2-instance-profile" - role = aws_iam_role.ec2_instance_role.name } diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf index 31524dbafe7..54c0f70718a 100644 --- a/terraform/environments/cdpt-ifs/locals.tf +++ b/terraform/environments/cdpt-ifs/locals.tf 
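Review bot: `http_tokens = "optional"` in `metadata_options` of `aws_launch_template.ec2-launch-template` leaves IMDSv1 enabled on every cluster instance, so the instance role's credentials are reachable without a session token by any process on the host that can reach the metadata endpoint; set `http_tokens = "required"`. Tasks here use `awsvpc` network mode (PATCH 02/27) and get their own ENI, so the default hop limit should not break them, but revisit `http_put_response_hop_limit` if any task is ever run in bridge mode. `key_name = "${local.application_name}-ec2"` is a literal rather than a reference to the `aws_key_pair` added in PATCH 20/27, so Terraform sees no dependency between them and can create the launch template before the key pair exists; use `key_name = aws_key_pair.ec2-user.key_name`. The `aws_iam_role.ec2_instance_role` heredoc at the end of this hunk is cut at `assume_role_policy = <` in this extraction and is not reviewed here.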
@@ -3,4 +3,8 @@ locals { ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-ifs-ecr-repo" +user_data = base64encode(templatefile("user_data.txt", { + cluster_name = "${local.application_name}-ecs-cluster" + })) + } \ No newline at end of file From 97335b15ecf4d3a8eef377e9bb88b43264d60246 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Fri, 2 Feb 2024 12:40:26 +0000 Subject: [PATCH 11/27] remove duplicate resource --- terraform/environments/cdpt-ifs/ecs.tf | 20 -------------------- 1 file changed, 20 deletions(-) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 58df4803c02..95fba375a80 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -342,23 +342,3 @@ resource "aws_iam_instance_profile" "ec2_instance_profile" { name = "${local.application_name}-ec2-instance-profile" role = aws_iam_role.ec2_instance_role.name } - -resource "aws_iam_role" "ec2_instance_role" { - name = "${local.application_name}-ec2-instance-role" - - assume_role_policy = < Date: Fri, 2 Feb 2024 12:47:47 +0000 Subject: [PATCH 12/27] add user_data.txt --- terraform/environments/cdpt-ifs/user_data.txt | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 terraform/environments/cdpt-ifs/user_data.txt diff --git a/terraform/environments/cdpt-ifs/user_data.txt b/terraform/environments/cdpt-ifs/user_data.txt new file mode 100644 index 00000000000..6c9e085a925 --- /dev/null +++ b/terraform/environments/cdpt-ifs/user_data.txt 
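Review bot: `templatefile("user_data.txt", {...})` in `local.user_data` is resolved relative to Terraform's working directory rather than this module, so the plan only succeeds when Terraform is invoked from this environment directory; use `templatefile("${path.module}/user_data.txt", { cluster_name = "${local.application_name}-ecs-cluster" })`. The new entry also sits at column 0 inside `locals {` while the rest of the block is indented, which `terraform fmt` will correct.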
@@ -0,0 +1,11 @@ + +Import-Module ECSTools +[Environment]::SetEnvironmentVariable("ECS_CONTAINER_START_TIMEOUT", "15m", [System.EnvironmentVariableTarget]::Machine) +[Environment]::SetEnvironmentVariable("ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE", "true", "Machine") +[Environment]::SetEnvironmentVariable("ECS_ENABLE_TASK_IAM_ROLE", "true", "Machine") + +Initialize-ECSAgent –Cluster ${cluster_name} -EnableTaskIAMRole -LoggingDrivers '["json-file","awslogs"]' -EnableTaskENI + +Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')) + + From 5476742dcc6cc15e4cfd0458729f3884df921d62 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Mon, 5 Feb 2024 08:30:50 +0000 Subject: [PATCH 13/27] corrects indentation app_var.json --- .../environments/cdpt-ifs/application_variables.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json index 77c41d6bc51..dcf3c7dea53 100644 --- a/terraform/environments/cdpt-ifs/application_variables.json +++ b/terraform/environments/cdpt-ifs/application_variables.json @@ -2,10 +2,10 @@ "accounts": { "development": { "environment_name": "development", - "container_port": 80, - "client_id": "838aa730-5f66-46df-9ff7-07eea29035ba", - "ami_image_id": "ami-06cdd5b44c17085ed", - "instance_type": "t3.micro" + "container_port": 80, + "client_id": "838aa730-5f66-46df-9ff7-07eea29035ba", + "ami_image_id": "ami-06cdd5b44c17085ed", + "instance_type": "t3.micro" }, "test": { "example_var": "test-data" From 8d80f6eae828ebf3a014d031ae57fd59147af243 Mon Sep 17 00:00:00 2001 
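Review bot: The last command in user_data.txt bootstraps Chocolatey by downloading `https://chocolatey.org/install.ps1` and piping it straight into `iex` on every instance launch, which makes each cluster host's build depend on an unpinned third-party script fetched at boot and executed with the privileges of the user-data context; nothing else in this series uses `choco`, so either drop it, bake the tooling into the AMI referenced by `ami_image_id`, or at minimum download a pinned release and verify its hash before invoking it. Setting `ECS_ENABLE_TASK_IAM_ROLE` together with `Initialize-ECSAgent … -EnableTaskIAMRole` is consistent with the task-role model used in ecs.tf. If the original file wrapped these commands in `<powershell>` tags they appear to have been lost in this extraction; EC2 Windows user data is only executed when that wrapper is present, so confirm it is there in the committed file.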
From: Alistair Curtis Date: Tue, 6 Feb 2024 12:31:49 +0000 Subject: [PATCH 14/27] add load balancer, ecs service and security groups --- terraform/environments/cdpt-ifs/ecs.tf | 66 ++++++++++++++++ .../environments/cdpt-ifs/loadbalancer.tf | 64 +++++++++++++++ .../cdpt-ifs/task-definition.json | 77 +++++++++++++++++++ 3 files changed, 207 insertions(+) create mode 100644 terraform/environments/cdpt-ifs/loadbalancer.tf create mode 100644 terraform/environments/cdpt-ifs/task-definition.json diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 95fba375a80..39264028bee 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf 
@@ -342,3 +342,69 @@ resource "aws_iam_instance_profile" "ec2_instance_profile" { name = "${local.application_name}-ec2-instance-profile" role = aws_iam_role.ec2_instance_role.name } + +resource "aws_ecs_service" "ecs_service" { + depends_on = [ + aws_lb_listener.https_listener + ] + + name = var.networking[0].application + cluster = aws_ecs_cluster.ecs_cluster.id + task_definition = aws_ecs_task_definition.ifs_task_definition.arn + desired_count = local.application_data.accounts[local.environment].app_count + health_check_grace_period_seconds = 60 + + capacity_provider_strategy { + capacity_provider = aws_ecs_capacity_provider.ifs.name + weight = 1 + } + + ordered_placement_strategy { + field = "attribute:ecs.availability-zone" + type = "spread" + } + + load_balancer { + target_group_arn = aws_lb_target_group.ifs_target_group.arn + container_name = "${local.application_name}-container" + container_port = local.application_data.accounts[local.environment].container_port + } + + network_configuration { + subnets = data.aws_subnets.shared-private.ids + security_groups = [aws_security_group.ecs_service.id] + } + + tags = merge( + local.tags, + { + Name = "${local.application_name}" + } + ) +} + +resource "aws_ecs_capacity_provider" "ifs" { + name = "${local.application_name}-ecs-capacity-provider" + + auto_scaling_group_provider { + auto_scaling_group_arn = aws_autoscaling_group.cluster-scaling-group.arn + + managed_scaling { + status = "ENABLED" + target_capacity = 100 + } + } + + tags = merge( + local.tags, + { + Name = "${local.application_name}-ecs-capacity-provider" + } + ) +} + +resource "aws_ecs_cluster_capacity_providers" "cdpt-ifs" { + cluster_name = aws_ecs_cluster.ecs_cluster.name + + capacity_providers = [aws_ecs_capacity_provider.ifs.name] +} \ No newline at end of file diff --git a/terraform/environments/cdpt-ifs/loadbalancer.tf b/terraform/environments/cdpt-ifs/loadbalancer.tf new file mode 100644 index 00000000000..6d948b3b1b2 --- /dev/null 
+++ b/terraform/environments/cdpt-ifs/loadbalancer.tf
@@ -0,0 +1,64 @@
+resource "aws_security_group" "ifs_lb_sc" {
+ name = "load balancer security group"
+ description = "control access to the load balancer"
+ vpc_id = data.aws_vpc.shared.id
+
+ ingress {
+ description = "allow access on HTTPS"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ description = "Open all outbound ports"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_lb" "ifs_lb" {
+ name = "ifs-load-balancer"
+ load_balancer_type = "application"
+ security_groups = [aws_security_group.ifs_lb_sc.id]
+ subnets = data.aws_subnets.shared-public.ids
+}
+
+resource "aws_lb_target_group" "ifs_target_group" {
+ name = "ifs-target-group"
+ port = 80
+ protocol = "HTTP"
+ vpc_id = data.aws_vpc.shared.id
+ target_type = "ip"
+ deregistration_delay = 30
+
+ stickiness {
+ type = "lb_cookie"
+ }
+
+ health_check {
+ healthy_threshold = "2"
+ interval = "30"
+ unhealthy_threshold = "5"
+ matcher = "200-499"
+ timeout = "10"
+ }
+}
+
+resource "aws_lb_listener" "https_listener" {
+ #checkov:skip=CKV_AWS_103
+ depends_on = [aws_acm_certificate_validation.external]
+
+ load_balancer_arn = aws_lb.ifs_lb.arn
+ port = 443
+ protocol = "HTTPS"
+ certificate_arn = aws_acm_certificate.external.arn
+
+ default_action {
+ target_group_arn = aws_lb_target_group.ifs_target_group.id
+ type = "forward"
+ }
+}
diff --git a/terraform/environments/cdpt-ifs/task-definition.json b/terraform/environments/cdpt-ifs/task-definition.json
new file mode 100644
index 00000000000..c1006a47b37
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/task-definition.json
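Review bot: `matcher = "200-499"` in `aws_lb_target_group.ifs_target_group` counts any 4xx as a healthy response, so a container that is up but answering 401, 403 or 404 on `/` keeps receiving traffic; narrow it to what the health endpoint actually returns, e.g. `matcher = "200-399"`. `aws_lb_listener.https_listener` suppresses CKV_AWS_103 with `#checkov:skip=CKV_AWS_103` but sets no `ssl_policy`, so the listener falls back to AWS's default policy, which still accepts TLS 1.0/1.1; set `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` (or the platform's mandated policy) explicitly and either give the skip a reason or remove it. `aws_lb.ifs_lb` also has no `drop_invalid_header_fields = true`, `enable_deletion_protection` or access-logs block; the first is a one-liner worth adding on an internet-facing ALB.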
@@ -0,0 +1,77 @@ +{ + "taskDefinitionArn": "arn:aws:ecs:eu-west-2:224131490563:task-definition/ifsFamily:1", + "containerDefinitions": [ + { + "name": "cdpt-ifs-container", + "image": "374269020027.dkr.ecr.eu-west-2.amazonaws.com/cdpt-ifs-ecr-repo:development", + "cpu": 1024, + "memory": 1024, + "portMappings": [ + { + "containerPort": 80, + "hostPort": 80, + "protocol": "tcp" + } + ], + "essential": true, + "environment": [ + { + "name": "CLIENT_ID", + "value": "838aa730-5f66-46df-9ff7-07eea29035ba" + } + ], + "mountPoints": [], + "volumesFrom": [], + "logConfiguration": { + "logDriver": "awslogs", + "options": { + "awslogs-group": "cdpt-ifs-ecs", + "awslogs-region": "eu-west-2", + "awslogs-stream-prefix": "cdpt-ifs" + } + } + } + ], + "family": "ifsFamily", + "taskRoleArn": "arn:aws:iam::224131490563:role/task-cdpt-ifs", + "executionRoleArn": "arn:aws:iam::224131490563:role/execution-cdpt-ifs", + "networkMode": "awsvpc", + "revision": 1, + "volumes": [], + "status": "ACTIVE", + "requiresAttributes": [ + { + "name": "com.amazonaws.ecs.capability.logging-driver.awslogs" + }, + { + "name": "ecs.capability.execution-role-awslogs" + }, + { + "name": "com.amazonaws.ecs.capability.ecr-auth" + }, + { + "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19" + }, + { + "name": "com.amazonaws.ecs.capability.task-iam-role" + }, + { + "name": "ecs.capability.execution-role-ecr-pull" + }, + { + "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18" + }, + { + "name": "ecs.capability.task-eni" + } + ], + "placementConstraints": [], + "compatibilities": [ + "EC2" + ], + "requiresCompatibilities": [ + "EC2" + ], + "registeredAt": "2024-02-02T11:54:52.757000+00:00", + "registeredBy": "arn:aws:sts::224131490563:assumed-role/MemberInfrastructureAccess/aws-go-sdk-1706874890119872393" +} From 3a74c3bd9b266b33703953ebe9ba7aa3a16a65f9 Mon Sep 17 00:00:00 2001 
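Review bot: task-definition.json is a registered-task-definition export (it carries `taskDefinitionArn`, `revision`, `registeredAt` and the `registeredBy` assumed-role session) rather than Terraform input; nothing in this series reads it and it duplicates what `aws_ecs_task_definition.ifs_task_definition` already declares. It also writes two AWS account IDs, the ECR image URI and the `CLIENT_ID` value into the repository. PATCH 21/27 deletes it again, but the values remain in history, so treat them as disclosed and rotate `CLIENT_ID` if it is anything other than a public identifier.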
From: Alistair Curtis Date: Tue, 6 Feb 2024 12:41:23 +0000 Subject: [PATCH 15/27] add certificate_validation --- terraform/environments/cdpt-ifs/route53.tf | 65 ++++++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 terraform/environments/cdpt-ifs/route53.tf diff --git a/terraform/environments/cdpt-ifs/route53.tf b/terraform/environments/cdpt-ifs/route53.tf new file mode 100644 index 00000000000..cb6bc2c468f --- /dev/null +++ b/terraform/environments/cdpt-ifs/route53.tf 
@@ -0,0 +1,65 @@
+// DEV + PRE-PRODUCTION DNS CONFIGURATION
+
+// ACM Public Certificate
+resource "aws_acm_certificate" "external" {
+ domain_name = "modernisation-platform.service.justice.gov.uk"
+ validation_method = "DNS"
+
+ subject_alternative_names = ["${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"]
+ tags = {
+ Environment = local.environment
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_acm_certificate_validation" "external" {
+ certificate_arn = aws_acm_certificate.external.arn
+ validation_record_fqdns = [local.domain_name_main[0], local.domain_name_sub[0]]
+}
+
+// Route53 DNS records for certificate validation
+resource "aws_route53_record" "external_validation" {
+ provider = aws.core-network-services
+
+ allow_overwrite = true
+ name = local.domain_name_main[0]
+ records = local.domain_record_main
+ ttl = 60
+ type = local.domain_type_main[0]
+ zone_id = data.aws_route53_zone.network-services.zone_id
+}
+
+resource "aws_route53_record" "external_validation_subdomain" {
+ provider = aws.core-vpc
+
+ allow_overwrite = true
+ name = local.domain_name_sub[0]
+ records = local.domain_record_sub
+ ttl = 60
+ type = local.domain_type_sub[0]
+ zone_id = data.aws_route53_zone.external.zone_id
+}
+
+// Route53 DNS record for directing traffic to the service
+resource "aws_route53_record" "external" {
+ provider = aws.core-vpc
+
+ zone_id = data.aws_route53_zone.external.zone_id
+ name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+ type = "A"
+
+ alias {
+ name = aws_lb.ifs_lb.dns_name
+ zone_id = aws_lb.ifs_lb.zone_id
+ evaluate_target_health = true
+ }
+}
+
+
+// PRODUCTION DNS CONFIGURATION
+
+// ACM Public Certificate
+
From f10bc12bd50522e4bd5420a3cdde5ac15dcd869b Mon Sep 17 00:00:00 2001
From: Alistair Curtis Date: Tue, 6 Feb 2024 12:50:01 +0000 Subject: [PATCH 16/27] add autoscaling group and locals.domain_names --- terraform/environments/cdpt-ifs/ecs.tf | 32 ++++++++++++++++++++++- terraform/environments/cdpt-ifs/locals.tf | 15 ++++++++++- 2 files changed, 45 insertions(+), 2 deletions(-) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 39264028bee..8670b8e0d41 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf @@ -407,4 +407,34 @@ resource "aws_ecs_cluster_capacity_providers" "cdpt-ifs" { cluster_name = aws_ecs_cluster.ecs_cluster.name capacity_providers = [aws_ecs_capacity_provider.ifs.name] -} \ No newline at end of file +} + +resource "aws_autoscaling_group" "cluster-scaling-group" { + vpc_zone_identifier = sort(data.aws_subnets.shared-private.ids) + name = "${local.application_name}-cluster-scaling-group" + desired_capacity = local.application_data.accounts[local.environment].ec2_desired_capacity + max_size = local.application_data.accounts[local.environment].ec2_max_size + min_size = local.application_data.accounts[local.environment].ec2_min_size + health_check_grace_period = 60 + + launch_template { + id = aws_launch_template.ec2-launch-template.id + version = "$Latest" + } + + tag { + key = "Name" + value = "${local.application_name}-cluster-scaling-group" + propagate_at_launch = true + } + + dynamic "tag" { + for_each = local.tags + + content { + key = tag.key + value = tag.value + propagate_at_launch = true + } + } +} diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf index 54c0f70718a..8d9234c26cd 100644 --- a/terraform/environments/cdpt-ifs/locals.tf +++ b/terraform/environments/cdpt-ifs/locals.tf 
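Review bot: `aws_autoscaling_group.cluster-scaling-group` pins `version = "$Latest"` on the launch template but defines no `instance_refresh`, so a new template version (for example a change to `metadata_options`) is only picked up by instances launched after the change, which is exactly the manual-terminate caveat written above the launch template in PATCH 09/27; adding `instance_refresh { strategy = "Rolling" }` lets Terraform roll the group instead. The group leaves `health_check_type` at its default, which is reasonable for container instances behind a capacity provider but worth stating in a comment. The `aws_ecs_capacity_provider.ifs` this group backs (PATCH 14/27) does not set `managed_termination_protection`, so scale-in can terminate an instance that still runs tasks; enabling it requires `protect_from_scale_in = true` on this group.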
@@ -1,6 +1,19 @@ -#### This file can be used to store locals specific to the member account #### locals { +domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + } + } + + domain_name_main = [for k, v in local.domain_types : v.name if k == "modernisation-platform.service.justice.gov.uk"] + domain_name_sub = [for k, v in local.domain_types : v.name if k != "modernisation-platform.service.justice.gov.uk"] + domain_record_main = [for k, v in local.domain_types : v.record if k == "modernisation-platform.service.justice.gov.uk"] + domain_record_sub = [for k, v in local.domain_types : v.record if k != "modernisation-platform.service.justice.gov.uk"] + domain_type_main = [for k, v in local.domain_types : v.type if k == "modernisation-platform.service.justice.gov.uk"] + domain_type_sub = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"] + ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-ifs-ecr-repo" user_data = base64encode(templatefile("user_data.txt", { From 867436a62869f3e5ab1dc61aa42d071be15e82b0 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Tue, 6 Feb 2024 12:52:10 +0000 Subject: [PATCH 17/27] add ecs service security group --- terraform/environments/cdpt-ifs/ecs.tf | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf index 8670b8e0d41..7a2b5548314 100644 --- a/terraform/environments/cdpt-ifs/ecs.tf +++ b/terraform/environments/cdpt-ifs/ecs.tf 
@@ -438,3 +438,24 @@ resource "aws_autoscaling_group" "cluster-scaling-group" { } } } + + +resource "aws_security_group" "ecs_service" { + name_prefix = "ecs-service-sg-" + vpc_id = data.aws_vpc.shared.id + + ingress { + from_port = 80 + to_port = 80 + protocol = "tcp" + description = "Allow traffic on port 80 from load balancer" + security_groups = [aws_security_group.ifs_lb_sc.id] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} From 188aae19596cc3ac8090b37b033fe5101ebb61df Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Tue, 6 Feb 2024 12:55:17 +0000 Subject: [PATCH 18/27] add ec2 capacity --- terraform/environments/cdpt-ifs/application_variables.json | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json index dcf3c7dea53..ce0931b0bfc 100644 --- a/terraform/environments/cdpt-ifs/application_variables.json +++ b/terraform/environments/cdpt-ifs/application_variables.json @@ -5,7 +5,10 @@ "container_port": 80, "client_id": "838aa730-5f66-46df-9ff7-07eea29035ba", "ami_image_id": "ami-06cdd5b44c17085ed", - "instance_type": "t3.micro" + "instance_type": "t3.micro", + "ec2_desired_capacity": 1, + "ec2_max_size": 2, + "ec2_min_size": 1 }, "test": { "example_var": "test-data" From 18ceaff93f80aedff5815f606bc6f43be17b793a Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Tue, 6 Feb 2024 12:59:34 +0000 Subject: [PATCH 19/27] add app_count --- terraform/environments/cdpt-ifs/application_variables.json | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json index ce0931b0bfc..673e8abf6bc 100644 --- a/terraform/environments/cdpt-ifs/application_variables.json +++ b/terraform/environments/cdpt-ifs/application_variables.json 
@@ -6,6 +6,7 @@
 "client_id": "838aa730-5f66-46df-9ff7-07eea29035ba",
 "ami_image_id": "ami-06cdd5b44c17085ed",
 "instance_type": "t3.micro",
+ "app_count": 1,
 "ec2_desired_capacity": 1,
 "ec2_max_size": 2,
 "ec2_min_size": 1
From 91e470186c9b0c3f5242791aed79e6146651f79c Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Tue, 6 Feb 2024 14:00:01 +0000 Subject: [PATCH 20/27] add key pair
--- terraform/environments/cdpt-ifs/MyKeyPair.pem | 0 terraform/environments/cdpt-ifs/ecs.tf | 5 +++++ 2 files changed, 5 insertions(+) create mode 100644 terraform/environments/cdpt-ifs/MyKeyPair.pem
diff --git a/terraform/environments/cdpt-ifs/MyKeyPair.pem b/terraform/environments/cdpt-ifs/MyKeyPair.pem new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
index 7a2b5548314..f12206409b3 100644
--- a/terraform/environments/cdpt-ifs/ecs.tf
+++ b/terraform/environments/cdpt-ifs/ecs.tf
@@ -439,6 +439,11 @@ resource "aws_autoscaling_group" "cluster-scaling-group" {
 }
 }
+resource "aws_key_pair" "ec2-user" {
+ key_name = "${local.application_name}-ec2"
+ public_key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwVil3c3Nh/F6S1IzMFUMhykwj1SwQEXVvNghpUW5Ncm82ibJqtVccgCFW96HoHO7Bv8jt5O+TrfENlNI6yywASKEiJRDNUpBBK/UCqXQrYJ0KTvJ7FHegQjrxBOM/Lo3o3IniB2lNTe8hijBMrdaeKivWjB2YKTJxLFdUdLFjBop5uH0gL5Or6+P5/CyKmkIftn3Wazyq4Oe3mYQhB9Gr45/T8/UZCPnWWZ/p7AB3hH5jVO3BqHsB0t3YqJrbCV3Uo85xM62BBBV0AcWXNADY2f4A+6zcUX6j6BIfgAmYP3EQCZBxFq0BgxurF7xIh7CIjl4iIMQJ0sz3uoyLdh9f alistair.curtis@MJ004521"
+ tags = local.tags
+ }
 resource "aws_security_group" "ecs_service" {
 name_prefix = "ecs-service-sg-"
From a8b9ce5319e066dc48ab3fdeb1a40ddaf7d1eba2 Mon Sep 17 00:00:00 2001
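Review bot: `aws_key_pair.ec2-user` embeds one individual's SSH public key, personal user@host comment included, directly in shared Terraform, so access to the cluster instances depends on one person's key and rotating or revoking it means a code change and a re-plan. The bastion module added later in this series (PATCH 26) already reads per-user keys from a JSON file keyed by environment; sourcing this key the same way, or dropping instance SSH in favour of SSM Session Manager if the AMI supports it, keeps ownership and rotation in one place. The same commit adds `MyKeyPair.pem` to the module directory; the blob is empty here and PATCH 21 deletes it again, but a `*.pem` entry in `.gitignore` would stop a real private key from being committed by the same workflow. Nothing in this hunk attaches the key pair to the launch template, so whether it is actually used is not visible from here.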
From: Alistair Curtis Date: Tue, 6 Feb 2024 14:51:46 +0000 Subject: [PATCH 21/27] remove secrets
--- terraform/environments/cdpt-ifs/MyKeyPair.pem | 0 .../cdpt-ifs/task-definition.json | 77 ------------------- 2 files changed, 77 deletions(-) delete mode 100644 terraform/environments/cdpt-ifs/MyKeyPair.pem delete mode 100644 terraform/environments/cdpt-ifs/task-definition.json
diff --git a/terraform/environments/cdpt-ifs/MyKeyPair.pem b/terraform/environments/cdpt-ifs/MyKeyPair.pem deleted file mode 100644
index e69de29bb2d..00000000000
diff --git a/terraform/environments/cdpt-ifs/task-definition.json b/terraform/environments/cdpt-ifs/task-definition.json deleted file mode 100644
index c1006a47b37..00000000000
--- a/terraform/environments/cdpt-ifs/task-definition.json
+++ /dev/null
@@ -1,77 +0,0 @@
-{
- "taskDefinitionArn": "arn:aws:ecs:eu-west-2:224131490563:task-definition/ifsFamily:1",
- "containerDefinitions": [
- {
- "name": "cdpt-ifs-container",
- "image": "374269020027.dkr.ecr.eu-west-2.amazonaws.com/cdpt-ifs-ecr-repo:development",
- "cpu": 1024,
- "memory": 1024,
- "portMappings": [
- {
- "containerPort": 80,
- "hostPort": 80,
- "protocol": "tcp"
- }
- ],
- "essential": true,
- "environment": [
- {
- "name": "CLIENT_ID",
- "value": "838aa730-5f66-46df-9ff7-07eea29035ba"
- }
- ],
- "mountPoints": [],
- "volumesFrom": [],
- "logConfiguration": {
- "logDriver": "awslogs",
- "options": {
- "awslogs-group": "cdpt-ifs-ecs",
- "awslogs-region": "eu-west-2",
- "awslogs-stream-prefix": "cdpt-ifs"
- }
- }
- }
- ],
- "family": "ifsFamily",
- "taskRoleArn": "arn:aws:iam::224131490563:role/task-cdpt-ifs",
- "executionRoleArn": "arn:aws:iam::224131490563:role/execution-cdpt-ifs",
- "networkMode": "awsvpc",
- "revision": 1,
- "volumes": [],
- "status": "ACTIVE",
- "requiresAttributes": [
- {
- "name": "com.amazonaws.ecs.capability.logging-driver.awslogs"
- },
- {
- "name": "ecs.capability.execution-role-awslogs"
- },
- {
- "name": "com.amazonaws.ecs.capability.ecr-auth"
- },
- {
- "name": "com.amazonaws.ecs.capability.docker-remote-api.1.19"
- },
- {
- "name": "com.amazonaws.ecs.capability.task-iam-role"
- },
- {
- "name": "ecs.capability.execution-role-ecr-pull"
- },
- {
- "name": "com.amazonaws.ecs.capability.docker-remote-api.1.18"
- },
- {
- "name": "ecs.capability.task-eni"
- }
- ],
- "placementConstraints": [],
- "compatibilities": [
- "EC2"
- ],
- "requiresCompatibilities": [
- "EC2"
- ],
- "registeredAt": "2024-02-02T11:54:52.757000+00:00",
- "registeredBy": "arn:aws:sts::224131490563:assumed-role/MemberInfrastructureAccess/aws-go-sdk-1706874890119872393"
-}
From 3210e40e73ff58fbabf9c464e7f1766a7f7e9e93 Mon Sep 17 00:00:00 2001
From: Alistair Curtis Date: Wed, 7 Feb 2024 15:05:48 +0000 Subject: [PATCH 22/27] add ingress rules for EC2 launch template
--- terraform/environments/cdpt-ifs/ecs.tf | 56 ++++++++++++-------------- 1 file changed, 26 insertions(+), 30 deletions(-)
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
index f12206409b3..f9dfaa21828 100644
--- a/terraform/environments/cdpt-ifs/ecs.tf
+++ b/terraform/environments/cdpt-ifs/ecs.tf
@@ -304,31 +304,31 @@ resource "aws_security_group" "cluster_ec2" {
 description = "controls access to the cluster ec2 instance"
 vpc_id = data.aws_vpc.shared.id
-#ingress {
-# description = "allow access on HTTP from load balancer"
-# from_port = 80
-# to_port = 80
-# protocol = "tcp"
-# cidr_blocks = ["0.0.0.0/0"]
-# security_groups = [aws_security_group.chaps_lb_sc.id]
-#}
-
-# ingress {
-# description = "Allow RDP ingress"
-# from_port = 3389
-# to_port = 3389
-# protocol = "tcp"
-# security_groups = [module.bastion_linux.bastion_security_group]
-# }
-
-# egress {
-# description = "Cluster EC2 loadbalancer egress rule"
-# from_port = 0
-# to_port = 0
-# protocol = "-1"
-# cidr_blocks = ["0.0.0.0/0"]
-# security_groups = []
-# }
+ingress {
+ description = "allow access on HTTP from load balancer"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_groups = [aws_security_group.chaps_lb_sc.id]
+ }
+
+ ingress {
+ description = "Allow RDP ingress"
+ from_port = 3389
+ to_port = 3389
+ protocol = "tcp"
+ security_groups = [module.bastion_linux.bastion_security_group]
+ }
+
+ egress {
+ description = "Cluster EC2 loadbalancer egress rule"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ security_groups = []
+ }
 tags = merge(
 local.tags,
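Review bot: The HTTP ingress re-enabled here sets both `cidr_blocks = ["0.0.0.0/0"]` and `security_groups = [...]`; in an `aws_security_group` rule block those are independent sources, so the CIDR alone opens port 80 on the cluster instances to the whole internet and the load-balancer security group adds nothing, contradicting the rule's own description. Dropping the `cidr_blocks` line gives exactly the load-balancer-only access the description promises. The same CIDR survives as context in the PATCH 23 hunk below (which only fixes the `chaps_lb_sc` → `ifs_lb_sc` reference), so it needs a follow-up there too. `security_groups = []` on the egress rule is a no-op and can go. `aws_security_group.cluster_ec2` starts before this hunk and its `tags` block runs past the end.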
@@ -344,16 +344,12 @@ resource "aws_iam_instance_profile" "ec2_instance_profile" {
 }
 resource "aws_ecs_service" "ecs_service" {
- depends_on = [
- aws_lb_listener.https_listener
- ]
-
+ depends_on = [aws_lb_listener.https_listener]
 name = var.networking[0].application
 cluster = aws_ecs_cluster.ecs_cluster.id
 task_definition = aws_ecs_task_definition.ifs_task_definition.arn
 desired_count = local.application_data.accounts[local.environment].app_count
 health_check_grace_period_seconds = 60
-
 capacity_provider_strategy {
 capacity_provider = aws_ecs_capacity_provider.ifs.name
 weight = 1
From 3e21ba9948bacba018384260f27eeb5f7d74a381 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Wed, 7 Feb 2024 15:09:41 +0000 Subject: [PATCH 23/27] correct typo
--- terraform/environments/cdpt-ifs/ecs.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
index f9dfaa21828..e8feee17e42 100644
--- a/terraform/environments/cdpt-ifs/ecs.tf
+++ b/terraform/environments/cdpt-ifs/ecs.tf
@@ -310,16 +310,16 @@ ingress {
 to_port = 80
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
- security_groups = [aws_security_group.chaps_lb_sc.id]
+ security_groups = [aws_security_group.ifs_lb_sc.id]
 }
- ingress {
- description = "Allow RDP ingress"
- from_port = 3389
- to_port = 3389
- protocol = "tcp"
- security_groups = [module.bastion_linux.bastion_security_group]
- }
+# ingress {
+# description = "Allow RDP ingress"
+# from_port = 3389
+# to_port = 3389
+# protocol = "tcp"
+# security_groups = [module.bastion_linux.bastion_security_group]
+# }
 egress {
 description = "Cluster EC2 loadbalancer egress rule"
From 5bc9418be55818f598a74e8d8dc01f4a7185bb48 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Wed, 7 Feb 2024 16:13:47 +0000 Subject: [PATCH 24/27] add cloudwatch logging
--- terraform/environments/cdpt-ifs/ecs.tf | 53 ++++++++++++++++++++++++++ 1 file changed, 53 insertions(+)
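Review bot: In the PATCH 23 hunk the RDP ingress is commented out rather than deleted, leaving a dormant rule that still names `module.bastion_linux.bastion_security_group` and is one uncomment away from opening 3389 on the cluster instances. Git history already preserves the block, so removing it, or replacing it with a single line such as `# RDP from the bastion is deliberately not allowed; see <ticket-or-decision-record>`, keeps the resource readable and makes the intent explicit. The `ingress` block this hunk edits starts before the hunk.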
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
index e8feee17e42..6a69510e20b 100644
--- a/terraform/environments/cdpt-ifs/ecs.tf
+++ b/terraform/environments/cdpt-ifs/ecs.tf
@@ -460,3 +460,56 @@ resource "aws_security_group" "ecs_service" {
 cidr_blocks = ["0.0.0.0/0"]
 }
 }
+
+# AWS EventBridge rule
+resource "aws_cloudwatch_event_rule" "ecs_events" {
+ name = "ecs-events"
+ description = "Capture all ECS events"
+
+ event_pattern = jsonencode({
+ "source" : ["aws.ecs"],
+ "detail" : {
+ "clusterArn" : [aws_ecs_cluster.ecs_cluster.arn]
+ }
+ })
+}
+
+# AWS EventBridge target
+resource "aws_cloudwatch_event_target" "logs" {
+ depends_on = [aws_cloudwatch_log_group.deployment_logs]
+ rule = aws_cloudwatch_event_rule.ecs_events.name
+ target_id = "send-to-cloudwatch"
+ arn = aws_cloudwatch_log_group.deployment_logs.arn
+}
+
+resource "aws_cloudwatch_log_resource_policy" "ecs_logging_policy" {
+ policy_document = jsonencode({
+ "Version" : "2012-10-17",
+ "Statement" : [
+ {
+ "Sid" : "TrustEventsToStoreLogEvent",
+ "Effect" : "Allow",
+ "Principal" : {
+ "Service" : ["events.amazonaws.com", "delivery.logs.amazonaws.com"]
+ },
+ "Action" : [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents"
+ ],
+ "Resource" : "arn:aws:logs:eu-west-2:${data.aws_caller_identity.current.account_id}:log-group:/aws/events/*:*"
+ }
+ ]
+ })
+ policy_name = "TrustEventsToStoreLogEvents"
+}
+
+# Set up CloudWatch group and log stream and retain logs for 30 days
+resource "aws_cloudwatch_log_group" "cloudwatch_group" {
+ name = "${local.application_name}-ecs"
+ retention_in_days = 30
+}
+
+resource "aws_cloudwatch_log_stream" "cloudwatch_stream" {
+ name = "${local.application_name}-log-stream"
+ log_group_name = aws_cloudwatch_log_group.cloudwatch_group.name
+}
From 507dfdda3a2f03de67ef762e48784e31294825c3 Mon Sep 17 00:00:00 2001
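Review bot: The `aws_cloudwatch_log_resource_policy` statement lets `events.amazonaws.com` and `delivery.logs.amazonaws.com` write to every `/aws/events/*` log group in the account with no `Condition`, which is the confused-deputy shape AWS cautions about for service principals: an EventBridge rule in another account that targets one of these log groups could be accepted. Add a source guard inside the statement, `"Condition" : { "StringEquals" : { "aws:SourceAccount" : data.aws_caller_identity.current.account_id } }` (or tighter, `ArnEquals` on `aws:SourceArn` with `aws_cloudwatch_event_rule.ecs_events.arn`), and drop `delivery.logs.amazonaws.com` since nothing in this hunk uses it. Separately, `aws_cloudwatch_event_target.logs` references `aws_cloudwatch_log_group.deployment_logs`, which this commit does not define — it only appears in PATCH 25 — so this commit does not plan on its own; and `aws_cloudwatch_log_stream.cloudwatch_stream` is redundant with the `awslogs` driver, which creates its own streams under the configured prefix.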
From: Alistair Curtis Date: Wed, 7 Feb 2024 16:22:05 +0000 Subject: [PATCH 25/27] add deployment logs
--- terraform/environments/cdpt-ifs/ecs.tf | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/terraform/environments/cdpt-ifs/ecs.tf b/terraform/environments/cdpt-ifs/ecs.tf
index 6a69510e20b..3842b0e9ac4 100644
--- a/terraform/environments/cdpt-ifs/ecs.tf
+++ b/terraform/environments/cdpt-ifs/ecs.tf
@@ -46,6 +46,11 @@ resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-polic
 EOF
 }
+resource "aws_cloudwatch_log_group" "deployment_logs" {
+ name = "/aws/events/deploymentLogs"
+ retention_in_days = "7"
+}
+
 resource "aws_iam_role_policy_attachment" "attach_ec2_policy" {
 role = aws_iam_role.ec2_instance_role.name
 policy_arn = aws_iam_policy.ec2_instance_policy.arn
From 725881b249ab162d6930574b0c7e061a08895a08 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 8 Feb 2024 14:21:33 +0000 Subject: [PATCH 26/27] bastion and ssh keys
--- terraform/environments/cdpt-ifs/bastion.json | 13 +++++++ .../environments/cdpt-ifs/bastion_linux.tf | 38 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 terraform/environments/cdpt-ifs/bastion.json create mode 100644 terraform/environments/cdpt-ifs/bastion_linux.tf
diff --git a/terraform/environments/cdpt-ifs/bastion.json b/terraform/environments/cdpt-ifs/bastion.json new file mode 100644
index 00000000000..f97bec0e4f8
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/bastion.json
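Review bot: `retention_in_days = "7"` passes a string where the attribute is numeric; Terraform coerces it, but the sibling group added in PATCH 24 writes the bare number `30`, so use `retention_in_days = 7` for consistency. The name `/aws/events/deploymentLogs` is what makes the `/aws/events/*` resource in the PATCH 24 resource policy apply to this group, and a comment such as `# name must fall under /aws/events/* to be covered by aws_cloudwatch_log_resource_policy.ecs_logging_policy` saves the next reader the cross-reference. If these ECS events are relied on for incident reconstruction, seven days may be short — worth confirming against the service's retention requirement.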
@@ -0,0 +1,13 @@
+{
+ "keys": {
+ "development": {
+ "acurtis": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7Z+QprFiensJ1Kw08i9shm5lfritcI3/71nrDu2S3H alistair.curtis@digital.justice.gov.uk"
+ },
+ "preproduction": {
+ "acurtis": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7Z+QprFiensJ1Kw08i9shm5lfritcI3/71nrDu2S3H alistair.curtis@digital.justice.gov.uk"
+ },
+ "production": {
+ "acurtis": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7Z+QprFiensJ1Kw08i9shm5lfritcI3/71nrDu2S3H alistair.curtis@digital.justice.gov.uk"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/environments/cdpt-ifs/bastion_linux.tf b/terraform/environments/cdpt-ifs/bastion_linux.tf new file mode 100644
index 00000000000..588ece74247
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/bastion_linux.tf
@@ -0,0 +1,38 @@
+locals {
+ public_key_data = jsondecode(file("./bastion_linux.json"))
+}
+
+module "bastion_linux" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.0.0"
+
+ providers = {
+ aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
+ aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant
+ }
+
+ # s3 - used for logs and user ssh public keys
+ bucket_name = "bastion"
+ bucket_versioning = true
+ bucket_force_destroy = true
+ # public keys
+ public_key_data = local.public_key_data.keys[local.environment]
+ # logs
+ log_auto_clean = "Enabled"
+ log_standard_ia_days = 30 # days before moving to IA storage
+ log_glacier_days = 60 # days before moving to Glacier
+ log_expiry_days = 180 # days before log expiration
+ # bastion
+ allow_ssh_commands = false
+
+ app_name = var.networking[0].application
+ business_unit = local.vpc_name
+ subnet_set = local.subnet_set
+ environment = local.environment
+ region = "eu-west-2"
+
+ extra_user_data_content = "yum install -y openldap-clients"
+
+ # Tags
+ tags_common = local.tags
+ tags_prefix = terraform.workspace
+}
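Review bot: The same personal `ssh-ed25519` key is granted bastion access in `development`, `preproduction` and `production`, so one key on one laptop spans every environment and it cannot be revoked for production without editing all three entries. At minimum give production its own entry so access there can be reviewed and removed independently, and if the platform provides a central source of engineers' keys, read from that rather than maintaining a per-service copy. A comment in the consuming Terraform recording who owns these entries and how they are rotated would help the next maintainer.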
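Review bot: `bucket_force_destroy = true` on the bastion bucket, which the inline comment says holds logs as well as SSH public keys, means a `terraform destroy` or bucket replacement removes the bastion session logs without any prompt, defeating the 180-day `log_expiry_days` retention configured just below. For a bastion those logs are the record of who connected and when, so set `bucket_force_destroy = false` for production (or derive it from `local.environment`) and keep `bucket_versioning = true`. `allow_ssh_commands = false` and pinning the module to `ref=v4.0.0` are good choices.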
From 359435a7dadb8b84349d0bfe85f8d9c75cdeb967 Mon Sep 17 00:00:00 2001 From: Alistair Curtis Date: Thu, 8 Feb 2024 16:57:02 +0000 Subject: [PATCH 27/27] correct path for bastion_linux.json
--- .../environments/cdpt-ifs/{bastion.json => bastion_linux.json} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename terraform/environments/cdpt-ifs/{bastion.json => bastion_linux.json} (100%)
diff --git a/terraform/environments/cdpt-ifs/bastion.json b/terraform/environments/cdpt-ifs/bastion_linux.json similarity index 100% rename from terraform/environments/cdpt-ifs/bastion.json rename to terraform/environments/cdpt-ifs/bastion_linux.json