Merge pull request #6691 from ministryofjustice/main

update from main

terraform/environments/cdpt-ifs/application_variables.json

@@ -4,7 +4,7 @@
       "environment_name": "development",
       "container_port": 80,
       "client_id": "7ee6af8d-ea3c-4349-8765-644f2a1edf3b",
-      "ami_image_id": "ami-0bb2bf9a00240bf36",
+      "ami_image_id": "ami-084d79c0ad854f80b",
       "instance_type": "t3.xlarge",
       "app_count": 1,
       "ec2_desired_capacity": 1,

terraform/environments/cdpt-ifs/database.tf

@@ -10,7 +10,7 @@ resource "aws_db_instance" "database" {
   instance_class            = local.application_data.accounts[local.environment].db_instance_class
   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
   username                  = local.application_data.accounts[local.environment].db_user
-  password                  = aws_secretsmanager_secret_version.db_password.secret_string
+  password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
   vpc_security_group_ids    = [aws_security_group.db.id]
   depends_on                = [aws_security_group.db]
   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier

terraform/environments/cdpt-ifs/ecs.tf

@@ -133,7 +133,7 @@ resource "aws_ecs_task_definition" "ifs_task_definition" {
       secrets = [
         {
           name : "RDS_PASSWORD",
-          valueFrom : aws_secretsmanager_secret_version.db_password.arn
+          valueFrom : aws_secretsmanager_secret_version.dbase_password.arn
         }
       ],
     }

terraform/environments/cdpt-ifs/secrets.tf

@@ -1,13 +1,13 @@
-resource "aws_secretsmanager_secret" "db_password" {
-  name = "database_password"
+resource "aws_secretsmanager_secret" "dbase_password" {
+  name = "dbase_password"
 }
 
 resource "random_password" "password_long" {
   length  = 32
   special = false
 }
 
-resource "aws_secretsmanager_secret_version" "db_password" {
-  secret_id     = aws_secretsmanager_secret.db_password.id
+resource "aws_secretsmanager_secret_version" "dbase_password" {
+  secret_id     = aws_secretsmanager_secret.dbase_password.id
   secret_string = random_password.password_long.result
 }

terraform/environments/delius-core/locals_development.tf

@@ -104,7 +104,7 @@ locals {
       rds_engine_version          = "15"
       rds_instance_class          = "db.t3.small"
       rds_allocated_storage       = 30
-      rds_username                = "postgres"
+      rds_username                = "dbadmin"
       rds_port                    = 5432
       rds_license_model           = "postgresql-license"
       rds_deletion_protection     = false

terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf

@@ -138,6 +138,8 @@ resource "aws_iam_policy" "ec2_access_for_ansible" {
 #  policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
 #}
 
+# Policy document for both Oracle database DBA and application secrets
+
 data "aws_iam_policy_document" "db_access_to_secrets_manager" {
   statement {
     sid = "DbAccessToSecretsManager"
@@ -151,41 +153,20 @@ data "aws_iam_policy_document" "db_access_to_secrets_manager" {
     ]
     effect = "Allow"
     resources = [
-      aws_secretsmanager_secret.delius_core_dba_passwords.arn
-    ]
-  }
-}
-
-data "aws_iam_policy_document" "allow_access_to_delius_application_passwords" {
-  statement {
-    sid     = "DbAccessToDeliusSecretsManager"
-    actions = ["secretsmanager:GetSecretValue"]
-    effect  = "Allow"
-    resources = [
-      "arn:aws:secretsmanager:*:${local.delius_account_id}:secret:delius-core-${var.env_name}-oracle-db-application-passwords*"
+      aws_secretsmanager_secret.delius_core_dba_passwords.arn,
+      aws_secretsmanager_secret.delius_core_application_passwords.arn,
     ]
   }
 }
 
-data "aws_iam_policy_document" "combined_policy_documents" {
-  source_policy_documents = flatten([
-    data.aws_iam_policy_document.db_access_to_secrets_manager.json,
-    data.aws_iam_policy_document.allow_access_to_delius_application_passwords.json
-  ])
-}
+# Policy to allow access to both Oracle database DBA and application secrets
 
 resource "aws_iam_policy" "db_access_to_secrets_manager" {
   name   = "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-secrets-manager-access"
-  policy = data.aws_iam_policy_document.combined_policy_documents.json
+  policy = data.aws_iam_policy_document.db_access_to_secrets_manager.json
 }
 
