merging in latest changes from main

.github/workflows/code-scanning.yml

@@ -38,7 +38,7 @@ jobs:
         run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           sarif_file: tflint.sarif
   trivy:
@@ -63,7 +63,7 @@ jobs:
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           sarif_file: 'trivy-results.sarif'
   checkov:
@@ -81,7 +81,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@d5cf7815e6ec033e990dc1d66c346983339a912b # v12.2777.0
+        uses: bridgecrewio/checkov-action@5ec4b94cd3e2b97551965608a7413098ee737108 # v12.2780.0
         with:
           directory: ./
           framework: terraform
@@ -90,6 +90,6 @@ jobs:
           skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
       - name: Upload SARIF file
         if: success() || failure()
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           sarif_file: ./checkov.sarif

.github/workflows/scorecards.yml

@@ -67,6 +67,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@530d4feaa9c62aaab2d250371e2061eb7a172363 # v3.25.9
+        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251 # v3.25.10
         with:
           sarif_file: results.sarif

terraform/environments/analytical-platform-compute/helm-charts-system.tf

@@ -4,7 +4,7 @@ resource "helm_release" "kyverno" {
   name       = "kyverno"
   repository = "https://kyverno.github.io/kyverno"
   chart      = "kyverno"
-  version    = "3.2.3"
+  version    = "3.2.4"
   namespace  = kubernetes_namespace.kyverno.metadata[0].name
   values = [
     templatefile(
@@ -68,7 +68,7 @@ resource "helm_release" "amazon_prometheus_proxy" {
   name       = "amazon-prometheus-proxy"
   repository = "https://prometheus-community.github.io/helm-charts"
   chart      = "kube-prometheus-stack"
-  version    = "59.1.0"
+  version    = "60.1.0"
   namespace  = kubernetes_namespace.aws_observability.metadata[0].name
   values = [
     templatefile(
@@ -116,7 +116,7 @@ resource "helm_release" "external_dns" {
   name       = "external-dns"
   repository = "https://kubernetes-sigs.github.io/external-dns"
   chart      = "external-dns"
-  version    = "1.14.4"
+  version    = "1.14.5"
   namespace  = kubernetes_namespace.external_dns.metadata[0].name
   values = [
     templatefile(
@@ -137,7 +137,7 @@ resource "helm_release" "cert_manager" {
   name       = "cert-manager"
   repository = "https://charts.jetstack.io"
   chart      = "cert-manager"
-  version    = "v1.14.5"
+  version    = "v1.15.0"
   namespace  = kubernetes_namespace.cert_manager.metadata[0].name
   values = [
     templatefile(

terraform/environments/analytical-platform-ingestion/environment-configuration.tf

@@ -25,8 +25,8 @@ locals {
       transfer_server_sftp_users = {}
       transfer_server_sftp_users_with_egress = {
         "essex-police" = {
-          ssh_key               = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBCv3JdWZ/2NGd8KKaeICIjqw5zwI2NtzQSWtvscfKZS [email protected].uk"
-          cidr_blocks           = ["213.121.161.124/32", "2.99.13.52/32", "78.150.12.143/32"]
+          ssh_key               = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCpNyYzfbqmy4QkViLRyASRqxrEK7G34o3Bc6Jdp8vK555/oBuAUXUxfavtenZnxuxdxsrBYBSCBFcU4+igeXN/nN2kVfaUlt1xBZBCRUaajinhmt+3CLbr8bWmHR/5vL/DhxHH+j/+gDH5A244XN/ybZQvCGX/ilgKiae8s0tiOZD2hmX0fhRTCohQFG/DIu06gqKIyxUQoHBoBJxjzaDvjqioJgqmD9893DN+Gx1KozmaQWHM+0f7iK1UFp8BkdeFBVkj8TOfx60o/EmAjWQ/U+WSHblaXo0nI+LQKZYkW52uTEnfSkbkyvs/vj8E8+vagwYi0noyTVmb5qReSuk1kyuqEP2ycKIaWKt+Z4LnwxHm7KO51SMMeBgpiFHaUTQWXZHYuU2aXVfFIgJkCtHdEjG7Qe2P8K5XU5rG+CrQ/Y9PxPrKQHk+2nox9dLfCWo2Eho1N85z9/rA7A0oNwsHkjWAl3k87lWdpg7y3VNLzqsMNF4M4HjpQV60MH73dUU= [email protected].uk"
+          cidr_blocks           = ["194.74.29.178/32"]
           egress_bucket         = module.bold_egress_bucket.s3_bucket_id
           egress_bucket_kms_key = module.s3_bold_egress_kms.key_arn
         }

