Merge branch 'main' into chaps-remove-ps-commands

.github/CODEOWNERS

@@ -13,7 +13,7 @@
 /terraform/environments/dacp @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform
 /terraform/environments/data-and-insights-wepi @ministryofjustice/data-and-insights-hub @ministryofjustice/modernisation-platform
 /terraform/environments/data-platform-apps-and-tools @ministryofjustice/data-platform-apps-and-tools-airflow-users @ministryofjustice/data-platform-apps-and-tools-development-sandbox @ministryofjustice/data-platform-apps-and-tools-production-developer @ministryofjustice/data-platform-audit-and-security @ministryofjustice/modernisation-platform
-/terraform/environments/data-platform-compute @ministryofjustice/data-platform-core-infra @ministryofjustice/data-tech-archs @ministryofjustice/modernisation-platform
+/terraform/environments/data-platform-compute @ministryofjustice/modernisation-platform
 /terraform/environments/data-platform @ministryofjustice/data-platform-audit-and-security @ministryofjustice/data-platform-development-sandbox @ministryofjustice/data-platform-preproduction-developer @ministryofjustice/data-platform-production-developer @ministryofjustice/data-platform-test-developer @ministryofjustice/modernisation-platform
 /terraform/environments/delius-core @ministryofjustice/hmpps-dba @ministryofjustice/hmpps-migration @ministryofjustice/unilink @ministryofjustice/modernisation-platform
 /terraform/environments/delius-iaps @ministryofjustice/hmpps-dba @ministryofjustice/hmpps-migration @ministryofjustice/modernisation-platform

.github/workflows/code-scanning.yml

@@ -78,7 +78,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@9b1af391781eab736f64da4c5eed232913722450 # v12.2630.0
+        uses: bridgecrewio/checkov-action@bb9886fa037e5ff8680b1352ec4672183d418ab7 # v12.2631.0
         with:
           directory: ./
           framework: terraform

terraform/environments/corporate-staff-rostering/locals_preproduction.tf

@@ -9,6 +9,61 @@ locals {
         custom_kms_key = module.environment.kms_keys["general"].arn
         iam_policies   = module.baseline_presets.s3_iam_policies
       }
+      nlb-logs-bucket = {
+        sse_algorithm = "AES256"
+        iam_policies  = module.baseline_presets.s3_iam_policies
+        bucket_policy_v2 = [
+          {
+            effect = "Allow"
+            actions = [
+              "s3:PutObject"
+            ]
+            principals = {
+              identifiers = ["delivery.logs.amazonaws.com"]
+              type        = "Service"
+            }
+            conditions = [
+              {
+                test     = "StringEquals"
+                variable = "s3:x-amz-acl"
+                values   = ["bucket-owner-full-control"]
+              },
+              {
+                test     = "StringEquals"
+                variable = "aws:SourceAccount"
+                values   = [module.environment.account_id]
+              },
+              {
+                test     = "ArnLike"
+                variable = "aws:SourceArn"
+                values   = ["arn:aws:logs:${module.environment.region}:${module.environment.account_id}:*"]
+              }
+            ]
+          },
+          {
+            effect = "Allow"
+            actions = [
+              "s3:GetBucketAcl"
+            ]
+            principals = {
+              identifiers = ["delivery.logs.amazonaws.com"]
+              type        = "Service"
+            }
+            conditions = [
+              {
+                test     = "StringEquals"
+                variable = "aws:SourceAccount"
+                values   = [module.environment.account_id]
+              },
+              {
+                test     = "ArnLike"
+                variable = "aws:SourceArn"
+                values   = ["arn:aws:logs:${module.environment.region}:${module.environment.account_id}:*"]
+              }
+            ]
+          }
+        ]
+      }
     }
 