 
-#resource "aws_iam_role_policy_attachment" "db_access_to_secrets_manager" {
-#  role       = aws_iam_role.db_ec2_instance_iam_role.name
-#  policy_arn = aws_iam_policy.db_access_to_secrets_manager.arn
-#}
-
-
 data "aws_iam_policy_document" "instance_ssm" {
   statement {
     sid    = "SSMManagedSSM"

terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf

@@ -17,6 +17,8 @@ locals {
 
   delius_account_id = var.platform_vars.environment_management.account_ids[join("-", ["delius-core", var.account_info.mp_environment])]
 
+  has_mis_environment = lookup(var.environment_config, "has_mis_environment", false)
+
   oracle_statistics_map = {
     "dev" = {
       #       "target_account_id"  = var.platform_vars.environment_management.account_ids["delius-core-test"]
@@ -65,5 +67,4 @@ locals {
 
   oracle_backup_bucket_prefix = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-backups"
 
-
 }

terraform/environments/delius-core/modules/components/oracle_db_shared/secrets.tf

@@ -1,3 +1,5 @@
+# Oracle Database DBA Secret
+
 resource "aws_secretsmanager_secret" "delius_core_dba_passwords" {
   name        = local.dba_secret_name
   description = "DBA Users Credentials"
@@ -22,3 +24,34 @@ resource "aws_secretsmanager_secret_policy" "delius_core_dba_passwords" {
   secret_arn = aws_secretsmanager_secret.delius_core_dba_passwords.arn
   policy     = data.aws_iam_policy_document.delius_core_dba_passwords.json
 }
+
+# Oracle Database Application Secret
+
+resource "aws_secretsmanager_secret" "delius_core_application_passwords" {
+  name        = local.application_secret_name
+  description = "Application Users Credentials"
+  kms_key_id  = var.account_config.kms_keys.general_shared
+  tags        = var.tags
+}
+
+# Allow Access To Delius Core Application Secret From MIS Primary EC2 Instance Role
+
+data "aws_iam_policy_document" "delius_core_application_passwords" {
+  count = local.has_mis_environment && var.account_info.application_name == "delius-core" ? 1 : 0
+  statement {
+    sid    = "MisAWSAccountToReadTheSecret"
+    effect = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${local.mis_account_id}:role/instance-role-delius-mis-${var.env_name}-mis-db-1"]
+    }
+    actions   = ["secretsmanager:GetSecretValue"]
+    resources = [aws_secretsmanager_secret.delius_core_application_passwords.arn]
+  }
+}
+
+resource "aws_secretsmanager_secret_policy" "delius_core_application_passwords" {
+  count = local.has_mis_environment && var.account_info.application_name == "delius-core" ? 1 : 0
+  secret_arn = aws_secretsmanager_secret.delius_core_application_passwords.arn
+  policy     = data.aws_iam_policy_document.delius_core_application_passwords[count.index].json
+}