terraform/environments/apex/cloudwatch.tf

@@ -53,15 +53,15 @@ resource "aws_cloudwatch_metric_alarm" "database_oracle_alerts" {
   alarm_name          = "${local.application_name}-${local.environment}-oracle-alerts-log-errors"
   alarm_description   = "Errors Detected in Oracle Alerts Log."
   comparison_operator = "GreaterThanOrEqualToThreshold"
-  evaluation_periods = "1"
-  metric_name        = aws_cloudwatch_log_metric_filter.database.name
-  namespace          = aws_cloudwatch_log_metric_filter.database.metric_transformation[0].namespace
-  period             = "60"
-  statistic          = "Sum"
-  threshold          = local.application_data.accounts[local.environment].database_oracle_alerts_alarm_threshold
-  alarm_actions      = [aws_sns_topic.apex.arn]
-  ok_actions         = [aws_sns_topic.apex.arn]
-  treat_missing_data = "notBreaching"
+  evaluation_periods  = "1"
+  metric_name         = aws_cloudwatch_log_metric_filter.database.name
+  namespace           = aws_cloudwatch_log_metric_filter.database.metric_transformation[0].namespace
+  period              = "60"
+  statistic           = "Sum"
+  threshold           = local.application_data.accounts[local.environment].database_oracle_alerts_alarm_threshold
+  alarm_actions       = [aws_sns_topic.apex.arn]
+  ok_actions          = [aws_sns_topic.apex.arn]
+  treat_missing_data  = "notBreaching"
   tags = merge(
     local.tags,
     {
@@ -75,15 +75,15 @@ resource "aws_cloudwatch_metric_alarm" "database_pmon_status" {
   alarm_name          = "${local.application_name}-${local.environment}-oracle-alerts-pmon-status"
   alarm_description   = "Database Down indicator found in the pmon logs"
   comparison_operator = "GreaterThanOrEqualToThreshold"
-  evaluation_periods = "1"
-  metric_name        = aws_cloudwatch_log_metric_filter.pmon_status.name
-  namespace          = aws_cloudwatch_log_metric_filter.pmon_status.metric_transformation[0].namespace
-  period             = "60"
-  statistic          = "Sum"
-  threshold          = local.application_data.accounts[local.environment].database_pmon_status_alarm_threshold
-  alarm_actions      = [aws_sns_topic.apex.arn]
-  ok_actions         = [aws_sns_topic.apex.arn]
-  treat_missing_data = "notBreaching"
+  evaluation_periods  = "1"
+  metric_name         = aws_cloudwatch_log_metric_filter.pmon_status.name
+  namespace           = aws_cloudwatch_log_metric_filter.pmon_status.metric_transformation[0].namespace
+  period              = "60"
+  statistic           = "Sum"
+  threshold           = local.application_data.accounts[local.environment].database_pmon_status_alarm_threshold
+  alarm_actions       = [aws_sns_topic.apex.arn]
+  ok_actions          = [aws_sns_topic.apex.arn]
+  treat_missing_data  = "notBreaching"
   tags = merge(
     local.tags,
     {
@@ -249,7 +249,7 @@ resource "aws_cloudwatch_metric_alarm" "alb_unhealthy_hosts" {
   comparison_operator = "GreaterThanThreshold"
   dimensions = {
     LoadBalancer = module.alb.load_balancer_arn_suffix
-    TargetGroup = module.alb.target_group_arn_suffix
+    TargetGroup  = module.alb.target_group_arn_suffix
   }
   evaluation_periods = "5"
   metric_name        = "UnHealthyHostCount"
@@ -301,16 +301,16 @@ resource "aws_cloudwatch_metric_alarm" "alb_target_5xx" {
   dimensions = {
     LoadBalancer = module.alb.load_balancer_arn_suffix
   }
-  evaluation_periods = "5"
+  evaluation_periods  = "5"
   datapoints_to_alarm = "2"
-  metric_name        = "HTTPCode_Target_5XX_Count"
-  namespace          = "AWS/ApplicationELB"
-  period             = "60"
-  statistic          = "Sum"
-  threshold          = local.application_data.accounts[local.environment].alb_target_5xx_alarm_threshold
-  alarm_actions      = [aws_sns_topic.apex.arn]
-  ok_actions         = [aws_sns_topic.apex.arn]
-  treat_missing_data = "notBreaching"
+  metric_name         = "HTTPCode_Target_5XX_Count"
+  namespace           = "AWS/ApplicationELB"
+  period              = "60"
+  statistic           = "Sum"
+  threshold           = local.application_data.accounts[local.environment].alb_target_5xx_alarm_threshold
+  alarm_actions       = [aws_sns_topic.apex.arn]
+  ok_actions          = [aws_sns_topic.apex.arn]
+  treat_missing_data  = "notBreaching"
   tags = merge(
     local.tags,
     {
@@ -402,12 +402,12 @@ data "template_file" "dashboard" {
   template = file("${path.module}/dashboard.tpl")
 
