Config s3 bucket for nextcloud container + changes along the way (#6245)

ministryofjustice · May 29, 2024 · 0f9a7cf · 0f9a7cf
1 parent 763e362
commit 0f9a7cf
Show file tree

Hide file tree

Showing 12 changed files with 530 additions and 12 deletions.
diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/ecs.tf
@@ -27,6 +27,7 @@ module "ecs_policies" {
   env_name     = var.env_name
   service_name = var.name
   tags         = var.tags
+  extra_task_role_policies = var.extra_task_role_policies
 }
 
 module "ecs_service" {

diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/locals.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/locals.tf
@@ -44,7 +44,8 @@ locals {
   } : {}
 
   rds_secrets = var.rds_password_secret_variable != "" ? {
-    (var.rds_password_secret_variable) = "${aws_db_instance.this[0].master_user_secret[0].secret_arn}:password:AWSCURRENT"
+    (var.rds_password_secret_variable) = "${aws_db_instance.this[0].master_user_secret[0].secret_arn}:password::"
+    (var.rds_user_secret_variable) = "${aws_db_instance.this[0].master_user_secret[0].secret_arn}:username::"
   } : {}
 
   elasticache_env_vars = var.elasticache_endpoint_environment_variable != "" ? {

diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/outputs.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/outputs.tf
@@ -9,3 +9,24 @@ output "service_security_group_id" {
 output "rds_password_secret_arn" {
   value = var.create_rds ? "${aws_db_instance.this[0].master_user_secret[0].secret_arn}:password:AWSCURRENT" : null
 }
+
+output "task_role_arn" {
+  value = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
+}
+
+output "elasticache_endpoint" {
+  value = var.create_elasticache ? aws_elasticache_cluster.this[0].cache_nodes[0].address : null  
+}
+
+output "elasticache_port" {
+  value = var.create_elasticache ? aws_elasticache_cluster.this[0].port : null
+}
+
+
+output "rds_endpoint" {
+  value = var.create_rds ? aws_db_instance.this[0].address : null
+}
+
+output "rds_port" {
+  value = var.create_rds ? aws_db_instance.this[0].port : null
+}
diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/variables.tf
@@ -51,7 +51,13 @@ variable "rds_endpoint_environment_variable" {
 }
 
 variable "rds_password_secret_variable" {
-  description = "Secret variable to store the rds secretsmanager arn"
+  description = "Secret variable to store the rds secretsmanager arn password"
+  type        = string
+  default     = ""
+}
+
+variable "rds_user_secret_variable" {
+  description = "Secret variable to store the rds secretsmanager arn username"
   type        = string
   default     = ""
 }
@@ -520,3 +526,9 @@ variable "frontend_lb_arn_suffix" {
   description = "Used by alarms"
   type        = string
 }
+
+variable "extra_task_role_policies" {
+  description = "A map of data \"aws_iam_policy_document\" objects, keyed by name, to attach to the task role"
+  type        = map(any)
+  default     = {}
+}
diff --git a/terraform/environments/delius-nextcloud/modules/components/nextcloud/alb.tf b/terraform/environments/delius-nextcloud/modules/components/nextcloud/alb.tf
@@ -19,3 +19,13 @@ resource "aws_alb_listener" "nextcloud_https" {
     target_group_arn = module.nextcloud_service.target_group_arn
   }
 }
+
+resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_global_protect_allowlist" {
+  for_each          = toset(local.all_ingress_ips)
+  security_group_id = aws_security_group.nextcloud_alb_sg.id
+  description       = "Access into alb over https"
+  from_port         = "443"
+  to_port           = "443"
+  ip_protocol       = "tcp"
+  cidr_ipv4         = each.key # Global Protect VPN
+}
diff --git a/terraform/environments/delius-nextcloud/modules/components/nextcloud/ecs_service.tf b/terraform/environments/delius-nextcloud/modules/components/nextcloud/ecs_service.tf
@@ -10,7 +10,7 @@ module "nextcloud_service" {
 
   target_group_protocol_version = "HTTP1"
 