terraform/environments/delius-core/modules/delius_environment/database.tf

@@ -122,54 +122,4 @@ module "oracle_db_standby" {
   providers = {
     aws.core-vpc = aws.core-vpc
   }
-}
-
-resource "aws_secretsmanager_secret" "delius_core_application_passwords_secret" {
-  count = local.has_mis_environment ? 1 : 0
-
-  name        = local.application_secret_name
-  description = "Application Users Credentials"
-  kms_key_id  = var.account_config.kms_keys.general_shared
-  tags        = var.tags
-}
-
-data "aws_iam_policy_document" "delius_core_application_passwords_policy_doc" {
-
-  count = local.has_mis_environment ? 1 : 0
-  statement {
-    sid    = "MisAWSAccountToReadTheSecret"
-    effect = "Allow"
-    principals {
-      type        = "AWS"
-      identifiers = ["arn:aws:iam::${local.mis_account_id}:role/instance-role-delius-mis-${var.env_name}-mis-db-1"]
-    }
-    actions   = ["secretsmanager:GetSecretValue"]
-    resources = [aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn]
-  }
-}
-
-resource "aws_secretsmanager_secret_policy" "delius_core_application_passwords_pol" {
-  count = local.has_mis_environment ? 1 : 0
-
-  secret_arn = aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn
-  policy     = data.aws_iam_policy_document.delius_core_application_passwords_policy_doc[count.index].json
-}
-
-data "aws_iam_policy_document" "db_access_to_secrets_manager" {
-  count = local.has_mis_environment ? 1 : 0
-  statement {
-    sid = "DbAccessToSecretsManager"
-    actions = [
-      "secretsmanager:Describe*",
-      "secretsmanager:Get*",
-      "secretsmanager:ListSecret*",
-      "secretsmanager:Put*",
-      "secretsmanager:RestoreSecret",
-      "secretsmanager:Update*"
-    ]
-    effect = "Allow"
-    resources = [
-      aws_secretsmanager_secret.delius_core_application_passwords_secret[count.index].arn
-    ]
-  }
-}
+}

terraform/environments/delius-core/modules/delius_environment/gdpr_api_service.tf

@@ -46,7 +46,7 @@ module "gdpr_api_service" {
   rds_backup_retention_period = var.delius_microservice_configs.gdpr_api.rds_backup_retention_period
   rds_backup_window           = var.delius_microservice_configs.gdpr_api.rds_backup_window
   rds_deletion_protection     = var.delius_microservice_configs.gdpr_api.rds_deletion_protection
-  snapshot_identifier         = var.delius_microservice_configs.gdpr_api.snapshot_identifier
+  snapshot_identifier         = data.aws_ssm_parameter.gdpr_api_snapshot_identifier.value
   rds_skip_final_snapshot     = var.delius_microservice_configs.gdpr_api.rds_skip_final_snapshot
 
   container_vars_default = {
@@ -80,3 +80,20 @@ module "gdpr_api_service" {
   frontend_lb_arn_suffix  = aws_lb.delius_core_frontend.arn_suffix
   enable_platform_backups = var.enable_platform_backups
 }
+
+#######################
+#   GDPR API Params   #
+#######################
+
+resource "aws_ssm_parameter" "gpdr_api_snapshot_identifier" {
+  name  = "/delius-core-${var.env_name}/gdpr-api/snapshot_id"
+  type  = "String"
+  value = "DEFAULT"
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
+
+data "aws_ssm_parameter" "gdpr_api_snapshot_identifier" {
+  name = aws_ssm_parameter.gpdr_api_snapshot_identifier.name
+}

terraform/environments/delius-core/modules/delius_environment/locals.tf

@@ -42,5 +42,4 @@ locals {
   application_secret_name = "${local.secret_prefix}-application-passwords"
   mis_account_id          = var.platform_vars.environment_management.account_ids[join("-", ["delius-mis", var.account_info.mp_environment])]
 
-  has_mis_environment = lookup(var.environment_config, "has_mis_environment", false)
 }

terraform/environments/delius-core/modules/delius_environment/merge_api_service.tf

@@ -36,7 +36,7 @@ module "merge_api_service" {
   rds_username                = var.delius_microservice_configs.merge_api.rds_username
   rds_license_model           = var.delius_microservice_configs.merge_api.rds_license_model
   rds_deletion_protection     = var.delius_microservice_configs.merge_api.rds_deletion_protection
-  snapshot_identifier         = var.delius_microservice_configs.merge_api.snapshot_identifier
+  snapshot_identifier         = data.aws_ssm_parameter.merge_api_snapshot_identifier.value
   rds_skip_final_snapshot     = var.delius_microservice_configs.merge_api.rds_skip_final_snapshot
   maintenance_window          = var.delius_microservice_configs.merge_api.maintenance_window
   rds_backup_retention_period = var.delius_microservice_configs.merge_api.rds_backup_retention_period
@@ -79,3 +79,20 @@ module "merge_api_service" {
   frontend_lb_arn_suffix  = aws_lb.delius_core_frontend.arn_suffix
   enable_platform_backups = var.enable_platform_backups
 }
+
+#######################
+#   Merge API Params  #
+#######################
+
+resource "aws_ssm_parameter" "merge_api_snapshot_identifier" {
+  name  = "/delius-core-${var.env_name}/merge-api/snapshot_id"
+  type  = "String"
+  value = "DEFAULT"
+  lifecycle {
+    ignore_changes = [value]
+  }
+}
+
+data "aws_ssm_parameter" "merge_api_snapshot_identifier" {
+  name = aws_ssm_parameter.merge_api_snapshot_identifier.name
+}

