Merge pull request #9041 from ministryofjustice/Update_101224_3

Update_101224_3
ministryofjustice · Dec 10, 2024 · 38ae17e · 38ae17e
2 parents fefafa2 + e3180e8
commit 38ae17e
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 13 deletions.
diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf
@@ -1204,16 +1204,6 @@ resource "aws_iam_policy" "iam_policy_for_lambda_cloudwatch_get_metric_data_dev"
           "arn:aws:ssm:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:parameter/klayers-account"
         ]
       },
-      {
-        "Sid" : "EC2Policy",
-        "Effect" : "Allow",
-        "Action" : [
-          "ec2:DescribeInstances"
-        ],
-        "Resource" : [
-          "arn:aws:ec2:eu-west-2:${local.environment_management.account_ids["ppud-development"]}:*"
-        ]
-      },
       {
         "Sid" : "LogPolicy",
         "Effect" : "Allow",
@@ -1277,6 +1267,13 @@ resource "aws_iam_policy_attachment" "attach_lambda_cloudwatch_full_access_dev"
   policy_arn = "arn:aws:iam::aws:policy/CloudWatchFullAccessV2"
 }
 
+resource "aws_iam_policy_attachment" "attach_lambda_ec2_read_only_access_dev" {
+  count      = local.is-development == true ? 1 : 0
+  name       = "lambda-ec2-read-only-access-iam-attachment"
+  roles      = [aws_iam_role.lambda_role_cloudwatch_get_metric_data_dev[0].id]
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
+}
+
 #resource "aws_iam_policy_attachment" "attach_ses_full_access" {
 #  count      = local.is-development == true ? 1 : 0
 #  name       = "ses-full-access-iam-attachment"

diff --git a/terraform/environments/ppud/instances.tf b/terraform/environments/ppud/instances.tf
@@ -91,7 +91,7 @@ resource "aws_instance" "s609693lo6vw102" {
   instance_type          = "m5.large"
   source_dest_check      = false
   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
-  vpc_security_group_ids = [aws_security_group.Secondary-DOC-Server[0].id]
+  vpc_security_group_ids = [aws_security_group.Live-DOC-Server[0].id]
   subnet_id              = data.aws_subnet.private_subnets_c.id
 
   metadata_options {
@@ -116,7 +116,7 @@ resource "aws_instance" "s609693lo6vw103" {
   instance_type          = "m5.large"
   source_dest_check      = false
   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
-  vpc_security_group_ids = [aws_security_group.Primary-DOC-Server[0].id]
+  vpc_security_group_ids = [aws_security_group.Archive-DOC-Server[0].id]
   subnet_id              = data.aws_subnet.private_subnets_b.id
 
   metadata_options {
@@ -599,7 +599,7 @@ resource "aws_instance" "s618358rgvw022" {
   instance_type          = "m5.xlarge"
   source_dest_check      = false
   iam_instance_profile   = aws_iam_instance_profile.ec2_profile.id
-  vpc_security_group_ids = [aws_security_group.Primary-DOC-Server[0].id]
+  vpc_security_group_ids = [aws_security_group.Archive-DOC-Server[0].id]
   subnet_id              = data.aws_subnet.private_subnets_b.id
 
   metadata_options {

diff --git a/terraform/environments/ppud/security_group.tf b/terraform/environments/ppud/security_group.tf
@@ -339,6 +339,7 @@ resource "aws_security_group_rule" "Dev-Servers-Standard-Egress-2" {
 # Production
 
 resource "aws_security_group" "Primary-DOC-Server" {
+  # checkov:skip=CKV2_AWS_5: "Temporarily unattached to any EC2 instances"
   count       = local.is-preproduction == false ? 1 : 0
   vpc_id      = data.aws_vpc.shared.id
   name        = "Primary-DOC-Server"