-  container_image = "nextcloud:latest"
+  container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-nextcloud:latest"
   container_port_config = [
     {
       containerPort = "80"
@@ -59,21 +59,25 @@ module "nextcloud_service" {
   alb_listener_rule_paths            = ["/"]
   microservice_lb_https_listener_arn = aws_alb_listener.nextcloud_https.arn
   microservice_lb                    = aws_alb.nextcloud
-  name                               = "nextcloud-poc"
+  name                               = "nextcloud"
+
+  extra_task_role_policies = {
+    "S3_BUCKET_CONFIG" = data.aws_iam_policy_document.s3_bucket_config
+  }
 
   create_rds               = true
   rds_engine               = "mariadb"
-  rds_engine_version       = "10.6"
+  rds_engine_version       = "10.5"
   rds_instance_class       = "db.t3.small"
   rds_allocated_storage    = 500
   rds_username             = "misnextcloud"
   rds_port                 = 3306
-  rds_parameter_group_name = "default.mariadb10.6"
+  rds_parameter_group_name = "default.mariadb10.5"
   rds_license_model        = "general-public-license"
-  snapshot_identifier      = "rds-090524-shared-key"
+  snapshot_identifier      = "nextcloud-dev-db-final-532c"
 
-  rds_allow_major_version_upgrade = false
-  rds_apply_immediately           = false
+  rds_allow_major_version_upgrade = true
+  rds_apply_immediately           = true
 
   create_elasticache               = true
   elasticache_engine               = "redis"
@@ -86,16 +90,17 @@ module "nextcloud_service" {
   db_ingress_security_groups = [aws_security_group.cluster.id]
 
   rds_endpoint_environment_variable         = "MYSQL_HOST"
+  rds_password_secret_variable = "MYSQL_PASSWORD"
+  rds_user_secret_variable     = "MYSQL_USER"
   elasticache_endpoint_environment_variable = "REDIS_HOST"
 
   container_vars_default = {
     MYSQL_DATABASE            = "nextcloud"
-    MYSQL_USER                = "dbadmin"
-    MYSQL_PASSWORD            = "password"
     REDIS_PORT                = "6379"
     REDIS_PASSWORD            = "password"
     NEXTCLOUD_ADMIN_USER      = "admin"
     NEXTCLOUD_TRUSTED_DOMAINS = aws_route53_record.nextcloud_external.fqdn
+    S3_BUCKET_CONFIG  = module.s3_bucket_config.bucket.id
   }
   container_vars_env_specific = {}
 
@@ -117,6 +122,8 @@ module "nextcloud_service" {
     aws.core-network-services = aws.core-network-services
   }
 
+  ignore_changes_service_task_definition = false
+
 }
 
 resource "aws_secretsmanager_secret" "nextcloud_admin_password" {
@@ -132,3 +139,14 @@ resource "random_password" "nextcloud_admin_password" {
   length  = 32
   special = true
 }
+
+
+data "aws_iam_policy_document" "s3_bucket_config" {
+  statement {
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject"
+    ]
+    resources = [module.s3_bucket_config.bucket.arn]
+  }
+}
diff --git a/terraform/environments/delius-nextcloud/modules/components/nextcloud/efs.tf b/terraform/environments/delius-nextcloud/modules/components/nextcloud/efs.tf
@@ -1,5 +1,5 @@
 module "nextcloud_efs" {
-  for_each = toset(["html", "custom_apps", "config", "data", "themes"])
+  for_each = toset(["html", "custom_apps", "data", "themes"])
 
   source = "../../../../delius-core/modules/helpers/efs"
 

diff --git a/terraform/environments/delius-nextcloud/modules/components/nextcloud/ip.tf b/terraform/environments/delius-nextcloud/modules/components/nextcloud/ip.tf
@@ -0,0 +1,3 @@
+module "ip_addresses" {
+  source = "../../../../../modules/ip_addresses"
+}
diff --git a/terraform/environments/delius-nextcloud/modules/components/nextcloud/locals.tf b/terraform/environments/delius-nextcloud/modules/components/nextcloud/locals.tf
@@ -13,4 +13,21 @@ locals {
   domain_type_main   = [for k, v in local.domain_types : v.type if k == "modernisation-platform.service.justice.gov.uk"]
   domain_type_sub    = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"]
 
