Merge branch 'main' of https://github.com/ministryofjustice/modernisa…

…tion-platform-environments into ELM-3031_generate_partitioned_rowhash_values

.devcontainer/README.md

@@ -1,36 +1,37 @@
 # Dev Container
 
+> [!NOTE]
 > This is a community supported feature
 
-To assist in the development of `modernisation-platform-environments`, the community have built a [dev container](https://containers.dev/) with the required tooling
+To assist with working on this repository, the community has configured a [dev container](https://containers.dev/) with the required tooling.
 
-## Prerequisites
+You can run this locally, or with [GitHub Codespaces](https://docs.github.com/en/codespaces/overview).
 
-- GitHub Codespaces
+## Locally
 
-or
+> [!WARNING]  
+> This has only been tested on macOS
+
+### Prerequisites
 
 - Docker
 
 - Visual Studio Code
 
   - Dev Containers Extention
 
-## Running
-
-### GitHub Codespaces
-
-Launch from GitHub
+To launch locally, ensure the prerequisites are met, and then click the button below
 
-### Locally
+[![Open in Dev Container](https://raw.githubusercontent.com/ministryofjustice/.devcontainer/refs/heads/main/contrib/badge.svg)](https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/ministryofjustice/modernisation-platform-environments)
 
-1. Ensure prerequisites are met
+## GitHub Codespaces
 
-1. Clone repository
+> [!IMPORTANT]  
+> GitHub Codespaces are not currently paid for by the Ministry of Justice and are subject to the quotas [here](https://docs.github.com/en/billing/managing-billing-for-your-products/managing-billing-for-github-codespaces/about-billing-for-github-codespaces#monthly-included-storage-and-core-hours-for-personal-accounts)
 
-1. Open repository in Visual Studio Code
+To launch a GitHub Codespace, click the button below
 
-1. Reopen in container
+[![Open in Codespace](https://github.com/codespaces/badge.svg)](https://codespaces.new/ministryofjustice/modernisation-platform-environments)
 
 ## Tools
 

.github/workflows/code-scanning.yml

@@ -81,7 +81,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@cc23a656ff707900310d6870ca2b4289fa070396 # v12.2917.0
+        uses: bridgecrewio/checkov-action@05decb42b761b4c4ce4927c084165bb4705bbcef # v12.2918.0
         with:
           directory: ./
           framework: terraform

.github/workflows/format-code.yml

@@ -40,7 +40,7 @@ jobs:
         id: ml
         # You can override MegaLinter flavor used to have faster performances
         # More info at https://megalinter.io/flavors/
-        uses: oxsecurity/megalinter/flavors/terraform@d8c95fc6f2237031fb9e9322b0f97100168afa6e #v8.2.0
+        uses: oxsecurity/megalinter/flavors/terraform@1fc052d03c7a43c78fe0fee19c9d648b749e0c01 #v8.3.0
         env:
           # All available variables are described in documentation
           # https://megalinter.io/configuration/#shared-variables

terraform/environments/analytical-platform-compute/kms-keys.tf

@@ -275,6 +275,22 @@ module "mlflow_s3_kms" {
   tags = local.tags
 }
 
+module "mojap_compute_athena_s3_kms_eu_west_2" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+
+  source  = "terraform-aws-modules/kms/aws"
+  version = "3.1.1"
+
+  aliases               = ["s3/mojap-compute-athena-query-results-eu-west-2"]
+  description           = "Mojap Athena query bucket S3 KMS key for eu-west-2"
+  enable_default_policy = true
+
+  deletion_window_in_days = 7
+
+  tags = local.tags
+}
+
 module "mojap_compute_logs_s3_kms_eu_west_2" {
   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
   #checkov:skip=CKV_TF_2:Module registry does not support tags for versions