   vars = {
-    aws_region                  = "eu-west-2"
-    alb_elb_5xx_alarm           = aws_cloudwatch_metric_alarm.alb_elb_5xx.arn
-    alb_elb_4xx_alarm           = aws_cloudwatch_metric_alarm.alb_elb_4xx.arn
-    alb_response_time_alarm     = aws_cloudwatch_metric_alarm.alb_response_time.arn
-    ecs_cpu_alarm               = aws_cloudwatch_metric_alarm.ecs_cpu.arn
-    ecs_memory_alarm            = aws_cloudwatch_metric_alarm.ecs_memory.arn
+    aws_region              = "eu-west-2"
+    alb_elb_5xx_alarm       = aws_cloudwatch_metric_alarm.alb_elb_5xx.arn
+    alb_elb_4xx_alarm       = aws_cloudwatch_metric_alarm.alb_elb_4xx.arn
+    alb_response_time_alarm = aws_cloudwatch_metric_alarm.alb_response_time.arn
+    ecs_cpu_alarm           = aws_cloudwatch_metric_alarm.ecs_cpu.arn
+    ecs_memory_alarm        = aws_cloudwatch_metric_alarm.ecs_memory.arn
 
   }
 }

terraform/environments/apex/ec2.tf

@@ -269,9 +269,9 @@ resource "aws_cloudwatch_log_metric_filter" "database" {
   log_group_name = aws_cloudwatch_log_group.database.name
 
   metric_transformation {
-    name      = "${upper(local.application_name)}-LogMetricOracleAlerts"
-    namespace = "LogsMetricFilters"
-    value     = "1"
+    name          = "${upper(local.application_name)}-LogMetricOracleAlerts"
+    namespace     = "LogsMetricFilters"
+    value         = "1"
     default_value = 0
   }
 }
@@ -294,9 +294,9 @@ resource "aws_cloudwatch_log_metric_filter" "pmon_status" {
   log_group_name = aws_cloudwatch_log_group.pmon_status.name
 
   metric_transformation {
-    name      = "${upper(local.application_name)}-LogMetricPMONStatus"
-    namespace = "LogsMetricFilters"
-    value     = "1"
+    name          = "${upper(local.application_name)}-LogMetricPMONStatus"
+    namespace     = "LogsMetricFilters"
+    value         = "1"
     default_value = 0
   }
 }

terraform/environments/apex/kms.tf

@@ -2,7 +2,7 @@
 # KMS keys for CloudWatch Log Groups
 ######################################
 resource "aws_kms_key" "cloudwatch_logs_key" {
-  description             = "KMS key to be used for encrypting the CloudWatch logs in the Log Groups"
+  description         = "KMS key to be used for encrypting the CloudWatch logs in the Log Groups"
   enable_key_rotation = true
   tags                = local.tags
 }
@@ -29,18 +29,18 @@ resource "aws_kms_key_policy" "cloudwatch_logs_policy" {
       },
       {
         Action = [
-            "kms:Encrypt*",
-            "kms:Decrypt*",
-            "kms:ReEncrypt*",
-            "kms:GenerateDataKey*",
-            "kms:Describe*"            
+          "kms:Encrypt*",
+          "kms:Decrypt*",
+          "kms:ReEncrypt*",
+          "kms:GenerateDataKey*",
+          "kms:Describe*"
         ]
         Effect = "Allow"
         Principal = {
-            Service = "logs.eu-west-2.amazonaws.com"
+          Service = "logs.eu-west-2.amazonaws.com"
         }
         Resource = "*"
-        Sid = "Enable log service Permissions"
+        Sid      = "Enable log service Permissions"
       }
     ]
     Version = "2012-10-17"

terraform/environments/apex/modules/ecs/main.tf

@@ -457,7 +457,7 @@ resource "aws_cloudwatch_log_group" "cloudwatch_group" {
   #checkov:skip=CKV_AWS_158:Temporarily skip KMS encryption check while logging solution is being updated
   name              = "${var.app_name}-ecs-container-logs"
   retention_in_days = 90
-  kms_key_id = var.log_group_kms_key
+  kms_key_id        = var.log_group_kms_key
   tags = merge(
     var.tags_common,
     {
@@ -474,7 +474,7 @@ resource "aws_cloudwatch_log_group" "cloudwatch_group" {
 resource "aws_cloudwatch_log_group" "ec2" {
   name              = "${var.app_name}-ecs-ec2-logs"
   retention_in_days = 90
-  kms_key_id = var.log_group_kms_key
+  kms_key_id        = var.log_group_kms_key
   tags = merge(
     var.tags_common,
     {

terraform/environments/apex/sns.tf

@@ -1,5 +1,5 @@
 locals {
-    pagerduty_integration_key_name = local.environment == "production" ? "laa_apex_prod_alarms" : "laa_apex_nonprod_alarms"
+  pagerduty_integration_key_name = local.environment == "production" ? "laa_apex_prod_alarms" : "laa_apex_nonprod_alarms"
 }
 