+  globalprotect_ips = module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_alpha
+  unilink_ips = [
+    "194.75.210.216/29", # Unilink AOVPN
+    "83.98.63.176/29",   # Unilink AOVPN
+    "78.33.10.50/31",    # Unilink AOVPN
+    "78.33.10.52/30",    # Unilink AOVPN
+    "78.33.10.56/30",    # Unilink AOVPN
+    "78.33.10.60/32",    # Unilink AOVPN
+    "78.33.32.99/32",    # Unilink AOVPN
+    "78.33.32.100/30",   # Unilink AOVPN
+    "78.33.32.104/30",   # Unilink AOVPN
+    "78.33.32.108/32",   # Unilink AOVPN
+    "217.138.45.109/32", # Unilink AOVPN
+    "217.138.45.110/32", # Unilink AOVPN
+  ]
+  all_ingress_ips = concat(local.globalprotect_ips, local.unilink_ips)
+
 }
diff --git a/terraform/environments/delius-nextcloud/modules/components/nextcloud/s3.tf b/terraform/environments/delius-nextcloud/modules/components/nextcloud/s3.tf
@@ -0,0 +1,110 @@
+module "s3_bucket_config" {
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
+
+  providers = {
+    aws.bucket-replication = aws
+  }
+
+  bucket_prefix     = "${var.env_name}-config"
+  versioning_enabled = true
+  sse_algorithm      = "AES256"
+  # Useful guide - https://aws.amazon.com/blogs/storage/how-to-use-aws-datasync-to-migrate-data-between-amazon-s3-buckets/
+  bucket_policy_v2 = [{
+    effect = "Allow"
+    actions = [
+      "s3:ListBucket",
+      "s3:GetObject"
+    ]
+    principals = {
+      type = "AWS"
+      identifiers = [
+          module.nextcloud_service.task_role_arn,
+      ]
+    }
+  }]
+
+  ownership_controls = "BucketOwnerEnforced" # Disable all S3 bucket ACL
+
+  lifecycle_rule = [
+    {
+      id      = "main"
+      enabled = "Enabled"
+      prefix  = ""
+
+      tags = {
+        rule      = "log"
+        autoclean = "true"
+      }
+
+      noncurrent_version_transition = [
+        {
+          days          = 90
+          storage_class = "STANDARD_IA"
+          }, {
+          days          = 365
+          storage_class = "GLACIER"
+        }
+      ]
+
+      noncurrent_version_expiration = {
+        days = 730
+      }
+    }
+  ]
+
+  tags = var.tags
+}
+
+
+resource "random_password" "nextcloud_password_salt" {
+  length = 16
+}
+
+resource "aws_ssm_parameter" "nextcloud_secret" {
+  name  = "/${var.env_name}/nextcloud/secret"
+  type  = "SecureString"
+  value = "replace_me"
+  lifecycle {
+    ignore_changes = [ 
+      value
+     ]
+  }
+}
+
+data "aws_ssm_parameter" "nextcloud_secret" {
+  name = aws_ssm_parameter.nextcloud_secret.name
+}
+
+resource "aws_s3_object" "config" {
+  bucket = module.s3_bucket_config.bucket.id
+  key    = "config.json"
+  content = templatefile("${path.module}/templates/nextcloud-conf.json.tftpl",
+    {
+      nextcloud_passwordsalt = random_password.nextcloud_password_salt.result,
+      nextcloud_secret = data.aws_ssm_parameter.nextcloud_secret.value,
+      nextcloud_id = "nextcloud",
+      redis = {
+        host = module.nextcloud_service.elasticache_endpoint
+        port = module.nextcloud_service.elasticache_port
+      },
+      mail = {
+        server = "replace"
+        from_address = "replace"
+        domain = "replace"
+      }
+      nextcloud_s01ldap_agent_password = "replace"
+      fileshare_user_base = "replace"
+      standard_user_base = "replace"
+      fs_group_prefix = "replace"
+      ldap_host = "ldap.dev.delius-core.hmpps-development.modernisation-platform.internal"
+      pwm_url = "pwm.dev.delius-core.hmpps-development.modernisation-platform.service.justice.gov.uk"
+
+      fileshare_base_groups = "replace"
+      fileshare_user_base = "replace"
+      standard_user_base = "replace"
+
+      ldap_user = "cn=admin,ou=Users,dc=moj,dc=com"
+      nextcloud_s01ldap_agent_password = "replace"
+    }
+  )
+}