terraform/environments/analytical-platform-compute/s3-buckets.tf

@@ -136,28 +136,61 @@ module "mojap_compute_logs_bucket_eu_west_1" {
   )
 }
 
-moved {
-  from = module.mojap_compute_logs_bucket.aws_s3_bucket.this[0]
-  to   = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket.this[0]
-}
-moved {
-  from = module.mojap_compute_logs_bucket.aws_s3_bucket_policy.this[0]
-  to   = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket_policy.this[0]
-}
-moved {
-  from = module.mojap_compute_logs_bucket.aws_s3_bucket_public_access_block.this[0]
-  to   = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket_public_access_block.this[0]
-}
-moved {
-  from = module.mojap_compute_logs_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0]
-  to   = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket_server_side_encryption_configuration.this[0]
-}
-moved {
-  from = module.mojap_compute_logs_bucket.aws_s3_bucket_versioning.this[0]
-  to   = module.mojap_compute_logs_bucket_eu_west_2.aws_s3_bucket_versioning.this[0]
+
+data "aws_iam_policy_document" "athena_query_results_policy_eu_west_2" {
+  #checkov:skip=CKV_AWS_356:resource "*" limited by condition
+  statement {
+    sid     = "DenyInsecureTransport"
+    effect  = "Deny"
+    actions = ["s3:*"]
+    resources = [
+      "arn:aws:s3:::mojap-compute-${local.environment}-athena-query-results-eu-west-2/*",
+      "arn:aws:s3:::mojap-compute-${local.environment}-athena-query-results-eu-west-2"
+    ]
+    principals {
+      type        = "*"
+      identifiers = ["*"]
+    }
+    condition {
+      test     = "Bool"
+      variable = "aws:SecureTransport"
+      values   = ["false"]
+    }
+  }
 }
 
-moved {
-  from = aws_iam_policy_document.s3_server_access_logs_policy
-  to   = aws_iam_policy_document.s3_server_access_logs_eu_west_2_policy
+module "mojap_compute_athena_query_results_bucket_eu_west_2" {
+  #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+  #checkov:skip=CKV_TF_2:Module registry does not support tags for versions
+
+  source  = "terraform-aws-modules/s3-bucket/aws"
+  version = "4.2.2"
+
+  bucket = "mojap-compute-${local.environment}-athena-query-results-eu-west-2"
+
+  force_destroy = true
+
+  attach_policy = true
+  policy        = data.aws_iam_policy_document.athena_query_results_policy_eu_west_2.json
+
+  object_lock_enabled = false
+
+  versioning = {
+    status = "Disabled"
+  }
+
+  server_side_encryption_configuration = {
+    rule = {
+      bucket_key_enabled = true
+      apply_server_side_encryption_by_default = {
+        kms_master_key_id = module.mojap_compute_athena_s3_kms_eu_west_2.key_arn
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+
+  tags = merge(
+    local.tags,
+    { "backup" = "false" }
+  )
 }

terraform/environments/analytical-platform-ingestion/environment-configuration.tf

@@ -92,20 +92,6 @@ locals {
           egress_bucket         = module.bold_egress_bucket.s3_bucket_id
           egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn
         }
-        "darren-brooke" = {
-          ssh_key               = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAxeaj85/JshqYMQ1B97TtHyy81oF3L33s89NWCIiHSM/Hql6aFfxCCivsN4Y1OZic8S5drgxe7MdETaWeEKfaWIMgqESGOw5yhCuNSEvt896cc0hSU8/ZwUZrTzYfiCAwqBQHI13JBAP7VcWBR6v6CYQL8JB7lSEvq7vY2BJJ4N9HchlXBHvxHHOu7Y6+ta7BrODvCc0zLHWANE65U4DmZpXmwHHsBao4cOUIlrBIDIAGtXAJB/L+cByH2OPMsRPhUe2UMfTgRHCJdekics/7DzrR+hhZRnHM9du52TFT89eAKpQGpp0wEkFoYKntXesGFr1R/uhRtqzanzBggXIv db@ubuntu"
-          cidr_blocks           = ["54.37.241.156/30"]
-          egress_bucket         = module.ext_2024_egress_bucket.s3_bucket_id
-          egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn
-
-        }
-        "aaron-willetts" = {
-          ssh_key               = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAtHz+QozotArRIjRcmD4GDdiQLtXPTX+GGAXqpeqpBZ aaron@kali"
-          cidr_blocks           = ["167.71.136.237/32"]
-          egress_bucket         = module.ext_2024_egress_bucket.s3_bucket_id
-          egress_bucket_kms_key = module.s3_ext_2024_egress_kms.key_arn
-
-        }
       }
 
