Skip to content

Commit

Permalink
DSOS-2927: permissions for letsencrypt acme v2 (#7597)
Browse files Browse the repository at this point in the history 
* add tags and policy for PlanetFM for LetsEncrypt certs

* undo last change

* update tag

* remove cert-cn tag, putting code in config management instead

* add azure DNS zones for backward compat
  • Loading branch information
@drobinson-moj
drobinson-moj authored Aug 23, 2024
1 parent 7fc0b86 commit 2c65757
Show file tree
Hide file tree
Showing 4 changed files with 91 additions and 45 deletions.
29 changes: 0 additions & 29 deletions terraform/environments/hmpps-domain-services/locals_preproduction.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,9 +88,6 @@ locals {
pp-rds-1-a = merge(local.ec2_instances.rds, {
config = merge(local.ec2_instances.rds.config, {
availability_zone = "eu-west-2a"
instance_profile_policies = concat(local.ec2_instances.rds.config.instance_profile_policies, [
"Ec2PpRdsPolicy",
])
})
tags = merge(local.ec2_instances.rds.tags, {
description = "Remote Desktop Services for azure.hmpp.root domain"
Expand All @@ -99,32 +96,6 @@ locals {
})
}

iam_policies = {
Ec2PpRdsPolicy = {
description = "Permissions required for POSH-ACME Route53 Plugin"
statements = [
{
effect = "Allow"
actions = [
"route53:ListHostedZones",
]
resources = ["*"]
},
{
effect = "Allow"
actions = [
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ChangeResourceRecordSets"
]
resources = [
"arn:aws:route53:::hostedzone/*",
]
},
]
}
}

lbs = {
public = merge(local.lbs.public, {
instance_target_groups = {
Expand Down
1 change: 1 addition & 0 deletions terraform/environments/planetfm/locals_ec2_instances.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,7 @@ locals {
backup = "false"
component = "web"
os-type = "Windows"
server-type = "PlanetFMWeb"
update-ssm-agent = "patchgroup1"
}
}
Expand Down
39 changes: 35 additions & 4 deletions terraform/environments/planetfm/locals_preproduction.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -94,7 +94,6 @@ locals {
})
tags = merge(local.ec2_instances.db.tags, {
ami = "pp-cafm-db-a"
app-config-status = "pending"
description = "SQL Server"
instance-scheduling = "skip-scheduling"
pre-migration = "PPFDW0030"
Expand All @@ -106,6 +105,9 @@ locals {
config = merge(local.ec2_instances.web.config, {
ami_name = "pp-cafm-w-4-b"
availability_zone = "eu-west-2b"
instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
"Ec2PpWebPolicy",
])
})
ebs_volumes = {
"/dev/sda1" = { type = "gp3", size = 128 } # root volume
Expand All @@ -126,14 +128,17 @@ locals {
config = merge(local.ec2_instances.web.config, {
ami_name = "pp-cafm-w-5-a"
availability_zone = "eu-west-2a"
instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
"Ec2PpWebPolicy",
])
})
ebs_volumes = {
"/dev/sda1" = { type = "gp3", size = 128 } # root volume
}
instance = merge(local.ec2_instances.web.instance, {
disable_api_termination = true
instance_type = "t3.large"
})
ebs_volumes = {
"/dev/sda1" = { type = "gp3", size = 128 } # root volume
}
tags = merge(local.ec2_instances.web.tags, {
ami = "pp-cafm-w-5-a"
description = "Migrated server PPFWW0005 Web Portal Server"
Expand All @@ -143,6 +148,32 @@ locals {
})
}

iam_policies = {
Ec2PpWebPolicy = {
description = "Permissions required for POSH-ACME Route53 Plugin"
statements = [
{
effect = "Allow"
actions = [
"route53:ListHostedZones",
]
resources = ["*"]
},
{
effect = "Allow"
actions = [
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ChangeResourceRecordSets"
]
resources = [
"arn:aws:route53:::hostedzone/*",
]
},
]
}
}

