NCAS: Update IP addresses and remove security group setup scripts (#4851

) * Update IP addresses and remove security group setup scripts * Update PostgreSQL engine version to 14.10
ministryofjustice · Feb 5, 2024 · 570f2a9 · 570f2a9
1 parent 7020aca
commit 570f2a9
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 110 deletions.
diff --git a/terraform/environments/ncas/application_variables.json b/terraform/environments/ncas/application_variables.json
@@ -1,14 +1,13 @@
 {
   "accounts": {
     "development": {
-      "moj_ip": "81.134.202.29/32",
       "db_name": "ncas_db_dev",
       "identifier": "ncas-db-dev",
       "db_username": "dbadmin",
       "allocated_storage": "20",
       "storage_type": "gp2",
       "engine": "postgres",
-      "engine_version": "14.7",
+      "engine_version": "14.10",
       "instance_class": "db.t3.micro",
       "server_port_1": "80",
       "lb_listener_protocol_1": "HTTP",
@@ -22,14 +21,13 @@
       "tactical_products_db_secrets_arn": "8NFchF"
     },
     "preproduction": {
-      "moj_ip": "81.134.202.29/32",
       "db_name": "ncas_db_pre_prod",
       "identifier": "ncas-db-pre-prod",
       "db_username": "dbadmin",
       "allocated_storage": "20",
       "storage_type": "gp2",
       "engine": "postgres",
-      "engine_version": "14.7",
+      "engine_version": "14.10",
       "instance_class": "db.t3.micro",
       "server_port_1": "80",
       "lb_listener_protocol_1": "HTTP",
@@ -43,14 +41,13 @@
       "tactical_products_db_secrets_arn": "0De931"
     },
     "production": {
-      "moj_ip": "81.134.202.29/32",
       "db_name": "ncas_db_prod",
       "identifier": "ncas-db-prod",
       "db_username": "dbadmin",
       "allocated_storage": "20",
       "storage_type": "gp2",
       "engine": "postgres",
-      "engine_version": "14.7",
+      "engine_version": "14.10",
       "instance_class": "db.t3.micro",
       "server_port_1": "80",
       "lb_listener_protocol_1": "HTTP",

diff --git a/terraform/environments/ncas/load_balancer.tf b/terraform/environments/ncas/load_balancer.tf
@@ -4,11 +4,19 @@ resource "aws_security_group" "ncas_lb_sc" {
   vpc_id      = data.aws_vpc.shared.id
 
   ingress {
-    description = "allow access on HTTPS for the MOJ VPN"
+    description = "allow access on HTTPS for the Dom1 Cisco VPN"
     from_port   = 443
     to_port     = 443
     protocol    = "tcp"
-    cidr_blocks = [local.application_data.accounts[local.environment].moj_ip]
+    cidr_blocks = ["194.33.192.1/32"]
+  }
+
+  ingress {
+    description = "allow access on HTTPS for the Global Protect VPN"
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["35.176.93.186/32"]
   }
 
   // Allow all User IPs
@@ -32,7 +40,10 @@ resource "aws_security_group" "ncas_lb_sc" {
       "52.67.148.55/32",
       "194.33.192.0/25",
       "213.121.161.112/28",
-      "2.219.137.231/32"
+      "2.219.137.231/32",
+      "18.169.147.172/32",
+      "18.130.148.126/32",
+      "35.176.148.126/32"
     ]
   }
 

diff --git a/terraform/environments/ncas/migrate_db.sh b/terraform/environments/ncas/migrate_db.sh
diff --git a/terraform/environments/ncas/rds.tf b/terraform/environments/ncas/rds.tf
@@ -84,49 +84,6 @@ data "http" "myip" {
   url = "http://ipinfo.io/json"
 }
 
-resource "null_resource" "setup_db" {
-  count = local.is-development ? 0 : 1
-
-  depends_on = [aws_db_instance.ncas_db]
-
-  provisioner "local-exec" {
-    interpreter = ["bash", "-c"]
-    command     = "chmod +x ./migrate_db.sh; ./migrate_db.sh"
-
-    environment = {
-      SOURCE_DB_HOSTNAME = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SOURCE_DB_HOSTNAME"]
-      SOURCE_DB_NAME     = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SOURCE_DB_NAME"]
-      SOURCE_DB_USERNAME = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SOURCE_DB_USERNAME"]
-      SOURCE_DB_PASSWORD = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SOURCE_DB_PASSWORD"]
-      DB_HOSTNAME        = aws_db_instance.ncas_db.address
-      DB_NAME            = aws_db_instance.ncas_db.db_name
-      NCAS_DB_USERNAME   = local.application_data.accounts[local.environment].db_username
-      NCAS_DB_PASSWORD   = random_password.password.result
-    }
-  }
-  triggers = {
-    always_run = "${timestamp()}"
-  }
-}
-
-// executes a local script to set up the security group for the source RDS instance.
-resource "null_resource" "setup_source_rds_security_group" {
-  provisioner "local-exec" {
-    interpreter = ["bash", "-c"]
-    command     = "chmod +x ./setup-security-group-${local.environment}.sh; ./setup-security-group-${local.environment}.sh"
-
-    environment = {
-      RDS_SECURITY_GROUP            = aws_security_group.modernisation_ncas_access.id
-      RDS_SOURCE_ACCOUNT_ACCESS_KEY = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["ACCESS_KEY"]
-      RDS_SOURCE_ACCOUNT_SECRET_KEY = jsondecode(data.aws_secretsmanager_secret_version.get_tactical_products_rds_credentials.secret_string)["SECRET_KEY"]
-      RDS_SOURCE_ACCOUNT_REGION     = "eu-west-2"
-    }
-  }
-  triggers = {
-    always_run = "${timestamp()}"
-  }
-}
-
 // Sets up empty database for Development environment
 resource "null_resource" "setup_dev_db" {
   count = local.is-development ? 1 : 0

diff --git a/terraform/environments/ncas/setup-security-group-development.sh b/terraform/environments/ncas/setup-security-group-development.sh
diff --git a/terraform/environments/ncas/setup-security-group-preproduction.sh b/terraform/environments/ncas/setup-security-group-preproduction.sh
diff --git a/terraform/environments/ncas/setup-security-group-production.sh b/terraform/environments/ncas/setup-security-group-production.sh