Merge branch 'main' of github.com:ministryofjustice/modernisation-pla…

…tform-environments into feature/DSOS-2654/ec2-alterations

terraform/environments/electronic-monitoring-data/server_backups.tf

@@ -131,8 +131,12 @@ data "aws_iam_policy_document" "rds_data_store_access" {
     effect = "Allow"
     actions = [
       "s3:GetObject",
+      "s3:ListBucket",
+    ]
+    resources = [
+        aws_s3_bucket.data_store.arn,
+        "${aws_s3_bucket.data_store.arn}/*",
     ]
-    resources = ["${aws_s3_bucket.data_store.arn}/*"]
   }
 }
 

terraform/environments/hmpps-oem/locals_production.tf

@@ -19,16 +19,19 @@ locals {
     }
 
     baseline_ec2_instances = {
-      # prod-oem-a = merge(local.oem_ec2_default, {
-      #   config = merge(local.oem_ec2_default.config, {
-      #     availability_zone = "eu-west-2a"
-      #   })
-      #   user_data_cloud_init = merge(local.oem_ec2_default.user_data_cloud_init, {
-      #     args = merge(local.oem_ec2_default.user_data_cloud_init.args, {
-      #       branch = "085f630e04fcfe3b521d0f7f698188df849ccb7e" # 2023-10-06
-      #     })
-      #   })
-      # })
+      prod-oem-a = merge(local.oem_ec2_default, {
+        config = merge(local.oem_ec2_default.config, {
+          availability_zone = "eu-west-2a"
+        })
+        user_data_cloud_init = merge(local.oem_ec2_default.user_data_cloud_init, {
+          args = merge(local.oem_ec2_default.user_data_cloud_init.args, {
+            branch = "main"
+          })
+        })
+        # tags = merge(local.oem_ec2_default.tags, {
+        #   oracle-sids = "EMREP PRCVCAT"
+        # })
+      })
     }
 
     baseline_route53_zones = {

terraform/environments/ppud/disable_cpu_alarm/disable_cpu_alarm.py

@@ -0,0 +1,6 @@
+import boto3
+region = 'eu-west-2'
+cloudwatch = boto3.client('cloudwatch', region_name=region)
+
+def lambda_handler(event):
+    cloudwatch.disable_alarm_actions(AlarmNames=['CPU-High-i-029d2b17679dab982'])

terraform/environments/ppud/enable_cpu_alarm/enable_cpu_alarm.py

@@ -0,0 +1,6 @@
+import boto3
+region = 'eu-west-2'
+cloudwatch = boto3.client('cloudwatch', region_name=region)
+
+def lambda_handler(event):
+    cloudwatch.enable_alarm_actions(AlarmNames=['CPU-High-i-029d2b17679dab982'])

terraform/environments/ppud/lambda.tf

@@ -40,7 +40,6 @@ resource "aws_lambda_function" "terraform_lambda_func_start" {
   depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
 }
 