lbs = {
private = merge(local.lbs.private, {
instance_target_groups = {
Expand Down
67 changes: 55 additions & 12 deletions terraform/environments/planetfm/locals_production.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -160,11 +160,10 @@ locals {
instance_type = "r6i.4xlarge"
})
tags = merge(local.ec2_instances.db.tags, {
app-config-status = "pending"
ami = "pd-cafm-db-a"
description = "SQL Server"
pre-migration = "PDFDW0030"
update-ssm-agent = "patchgroup1"
ami = "pd-cafm-db-a"
description = "SQL Server"
pre-migration = "PDFDW0030"
update-ssm-agent = "patchgroup1"
})
})

Expand Down Expand Up @@ -193,11 +192,10 @@ locals {
instance_type = "r6i.4xlarge"
})
tags = merge(local.ec2_instances.db.tags, {
app-config-status = "pending"
ami = "pd-cafm-db-b"
description = "SQL resilient Server"
pre-migration = "PDFDW0031"
update-ssm-agent = "patchgroup2"
ami = "pd-cafm-db-b"
description = "SQL resilient Server"
pre-migration = "PDFDW0031"
update-ssm-agent = "patchgroup2"
})
})

Expand All @@ -210,6 +208,9 @@ locals {
config = merge(local.ec2_instances.web.config, {
ami_name = "pd-cafm-w-36-b"
availability_zone = "eu-west-2b"
instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
"Ec2PdWebPolicy",
])
})
ebs_volumes = {
"/dev/sda1" = { type = "gp3", size = 128 } # root volume
Expand All @@ -235,6 +236,9 @@ locals {
config = merge(local.ec2_instances.web.config, {
ami_name = "pd-cafm-w-37-a"
availability_zone = "eu-west-2a"
instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
"Ec2PdWebPolicy",
])
})
ebs_volumes = {
"/dev/sda1" = { type = "gp3", size = 128 } # root volume
Expand All @@ -245,9 +249,9 @@ locals {
instance_type = "t3.xlarge"
})
tags = {
pre-migration = "PFWW00037"
description = "CAFM Assessment Management"
ami = "pd-cafm-w-37-a"
description = "CAFM Assessment Management"
pre-migration = "PFWW00037"
update-ssm-agent = "patchgroup1"
}
})
Expand All @@ -260,6 +264,9 @@ locals {
config = merge(local.ec2_instances.web.config, {
ami_name = "pd-cafm-w-38-b"
availability_zone = "eu-west-2b"
instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
"Ec2PdWebPolicy",
])
})
ebs_volumes = {
"/dev/sda1" = { type = "gp3", size = 128 } # root volume
Expand All @@ -278,6 +285,32 @@ locals {
})
}

iam_policies = {
Ec2PdWebPolicy = {
description = "Permissions required for POSH-ACME Route53 Plugin"
statements = [
{
effect = "Allow"
actions = [
"route53:ListHostedZones",
]
resources = ["*"]
},
{
effect = "Allow"
actions = [
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ChangeResourceRecordSets"
]
resources = [
"arn:aws:route53:::hostedzone/*",
]
},
]
}
}

lbs = {
private = merge(local.lbs.private, {
access_logs_lifecycle_rule = [module.baseline_presets.s3_lifecycle_rules.general_purpose_one_year]
Expand Down Expand Up @@ -349,6 +382,16 @@ locals {
}

route53_zones = {
"cafmtrainweb.az.justice.gov.uk" = {
lb_alias_records = [
{ name = "", type = "A", lbs_map_key = "private" },
]
}
"cafmwebx2.az.justice.gov.uk" = {
records = [
{ name = "", type = "A", ttl = 300, records = ["10.40.15.201"] },
]
}
"planetfm.service.justice.gov.uk" = {
records = [
{ name = "_a6a2b9e651b91ed3f1e906b4f1c3c317", type = "CNAME", ttl = 86400, records = ["_c4257165635a7b495df6c4fbd986c09f.mhbtsbpdnt.acm-validations.aws"] },
Expand Down

0 comments on commit 2c65757

Please sign in to comment.