
Ncr/dsos 2892/prod env comments (#7125)
* add comments and reorder resources

* improve comments
  • Loading branch information
robertsweetman authored Jul 17, 2024
1 parent f5a441f commit 5f65dab
Showing 1 changed file with 106 additions and 91 deletions.
197 changes: 106 additions & 91 deletions terraform/environments/nomis-combined-reporting/locals_production.tf
Expand Up @@ -12,104 +12,26 @@ locals {
}
}

acm_certificates = {
nomis_combined_reporting_wildcard_cert = {
cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
domain_name = "modernisation-platform.service.justice.gov.uk"
subject_alternate_names = [
"reporting.nomis.service.justice.gov.uk",
"*.reporting.nomis.service.justice.gov.uk",
]
tags = {
description = "Wildcard certificate for the preproduction environment"
}
}
}

efs = {
pd-ncr-sap-share = {
access_points = {
root = {
posix_user = {
gid = 1201 # binstall
uid = 1201 # bobj
}
root_directory = {
path = "/"
creation_info = {
owner_gid = 1201 # binstall
owner_uid = 1201 # bobj
permissions = "0777"
}
}
}
}
file_system = {
availability_zone_name = "eu-west-2a"
lifecycle_policy = {
transition_to_ia = "AFTER_30_DAYS"
}
}
mount_targets = [{
subnet_name = "private"
availability_zones = ["eu-west-2a"]
security_groups = ["bip"]
}]
tags = {
backup = "false"
}
}
}

# please keep resources in alphabetical order
baseline_production = {

iam_policies = {
Ec2PDDatabasePolicy = {
description = "Permissions required for PROD Database EC2s"
statements = [
{
effect = "Allow"
actions = [
"ssm:GetParameter",
]
resources = [
"arn:aws:ssm:*:*:parameter/azure/*",
]
},
{
effect = "Allow"
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
]
resources = [
"arn:aws:secretsmanager:*:*:secret:/oracle/database/*PD/*",
"arn:aws:secretsmanager:*:*:secret:/oracle/database/PD*/*",
]
}
]
}
Ec2PDReportingPolicy = {
description = "Permissions required for PD reporting EC2s"
statements = [
{
effect = "Allow"
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
]
resources = [
"arn:aws:secretsmanager:*:*:secret:/ec2/ncr-bip/pd/*",
"arn:aws:secretsmanager:*:*:secret:/ec2/ncr-web/pd/*",
]
}
acm_certificates = {
nomis_combined_reporting_wildcard_cert = {
cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.acm
domain_name = "modernisation-platform.service.justice.gov.uk"
subject_alternate_names = [
"reporting.nomis.service.justice.gov.uk",
"*.reporting.nomis.service.justice.gov.uk",
]
tags = {
description = "Wildcard certificate for the production environment"
}
}
}

ec2_instances = {

# Comment out till needed for deployment
pd-ncr-cms-a = merge(local.bip_ec2_default, {
#cloudwatch_metric_alarms = local.bip_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.bip_ec2_default.config, {
Expand All @@ -131,6 +53,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-cms-b = merge(local.bip_ec2_default, {
#cloudwatch_metric_alarms = local.bip_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.bip_ec2_default.config, {
Expand Down Expand Up @@ -192,6 +115,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-client-a = merge(local.jumpserver_ec2_default, {
# cloudwatch_metric_alarms = local.client_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.jumpserver_ec2_default.config, {
Expand All @@ -211,6 +135,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-etl-1-a = merge(local.etl_ec2_default, {
# cloudwatch_metric_alarms = local.etl_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.etl_ec2_default.config, {
Expand All @@ -230,6 +155,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-etl-2-b = merge(local.etl_ec2_default, {
# cloudwatch_metric_alarms = local.etl_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.etl_ec2_default.config, {
Expand All @@ -249,6 +175,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-processing-1-a = merge(local.bip_ec2_default, {
# cloudwatch_metric_alarms = local.bip_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.bip_ec2_default.config, {
Expand All @@ -270,6 +197,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-processing-2-b = merge(local.bip_ec2_default, {
# cloudwatch_metric_alarms = local.bip_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.bip_ec2_default.config, {
Expand All @@ -291,6 +219,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-processing-3-c = merge(local.bip_ec2_default, {
# cloudwatch_metric_alarms = local.bip_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.bip_ec2_default.config, {
Expand All @@ -312,6 +241,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-processing-4-a = merge(local.bip_ec2_default, {
# cloudwatch_metric_alarms = local.bip_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.bip_ec2_default.config, {
Expand All @@ -333,6 +263,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-web-1-a = merge(local.web_ec2_default, {
# cloudwatch_metric_alarms = local.web_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.web_ec2_default.config, {
Expand All @@ -352,6 +283,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-web-2-b = merge(local.web_ec2_default, {
# cloudwatch_metric_alarms = local.web_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.web_ec2_default.config, {
Expand All @@ -371,6 +303,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-web-3-c = merge(local.web_ec2_default, {
# cloudwatch_metric_alarms = local.web_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.web_ec2_default.config, {
Expand All @@ -390,6 +323,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-web-4-a = merge(local.web_ec2_default, {
# cloudwatch_metric_alarms = local.web_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.web_ec2_default.config, {
Expand All @@ -409,6 +343,7 @@ locals {
})
})

# Comment out till needed for deployment
pd-ncr-web-admin-a = merge(local.web_ec2_default, {
# cloudwatch_metric_alarms = local.web_cloudwatch_metric_alarms # comment in when commissioned
config = merge(local.web_ec2_default.config, {
Expand All @@ -429,6 +364,86 @@ locals {
})
}

# Comment out till needed for deployment
efs = {
pd-ncr-sap-share = {
access_points = {
root = {
posix_user = {
gid = 1201 # binstall
uid = 1201 # bobj
}
root_directory = {
path = "/"
creation_info = {
owner_gid = 1201 # binstall
owner_uid = 1201 # bobj
permissions = "0777"
}
}
}
}
file_system = {
availability_zone_name = "eu-west-2a"
lifecycle_policy = {
transition_to_ia = "AFTER_30_DAYS"
}
}
mount_targets = [{
subnet_name = "private"
availability_zones = ["eu-west-2a"]
security_groups = ["bip"]
}]
tags = {
backup = "false"
}
}
}

iam_policies = {
Ec2PDDatabasePolicy = {
description = "Permissions required for PROD Database EC2s"
statements = [
{
effect = "Allow"
actions = [
"ssm:GetParameter",
]
resources = [
"arn:aws:ssm:*:*:parameter/azure/*",
]
},
{
effect = "Allow"
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
]
resources = [
"arn:aws:secretsmanager:*:*:secret:/oracle/database/*PD/*",
"arn:aws:secretsmanager:*:*:secret:/oracle/database/PD*/*",
]
}
]
}
Ec2PDReportingPolicy = {
description = "Permissions required for PD reporting EC2s"
statements = [
{
effect = "Allow"
actions = [
"secretsmanager:GetSecretValue",
"secretsmanager:PutSecretValue",
]
resources = [
"arn:aws:secretsmanager:*:*:secret:/ec2/ncr-bip/pd/*",
"arn:aws:secretsmanager:*:*:secret:/ec2/ncr-web/pd/*",
]
}
]
}
}

# lbs = {
# private = {
# enable_cross_zone_load_balancing = true
Expand Down Expand Up @@ -539,8 +554,8 @@ locals {
secretsmanager_secrets = {
"/ec2/ncr-bip/pd" = local.bip_secretsmanager_secrets
"/ec2/ncr-web/pd" = local.web_secretsmanager_secrets
"/oracle/database/PDBIPSYS" = local.database_secretsmanager_secrets
"/oracle/database/PDBIPAUD" = local.database_secretsmanager_secrets
"/oracle/database/PDBIPSYS" = local.database_secretsmanager_secrets # Azure Live System DB
"/oracle/database/PDBIPAUD" = local.database_secretsmanager_secrets # Azure Live Audit DB
"/oracle/database/PDBISYS" = local.database_secretsmanager_secrets
"/oracle/database/PDBIAUD" = local.database_secretsmanager_secrets
}
Expand Down
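Review bot: The `pd-ncr-sap-share` EFS access point that this commit moves into `baseline_production` still creates its root directory (`path = "/"`) with `permissions = "0777"`, which presumably leaves the share world-writable for any instance in the `bip` security group that mounts the file system directly rather than through the access point; since the access point already pins `posix_user` to uid/gid 1201, `permissions = "0770"` looks sufficient, or if direct mounts by other uids are intended, a comment saying so should accompany the 0777. The `backup = "false"` tag on the same share also deserves a one-line justification, e.g. `backup = "false" # SAP install share, rebuilt from media rather than restored -- confirm`, given the `pd-` prefix and this file's name both mark it as production. The new `# Comment out till needed for deployment` line placed above `efs` and above every `ec2_instances` entry reads as an instruction, yet none of the resources beneath it are commented out; `# Live; comment this resource out again if it is not yet needed` or similar would say what is meant. The enclosing `baseline_production` map continues past the end of this section.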