terraform/environments/digital-prison-reporting/data.tf

@@ -29,6 +29,21 @@ data "aws_secretsmanager_secret_version" "datamart" {
   depends_on = [aws_secretsmanager_secret.redshift]
 }
 
+# Operational DataStore Secrets for use in DataHub
+data "aws_secretsmanager_secret" "operational_datastore" {
+  count = (local.environment == "development" ? 1 : 0)
+  name  = aws_secretsmanager_secret.operational_datastore[0].id
+
+  depends_on = [aws_secretsmanager_secret_version.operational_datastore[0]]
+}
+
+data "aws_secretsmanager_secret_version" "operational_datastore" {
+  count     = (local.environment == "development" ? 1 : 0)
+  secret_id = data.aws_secretsmanager_secret.operational_datastore[0].id
+
+  depends_on = [aws_secretsmanager_secret.operational_datastore[0]]
+}
+
 
 # AWS _IAM_ Policy
 data "aws_iam_policy" "rds_full_access" {

terraform/environments/digital-prison-reporting/locals.tf

@@ -323,6 +323,12 @@ locals {
     port     = "5432"
   }
 
+  # Operational DataStore Secrets PlaceHolder
+  operational_datastore_secrets_placeholder = {
+    username = "placeholder"
+    password = "placeholder"
+  }
+
   # biprws Secrets Placeholder
   enable_biprws_secrets = local.application_data.accounts[local.environment].biprws.enable
   biprws_secrets_placeholder = {

terraform/environments/digital-prison-reporting/operational_datastore.tf

@@ -0,0 +1,45 @@
+resource "aws_glue_connection" "glue_operational_datastore_connection" {
+  count           = (local.environment == "development" ? 1 : 0)
+  name            = "${local.project}-operational-datastore-connection"
+  connection_type = "JDBC"
+
+  connection_properties = {
+    # This will be replaced by the details for the real Operational Data Store
+    JDBC_CONNECTION_URL = "jdbc:postgresql://dpr2-834-instance-1.cja8lnnvvipo.eu-west-2.rds.amazonaws.com:5432/postgres"
+    SECRET_ID           = data.aws_secretsmanager_secret.operational_datastore[0].name
+  }
+
+  physical_connection_requirements {
+    availability_zone = data.aws_subnet.private_subnets_a.availability_zone
+    security_group_id_list = [aws_security_group.glue_operational_datastore_connection_sg[0].id]
+    subnet_id         = data.aws_subnet.private_subnets_a.id
+  }
+}
+
+resource aws_security_group "glue_operational_datastore_connection_sg" {
+  count       = (local.environment == "development" ? 1 : 0)
+  name        = "${local.project}-operational-datastore-connection_sg"
+  description = "Security group to allow glue access to Operational Datastore via JDBC Connection"
+  vpc_id      = data.aws_vpc.shared.id
+
+  # This SG is attached to the Glue connection and should also be attached to the Operational Datastore RDS
+  # See https://docs.aws.amazon.com/glue/latest/dg/setup-vpc-for-glue-access.html
+
+  # A self-referencing inbound rule for all TCP ports to enable AWS Glue to communicate between its components
+  ingress {
+    from_port = 0
+    to_port   = 65535
+    protocol  = "TCP"
+    self      = true
+    description = "Security Group can Ingress to itself on all ports - required for Glue to communicate with itself"
+  }
+
+  # Allow all traffic out
+  egress {
+    from_port = 0
+    to_port   = 0
+    protocol  = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+    description = "Allow all traffic out from this Security Group"
+  }
+}