       /* DataSync */

terraform/environments/corporate-information-system/iam.tf

@@ -74,44 +74,44 @@ resource "aws_iam_role_policy" "cis_s3fs_policy" {
     Version = "2012-10-17"
     Statement = [
       {
-        "Action": [
-            "s3:*"
+        "Action" : [
+          "s3:*"
         ],
-        "Resource": [
-            "arn:aws:s3:::laa-software-bucket2",
-            "arn:aws:s3:::laa-software-bucket2/*",
-            "arn:aws:s3:::laa-software-library",
-            "arn:aws:s3:::laa-software-library/*",
-            "arn:aws:s3:::laa-cis-inbound-production",
-            "arn:aws:s3:::laa-cis-inbound-production/*",
-            "arn:aws:s3:::laa-cis-outbound-production",
-            "arn:aws:s3:::laa-cis-outbound-production/*",
-            "arn:aws:s3:::laa-ccms-outbound-production",
-            "arn:aws:s3:::laa-ccms-outbound-production/*",
-            "arn:aws:s3:::laa-ccms-inbound-production",
-            "arn:aws:s3:::laa-ccms-inbound-production/*"
+        "Resource" : [
+          "arn:aws:s3:::laa-software-bucket2",
+          "arn:aws:s3:::laa-software-bucket2/*",
+          "arn:aws:s3:::laa-software-library",
+          "arn:aws:s3:::laa-software-library/*",
+          "arn:aws:s3:::laa-cis-inbound-production",
+          "arn:aws:s3:::laa-cis-inbound-production/*",
+          "arn:aws:s3:::laa-cis-outbound-production",
+          "arn:aws:s3:::laa-cis-outbound-production/*",
+          "arn:aws:s3:::laa-ccms-outbound-production",
+          "arn:aws:s3:::laa-ccms-outbound-production/*",
+          "arn:aws:s3:::laa-ccms-inbound-production",
+          "arn:aws:s3:::laa-ccms-inbound-production/*"
         ],
-        "Effect": "Allow"
-        },
-        {
-          "Action": [
-              "logs:CreateLogGroup",
-              "logs:CreateLogStream",
-              "logs:DescribeLogStreams",
-              "logs:PutRetentionPolicy",
-              "logs:PutLogEvents",
-              "ec2:DescribeInstances"
-          ],
-          "Resource": "*",
-          "Effect": "Allow"
-        },
-        {
-          "Action": [
-              "ec2:CreateTags"
-          ],
-          "Resource": "*",
-          "Effect": "Allow"
-        }
+        "Effect" : "Allow"
+      },
+      {
+        "Action" : [
+          "logs:CreateLogGroup",
+          "logs:CreateLogStream",
+          "logs:DescribeLogStreams",
+          "logs:PutRetentionPolicy",
+          "logs:PutLogEvents",
+          "ec2:DescribeInstances"
+        ],
+        "Resource" : "*",
+        "Effect" : "Allow"
+      },
+      {
+        "Action" : [
+          "ec2:CreateTags"
+        ],
+        "Resource" : "*",
+        "Effect" : "Allow"
+      }
     ]
   })
 }

terraform/environments/corporate-staff-rostering/locals.tf

@@ -26,6 +26,7 @@ locals {
         "ec2_linux",
         "ec2_instance_linux",
         "ec2_instance_oracle_db_with_backup",
+        "ssm_command",
       ]
       cloudwatch_metric_alarms_default_actions    = ["pagerduty"]
       cloudwatch_metric_oam_links_ssm_parameters  = ["hmpps-oem-${local.environment}"]
@@ -45,6 +46,7 @@ locals {
       enable_s3_db_backup_bucket                  = true
       enable_s3_shared_bucket                     = true
       enable_s3_software_bucket                   = true
+      enable_ssm_command_monitoring               = true
       s3_iam_policies                             = ["EC2S3BucketWriteAndDeleteAccessPolicy"]
       software_bucket_name                        = "csr-software"
     }