-
 ########################################
 # EventBridge rules to Lambda functions
 ########################################
@@ -90,4 +89,104 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_start" {
   function_name = aws_lambda_function.terraform_lambda_func_start[0].function_name
   principal     = "events.amazonaws.com"
   source_arn    = aws_cloudwatch_event_rule.start_instance[0].arn
+}
+
+#####################################
+# Create a ZIP of Python Application
+#####################################
+
+data "archive_file" "zip_the_disable_alarm_code" {
+  count       = local.is-production == true ? 1 : 0
+  type        = "zip"
+  source_file  = "${path.module}/disable_cpu_alarm/disable_cpu_alarm.py"
+  output_path = "${path.module}/disable_cpu_alarm/disable_cpu_alarm.zip"
+}
+
+data "archive_file" "zip_the_enable_alarm_code" {
+  count       = local.is-production == true ? 1 : 0
+  type        = "zip"
+  source_file  = "${path.module}/enable_cpu_alarm/enable_cpu_alarm.py"
+  output_path = "${path.module}/enable_cpu_alarm/enable_cpu_alarm.zip"
+}
+
+########################################
+# EventBridge rules to Lambda functions
+########################################
+
+# Eventbridge Rule to Disable_CPU_Alarm
+
+resource "aws_cloudwatch_event_rule" "disable_cpu_alarm" {
+  count               = local.is-production == true ? 1 : 0
+  name                = "disable_cpu_alarm"
+  description         = "Runs Weekly every Saturday at 00:00am GMT"
+  schedule_expression = "cron(0 0 ? * SAT *)" # Time Zone is in UTC
+}
+
+resource "aws_cloudwatch_event_target" "trigger_lambda_disable_cpu_alarm" {
+  count     = local.is-production == true ? 1 : 0
+  rule      = aws_cloudwatch_event_rule.disable_cpu_alarm[0].name
+  target_id = "disable_cpu_alarm"
+  arn       = aws_lambda_function.terraform_lambda_disable_cpu_alarm[0].arn
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch_to_disable_cpu_alarm" {
+  count         = local.is-production == true ? 1 : 0
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.terraform_lambda_disable_cpu_alarm[0].function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.disable_cpu_alarm[0].arn
+}
+
+# Eventbridge Rule to Enable_CPU_Alarm
+
+resource "aws_cloudwatch_event_rule" "enable_cpu_alarm" {
+  count               = local.is-production == true ? 1 : 0
+  name                = "enable_cpu_alarm"
+  description         = "Runs Weekly every Sunday at 08:00pm GMT"
+  schedule_expression = "cron(0 20 ? * SUN *)" # Time Zone is in UTC
+}
+
+resource "aws_cloudwatch_event_target" "trigger_lambda_enable_cpu_alarm" {
+  count     = local.is-production == true ? 1 : 0
+  rule      = aws_cloudwatch_event_rule.enable_cpu_alarm[0].name
+  target_id = "enable_cpu_alarm"
+  arn       = aws_lambda_function.terraform_lambda_enable_cpu_alarm[0].arn
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch_to_enable_cpu_alarm" {
+  count         = local.is-production == true ? 1 : 0
+  statement_id  = "AllowExecutionFromCloudWatch"
+  action        = "lambda:InvokeFunction"
+  function_name = aws_lambda_function.terraform_lambda_enable_cpu_alarm[0].function_name
+  principal     = "events.amazonaws.com"
+  source_arn    = aws_cloudwatch_event_rule.enable_cpu_alarm[0].arn
+}
+
+################################################
+# Lambda Function to Disable and Enable CPU Alarms
+#################################################
+
+# Disable CPU Alarm
+
+resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
+  count         = local.is-production == true ? 1 : 0
+  filename      = "${path.module}/disable_alarm/disable_cpu_alarm.zip"
+  function_name = "disable_cpu_alarm_function"
+  role          = aws_iam_role.lambda_role[0].arn
+  handler       = "disable_cpu_alarm.lambda_handler"
+  runtime       = "python3.12"
+  depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
+}
+
+# Enable CPU Alarm
+
+resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
+  count         = local.is-production == true ? 1 : 0
+  filename      = "${path.module}/enable_alarm/enable_cpu_alarm.zip"
+  function_name = "enable_cpu_alarm_function"
+  role          = aws_iam_role.lambda_role[0].arn
+  handler       = "enable_cpu_alarm.lambda_handler"
+  runtime       = "python3.12"
+  depends_on    = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
 }

terraform/modules/baseline/bastion_linux.tf

@@ -12,8 +12,6 @@ module "bastion_linux" {
 
   # s3 - used for logs and user ssh public keys
   bucket_name          = var.bastion_linux.bucket_name
-  bucket_versioning    = var.bastion_linux.bucket_versioning
-  bucket_force_destroy = var.bastion_linux.bucket_force_destroy
 
   # public keys
   public_key_data = var.bastion_linux.public_key_data

terraform/modules/baseline/variables.tf

@@ -69,8 +69,6 @@ variable "bastion_linux" {
     public_key_data         = map(string)
     allow_ssh_commands      = optional(bool, true)
     bucket_name             = optional(string, "bastion")
-    bucket_versioning       = optional(bool, true)
-    bucket_force_destroy    = optional(bool, true)
     log_auto_clean          = optional(string, "Enabled")
     log_standard_ia_days    = optional(number, 30)
     log_glacier_days        = optional(number, 60)