 # SNS topic for monitoring to send alarms to

terraform/environments/ccms-ebs-upgrade/iam.tf

@@ -244,3 +244,35 @@ resource "aws_iam_role_policy_attachment" "access_to_lz_buckets_policy" {
   role       = aws_iam_role.role_stsassume_oracle_base.name
   policy_arn = aws_iam_policy.access_to_lz_buckets.arn
 }
+
+# Allow EC2 operations.
+resource "aws_iam_policy" "ec2_operations_policy" {
+  name        = "ec2_operations-${local.environment}"
+  description = "Allows EC2 operations."
+
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "EC2Operations",
+          "Effect" : "Allow",
+          "Action" : [
+            "ec2:Describe*",
+            "ec2:CreateSnapshot",
+            "ec2:CreateSnapshots",
+            "ec2:DeleteSnapshot",
+            "ec2:CreateTags",
+            "ec2:DeleteTags"
+          ],
+          "Resource" : "*"
+        }
+      ]
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_operations_policy_att" {
+  role       = aws_iam_role.role_stsassume_oracle_base.name
+  policy_arn = aws_iam_policy.ec2_operations_policy.arn
+}

terraform/environments/ccms-ebs/ccms-iam.tf

@@ -245,6 +245,38 @@ resource "aws_iam_role_policy_attachment" "access_to_lz_buckets_policy" {
   policy_arn = aws_iam_policy.access_to_lz_buckets.arn
 }
 
+# Allow EC2 operations.
+resource "aws_iam_policy" "ec2_operations_policy" {
+  name        = "ec2_operations-${local.environment}"
+  description = "Allows EC2 operations."
+
+  policy = jsonencode(
+    {
+      "Version" : "2012-10-17",
+      "Statement" : [
+        {
+          "Sid" : "EC2Operations",
+          "Effect" : "Allow",
+          "Action" : [
+            "ec2:Describe*",
+            "ec2:CreateSnapshot",
+            "ec2:CreateSnapshots",
+            "ec2:DeleteSnapshot",
+            "ec2:CreateTags",
+            "ec2:DeleteTags"
+          ],
+          "Resource" : "*"
+        }
+      ]
+    }
+  )
+}
+
+resource "aws_iam_role_policy_attachment" "ec2_operations_policy_att" {
+  role       = aws_iam_role.role_stsassume_oracle_base.name
+  policy_arn = aws_iam_policy.ec2_operations_policy.arn
+}
+
 #Moved member infrastructure IAM resources from MP repo
 
 #tfsec:ignore:aws-iam-no-user-attached-policies

terraform/environments/cdpt-ifs/database.tf

@@ -3,16 +3,16 @@
 #----------------------------------------------------------------------------
 
 resource "aws_db_instance" "database" {
-  allocated_storage      = local.application_data.accounts[local.environment].db_allocated_storage
-  storage_type           = "gp2"
-  engine                 = "sqlserver-web"
-  engine_version         = "14.00.3381.3.v1"
-  instance_class         = local.application_data.accounts[local.environment].db_instance_class
-  identifier             = local.application_data.accounts[local.environment].db_instance_identifier
-  username               = local.application_data.accounts[local.environment].db_user
-  password               = aws_secretsmanager_secret_version.db_password.secret_string
-  vpc_security_group_ids = [aws_security_group.db.id]
-  depends_on             = [aws_security_group.db]
+  allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
+  storage_type              = "gp2"
+  engine                    = "sqlserver-web"
+  engine_version            = "14.00.3381.3.v1"
+  instance_class            = local.application_data.accounts[local.environment].db_instance_class
+  identifier                = local.application_data.accounts[local.environment].db_instance_identifier
+  username                  = local.application_data.accounts[local.environment].db_user
+  password                  = aws_secretsmanager_secret_version.db_password.secret_string
+  vpc_security_group_ids    = [aws_security_group.db.id]
+  depends_on                = [aws_security_group.db]
   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
   db_subnet_group_name      = aws_db_subnet_group.db.id
   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"

terraform/environments/corporate-staff-rostering/locals.tf

@@ -21,6 +21,7 @@ locals {
   baseline_presets_all_environments = {
     options = {
       cloudwatch_dashboard_default_widget_groups = [
+        "network_lb",
         "ec2",
         "ec2_linux",
         "ec2_instance_linux",