     baseline_secretsmanager_secrets = {

terraform/environments/corporate-staff-rostering/locals_production.tf

@@ -12,6 +12,61 @@ locals {
         ]
         iam_policies = module.baseline_presets.s3_iam_policies
       }
+      nlb-logs-bucket = {
+        sse_algorithm = "AES256"
+        iam_policies  = module.baseline_presets.s3_iam_policies
+        bucket_policy_v2 = [
+          {
+            effect = "Allow"
+            actions = [
+              "s3:PutObject"
+            ]
+            principals = {
+              identifiers = ["delivery.logs.amazonaws.com"]
+              type        = "Service"
+            }
+            conditions = [
+              {
+                test     = "StringEquals"
+                variable = "s3:x-amz-acl"
+                values   = ["bucket-owner-full-control"]
+              },
+              {
+                test     = "StringEquals"
+                variable = "aws:SourceAccount"
+                values   = [module.environment.account_id]
+              },
+              {
+                test     = "ArnLike"
+                variable = "aws:SourceArn"
+                values   = ["arn:aws:logs:${module.environment.region}:${module.environment.account_id}:*"]
+              }
+            ]
+          },
+          {
+            effect = "Allow"
+            actions = [
+              "s3:GetBucketAcl"
+            ]
+            principals = {
+              identifiers = ["delivery.logs.amazonaws.com"]
+              type        = "Service"
+            }
+            conditions = [
+              {
+                test     = "StringEquals"
+                variable = "aws:SourceAccount"
+                values   = [module.environment.account_id]
+              },
+              {
+                test     = "ArnLike"
+                variable = "aws:SourceArn"
+                values   = ["arn:aws:logs:${module.environment.region}:${module.environment.account_id}:*"]
+              }
+            ]
+          }
+        ]
+      }
     }
 
     baseline_secretsmanager_secrets = {

terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf

@@ -129,8 +129,9 @@ resource "aws_s3_bucket_public_access_block" "oracledb_backups_inventory" {
   restrict_public_buckets = true # Block public and cross-account access to buckets and objects through any public bucket or access point policies
 }
 
-data "template_file" "oracledb_backups_inventory_policy_file" {
-  template = templatefile("${path.module}/policies/oracledb_backups_inventory.json",
+resource "aws_s3_bucket_policy" "oracledb_backups_inventory_policy" {
+  bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
+  policy = templatefile("${path.module}/policies/oracledb_backups_inventory.json",
     {
       backup_s3bucket_arn    = module.s3_bucket_oracledb_backups.bucket.arn,
       inventory_s3bucket_arn = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.arn,
@@ -139,11 +140,6 @@ data "template_file" "oracledb_backups_inventory_policy_file" {
   )
 }
 
-resource "aws_s3_bucket_policy" "oracledb_backups_inventory_policy" {
-  bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
-  policy = data.template_file.oracledb_backups_inventory_policy_file.rendered
-}
-
 resource "aws_s3_bucket_inventory" "oracledb_backuppieces" {
   bucket = module.s3_bucket_oracledb_backups.bucket.id
   name   = "${var.env_name}-oracle-database-backuppieces"

terraform/environments/equip/main.tf

@@ -397,18 +397,18 @@ module "win2019_SQL_multiple" {
 
 ################################################################################
 
-data "aws_ami" "windows_2012_std_ami" {
-  owners      = ["amazon"]
-  most_recent = true
-  filter {
-    name   = "name"
-    values = ["Windows_Server-2012-R2_RTM-English-64Bit-Base*"]
-  }
-  filter {
-    name   = "virtualization-type"
-    values = ["hvm"]
-  }
-}
+#data "aws_ami" "windows_2012_std_ami" {
+#  owners      = ["amazon"]
+#  most_recent = true
+#  filter {
+#    name   = "name"
+#    values = ["Windows_Server-2012-R2_RTM-English-64Bit-Base*"]
+#  }
+#  filter {
+#    name   = "virtualization-type"
+#    values = ["hvm"]
+#  }
+#}
 
