From 2c6575744efe16ab9e32dfe822f5833984747fc3 Mon Sep 17 00:00:00 2001
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date: Fri, 23 Aug 2024 11:13:10 +0100
Subject: [PATCH] DSOS-2927: permissions for letsencrypt acme v2 (#7597)
* add tags and policy for PlanetFM for LetsEncrypt certs
* undo last change
* update tag
* remove cert-cn tag, putting code in config management instead
* add azure DNS zones for backward compat
---
.../locals_preproduction.tf | 29 --------
.../planetfm/locals_ec2_instances.tf | 1 +
.../planetfm/locals_preproduction.tf | 39 +++++++++--
.../planetfm/locals_production.tf | 67 +++++++++++++++----
4 files changed, 91 insertions(+), 45 deletions(-)
diff --git a/terraform/environments/hmpps-domain-services/locals_preproduction.tf b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
index 326e8fd6bdd..8a38912d500 100644
--- a/terraform/environments/hmpps-domain-services/locals_preproduction.tf
+++ b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
@@ -88,9 +88,6 @@ locals {
 pp-rds-1-a = merge(local.ec2_instances.rds, {
 config = merge(local.ec2_instances.rds.config, {
 availability_zone = "eu-west-2a"
- instance_profile_policies = concat(local.ec2_instances.rds.config.instance_profile_policies, [
- "Ec2PpRdsPolicy",
- ])
 })
 tags = merge(local.ec2_instances.rds.tags, {
 description = "Remote Desktop Services for azure.hmpp.root domain"
@@ -99,32 +96,6 @@ locals {
 })
 }
 
- iam_policies = {
- Ec2PpRdsPolicy = {
- description = "Permissions required for POSH-ACME Route53 Plugin"
- statements = [
- {
- effect = "Allow"
- actions = [
- "route53:ListHostedZones",
- ]
- resources = ["*"]
- },
- {
- effect = "Allow"
- actions = [
- "route53:GetHostedZone",
- "route53:ListResourceRecordSets",
- "route53:ChangeResourceRecordSets"
- ]
- resources = [
- "arn:aws:route53:::hostedzone/*",
- ]
- },
- ]
- }
- }
-
 lbs = {
 public = merge(local.lbs.public, {
 instance_target_groups = {
diff --git a/terraform/environments/planetfm/locals_ec2_instances.tf b/terraform/environments/planetfm/locals_ec2_instances.tf
index 62cdf802363..ca133d60f4d 100644
--- a/terraform/environments/planetfm/locals_ec2_instances.tf
+++ b/terraform/environments/planetfm/locals_ec2_instances.tf
@@ -123,6 +123,7 @@ locals {
 backup = "false"
 component = "web"
 os-type = "Windows"
+ server-type = "PlanetFMWeb"
 update-ssm-agent = "patchgroup1"
 }
 }
diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf
index fa5a0659a99..d395d8665cd 100644
--- a/terraform/environments/planetfm/locals_preproduction.tf
+++ b/terraform/environments/planetfm/locals_preproduction.tf
@@ -94,7 +94,6 @@ locals {
 })
 tags = merge(local.ec2_instances.db.tags, {
 ami = "pp-cafm-db-a"
- app-config-status = "pending"
 description = "SQL Server"
 instance-scheduling = "skip-scheduling"
 pre-migration = "PPFDW0030"
@@ -106,6 +105,9 @@ locals {
 config = merge(local.ec2_instances.web.config, {
 ami_name = "pp-cafm-w-4-b"
 availability_zone = "eu-west-2b"
+ instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
+ "Ec2PpWebPolicy",
+ ])
 })
 ebs_volumes = {
 "/dev/sda1" = { type = "gp3", size = 128 } # root volume
@@ -126,14 +128,17 @@ locals {
 config = merge(local.ec2_instances.web.config, {
 ami_name = "pp-cafm-w-5-a"
 availability_zone = "eu-west-2a"
+ instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
+ "Ec2PpWebPolicy",
+ ])
 })
+ ebs_volumes = {
+ "/dev/sda1" = { type = "gp3", size = 128 } # root volume
+ }
 instance = merge(local.ec2_instances.web.instance, {
 disable_api_termination = true
 instance_type = "t3.large"
 })
- ebs_volumes = {
- "/dev/sda1" = { type = "gp3", size = 128 } # root volume
- }
 tags = merge(local.ec2_instances.web.tags, {
 ami = "pp-cafm-w-5-a"
 description = "Migrated server PPFWW0005 Web Portal Server"
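Review bot: The new `server-type = "PlanetFMWeb"` tag on the shared `web` entry in locals_ec2_instances.tf has no comment saying what reads it; the commit message implies config management now keys the certificate setup off this tag in place of the removed cert-cn tag, but nothing in the hunk shows the consumer. A one-line comment such as `# server-type is read by config management to pick the certificate/ACME role — confirm consumer` would stop the next maintainer from treating it as a free-form label. Because the tag lives on the shared base entry, only instances that build their tags with `merge(local.ec2_instances.web.tags, …)` will carry it, so any web instance using a literal `tags = {` map should be checked. The enclosing `web` definition starts before this hunk.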
@@ -143,6 +148,32 @@ locals {
 })
 }
 
+ iam_policies = {
+ Ec2PpWebPolicy = {
+ description = "Permissions required for POSH-ACME Route53 Plugin"
+ statements = [
+ {
+ effect = "Allow"
+ actions = [
+ "route53:ListHostedZones",
+ ]
+ resources = ["*"]
+ },
+ {
+ effect = "Allow"
+ actions = [
+ "route53:GetHostedZone",
+ "route53:ListResourceRecordSets",
+ "route53:ChangeResourceRecordSets"
+ ]
+ resources = [
+ "arn:aws:route53:::hostedzone/*",
+ ]
+ },
+ ]
+ }
+ }
+
 lbs = {
 private = merge(local.lbs.private, {
 instance_target_groups = {
diff --git a/terraform/environments/planetfm/locals_production.tf b/terraform/environments/planetfm/locals_production.tf
index 556a764308d..a8aa73adbde 100644
--- a/terraform/environments/planetfm/locals_production.tf
+++ b/terraform/environments/planetfm/locals_production.tf
@@ -160,11 +160,10 @@ locals {
 instance_type = "r6i.4xlarge"
 })
 tags = merge(local.ec2_instances.db.tags, {
- app-config-status = "pending"
- ami = "pd-cafm-db-a"
- description = "SQL Server"
- pre-migration = "PDFDW0030"
- update-ssm-agent = "patchgroup1"
+ ami = "pd-cafm-db-a"
+ description = "SQL Server"
+ pre-migration = "PDFDW0030"
+ update-ssm-agent = "patchgroup1"
 })
 })
 
@@ -193,11 +192,10 @@ locals {
 instance_type = "r6i.4xlarge"
 })
 tags = merge(local.ec2_instances.db.tags, {
- app-config-status = "pending"
- ami = "pd-cafm-db-b"
- description = "SQL resilient Server"
- pre-migration = "PDFDW0031"
- update-ssm-agent = "patchgroup2"
+ ami = "pd-cafm-db-b"
+ description = "SQL resilient Server"
+ pre-migration = "PDFDW0031"
+ update-ssm-agent = "patchgroup2"
 })
 })
 
@@ -210,6 +208,9 @@ locals {
 config = merge(local.ec2_instances.web.config, {
 ami_name = "pd-cafm-w-36-b"
 availability_zone = "eu-west-2b"
+ instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
+ "Ec2PdWebPolicy",
+ ])
 })
 ebs_volumes = {
 "/dev/sda1" = { type = "gp3", size = 128 } # root volume
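Review bot: The second statement of `Ec2PpWebPolicy` allows `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, so the pre-production web instances' profile can rewrite records in every hosted zone the account holds, not just the zones these certificates are issued for; DNS-01 validation only needs to create and delete `_acme-challenge` TXT records. Narrowing `resources` to the specific hosted zone ARNs (`"arn:aws:route53:::hostedzone/<ZONE_ID placeholder>"`) and, if the module's policy schema accepts a condition block, restricting `route53:ChangeResourceRecordSetsRecordTypes` to `TXT` and `route53:ChangeResourceRecordSetsNormalizedRecordNames` to `_acme-challenge.*` would limit a compromised web host to the challenge records. `route53:ListHostedZones` on `"*"` is unavoidable since that API is not resource-scoped, but `GetHostedZone` and `ListResourceRecordSets` can take the same narrowed ARNs. The identical wildcard appears verbatim in `Ec2PdWebPolicy` in locals_production.tf (hunk @@ -278,6 +285,32) and matches the policy removed from hmpps-domain-services; a single shared definition would keep them from drifting.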
@@ -235,6 +236,9 @@ locals {
 config = merge(local.ec2_instances.web.config, {
 ami_name = "pd-cafm-w-37-a"
 availability_zone = "eu-west-2a"
+ instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
+ "Ec2PdWebPolicy",
+ ])
 })
 ebs_volumes = {
 "/dev/sda1" = { type = "gp3", size = 128 } # root volume
@@ -245,9 +249,9 @@ locals {
 instance_type = "t3.xlarge"
 })
 tags = {
- pre-migration = "PFWW00037"
- description = "CAFM Assessment Management"
 ami = "pd-cafm-w-37-a"
+ description = "CAFM Assessment Management"
+ pre-migration = "PFWW00037"
 update-ssm-agent = "patchgroup1"
 }
 })
@@ -260,6 +264,9 @@ locals {
 config = merge(local.ec2_instances.web.config, {
 ami_name = "pd-cafm-w-38-b"
 availability_zone = "eu-west-2b"
+ instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [
+ "Ec2PdWebPolicy",
+ ])
 })
 ebs_volumes = {
 "/dev/sda1" = { type = "gp3", size = 128 } # root volume
@@ -278,6 +285,32 @@ locals {
 })
 }
 
+ iam_policies = {
+ Ec2PdWebPolicy = {
+ description = "Permissions required for POSH-ACME Route53 Plugin"
+ statements = [
+ {
+ effect = "Allow"
+ actions = [
+ "route53:ListHostedZones",
+ ]
+ resources = ["*"]
+ },
+ {
+ effect = "Allow"
+ actions = [
+ "route53:GetHostedZone",
+ "route53:ListResourceRecordSets",
+ "route53:ChangeResourceRecordSets"
+ ]
+ resources = [
+ "arn:aws:route53:::hostedzone/*",
+ ]
+ },
+ ]
+ }
+ }
+
 lbs = {
 private = merge(local.lbs.private, {
 access_logs_lifecycle_rule = [module.baseline_presets.s3_lifecycle_rules.general_purpose_one_year]
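Review bot: In hunk @@ -245,9 +249,9 the `pd-cafm-w-37-a` instance builds its tags as a literal `tags = {` map rather than `merge(local.ec2_instances.web.tags, { … })` as the other web instances in this file do, so it does not inherit the shared web tags, including the `server-type = "PlanetFMWeb"` tag this commit adds in locals_ec2_instances.tf, even though the `config` block just above appears to derive from `local.ec2_instances.web.config` and now carries `Ec2PdWebPolicy`. If config management selects the certificate setup by that tag, this host would be skipped while still holding the Route53 write permission. Changing the opening line to `tags = merge(local.ec2_instances.web.tags, {` and the closing `}` to `})` would align it; confirm the other base tags (backup, component, os-type) are wanted on this instance. The enclosing instance definition starts before this hunk.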
@@ -349,6 +382,16 @@ locals {
 }
 
 route53_zones = {
+ "cafmtrainweb.az.justice.gov.uk" = {
+ lb_alias_records = [
+ { name = "", type = "A", lbs_map_key = "private" },
+ ]
+ }
+ "cafmwebx2.az.justice.gov.uk" = {
+ records = [
+ { name = "", type = "A", ttl = 300, records = ["10.40.15.201"] },
+ ]
+ }
 "planetfm.service.justice.gov.uk" = {
 records = [
 { name = "_a6a2b9e651b91ed3f1e906b4f1c3c317", type = "CNAME", ttl = 86400, records = ["_c4257165635a7b495df6c4fbd986c09f.mhbtsbpdnt.acm-validations.aws"] },
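Review bot: The new `cafmwebx2.az.justice.gov.uk` zone publishes a static A record for `10.40.15.201`, and nothing in the hunk shows whether this zone is private or public; if it is public the record exposes an internal address, whereas the sibling `cafmtrainweb.az.justice.gov.uk` zone uses an alias to the private load balancer instead. The commit message describes these zones as backward-compatibility additions, but the code does not record that, so a comment such as `# backward-compat zones for the former Azure hostnames (DSOS-2927) — confirm retirement plan` would make the intent and lifetime clear. The `route53_zones` map continues past this hunk.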