diff --git a/terraform/environments/apex/backups.tf b/terraform/environments/apex/backups.tf index 6ce669d23ac..bfb2c531b81 100644 --- a/terraform/environments/apex/backups.tf +++ b/terraform/environments/apex/backups.tf @@ -57,7 +57,7 @@ resource "aws_backup_vault_policy" "apex" { } ############################################################################ -## This following is required for setting up hourly backup for production +## This following is required for setting up backup for production ############################################################################ @@ -72,14 +72,14 @@ resource "aws_backup_vault" "prod_apex" { resource "aws_backup_plan" "prod_apex" { count = local.environment == "production" ? 1 : 0 - name = "${local.application_name}-backup-hourly-retain-35-days" + name = "${local.application_name}-backup-retain-35-days" rule { - rule_name = "${local.application_name}-backup-hourly-retain-35-days" + rule_name = "${local.application_name}-backup-retain-35-days" target_vault_name = aws_backup_vault.prod_apex[0].name - # Backup hourly - schedule = "cron(0 * * * ? *)" + # Backup every 6 hours on the hour + schedule = "cron(0 0,6,12,18 * * ? *)" lifecycle { delete_after = 35 @@ -108,7 +108,7 @@ resource "aws_backup_selection" "prod_apex" { condition { string_equals { - key = "aws:ResourceTag/snapshot-with-hourly-35-day-retention" + key = "aws:ResourceTag/snapshot-35-day-retention" value = "yes" } # TODO tags required to be confirmed diff --git a/terraform/environments/apex/cloudwatch.tf b/terraform/environments/apex/cloudwatch.tf index 0b4c2bf76b8..b01a59d9595 100644 --- a/terraform/environments/apex/cloudwatch.tf +++ b/terraform/environments/apex/cloudwatch.tf @@ -51,7 +51,7 @@ resource "aws_cloudwatch_metric_alarm" "database_cpu" { resource "aws_cloudwatch_metric_alarm" "database_oracle_alerts" { alarm_name = "${local.application_name}-${local.environment}-oracle-alerts-log-errors" - alarm_description = "Errors Detected in Oracle Alerts Log." + alarm_description = "Errors Detected in Oracle Alerts Log, please check the log group ${aws_cloudwatch_log_group.database.name}" comparison_operator = "GreaterThanOrEqualToThreshold" evaluation_periods = "1" metric_name = aws_cloudwatch_log_metric_filter.database.name diff --git a/terraform/environments/apex/cloudwatch_agent_config.json b/terraform/environments/apex/cloudwatch_agent_config.json index d5257ddcdea..bc7374d583c 100644 --- a/terraform/environments/apex/cloudwatch_agent_config.json +++ b/terraform/environments/apex/cloudwatch_agent_config.json @@ -90,6 +90,11 @@ "file_path": "/home/oracle/logs/pmon_status_alert.log", "log_group_name": "APEX-EC2-database-pmon-status", "log_stream_name": "pmon-status-{instance_id}" + }, + { + "file_path": "/home/oracle/logs/alert_log_check.txt", + "log_group_name": "APEX-EC2-database-alert", + "log_stream_name": "alertlog-{instance_id}" } ] } diff --git a/terraform/environments/apex/ec2.tf b/terraform/environments/apex/ec2.tf index 85bdd2c5873..97367419197 100644 --- a/terraform/environments/apex/ec2.tf +++ b/terraform/environments/apex/ec2.tf @@ -25,15 +25,15 @@ resource "aws_instance" "apex_db_instance" { volume_type = "gp2" tags = merge( local.tags, - { "Name" = "${local.application_name}db-ec2-root" }, - local.backup_schedule_tags + { "Name" = "${local.application_name}db-ec2-root" } ) } tags = merge( local.tags, { "Name" = local.database_ec2_name }, - { "instance-scheduling" = "skip-scheduling" } + { "instance-scheduling" = "skip-scheduling" }, + local.backup_schedule_tags ) } @@ -176,8 +176,7 @@ resource "aws_ebs_volume" "u01-orahome" { } tags = merge( local.tags, - { "Name" = "${local.application_name}db-ec2-u01-orahome" }, - local.backup_schedule_tags + { "Name" = "${local.application_name}db-ec2-u01-orahome" } ) } resource "aws_volume_attachment" "u01-orahome" { @@ -198,8 +197,7 @@ resource "aws_ebs_volume" "u02-oradata" { } tags = merge( local.tags, - { "Name" = "${local.application_name}db-ec2-u02-oradata" }, - local.backup_schedule_tags + { "Name" = "${local.application_name}db-ec2-u02-oradata" } ) } @@ -223,8 +221,7 @@ resource "aws_ebs_volume" "u03-redo" { } tags = merge( local.tags, - { "Name" = "${local.application_name}db-ec2-u03-redo" }, - local.backup_schedule_tags + { "Name" = "${local.application_name}db-ec2-u03-redo" } ) } resource "aws_volume_attachment" "u03-redo" { @@ -245,8 +242,7 @@ resource "aws_ebs_volume" "u04-arch" { } tags = merge( local.tags, - { "Name" = "${local.application_name}db-ec2-u04-arch" }, - local.backup_schedule_tags + { "Name" = "${local.application_name}db-ec2-u04-arch" } ) } resource "aws_volume_attachment" "u04-arch" { @@ -318,4 +314,3 @@ resource "aws_cloudwatch_log_metric_filter" "pmon_status" { - diff --git a/terraform/environments/apex/efs.tf b/terraform/environments/apex/efs.tf index db68a98d009..e1b8de443a3 100644 --- a/terraform/environments/apex/efs.tf +++ b/terraform/environments/apex/efs.tf @@ -46,8 +46,7 @@ resource "aws_efs_file_system" "efs" { tags = merge( local.tags, - { "Name" = "mp-${local.application_name}-efs" }, - local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" } + { "Name" = "mp-${local.application_name}-efs" } ) lifecycle_policy { diff --git a/terraform/environments/apex/locals.tf b/terraform/environments/apex/locals.tf index 6de0178eed1..1e713522d1d 100644 --- a/terraform/environments/apex/locals.tf +++ b/terraform/environments/apex/locals.tf @@ -78,7 +78,7 @@ locals { app_db_password_name = "APP_APEX_DBPASSWORD_TAD" db_hostname = "db.${local.application_name}" - backup_schedule_tags = local.environment == "production" ? { "snapshot-with-hourly-35-day-retention" = "yes" } : { "snapshot-with-daily-7-day-retention" = "yes" } + backup_schedule_tags = local.environment == "production" ? { "snapshot-35-day-retention" = "yes" } : null database-instance-userdata = <, and subsequently we have developed from the code there. Below is the README.md taken form the MP module. - -A Terraform module that creates application loadbalancer (with loadbalancer security groups) in AWS with logging enabled, s3 to store logs and Athena DB to query logs. - -An s3 bucket name can be provided in the module by adding the `existing_bucket_name` variable and adding the bucket name. Otherwise, if no bucket exists one will be created and no variable needs to be set in the module. - -A locals for the loadbalancer security group is necessary to satisfy the `loadbalancer_ingress_rules` and `loadbalancer_egress_rules` variables and creates security group rules for the loadbalancer security group. Below is an example: - -```terraform -locals { - loadbalancer_ingress_rules = { - "lb_ingress" = { - description = "Loadbalancer ingress rule from CloudFront" - from_port = var.security_group_ingress_from_port - to_port = var.security_group_ingress_to_port - protocol = var.security_group_ingress_protocol - prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id] - # cidr_blocks = ["0.0.0.0/0"] - } - } - loadbalancer_egress_rules = { - "lb_egress" = { - description = "Loadbalancer egress rule" - from_port = 0 - to_port = 0 - protocol = "-1" - cidr_blocks = ["0.0.0.0/0"] - security_groups = [] - } - } -``` - -Loadbalancer target groups and listeners need to be created separately. - -To run queries in Athena do the following: -Go to the Athena console and click on Saved Queries - -Click the new saved query that is named ``-create-table and Run it. You only have to do it once. - -Try a query like `select * from lb_logs limit 100;` - -## Usage - -```terraform - -module "alb" { - source = "./modules/alb" - providers = { - aws.bucket-replication = aws - aws.core-vpc = aws.core-vpc - aws.core-network-services = aws.core-network-services - aws.us-east-1 = aws.us-east-1 - } - - vpc_all = local.vpc_all - application_name = local.application_name - business_unit = var.networking[0].business-unit - public_subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id] - private_subnets = [data.aws_subnet.private_subnets_a.id, data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id] - tags = local.tags - account_number = local.environment_management.account_ids[terraform.workspace] - environment = local.environment - region = "eu-west-2" - enable_deletion_protection = false - idle_timeout = 60 - force_destroy_bucket = true - security_group_ingress_from_port = 443 - security_group_ingress_to_port = 443 - security_group_ingress_protocol = "tcp" - moj_vpn_cidr_block = local.application_data.accounts[local.environment].moj_vpn_cidr - # existing_bucket_name = "" # An s3 bucket name can be provided in the module by adding the `existing_bucket_name` variable and adding the bucket name - - listener_protocol = "HTTPS" - listener_port = 443 - alb_ssl_policy = "ELBSecurityPolicy-TLS-1-2-2017-01" # TODO This enforces TLSv1.2. For general, use ELBSecurityPolicy-2016-08 instead - - services_zone_id = data.aws_route53_zone.network-services.zone_id - external_zone_id = data.aws_route53_zone.external.zone_id - acm_cert_domain_name = local.application_data.accounts[local.environment].acm_cert_domain_name - - target_group_deregistration_delay = 30 - target_group_protocol = "HTTP" - target_group_port = 80 - vpc_id = data.aws_vpc.shared.id - - healthcheck_interval = 15 - healthcheck_path = "/mlra/" - healthcheck_protocol = "HTTP" - healthcheck_timeout = 5 - healthcheck_healthy_threshold = 2 - healthcheck_unhealthy_threshold = 3 - - stickiness_enabled = true - stickiness_type = "lb_cookie" - stickiness_cookie_duration = 10800 - - # CloudFront settings, to be moved to application_variables.json if there are differences between environments - cloudfront_default_cache_behavior = { - smooth_streaming = false - allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] - cached_methods = ["HEAD", "GET"] - forwarded_values_query_string = true - forwarded_values_headers = ["Authorization", "CloudFront-Forwarded-Proto", "CloudFront-Is-Desktop-Viewer", "CloudFront-Is-Mobile-Viewer", "CloudFront-Is-SmartTV-Viewer", "CloudFront-Is-Tablet-Viewer", "CloudFront-Viewer-Country", "Host", "User-Agent"] - forwarded_values_cookies_forward = "whitelist" - forwarded_values_cookies_whitelisted_names = ["AWSALB", "JSESSIONID"] - viewer_protocol_policy = "https-only" - } - # Other cache behaviors are processed in the order in which they're listed in the CloudFront console or, if you're using the CloudFront API, the order in which they're listed in the DistributionConfig element for the distribution. - cloudfront_ordered_cache_behavior = { - "cache_behavior_0" = { - smooth_streaming = false - path_pattern = "*.png" - min_ttl = 0 - allowed_methods = ["GET", "HEAD"] - cached_methods = ["HEAD", "GET"] - forwarded_values_query_string = false - forwarded_values_headers = ["Host", "User-Agent"] - forwarded_values_cookies_forward = "none" - viewer_protocol_policy = "https-only" - }, - "cache_behavior_1" = { - smooth_streaming = false - path_pattern = "*.jpg" - min_ttl = 0 - allowed_methods = ["GET", "HEAD"] - cached_methods = ["HEAD", "GET"] - forwarded_values_query_string = false - forwarded_values_headers = ["Host", "User-Agent"] - forwarded_values_cookies_forward = "none" - viewer_protocol_policy = "https-only" - }, - "cache_behavior_2" = { - smooth_streaming = false - path_pattern = "*.gif" - min_ttl = 0 - allowed_methods = ["GET", "HEAD"] - cached_methods = ["HEAD", "GET"] - forwarded_values_query_string = false - forwarded_values_headers = ["Host", "User-Agent"] - forwarded_values_cookies_forward = "none" - viewer_protocol_policy = "https-only" - }, - "cache_behavior_3" = { - smooth_streaming = false - path_pattern = "*.css" - min_ttl = 0 - allowed_methods = ["GET", "HEAD"] - cached_methods = ["HEAD", "GET"] - forwarded_values_query_string = false - forwarded_values_headers = ["Host", "User-Agent"] - forwarded_values_cookies_forward = "none" - viewer_protocol_policy = "https-only" - }, - "cache_behavior_4" = { - smooth_streaming = false - path_pattern = "*.js" - min_ttl = 0 - allowed_methods = ["GET", "HEAD"] - cached_methods = ["HEAD", "GET"] - forwarded_values_query_string = false - forwarded_values_headers = ["Host", "User-Agent"] - forwarded_values_cookies_forward = "none" - viewer_protocol_policy = "https-only" - } - } - cloudfront_http_version = "http2" - cloudfront_enabled = true - cloudfront_origin_protocol_policy = "https-only" - cloudfront_origin_read_timeout = 60 - cloudfront_origin_keepalive_timeout = 60 - cloudfront_price_class = "PriceClass_100" - cloudfront_geo_restriction_type = "none" - cloudfront_geo_restriction_location = [] - cloudfront_is_ipv6_enabled = true - waf_default_action = "BLOCK" - -} - -``` - - - -## Requirements - -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.1 | -| [aws](#requirement_aws) | ~> 4.0 | - -## Providers - -| Name | Version | -| --------------------------------------------------------------- | ------- | -| [aws](#provider_aws) | ~> 4.0 | -| [template](#provider_template) | n/a | - -## Modules - -| Name | Source | Version | -| -------------------------------------------------------------- | ----------------------------------------------------------------------- | ------- | -| [s3-bucket](#module_s3-bucket) | github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket | v6.1.1 | - -## Resources - -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_athena_database.lb-access-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database) | resource | -| [aws_athena_named_query.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_named_query) | resource | -| [aws_athena_workgroup.lb-access-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup) | resource | -| [aws_lb.loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | -| [aws_security_group.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_elb_service_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | -| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | -| [aws_vpc.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | -| [template_file.lb-access-logs](https://registry.terraform.io/providers/hashicorp/template/latest/docs/data-sources/file) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | :------: | -| [account_number](#input_account_number) | Account number of current environment | `string` | n/a | yes | -| [application_name](#input_application_name) | Name of application | `string` | n/a | yes | -| [enable_deletion_protection](#input_enable_deletion_protection) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. | `bool` | n/a | yes | -| [existing_bucket_name](#input_existing_bucket_name) | The name of the existing bucket name. If no bucket is provided one will be created for them. | `string` | `""` | no | -| [force_destroy_bucket](#input_force_destroy_bucket) | A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | -| [idle_timeout](#input_idle_timeout) | The time in seconds that the connection is allowed to be idle. | `string` | n/a | yes | -| [loadbalancer_egress_rules](#input_loadbalancer_egress_rules) | Security group egress rules for the loadbalancer |
map(object({
description = string
from_port = number
to_port = number
protocol = string
security_groups = list(string)
cidr_blocks = list(string)
}))
| n/a | yes | -| [loadbalancer_ingress_rules](#input_loadbalancer_ingress_rules) | Security group ingress rules for the loadbalancer |
map(object({
description = string
from_port = number
to_port = number
protocol = string
security_groups = list(string)
cidr_blocks = list(string)
}))
| n/a | yes | -| [public_subnets](#input_public_subnets) | Public subnets | `list(string)` | n/a | yes | -| [region](#input_region) | AWS Region where resources are to be created | `string` | n/a | yes | -| [tags](#input_tags) | Common tags to be used by all resources | `map(string)` | n/a | yes | -| [vpc_all](#input_vpc_all) | The full name of the VPC (including environment) used to create resources | `string` | n/a | yes | - -## Outputs - -| Name | Description | -| ----------------------------------------------------------------------------- | ----------- | -| [athena_db](#output_athena_db) | n/a | -| [load_balancer](#output_load_balancer) | n/a | -| [security_group](#output_security_group) | n/a | - - - -## Looking for issues? - -If you're looking to raise an issue with this module, please create a new issue in the [Modernisation Platform repository](https://github.com/ministryofjustice/modernisation-platform/issues). - - - -## Requirements - -| Name | Version | -| ------------------------------------------------------------------------ | -------- | -| [terraform](#requirement_terraform) | >= 1.0.1 | -| [aws](#requirement_aws) | ~> 4.0 | - -## Providers - -| Name | Version | -| ------------------------------------------------ | ------- | -| [aws](#provider_aws) | ~> 4.0 | - -## Modules - -| Name | Source | Version | -| -------------------------------------------------------------- | ----------------------------------------------------------------------- | ------- | -| [s3-bucket](#module_s3-bucket) | github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket | v6.2.0 | - -## Resources - -| Name | Type | -| ------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | -| [aws_athena_database.lb-access-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_database) | resource | -| [aws_athena_named_query.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_named_query) | resource | -| [aws_athena_workgroup.lb-access-logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup) | resource | -| [aws_lb.loadbalancer](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb) | resource | -| [aws_security_group.lb](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group) | resource | -| [aws_elb_service_account.default](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source | -| [aws_iam_policy_document.bucket_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | -| [aws_vpc.shared](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source | - -## Inputs - -| Name | Description | Type | Default | Required | -| --------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | :------: | -| [account_number](#input_account_number) | Account number of current environment | `string` | n/a | yes | -| [application_name](#input_application_name) | Name of application | `string` | n/a | yes | -| [enable_deletion_protection](#input_enable_deletion_protection) | If true, deletion of the load balancer will be disabled via the AWS API. This will prevent Terraform from deleting the load balancer. | `bool` | n/a | yes | -| [existing_bucket_name](#input_existing_bucket_name) | The name of the existing bucket name. If no bucket is provided one will be created for them. | `string` | `""` | no | -| [force_destroy_bucket](#input_force_destroy_bucket) | A boolean that indicates all objects (including any locked objects) should be deleted from the bucket so that the bucket can be destroyed without error. These objects are not recoverable. | `bool` | `false` | no | -| [idle_timeout](#input_idle_timeout) | The time in seconds that the connection is allowed to be idle. | `string` | n/a | yes | -| [internal_lb](#input_internal_lb) | A boolean that determines whether the load balancer is internal or internet-facing. | `bool` | `false` | no | -| [loadbalancer_egress_rules](#input_loadbalancer_egress_rules) | Security group egress rules for the loadbalancer |
map(object({
description = string
from_port = number
to_port = number
protocol = string
security_groups = list(string)
cidr_blocks = list(string)
}))
| n/a | yes | -| [loadbalancer_ingress_rules](#input_loadbalancer_ingress_rules) | Security group ingress rules for the loadbalancer |
map(object({
description = string
from_port = number
to_port = number
protocol = string
security_groups = list(string)
cidr_blocks = list(string)
}))
| n/a | yes | -| [public_subnets](#input_public_subnets) | Public subnets | `list(string)` | n/a | yes | -| [region](#input_region) | AWS Region where resources are to be created | `string` | n/a | yes | -| [tags](#input_tags) | Common tags to be used by all resources | `map(string)` | n/a | yes | -| [vpc_all](#input_vpc_all) | The full name of the VPC (including environment) used to create resources | `string` | n/a | yes | - -## Outputs - -| Name | Description | -| ----------------------------------------------------------------------------- | ----------- | -| [athena_db](#output_athena_db) | n/a | -| [load_balancer](#output_load_balancer) | n/a | -| [security_group](#output_security_group) | n/a | - - +This `alb` local Terraform module is taken from the MP provided module - , and subsequently we have developed from the code there. \ No newline at end of file