 
 locals {
@@ -593,3 +593,183 @@ module "win2012_STD_multiple" {
     { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }
   )
 }
+
+data "aws_ami" "windows_2022_std_ami" {
+  owners      = ["amazon"]
+  most_recent = true
+  filter {
+    name   = "name"
+    values = ["Windows_Server-2022-English-Full-Base*"]
+  }
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+}
+
+
+locals {
+  win2022_STD_instances = {
+    COR-A-EQP04 = {
+      instance_type          = "t3a.xlarge"
+      subnet_id              = data.aws_subnet.private_subnets_a.id
+      vpc_security_group_ids = [aws_security_group.aws_equip_security_group.id, aws_security_group.all_internal_groups.id]
+      root_block_device = [
+        {
+          encrypted   = true
+          volume_type = "gp3"
+          volume_size = 90
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP04-root-block" }
+          )
+        }
+      ]
+      ebs_block_device = [
+        {
+          device_name = "/dev/sdg"
+          volume_type = "gp3"
+          volume_size = 500
+          encrypted   = true
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP04-ebs-block-1" }
+          )
+        }
+      ]
+      ebs_block_device = [
+        {
+          device_name = "/dev/sdh"
+          volume_type = "gp3"
+          volume_size = 500
+          encrypted   = true
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP04-ebs-block-2" }
+          )
+        }
+      ]
+      tags = merge(local.tags,
+        { Name = "${local.name}-COR-A-EQP04"
+        Role = "Nimbus Application Services" }
+      )
+    }
+    COR-A-EQP05 = {
+      instance_type          = "t3a.xlarge"
+      subnet_id              = data.aws_subnet.private_subnets_a.id
+      vpc_security_group_ids = [aws_security_group.aws_equip_security_group.id, aws_security_group.all_internal_groups.id]
+      root_block_device = [
+        {
+          encrypted   = true
+          volume_type = "gp3"
+          volume_size = 90
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP05-root-block" }
+          )
+        }
+      ]
+      ebs_block_device = [
+        {
+          device_name = "/dev/sdf"
+          volume_type = "gp3"
+          volume_size = 500
+          encrypted   = true
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP05-ebs-block-1" }
+          )
+        }
+      ]
+      ebs_block_device = [
+        {
+          device_name = "/dev/sdg"
+          volume_type = "gp3"
+          volume_size = 500
+          encrypted   = true
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP05-ebs-block-2" }
+          )
+        }
+      ]
+      tags = merge(local.tags,
+        { Name = "${local.name}-COR-A-EQP05"
+        Role = "Nimbus Application Services" }
+      )
+    }
+    COR-A-EQP06 = {
+      instance_type          = "t3a.xlarge"
+      subnet_id              = data.aws_subnet.private_subnets_c.id
+      vpc_security_group_ids = [aws_security_group.aws_equip_security_group.id, aws_security_group.all_internal_groups.id]
+      root_block_device = [
+        {
+          encrypted   = true
+          volume_type = "gp3"
+          volume_size = 90
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP06-root-block" }
+          )
+        }
+      ]
+      ebs_block_device = [
+        {
+          device_name = "/dev/sdf"
+          volume_type = "gp3"
+          volume_size = 500
+          encrypted   = true
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP06-ebs-block-1" }
+          )
+        }
+      ]
+      ebs_block_device = [
+        {
+          device_name = "/dev/sdg"
+          volume_type = "gp3"
+          volume_size = 500
+          encrypted   = true
+          kms_key_id  = aws_kms_key.this.arn
+          tags = merge(local.tags,
+            { Name = "${local.name}-COR-A-EQP06-ebs-block-2" }
+          )
+        }
+      ]
+      tags = merge(local.tags,
+        { Name = "${local.name}-COR-A-EQP06"
+        Role = "Nimbus Application Services" }
+      )
+    }
+  }
+}
+
+
+module "win2022_STD_multiple" {
+  source = "./ec2-instance-module"
+
+
+  for_each = local.win2022_STD_instances
+
+  name                   = "${local.name}-${each.key}"
+  ami                    = data.aws_ami.windows_2022_std_ami.image_id
+  instance_type          = each.value.instance_type
+  vpc_security_group_ids = each.value.vpc_security_group_ids
+  subnet_id              = each.value.subnet_id
+  monitoring             = true
+  ebs_optimized          = true
+  key_name               = aws_key_pair.windowskey.key_name
+  user_data              = data.template_file.windows-userdata.rendered
+  iam_instance_profile   = aws_iam_instance_profile.instance-profile-moj.name
+
+  enable_volume_tags = false
+  root_block_device  = lookup(each.value, "root_block_device", [])
+  ebs_block_device   = lookup(each.value, "ebs_block_device", [])
+
+  tags = merge(each.value.tags, local.tags, {
+    Environment = "development"
+    terraform_managed = "true" },
+    { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }
+  )
+}