From f697d6e56a4e41d972495ee313ef33083a9a0cc3 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Thu, 17 Oct 2024 16:52:22 +0100 Subject: [PATCH 01/83] create mojap-derived-tables-replication bucket --- .../analytical-platform-compute/locals.tf | 40 +++++++++++++++++++ .../analytical-platform-compute/s3-buckets.tf | 37 ++++++++--------- 2 files changed, 59 insertions(+), 18 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/locals.tf b/terraform/environments/analytical-platform-compute/locals.tf index fa67f520ecf..a0ef296073e 100644 --- a/terraform/environments/analytical-platform-compute/locals.tf +++ b/terraform/environments/analytical-platform-compute/locals.tf @@ -26,4 +26,44 @@ locals { /* Environment Configuration */ environment_configuration = local.environment_configurations[local.environment] + /* S3 - APC bucket locals */ + apc_buckets = { + "mojap-derived-tables-replication" = { + force_destroy = true + object_lock_enabled = false + acl = "private" + versioning = { + status = "Disabled" + } + bucket = "mojap-derived-tables-replication-${local.environment}" + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = false + + apply_server_side_encryption_by_default = { + sse_algorithm = "AES256" + } + } + } + public_access_block = { + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + } + } + "mlflow_buckets" = { + bucket = "mojap-compute-${local.environment}-mlflow" + force_destroy = true + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = module.mlflow_s3_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } + } + } } diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 73777c5ffce..53ae28ab66c 100644 
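Review bot: The new `mojap-derived-tables-replication` entry combines `force_destroy = true` with `versioning = { status = "Disabled" }`, so a `terraform destroy`, or a later change to the map key that moves the resource address, deletes every object with no version history to fall back on. For a bucket named as a replication destination that is the wrong default, and if it is the target of S3 Replication it needs versioning enabled anyway; I would set `force_destroy = false` and `versioning = { status = "Enabled" }`, or add a comment stating why the contents are disposable. The entry also uses `sse_algorithm = "AES256"` while the neighbouring `mlflow_buckets` entry encrypts with a customer-managed key via `module.mlflow_s3_kms.key_arn`; if the replicated data warrants a CMK (key policy control, CloudTrail visibility of key use) this is the place to be consistent. The enclosing `locals` block starts outside the hunk.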
--- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -1,23 +1,24 @@ -module "mlflow_bucket" { +module "apc_buckets" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.1" + for_each = local.apc_buckets + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.1" - bucket = "mojap-compute-${local.environment}-mlflow" - - force_destroy = true - - server_side_encryption_configuration = { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = module.mlflow_s3_kms.key_arn - sse_algorithm = "aws:kms" - } - } - } - - tags = local.tags + bucket = each.value.bucket + force_destroy = each.value.force_destroy + object_lock_enabled = try(each.value.object_lock_enabled, null) + tags = local.tags + server_side_encryption_configuration = each.value.server_side_encryption_configuration + attach_policy = can(each.value.policy) + policy = try(each.value.policy, null) + lifecycle_rule = try(each.value.lifecycle_rule, []) + versioning = try(each.value.versioning, null) + attach_public_policy = try(each.value.public_access_block, null) + block_public_acls = try(each.value.public_access_block.block_public_acls, true) + block_public_policy = try(each.value.public_access_block.block_public_policy, true) + ignore_public_acls = try(each.value.public_access_block.ignore_public_acls, true) + restrict_public_buckets = try(each.value.public_access_block.restrict_public_buckets, true) + acl = try(each.value.acl, null) } From e90d2aaed2533e248ffe98e06aa95018487b9127 Mon Sep 17 00:00:00 2001 
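Review bot: Replacing `module "mlflow_bucket"` with the `for_each` module `apc_buckets` changes the resource addresses of the existing mlflow bucket, so this commit on its own plans a destroy and create of `mojap-compute-${local.environment}-mlflow`, and because the corresponding locals entry sets `force_destroy = true` Terraform would delete the bucket's objects rather than refuse. `moved { from = module.mlflow_bucket.aws_s3_bucket.this[0] to = module.apc_buckets["..."].aws_s3_bucket.this[0] }` blocks (and the same for the public access block and SSE resources) need to land in the same change as the rename, otherwise any apply of this commit in isolation is destructive. Separately, `attach_public_policy = try(each.value.public_access_block, null)` and `object_lock_enabled = try(each.value.object_lock_enabled, null)` pass a map and `null` where the module expects booleans; `attach_public_policy = true` and `object_lock_enabled = try(each.value.object_lock_enabled, false)` match the posture the four `block_public_*` defaults already assume.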
From: Anthony Fitzroy Date: Fri, 18 Oct 2024 10:54:52 +0100 Subject: [PATCH 02/83] update mlflow_bucket references --- .../environments/analytical-platform-compute/iam-policies.tf | 4 ++-- terraform/environments/analytical-platform-compute/locals.tf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 18b8314df6e..b7f9e77585f 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -123,7 +123,7 @@ data "aws_iam_policy_document" "mlflow" { effect = "Allow" actions = ["s3:ListBucket"] resources = [ - module.mlflow_bucket.s3_bucket_arn, + module.apc_buckets["mlflow_bucket"].s3_bucket_arn, "arn:aws:s3:::${local.environment_configuration.mlflow_s3_bucket_name}" ] } @@ -136,7 +136,7 @@ data "aws_iam_policy_document" "mlflow" { "s3:DeleteObject" ] resources = [ - "${module.mlflow_bucket.s3_bucket_arn}/*", + "${module.apc_buckets["mlflow_bucket"].s3_bucket_arn}/*", "arn:aws:s3:::${local.environment_configuration.mlflow_s3_bucket_name}/*" ] } diff --git a/terraform/environments/analytical-platform-compute/locals.tf b/terraform/environments/analytical-platform-compute/locals.tf index a0ef296073e..00aa2ac846a 100644 --- a/terraform/environments/analytical-platform-compute/locals.tf +++ b/terraform/environments/analytical-platform-compute/locals.tf @@ -52,8 +52,8 @@ locals { restrict_public_buckets = true } } - "mlflow_buckets" = { - bucket = "mojap-compute-${local.environment}-mlflow" + "mlflow_bucket" = { + bucket = "mojap-compute-${local.environment}-mlflow" force_destroy = true server_side_encryption_configuration = { rule = { From 5d866c33615e7d24ce638e2c976c3041ddbe46a2 Mon Sep 17 00:00:00 2001 
From: Anthony Fitzroy Date: Fri, 18 Oct 2024 11:07:55 +0100 Subject: [PATCH 03/83] added moved blocks --- .../analytical-platform-compute/s3-buckets.tf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 53ae28ab66c..4e1165ac1e7 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -22,3 +22,18 @@ module "apc_buckets" { restrict_public_buckets = try(each.value.public_access_block.restrict_public_buckets, true) acl = try(each.value.acl, null) } + +moved { + from = module.mlflow_bucket.aws_s3_bucket.this[0] + to = module.apc_buckets["mlflow_bucket"].aws_s3_bucket.this[0] +} + +moved { + from = module.mlflow_bucket.aws_s3_bucket_public_access_block.this[0] + to = module.apc_buckets["mlflow_bucket"].aws_s3_bucket_public_access_block.this[0] +} + +moved { + from = module.mlflow_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0] + to = module.apc_buckets["mlflow_bucket"].aws_s3_bucket_server_side_encryption_configuration.this[0] +} From 3612e6057842dd5f8cbd911098cb189837c923a1 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Fri, 18 Oct 2024 11:17:31 +0100 Subject: [PATCH 04/83] fixed errors in tf plan --- .../environments/analytical-platform-compute/s3-buckets.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 4e1165ac1e7..19f19dcf8fa 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf 
@@ -8,14 +8,14 @@ module "apc_buckets" { bucket = each.value.bucket force_destroy = each.value.force_destroy - object_lock_enabled = try(each.value.object_lock_enabled, null) + object_lock_enabled = try(each.value.object_lock_enabled, false) tags = local.tags server_side_encryption_configuration = each.value.server_side_encryption_configuration attach_policy = can(each.value.policy) policy = try(each.value.policy, null) lifecycle_rule = try(each.value.lifecycle_rule, []) - versioning = try(each.value.versioning, null) - attach_public_policy = try(each.value.public_access_block, null) + versioning = try(each.value.versioning, {}) + attach_public_policy = try(each.value.public_access_block, true) block_public_acls = try(each.value.public_access_block.block_public_acls, true) block_public_policy = try(each.value.public_access_block.block_public_policy, true) ignore_public_acls = try(each.value.public_access_block.ignore_public_acls, true) From bbfe64629a3df1288ef5668fbdb968c45ad6f899 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Fri, 18 Oct 2024 11:22:46 +0100 Subject: [PATCH 05/83] fixed errors in tf plan pt.2 --- .../environments/analytical-platform-compute/s3-buckets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 19f19dcf8fa..fd4a44744e8 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf 
@@ -15,7 +15,7 @@ module "apc_buckets" { policy = try(each.value.policy, null) lifecycle_rule = try(each.value.lifecycle_rule, []) versioning = try(each.value.versioning, {}) - attach_public_policy = try(each.value.public_access_block, true) + attach_public_policy = true block_public_acls = try(each.value.public_access_block.block_public_acls, true) block_public_policy = try(each.value.public_access_block.block_public_policy, true) ignore_public_acls = try(each.value.public_access_block.ignore_public_acls, true) From e7d0de1d2b5f79981425129c21eb824d521c252d Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Fri, 18 Oct 2024 11:35:43 +0100 Subject: [PATCH 06/83] add logging bucket --- .../analytical-platform-compute/locals.tf | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/locals.tf b/terraform/environments/analytical-platform-compute/locals.tf index 00aa2ac846a..1c96adce371 100644 --- a/terraform/environments/analytical-platform-compute/locals.tf +++ b/terraform/environments/analytical-platform-compute/locals.tf @@ -51,6 +51,10 @@ locals { ignore_public_acls = true restrict_public_buckets = true } + logging = { + target_bucket = "apc-bucket-logs-${local.environment}" + target_prefix = "mojap-derived-tables-replication/" + } } "mlflow_bucket" = { bucket = "mojap-compute-${local.environment}-mlflow" @@ -65,5 +69,29 @@ locals { } } } + "apc_bucket_logs" = { + force_destroy = false + object_lock_enabled = false + acl = "private" + versioning = { + status = "Disabled" + } + bucket = "apc-bucket-logs-${local.environment}" + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = false + + apply_server_side_encryption_by_default = { + sse_algorithm = "AES256" + } + } + } + public_access_block = { + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + } + } } } 
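Review bot: The new `apc_bucket_logs` entry has no bucket policy allowing `logging.s3.amazonaws.com` to write to it, so the `logging` block added to `mojap-derived-tables-replication` in the first hunk is accepted by Terraform but S3 cannot deliver access logs (new buckets default to ownership `BucketOwnerEnforced`, where the log-delivery ACL route is unavailable and a bucket policy is required). `target_bucket = "apc-bucket-logs-${local.environment}"` is a string literal, so nothing orders the logging configuration after the log bucket's creation; referencing the module output instead gives Terraform the dependency. The log bucket also has no `lifecycle_rule`, so access logs accumulate indefinitely; an expiry rule such as (constructed example) `lifecycle_rule = [{ id = "expire-logs", enabled = true, expiration = { days = 365 } }]` keeps it bounded at whatever retention the team agrees on. The enclosing `locals` block starts outside both hunks.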
From e006c4b910e0357a688005efa61b807513f3b669 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Fri, 18 Oct 2024 14:31:21 +0100 Subject: [PATCH 07/83] refactor --- .../analytical-platform-compute/kms-keys.tf | 32 +++++ .../analytical-platform-compute/locals.tf | 69 ---------- .../analytical-platform-compute/s3-buckets.tf | 123 +++++++++++++----- 3 files changed, 125 insertions(+), 99 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index 124bcb16bdd..7e40ae61904 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -275,6 +275,38 @@ module "mlflow_s3_kms" { tags = local.tags } +module "mojap_derived_tables_replication_s3_kms" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.1" + + aliases = ["s3/mojap_derived_tables_replication"] + description = "mojap_derived_tables_replication S3 KMS key" + enable_default_policy = true + + deletion_window_in_days = 7 + + tags = local.tags +} + +module "apc_bucket_logs_s3_kms" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/kms/aws" + version = "3.1.1" + + aliases = ["s3/apc_bucket_logs"] + description = "apc_bucket_logs S3 KMS key" + enable_default_policy = true + + deletion_window_in_days = 7 + + tags = local.tags +} + module "common_secrets_manager_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions 
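Review bot: Both new keys set `deletion_window_in_days = 7`, the minimum KMS allows; once a key protecting the replication data or the access logs is scheduled for deletion, by mistake or by anyone holding `kms:ScheduleKeyDeletion`, seven days is the entire window to notice and cancel before the ciphertext becomes unrecoverable. Unless these environments are disposable I would keep the 30-day default (`deletion_window_in_days = 30`) and alert on `ScheduleKeyDeletion` events in CloudTrail. Whether rotation is enabled depends on the module default, which is not visible here; setting `enable_key_rotation = true` explicitly documents the intent and survives a module upgrade. The hunk ends inside `module "common_secrets_manager_kms"`, which continues outside it.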
diff --git a/terraform/environments/analytical-platform-compute/locals.tf b/terraform/environments/analytical-platform-compute/locals.tf
index 1c96adce371..1002b3f1e05 100644
--- a/terraform/environments/analytical-platform-compute/locals.tf
+++ b/terraform/environments/analytical-platform-compute/locals.tf
@@ -25,73 +25,4 @@ locals { /* Environment Configuration */ environment_configuration = local.environment_configurations[local.environment] - - /* S3 - APC bucket locals */ - apc_buckets = { - "mojap-derived-tables-replication" = { - force_destroy = true - object_lock_enabled = false - acl = "private" - versioning = { - status = "Disabled" - } - bucket = "mojap-derived-tables-replication-${local.environment}" - server_side_encryption_configuration = { - rule = { - bucket_key_enabled = false - - apply_server_side_encryption_by_default = { - sse_algorithm = "AES256" - } - } - } - public_access_block = { - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - } - logging = { - target_bucket = "apc-bucket-logs-${local.environment}" - target_prefix = "mojap-derived-tables-replication/" - } - } - "mlflow_bucket" = { - bucket = "mojap-compute-${local.environment}-mlflow" - force_destroy = true - server_side_encryption_configuration = { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = module.mlflow_s3_kms.key_arn - sse_algorithm = "aws:kms" - } - } - } - } - "apc_bucket_logs" = { - force_destroy = false - object_lock_enabled = false - acl = "private" - versioning = { - status = "Disabled" - } - bucket = "apc-bucket-logs-${local.environment}" - server_side_encryption_configuration = { - rule = { - bucket_key_enabled = false - - apply_server_side_encryption_by_default = { - sse_algorithm = "AES256" - } - } - } - public_access_block = { - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - } - } - } } diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index fd4a44744e8..74962f3feef 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf 
+++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf 
@@ -1,39 +1,102 @@ -module "apc_buckets" { +module "mlflow_bucket" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions - for_each = local.apc_buckets - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.1" - - bucket = each.value.bucket - force_destroy = each.value.force_destroy - object_lock_enabled = try(each.value.object_lock_enabled, false) - tags = local.tags - server_side_encryption_configuration = each.value.server_side_encryption_configuration - attach_policy = can(each.value.policy) - policy = try(each.value.policy, null) - lifecycle_rule = try(each.value.lifecycle_rule, []) - versioning = try(each.value.versioning, {}) - attach_public_policy = true - block_public_acls = try(each.value.public_access_block.block_public_acls, true) - block_public_policy = try(each.value.public_access_block.block_public_policy, true) - ignore_public_acls = try(each.value.public_access_block.ignore_public_acls, true) - restrict_public_buckets = try(each.value.public_access_block.restrict_public_buckets, true) - acl = try(each.value.acl, null) -} + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.1" + + bucket = "mojap-compute-${local.environment}-mlflow" + + force_destroy = true + + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = module.mlflow_s3_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } -moved { - from = module.mlflow_bucket.aws_s3_bucket.this[0] - to = module.apc_buckets["mlflow_bucket"].aws_s3_bucket.this[0] + tags = local.tags } -moved { - from = module.mlflow_bucket.aws_s3_bucket_public_access_block.this[0] - to = module.apc_buckets["mlflow_bucket"].aws_s3_bucket_public_access_block.this[0] +module "mojap_derived_tables_replication_bucket" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + 
#checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.1" + + bucket = "mojap-derived-tables-replication-${local.environment}" + + force_destroy = true + + object_lock_enabled = false + + acl = "private" + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + + versioning = { + status = "Disabled" + } + + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = module.mojap_derived_tables_replication_s3_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } + + logging = { + target_bucket = "apc-bucket-logs-${local.environment}" + target_prefix = "mojap-derived-tables-replication/" + } + + tags = local.tags } -moved { - from = module.mlflow_bucket.aws_s3_bucket_server_side_encryption_configuration.this[0] - to = module.apc_buckets["mlflow_bucket"].aws_s3_bucket_server_side_encryption_configuration.this[0] +module "apc_bucket_logs" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions + + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.1" + + bucket = "apc-bucket-logs-${local.environment}" + + force_destroy = false + + object_lock_enabled = false + + acl = "private" + + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true + + versioning = { + status = "Disabled" + } + + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = module.apc_bucket_logs_s3_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } + + tags = local.tags } From 627d8241ef0fc0c2c9e7f0b3de11870c53b3357f Mon Sep 17 00:00:00 2001 
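Review bot: `apc_bucket_logs` is the `target_bucket` for server access logging from `mojap_derived_tables_replication_bucket`, yet this hunk switches its default encryption to `sse_algorithm = "aws:kms"` with `module.apc_bucket_logs_s3_kms.key_arn`; as far as I know S3 server access logging only supports SSE-S3 (AES256) default encryption on the destination bucket, and delivery to an SSE-KMS bucket fails silently, so please confirm against the current AWS documentation before merging. Keeping `sse_algorithm = "AES256"` for the log bucket, as the removed locals had, while the replication bucket keeps its CMK is the usual split. Also `target_bucket = "apc-bucket-logs-${local.environment}"` remains a string literal, so nothing orders the logging configuration after `module "apc_bucket_logs"`; `target_bucket = module.apc_bucket_logs.s3_bucket_id` gives Terraform the dependency.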
From: Anthony Fitzroy Date: Fri, 18 Oct 2024 14:34:52 +0100 Subject: [PATCH 08/83] correct error in iam-policies.tf --- .../environments/analytical-platform-compute/iam-policies.tf | 4 ++-- terraform/environments/analytical-platform-compute/locals.tf | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index b7f9e77585f..18b8314df6e 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -123,7 +123,7 @@ data "aws_iam_policy_document" "mlflow" { effect = "Allow" actions = ["s3:ListBucket"] resources = [ - module.apc_buckets["mlflow_bucket"].s3_bucket_arn, + module.mlflow_bucket.s3_bucket_arn, "arn:aws:s3:::${local.environment_configuration.mlflow_s3_bucket_name}" ] } @@ -136,7 +136,7 @@ data "aws_iam_policy_document" "mlflow" { "s3:DeleteObject" ] resources = [ - "${module.apc_buckets["mlflow_bucket"].s3_bucket_arn}/*", + "${module.mlflow_bucket.s3_bucket_arn}/*", "arn:aws:s3:::${local.environment_configuration.mlflow_s3_bucket_name}/*" ] } diff --git a/terraform/environments/analytical-platform-compute/locals.tf b/terraform/environments/analytical-platform-compute/locals.tf index 1002b3f1e05..fa67f520ecf 100644 --- a/terraform/environments/analytical-platform-compute/locals.tf +++ b/terraform/environments/analytical-platform-compute/locals.tf @@ -25,4 +25,5 @@ locals { /* Environment Configuration */ environment_configuration = local.environment_configurations[local.environment] + } From fb436fe462f462b348d5123183bf86df776c9741 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Fri, 18 Oct 2024 14:41:07 +0100 Subject: [PATCH 09/83] logging bucket reference --- .../environments/analytical-platform-compute/s3-buckets.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 74962f3feef..e7949c7399b 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -57,7 +57,7 @@ module "mojap_derived_tables_replication_bucket" { } logging = { - target_bucket = "apc-bucket-logs-${local.environment}" + target_bucket = module.apc_bucket_logs.s3_bucket_id target_prefix = "mojap-derived-tables-replication/" } From e89f6a690bc12eb67c0ab413f70e55cc6334c049 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Fri, 18 Oct 2024 14:59:07 +0100 Subject: [PATCH 10/83] removed public access block inputs --- .../analytical-platform-compute/s3-buckets.tf | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index e7949c7399b..3adc667de65 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -37,11 +37,6 @@ module "mojap_derived_tables_replication_bucket" { acl = "private" - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - versioning = { status = "Disabled" } @@ -79,11 +74,6 @@ module "apc_bucket_logs" { acl = "private" - block_public_acls = true - block_public_policy = true - ignore_public_acls = true - restrict_public_buckets = true - versioning = { status = "Disabled" } From 4644aa69c8314313e20e03fd1b6deea9df1dfa6c Mon Sep 17 00:00:00 2001 
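Review bot: Dropping the four explicit `block_public_*` lines from both buckets makes the public access block depend entirely on the module's defaults; in the pinned `4.2.1` those are, as far as I recall, all `true`, but a future version bump would change the effective posture silently and a reader of this file no longer sees that the bucket is private. I would keep the four `true` lines, or at least leave a comment `# public access block relies on module defaults (all true in 4.2.1)` so the intent is explicit. Both `module "mojap_derived_tables_replication_bucket"` and `module "apc_bucket_logs"` start outside their hunks.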
From: Anthony Fitzroy Date: Mon, 21 Oct 2024 11:11:23 +0100 Subject: [PATCH 11/83] added updates from review --- .../iam-policies.tf | 53 +++++++++++++++++++ .../analytical-platform-compute/kms-keys.tf | 2 + .../analytical-platform-compute/s3-buckets.tf | 2 + 3 files changed, 57 insertions(+) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 18b8314df6e..8d7f9d7afa9 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -280,3 +280,56 @@ module "analytical_platform_lake_formation_share_policy" { policy = data.aws_iam_policy_document.analytical_platform_share_policy.json } + +data "aws_iam_policy_document" "kms_key_policy" { + statement { + effect = "Allow" + + principals { + type = "Service" + identifiers = ["logging.s3.amazonaws.com"] + } + + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:DescribeKey" + ] + + resources = ["*"] + } +} + +data "aws_iam_policy_document" "s3_server_access_logs_policy" { + statement { + sid = "S3ServerAccessLogsPolicy" + effect = "Allow" + + principals { + type = "Service" + identifiers = ["logging.s3.amazonaws.com"] + } + + actions = [ + "s3:PutObject" + ] + + resources = [ + "arn:aws:s3:::apc-bucket-logs-${local.environment}/*" + ] + + condition { + test = "ArnLike" + variable = "aws:SourceArn" + values = ["arn:aws:s3:::apc-bucket-logs-${local.environment}"] + } + + condition { + test = "StringEquals" + variable = "aws:SourceAccount" + values = [data.aws_caller_identity.current.account_id] + } + } +} diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index 7e40ae61904..acae6f297ea 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf 
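Review bot: In `s3_server_access_logs_policy` the `aws:SourceArn` condition is set to the log bucket itself (`arn:aws:s3:::apc-bucket-logs-${local.environment}`), but for server access logging the S3 logging service sets `aws:SourceArn` to the *source* bucket being logged, so as written the statement never matches and delivery from `mojap-derived-tables-replication-${local.environment}` is denied. The fix is to list the source bucket ARN(s), `values = ["arn:aws:s3:::mojap-derived-tables-replication-${local.environment}"]`, rather than to remove the condition (patch 12 of this series drops it, leaving only `aws:SourceAccount`, which lets any bucket in the account log into this one). The `kms_key_policy` statement's `resources = ["*"]` is correct for a key policy, where `*` denotes the key the policy is attached to.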
+++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -305,6 +305,8 @@ module "apc_bucket_logs_s3_kms" { deletion_window_in_days = 7 tags = local.tags + + policy = data.aws_iam_policy_document.kms_key_policy.json } module "common_secrets_manager_kms" { diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 3adc667de65..644ad96025a 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -89,4 +89,6 @@ module "apc_bucket_logs" { } tags = local.tags + + policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json } From e7f0b7f2b7f9d613b924cb4915744fac25af4be2 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Mon, 21 Oct 2024 11:42:49 +0100 Subject: [PATCH 12/83] updated resources --- .../analytical-platform-compute/iam-policies.tf | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 8d7f9d7afa9..792c5d7c348 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -298,7 +298,7 @@ data "aws_iam_policy_document" "kms_key_policy" { "kms:DescribeKey" ] - resources = ["*"] + resources = [module.apc_bucket_logs_s3_kms.key_arn] } } @@ -317,15 +317,9 @@ data "aws_iam_policy_document" "s3_server_access_logs_policy" { ] resources = [ - "arn:aws:s3:::apc-bucket-logs-${local.environment}/*" + "${module.apc_bucket_logs.s3_bucket_arn}/*" ] - condition { - test = "ArnLike" - variable = "aws:SourceArn" - values = ["arn:aws:s3:::apc-bucket-logs-${local.environment}"] - } - condition { test = "StringEquals" variable = "aws:SourceAccount" 
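Review bot: Passing `policy = data.aws_iam_policy_document.kms_key_policy.json` to `apc_bucket_logs_s3_kms` replaces the module-generated key policy rather than extending it (if I recall terraform-aws-modules/kms correctly it does `coalesce(var.policy, <generated document>)`), so the account-root statement that `enable_default_policy = true` would have produced disappears and `logging.s3.amazonaws.com` becomes the only principal; KMS normally rejects such a document as locking out the key, and if it did not, nobody in the account could manage the key. The module's `key_statements` input appends a statement to the generated policy and is the right shape for this grant. `module "apc_bucket_logs_s3_kms"` starts outside the hunk.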
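Review bot: `policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json` on `apc_bucket_logs` has no effect by itself: in terraform-aws-modules/s3-bucket the `aws_s3_bucket_policy` resource is only created when `attach_policy = true` (or one of the other `attach_*_policy` flags) is set, so the log-delivery grant is never applied. Either add `attach_policy = true` beside it, or, if I remember the module right, drop the hand-written document and use the built-in `attach_access_log_delivery_policy = true` with `access_log_delivery_policy_source_buckets`, which emits the service-principal statement with the `aws:SourceArn`/`aws:SourceAccount` conditions for you. `module "apc_bucket_logs"` starts outside the hunk.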
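Review bot: `resources = [module.apc_bucket_logs_s3_kms.key_arn]` inside the document that `module.apc_bucket_logs_s3_kms` consumes as its `policy`, and `"${module.apc_bucket_logs.s3_bucket_arn}/*"` inside the document `module.apc_bucket_logs` consumes, each make a module depend on its own output, which Terraform reports as a dependency cycle. For the key policy `resources = ["*"]` is the correct form anyway (it denotes the key the policy is attached to); for the bucket policy the literal `"arn:aws:s3:::apc-bucket-logs-${local.environment}/*"` that this hunk removes keeps the grant scoped to the bucket without the cycle. Both `data "aws_iam_policy_document"` blocks start outside their hunks.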
From 639218cc3d450e045335ce08ba14b4cbf79698e9 Mon Sep 17 00:00:00 2001 From: Fani Foteva Date: Mon, 21 Oct 2024 15:55:17 +0100 Subject: [PATCH 13/83] update steve Key to EDW bastion Signed-off-by: Fani Foteva --- terraform/environments/edw/bastion_linux.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/edw/bastion_linux.json b/terraform/environments/edw/bastion_linux.json index 4c1fd6e1a2e..7cb732b7ac6 100644 --- a/terraform/environments/edw/bastion_linux.json +++ b/terraform/environments/edw/bastion_linux.json @@ -6,7 +6,7 @@ "saanchi": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMAY8Vb7XTq4gpyAO1s7HsNpwlteXkuTTa+UpRQtaHW1 saanchi.dubey@L0517", "wendy": "ssh-rsa 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 wendycalverly@L0520", "mohamed": "ssh-rsa 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 mohamed.nasr@MJ004347", - "steve": "ssh-rsa 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 stephen.linden@MJ003791" + "steve": "ssh-rsa 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 stephen.linden@MJ003791" }, "preproduction": {}, "production": {} From 353f4fb23210b088176650ab2cd1dfa79d7c1430 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Tue, 22 Oct 2024 09:33:19 +0100 Subject: [PATCH 14/83] Avoid noise from short latency spikes --- .../modules/components/dms/cloudwatch-alarms.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf index 76dce3f9f8b..9ef35655bdb 100644 --- a/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf +++ b/terraform/environments/delius-core/modules/components/dms/cloudwatch-alarms.tf 
@@ -70,8 +70,8 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_source" { statistic = "Average" metric_name = "CDCLatencySource" comparison_operator = "GreaterThanThreshold" - threshold = 10 - evaluation_periods = 2 + threshold = 15 + evaluation_periods = 3 period = 30 actions_enabled = true alarm_actions = [aws_sns_topic.dms_alerting.arn] @@ -92,8 +92,8 @@ resource "aws_cloudwatch_metric_alarm" "dms_cdc_latency_target" { statistic = "Average" metric_name = "CDCLatencyTarget" comparison_operator = "GreaterThanThreshold" - threshold = 10 - evaluation_periods = 2 + threshold = 15 + evaluation_periods = 3 period = 30 actions_enabled = true alarm_actions = [aws_sns_topic.dms_alerting.arn] From 569ecc4ec881ef6a5c04a844f9a8378688211225 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Tue, 22 Oct 2024 09:54:21 +0100 Subject: [PATCH 15/83] tweaks --- .../analytical-platform-compute/iam-policies.tf | 14 +++++++++++--- .../analytical-platform-compute/kms-keys.tf | 2 +- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 792c5d7c348..51c872c642f 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -281,7 +281,8 @@ module "analytical_platform_lake_formation_share_policy" { policy = data.aws_iam_policy_document.analytical_platform_share_policy.json } -data "aws_iam_policy_document" "kms_key_policy" { +data "aws_iam_policy_document" "apc_bucket_logs_kms_key_policy" { + #checkov:skip=CKV_AWS_356:resource "*" limited by condition statement { effect = "Allow" 
@@ -298,11 +299,18 @@ data "aws_iam_policy_document" "kms_key_policy" { "kms:DescribeKey" ] - resources = [module.apc_bucket_logs_s3_kms.key_arn] + resources = ["*"] + + condition { + test = "StringEquals" + variable = "kms:ViaService" + values = ["logging.s3.amazonaws.com"] + } } } data "aws_iam_policy_document" "s3_server_access_logs_policy" { + #checkov:skip=CKV_AWS_356:resource "*" limited by condition statement { sid = "S3ServerAccessLogsPolicy" effect = "Allow" @@ -317,7 +325,7 @@ data "aws_iam_policy_document" "s3_server_access_logs_policy" { ] resources = [ - "${module.apc_bucket_logs.s3_bucket_arn}/*" + "*" ] condition { diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index acae6f297ea..a345cb7441c 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -306,7 +306,7 @@ module "apc_bucket_logs_s3_kms" { tags = local.tags - policy = data.aws_iam_policy_document.kms_key_policy.json + policy = data.aws_iam_policy_document.apc_bucket_logs_kms_key_policy.json } module "common_secrets_manager_kms" { From 9403a91fc84b2d1b66fec4b80cecd8549d4f0cfe Mon Sep 17 00:00:00 2001 From: Ant Fitzroy <101649764+AntFMoJ@users.noreply.github.com> Date: Tue, 22 Oct 2024 10:21:22 +0100 Subject: [PATCH 16/83] Update terraform/environments/analytical-platform-compute/iam-policies.tf Co-authored-by: Tom Webber <80110358+tom-webber@users.noreply.github.com> --- .../environments/analytical-platform-compute/iam-policies.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 51c872c642f..c884b1af3c2 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf 
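Review bot: The `kms:ViaService` condition in `apc_bucket_logs_kms_key_policy` uses `logging.s3.amazonaws.com`, but that condition key matches service endpoint names of the form `<service>.<region>.amazonaws.com` (for S3, `s3.<region>.amazonaws.com`), so the statement can never match and the `#checkov:skip=CKV_AWS_356:resource "*" limited by condition` comment describes a limit that is not in force. The service principal is already pinned by `principals`; if a condition is wanted, `values = ["s3.<REGION_PLACEHOLDER>.amazonaws.com"]` is the documented form. In `s3_server_access_logs_policy`, `resources = ["*"]` widens what was a bucket-scoped resource; the string `"arn:aws:s3:::apc-bucket-logs-${local.environment}/*"` avoids the module self-reference that prompted this change without widening the grant, and the checkov skip would then be unnecessary. Patch 17 of this series carries the same `kms:ViaService` value into `key_statements`.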
@@ -281,7 +281,7 @@ module "analytical_platform_lake_formation_share_policy" { policy = data.aws_iam_policy_document.analytical_platform_share_policy.json } -data "aws_iam_policy_document" "apc_bucket_logs_kms_key_policy" { +data "aws_iam_policy_document" "s3_access_logs_kms_key_policy" { #checkov:skip=CKV_AWS_356:resource "*" limited by condition statement { effect = "Allow" From a8f7c08085b2337a521c95b7f968bb22a906fb97 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Tue, 22 Oct 2024 10:39:08 +0100 Subject: [PATCH 17/83] refactor kms key policy --- .../iam-policies.tf | 28 ------------------ .../analytical-platform-compute/kms-keys.tf | 29 ++++++++++++++++++- 2 files changed, 28 insertions(+), 29 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index c884b1af3c2..9b2c0b5d94d 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -281,34 +281,6 @@ module "analytical_platform_lake_formation_share_policy" { policy = data.aws_iam_policy_document.analytical_platform_share_policy.json } -data "aws_iam_policy_document" "s3_access_logs_kms_key_policy" { - #checkov:skip=CKV_AWS_356:resource "*" limited by condition - statement { - effect = "Allow" - - principals { - type = "Service" - identifiers = ["logging.s3.amazonaws.com"] - } - - actions = [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyWithoutPlaintext", - "kms:DescribeKey" - ] - - resources = ["*"] - - condition { - test = "StringEquals" - variable = "kms:ViaService" - values = ["logging.s3.amazonaws.com"] - } - } -} - data "aws_iam_policy_document" "s3_server_access_logs_policy" { #checkov:skip=CKV_AWS_356:resource "*" limited by condition statement { 
diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index a345cb7441c..22fdeffbfe2 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -306,7 +306,34 @@ module "apc_bucket_logs_s3_kms" { tags = local.tags - policy = data.aws_iam_policy_document.apc_bucket_logs_kms_key_policy.json + key_statements = [ + { + sid = "AllowLogging" + + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext", + "kms:DescribeKey" + ] + + resources = ["*"] + + effect = "Allow" + + principals = { + type = "Service" + identifiers = ["logging.s3.amazonaws.com"] + } + + conditions = { + test = "StringEquals" + variable = "kms:ViaService" + values = ["logging.s3.amazonaws.com"] + } + } + ] } module "common_secrets_manager_kms" { From 0703405bc3e67113773f1533c6c60cd831580b6e Mon Sep 17 00:00:00 2001 From: "Vincent.Cheung" Date: Tue, 22 Oct 2024 12:50:50 +0100 Subject: [PATCH 18/83] TM-593 Update minor changes to user data to take into account env change --- .../contract-work-administration/app_servers.tf | 7 +++---- .../application_variables.json | 4 ++-- .../contract-work-administration/concurrent_manager.tf | 7 +++---- .../environments/contract-work-administration/database.tf | 7 ++++--- .../scripts/disk-space-alert.sh | 2 +- 5 files changed, 13 insertions(+), 14 deletions(-) diff --git a/terraform/environments/contract-work-administration/app_servers.tf b/terraform/environments/contract-work-administration/app_servers.tf index bd44960778f..85f4b8e8659 100644 --- a/terraform/environments/contract-work-administration/app_servers.tf +++ b/terraform/environments/contract-work-administration/app_servers.tf 
@@ -62,7 +62,7 @@ do done echo "Updating /etc/rc.local file" -cat < etc/rc.local +cat < /etc/rc.local #!/bin/sh # # This script will be executed *after* all the other init scripts. @@ -116,9 +116,8 @@ sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/ ## Remove SSH key allowed echo "Removing old SSH key" -sed -i '/development-general$/d' /home/ec2-user/.ssh/authorized_keys -sed -i '/development-general$/d' /root/.ssh/authorized_keys -sed -i '/testimage$/d' /root/.ssh/authorized_keys +sed -i '/.*-general$/d' /home/ec2-user/.ssh/authorized_keys +sed -i '/.*-general$/d' /root/.ssh/authorized_keys ## Add custom metric script echo "Adding the custom metrics script for CloudWatch" diff --git a/terraform/environments/contract-work-administration/application_variables.json b/terraform/environments/contract-work-administration/application_variables.json index 3c8905b97d8..4f63f97bb9e 100644 --- a/terraform/environments/contract-work-administration/application_variables.json +++ b/terraform/environments/contract-work-administration/application_variables.json @@ -43,9 +43,9 @@ "database_diskspace_threshold": "95", "database_read_write_ops_threshold": "1100000", "database_oradata_queue_length_threshold": "3", - "old_mail_server_url": "mail.aws.dev.legalservices.gov.uk", + "old_mail_server_url": "mail.aws.tst.legalservices.gov.uk", "laa_mail_relay_url": "laa-mail.laa-development.modernisation-platform.service.justice.gov.uk", - "old_domain_name": "dev.legalservices.gov.uk", + "old_domain_name": "tst.legalservices.gov.uk", "app_disk_space_alert_threshold": "92", "lz_account_id": "013163512034" }, diff --git a/terraform/environments/contract-work-administration/concurrent_manager.tf b/terraform/environments/contract-work-administration/concurrent_manager.tf index 01144e6a2d0..8d0dd9a1490 100644 --- a/terraform/environments/contract-work-administration/concurrent_manager.tf 
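Review bot: In the rewritten `sed -i '/.*-general$/d'` lines the leading `.*` is redundant (an unanchored `/-general$/d` matches exactly the same keys), and the pattern is now broad enough to remove any authorized key whose comment ends in `-general` from both `ec2-user` and `root`, so the script should say which keys that is meant to catch, e.g. `## Remove the <env>-general bootstrap key from ec2-user and root` above the two lines. The step also leaves no evidence of whether anything was actually removed; printing `grep -c -- '-general$' /root/.ssh/authorized_keys` before and after (or using `sed -n '/-general$/p'` first) would make this hardening step verifiable from the console log. The user-data script this hunk belongs to begins and ends outside the hunk.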
+++ b/terraform/environments/contract-work-administration/concurrent_manager.tf @@ -63,7 +63,7 @@ do done echo "Updating /etc/rc.local file" -cat < etc/rc.local +cat < /etc/rc.local #!/bin/sh # # This script will be executed *after* all the other init scripts. @@ -116,9 +116,8 @@ sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/ ## Remove SSH key allowed echo "Removing old SSH key" -sed -i '/development-general$/d' /home/ec2-user/.ssh/authorized_keys -sed -i '/development-general$/d' /root/.ssh/authorized_keys -sed -i '/testimage$/d' /root/.ssh/authorized_keys +sed -i '/.*-general$/d' /home/ec2-user/.ssh/authorized_keys +sed -i '/.*-general$/d' /root/.ssh/authorized_keys ## Add custom metric script echo "Adding the custom metrics script for CloudWatch" diff --git a/terraform/environments/contract-work-administration/database.tf b/terraform/environments/contract-work-administration/database.tf index 86b42d9c381..95371a5d97d 100644 --- a/terraform/environments/contract-work-administration/database.tf +++ b/terraform/environments/contract-work-administration/database.tf @@ -113,7 +113,9 @@ chmod 744 /home/oracle/scripts/aws_ebs_backup.sh echo "Setting up cron jobs" su oracle -c "crontab -l > /home/oracle/oraclecrontab.txt" +sed -i '/disk_space.sh/d' /home/oracle/oraclecrontab.txt echo "00 02 * * * /home/oracle/scripts/aws_ebs_backup.sh > /tmp/aws_ebs_backup.log" >> /home/oracle/oraclecrontab.txt +echo "0,30 08-17 * * 1-5 /home/oracle/scripts/disk_space.sh ${upper(local.application_data.accounts[local.environment].env_short)} ${local.application_data.accounts[local.environment].app_disk_space_alert_threshold} >/tmp/disk_space.trc 2>&1" >> /home/oracle/oraclecrontab.txt chown oracle:oinstall /home/oracle/oraclecrontab.txt chmod 744 /home/oracle/oraclecrontab.txt 
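Review bot: The new `sed -i '/disk_space.sh/d' /home/oracle/oraclecrontab.txt` de-duplicates only the disk-space job before it is re-appended, but the `aws_ebs_backup.sh` line echoed immediately afterwards has no matching cleanup, so any re-run of this block will stack duplicate nightly backup jobs in oracle's crontab (at this point in the series `user_data_replace_on_change` is still `true`, so re-runs are plausible). Add the symmetrical `sed -i '/aws_ebs_backup.sh/d' /home/oracle/oraclecrontab.txt` before the first `echo … >> /home/oracle/oraclecrontab.txt`, or filter both entries with one `sed -i -e '/disk_space.sh/d' -e '/aws_ebs_backup.sh/d'`. The surrounding user-data script continues outside the hunk.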
@@ -124,9 +126,8 @@ ln -s /bin/mail /bin/mailx ## Remove SSH key allowed echo "Removing old SSH key" -sed -i '/development-general$/d' /home/ec2-user/.ssh/authorized_keys -sed -i '/development-general$/d' /root/.ssh/authorized_keys -sed -i '/testimage$/d' /root/.ssh/authorized_keys +sed -i '/.*-general$/d' /home/ec2-user/.ssh/authorized_keys +sed -i '/.*-general$/d' /root/.ssh/authorized_keys ## Add custom metric script echo "Adding the custom metrics script for CloudWatch" diff --git a/terraform/environments/contract-work-administration/scripts/disk-space-alert.sh b/terraform/environments/contract-work-administration/scripts/disk-space-alert.sh index 2d9f3ecdbae..a0e23b4f5b9 100644 --- a/terraform/environments/contract-work-administration/scripts/disk-space-alert.sh +++ b/terraform/environments/contract-work-administration/scripts/disk-space-alert.sh @@ -1,7 +1,7 @@ #!/bin/bash if [ $# -ne 2 ]; then - echo "1st parameter is ENV, 2nd parameter is % usage. 3rd parameter is the Slack URL to alert to" + echo "1st parameter is ENV, 2nd parameter is % usage" else From 48dc2814f8e7e8993409461ff8b30d36a43eb15f Mon Sep 17 00:00:00 2001 From: Vladimirs Kovalovs Date: Tue, 22 Oct 2024 13:18:56 +0100 Subject: [PATCH 19/83] [TM-618] implementing keepalive solution --- .../corporate-information-system/locals.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/terraform/environments/corporate-information-system/locals.tf b/terraform/environments/corporate-information-system/locals.tf index 389df111a59..731a1f29488 100644 --- a/terraform/environments/corporate-information-system/locals.tf +++ b/terraform/environments/corporate-information-system/locals.tf 
@@ -14,6 +14,16 @@ sed -i 's/#ClientAliveInterval.*/ClientAliveInterval 1200/' /etc/ssh/sshd_config sed -i 's/#ClientAliveCountMax.*/ClientAliveCountMax 3/' /etc/ssh/sshd_config service sshd restart +# Add TCP keepalive time to sysctl.conf ---> keepalive solution +echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf +sysctl -p + +# Add SQLNET.EXPIRE_TIME to sqlnet.ora ---> keepalive solution +echo "SQLNET.EXPIRE_TIME = 5" >> /oracle/software/product/10.2.0/network/admin/sqlnet.ora + +# Modify tnsnames.ora to insert (ENABLE=broken) ---> keepalive solution +sed -i '/(DESCRIPTION =/a\\ (ENABLE=broken)' /oracle/software/product/10.2.0/network/admin/tnsnames.ora + # Changes to oracle files sed -i 's|cis.*legalservices.gov.uk:8080|${local.application_name_short}.${data.aws_route53_zone.external.name}:8080|' /home/batman/bin/dkj-shell-funcs sed -i 's|cis.*legalservices.gov.uk|${local.application_name_short}.${data.aws_route53_zone.external.name}|' /oracle/software/product/10.2.0/network/admin/listener.ora From a22a4c90abbca6d91be7350eb13ec16efcbea965 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Tue, 22 Oct 2024 14:17:11 +0100 Subject: [PATCH 20/83] ncr: TM-596: add second weblogic server for testing AWS version of combined reporting (#8374) --- terraform/environments/nomis/locals_preproduction.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/environments/nomis/locals_preproduction.tf b/terraform/environments/nomis/locals_preproduction.tf index 7e13a6b139d..da5b3cb1162 100644 --- a/terraform/environments/nomis/locals_preproduction.tf +++ b/terraform/environments/nomis/locals_preproduction.tf 
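Review bot: None of the three keepalive edits is idempotent: `>> /etc/sysctl.conf` and `>> …/sqlnet.ora` append a fresh line on every run, and `sed -i '/(DESCRIPTION =/a\\ (ENABLE=broken)'` inserts another `(ENABLE=broken)` after every `(DESCRIPTION =` each time it runs, so the files grow and `tnsnames.ora` may stop parsing if this user data is ever re-executed on the instance. Guard each edit with a presence check, e.g. `grep -q '^net.ipv4.tcp_keepalive_time' /etc/sysctl.conf || echo "net.ipv4.tcp_keepalive_time = 300" >> /etc/sysctl.conf`, and the same `grep -q … ||` pattern for `SQLNET.EXPIRE_TIME` and for `(ENABLE=broken)`. Writing the sysctl as a drop-in under `/etc/sysctl.d/` and applying with `sysctl --system` would also leave the distro file untouched. The script this hunk belongs to begins and ends outside it.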
@@ -105,11 +105,11 @@ locals { }) }) - # NOT-ACTIVE (green deployment) + # NOT-ACTIVE (green deployment) - for testing Combined Reporting preprod-nomis-web-b = merge(local.ec2_autoscaling_groups.web, { autoscaling_group = merge(local.ec2_autoscaling_groups.web.autoscaling_group, { - desired_capacity = 0 - max_size = 0 + desired_capacity = 1 + max_size = 1 initial_lifecycle_hooks = { "ready-hook" = { @@ -133,7 +133,7 @@ locals { }) user_data_cloud_init = merge(local.ec2_autoscaling_groups.web.user_data_cloud_init, { args = merge(local.ec2_autoscaling_groups.web.user_data_cloud_init.args, { - branch = "ncr/TM-596/preprod-nomis-link-test" + branch = "main" }) }) tags = merge(local.ec2_autoscaling_groups.web.tags, { From 1af542bc23d55e1db8b3e2c2a944e6461eb850e5 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Tue, 22 Oct 2024 14:26:58 +0100 Subject: [PATCH 21/83] fix syntax error --- .../analytical-platform-compute/kms-keys.tf | 24 +++++++++++-------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index 22fdeffbfe2..c16f8cd086e 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -322,16 +322,20 @@ module "apc_bucket_logs_s3_kms" { effect = "Allow" - principals = { - type = "Service" - identifiers = ["logging.s3.amazonaws.com"] - } - - conditions = { - test = "StringEquals" - variable = "kms:ViaService" - values = ["logging.s3.amazonaws.com"] - } + principals = [ + { + type = "Service" + identifiers = ["logging.s3.amazonaws.com"] + } + ] + + conditions = [ + { + test = "StringEquals" + variable = "kms:ViaService" + values = ["logging.s3.amazonaws.com"] + } + ] } ] } From 400ad20c39c385e724678976576b8bb739f5a8c5 Mon Sep 17 00:00:00 2001 
From: "Vincent.Cheung" Date: Tue, 22 Oct 2024 15:01:04 +0100 Subject: [PATCH 22/83] TM-593 Remove back testimage and fix oracle script with env hardcoded --- .../environments/contract-work-administration/app_servers.tf | 3 ++- .../contract-work-administration/concurrent_manager.tf | 3 ++- .../environments/contract-work-administration/database.tf | 3 +++ 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/terraform/environments/contract-work-administration/app_servers.tf b/terraform/environments/contract-work-administration/app_servers.tf index 85f4b8e8659..79649677fc8 100644 --- a/terraform/environments/contract-work-administration/app_servers.tf +++ b/terraform/environments/contract-work-administration/app_servers.tf @@ -118,6 +118,7 @@ sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/ echo "Removing old SSH key" sed -i '/.*-general$/d' /home/ec2-user/.ssh/authorized_keys sed -i '/.*-general$/d' /root/.ssh/authorized_keys +sed -i '/testimage$/d' /root/.ssh/authorized_keys ## Add custom metric script echo "Adding the custom metrics script for CloudWatch" @@ -180,7 +181,7 @@ resource "aws_instance" "app1" { iam_instance_profile = aws_iam_instance_profile.cwa.id key_name = aws_key_pair.cwa.key_name user_data_base64 = base64encode(local.app_userdata) - user_data_replace_on_change = true + user_data_replace_on_change = false metadata_options { http_tokens = "optional" } diff --git a/terraform/environments/contract-work-administration/concurrent_manager.tf b/terraform/environments/contract-work-administration/concurrent_manager.tf index 8d0dd9a1490..5caaf4ee525 100644 --- a/terraform/environments/contract-work-administration/concurrent_manager.tf +++ b/terraform/environments/contract-work-administration/concurrent_manager.tf 
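Review bot: The `metadata_options { http_tokens = "optional" }` left in place beside the changed `user_data_replace_on_change` keeps IMDSv1 enabled on `aws_instance.app1`, so any SSRF or local code execution on the host can read the instance-profile credentials without a session token; `http_tokens = "required"` is the setting to aim for. Before flipping it, audit the user data for token-less metadata calls: the database host's script in this series does `curl http://169.254.169.254/latest/meta-data/instance-id` with no token, and any similar call on this host would first need the `PUT /latest/api/token` step and an `X-aws-ec2-metadata-token` header. The `aws_instance.app1` block begins before this hunk.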
@@ -118,6 +118,7 @@ sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/ echo "Removing old SSH key" sed -i '/.*-general$/d' /home/ec2-user/.ssh/authorized_keys sed -i '/.*-general$/d' /root/.ssh/authorized_keys +sed -i '/testimage$/d' /root/.ssh/authorized_keys ## Add custom metric script echo "Adding the custom metrics script for CloudWatch" @@ -157,7 +158,7 @@ resource "aws_instance" "concurrent_manager" { iam_instance_profile = aws_iam_instance_profile.cwa.id key_name = aws_key_pair.cwa.key_name user_data_base64 = base64encode(local.cm_userdata) - user_data_replace_on_change = true + user_data_replace_on_change = false metadata_options { http_tokens = "optional" } diff --git a/terraform/environments/contract-work-administration/database.tf b/terraform/environments/contract-work-administration/database.tf index 95371a5d97d..2a2ba8d6731 100644 --- a/terraform/environments/contract-work-administration/database.tf +++ b/terraform/environments/contract-work-administration/database.tf @@ -117,6 +117,8 @@ sed -i '/disk_space.sh/d' /home/oracle/oraclecrontab.txt echo "00 02 * * * /home/oracle/scripts/aws_ebs_backup.sh > /tmp/aws_ebs_backup.log" >> /home/oracle/oraclecrontab.txt echo "0,30 08-17 * * 1-5 /home/oracle/scripts/disk_space.sh ${upper(local.application_data.accounts[local.environment].env_short)} ${local.application_data.accounts[local.environment].app_disk_space_alert_threshold} >/tmp/disk_space.trc 2>&1" >> /home/oracle/oraclecrontab.txt +sed '/^mail.*tablespace.warning$/c\mailx -s "\$ORACLE_SID on \$\{hostname\}: ${upper(local.application_data.accounts[local.environment].env_short)} CWA Tablespace Warning" $SLACK_ALERT_URL < /tmp/tablespace.warning' /home/oracle/scripts/tablespace1.sh + chown oracle:oinstall /home/oracle/oraclecrontab.txt chmod 744 /home/oracle/oraclecrontab.txt su oracle -c "crontab /home/oracle/oraclecrontab.txt" 
@@ -128,6 +130,7 @@ ln -s /bin/mail /bin/mailx echo "Removing old SSH key" sed -i '/.*-general$/d' /home/ec2-user/.ssh/authorized_keys sed -i '/.*-general$/d' /root/.ssh/authorized_keys +sed -i '/testimage$/d' /root/.ssh/authorized_keys ## Add custom metric script echo "Adding the custom metrics script for CloudWatch" From e92187f0d19db461bec460f9d0aaf8eec0780c70 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Tue, 22 Oct 2024 15:43:23 +0100 Subject: [PATCH 23/83] fix acl error --- .../environments/analytical-platform-compute/s3-buckets.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 644ad96025a..24320e755bc 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -35,8 +35,6 @@ module "mojap_derived_tables_replication_bucket" { object_lock_enabled = false - acl = "private" - versioning = { status = "Disabled" } @@ -72,8 +70,6 @@ module "apc_bucket_logs" { object_lock_enabled = false - acl = "private" - versioning = { status = "Disabled" } From 88b14c7c796b06b9a4483ed75683b334a6864c54 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Tue, 22 Oct 2024 15:55:45 +0100 Subject: [PATCH 24/83] Update instance.tf --- .../modules/components/oracle_db_instance/instance.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf index 79047bfa77d..0cfda5ae333 100644 --- a/terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf +++ b/terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf 
@@ -8,7 +8,7 @@ locals { metadata_endpoint_enabled = var.metadata_options.http_endpoint metadata_options_http_tokens = var.metadata_options.http_tokens monitoring = var.monitoring - ebs_block_device_inline = true + ebs_block_device_inline = false vpc_security_group_ids = var.security_group_ids private_dns_name_options = { enable_resource_name_dns_aaaa_record = false From 25ffc65b28d4c867b8e1e75eabdea40e68554b6c Mon Sep 17 00:00:00 2001 From: "Vincent.Cheung" Date: Tue, 22 Oct 2024 16:05:16 +0100 Subject: [PATCH 25/83] Fixing syntax with updating tablespace1.sh --- .../environments/contract-work-administration/database.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/contract-work-administration/database.tf b/terraform/environments/contract-work-administration/database.tf index 2a2ba8d6731..aec87ed93c0 100644 --- a/terraform/environments/contract-work-administration/database.tf +++ b/terraform/environments/contract-work-administration/database.tf @@ -99,6 +99,8 @@ echo "Adding disk space script" chmod 766 /home/oracle/scripts/disk_space.sh sed -i "s/SLACK_ALERT_URL/$SLACK_ALERT_URL/g" /home/oracle/scripts/disk_space.sh +sed -i "/^mail.*tablespace.warning$/c\mailx -s \"\$ORACLE_SID on \$\{hostname\}: ${upper(local.application_data.accounts[local.environment].env_short)} CWA Tablespace Warning\" $SLACK_ALERT_URL < /tmp/tablespace.warning" /home/oracle/scripts/tablespace1.sh + echo "Setting up AWS EBS backup" INSTANCE_ID=$(curl http://169.254.169.254/latest/meta-data/instance-id) cat < /home/oracle/scripts/aws_ebs_backup.sh 
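Review bot: The script into which `$SLACK_ALERT_URL` is substituted is left world-writable: `chmod 766 /home/oracle/scripts/disk_space.sh` two lines above the new `sed -i … tablespace1.sh` line grants every local account write access to a file that oracle's crontab executes, and the mode of `tablespace1.sh`, which now also receives the webhook URL, is not set here at all. Any local user could therefore run code as `oracle` via cron and read the webhook; `chmod 700 /home/oracle/scripts/disk_space.sh` (or at most `750` with the `oinstall` group) is the right mode for both scripts, and the webhook URL should be treated as a secret rather than baked into a readable file. Separately, the `INSTANCE_ID=$(curl http://169.254.169.254/…)` below is an IMDSv1-only call that will break the moment `http_tokens` is set to `required`; fetching a token first keeps it working under either setting.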
@@ -117,8 +119,6 @@ sed -i '/disk_space.sh/d' /home/oracle/oraclecrontab.txt echo "00 02 * * * /home/oracle/scripts/aws_ebs_backup.sh > /tmp/aws_ebs_backup.log" >> /home/oracle/oraclecrontab.txt echo "0,30 08-17 * * 1-5 /home/oracle/scripts/disk_space.sh ${upper(local.application_data.accounts[local.environment].env_short)} ${local.application_data.accounts[local.environment].app_disk_space_alert_threshold} >/tmp/disk_space.trc 2>&1" >> /home/oracle/oraclecrontab.txt -sed '/^mail.*tablespace.warning$/c\mailx -s "\$ORACLE_SID on \$\{hostname\}: ${upper(local.application_data.accounts[local.environment].env_short)} CWA Tablespace Warning" $SLACK_ALERT_URL < /tmp/tablespace.warning' /home/oracle/scripts/tablespace1.sh - chown oracle:oinstall /home/oracle/oraclecrontab.txt chmod 744 /home/oracle/oraclecrontab.txt su oracle -c "crontab /home/oracle/oraclecrontab.txt" From 178ca7bdd1a6109ac916e52b47ffebd73fb1bc49 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Tue, 22 Oct 2024 16:06:37 +0100 Subject: [PATCH 26/83] remove buckets --- .../analytical-platform-compute/s3-buckets.tf | 98 +++++++++---------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 24320e755bc..56a0e237d43 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf 
@@ -22,69 +22,69 @@ module "mlflow_bucket" { tags = local.tags } -module "mojap_derived_tables_replication_bucket" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - #checkov:skip=CKV_TF_2:Module registry does not support tags for versions +# module "mojap_derived_tables_replication_bucket" { +# #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions +# #checkov:skip=CKV_TF_2:Module registry does not support tags for versions - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.1" +# source = "terraform-aws-modules/s3-bucket/aws" +# version = "4.2.1" - bucket = "mojap-derived-tables-replication-${local.environment}" +# bucket = "mojap-derived-tables-replication-${local.environment}" - force_destroy = true +# force_destroy = true - object_lock_enabled = false +# object_lock_enabled = false - versioning = { - status = "Disabled" - } +# versioning = { +# status = "Disabled" +# } - server_side_encryption_configuration = { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = module.mojap_derived_tables_replication_s3_kms.key_arn - sse_algorithm = "aws:kms" - } - } - } +# server_side_encryption_configuration = { +# rule = { +# bucket_key_enabled = true +# apply_server_side_encryption_by_default = { +# kms_master_key_id = module.mojap_derived_tables_replication_s3_kms.key_arn +# sse_algorithm = "aws:kms" +# } +# } +# } - logging = { - target_bucket = module.apc_bucket_logs.s3_bucket_id - target_prefix = "mojap-derived-tables-replication/" - } +# logging = { +# target_bucket = module.apc_bucket_logs.s3_bucket_id +# target_prefix = "mojap-derived-tables-replication/" +# } - tags = local.tags -} +# tags = local.tags +# } -module "apc_bucket_logs" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - #checkov:skip=CKV_TF_2:Module registry does not support tags for versions +# module "apc_bucket_logs" { +# 
#checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions +# #checkov:skip=CKV_TF_2:Module registry does not support tags for versions - source = "terraform-aws-modules/s3-bucket/aws" - version = "4.2.1" +# source = "terraform-aws-modules/s3-bucket/aws" +# version = "4.2.1" - bucket = "apc-bucket-logs-${local.environment}" +# bucket = "apc-bucket-logs-${local.environment}" - force_destroy = false +# force_destroy = false - object_lock_enabled = false +# object_lock_enabled = false - versioning = { - status = "Disabled" - } +# versioning = { +# status = "Disabled" +# } - server_side_encryption_configuration = { - rule = { - bucket_key_enabled = true - apply_server_side_encryption_by_default = { - kms_master_key_id = module.apc_bucket_logs_s3_kms.key_arn - sse_algorithm = "aws:kms" - } - } - } +# server_side_encryption_configuration = { +# rule = { +# bucket_key_enabled = true +# apply_server_side_encryption_by_default = { +# kms_master_key_id = module.apc_bucket_logs_s3_kms.key_arn +# sse_algorithm = "aws:kms" +# } +# } +# } - tags = local.tags +# tags = local.tags - policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json -} +# policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json +# } From f50afbe5207888164fe5765c17d3f2da2589176a Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Tue, 22 Oct 2024 16:15:27 +0100 Subject: [PATCH 27/83] Tribunals: migrate nginx records to use new load balancer (#8377) --- terraform/environments/tribunals/dns-delegate-route53.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/tribunals/dns-delegate-route53.tf b/terraform/environments/tribunals/dns-delegate-route53.tf index b2a6dad22e8..eb64f64ea4e 100644 --- a/terraform/environments/tribunals/dns-delegate-route53.tf +++ b/terraform/environments/tribunals/dns-delegate-route53.tf 
@@ -111,8 +111,8 @@ resource "aws_route53_record" "nginx_instances" { type = "A" alias { - name = "tribunals-nginx-1184258455.eu-west-1.elb.amazonaws.com." - zone_id = "Z32O12XQLNTSW2" + name = module.nginx_load_balancer[0].nginx_lb_arn + zone_id = module.nginx_load_balancer[0].nginx_lb_zone_id evaluate_target_health = false } } From f0549fca6547e1196cc249d8429bd0665fa8e7d3 Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Tue, 22 Oct 2024 16:17:38 +0100 Subject: [PATCH 28/83] put buckets back --- .../analytical-platform-compute/s3-buckets.tf | 98 +++++++++---------- 1 file changed, 49 insertions(+), 49 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 56a0e237d43..24320e755bc 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf 
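Review bot: The alias `name` now points at `module.nginx_load_balancer[0].nginx_lb_arn`, but a Route 53 alias record needs the load balancer's DNS name (the kind of value the removed line held, `tribunals-nginx-….elb.amazonaws.com.`), not its ARN, so unless that output is misnamed and actually exposes `dns_name`, the apply will fail validation or create an unresolvable record. Check the module's outputs and reference the one that carries the LB `dns_name` here, or rename `nginx_lb_arn` if it already holds the DNS name so the intent is clear at the call site. The `aws_route53_record.nginx_instances` resource begins before this hunk.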
@@ -22,69 +22,69 @@ module "mlflow_bucket" { tags = local.tags } -# module "mojap_derived_tables_replication_bucket" { -# #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions -# #checkov:skip=CKV_TF_2:Module registry does not support tags for versions +module "mojap_derived_tables_replication_bucket" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions -# source = "terraform-aws-modules/s3-bucket/aws" -# version = "4.2.1" + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.1" -# bucket = "mojap-derived-tables-replication-${local.environment}" + bucket = "mojap-derived-tables-replication-${local.environment}" -# force_destroy = true + force_destroy = true -# object_lock_enabled = false + object_lock_enabled = false -# versioning = { -# status = "Disabled" -# } + versioning = { + status = "Disabled" + } -# server_side_encryption_configuration = { -# rule = { -# bucket_key_enabled = true -# apply_server_side_encryption_by_default = { -# kms_master_key_id = module.mojap_derived_tables_replication_s3_kms.key_arn -# sse_algorithm = "aws:kms" -# } -# } -# } + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = module.mojap_derived_tables_replication_s3_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } -# logging = { -# target_bucket = module.apc_bucket_logs.s3_bucket_id -# target_prefix = "mojap-derived-tables-replication/" -# } + logging = { + target_bucket = module.apc_bucket_logs.s3_bucket_id + target_prefix = "mojap-derived-tables-replication/" + } -# tags = local.tags -# } + tags = local.tags +} -# module "apc_bucket_logs" { -# #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions -# #checkov:skip=CKV_TF_2:Module registry does not support tags for versions +module "apc_bucket_logs" { + 
#checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + #checkov:skip=CKV_TF_2:Module registry does not support tags for versions -# source = "terraform-aws-modules/s3-bucket/aws" -# version = "4.2.1" + source = "terraform-aws-modules/s3-bucket/aws" + version = "4.2.1" -# bucket = "apc-bucket-logs-${local.environment}" + bucket = "apc-bucket-logs-${local.environment}" -# force_destroy = false + force_destroy = false -# object_lock_enabled = false + object_lock_enabled = false -# versioning = { -# status = "Disabled" -# } + versioning = { + status = "Disabled" + } -# server_side_encryption_configuration = { -# rule = { -# bucket_key_enabled = true -# apply_server_side_encryption_by_default = { -# kms_master_key_id = module.apc_bucket_logs_s3_kms.key_arn -# sse_algorithm = "aws:kms" -# } -# } -# } + server_side_encryption_configuration = { + rule = { + bucket_key_enabled = true + apply_server_side_encryption_by_default = { + kms_master_key_id = module.apc_bucket_logs_s3_kms.key_arn + sse_algorithm = "aws:kms" + } + } + } -# tags = local.tags + tags = local.tags -# policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json -# } + policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json +} From 65f8bf300018703382288aa7f0919675319858c6 Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Tue, 22 Oct 2024 16:44:12 +0100 Subject: [PATCH 29/83] Tribunals: update consumer credit appeals nginx to https, delete sftp secret (#8378) --- .../consumercreditappeals.tribunals.gov.uk | 3 ++- terraform/environments/tribunals/secrets.tf | 14 -------------- 2 files changed, 2 insertions(+), 15 deletions(-) diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/consumercreditappeals.tribunals.gov.uk b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/consumercreditappeals.tribunals.gov.uk index af258b50a7b..36c3ce40855 100644 
--- a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/consumercreditappeals.tribunals.gov.uk +++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/consumercreditappeals.tribunals.gov.uk @@ -26,6 +26,7 @@ server { listen 80; + listen 443; server_name consumercreditappeals.tribunals.gov.uk; @@ -33,7 +34,7 @@ server { return 301 https://www.gov.uk/courts-tribunals/upper-tribunal-tax-and-chancery-chamber; } location ~* ^/decisions.htm { - return 301 http://consumercreditappeals.decisions.tribunals.gov.uk; + return 301 https://consumercreditappeals.decisions.tribunals.gov.uk; } } diff --git a/terraform/environments/tribunals/secrets.tf b/terraform/environments/tribunals/secrets.tf index 5f11d09b83b..29fbe552abd 100644 --- a/terraform/environments/tribunals/secrets.tf +++ b/terraform/environments/tribunals/secrets.tf @@ -99,17 +99,3 @@ data "aws_secretsmanager_secret_version" "tribunals_admin_site_credentials_secre depends_on = [aws_secretsmanager_secret_version.tribunals_admin_site_credentials_current] secret_id = data.aws_secretsmanager_secret.tribunals_admin_site_secret.id } - -resource "aws_secretsmanager_secret" "sftp_private_key" { - name = "private-key-sftp-upload" - recovery_window_in_days = 0 -} - -resource "aws_secretsmanager_secret_version" "sftp_private_key" { - secret_id = aws_secretsmanager_secret.sftp_private_key.id - secret_string = < Date: Tue, 22 Oct 2024 16:51:28 +0100 Subject: [PATCH 30/83] optional for now --- terraform/environments/delius-core/locals_development.tf | 1 + terraform/environments/delius-core/locals_preproduction.tf | 1 + terraform/environments/delius-core/locals_stage.tf | 7 +++++-- terraform/environments/delius-core/locals_test.tf | 3 +++ .../modules/components/oracle_db_instance/variables.tf | 6 ++++++ .../delius-core/modules/delius_environment/database.tf | 3 +++ 6 files changed, 19 insertions(+), 2 deletions(-) 
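Review bot: `listen 443;` is added without the `ssl` parameter and the server block carries no `ssl_certificate`, so nginx will speak plaintext HTTP on port 443 for this vhost; that is only correct if TLS now terminates at the new load balancer and it forwards to the instance on 443 in clear, and a reader cannot tell that from the file. Either record the assumption, e.g. `listen 443; # plain HTTP: TLS is terminated at the load balancer`, or, if the instance is meant to serve TLS itself, use `listen 443 ssl;` with the certificate directives. The two redirects below already target https, which is the right destination.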
diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 5ad2a0cb6be..10a8153751f 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf @@ -38,6 +38,7 @@ locals { instance_policies = { "business_unit_kms_key_access" = aws_iam_policy.business_unit_kms_key_access } + inline_ebs = false primary_instance_count = 1 standby_count = 2 ebs_volumes = { diff --git a/terraform/environments/delius-core/locals_preproduction.tf b/terraform/environments/delius-core/locals_preproduction.tf index 8d9b665ab47..1966ec6d8ce 100644 --- a/terraform/environments/delius-core/locals_preproduction.tf +++ b/terraform/environments/delius-core/locals_preproduction.tf @@ -37,6 +37,7 @@ locals { instance_policies = { "business_unit_kms_key_access" = aws_iam_policy.business_unit_kms_key_access } + inline_ebs = true primary_instance_count = 0 standby_count = 0 ebs_volumes = { diff --git a/terraform/environments/delius-core/locals_stage.tf b/terraform/environments/delius-core/locals_stage.tf index 2391ee007dd..c37f4d20748 100644 --- a/terraform/environments/delius-core/locals_stage.tf +++ b/terraform/environments/delius-core/locals_stage.tf @@ -32,8 +32,11 @@ locals { db_config_stage = { - instance_type = "r7i.2xlarge" - ami_name_regex = "^delius_core_ol_8_5_oracle_db_19c_patch_2024-06-04T11-24-58.162Z" + instance_type = "r7i.2xlarge" + ami_name_regex = "^delius_core_ol_8_5_oracle_db_19c_patch_2024-06-04T11-24-58.162Z" + + inline_ebs = true + primary_instance_count = 1 standby_count = 0 diff --git a/terraform/environments/delius-core/locals_test.tf b/terraform/environments/delius-core/locals_test.tf index ff6a4f689da..b032c40d6ce 100644 --- a/terraform/environments/delius-core/locals_test.tf +++ b/terraform/environments/delius-core/locals_test.tf 
@@ -38,6 +38,9 @@ locals { instance_policies = { "business_unit_kms_key_access" = aws_iam_policy.business_unit_kms_key_access } + + inline_ebs = true + primary_instance_count = 1 standby_count = 0 ebs_volumes = { diff --git a/terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf index 038e936f731..846034d9346 100644 --- a/terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf +++ b/terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf @@ -176,3 +176,9 @@ variable "sns_topic_arn" { description = "The ARN of the SNS topic" type = string } + +variable "inline_ebs" { + default = true + type = bool + description = "Whether to create EBS volumes inline with the instance" +} diff --git a/terraform/environments/delius-core/modules/delius_environment/database.tf b/terraform/environments/delius-core/modules/delius_environment/database.tf index c2d83ed639e..84d7a8cab9f 100644 --- a/terraform/environments/delius-core/modules/delius_environment/database.tf +++ b/terraform/environments/delius-core/modules/delius_environment/database.tf @@ -49,6 +49,7 @@ module "oracle_db_primary" { ebs_volumes = var.db_config.ebs_volumes ebs_volume_config = var.db_config.ebs_volume_config + inline_ebs = var.db_config.inline_ebs env_name = var.env_name environment_config = var.environment_config @@ -101,6 +102,8 @@ module "oracle_db_standby" { ebs_volumes = var.db_config.ebs_volumes ebs_volume_config = var.db_config.ebs_volume_config + inline_ebs = var.db_config.inline_ebs + env_name = var.env_name environment_config = var.environment_config subnet_id = var.account_config.ordered_private_subnet_ids[(count.index + length(module.oracle_db_primary)) % 3] From d7c35d8502c02afe1fa816882ce0723c1d27cca3 Mon Sep 17 00:00:00 2001 
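Review bot: `inline_ebs = var.db_config.inline_ebs` is passed unconditionally in both `oracle_db_primary` and `oracle_db_standby`, so the `default = true` on the new `inline_ebs` variable never takes effect, and any environment whose `db_config` object lacks the key (only development, preproduction, stage and test set it in this patch) fails at plan time unless the `db_config` type already declares it `optional(bool, true)`. Either pass `inline_ebs = try(var.db_config.inline_ebs, true)` or make the attribute optional in the type, matching the "optional for now" intent of the commit. If the inline path relies on `ebs_block_device`, also confirm `delete_on_termination = false` and `encrypted = true` are set for the data and flash volumes; the module body is outside this diff, so that cannot be checked here.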
From: George Taylor Date: Tue, 22 Oct 2024 16:55:46 +0100 Subject: [PATCH 31/83] Update locals_development.tf --- terraform/environments/delius-core/locals_development.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 10a8153751f..08bf1de8b1c 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf @@ -43,7 +43,7 @@ locals { standby_count = 2 ebs_volumes = { "/dev/sdb" = { label = "app", size = 200 } # /u01 - "/dev/sdc" = { label = "app", size = 100 } # /u02 + "/dev/sdc" = { label = "app", size = 200 } # /u02 "/dev/sde" = { label = "data" } # DATA "/dev/sdf" = { label = "flash" } # FLASH "/dev/sds" = { label = "swap" } From 7e8c4f0670b9d9c8e0e1c661e37431b64e6de0b4 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Tue, 22 Oct 2024 17:00:02 +0100 Subject: [PATCH 32/83] revert temp size change for testing --- terraform/environments/delius-core/locals_development.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 08bf1de8b1c..10a8153751f 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf @@ -43,7 +43,7 @@ locals { standby_count = 2 ebs_volumes = { "/dev/sdb" = { label = "app", size = 200 } # /u01 - "/dev/sdc" = { label = "app", size = 200 } # /u02 + "/dev/sdc" = { label = "app", size = 100 } # /u02 "/dev/sde" = { label = "data" } # DATA "/dev/sdf" = { label = "flash" } # FLASH "/dev/sds" = { label = "swap" } From 58afa96b7f96832cfed74a07a037df950ef3e9ca Mon Sep 17 00:00:00 2001 
From: Vladimirs Kovalovs Date: Tue, 22 Oct 2024 17:20:13 +0100 Subject: [PATCH 33/83] [TM-618] changed metadata_options http_tokens to required --- terraform/environments/corporate-information-system/ec2.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/corporate-information-system/ec2.tf b/terraform/environments/corporate-information-system/ec2.tf index 15b466a576a..6d9547aa1cf 100644 --- a/terraform/environments/corporate-information-system/ec2.tf +++ b/terraform/environments/corporate-information-system/ec2.tf @@ -27,7 +27,7 @@ resource "aws_instance" "cis_db_instance" { } metadata_options { - http_tokens = "optional" + http_tokens = "required" } tags = merge( From fa1ee89ca6dd8e05564328f2d25c22bb59b03b5b Mon Sep 17 00:00:00 2001 
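Review bot: Switching `http_tokens` to `"required"` disables IMDSv1 on `cis_db_instance`, so any agent, bootstrap script or older SDK on the host that still reads `169.254.169.254` without a session token loses credentials after apply. Confirm the instance's `MetadataNoToken` CloudWatch metric has been zero for a while before rolling this out, and pin the rest of the block explicitly, `http_endpoint = "enabled"` and `http_put_response_hop_limit = 1`, so the hardened posture does not depend on provider defaults. The enclosing `aws_instance` resource starts and ends outside the hunk.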
From: George Taylor Date: Sun, 13 Oct 2024 15:54:02 +0100 Subject: [PATCH 34/83] feat: first attempt at event bridge/state machine triggered lambda --- .gitignore | 4 +- .../delius-core/locals_development.tf | 4 ++ .../fargate_graceful_retirement.tf | 6 ++ .../eventbridge.tf | 21 ++++++ .../files/calculate_wait_time.py | 21 ++++++ .../files/ecs_restart.py | 43 ++++++++++++ .../fargate_graceful_retirement/lambda.tf | 64 ++++++++++++++++++ .../required_providers.tf | 9 +++ .../step_functions.tf | 66 +++++++++++++++++++ .../fargate_graceful_retirement/variables.tf | 4 ++ 10 files changed, 241 insertions(+), 1 deletion(-) create mode 100644 terraform/environments/delius-core/modules/delius_environment/fargate_graceful_retirement.tf create mode 100644 terraform/modules/fargate_graceful_retirement/eventbridge.tf create mode 100644 terraform/modules/fargate_graceful_retirement/files/calculate_wait_time.py create mode 100644 terraform/modules/fargate_graceful_retirement/files/ecs_restart.py create mode 100644 terraform/modules/fargate_graceful_retirement/lambda.tf create mode 100644 terraform/modules/fargate_graceful_retirement/required_providers.tf create mode 100644 terraform/modules/fargate_graceful_retirement/step_functions.tf create mode 100644 terraform/modules/fargate_graceful_retirement/variables.tf diff --git a/.gitignore b/.gitignore index def069f7547..c24ca2e3009 100644 --- a/.gitignore +++ b/.gitignore @@ -22,4 +22,6 @@ out/ .tfsec/ # vim -**/*.swp \ No newline at end of file +**/*.swp + +terraform/modules/fargate_graceful_retirement/**/*.zip diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 10a8153751f..51f9cff084c 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf 
@@ -15,6 +15,10 @@ locals { ec2_user_ssh_key = file("${path.module}/files/.ssh/dev/ec2-user.pub") homepage_path = "/" has_mis_environment = true + fargate_graceful_retirement = { + enabled = true + restart_time = "04:00" + } } ldap_config_dev = { diff --git a/terraform/environments/delius-core/modules/delius_environment/fargate_graceful_retirement.tf b/terraform/environments/delius-core/modules/delius_environment/fargate_graceful_retirement.tf new file mode 100644 index 00000000000..ff442389ee8 --- /dev/null +++ b/terraform/environments/delius-core/modules/delius_environment/fargate_graceful_retirement.tf @@ -0,0 +1,6 @@ +module "fargate_graceful_retirement" { + count = var.environment_config.fargate_graceful_retirement.enabled ? 1 : 0 + source = "../../../../modules/fargate_graceful_retirement" + restart_time = var.environment_config.fargate_graceful_retirement.restart_time +} + diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf new file mode 100644 index 00000000000..5e1eb007f7a --- /dev/null +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf @@ -0,0 +1,21 @@ +resource "aws_cloudwatch_event_rule" "ecs_restart_rule" { + name = "ecs_task_retirement_rule" + description = "Rule to catch AWS ECS Task Patching Retirement events" + event_pattern = jsonencode({ + "source": ["aws.health"], + "detail-type": ["AWS Health Event"], + "detail": { + "eventTypeCode": ["AWS_ECS_TASK_PATCHING_RETIREMENT"] + } + }) +} + +resource "aws_cloudwatch_event_target" "ecs_restarts_target" { + rule = aws_cloudwatch_event_rule.ecs_restart_rule.name + arn = aws_lambda_function.ecs_restart_handler.arn +} + +resource "aws_cloudwatch_event_target" "step_function_target" { + rule = aws_cloudwatch_event_rule.ecs_restart_rule.name + arn = aws_sfn_state_machine.ecs_restarts_state_machine.arn +} 
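Review bot: `count = var.environment_config.fargate_graceful_retirement.enabled ? 1 : 0` dereferences a key that only the development config sets in this series, so every other environment fails at plan with an unsupported-attribute error unless `environment_config`'s type declares `fargate_graceful_retirement` optional with a default. Guard the lookup, `count = try(var.environment_config.fargate_graceful_retirement.enabled, false) ? 1 : 0`, and wrap `restart_time` the same way. A one-line comment at the call site, `# Redeploys Fargate services flagged by AWS Health for task patching retirement at a fixed time of day`, would make the purpose clear without opening the module.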
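Review bot: `name = "ecs_task_retirement_rule"` is a fixed string, so a second instantiation of this module in the same account and region (the `delius_environment` module is instantiated per environment) collides on the rule name at apply. Derive it from a prefix variable, `name = "${var.name_prefix}-ecs-task-retirement-rule"`, or use `name_prefix` and let Terraform suffix it. The pattern also matches every `AWS_ECS_TASK_PATCHING_RETIREMENT` event in the account, so if other workloads share the account the handler will force deployments on their services too; restricting the Lambda to a known cluster list is needed unless that is intended.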
diff --git a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time.py b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time.py new file mode 100644 index 00000000000..5df11c703a9 --- /dev/null +++ b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time.py @@ -0,0 +1,21 @@ +import json +import datetime + +def lambda_handler(event, context): + # Extract current event time + current_time_str = event.get('time', '') + + # Parse the event time into a datetime object + event_time = datetime.datetime.strptime(current_time_str, '%Y-%m-%dT%H:%M:%SZ') + + # Define the desired restart time (as a string, e.g., "14:30:00" for 2:30 PM) + restart_time_str = event.get('restart_time', '14:30:00') + + # Combine the event date with the desired time + restart_time = datetime.datetime.combine(event_time.date(), datetime.time.fromisoformat(restart_time_str)) + + # Return the calculated timestamp + return { + 'statusCode': 200, + 'timestamp': restart_time.isoformat() + 'Z' # Add 'Z' for UTC time + } diff --git a/terraform/modules/fargate_graceful_retirement/files/ecs_restart.py b/terraform/modules/fargate_graceful_retirement/files/ecs_restart.py new file mode 100644 index 00000000000..82e35c73809 --- /dev/null +++ b/terraform/modules/fargate_graceful_retirement/files/ecs_restart.py 
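Review bot: `restart_time` combines the event's date with the configured time of day, so when the Health event arrives after that time the computed timestamp is already in the past and the Step Functions `Wait` state proceeds immediately instead of at the next `04:00`. Add `if restart_time <= event_time: restart_time += datetime.timedelta(days=1)` after the `combine` call. `event.get('time', '')` turns a missing key into an opaque `ValueError` from `strptime`; let `event['time']` raise a `KeyError` instead, and drop the unused `import json`. Document in the handler docstring that `restart_time` is an `HH:MM[:SS]` UTC time of day, which is what `time.fromisoformat` and the `'14:30:00'` default imply, since the Terraform variable description currently says RFC3339.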
@@ -0,0 +1,43 @@ +import json +import boto3 + +def lambda_handler(event, context): + print("Event received:", json.dumps(event)) + + try: + ecs_client = boto3.client('ecs') + + affected_entities = event['detail']['affectedEntities'] + + for entity in affected_entities: + entity_value = entity.get('entityValue') + if entity_value is not None: + cluster_name = entity_value.split('|')[0] + service_name = entity_value.split('|')[1] + print("Cluster name:", cluster_name) + print("Service name:", service_name) + + print("Forcing new deployment for service:", service_name) + + response = ecs_client.update_service( + cluster=cluster_name, + service=service_name, + forceNewDeployment=True + ) + + print("Update service response:", json.dumps(response)) + else: + print("No entity value found in the event") + + return { + 'statusCode': 200, + 'body': json.dumps('Handled ECS Task Patching Retirement') + } + + except Exception as e: + print("Error updating service:", e) + return { + 'statusCode': 500, + 'body': json.dumps('Error updating service') + } + diff --git a/terraform/modules/fargate_graceful_retirement/lambda.tf b/terraform/modules/fargate_graceful_retirement/lambda.tf new file mode 100644 index 00000000000..47c059a1968 --- /dev/null +++ b/terraform/modules/fargate_graceful_retirement/lambda.tf 
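Review bot: `entity_value.split('|')[1]` raises `IndexError` for any affected entity whose value has no `|` separator, and because the single `except Exception` wraps the whole loop, one such entity aborts the remaining restarts; the handler then returns a `statusCode: 500` dict instead of raising, so the Step Functions `lambda:invoke` task records success either way and nothing retries or alarms. Validate and skip malformed entities, and re-raise after logging so the state machine sees the failure. The exact `entityValue` format for these Health events is not visible here; confirm it is `cluster|service` for the services you run.
```python
        for entity in affected_entities:
            entity_value = entity.get('entityValue')
            # Health events can list entities that are not cluster|service pairs; skip them
            if not entity_value or '|' not in entity_value:
                print("Skipping entity without a cluster|service value:", entity_value)
                continue
            cluster_name, service_name = entity_value.split('|', 1)
            # … unchanged: update_service(forceNewDeployment=True) and logging …
        # … unchanged: success return …
    except Exception as e:
        print("Error updating service:", e)
        raise  # surface the failure to Step Functions instead of returning a 500 dict
```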
@@ -0,0 +1,64 @@ +data "archive_file" "lambda_function_ecs_restart_payload" { + type = "zip" + source_dir = "${path.module}/files" + output_path = "${path.module}/files/ecs_restart.zip" + excludes = ["ecs_restart.zip", "calculate_wait_time.zip", "calculate_wait_time.py"] +} + +resource "aws_iam_role" "lambda_execution_role" { + name = "lambda_execution_role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "lambda.amazonaws.com" + } + }, + ] + }) + + managed_policy_arns = [ + "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", + ] +} + +resource "aws_lambda_function" "ecs_restart_handler" { + function_name = "ecs_restart_handler" + runtime = "python3.12" + handler = "lambda_function.lambda_handler" + role = aws_iam_role.lambda_execution_role.arn + + filename = data.archive_file.lambda_function_ecs_restart_payload.output_path + + source_code_hash = data.archive_file.lambda_function_ecs_restart_payload.output_base64sha256 +} + +resource "aws_lambda_permission" "allow_eventbridge_lambda" { + statement_id = "AllowExecutionFromEventBridge" + action = "lambda:InvokeFunction" + function_name = aws_lambda_function.ecs_restart_handler.function_name + principal = "events.amazonaws.com" + source_arn = aws_cloudwatch_event_rule.ecs_restart_rule.arn +} + + +resource "aws_lambda_function" "calculate_wait_time" { + function_name = "calculate_wait_time" + runtime = "python3.12" + handler = "lambda_function.lambda_handler" + role = aws_iam_role.lambda_execution_role.arn + + filename = data.archive_file.lambda_function_calculate_wait_time_payload.output_path + source_code_hash = data.archive_file.lambda_function_calculate_wait_time_payload.output_base64sha256 +} + +data "archive_file" "lambda_function_calculate_wait_time_payload" { + type = "zip" + source_dir = "${path.module}/files" + output_path = "${path.module}/files/calculate_wait_time.zip" + excludes = 
["calculate_wait_time.zip", "lambda.zip", "ecs_restart.py"] +} diff --git a/terraform/modules/fargate_graceful_retirement/required_providers.tf b/terraform/modules/fargate_graceful_retirement/required_providers.tf new file mode 100644 index 00000000000..f288605c066 --- /dev/null +++ b/terraform/modules/fargate_graceful_retirement/required_providers.tf @@ -0,0 +1,9 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + } + required_version = "~> 1.5" +} diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf new file mode 100644 index 00000000000..cb8e6215f78 --- /dev/null +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf 
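Review bot: `lambda_execution_role` is granted only `AWSLambdaBasicExecutionRole`, so `ecs_client.update_service(...)` in `ecs_restart_handler` fails with `AccessDeniedException` on every invocation, and given the handler's catch-all it fails silently. Attach an inline policy granting `ecs:UpdateService`, scoped to this account's services rather than `*`. The role and function names (`lambda_execution_role`, `ecs_restart_handler`, `calculate_wait_time`) are also fixed strings and will collide if the module is instantiated twice in one account; derive them from a prefix variable.
```hcl
data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Least-privilege grant for the forced redeploys performed by ecs_restart_handler
resource "aws_iam_role_policy" "lambda_ecs_update_service" {
  name = "ecs-update-service"
  role = aws_iam_role.lambda_execution_role.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ecs:UpdateService"]
      Resource = "arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:service/*"
    }]
  })
}
```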
@@ -0,0 +1,66 @@ +resource "aws_iam_role" "step_function_role" { + name = "step_function_execution_role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Action = "sts:AssumeRole" + Effect = "Allow" + Principal = { + Service = "states.amazonaws.com" + } + }, + ] + }) +} + +resource "aws_iam_role_policy" "step_function_policy" { + name = "step_function_policy" + role = aws_iam_role.step_function_role.id + policy = jsonencode({ + Version = "2012-10-17" + Statement = [ + { + Effect = "Allow" + Action = "lambda:InvokeFunction", + Resource = aws_lambda_function.ecs_restart_handler.arn, + }, + ] + }) +} +resource "aws_sfn_state_machine" "ecs_restart_state_machine" { + name = "ecs_restart_state_machine" + role_arn = aws_iam_role.step_function_role.arn + + definition = jsonencode({ + Comment: "State Machine to handle ECS Task Patching Retirement", + StartAt: "CalculateWaitTimestamp", + States: { + CalculateWaitTimestamp: { + Type: "Task", + Resource: "arn:aws:lambda:${aws_lambda_function.calculate_wait_time.arn}", + Parameters: { + "time.$": "$.time", # Pass the event time from the input + "restart_time": "${var.restart_time}" + }, + ResultPath: "$.waitTimestamp", # Store the result in $.waitTimestamp + Next: "WaitUntilRestartTime" + }, + WaitUntilRestartTime: { + Type: "Wait", + TimestampPath: "$.waitTimestamp.timestamp", # Use the computed timestamp + Next: "InvokeLambdaFunction" + }, + InvokeLambdaFunction: { + Type: "Task", + Resource: "arn:aws:states:::lambda:invoke", + Parameters: { + "FunctionName": "${aws_lambda_function.ecs_restart_handler.arn}", + "Payload.$": "$" + }, + End: true + } + } + }) +} diff --git a/terraform/modules/fargate_graceful_retirement/variables.tf b/terraform/modules/fargate_graceful_retirement/variables.tf new file mode 100644 index 00000000000..7ac0c1e55d1 --- /dev/null +++ b/terraform/modules/fargate_graceful_retirement/variables.tf 
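Review bot: Neither Task state in `ecs_restart_state_machine` has a `Retry` or `Catch`, so a transient Lambda error (throttling, cold-start timeout) fails the execution outright, and because `ecs_restart_handler` returns `statusCode: 500` rather than raising, a failed restart still completes the execution as succeeded with nothing to alarm on. Add a `Retry` on `Lambda.ServiceException`, `Lambda.AWSLambdaException`, `Lambda.SdkClientException` and `Lambda.TooManyRequestsException` to both tasks, a `Catch` routing to a `Fail` state, and an alarm on the state machine's `ExecutionsFailed` metric. The `Comment` field should also record that `restart_time` is a UTC time of day, which is what `calculate_wait_time` parses.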
@@ -0,0 +1,4 @@ +variable "restart_time" { + description = "The time to wait until invoking the Lambda function (in RFC3339 format, e.g., 2023-11-13T14:30:00Z)" + type = string +} From 2e7d0386152dc6eb08c75fd77724d7f4952c8da2 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Sun, 13 Oct 2024 16:16:39 +0100 Subject: [PATCH 35/83] fix: interpolation only string --- .../modules/fargate_graceful_retirement/step_functions.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index cb8e6215f78..d59e575d54f 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -42,7 +42,7 @@ resource "aws_sfn_state_machine" "ecs_restart_state_machine" { Resource: "arn:aws:lambda:${aws_lambda_function.calculate_wait_time.arn}", Parameters: { "time.$": "$.time", # Pass the event time from the input - "restart_time": "${var.restart_time}" + "restart_time": var.restart_time }, ResultPath: "$.waitTimestamp", # Store the result in $.waitTimestamp Next: "WaitUntilRestartTime" @@ -56,7 +56,7 @@ resource "aws_sfn_state_machine" "ecs_restart_state_machine" { Type: "Task", Resource: "arn:aws:states:::lambda:invoke", Parameters: { - "FunctionName": "${aws_lambda_function.ecs_restart_handler.arn}", + "FunctionName": aws_lambda_function.ecs_restart_handler.arn, "Payload.$": "$" }, End: true From 4df8265e36daa65a1b63675175ccac61d7cd23e1 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Sun, 13 Oct 2024 16:17:29 +0100 Subject: [PATCH 36/83] fix: typo in arn ref for event target --- terraform/modules/fargate_graceful_retirement/eventbridge.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
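Review bot: The `restart_time` description promises RFC3339 (`2023-11-13T14:30:00Z`), but the development config passes `"04:00"` and `calculate_wait_time` parses the value with `datetime.time.fromisoformat`, so a caller following the description gets a `ValueError` inside the state machine. Change it to `description = "UTC time of day (HH:MM or HH:MM:SS) at which retiring Fargate services are redeployed"` and add a `validation` block, `condition = can(regex("^([01][0-9]|2[0-3]):[0-5][0-9](:[0-5][0-9])?$", var.restart_time))`, so a bad value fails at plan instead of at run time.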
diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index 5e1eb007f7a..9119710fb72 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf @@ -17,5 +17,5 @@ resource "aws_cloudwatch_event_target" "ecs_restarts_target" { resource "aws_cloudwatch_event_target" "step_function_target" { rule = aws_cloudwatch_event_rule.ecs_restart_rule.name - arn = aws_sfn_state_machine.ecs_restarts_state_machine.arn + arn = aws_sfn_state_machine.ecs_restart_state_machine.arn } From 223dcb195105faca3f47fcd30cf79ff0935e80d6 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Sun, 13 Oct 2024 16:20:04 +0100 Subject: [PATCH 37/83] Update ecs_restart.py --- .../fargate_graceful_retirement/files/ecs_restart.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/terraform/modules/fargate_graceful_retirement/files/ecs_restart.py b/terraform/modules/fargate_graceful_retirement/files/ecs_restart.py index 82e35c73809..7fda52b3e4d 100644 --- a/terraform/modules/fargate_graceful_retirement/files/ecs_restart.py +++ b/terraform/modules/fargate_graceful_retirement/files/ecs_restart.py @@ -5,13 +5,18 @@ def lambda_handler(event, context): print("Event received:", json.dumps(event)) try: + # Create an ECS client using boto3 ecs_client = boto3.client('ecs') + # Extract the affected entities from the event affected_entities = event['detail']['affectedEntities'] + # Iterate over each affected entity for entity in affected_entities: + # Get the entity value entity_value = entity.get('entityValue') if entity_value is not None: + # Extract cluster name and service name from the entity value cluster_name = entity_value.split('|')[0] service_name = entity_value.split('|')[1] print("Cluster name:", cluster_name) 
@@ -19,6 +24,7 @@ def lambda_handler(event, context): print("Forcing new deployment for service:", service_name) + # Force a new deployment for the specified service in the specified cluster response = ecs_client.update_service( cluster=cluster_name, service=service_name, @@ -40,4 +46,3 @@ def lambda_handler(event, context): 'statusCode': 500, 'body': json.dumps('Error updating service') } - From 9e34e2799b8ae79831f1b43b4ded2b6b33d42177 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Mon, 14 Oct 2024 12:16:04 +0100 Subject: [PATCH 38/83] Update eventbridge.tf --- .../fargate_graceful_retirement/eventbridge.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index 9119710fb72..721f8599909 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf 
@@ -2,20 +2,20 @@ resource "aws_cloudwatch_event_rule" "ecs_restart_rule" { name = "ecs_task_retirement_rule" description = "Rule to catch AWS ECS Task Patching Retirement events" event_pattern = jsonencode({ - "source": ["aws.health"], - "detail-type": ["AWS Health Event"], - "detail": { - "eventTypeCode": ["AWS_ECS_TASK_PATCHING_RETIREMENT"] + "source" : ["aws.health"], + "detail-type" : ["AWS Health Event"], + "detail" : { + "eventTypeCode" : ["AWS_ECS_TASK_PATCHING_RETIREMENT"] } }) } resource "aws_cloudwatch_event_target" "ecs_restarts_target" { - rule = aws_cloudwatch_event_rule.ecs_restart_rule.name - arn = aws_lambda_function.ecs_restart_handler.arn + rule = aws_cloudwatch_event_rule.ecs_restart_rule.name + arn = aws_lambda_function.ecs_restart_handler.arn } resource "aws_cloudwatch_event_target" "step_function_target" { - rule = aws_cloudwatch_event_rule.ecs_restart_rule.name - arn = aws_sfn_state_machine.ecs_restart_state_machine.arn + rule = aws_cloudwatch_event_rule.ecs_restart_rule.name + arn = aws_sfn_state_machine.ecs_restart_state_machine.arn } From 6246de6b41a5fdb2796abfca72bc5a5b95cc599d Mon Sep 17 00:00:00 2001 From: George Taylor Date: Mon, 14 Oct 2024 14:56:52 +0100 Subject: [PATCH 39/83] Update eventbridge.tf --- .../modules/fargate_graceful_retirement/eventbridge.tf | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index 721f8599909..65913b961b1 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf 
@@ -10,10 +10,10 @@ resource "aws_cloudwatch_event_rule" "ecs_restart_rule" { }) } -resource "aws_cloudwatch_event_target" "ecs_restarts_target" { - rule = aws_cloudwatch_event_rule.ecs_restart_rule.name - arn = aws_lambda_function.ecs_restart_handler.arn -} +# resource "aws_cloudwatch_event_target" "ecs_restarts_target" { +# rule = aws_cloudwatch_event_rule.ecs_restart_rule.name +# arn = aws_lambda_function.ecs_restart_handler.arn +# } resource "aws_cloudwatch_event_target" "step_function_target" { rule = aws_cloudwatch_event_rule.ecs_restart_rule.name From 9be70d94cee4d9ea16c6cba99c48f95015019ff1 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 16 Oct 2024 16:59:32 +0100 Subject: [PATCH 40/83] Update eventbridge.tf --- terraform/modules/fargate_graceful_retirement/eventbridge.tf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index 65913b961b1..7ddbbe2e752 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf @@ -10,11 +10,6 @@ resource "aws_cloudwatch_event_rule" "ecs_restart_rule" { }) } -# resource "aws_cloudwatch_event_target" "ecs_restarts_target" { -# rule = aws_cloudwatch_event_rule.ecs_restart_rule.name -# arn = aws_lambda_function.ecs_restart_handler.arn -# } - resource "aws_cloudwatch_event_target" "step_function_target" { rule = aws_cloudwatch_event_rule.ecs_restart_rule.name arn = aws_sfn_state_machine.ecs_restart_state_machine.arn From 0499509c17613c1d9c8746a1fcbb80f454b1a72e Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 16 Oct 2024 22:28:40 +0100 Subject: [PATCH 41/83] typo --- .../step_functions.tf | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) 
diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index d59e575d54f..66ab002702e 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -5,8 +5,8 @@ resource "aws_iam_role" "step_function_role" { Version = "2012-10-17" Statement = [ { - Action = "sts:AssumeRole" - Effect = "Allow" + Action = "sts:AssumeRole" + Effect = "Allow" Principal = { Service = "states.amazonaws.com" } @@ -16,8 +16,8 @@ resource "aws_iam_role" "step_function_role" { } resource "aws_iam_role_policy" "step_function_policy" { - name = "step_function_policy" - role = aws_iam_role.step_function_role.id + name = "step_function_policy" + role = aws_iam_role.step_function_role.id policy = jsonencode({ Version = "2012-10-17" Statement = [ 
@@ -33,33 +33,33 @@ resource "aws_sfn_state_machine" "ecs_restart_state_machine" { name = "ecs_restart_state_machine" role_arn = aws_iam_role.step_function_role.arn - definition = jsonencode({ - Comment: "State Machine to handle ECS Task Patching Retirement", - StartAt: "CalculateWaitTimestamp", - States: { - CalculateWaitTimestamp: { - Type: "Task", - Resource: "arn:aws:lambda:${aws_lambda_function.calculate_wait_time.arn}", - Parameters: { - "time.$": "$.time", # Pass the event time from the input - "restart_time": var.restart_time + definition = jsonencode({ + Comment : "State Machine to handle ECS Task Patching Retirement", + StartAt : "CalculateWaitTimestamp", + States : { + CalculateWaitTimestamp : { + Type : "Task", + Resource : aws_lambda_function.calculate_wait_time.arn, + Parameters : { + "time.$" : "$.time", # Pass the event time from the input + "restart_time" : var.restart_time }, - ResultPath: "$.waitTimestamp", # Store the result in $.waitTimestamp - Next: "WaitUntilRestartTime" + ResultPath : "$.waitTimestamp", # Store the result in $.waitTimestamp + Next : "WaitUntilRestartTime" }, - WaitUntilRestartTime: { - Type: "Wait", - TimestampPath: "$.waitTimestamp.timestamp", # Use the computed timestamp - Next: "InvokeLambdaFunction" + WaitUntilRestartTime : { + Type : "Wait", + TimestampPath : "$.waitTimestamp.timestamp", # Use the computed timestamp + Next : "InvokeLambdaFunction" }, - InvokeLambdaFunction: { - Type: "Task", - Resource: "arn:aws:states:::lambda:invoke", - Parameters: { - "FunctionName": aws_lambda_function.ecs_restart_handler.arn, - "Payload.$": "$" + InvokeLambdaFunction : { + Type : "Task", + Resource : "arn:aws:states:::lambda:invoke", + Parameters : { + "FunctionName" : aws_lambda_function.ecs_restart_handler.arn, + "Payload.$" : "$" }, - End: true + End : true } } }) From 476bd6596b87f00fe901f52a2e6eade34da98d7f Mon Sep 17 00:00:00 2001 
From: George Taylor Date: Wed, 16 Oct 2024 22:39:18 +0100 Subject: [PATCH 42/83] Update eventbridge.tf --- terraform/modules/fargate_graceful_retirement/eventbridge.tf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index 7ddbbe2e752..a5a61eb9d25 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf @@ -11,6 +11,7 @@ resource "aws_cloudwatch_event_rule" "ecs_restart_rule" { } resource "aws_cloudwatch_event_target" "step_function_target" { - rule = aws_cloudwatch_event_rule.ecs_restart_rule.name - arn = aws_sfn_state_machine.ecs_restart_state_machine.arn + rule = aws_cloudwatch_event_rule.ecs_restart_rule.name + arn = aws_sfn_state_machine.ecs_restart_state_machine.arn + role_arn = aws_iam_role.step_function_role.arn } From 777aae3d07dc4ef165b16fca206a6ff1c33ff788 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 16 Oct 2024 23:22:46 +0100 Subject: [PATCH 43/83] rename lambdas --- .../lambda_function.py.py} | 8 ++++---- .../lambda_function.py.py} | 0 .../fargate_graceful_retirement/lambda.tf | 16 ++++++++-------- .../step_functions.tf | 2 +- 4 files changed, 13 insertions(+), 13 deletions(-) rename terraform/modules/fargate_graceful_retirement/files/{calculate_wait_time.py => calculate_wait_time/lambda_function.py.py} (97%) rename terraform/modules/fargate_graceful_retirement/files/{ecs_restart.py => ecs_restart/lambda_function.py.py} (100%) 
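Review bot: `role_arn = aws_iam_role.step_function_role.arn` hands EventBridge the state machine's own execution role, but that role's trust policy only allows `states.amazonaws.com` to assume it and its inline policy grants only `lambda:InvokeFunction`, so `events.amazonaws.com` cannot assume it and has no `states:StartExecution`; the target applies cleanly but every matching Health event fails to start an execution, visible only as `FailedInvocations` on the rule. Create a dedicated role trusted by `events.amazonaws.com` with `states:StartExecution` on `aws_sfn_state_machine.ecs_restart_state_machine.arn` and reference that here.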
diff --git a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time.py b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py.py similarity index 97% rename from terraform/modules/fargate_graceful_retirement/files/calculate_wait_time.py rename to terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py.py index 5df11c703a9..bca575e5ca9 100644 --- a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time.py +++ b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py.py @@ -4,16 +4,16 @@ def lambda_handler(event, context): # Extract current event time current_time_str = event.get('time', '') - + # Parse the event time into a datetime object event_time = datetime.datetime.strptime(current_time_str, '%Y-%m-%dT%H:%M:%SZ') - + # Define the desired restart time (as a string, e.g., "14:30:00" for 2:30 PM) restart_time_str = event.get('restart_time', '14:30:00') - + # Combine the event date with the desired time restart_time = datetime.datetime.combine(event_time.date(), datetime.time.fromisoformat(restart_time_str)) - + # Return the calculated timestamp return { 'statusCode': 200, diff --git a/terraform/modules/fargate_graceful_retirement/files/ecs_restart.py b/terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py.py similarity index 100% rename from terraform/modules/fargate_graceful_retirement/files/ecs_restart.py rename to terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py.py diff --git a/terraform/modules/fargate_graceful_retirement/lambda.tf b/terraform/modules/fargate_graceful_retirement/lambda.tf index 47c059a1968..34e36ec819a 100644 --- a/terraform/modules/fargate_graceful_retirement/lambda.tf +++ b/terraform/modules/fargate_graceful_retirement/lambda.tf 
@@ -1,8 +1,8 @@ data "archive_file" "lambda_function_ecs_restart_payload" { type = "zip" - source_dir = "${path.module}/files" + source_dir = "${path.module}/files/ecs_restart" output_path = "${path.module}/files/ecs_restart.zip" - excludes = ["ecs_restart.zip", "calculate_wait_time.zip", "calculate_wait_time.py"] + excludes = ["ecs_restart.zip", "calculate_wait_time.zip"] } resource "aws_iam_role" "lambda_execution_role" { @@ -12,8 +12,8 @@ resource "aws_iam_role" "lambda_execution_role" { Version = "2012-10-17" Statement = [ { - Action = "sts:AssumeRole" - Effect = "Allow" + Action = "sts:AssumeRole" + Effect = "Allow" Principal = { Service = "lambda.amazonaws.com" } @@ -32,7 +32,7 @@ resource "aws_lambda_function" "ecs_restart_handler" { handler = "lambda_function.lambda_handler" role = aws_iam_role.lambda_execution_role.arn - filename = data.archive_file.lambda_function_ecs_restart_payload.output_path + filename = data.archive_file.lambda_function_ecs_restart_payload.output_path source_code_hash = data.archive_file.lambda_function_ecs_restart_payload.output_base64sha256 } @@ -52,13 +52,13 @@ resource "aws_lambda_function" "calculate_wait_time" { handler = "lambda_function.lambda_handler" role = aws_iam_role.lambda_execution_role.arn - filename = data.archive_file.lambda_function_calculate_wait_time_payload.output_path + filename = data.archive_file.lambda_function_calculate_wait_time_payload.output_path source_code_hash = data.archive_file.lambda_function_calculate_wait_time_payload.output_base64sha256 } data "archive_file" "lambda_function_calculate_wait_time_payload" { type = "zip" - source_dir = "${path.module}/files" + source_dir = "${path.module}/files/calculate_wait_time" output_path = "${path.module}/files/calculate_wait_time.zip" - excludes = ["calculate_wait_time.zip", "lambda.zip", "ecs_restart.py"] + excludes = ["calculate_wait_time.zip", "ecs_restart.zip"] } 
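Review bot: The `excludes` lists in the two `archive_file` hunks no longer describe the directories they package: with `source_dir` now pointing at `files/ecs_restart` and `files/calculate_wait_time`, the zip files written to `files/` sit outside the archive root, so `excludes = ["ecs_restart.zip", "calculate_wait_time.zip"]` and its counterpart are dead configuration. Dropping both `excludes` arguments, or adding a one-line comment saying they are defensive, would stop a reader assuming the zips are still inside the packaged tree.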
diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index 66ab002702e..ce3def405c5 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -24,7 +24,7 @@ resource "aws_iam_role_policy" "step_function_policy" { { Effect = "Allow" Action = "lambda:InvokeFunction", - Resource = aws_lambda_function.ecs_restart_handler.arn, + Resource = [aws_lambda_function.ecs_restart_handler.arn, aws_lambda_function.calculate_wait_time.arn] }, ] }) From f521b2124b7e762a0fea4031ff50438a50377222 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 16 Oct 2024 23:28:36 +0100 Subject: [PATCH 44/83] typo --- .gitignore | 2 +- .../{lambda_function.py.py => lambda_function.py} | 0 .../ecs_restart/{lambda_function.py.py => lambda_function.py} | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/{lambda_function.py.py => lambda_function.py} (100%) rename terraform/modules/fargate_graceful_retirement/files/ecs_restart/{lambda_function.py.py => lambda_function.py} (100%) diff --git a/.gitignore b/.gitignore index c24ca2e3009..fe49cb52038 100644 --- a/.gitignore +++ b/.gitignore @@ -24,4 +24,4 @@ out/ # vim **/*.swp -terraform/modules/fargate_graceful_retirement/**/*.zip +terraform/modules/**/*.zip diff --git a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py.py b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py similarity index 100% rename from terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py.py rename to terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py 
diff --git a/terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py.py b/terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py similarity index 100% rename from terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py.py rename to terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py From 2e07528bc34f60be83cf6c0066458196b1ec4bd1 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 16 Oct 2024 23:45:50 +0100 Subject: [PATCH 45/83] refactor lambda --- .../calculate_wait_time/lambda_function.py | 36 ++++++++++++++----- .../step_functions.tf | 1 + .../fargate_graceful_retirement/variables.tf | 10 ++++++ 3 files changed, 38 insertions(+), 9 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py index bca575e5ca9..478eef6e874 100644 --- a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py +++ b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py 
@@ -1,21 +1,39 @@ import json import datetime - def lambda_handler(event, context): # Extract current event time - current_time_str = event.get('time', '') + current_time_str = event.get('time', None) + + # If the event time is not available, return an error + if current_time_str is None: + return { + 'statusCode': 400, + 'error': 'Start time not available' + } + + # Parse the event time into a datetime object (example"2023-08-16T23:18:51Z") + time = datetime.datetime.strptime(current_time_str, '%Y-%m-%dT%H:%M:%SZ') + + # Define the desired restart time (as a string) + restart_time_str = event.get('restart_time', '22:00') + restart_day_of_the_week = event.get('restart_day_of_week', 'WEDNESDAY') + + # get the next occurrence of the desired day of the week + days_of_week = ['MONDAY', 'TUESDAY', 'WEDNESDAY', 'THURSDAY', 'FRIDAY', 'SATURDAY', 'SUNDAY'] + current_day_of_week = days_of_week[time.weekday()] - # Parse the event time into a datetime object - event_time = datetime.datetime.strptime(current_time_str, '%Y-%m-%dT%H:%M:%SZ') + # get the number of days until the next desired day of the week + days_until_restart = (days_of_week.index(restart_day_of_the_week) - days_of_week.index(current_day_of_week)) % 7 - # Define the desired restart time (as a string, e.g., "14:30:00" for 2:30 PM) - restart_time_str = event.get('restart_time', '14:30:00') + # get the desired restart time as a datetime object + restart_time = datetime.datetime.strptime(restart_time_str, '%H:%M') - # Combine the event date with the desired time - restart_time = datetime.datetime.combine(event_time.date(), datetime.time.fromisoformat(restart_time_str)) + # add the number of days until the next desired day of the week + restart_time = datetime.datetime.combine(start_time.date(), restart_time.time()) + restart_time += datetime.timedelta(days=days_until_restart) # Return the calculated timestamp return { 'statusCode': 200, - 'timestamp': restart_time.isoformat() + 'Z' # Add 'Z' for UTC time + 
'timestamp': restart_time.isoformat() + 'Z' # Assuming UTC } diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index ce3def405c5..445c9da7380 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -43,6 +43,7 @@ resource "aws_sfn_state_machine" "ecs_restart_state_machine" { Parameters : { "time.$" : "$.time", # Pass the event time from the input "restart_time" : var.restart_time + "restart_day_of_the_week" : var.restart_day_of_the_week }, ResultPath : "$.waitTimestamp", # Store the result in $.waitTimestamp Next : "WaitUntilRestartTime" diff --git a/terraform/modules/fargate_graceful_retirement/variables.tf b/terraform/modules/fargate_graceful_retirement/variables.tf index 7ac0c1e55d1..bfefdfc331c 100644 --- a/terraform/modules/fargate_graceful_retirement/variables.tf +++ b/terraform/modules/fargate_graceful_retirement/variables.tf @@ -2,3 +2,13 @@ variable "restart_time" { description = "The time to wait until invoking the Lambda function (in RFC3339 format, e.g., 2023-11-13T14:30:00Z)" type = string } + +variable "restart_day_of_the_week" { + description = "The day of the week to restart the ECS task (e.g., MONDAY)" + type = string + default = "WEDNESDAY" + validation { + condition = can(regex("^(MONDAY|TUESDAY|WEDNESDAY|THURSDAY|FRIDAY|SATURDAY|SUNDAY)$", var.restart_day_of_the_week)) + error_message = "The restart_day_of_the_week must be one of MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, or SUNDAY" + } +} From 5e675bde4aa57771db84173147b7496b971b6dc3 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 16 Oct 2024 23:45:50 +0100 Subject: [PATCH 46/83] refactor lambda --- terraform/modules/fargate_graceful_retirement/step_functions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
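Review bot: The event key read on the new line `restart_day_of_the_week = event.get('restart_day_of_week', 'WEDNESDAY')` does not match the key the step_functions.tf hunk in this same commit sends (`"restart_day_of_the_week" : var.restart_day_of_the_week`), so the configured day is silently ignored and the default is always used; the same mismatch is still present in the later hunks at PATCH 46, 47 and 48. Reading `event.get('restart_day_of_the_week', 'WEDNESDAY')` fixes it. `days_of_week.index(restart_day_of_the_week)` raises ValueError on any other spelling, which fails the state machine task instead of returning the 400-style error the handler already uses for a missing time, so a membership check before the lookup would keep the failure mode consistent. Separately, `start_time.date()` refers to a name not bound anywhere in this function (the parsed value is `time`), so the handler raises NameError before it returns.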
diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index 445c9da7380..37392e824e9 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -41,7 +41,7 @@ resource "aws_sfn_state_machine" "ecs_restart_state_machine" { Type : "Task", Resource : aws_lambda_function.calculate_wait_time.arn, Parameters : { - "time.$" : "$.time", # Pass the event time from the input + "start_time.$" : "$.detail.startTime", # Pass the event time from the input "restart_time" : var.restart_time "restart_day_of_the_week" : var.restart_day_of_the_week }, From 0cecb975ed4bbf14f138816dc9db91943f0fc834 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Wed, 16 Oct 2024 23:56:58 +0100 Subject: [PATCH 47/83] Update step_functions.tf --- terraform/modules/fargate_graceful_retirement/step_functions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index 37392e824e9..445c9da7380 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -41,7 +41,7 @@ resource "aws_sfn_state_machine" "ecs_restart_state_machine" { Type : "Task", Resource : aws_lambda_function.calculate_wait_time.arn, Parameters : { - "start_time.$" : "$.detail.startTime", # Pass the event time from the input + "time.$" : "$.time", # Pass the event time from the input "restart_time" : var.restart_time "restart_day_of_the_week" : var.restart_day_of_the_week }, From 0cd7e7b32103313f77e85198fac704a70f59a630 Mon Sep 17 00:00:00 2001 
From: George Taylor Date: Thu, 17 Oct 2024 00:03:22 +0100 Subject: [PATCH 48/83] Update lambda_function.py --- .../files/calculate_wait_time/lambda_function.py | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py index 478eef6e874..1055fa92aae 100644 --- a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py +++ b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py 
@@ -18,18 +18,21 @@ def lambda_handler(event, context): restart_time_str = event.get('restart_time', '22:00') restart_day_of_the_week = event.get('restart_day_of_week', 'WEDNESDAY') - # get the next occurrence of the desired day of the week + # get the next occurrence of the desired day of the week but after the current day days_of_week = ['MONDAY', 'TUESDAY', 'WEDNESDAY', 'THURSDAY', 'FRIDAY', 'SATURDAY', 'SUNDAY'] - current_day_of_week = days_of_week[time.weekday()] + current_day_of_the_week = days_of_week[time.weekday()] - # get the number of days until the next desired day of the week - days_until_restart = (days_of_week.index(restart_day_of_the_week) - days_of_week.index(current_day_of_week)) % 7 + if current_day_of_the_week == restart_day_of_the_week: + days_until_restart = 7 + else: + # get the number of days until the next desired day of the week + days_until_restart = (days_of_week.index(restart_day_of_the_week) - days_of_week.index(current_day_of_the_week)) % 7 # get the desired restart time as a datetime object restart_time = datetime.datetime.strptime(restart_time_str, '%H:%M') # add the number of days until the next desired day of the week - restart_time = datetime.datetime.combine(start_time.date(), restart_time.time()) + restart_time = datetime.datetime.combine(time.date(), restart_time.time()) restart_time += datetime.timedelta(days=days_until_restart) # Return the calculated timestamp From f8ddeab090a888420ef6563555c69b5b781d7a1d Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 17 Oct 2024 00:28:02 +0100 Subject: [PATCH 49/83] add ecs policy for lambda --- .../fargate_graceful_retirement/data.tf | 2 ++ .../fargate_graceful_retirement/lambda.tf | 25 ++++++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) create mode 100644 terraform/modules/fargate_graceful_retirement/data.tf 
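Review bot: The new branch `if current_day_of_the_week == restart_day_of_the_week: days_until_restart = 7` defers the restart by a full week even when the configured restart time is still ahead on the current day, so an event arriving on a Wednesday morning with a 22:00 restart waits until the following Wednesday. Since the retirement this module reacts to happens roughly seven days after the notification (per the module README added later in this series), that wait can land after AWS has already retired the tasks; building the candidate restart datetime first and only adding 7 days when it is not later than `time` would avoid that. The `restart_day_of_week` key mismatch raised on the PATCH 45 hunk is unchanged here. The function's signature is in the hunk header and its return is outside the hunk.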
diff --git a/terraform/modules/fargate_graceful_retirement/data.tf b/terraform/modules/fargate_graceful_retirement/data.tf new file mode 100644
index 00000000000..038d1e221a8
--- /dev/null
+++ b/terraform/modules/fargate_graceful_retirement/data.tf
@@ -0,0 +1,2 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
diff --git a/terraform/modules/fargate_graceful_retirement/lambda.tf b/terraform/modules/fargate_graceful_retirement/lambda.tf
index 34e36ec819a..beabaee2423 100644
--- a/terraform/modules/fargate_graceful_retirement/lambda.tf
+++ b/terraform/modules/fargate_graceful_retirement/lambda.tf
@@ -26,6 +26,29 @@ resource "aws_iam_role" "lambda_execution_role" {
 ]
 }
 
+data "aws_iam_policy_document" "lambda_ecs" {
+ statement {
+ actions = [
+ "ecs:UpdateService",
+ "ecs:DescribeServices",
+ "ecs:ListServices"
+ ]
+ resources = ["arn:aws:ecs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:service/*"]
+ }
+}
+
+resource "aws_iam_policy" "lambda_ecs" {
+ name = "lambda_ecs_policy"
+ description = "IAM policy for Lambda to interact with ECS"
+ policy = data.aws_iam_policy_document.lambda_ecs.json
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_ecs" {
+ policy_arn = aws_iam_policy.lambda_ecs.arn
+ role = aws_iam_role.lambda_execution_role.name
+}
+
+
 resource "aws_lambda_function" "ecs_restart_handler" {
 function_name = "ecs_restart_handler"
 runtime = "python3.12"
@@ -37,7 +60,7 @@ resource "aws_lambda_function" "ecs_restart_handler" {
 source_code_hash = data.archive_file.lambda_function_ecs_restart_payload.output_base64sha256
 }
 
-resource "aws_lambda_permission" "allow_eventbridge_lambda" {
+resource "aws_lambda_permission" "allow_eventbridge" {
 statement_id = "AllowExecutionFromEventBridge"
 action = "lambda:InvokeFunction"
 function_name = aws_lambda_function.ecs_restart_handler.function_name
From f10faee97fec89103384b8442720bc63ec81aac7 Mon Sep 17 00:00:00 2001
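Review bot: The new `lambda_ecs` policy grants `ecs:UpdateService` on `service/*` for the whole account and region, so the shared `lambda_execution_role` — which `calculate_wait_time` also runs under, although that function never touches ECS — can force a new deployment of any service, not only the ones this module is meant to restart. Scoping `resources` to the affected clusters (for example a list-typed module input of cluster ARNs rendered as `"${cluster_arn}/*"` service ARNs) and giving `calculate_wait_time` its own role without this attachment would bring the blast radius down to what the restart handler needs; `ecs:ListServices` may need its own `*`-resource statement if it turns out not to support resource-level permissions. The fixed `name = "lambda_ecs_policy"` will also collide if the module is instantiated more than once in the same account, so `name_prefix` or a name derived from a module input is safer.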
From: George Taylor Date: Thu, 17 Oct 2024 00:44:42 +0100 Subject: [PATCH 50/83] add debug logging --- .../files/calculate_wait_time/lambda_function.py | 14 ++++++++++++++ .../files/ecs_restart/lambda_function.py | 10 ++++++---- .../modules/fargate_graceful_retirement/lambda.tf | 13 ++++++++++++- .../fargate_graceful_retirement/variables.tf | 6 ++++++ 4 files changed, 38 insertions(+), 5 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py index 1055fa92aae..93e71a1b7b9 100644 --- a/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py +++ b/terraform/modules/fargate_graceful_retirement/files/calculate_wait_time/lambda_function.py 
@@ -13,21 +13,32 @@ def lambda_handler(event, context): # Parse the event time into a datetime object (example"2023-08-16T23:18:51Z") time = datetime.datetime.strptime(current_time_str, '%Y-%m-%dT%H:%M:%SZ') + if os.environ.get('DEBUG_LOGGING', False): + print("[DEBUG] time from event:", time) # Define the desired restart time (as a string) restart_time_str = event.get('restart_time', '22:00') restart_day_of_the_week = event.get('restart_day_of_week', 'WEDNESDAY') + if os.environ.get('DEBUG_LOGGING', False): + print("[DEBUG] Restart time:", restart_time_str) + print("[DEBUG] Restart day of the week:", restart_day_of_the_week) + # get the next occurrence of the desired day of the week but after the current day days_of_week = ['MONDAY', 'TUESDAY', 'WEDNESDAY', 'THURSDAY', 'FRIDAY', 'SATURDAY', 'SUNDAY'] current_day_of_the_week = days_of_week[time.weekday()] if current_day_of_the_week == restart_day_of_the_week: days_until_restart = 7 + if os.environ.get('DEBUG_LOGGING', False): + print("[DEBUG] Restart day is today, restarting next week instead.") else: # get the number of days until the next desired day of the week days_until_restart = (days_of_week.index(restart_day_of_the_week) - days_of_week.index(current_day_of_the_week)) % 7 + if os.environ.get('DEBUG_LOGGING', False): + print("[DEBUG] Days until restart:", days_until_restart) + # get the desired restart time as a datetime object restart_time = datetime.datetime.strptime(restart_time_str, '%H:%M') @@ -35,6 +46,9 @@ def lambda_handler(event, context): restart_time = datetime.datetime.combine(time.date(), restart_time.time()) restart_time += datetime.timedelta(days=days_until_restart) + if os.environ.get('DEBUG_LOGGING', False): + print("[DEBUG] Restart time:", restart_time) + # Return the calculated timestamp return { 'statusCode': 200, 
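Review bot: Every new `os.environ.get('DEBUG_LOGGING', False)` check in these two hunks uses `os`, but this commit adds no `import os` to calculate_wait_time's lambda_function.py (the diffstat's 14 insertions are all inside these hunks), so the handler now raises NameError at the first check on every invocation. Once imported, the check is still wrong: the `environment` blocks in this commit's lambda.tf hunks pass `var.debug_logging` through a map(string), so the variable arrives as the text `"false"`, which is truthy, and debug output is always printed. `DEBUG = os.environ.get('DEBUG_LOGGING', 'false').lower() == 'true'` evaluated once at module import, then `if DEBUG:` at each site, fixes both; the ecs_restart hunk below has the same truthiness problem. The enclosing function starts above the first hunk.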
diff --git a/terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py b/terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py index 7fda52b3e4d..4e490ba8023 100644 --- a/terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py +++ b/terraform/modules/fargate_graceful_retirement/files/ecs_restart/lambda_function.py @@ -1,5 +1,6 @@ import json import boto3 +import os def lambda_handler(event, context): print("Event received:", json.dumps(event)) @@ -22,22 +23,23 @@ def lambda_handler(event, context): print("Cluster name:", cluster_name) print("Service name:", service_name) - print("Forcing new deployment for service:", service_name) - + print("Forcing new deployment for service:", service_name) + # Force a new deployment for the specified service in the specified cluster response = ecs_client.update_service( cluster=cluster_name, service=service_name, forceNewDeployment=True ) - - print("Update service response:", json.dumps(response)) + if os.environ.get('DEBUG_LOGGING', False): + print("[DEBUG] Update service response:", response) else: print("No entity value found in the event") return { 'statusCode': 200, 'body': json.dumps('Handled ECS Task Patching Retirement') + 'restarted_services': affected_entities } except Exception as e: diff --git a/terraform/modules/fargate_graceful_retirement/lambda.tf b/terraform/modules/fargate_graceful_retirement/lambda.tf index beabaee2423..5a5cbba6100 100644 --- a/terraform/modules/fargate_graceful_retirement/lambda.tf +++ b/terraform/modules/fargate_graceful_retirement/lambda.tf 
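Review bot: The return value in the second hunk is now `'body': json.dumps('Handled ECS Task Patching Retirement') 'restarted_services': affected_entities` with no comma after the `json.dumps(...)` call, which is a SyntaxError; the module fails to import, so every invocation of ecs_restart_handler errors out before any service is touched. Adding the comma, `'body': json.dumps('Handled ECS Task Patching Retirement'),`, restores the handler. `affected_entities` is bound outside the hunk, so whether it is always defined on this path cannot be checked here, and `os.environ.get('DEBUG_LOGGING', False)` has the same string-truthiness problem raised on the calculate_wait_time hunks. The enclosing function starts in the first hunk and its `except` clause continues past the end of the second.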
@@ -55,8 +55,13 @@ resource "aws_lambda_function" "ecs_restart_handler" { handler = "lambda_function.lambda_handler" role = aws_iam_role.lambda_execution_role.arn - filename = data.archive_file.lambda_function_ecs_restart_payload.output_path + environment { + variables = { + DEBUG_LOGGING = var.debug_logging + } + } + filename = data.archive_file.lambda_function_ecs_restart_payload.output_path source_code_hash = data.archive_file.lambda_function_ecs_restart_payload.output_base64sha256 } @@ -75,6 +80,12 @@ resource "aws_lambda_function" "calculate_wait_time" { handler = "lambda_function.lambda_handler" role = aws_iam_role.lambda_execution_role.arn + environment { + variables = { + DEBUG_LOGGING = var.debug_logging + } + } + filename = data.archive_file.lambda_function_calculate_wait_time_payload.output_path source_code_hash = data.archive_file.lambda_function_calculate_wait_time_payload.output_base64sha256 } diff --git a/terraform/modules/fargate_graceful_retirement/variables.tf b/terraform/modules/fargate_graceful_retirement/variables.tf index bfefdfc331c..1bbf4a77df0 100644 --- a/terraform/modules/fargate_graceful_retirement/variables.tf +++ b/terraform/modules/fargate_graceful_retirement/variables.tf @@ -12,3 +12,9 @@ variable "restart_day_of_the_week" { error_message = "The restart_day_of_the_week must be one of MONDAY, TUESDAY, WEDNESDAY, THURSDAY, FRIDAY, SATURDAY, or SUNDAY" } } + +variable "debug_logging" { + description = "Enable debug logging" + type = bool + default = false +} From a3baae540a356464016aa27445341cf56428202b Mon Sep 17 00:00:00 2001 From: George Taylor Date: Thu, 17 Oct 2024 00:57:08 +0100 Subject: [PATCH 51/83] docs --- .../fargate_graceful_retirement/README.md | 87 +++++++++++++++++++ .../fargate_graceful_retirement/variables.tf | 5 +- 2 files changed, 90 insertions(+), 2 deletions(-) create mode 100644 terraform/modules/fargate_graceful_retirement/README.md 
diff --git a/terraform/modules/fargate_graceful_retirement/README.md b/terraform/modules/fargate_graceful_retirement/README.md new file mode 100644 index 00000000000..2db1e7e6226 --- /dev/null +++ b/terraform/modules/fargate_graceful_retirement/README.md 
@@ -0,0 +1,87 @@ +# Fargate Patching/Retirement graceful replacement module + +## Description + +This module allows users to automate the graceful replacement of Fargate tasks in an ECS cluster when AWS +sends a health event for AWS_ECS_TASK_PATCHING_RETIREMENT. + +Usually these come in the form of an email notification from AWS and the result is that tasks are +terminated and replaced with new tasks approximately 7 days after receiving the notification. + +The issue with this is that the tasks are terminated without any warning and even though it respects the service +minimum and maximum, it can cause issues with the service if the tasks are not replaced gracefully. + +This module automates the restart process at a time of your choosing, allowing you schedule the restarts outside of +business hours. + +It creates an eventbridge rule with triggers a step function state machine when the event is received. +The state machine calls a lambda which calulates next occurance of the restart time +and then uses the wait state to wait until that time before calling another lambda to perform the AWS +reccomended steps to gracefully replace the tasks. + +This is functionally equivalent to the manual steps outlined in the AWS documentation here: +https://docs.aws.amazon.com/AmazonECS/latest/developerguide/prepare-task-retirement.html#prepare-task-retirement-change-time + +## Usage + +```hcl +module "fargate_graceful_retirement" { + source = "../../../../modules/fargate_graceful_retirement" + restart_time = "02:00" # Time in 24 hour format eg 2AM + restart_day_of_the_week = "THURSDAY" # Day of the week to restart the tasks +} +``` + + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | ~> 1.5 | +| [aws](#requirement\_aws) | ~> 5.0 | + +## Providers + +| Name | Version | +|------|---------| +| [archive](#provider\_archive) | n/a | +| [aws](#provider\_aws) | ~> 5.0 | + +## Modules + +No modules. 
+ +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_event_rule.ecs_restart_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_event_target.step_function_target](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_target) | resource | +| [aws_iam_policy.lambda_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_role.lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.step_function_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role_policy.step_function_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource | +| [aws_iam_role_policy_attachment.lambda_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource | +| [aws_lambda_function.calculate_wait_time](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.ecs_restart_handler](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_permission.allow_eventbridge](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource | +| [aws_sfn_state_machine.ecs_restart_state_machine](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sfn_state_machine) | resource | +| [archive_file.lambda_function_calculate_wait_time_payload](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | +| 
[archive_file.lambda_function_ecs_restart_payload](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_policy_document.lambda_ecs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [debug\_logging](#input\_debug\_logging) | Enable debug logging | `bool` | `false` | no | +| [restart\_day\_of\_the\_week](#input\_restart\_day\_of\_the\_week) | The day of the week to restart the ECS task | `string` | `"WEDNESDAY"` | no | +| [restart\_time](#input\_restart\_time) | The time at which to restart the ECS task | `string` | `"22:00"` | no | + +## Outputs + +No outputs. + diff --git a/terraform/modules/fargate_graceful_retirement/variables.tf b/terraform/modules/fargate_graceful_retirement/variables.tf index 1bbf4a77df0..e3a3c3e9c68 100644 --- a/terraform/modules/fargate_graceful_retirement/variables.tf +++ b/terraform/modules/fargate_graceful_retirement/variables.tf @@ -1,10 +1,11 @@ variable "restart_time" { - description = "The time to wait until invoking the Lambda function (in RFC3339 format, e.g., 2023-11-13T14:30:00Z)" + description = "The time at which to restart the ECS task" type = string + default = "22:00" } variable "restart_day_of_the_week" { - description = "The day of the week to restart the ECS task (e.g., MONDAY)" + description = "The day of the week to restart the ECS task" type = string default = "WEDNESDAY" validation { From df705b066ec92b3201e903b012e513a8ddfd7534 Mon Sep 17 00:00:00 2001 
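Review bot: `restart_time` now has a default but, unlike `restart_day_of_the_week` directly below it, no `validation` block, and its only consumer is `datetime.datetime.strptime(restart_time_str, '%H:%M')` in the calculate_wait_time lambda, so a value like `"2200"` or `"22:00:00"` passes `terraform plan` and only fails inside a running state machine execution. A validation with `condition = can(regex("^([01][0-9]|2[0-3]):[0-5][0-9]$", var.restart_time))` and a matching error_message would catch it at plan time. The new description also drops the format hint; since the lambda appends `'Z'` to the result, `"The time (HH:MM, UTC) at which to restart the ECS task"` tells callers both the shape and the timezone.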
From: George Taylor Date: Thu, 17 Oct 2024 01:05:01 +0100 Subject: [PATCH 52/83] move to account level and just dev for now --- .../environments/delius-core/fargate_graceful_retirement.tf | 6 ++++++ .../delius_environment/fargate_graceful_retirement.tf | 6 ------ 2 files changed, 6 insertions(+), 6 deletions(-) create mode 100644 terraform/environments/delius-core/fargate_graceful_retirement.tf delete mode 100644 terraform/environments/delius-core/modules/delius_environment/fargate_graceful_retirement.tf diff --git a/terraform/environments/delius-core/fargate_graceful_retirement.tf b/terraform/environments/delius-core/fargate_graceful_retirement.tf new file mode 100644 index 00000000000..a0054d7d2ce --- /dev/null +++ b/terraform/environments/delius-core/fargate_graceful_retirement.tf @@ -0,0 +1,6 @@ +module "fargate_graceful_retirement" { + count = local.environment == "development" ? 1 : 0 + source = "../../modules/fargate_graceful_retirement" + restart_time = "22:00" + restart_day_of_the_week = "WEDNESDAY" +} diff --git a/terraform/environments/delius-core/modules/delius_environment/fargate_graceful_retirement.tf b/terraform/environments/delius-core/modules/delius_environment/fargate_graceful_retirement.tf deleted file mode 100644 index ff442389ee8..00000000000 --- a/terraform/environments/delius-core/modules/delius_environment/fargate_graceful_retirement.tf +++ /dev/null @@ -1,6 +0,0 @@ -module "fargate_graceful_retirement" { - count = var.environment_config.fargate_graceful_retirement.enabled ? 1 : 0 - source = "../../../../modules/fargate_graceful_retirement" - restart_time = var.environment_config.fargate_graceful_retirement.restart_time -} - From 5890dc72bf7316bab479b09ce0f9d4d335ca9a56 Mon Sep 17 00:00:00 2001 
From: George Taylor Date: Sun, 20 Oct 2024 23:15:44 +0100 Subject: [PATCH 53/83] enable logging --- .../delius-core/fargate_graceful_retirement.tf | 1 + .../environments/delius-core/locals_development.tf | 4 ---- .../fargate_graceful_retirement/eventbridge.tf | 1 - .../fargate_graceful_retirement/step_functions.tf | 11 +++++++++++ 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/terraform/environments/delius-core/fargate_graceful_retirement.tf b/terraform/environments/delius-core/fargate_graceful_retirement.tf index a0054d7d2ce..41ab31c395f 100644 --- a/terraform/environments/delius-core/fargate_graceful_retirement.tf +++ b/terraform/environments/delius-core/fargate_graceful_retirement.tf @@ -3,4 +3,5 @@ module "fargate_graceful_retirement" { source = "../../modules/fargate_graceful_retirement" restart_time = "22:00" restart_day_of_the_week = "WEDNESDAY" + debug_logging = true } diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 51f9cff084c..10a8153751f 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf @@ -15,10 +15,6 @@ locals { ec2_user_ssh_key = file("${path.module}/files/.ssh/dev/ec2-user.pub") homepage_path = "/" has_mis_environment = true - fargate_graceful_retirement = { - enabled = true - restart_time = "04:00" - } } ldap_config_dev = { diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index a5a61eb9d25..2082bfc8f26 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf 
@@ -3,7 +3,6 @@ resource "aws_cloudwatch_event_rule" "ecs_restart_rule" { description = "Rule to catch AWS ECS Task Patching Retirement events" event_pattern = jsonencode({ "source" : ["aws.health"], - "detail-type" : ["AWS Health Event"], "detail" : { "eventTypeCode" : ["AWS_ECS_TASK_PATCHING_RETIREMENT"] } diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index 445c9da7380..cd86dd74298 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -29,10 +29,21 @@ resource "aws_iam_role_policy" "step_function_policy" { ] }) } + +resource "aws_cloudwatch_log_group" "log_group_for_sfn" { + name = "/aws/states/ecs_restart_state_machine" +} + resource "aws_sfn_state_machine" "ecs_restart_state_machine" { name = "ecs_restart_state_machine" role_arn = aws_iam_role.step_function_role.arn + logging_configuration { + log_destination = "${aws_cloudwatch_log_group.log_group_for_sfn.arn}:*" + include_execution_data = var.debug_logging ? true : false + level = var.debug_logging ? "ALL" : "ERROR" + } + definition = jsonencode({ Comment : "State Machine to handle ECS Task Patching Retirement", StartAt : "CalculateWaitTimestamp", From a8d3b3e8200b31aa91e048c6d324066f1b8798a6 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Mon, 21 Oct 2024 17:32:39 +0100 Subject: [PATCH 54/83] Update step_functions.tf --- .../fargate_graceful_retirement/eventbridge.tf | 17 ++++++++++------- .../step_functions.tf | 10 ++++++++++ 2 files changed, 20 insertions(+), 7 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index 2082bfc8f26..52bbb4bb80c 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf 
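Review bot: The new `aws_cloudwatch_log_group.log_group_for_sfn` has no `retention_in_days`, and with `level = "ALL"` plus `include_execution_data = true` whenever `debug_logging` is set, every execution's input (the full AWS Health event) and the lambda responses are kept in it indefinitely; a bounded retention such as `retention_in_days = 30` (constructed example) keeps debug output from becoming a permanent record. `var.debug_logging ? true : false` is just `var.debug_logging`. Step Functions can only deliver to the group if `step_function_role` holds the CloudWatch Logs delivery permissions (`logs:CreateLogDelivery`, `logs:PutResourcePolicy` and related); the `step_function_policy` statement list is outside this hunk, so that cannot be confirmed here.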
@@ -1,12 +1,15 @@ resource "aws_cloudwatch_event_rule" "ecs_restart_rule" { - name = "ecs_task_retirement_rule" + name = "ecs_task_retirement_rul" description = "Rule to catch AWS ECS Task Patching Retirement events" - event_pattern = jsonencode({ - "source" : ["aws.health"], - "detail" : { - "eventTypeCode" : ["AWS_ECS_TASK_PATCHING_RETIREMENT"] - } - }) + + event_pattern = < Date: Mon, 21 Oct 2024 17:49:32 +0100 Subject: [PATCH 55/83] Update eventbridge.tf --- .../fargate_graceful_retirement/eventbridge.tf | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index 52bbb4bb80c..aea48ad73f7 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf @@ -2,14 +2,12 @@ resource "aws_cloudwatch_event_rule" "ecs_restart_rule" { name = "ecs_task_retirement_rul" description = "Rule to catch AWS ECS Task Patching Retirement events" - event_pattern = < Date: Mon, 21 Oct 2024 17:56:20 +0100 Subject: [PATCH 56/83] Update eventbridge.tf --- .../eventbridge.tf | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index aea48ad73f7..5d083053eda 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf 
@@ -15,3 +15,62 @@ resource "aws_cloudwatch_event_target" "step_function_target" { arn = aws_sfn_state_machine.ecs_restart_state_machine.arn role_arn = aws_iam_role.step_function_role.arn } + + +# test rule for all aws health events +resource "aws_cloudwatch_event_rule" "all_health_events" { + name = "all_health_events" + description = "Rule to catch all AWS Health events" + + event_pattern = jsonencode({ + "source" : ["aws.health"] + }) +} + +resource "aws_cloudwatch_log_group" "all_health_events" { + name = "/aws/health/all_health_events" +} + +# create IAM role for CloudWatch Logs +resource "aws_iam_role" "cloudwatch_logs_role" { + name = "cloudwatch_logs_role" + + assume_role_policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Principal = { + Service = "events.amazonaws.com" + }, + Action = "sts:AssumeRole" + } + ] + }) +} + +resource "aws_iam_role_policy" "cloudwatch_logs_policy" { + name = "cloudwatch_logs_policy" + role = aws_iam_role.cloudwatch_logs_role.id + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ + { + Effect = "Allow", + Action = [ + "logs:CreateLogStream", + "logs:PutLogEvents" + ], + Resource = "*" + } + ] + }) +} + +# log all health events to cloudwatch logs +resource "aws_cloudwatch_event_target" "log_all_health_events" { + rule = aws_cloudwatch_event_rule.all_health_events.name + arn = aws_cloudwatch_log_group.all_health_events.arn + role_arn = aws_iam_role.cloudwatch_logs_role.arn +} From a3858a62e7ec4843cea051460996c8a93a82fcf9 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Mon, 21 Oct 2024 18:01:08 +0100 Subject: [PATCH 57/83] Update step_functions.tf --- .../modules/fargate_graceful_retirement/step_functions.tf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index de12dd24b70..f5bfe2663cd 100644 
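Review bot: The "test rule" `all_health_events` catches every `aws.health` event and writes it to a log group with no `retention_in_days`, and nothing gates it off in non-debug environments; at minimum add `count = var.debug_logging ? 1 : 0` to the rule, log group and target, or remove it before merge. The role policy grants `logs:CreateLogStream`/`logs:PutLogEvents` on `Resource = "*"` although only `"${aws_cloudwatch_log_group.all_health_events.arn}:*"` is needed. It also appears that delivery from EventBridge to CloudWatch Logs is authorised by a resource policy on the log group rather than by the target's `role_arn`, so `cloudwatch_logs_role` may grant nothing useful here; worth confirming against the provider docs before relying on it.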
--- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -40,6 +40,11 @@ resource "aws_iam_role_policy" "step_function_policy" { }) } +resource "aws_iam_role_policy_attachment" "step_function_policy_attachment" { + policy_arn = aws_iam_role_policy.step_function_policy.arn + role = aws_iam_role.step_function_role.name +} + resource "aws_cloudwatch_log_group" "log_group_for_sfn" { name = "/aws/states/ecs_restart_state_machine" } From 527f49378cd33d65815932021132863c624e8de1 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Mon, 21 Oct 2024 18:04:28 +0100 Subject: [PATCH 58/83] Update step_functions.tf --- .../modules/fargate_graceful_retirement/step_functions.tf | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index f5bfe2663cd..3e533b5e88e 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -15,9 +15,8 @@ resource "aws_iam_role" "step_function_role" { }) } -resource "aws_iam_role_policy" "step_function_policy" { +resource "aws_iam_policy" "step_function_policy" { name = "step_function_policy" - role = aws_iam_role.step_function_role.id policy = jsonencode({ Version = "2012-10-17" Statement = [ @@ -41,7 +40,7 @@ resource "aws_iam_role_policy" "step_function_policy" { } resource "aws_iam_role_policy_attachment" "step_function_policy_attachment" { - policy_arn = aws_iam_role_policy.step_function_policy.arn + policy_arn = aws_iam_policy.step_function_policy.arn role = aws_iam_role.step_function_role.name } From 89f94947fa15d89fe4c65a5d8811e9e6c8872c64 Mon Sep 17 00:00:00 2001 
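Review bot: `aws_iam_role_policy` is an inline policy and exports no `arn` attribute, so `policy_arn = aws_iam_role_policy.step_function_policy.arn` will fail at plan time. An inline policy is already bound to the role through its `role` argument; a `aws_iam_role_policy_attachment` only makes sense with a managed `aws_iam_policy`, which the next patch in the series switches to.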
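Review bot: Converting to a managed `aws_iam_policy` with the fixed `name = "step_function_policy"` puts the name in the account-wide IAM namespace; because this lives in the `fargate_graceful_retirement` module, a second instantiation in the same account will collide on create. Use `name_prefix = "step_function_policy-"` or derive the name from the state machine name, and do the same check for `aws_iam_role.step_function_role` if its name is fixed too. The policy body continues outside the hunk.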
From: George Taylor Date: Mon, 21 Oct 2024 18:13:54 +0100 Subject: [PATCH 59/83] Update step_functions.tf --- .../modules/fargate_graceful_retirement/step_functions.tf | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/step_functions.tf b/terraform/modules/fargate_graceful_retirement/step_functions.tf index 3e533b5e88e..704751375b6 100644 --- a/terraform/modules/fargate_graceful_retirement/step_functions.tf +++ b/terraform/modules/fargate_graceful_retirement/step_functions.tf @@ -28,12 +28,7 @@ resource "aws_iam_policy" "step_function_policy" { { Effect = "Allow" Action = "logs:*", - Resource = aws_cloudwatch_log_group.log_group_for_sfn.arn - }, - { - Effect = "Allow" - Action = "logs:*", - Resource = "${aws_cloudwatch_log_group.log_group_for_sfn.arn}:*" + Resource = "*" } ] }) From 660fa55c747179fa097b5caada7384872b02c274 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Mon, 21 Oct 2024 18:27:35 +0100 Subject: [PATCH 60/83] Update eventbridge.tf --- .../eventbridge.tf | 81 +++++++++++-------- 1 file changed, 46 insertions(+), 35 deletions(-) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index 5d083053eda..df087bdcc66 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf 
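Review bot: Replacing the two log-group-scoped statements with `Action = "logs:*"` on `Resource = "*"` gives the state machine role full CloudWatch Logs administration over the whole account, far more than log delivery needs. Step Functions logging requires a specific set of log-delivery actions that do not support resource-level scoping, which is presumably why the ARN-scoped statements did not work; list those actions explicitly and keep `Resource = "*"` only for them, as below. The enclosing `aws_iam_policy.step_function_policy` starts and ends outside the hunk.
```terraform
      {
        Effect = "Allow"
        Action = [
          "logs:CreateLogDelivery",
          "logs:GetLogDelivery",
          "logs:UpdateLogDelivery",
          "logs:DeleteLogDelivery",
          "logs:ListLogDeliveries",
          "logs:PutLogEvents",
          "logs:PutResourcePolicy",
          "logs:DescribeResourcePolicies",
          "logs:DescribeLogGroups"
        ],
        # log-delivery actions do not support resource-level scoping
        Resource = "*"
      }
```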
@@ -31,46 +31,57 @@ resource "aws_cloudwatch_log_group" "all_health_events" { name = "/aws/health/all_health_events" } -# create IAM role for CloudWatch Logs -resource "aws_iam_role" "cloudwatch_logs_role" { - name = "cloudwatch_logs_role" +data "aws_iam_policy_document" "all_health_events" { + statement { + effect = "Allow" + actions = [ + "logs:CreateLogStream" + ] - assume_role_policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Principal = { - Service = "events.amazonaws.com" - }, - Action = "sts:AssumeRole" - } + resources = [ + "${aws_cloudwatch_log_group.all_health_events.arn}:*" ] - }) -} -resource "aws_iam_role_policy" "cloudwatch_logs_policy" { - name = "cloudwatch_logs_policy" - role = aws_iam_role.cloudwatch_logs_role.id + principals { + type = "Service" + identifiers = [ + "events.amazonaws.com", + "delivery.logs.amazonaws.com" + ] + } + } + statement { + effect = "Allow" + actions = [ + "logs:PutLogEvents" + ] - policy = jsonencode({ - Version = "2012-10-17", - Statement = [ - { - Effect = "Allow", - Action = [ - "logs:CreateLogStream", - "logs:PutLogEvents" - ], - Resource = "*" - } + resources = [ + "${aws_cloudwatch_log_group.all_health_events.arn}:*:*" ] - }) + + principals { + type = "Service" + identifiers = [ + "events.amazonaws.com", + "delivery.logs.amazonaws.com" + ] + } + + condition { + test = "ArnEquals" + values = [aws_cloudwatch_event_rule.all_health_events.arn] + variable = "aws:SourceArn" + } + } +} + +resource "aws_cloudwatch_log_resource_policy" "all_health_events" { + policy_document = data.aws_iam_policy_document.example_log_policy.json + policy_name = "all-health-events-log-publishing-policy" } -# log all health events to cloudwatch logs -resource "aws_cloudwatch_event_target" "log_all_health_events" { - rule = aws_cloudwatch_event_rule.all_health_events.name - arn = aws_cloudwatch_log_group.all_health_events.arn - role_arn = aws_iam_role.cloudwatch_logs_role.arn +resource 
"aws_cloudwatch_event_target" "all_health_events" { + rule = aws_cloudwatch_event_rule.all_health_events.name + arn = aws_cloudwatch_log_group.all_health_events.arn } From cf62de89f5103a18d8ffe4294a63c055cd1dccdd Mon Sep 17 00:00:00 2001 From: George Taylor Date: Mon, 21 Oct 2024 18:29:29 +0100 Subject: [PATCH 61/83] Update eventbridge.tf --- terraform/modules/fargate_graceful_retirement/eventbridge.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/modules/fargate_graceful_retirement/eventbridge.tf b/terraform/modules/fargate_graceful_retirement/eventbridge.tf index df087bdcc66..a8f7d3acd6a 100644 --- a/terraform/modules/fargate_graceful_retirement/eventbridge.tf +++ b/terraform/modules/fargate_graceful_retirement/eventbridge.tf @@ -77,7 +77,7 @@ data "aws_iam_policy_document" "all_health_events" { } resource "aws_cloudwatch_log_resource_policy" "all_health_events" { - policy_document = data.aws_iam_policy_document.example_log_policy.json + policy_document = data.aws_iam_policy_document.all_health_events.json policy_name = "all-health-events-log-publishing-policy" } From 136f916052556780dcafd9f5f111ec35d847d14d Mon Sep 17 00:00:00 2001 From: Buckingham Date: Wed, 23 Oct 2024 07:46:18 +0100 Subject: [PATCH 62/83] Update_231024_1 --- terraform/environments/ppud/s3.tf | 4 ---- terraform/environments/ppud/sns.tf | 4 ++-- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/terraform/environments/ppud/s3.tf b/terraform/environments/ppud/s3.tf index 12aa86f0513..2e354939b83 100644 --- a/terraform/environments/ppud/s3.tf +++ b/terraform/environments/ppud/s3.tf @@ -564,9 +564,6 @@ resource "aws_s3_bucket_public_access_block" "moj-log-files-uat" { restrict_public_buckets = true } -# Removed S3 bucket notification pending AWS ticket resolution - -/* resource "aws_s3_bucket_notification" "moj-log-files-uat" { count = local.is-preproduction == true ? 1 : 0 bucket = aws_s3_bucket.moj-log-files-uat[0].id 
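Review bot: The first statement of `data.aws_iam_policy_document.all_health_events` (`logs:CreateLogStream`) has no `condition` block, while the second statement correctly restricts `logs:PutLogEvents` with `aws:SourceArn` to `aws_cloudwatch_event_rule.all_health_events.arn`; without the same condition any EventBridge or log-delivery principal can create streams in this group, which is the confused-deputy case the condition exists to close. Copy the `condition { test = "ArnEquals" variable = "aws:SourceArn" values = [...] }` block into the first statement as well. Separately, `policy_document = data.aws_iam_policy_document.example_log_policy.json` references a data source that does not exist in this module (corrected in the following patch), so this commit does not plan on its own.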
@@ -577,7 +574,6 @@ resource "aws_s3_bucket_notification" "moj-log-files-uat" { filter_prefix = "alb-logs/" } } -*/ resource "aws_s3_bucket_lifecycle_configuration" "moj-log-files-uat" { count = local.is-preproduction == true ? 1 : 0 diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index b20363fd3e4..f5d69cafd7f 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf @@ -84,13 +84,13 @@ resource "aws_sns_topic_policy" "sns_uat_policy" { "Service" : "s3.amazonaws.com" }, "Action" : "SNS:Publish", - "Resource" : "aws_sns_topic.cw_uat_alerts[0].arn" + "Resource" : "aws_sns_topic.cw_uat_alerts[0].arn", "Condition" : { "ArnLike" : { "aws:SourceArn" : "arn:aws:s3:::moj-log-files-uat" }, "StringEquals" : { - "AWS:SourceAccount" : "172753231260" + "AWS:SourceOwner" : "data.aws_caller_identity.current.account_id" } } } From b42386d51205a6d849a9247c143ee2b7f34645f6 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Wed, 23 Oct 2024 08:41:44 +0100 Subject: [PATCH 63/83] Update_231024_2 --- .../environments/ppud/certificate_mgmt.tf | 6 +++--- terraform/environments/ppud/lambda.tf | 20 +++++++++---------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/terraform/environments/ppud/certificate_mgmt.tf b/terraform/environments/ppud/certificate_mgmt.tf index 31b5f1e355b..d7a3fae1819 100644 --- a/terraform/environments/ppud/certificate_mgmt.tf +++ b/terraform/environments/ppud/certificate_mgmt.tf 
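Review bot: In `aws_sns_topic_policy.sns_uat_policy` the new line `"AWS:SourceOwner" : "data.aws_caller_identity.current.account_id"` is a quoted string, so the condition compares against the literal text `data.aws_caller_identity.current.account_id` rather than the account id and will never match; the same applies to the touched line `"Resource" : "aws_sns_topic.cw_uat_alerts[0].arn"`, which is a literal rather than the topic ARN. If this is a `jsonencode` block the values must be unquoted expressions (`"Resource" : aws_sns_topic.cw_uat_alerts[0].arn`, `"AWS:SourceOwner" : data.aws_caller_identity.current.account_id`); if it is a heredoc they need `${...}` interpolation. The `aws_sns_topic_policy` block starts and ends outside the hunk, so which form applies cannot be confirmed from here.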
@@ -24,7 +24,7 @@ resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_dev" { runtime = "python3.8" timeout = 30 reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_dev] environment { variables = { @@ -102,7 +102,7 @@ resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_uat" { runtime = "python3.8" timeout = 30 reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_uat] environment { variables = { @@ -180,7 +180,7 @@ resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_prod" { runtime = "python3.8" timeout = 30 reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_prod] environment { variables = { diff --git a/terraform/environments/ppud/lambda.tf b/terraform/environments/ppud/lambda.tf index 7bf61bde89c..a4ef6d33804 100644 --- a/terraform/environments/ppud/lambda.tf +++ b/terraform/environments/ppud/lambda.tf 
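Review bot: Commenting out `code_signing_config_arn` on `terraform_lambda_func_certificate_expiry_dev`, `_uat` and `_prod` removes the control that only signed deployment packages can be published to these functions, and the commit message ("Update_231024_2") does not record why; the identical change is repeated for every function in `lambda.tf` in the same commit (`terraform_lambda_func_stop` through `terraform_lambda_func_send_cpu_notification_prod`). If this is a temporary workaround, keep the attribute and fix the signing profile instead, or at least annotate each site with the reason and a tracking reference, e.g. `# code signing disabled pending <TICKET-ID>: <reason>` (placeholders). The `#` is also at column 0 inside the resource body, which `terraform fmt` will not preserve and which reads as a stray line rather than a deliberate disable.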
@@ -30,7 +30,7 @@ resource "aws_lambda_function" "terraform_lambda_func_stop" { runtime = "python3.9" depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_prod[0].arn } @@ -49,7 +49,7 @@ resource "aws_lambda_function" "terraform_lambda_func_start" { runtime = "python3.9" depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_prod[0].arn } @@ -200,7 +200,7 @@ resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" { runtime = "python3.12" depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_prod[0].arn } 
@@ -221,7 +221,7 @@ resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" { runtime = "python3.12" depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_prod[0].arn } @@ -254,7 +254,7 @@ resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" timeout = 300 depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_dev[0].arn } @@ -296,7 +296,7 @@ resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" timeout = 300 depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_uat[0].arn } 
@@ -338,7 +338,7 @@ resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod timeout = 300 depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_prod[0].arn } @@ -380,7 +380,7 @@ resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" timeout = 300 depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_dev[0].arn } @@ -422,7 +422,7 @@ resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" timeout = 300 depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_uat[0].arn } 
@@ -464,7 +464,7 @@ resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod timeout = 300 depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod] reserved_concurrent_executions = 5 - code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" +# code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" dead_letter_config { target_arn = aws_sqs_queue.lambda_queue_prod[0].arn } From e8542191714ac4ed58f77e1a9ac8b94b2f55ec79 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Wed, 23 Oct 2024 09:07:06 +0100 Subject: [PATCH 64/83] Update_231024_3 --- terraform/environments/ppud/iam.tf | 11 +---------- terraform/environments/ppud/s3.tf | 5 ++++- 2 files changed, 5 insertions(+), 11 deletions(-) diff --git a/terraform/environments/ppud/iam.tf b/terraform/environments/ppud/iam.tf index 5143325d6b9..c3b3fda31d2 100644 --- a/terraform/environments/ppud/iam.tf +++ b/terraform/environments/ppud/iam.tf 
@@ -251,16 +251,7 @@ resource "aws_iam_policy" "iam_policy_for_lambda_alarm_suppression" { "cloudwatch:EnableAlarmActions" ], "Resource": [ - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-i-014bce95a85aaeede", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-i-00cbccc46d25e77c6", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-i-0dba6054c0f5f7a11", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-i-0b5ef7cb90938fb82", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-i-04bbb6312b86648be", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-i-00413756d2dfcf6d2", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-i-080498c4c9d25e6bd", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-i-029d2b17679dab982", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-70%-i-029d2b17679dab982", - "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-90%-i-029d2b17679dab982" + "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:*" ] }, { diff --git a/terraform/environments/ppud/s3.tf b/terraform/environments/ppud/s3.tf index 2e354939b83..586436a911f 100644 --- a/terraform/environments/ppud/s3.tf +++ b/terraform/environments/ppud/s3.tf @@ -564,16 +564,19 @@ resource "aws_s3_bucket_public_access_block" "moj-log-files-uat" { restrict_public_buckets = true } +# Disabled S3 bucket notification pending further testing. + +/* resource "aws_s3_bucket_notification" "moj-log-files-uat" { count = local.is-preproduction == true ? 1 : 0 bucket = aws_s3_bucket.moj-log-files-uat[0].id - topic { topic_arn = aws_sns_topic.cw_uat_alerts[0].arn events = ["s3:ObjectCreated:*"] filter_prefix = "alb-logs/" } } +*/ resource "aws_s3_bucket_lifecycle_configuration" "moj-log-files-uat" { count = local.is-preproduction == true ? 1 : 0 From 90bf6889fb51b513c7feba55cae7ab329984e79a Mon Sep 17 00:00:00 2001 
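Review bot: Widening the `cloudwatch:EnableAlarmActions`/`DisableAlarmActions` statement in `iam_policy_for_lambda_alarm_suppression` from ten named alarms to `arn:aws:cloudwatch:eu-west-2:817985104434:alarm:*` lets the suppression Lambda silence every alarm in the account, not just the CPU alarms it manages. All of the removed ARNs share the `CPU-High-` prefix, so `"arn:aws:cloudwatch:eu-west-2:817985104434:alarm:CPU-High-*"` keeps the intent of avoiding per-instance ARNs while still bounding the blast radius. The enclosing `aws_iam_policy` resource starts and ends outside the hunk.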
From: Anthony Fitzroy Date: Wed, 23 Oct 2024 09:15:36 +0100 Subject: [PATCH 65/83] renaming and refactoring --- .../analytical-platform-compute/iam-policies.tf | 16 ++++------------ .../analytical-platform-compute/kms-keys.tf | 6 +++--- .../analytical-platform-compute/s3-buckets.tf | 6 +++--- 3 files changed, 10 insertions(+), 18 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 9b2c0b5d94d..f123f30634e 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -284,22 +284,14 @@ module "analytical_platform_lake_formation_share_policy" { data "aws_iam_policy_document" "s3_server_access_logs_policy" { #checkov:skip=CKV_AWS_356:resource "*" limited by condition statement { - sid = "S3ServerAccessLogsPolicy" - effect = "Allow" - + sid = "S3ServerAccessLogsPolicy" + effect = "Allow" + actions = ["s3:PutObject"] + resources = ["*"] principals { type = "Service" identifiers = ["logging.s3.amazonaws.com"] } - - actions = [ - "s3:PutObject" - ] - - resources = [ - "*" - ] - condition { test = "StringEquals" variable = "aws:SourceAccount" diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index c16f8cd086e..71efe01d71a 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -282,7 +282,7 @@ module "mojap_derived_tables_replication_s3_kms" { source = "terraform-aws-modules/kms/aws" version = "3.1.1" - aliases = ["s3/mojap_derived_tables_replication"] + aliases = ["s3/mojap-derived-tables-replication"] description = "mojap_derived_tables_replication S3 KMS key" enable_default_policy = true 
@@ -298,8 +298,8 @@ module "apc_bucket_logs_s3_kms" { source = "terraform-aws-modules/kms/aws" version = "3.1.1" - aliases = ["s3/apc_bucket_logs"] - description = "apc_bucket_logs S3 KMS key" + aliases = ["s3/mojap-compute-logs"] + description = "mojap-compute-logs S3 KMS key" enable_default_policy = true deletion_window_in_days = 7 diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 24320e755bc..77c90518863 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -29,7 +29,7 @@ module "mojap_derived_tables_replication_bucket" { source = "terraform-aws-modules/s3-bucket/aws" version = "4.2.1" - bucket = "mojap-derived-tables-replication-${local.environment}" + bucket = "mojap-compute-${local.environment}-derived-tables-replication" force_destroy = true @@ -57,14 +57,14 @@ module "mojap_derived_tables_replication_bucket" { tags = local.tags } -module "apc_bucket_logs" { +module "mojap_compute_logs_bucket" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/s3-bucket/aws" version = "4.2.1" - bucket = "apc-bucket-logs-${local.environment}" + bucket = "mojap-compute-${local.environment}-logs" force_destroy = false From 117ad0b01fd80a5e2cc853646982297591922fbd Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Wed, 23 Oct 2024 09:23:06 +0100 Subject: [PATCH 66/83] renaming module --- terraform/environments/analytical-platform-compute/kms-keys.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index 71efe01d71a..72e6cd4879b 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf 
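Review bot: Changing the `bucket` argument of `mojap_derived_tables_replication_bucket` to `mojap-compute-${local.environment}-derived-tables-replication` forces the S3 bucket to be destroyed and recreated, and the context line `force_destroy = true` means any objects already replicated into it are deleted with it; if this has been applied anywhere, confirm the bucket is empty or plan the rename as a new bucket plus migration. The same applies to `mojap_compute_logs_bucket`, where `force_destroy = false` will instead make the apply fail if the old `apc-bucket-logs-*` bucket already holds logs. Both module blocks continue outside their hunks.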
+++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -291,7 +291,7 @@ module "mojap_derived_tables_replication_s3_kms" { tags = local.tags } -module "apc_bucket_logs_s3_kms" { +module "mojap_compute_logs_s3_kms" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions #checkov:skip=CKV_TF_2:Module registry does not support tags for versions From 2cfd73b1dfdf6c20b2bcbb9ec8b7f90dbf8bb1ca Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Wed, 23 Oct 2024 09:46:14 +0100 Subject: [PATCH 67/83] correct module references --- .../environments/analytical-platform-compute/s3-buckets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index 77c90518863..bba6b51bb7a 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -50,7 +50,7 @@ module "mojap_derived_tables_replication_bucket" { } logging = { - target_bucket = module.apc_bucket_logs.s3_bucket_id + target_bucket = module.mojap_compute_logs_bucket.s3_bucket_id target_prefix = "mojap-derived-tables-replication/" } @@ -78,7 +78,7 @@ module "mojap_compute_logs_bucket" { rule = { bucket_key_enabled = true apply_server_side_encryption_by_default = { - kms_master_key_id = module.apc_bucket_logs_s3_kms.key_arn + kms_master_key_id = module.mojap_compute_logs_s3_kms.key_arn sse_algorithm = "aws:kms" } } From 70620c007ba96fdc81d2020cbf229afc54820a13 Mon Sep 17 00:00:00 2001 
From: Mark Roberts Date: Wed, 23 Oct 2024 10:08:50 +0100 Subject: [PATCH 68/83] Example with resources hashed out --- .../environments/example/certificates.tf | 50 +- terraform/environments/example/clean.sh | 8 +- terraform/environments/example/data.tf | 4 + .../environments/example/ec2_bastion_linux.tf | 61 +- .../environments/example/identity_store.tf | 4 + .../environments/example/loadbalancer.tf | 624 +++++++++--------- .../environments/example/platform_versions.tf | 4 + terraform/environments/example/shield.tf | 63 +- 8 files changed, 425 insertions(+), 393 deletions(-) diff --git a/terraform/environments/example/certificates.tf b/terraform/environments/example/certificates.tf index 31864376d43..b5c33dc9414 100644 --- a/terraform/environments/example/certificates.tf +++ b/terraform/environments/example/certificates.tf 
@@ -60,32 +60,32 @@ # # Build loadbalancer #tfsec:ignore:aws-elb-alb-not-public as the external lb needs to be public. -resource "aws_lb" "certificate_example_lb" { - #checkov:skip=CKV2_AWS_28:Ensure public facing ALB are protected by WAF - name = "certificate-example-loadbalancer" - load_balancer_type = "application" - subnets = data.aws_subnets.shared-public.ids - #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection - enable_deletion_protection = false - # allow 60*4 seconds before 504 gateway timeout for long-running DB operations - idle_timeout = 240 - drop_invalid_header_fields = true +# resource "aws_lb" "certificate_example_lb" { +# #checkov:skip=CKV2_AWS_28:Ensure public facing ALB are protected by WAF +# name = "certificate-example-loadbalancer" +# load_balancer_type = "application" +# subnets = data.aws_subnets.shared-public.ids +# #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection +# enable_deletion_protection = false +# # allow 60*4 seconds before 504 gateway timeout for long-running DB operations +# idle_timeout = 240 +# drop_invalid_header_fields = true - security_groups = [aws_security_group.certificate_example_load_balancer_sg.id] +# security_groups = [aws_security_group.certificate_example_load_balancer_sg.id] - access_logs { - bucket = module.s3-bucket-lb.bucket.id - prefix = "test-lb" - enabled = true - } +# access_logs { +# bucket = module.s3-bucket-lb.bucket.id +# prefix = "test-lb" +# enabled = true +# } - tags = { Name = "${local.application_name}-external-loadbalancer" } - depends_on = [aws_security_group.certificate_example_load_balancer_sg] -} +# tags = { Name = "${local.application_name}-external-loadbalancer" } +# depends_on = [aws_security_group.certificate_example_load_balancer_sg] +# } -resource "aws_security_group" "certificate_example_load_balancer_sg" { - name = "certificate-example-lb-sg" - description = "controls access to load balancer" - 
vpc_id = data.aws_vpc.shared.id - tags = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) } -} \ No newline at end of file +# resource "aws_security_group" "certificate_example_load_balancer_sg" { +# name = "certificate-example-lb-sg" +# description = "controls access to load balancer" +# vpc_id = data.aws_vpc.shared.id +# tags = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) } +# } \ No newline at end of file diff --git a/terraform/environments/example/clean.sh b/terraform/environments/example/clean.sh index d1084783297..111733e8ced 100755 --- a/terraform/environments/example/clean.sh +++ b/terraform/environments/example/clean.sh @@ -1,4 +1,8 @@ rm -Rf .terraform rm .terraform.lock.hcl -terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::946070829339:role/modernisation-account-terraform-state-member-access\"} -terraform workspace select example-development \ No newline at end of file +echo "Account Number: $1" +terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::$1:role/modernisation-account-terraform-state-member-access\"} +terraform workspace list +echo "Please select your workspace:" +read workspace +terraform workspace select "$workspace" diff --git a/terraform/environments/example/data.tf b/terraform/environments/example/data.tf index fb01c43c501..67a57156522 100644 --- a/terraform/environments/example/data.tf +++ b/terraform/environments/example/data.tf @@ -1,3 +1,7 @@ +########################################################################################### +#------------------------Comment out file if not required---------------------------------- +########################################################################################### + #### This file can be used to store data specific to the member account #### #For macie code 
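Review bot: `clean.sh` now interpolates `$1` straight into the backend `role_arn` without checking that an argument was given or that it looks like an account id, so running it with no argument produces `arn:aws:iam:::role/...` and an unhelpful init failure; the script also has no shebang or `set -e`, so `rm .terraform.lock.hcl` failing on a fresh checkout does not stop it, and `read workspace` without `-r` mangles backslashes. A guard at the top, `rm -f` for the lock file and `read -r` fix all of this in a few lines, as below.
```shell
#!/usr/bin/env bash
set -euo pipefail
if [ $# -ne 1 ] || ! [[ "$1" =~ ^[0-9]{12}$ ]]; then
  echo "usage: $0 <12-digit-account-id>" >&2
  exit 1
fi
rm -Rf .terraform
rm -f .terraform.lock.hcl
# … unchanged: echo / terraform init / terraform workspace list / prompt …
read -r workspace
terraform workspace select "$workspace"
```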
diff --git a/terraform/environments/example/ec2_bastion_linux.tf b/terraform/environments/example/ec2_bastion_linux.tf index aca36eb6dc2..f650ad4a7df 100644 --- a/terraform/environments/example/ec2_bastion_linux.tf +++ b/terraform/environments/example/ec2_bastion_linux.tf 
@@ -1,35 +1,38 @@ +########################################################################################### +#------------------------Comment out file if not required---------------------------------- +########################################################################################### # # tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning -module "bastion_linux" { - source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1 +# module "bastion_linux" { +# source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1 - providers = { - aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts - aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant - } - # s3 - used for logs and user ssh public keys - bucket_name = "bastion-example" - # public keys - public_key_data = local.public_key_data.keys[local.environment] - # logs - log_auto_clean = "Enabled" - log_standard_ia_days = 30 # days before moving to IA storage - log_glacier_days = 60 # days before moving to Glacier - log_expiry_days = 180 # days before log expiration - # bastion - allow_ssh_commands = false - app_name = var.networking[0].application - business_unit = local.vpc_name - subnet_set = local.subnet_set - environment = local.environment - region = "eu-west-2" +# providers = { +# aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts +# aws.share-tenant = aws # The default provider (unaliased, `aws`) is the tenant +# } +# # s3 - used for logs and user ssh public keys +# bucket_name = "bastion-example" +# # public keys +# public_key_data = local.public_key_data.keys[local.environment] +# # logs +# log_auto_clean = "Enabled" +# 
log_standard_ia_days = 30 # days before moving to IA storage +# log_glacier_days = 60 # days before moving to Glacier +# log_expiry_days = 180 # days before log expiration +# # bastion +# allow_ssh_commands = false +# app_name = var.networking[0].application +# business_unit = local.vpc_name +# subnet_set = local.subnet_set +# environment = local.environment +# region = "eu-west-2" - # Tags - tags_common = local.tags - tags_prefix = terraform.workspace -} +# # Tags +# tags_common = local.tags +# tags_prefix = terraform.workspace +# } -locals { - public_key_data = jsondecode(file("./bastion_linux.json")) -} +# locals { +# public_key_data = jsondecode(file("./bastion_linux.json")) +# } diff --git a/terraform/environments/example/identity_store.tf b/terraform/environments/example/identity_store.tf index 3d4a2cea32c..41b683f4fb9 100644 --- a/terraform/environments/example/identity_store.tf +++ b/terraform/environments/example/identity_store.tf @@ -1,3 +1,7 @@ +########################################################################################### +#------------------------Comment out file if not required---------------------------------- +########################################################################################### + # data "aws_ssoadmin_instances" "example" { # provider = aws.sso-readonly # } diff --git a/terraform/environments/example/loadbalancer.tf b/terraform/environments/example/loadbalancer.tf index 3450069ae43..82c248b9f26 100644 --- a/terraform/environments/example/loadbalancer.tf +++ b/terraform/environments/example/loadbalancer.tf 
@@ -4,167 +4,167 @@ # Build loadbalancer security group -resource "aws_security_group" "example_load_balancer_sg" { - name = "example-lb-sg" - description = "controls access to load balancer" - vpc_id = data.aws_vpc.shared.id - tags = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) } - - # Set up the ingress and egress parts of the security group -} -resource "aws_security_group_rule" "ingress_traffic_lb" { - for_each = local.application_data.example_ec2_sg_rules - description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) - from_port = each.value.from_port - protocol = each.value.protocol - security_group_id = aws_security_group.example_load_balancer_sg.id - to_port = each.value.to_port - type = "ingress" - cidr_blocks = [data.aws_vpc.shared.cidr_block] -} -resource "aws_security_group_rule" "egress_traffic_lb" { - for_each = local.application_data.example_ec2_sg_rules - description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) - from_port = each.value.from_port - protocol = each.value.protocol - security_group_id = aws_security_group.example_load_balancer_sg.id - to_port = each.value.to_port - type = "egress" - source_security_group_id = aws_security_group.example_load_balancer_sg.id -} - -# # Build loadbalancer -#tfsec:ignore:aws-elb-alb-not-public as the external lb needs to be public. 
-resource "aws_lb" "external" { - name = "${local.application_name}-loadbalancer" - load_balancer_type = "application" - subnets = data.aws_subnets.shared-public.ids - #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection - enable_deletion_protection = false - # allow 60*4 seconds before 504 gateway timeout for long-running DB operations - idle_timeout = 240 - drop_invalid_header_fields = true - - security_groups = [aws_security_group.example_load_balancer_sg.id] - - access_logs { - bucket = module.s3-bucket-lb.bucket.id - prefix = "test-lb" - enabled = true - } - - tags = { Name = "${local.application_name}-external-loadbalancer" } - depends_on = [aws_security_group.example_load_balancer_sg] -} -# Create the target group -resource "aws_lb_target_group" "target_group" { - #checkov:skip=CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol" - name = "${local.application_name}-tg-${local.environment}" - port = local.application_data.accounts[local.environment].server_port - protocol = "HTTP" - vpc_id = data.aws_vpc.shared.id - target_type = "instance" - deregistration_delay = 30 - - stickiness { - type = "lb_cookie" - } - #checkov:skip=CKV_AWS_261: "health_check defined below, but not picked up" - health_check { - healthy_threshold = "5" - interval = "120" - protocol = "HTTP" - unhealthy_threshold = "2" - matcher = "200-499" - timeout = "5" - } - - tags = { Name = "${local.application_name}-tg-${local.environment}" } - lifecycle { - create_before_destroy = true - } -} +# resource "aws_security_group" "example_load_balancer_sg" { +# name = "example-lb-sg" +# description = "controls access to load balancer" +# vpc_id = data.aws_vpc.shared.id +# tags = { Name = lower(format("lb-sg-%s-%s-example", local.application_name, local.environment)) } + +# # Set up the ingress and egress parts of the security group +# } +# resource "aws_security_group_rule" "ingress_traffic_lb" { +# for_each = 
local.application_data.example_ec2_sg_rules +# description = format("Traffic for %s %d", each.value.protocol, each.value.from_port) +# from_port = each.value.from_port +# protocol = each.value.protocol +# security_group_id = aws_security_group.example_load_balancer_sg.id +# to_port = each.value.to_port +# type = "ingress" +# cidr_blocks = [data.aws_vpc.shared.cidr_block] +# } +# resource "aws_security_group_rule" "egress_traffic_lb" { +# for_each = local.application_data.example_ec2_sg_rules +# description = format("Outbound traffic for %s %d", each.value.protocol, each.value.from_port) +# from_port = each.value.from_port +# protocol = each.value.protocol +# security_group_id = aws_security_group.example_load_balancer_sg.id +# to_port = each.value.to_port +# type = "egress" +# source_security_group_id = aws_security_group.example_load_balancer_sg.id +# } + +# # # Build loadbalancer +# #tfsec:ignore:aws-elb-alb-not-public as the external lb needs to be public. +# resource "aws_lb" "external" { +# name = "${local.application_name}-loadbalancer" +# load_balancer_type = "application" +# subnets = data.aws_subnets.shared-public.ids +# #checkov:skip=CKV_AWS_150:Short-lived example environment, hence no need for deletion protection +# enable_deletion_protection = false +# # allow 60*4 seconds before 504 gateway timeout for long-running DB operations +# idle_timeout = 240 +# drop_invalid_header_fields = true + +# security_groups = [aws_security_group.example_load_balancer_sg.id] + +# access_logs { +# bucket = module.s3-bucket-lb.bucket.id +# prefix = "test-lb" +# enabled = true +# } + +# tags = { Name = "${local.application_name}-external-loadbalancer" } +# depends_on = [aws_security_group.example_load_balancer_sg] +# } +# # # Create the target group +# resource "aws_lb_target_group" "target_group" { +# #checkov:skip=CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol" +# name = "${local.application_name}-tg-${local.environment}" +# port = 
local.application_data.accounts[local.environment].server_port +# protocol = "HTTP" +# vpc_id = data.aws_vpc.shared.id +# target_type = "instance" +# deregistration_delay = 30 + +# stickiness { +# type = "lb_cookie" +# } +# #checkov:skip=CKV_AWS_261: "health_check defined below, but not picked up" +# health_check { +# healthy_threshold = "5" +# interval = "120" +# protocol = "HTTP" +# unhealthy_threshold = "2" +# matcher = "200-499" +# timeout = "5" +# } + +# tags = { Name = "${local.application_name}-tg-${local.environment}" } +# lifecycle { +# create_before_destroy = true +# } +# } # Link target group to the EC2 instance on port 80 -resource "aws_lb_target_group_attachment" "develop" { - target_group_arn = aws_lb_target_group.target_group.arn - target_id = aws_instance.lb_example_instance.id - port = 80 -} +# resource "aws_lb_target_group_attachment" "develop" { +# target_group_arn = aws_lb_target_group.target_group.arn +# target_id = aws_instance.lb_example_instance.id +# port = 80 +# } # Load balancer listener -resource "aws_lb_listener" "external" { - load_balancer_arn = aws_lb.external.arn - port = local.application_data.accounts[local.environment].server_port - protocol = local.application_data.accounts[local.environment].lb_listener_protocol - #checkov:skip=CKV_AWS_2: "protocol for lb set in application_variables" - ssl_policy = local.application_data.accounts[local.environment].lb_listener_protocol == "HTTP" ? 
"" : "ELBSecurityPolicy-TLS13-1-2-2021-06" - #checkov:skip=CKV_AWS_103: "ssl_policy for lb set in application_variables" - - default_action { - type = "forward" - target_group_arn = aws_lb_target_group.target_group.arn - } -} - -# # This will build on the core-vpc development account under platforms-development.modernisation-platform.service.justice.gov.uk, and route traffic back to example LB -resource "aws_route53_record" "example" { - provider = aws.core-vpc - zone_id = data.aws_route53_zone.external.zone_id - name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" - type = "A" - - alias { - name = aws_lb.external.dns_name - zone_id = aws_lb.external.zone_id - evaluate_target_health = true - } -} +# resource "aws_lb_listener" "external" { +# load_balancer_arn = aws_lb.external.arn +# port = local.application_data.accounts[local.environment].server_port +# protocol = local.application_data.accounts[local.environment].lb_listener_protocol +# #checkov:skip=CKV_AWS_2: "protocol for lb set in application_variables" +# ssl_policy = local.application_data.accounts[local.environment].lb_listener_protocol == "HTTP" ? 
"" : "ELBSecurityPolicy-TLS13-1-2-2021-06" +# #checkov:skip=CKV_AWS_103: "ssl_policy for lb set in application_variables" + +# default_action { +# type = "forward" +# target_group_arn = aws_lb_target_group.target_group.arn +# } +# } + +# # # This will build on the core-vpc development account under platforms-development.modernisation-platform.service.justice.gov.uk, and route traffic back to example LB +# resource "aws_route53_record" "example" { +# provider = aws.core-vpc +# zone_id = data.aws_route53_zone.external.zone_id +# name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" +# type = "A" + +# alias { +# name = aws_lb.external.dns_name +# zone_id = aws_lb.external.zone_id +# evaluate_target_health = true +# } +# } # Creation of a WAFv2 -resource "aws_wafv2_web_acl" "external" { - #checkov:skip=CKV2_AWS_31:Logging example commented out below, example is sound but no logging configuration for it to build. - name = "example-web-acl" - scope = "REGIONAL" - - default_action { - allow {} - } - - rule { - name = "AWS-AWSManagedRulesKnownBadInputsRuleSet" - priority = 1 - - override_action { - none {} - } - - statement { - managed_rule_group_statement { - name = "AWSManagedRulesKnownBadInputsRuleSet" - vendor_name = "AWS" - } - } - - visibility_config { - cloudwatch_metrics_enabled = false - metric_name = "friendly-rule-metric-name" - sampled_requests_enabled = false - } - } - - visibility_config { - cloudwatch_metrics_enabled = false - metric_name = "my-web-acl" - sampled_requests_enabled = false - } -} - -# Association code for WAFv2 to the LB -resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" { - resource_arn = aws_lb.external.arn - web_acl_arn = aws_wafv2_web_acl.external.arn -} +# resource "aws_wafv2_web_acl" "external" { +# #checkov:skip=CKV2_AWS_31:Logging example commented out below, example is sound but no logging configuration for it to build. 
+# name = "example-web-acl" +# scope = "REGIONAL" + +# default_action { +# allow {} +# } + +# rule { +# name = "AWS-AWSManagedRulesKnownBadInputsRuleSet" +# priority = 1 + +# override_action { +# none {} +# } + +# statement { +# managed_rule_group_statement { +# name = "AWSManagedRulesKnownBadInputsRuleSet" +# vendor_name = "AWS" +# } +# } + +# visibility_config { +# cloudwatch_metrics_enabled = false +# metric_name = "friendly-rule-metric-name" +# sampled_requests_enabled = false +# } +# } + +# visibility_config { +# cloudwatch_metrics_enabled = false +# metric_name = "my-web-acl" +# sampled_requests_enabled = false +# } +# } + +# # Association code for WAFv2 to the LB +# resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" { +# resource_arn = aws_lb.external.arn +# web_acl_arn = aws_wafv2_web_acl.external.arn +# } # Logging for WAF, it's commented out because it wouldn't build, however it's a basic example. 
@@ -183,165 +183,165 @@ resource "aws_wafv2_web_acl_association" "web_acl_association_my_lb" { ################################################################################# ######################### S3 Bucket required for logs ########################## ################################################################################# -module "s3-bucket-lb" { - #tfsec:ignore:aws-s3-enable-versioning - source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239" #v7.1.0 - - bucket_prefix = "s3-bucket-example-lb" - versioning_enabled = false - bucket_policy = [data.aws_iam_policy_document.bucket_policy_lb.json] - - # Enable bucket to be destroyed when not empty - force_destroy = true - # Refer to the below section "Replication" before enabling replication - replication_enabled = false - # Below three variables and providers configuration are only relevant if 'replication_enabled' is set to true - replication_region = "eu-west-2" - # replication_role_arn = module.s3-bucket-replication-role.role.arn - providers = { - # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the - # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation - # Platform team to add a new provider for the additional Region. 
- aws.bucket-replication = aws - } - - lifecycle_rule = [ - { - id = "main" - enabled = "Enabled" - prefix = "" - - tags = { - rule = "log" - autoclean = "true" - } - - transition = [ - { - days = 90 - storage_class = "STANDARD_IA" - }, { - days = 365 - storage_class = "GLACIER" - } - ] - - expiration = { - days = 730 - } - - noncurrent_version_transition = [ - { - days = 90 - storage_class = "STANDARD_IA" - }, { - days = 365 - storage_class = "GLACIER" - } - ] - - noncurrent_version_expiration = { - days = 730 - } - } - ] - - tags = { Name = lower(format("s3-bucket-%s-%s-example", local.application_name, local.environment)) } -} - -data "aws_iam_policy_document" "bucket_policy_lb" { - statement { - effect = "Allow" - actions = [ - "s3:PutObject" - ] - resources = ["${module.s3-bucket-lb.bucket.arn}/test-lb/AWSLogs/*"] - principals { - type = "AWS" - identifiers = [data.aws_elb_service_account.default_lb.arn] - } - } - statement { - sid = "AWSLogDeliveryWrite" - - principals { - type = "Service" - identifiers = ["delivery.logs.amazonaws.com"] - } - - actions = [ - "s3:PutObject" - ] - - resources = ["${module.s3-bucket-lb.bucket.arn}/test-lb/AWSLogs/*"] - - condition { - test = "StringEquals" - variable = "s3:x-amz-acl" - - values = [ - "bucket-owner-full-control" - ] - } - } - - statement { - sid = "AWSLogDeliveryAclCheck" - - principals { - type = "Service" - identifiers = ["delivery.logs.amazonaws.com"] - } - - actions = [ - "s3:GetBucketAcl" - ] - - resources = [ - module.s3-bucket-lb.bucket.arn - ] - } -} - -data "aws_iam_policy_document" "s3-access-policy-lb" { - version = "2012-10-17" - statement { - sid = "" - effect = "Allow" - actions = [ - "sts:AssumeRole", - ] - principals { - type = "Service" - identifiers = [ - "rds.amazonaws.com", - "ec2.amazonaws.com", - ] - } - } -} - -data "aws_elb_service_account" "default_lb" {} +# module "s3-bucket-lb" { +# #tfsec:ignore:aws-s3-enable-versioning +# source = 
"github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239" #v7.1.0 + +# bucket_prefix = "s3-bucket-example-lb" +# versioning_enabled = false +# bucket_policy = [data.aws_iam_policy_document.bucket_policy_lb.json] + +# # Enable bucket to be destroyed when not empty +# force_destroy = true +# # Refer to the below section "Replication" before enabling replication +# replication_enabled = false +# # Below three variables and providers configuration are only relevant if 'replication_enabled' is set to true +# replication_region = "eu-west-2" +# # replication_role_arn = module.s3-bucket-replication-role.role.arn +# providers = { +# # Here we use the default provider Region for replication. Destination buckets can be within the same Region as the +# # source bucket. On the other hand, if you need to enable cross-region replication, please contact the Modernisation +# # Platform team to add a new provider for the additional Region. +# aws.bucket-replication = aws +# } + +# lifecycle_rule = [ +# { +# id = "main" +# enabled = "Enabled" +# prefix = "" + +# tags = { +# rule = "log" +# autoclean = "true" +# } + +# transition = [ +# { +# days = 90 +# storage_class = "STANDARD_IA" +# }, { +# days = 365 +# storage_class = "GLACIER" +# } +# ] + +# expiration = { +# days = 730 +# } + +# noncurrent_version_transition = [ +# { +# days = 90 +# storage_class = "STANDARD_IA" +# }, { +# days = 365 +# storage_class = "GLACIER" +# } +# ] + +# noncurrent_version_expiration = { +# days = 730 +# } +# } +# ] + +# tags = { Name = lower(format("s3-bucket-%s-%s-example", local.application_name, local.environment)) } +# } + +# data "aws_iam_policy_document" "bucket_policy_lb" { +# statement { +# effect = "Allow" +# actions = [ +# "s3:PutObject" +# ] +# resources = ["${module.s3-bucket-lb.bucket.arn}/test-lb/AWSLogs/*"] +# principals { +# type = "AWS" +# identifiers = [data.aws_elb_service_account.default_lb.arn] +# } +# } +# statement { +# 
sid = "AWSLogDeliveryWrite" + +# principals { +# type = "Service" +# identifiers = ["delivery.logs.amazonaws.com"] +# } + +# actions = [ +# "s3:PutObject" +# ] + +# resources = ["${module.s3-bucket-lb.bucket.arn}/test-lb/AWSLogs/*"] + +# condition { +# test = "StringEquals" +# variable = "s3:x-amz-acl" + +# values = [ +# "bucket-owner-full-control" +# ] +# } +# } + +# statement { +# sid = "AWSLogDeliveryAclCheck" + +# principals { +# type = "Service" +# identifiers = ["delivery.logs.amazonaws.com"] +# } + +# actions = [ +# "s3:GetBucketAcl" +# ] + +# resources = [ +# module.s3-bucket-lb.bucket.arn +# ] +# } +# } + +# data "aws_iam_policy_document" "s3-access-policy-lb" { +# version = "2012-10-17" +# statement { +# sid = "" +# effect = "Allow" +# actions = [ +# "sts:AssumeRole", +# ] +# principals { +# type = "Service" +# identifiers = [ +# "rds.amazonaws.com", +# "ec2.amazonaws.com", +# ] +# } +# } +# } + +# data "aws_elb_service_account" "default_lb" {} ################################################################################# #################### EC2 build for load balancer targets. ####################### ################################################################################# -resource "aws_instance" "lb_example_instance" { - #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either." 
- #checkov:skip=CKV_AWS_8: "Encryption not required for example instance" - # Specify the instance type and ami to be used (this is the Amazon free tier option) - instance_type = local.application_data.accounts[local.environment].instance_type - ami = local.application_data.accounts[local.environment].ami_image_id - vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id] - subnet_id = data.aws_subnet.private_subnets_a.id - monitoring = true - ebs_optimized = true - - metadata_options { - http_endpoint = "enabled" - http_tokens = "required" - } - tags = { Name = lower(format("ec2-%s-%s-example", local.application_name, local.environment)) } - depends_on = [aws_security_group.example_load_balancer_sg] -} \ No newline at end of file +# resource "aws_instance" "lb_example_instance" { +# #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either." +# #checkov:skip=CKV_AWS_8: "Encryption not required for example instance" +# # Specify the instance type and ami to be used (this is the Amazon free tier option) +# instance_type = local.application_data.accounts[local.environment].instance_type +# ami = local.application_data.accounts[local.environment].ami_image_id +# vpc_security_group_ids = [aws_security_group.example_load_balancer_sg.id] +# subnet_id = data.aws_subnet.private_subnets_a.id +# monitoring = true +# ebs_optimized = true + +# metadata_options { +# http_endpoint = "enabled" +# http_tokens = "required" +# } +# tags = { Name = lower(format("ec2-%s-%s-example", local.application_name, local.environment)) } +# depends_on = [aws_security_group.example_load_balancer_sg] +# } \ No newline at end of file diff --git a/terraform/environments/example/platform_versions.tf b/terraform/environments/example/platform_versions.tf index 63e0b5996b8..0805808572b 100644 --- a/terraform/environments/example/platform_versions.tf +++ b/terraform/environments/example/platform_versions.tf 
@@ -8,6 +8,10 @@ terraform {
 version = "~> 3.0"
 source = "hashicorp/http"
 }
+ external = {
+ source = "hashicorp/external"
+ version = "~> 2.3.0" # Use the latest version or specify your desired version
+ }
 cloudinit = {
 source = "hashicorp/cloudinit"
 version = "~> 2.3.0" # Use the latest version or specify your desired version
diff --git a/terraform/environments/example/shield.tf b/terraform/environments/example/shield.tf
index 284068d80a0..c08d550bee0 100644
--- a/terraform/environments/example/shield.tf
+++ b/terraform/environments/example/shield.tf
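Review bot: The new `external` provider entry has no consumer anywhere in the visible changes to this environment, and the `external` data source it provides runs an arbitrary local program at `terraform plan` time, so any later edit to a `.tf` file here can execute code on the CI runner before an apply is reviewed. Either drop the entry until something uses it, or document the intent next to it, e.g. `# hashicorp/external: runs a local script at plan time — only for <data source>; review changes to the script it calls as carefully as the .tf`. The trailing `# Use the latest version or specify your desired version` is copied verbatim from the `cloudinit` entry and says nothing about this provider; replace it with that purpose comment. The enclosing `required_providers` block begins outside the hunk.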
@@ -1,26 +1,39 @@ +# ########################################################################################## +# # ------------------------Comment out file if not required---------------------------------- +# ########################################################################################## -module "shield" { - source = "../../modules/shield_advanced" - providers = { - aws.modernisation-platform = aws.modernisation-platform - } - application_name = local.application_name - excluded_protections = local.application_data.accounts[local.environment].excluded_protections - resources = { - certificate_lb = { - arn = aws_lb.certificate_example_lb.arn - } - public_lb = { - action = "count", - arn = aws_lb.external.arn - } - } - waf_acl_rules = { - example = { - "action" = "count", - "name" = "example-count-rule", - "priority" = 0, - "threshold" = "1000" - } - } -} +# If you are getting errors with this code it might because there are protections that have not been disabled. login to the example account +# and go to the protected resources on the aws shield and remove any that have errors. once you have finished with what you are doing and are +# hashing out both the import and the resource you will need to remove the shield from the state file before running an apply. 
+ + +# import { +# id = "c6f3ba81-c457-40f6-bd1f-30e777f60c27/FMManagedWebACLV2-shield_advanced_auto_remediate-1652297838425/REGIONAL" +# to = module.shield.aws_wafv2_web_acl.main +# } + +# module "shield" { +# source = "../../modules/shield_advanced" +# providers = { +# aws.modernisation-platform = aws.modernisation-platform +# } +# application_name = local.application_name +# excluded_protections = local.application_data.accounts[local.environment].excluded_protections +# resources = { +# certificate_lb = { +# arn = aws_lb.certificate_example_lb.arn +# } +# public_lb = { +# action = "count", +# arn = aws_lb.external.arn +# } +# } +# waf_acl_rules = { +# example = { +# "action" = "count", +# "name" = "example-count-rule", +# "priority" = 0, +# "threshold" = "1000" +# } +# } +# } From 58b72a0e5c04b110c8998ae7fe6652dfaa42f948 Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Wed, 23 Oct 2024 10:12:19 +0100 Subject: [PATCH 69/83] Tribunals: fix cicap nginx redirect (#8409) --- .../modules/nginx_ec2_pair/sites-available/cicap.gov.uk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/cicap.gov.uk b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/cicap.gov.uk index 61b921301b4..0c3d328ea24 100644 --- a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/cicap.gov.uk +++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/cicap.gov.uk @@ -34,7 +34,7 @@ server { return 301 https://www.gov.uk/criminal-injuries-compensation-tribunal; } location ~* ^/Public { - return 301 https://cicap.decisions.tribunals.gov.uk/$request_uri; + return 301 https://cicap.decisions.tribunals.gov.uk/$request_uri/publicsearch.aspx; } location ~* ^/images { return 301 https://cicap.decisions.tribunals.gov.uk/$request_uri; From d3cf7264aabdbbd0d76c26156ea5acd9fc7f4261 Mon Sep 17 00:00:00 2001 
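Review bot: The new header comment tells the operator to delete protections in the Shield console and to "remove the shield from the state file before running an apply", but it does not say which command is meant (presumably `terraform state rm module.shield`) nor that doing so leaves the Shield Advanced protections and the imported `FMManagedWebACLV2-…` web ACL live in the account and no longer managed by Terraform. Spell that out so the next person knows what is left behind: `# NOTE: terraform state rm module.shield does NOT delete the protections or the FM-managed web ACL; they stay active but unmanaged until the module is re-enabled and the ACL re-imported.` Two smaller points in the same comment: "hashing out" should read "commenting out", and this file's banner is prefixed `# ####` / `# # ----` whereas every other file touched in this commit uses the bare `####` / `#----` form.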
From: Mark Roberts Date: Wed, 23 Oct 2024 10:13:14 +0100 Subject: [PATCH 70/83] removed my script --- terraform/environments/{example => }/clean.sh | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename terraform/environments/{example => }/clean.sh (100%) diff --git a/terraform/environments/example/clean.sh b/terraform/environments/clean.sh similarity index 100% rename from terraform/environments/example/clean.sh rename to terraform/environments/clean.sh From c2644f9acd433f6259a19f5147a73724d3c61986 Mon Sep 17 00:00:00 2001 From: Mark Roberts Date: Wed, 23 Oct 2024 10:19:39 +0100 Subject: [PATCH 71/83] removed clean.sh completely --- terraform/environments/clean.sh | 8 -------- 1 file changed, 8 deletions(-) delete mode 100755 terraform/environments/clean.sh diff --git a/terraform/environments/clean.sh b/terraform/environments/clean.sh deleted file mode 100755 index 111733e8ced..00000000000 --- a/terraform/environments/clean.sh +++ /dev/null @@ -1,8 +0,0 @@ -rm -Rf .terraform -rm .terraform.lock.hcl -echo "Account Number: $1" -terraform init -backend-config=assume_role={role_arn=\"arn:aws:iam::$1:role/modernisation-account-terraform-state-member-access\"} -terraform workspace list -echo "Please select your workspace:" -read workspace -terraform workspace select "$workspace" From a9ef39f7a1e5d3955819e862f6a120c649f13cdc Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Wed, 23 Oct 2024 10:34:12 +0100 Subject: [PATCH 72/83] Tribunals: fix cicap nginx redirect v2 (#8411) --- .../modules/nginx_ec2_pair/sites-available/cicap.gov.uk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/cicap.gov.uk b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/cicap.gov.uk index 0c3d328ea24..cc12f6af299 100644 --- a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/cicap.gov.uk 
+++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/cicap.gov.uk
@@ -34,7 +34,7 @@ server {
 return 301 https://www.gov.uk/criminal-injuries-compensation-tribunal;
 }
 location ~* ^/Public {
- return 301 https://cicap.decisions.tribunals.gov.uk/$request_uri/publicsearch.aspx;
+ return 301 https://cicap.decisions.tribunals.gov.uk/Public/publicsearch.aspx;
 }
 location ~* ^/images {
 return 301 https://cicap.decisions.tribunals.gov.uk/$request_uri;
From 6ddb745c5b19e6437af91832b8fa2391dfa14764 Mon Sep 17 00:00:00 2001
From: Buckingham
Date: Wed, 23 Oct 2024 10:53:02 +0100
Subject: [PATCH 73/83] Update_231024_4
---
 terraform/environments/ppud/lambda_scripts/disable_cpu_alarm.py | 2 +-
 terraform/environments/ppud/lambda_scripts/enable_cpu_alarm.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/ppud/lambda_scripts/disable_cpu_alarm.py b/terraform/environments/ppud/lambda_scripts/disable_cpu_alarm.py
index 530fe7bba37..b6163622549 100644
--- a/terraform/environments/ppud/lambda_scripts/disable_cpu_alarm.py
+++ b/terraform/environments/ppud/lambda_scripts/disable_cpu_alarm.py
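Review bot: `location ~* ^/Public` has no boundary after `Public`, so with the new fixed target every path that merely starts with that prefix, case-insensitively (`/Publications/...`, `/publicity`), is now sent to `/Public/publicsearch.aspx`, whereas the previous `$request_uri` form at least carried the original path across. Anchor the match, `location ~* ^/Public(/|$) {`, if only the `/Public` tree is meant. Dropping `$request_uri` also discards any query string the caller sent; that is plausibly intended for a search landing page but deserves a one-line comment such as `# deliberate: original path and query string are not forwarded`.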
@@ -3,5 +3,5 @@ def lambda_handler(event, context):
 response = client.disable_alarm_actions(
- AlarmNames=['CPU-High-i-014bce95a85aaeede','CPU-High-i-00cbccc46d25e77c6','CPU-High-i-0dba6054c0f5f7a11','CPU-High-i-0b5ef7cb90938fb82','CPU-High-i-04bbb6312b86648be','CPU-High-i-00413756d2dfcf6d2','CPU-High-i-080498c4c9d25e6bd','CPU-High-i-029d2b17679dab982','CPU-High-70%-i-029d2b17679dab982','CPU-High-90%-i-029d2b17679dab982']
+ AlarmNames=['CPU-Utilisation-High-i-014bce95a85aaeede','CPU-Utilisation-High-i-00cbccc46d25e77c6','CPU-Utilisation-High-i-0dba6054c0f5f7a11','CPU-Utilisation-High-i-0b5ef7cb90938fb82','CPU-Utilisation-High-i-04bbb6312b86648be','CPU-Utilisation-High-i-00413756d2dfcf6d2','CPU-Utilisation-High-i-080498c4c9d25e6bd','CPU-High-i-029d2b17679dab982','CPU-High-70%-i-029d2b17679dab982','CPU-High-90%-i-029d2b17679dab982']
 )
\ No newline at end of file
diff --git a/terraform/environments/ppud/lambda_scripts/enable_cpu_alarm.py b/terraform/environments/ppud/lambda_scripts/enable_cpu_alarm.py
index b9814fe95fe..e9947ed528a 100644
--- a/terraform/environments/ppud/lambda_scripts/enable_cpu_alarm.py
+++ b/terraform/environments/ppud/lambda_scripts/enable_cpu_alarm.py
@@ -3,5 +3,5 @@ def lambda_handler(event, context): response = client.enable_alarm_actions( - AlarmNames=['CPU-High-i-014bce95a85aaeede','CPU-High-i-00cbccc46d25e77c6','CPU-High-i-0dba6054c0f5f7a11','CPU-High-i-0b5ef7cb90938fb82','CPU-High-i-04bbb6312b86648be','CPU-High-i-00413756d2dfcf6d2','CPU-High-i-080498c4c9d25e6bd','CPU-High-i-029d2b17679dab982','CPU-High-70%-i-029d2b17679dab982','CPU-High-90%-i-029d2b17679dab982'] + AlarmNames=['CPU-Utilisation-High-i-014bce95a85aaeede','CPU-Utilisation-High-i-00cbccc46d25e77c6','CPU-Utilisation-High-i-0dba6054c0f5f7a11','CPU-Utilisation-High-i-0b5ef7cb90938fb82','CPU-Utilisation-High-i-04bbb6312b86648be','CPU-Utilisation-High-i-00413756d2dfcf6d2','CPU-Utilisation-High-i-080498c4c9d25e6bd','CPU-High-i-029d2b17679dab982','CPU-High-70%-i-029d2b17679dab982','CPU-High-90%-i-029d2b17679dab982'] ) \ No newline at end of file From c0f37464732ea3e7847c0df9086c08f77d1689c9 Mon Sep 17 00:00:00 2001 From: Ant Fitzroy <101649764+AntFMoJ@users.noreply.github.com> Date: Wed, 23 Oct 2024 11:42:01 +0100 Subject: [PATCH 74/83] Update terraform/environments/analytical-platform-compute/kms-keys.tf Co-authored-by: Jacob Woffenden --- terraform/environments/analytical-platform-compute/kms-keys.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index 72e6cd4879b..9b37d8c86b6 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -283,7 +283,7 @@ module "mojap_derived_tables_replication_s3_kms" { version = "3.1.1" aliases = ["s3/mojap-derived-tables-replication"] - description = "mojap_derived_tables_replication S3 KMS key" + description = "mojap-derived-tables-replication S3 KMS key" enable_default_policy = true deletion_window_in_days = 7 From 30550e0ac213b7250d86a8bb1d55d9cf1a600262 Mon Sep 17 00:00:00 2001 
From: Ant Fitzroy <101649764+AntFMoJ@users.noreply.github.com> Date: Wed, 23 Oct 2024 11:42:24 +0100 Subject: [PATCH 75/83] Update terraform/environments/analytical-platform-compute/kms-keys.tf Co-authored-by: Jacob Woffenden --- .../environments/analytical-platform-compute/kms-keys.tf | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/kms-keys.tf b/terraform/environments/analytical-platform-compute/kms-keys.tf index 9b37d8c86b6..e6b1a944f09 100644 --- a/terraform/environments/analytical-platform-compute/kms-keys.tf +++ b/terraform/environments/analytical-platform-compute/kms-keys.tf @@ -308,8 +308,8 @@ module "mojap_compute_logs_s3_kms" { key_statements = [ { - sid = "AllowLogging" - + sid = "AllowS3Logging" + effect = "Allow" actions = [ "kms:Encrypt", "kms:Decrypt", @@ -317,18 +317,13 @@ module "mojap_compute_logs_s3_kms" { "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey" ] - resources = ["*"] - - effect = "Allow" - principals = [ { type = "Service" identifiers = ["logging.s3.amazonaws.com"] } ] - conditions = [ { test = "StringEquals" From 2f426035de4247ac7143a3a37acf73b560c169ad Mon Sep 17 00:00:00 2001 From: Anthony Fitzroy Date: Wed, 23 Oct 2024 11:47:33 +0100 Subject: [PATCH 76/83] tidy up --- .../environments/analytical-platform-compute/s3-buckets.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/analytical-platform-compute/s3-buckets.tf b/terraform/environments/analytical-platform-compute/s3-buckets.tf index bba6b51bb7a..621807a73cc 100644 --- a/terraform/environments/analytical-platform-compute/s3-buckets.tf +++ b/terraform/environments/analytical-platform-compute/s3-buckets.tf @@ -68,6 +68,8 @@ module "mojap_compute_logs_bucket" { force_destroy = false + policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json + object_lock_enabled = false versioning = { 
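Review bot: The relocated `policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json` only takes effect if the module call also sets `attach_policy = true`; terraform-aws-modules/s3-bucket creates its bucket-policy resource only when one of its attach_* flags is on, and otherwise the policy document is silently ignored. The rest of the `mojap_compute_logs_bucket` block is outside this hunk, so I cannot tell whether that flag is set; if it is not, add `attach_policy = true` next to this line. For a log-delivery bucket a missing policy would most likely surface as absent server access logs rather than as an apply error, which is why it is worth confirming now.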
@@ -85,6 +87,4 @@ module "mojap_compute_logs_bucket" { } tags = local.tags - - policy = data.aws_iam_policy_document.s3_server_access_logs_policy.json } From db7a7be5573710996902ff346e4e30ef4e1721e1 Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Wed, 23 Oct 2024 12:01:06 +0100 Subject: [PATCH 77/83] Tribunals: Update nginx s3 config bucket to detect config changes (#8414) --- .../environments/tribunals/modules/nginx_ec2_pair/main.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/main.tf b/terraform/environments/tribunals/modules/nginx_ec2_pair/main.tf index d9977c3a288..618e580418c 100644 --- a/terraform/environments/tribunals/modules/nginx_ec2_pair/main.tf +++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/main.tf @@ -99,12 +99,16 @@ resource "aws_s3_object" "sites_available" { bucket = aws_s3_bucket.nginx_config.id key = "sites-available/${each.value}" source = "${path.module}/sites-available/${each.value}" + # Use md5 to detect changes in the sites-available folder + etag = filemd5("${path.module}/sites-available/${each.value}") } resource "aws_s3_object" "nginx_conf" { bucket = aws_s3_bucket.nginx_config.id key = "nginx.conf" source = "${path.module}/nginx-conf/nginx.conf" + # Use md5 to detect changes in the nginx.conf file + etag = filemd5("${path.module}/nginx-conf/nginx.conf") } resource "aws_iam_role_policy_attachment" "s3_policy_attachment" { From dcf096e4158af6b58f889bbdad6261a9cd69ab09 Mon Sep 17 00:00:00 2001 From: Buckingham Date: Wed, 23 Oct 2024 12:03:38 +0100 Subject: [PATCH 78/83] Update_231024_5 --- terraform/environments/ppud/s3.tf | 6 +---- terraform/environments/ppud/sns.tf | 43 ++++++++++++++++++++---------- 2 files changed, 30 insertions(+), 19 deletions(-) diff --git a/terraform/environments/ppud/s3.tf b/terraform/environments/ppud/s3.tf index 586436a911f..6a3db2e2d09 100644 --- a/terraform/environments/ppud/s3.tf +++ b/terraform/environments/ppud/s3.tf 
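Review bot: `etag = filemd5(...)` is only a reliable change detector when the object is stored unencrypted or with SSE-S3. For objects in a bucket that uses SSE-KMS the ETag returned by S3 is not an MD5 of the content, so Terraform would see a permanent diff and re-upload on every plan. The encryption setting of `aws_s3_bucket.nginx_config` is outside this hunk, so I cannot confirm which case applies here. `source_hash = filemd5(...)` is the provider's encryption-agnostic argument for exactly this purpose and would be the safer choice for both `sites_available` and `nginx_conf`.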
@@ -564,19 +564,15 @@ resource "aws_s3_bucket_public_access_block" "moj-log-files-uat" { restrict_public_buckets = true } -# Disabled S3 bucket notification pending further testing. - -/* resource "aws_s3_bucket_notification" "moj-log-files-uat" { count = local.is-preproduction == true ? 1 : 0 bucket = aws_s3_bucket.moj-log-files-uat[0].id topic { - topic_arn = aws_sns_topic.cw_uat_alerts[0].arn + topic_arn = aws_sns_topic.s3_bucket_notifications_uat[0].arn events = ["s3:ObjectCreated:*"] filter_prefix = "alb-logs/" } } -*/ resource "aws_s3_bucket_lifecycle_configuration" "moj-log-files-uat" { count = local.is-preproduction == true ? 1 : 0 diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index f5d69cafd7f..f0695b5d17c 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf @@ -31,14 +31,6 @@ resource "aws_sns_topic" "cw_uat_alerts" { name = "ppud-uat-cw-alerts" } -/* -resource "aws_sns_topic_policy" "sns_uat_policy" { - count = local.is-preproduction == true ? 1 : 0 - arn = aws_sns_topic.cw_uat_alerts[0].arn - policy = data.aws_iam_policy_document.sns_topic_policy_uat_ec2cw[0].json -} -*/ - resource "aws_sns_topic_subscription" "cw_uat_subscription" { count = local.is-preproduction == true ? 1 : 0 topic_arn = aws_sns_topic.cw_uat_alerts[0].arn 
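Review bot: `aws_s3_bucket_notification.moj-log-files-uat` has no `depends_on` for `aws_sns_topic_policy.s3_bucket_notifications_uat_policy`; S3 validates that it can publish to the destination when the notification configuration is written, so on a fresh apply the notification can be created before the topic policy exists and fail with a permissions error. The `topic_arn` reference gives Terraform a dependency on the topic itself but not on its policy, which is a separate resource. Adding `depends_on = [aws_sns_topic_policy.s3_bucket_notifications_uat_policy]` inside the resource makes the ordering explicit.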
@@ -76,21 +68,44 @@ resource "aws_sns_topic_policy" "sns_uat_policy" { "AWS:SourceOwner" : "data.aws_caller_identity.current.account_id" } } - }, + } + ] + }) +} + +# Pre-production - S3 Bucket Notification + +resource "aws_sns_topic" "s3_bucket_notifications_uat" { + # checkov:skip=CKV_AWS_26: "SNS topic encryption is not required as no sensitive data is processed through it" + count = local.is-preproduction == true ? 1 : 0 + name = "s3_bucket_notifications_uat" +} + +resource "aws_sns_topic_subscription" "s3_bucket_notifications_uat_subscription" { + count = local.is-preproduction == true ? 1 : 0 + topic_arn = aws_sns_topic.s3_bucket_notifications_uat[0].arn + protocol = "email" + endpoint = "PPUDAlerts@colt.net" +} + +resource "aws_sns_topic_policy" "s3_bucket_notifications_uat_policy" { + count = local.is-preproduction == true ? 1 : 0 + arn = aws_sns_topic.s3_bucket_notifications_uat[0].arn + + policy = jsonencode({ + Version = "2012-10-17", + Statement = [ { - "Sid" : "S3-to-Publish-SNS", + "Sid" : "s3_bucket_notifications_uat", "Effect" : "Allow", "Principal" : { "Service" : "s3.amazonaws.com" }, "Action" : "SNS:Publish", - "Resource" : "aws_sns_topic.cw_uat_alerts[0].arn", + "Resource" : "aws_sns_topic.s3_bucket_notifications_uat[0].arn", "Condition" : { "ArnLike" : { "aws:SourceArn" : "arn:aws:s3:::moj-log-files-uat" - }, - "StringEquals" : { - "AWS:SourceOwner" : "data.aws_caller_identity.current.account_id" } } } From 5734d944ef599b7861432ba8ad14c5aa5c18a58f Mon Sep 17 00:00:00 2001 From: Gary <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 23 Oct 2024 12:22:25 +0100 Subject: [PATCH 79/83] :wrench: Refactor for_each (#8416) --- .../modules/grafana/team/main.tf | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/terraform/environments/observability-platform/modules/grafana/team/main.tf b/terraform/environments/observability-platform/modules/grafana/team/main.tf index ccdc31cc897..9aa4f77e2a9 100644 
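Review bot: `"Resource" : "aws_sns_topic.s3_bucket_notifications_uat[0].arn"` is a quoted string inside `jsonencode`, so the rendered policy contains that literal text rather than the topic ARN; it needs to be an expression, `"Resource" : aws_sns_topic.s3_bucket_notifications_uat[0].arn,`. The surviving `"AWS:SourceOwner" : "data.aws_caller_identity.current.account_id"` context line in the cw_uat policy above has the same quoting problem. Because SNS expects a topic policy's Resource to match the topic ARN, the policy as written will most likely be rejected on apply or grant nothing, and the S3 notification added in the s3.tf hunk would then not be permitted to publish. Once the Resource is fixed, adding `"aws:SourceAccount" : data.aws_caller_identity.current.account_id` alongside the existing `ArnLike` condition would restore the account scoping the removed statement attempted, this time with a real value.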
--- a/terraform/environments/observability-platform/modules/grafana/team/main.tf +++ b/terraform/environments/observability-platform/modules/grafana/team/main.tf @@ -56,17 +56,23 @@ resource "grafana_data_source_permission" "xray" { } data "grafana_data_source" "athena" { - for_each = { - for name, config in var.aws_accounts : name => config if config.athena_enabled - } - - name = "${each.key}-athena" + for_each = toset(flatten( + [ + for account_name, account_data in var.aws_accounts : + account_data.athena_enabled == true && try(account_data.athena_config, null) != null ? keys(account_data.athena_config) : [] + ] + )) + + name = each.key } resource "grafana_data_source_permission" "athena" { - for_each = { - for name, config in var.aws_accounts : name => config if config.athena_enabled - } + for_each = toset(flatten( + [ + for account_name, account_data in var.aws_accounts : + account_data.athena_enabled == true && try(account_data.athena_config, null) != null ? keys(account_data.athena_config) : [] + ] + )) datasource_uid = trimprefix(data.grafana_data_source.athena[each.key].id, "1:") From 9f4678abda5afebc5a5da24f92b76c2203848c3e Mon Sep 17 00:00:00 2001 From: Buckingham Date: Wed, 23 Oct 2024 12:35:12 +0100 Subject: [PATCH 80/83] Update_231024_6 --- terraform/environments/ppud/sns.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/ppud/sns.tf b/terraform/environments/ppud/sns.tf index f0695b5d17c..99788296c0e 100644 --- a/terraform/environments/ppud/sns.tf +++ b/terraform/environments/ppud/sns.tf @@ -94,9 +94,10 @@ resource "aws_sns_topic_policy" "s3_bucket_notifications_uat_policy" { policy = jsonencode({ Version = "2012-10-17", + ID = "s3_bucket_notifications_uat", Statement = [ { - "Sid" : "s3_bucket_notifications_uat", + "Sid" : "s3_bucket_notifications_uat_iam_policy", "Effect" : "Allow", "Principal" : { "Service" : "s3.amazonaws.com" From 9b96a8b8323882c7726aacb6ee4f7915c78492ec Mon Sep 17 00:00:00 2001 
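Review bot: The `for_each` expression is duplicated verbatim between `data "grafana_data_source" "athena"` and `resource "grafana_data_source_permission" "athena"`, and `account_name` is bound but never used in either; since the resource indexes the data source by `each.key`, the two collections must stay identical, which is fragile when they are maintained as separate copies. Extracting the set into a local and iterating over map values only reads more clearly and guarantees the keys match. One caveat to confirm: the flattened set deduplicates, so two accounts declaring the same `athena_config` key would silently share one data source — presumably intended, but worth a comment. The `grafana_data_source_permission` block continues past the end of this hunk.
```hcl
locals {
  # Data source names for every account with Athena enabled and configured;
  # both the data block and the permission resource key off this same set.
  athena_data_source_names = toset(flatten([
    for account_data in var.aws_accounts :
    account_data.athena_enabled == true && try(account_data.athena_config, null) != null ? keys(account_data.athena_config) : []
  ]))
}

data "grafana_data_source" "athena" {
  for_each = local.athena_data_source_names

  name = each.key
}

resource "grafana_data_source_permission" "athena" {
  for_each = local.athena_data_source_names
  # … unchanged: datasource_uid and the rest of the block …
```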
From: Gary <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 23 Oct 2024 12:47:35 +0100 Subject: [PATCH 81/83] =?UTF-8?q?=F0=9F=A7=AA=20Testing=20resource=20type?= =?UTF-8?q?=20(#8419)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../modules/grafana/athena-source/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/observability-platform/modules/grafana/athena-source/main.tf b/terraform/environments/observability-platform/modules/grafana/athena-source/main.tf index 178162769af..43cee84d100 100644 --- a/terraform/environments/observability-platform/modules/grafana/athena-source/main.tf +++ b/terraform/environments/observability-platform/modules/grafana/athena-source/main.tf @@ -8,7 +8,7 @@ data "grafana_data_source" "this" { } resource "grafana_data_source" "this" { - type = "athena" + type = "Amazon Athena" name = "${var.athena_workgroup}-${var.athena_database}" json_data_encoded = jsonencode({ defaultRegion = "eu-west-2" From 3b1f3c3ad2362d8893f1fdc88431e71efe99ce62 Mon Sep 17 00:00:00 2001 From: Mateusz Kolakowski Date: Wed, 23 Oct 2024 12:59:15 +0100 Subject: [PATCH 82/83] Tribunals: update nginx redirect links (#8420) --- .../modules/nginx_ec2_pair/sites-available/ahmlr.gov.uk | 2 +- .../nginx_ec2_pair/sites-available/carestandardstribunal.gov.uk | 2 +- .../nginx_ec2_pair/sites-available/employmentappeals.gov.uk | 2 +- .../nginx_ec2_pair/sites-available/informationtribunal.gov.uk | 2 +- .../modules/nginx_ec2_pair/sites-available/osscsc.gov.uk | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/ahmlr.gov.uk b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/ahmlr.gov.uk index 387fca89b3d..6bfd693dcfe 100644 --- a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/ahmlr.gov.uk 
+++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/ahmlr.gov.uk @@ -34,7 +34,7 @@ server { return 301 https://www.gov.uk/apply-land-registration-tribunal/overview; } location ~* ^/public { - return 301 https://landregistrationdivision.decisions.tribunals.gov.uk/$request_uri; + return 301 https://landregistrationdivision.decisions.tribunals.gov.uk/public/Search30May.aspx; } location ~* ^/Admin { return 301 https://landregistrationdivision.decisions.tribunals.gov.uk/$request_uri; diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/carestandardstribunal.gov.uk b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/carestandardstribunal.gov.uk index de57468cc87..29c9add877f 100644 --- a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/carestandardstribunal.gov.uk +++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/carestandardstribunal.gov.uk @@ -34,7 +34,7 @@ server { return 301 https://www.gov.uk/guidance/appeal-to-the-care-standards-tribunal; } location ~* ^/Public { - return 301 https://carestandards.decisions.tribunals.gov.uk/$request_uri; + return 301 https://carestandards.decisions.tribunals.gov.uk/Public/recentDecisions.aspx; } location ~* ^/images { return 301 https://carestandards.decisions.tribunals.gov.uk/$request_uri; diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/employmentappeals.gov.uk b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/employmentappeals.gov.uk index 2d0dcdfae49..2849de51aaa 100644 --- a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/employmentappeals.gov.uk +++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/employmentappeals.gov.uk 
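Review bot: Each of the five rewritten `return 301` targets is now a fixed page, so the remainder of the request path and any query string that `$request_uri` previously carried are dropped; a bookmarked `/Public/<decision-page>` (placeholder) under carestandardstribunal.gov.uk, or any `?` parameters, now lands on the generic search or recent-decisions page. The same applies to the informationtribunal, employmentappeals and osscsc hunks that follow and to the cicap change in PATCH 73. If that is the intent because the old per-decision paths no longer exist on the decisions sites, a one-line comment above each location, such as `# old per-decision URLs are not preserved on the new site; send everything to the search page`, would stop the next reader from reverting to `$request_uri`.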
@@ -34,7 +34,7 @@ server { return 301 https://www.gov.uk/courts-tribunals/employment-appeal-tribunal; } location ~* ^/Public { - return 301 https://employmentappeals.decisions.tribunals.gov.uk/$request_uri; + return 301 https://employmentappeals.decisions.tribunals.gov.uk/Public/Search.aspx; } location ~* ^/images { return 301 https://employmentappeals.decisions.tribunals.gov.uk/$request_uri; diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/informationtribunal.gov.uk b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/informationtribunal.gov.uk index f666c9bc609..d7bc760eef0 100644 --- a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/informationtribunal.gov.uk +++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/informationtribunal.gov.uk @@ -34,7 +34,7 @@ server { return 301 https://www.gov.uk/guidance/information-rights-appeal-against-the-commissioners-decision; } location ~* ^/Public { - return 301 https://informationrights.decisions.tribunals.gov.uk/$request_uri; + return 301 https://informationrights.decisions.tribunals.gov.uk/Public/search.aspx; } location ~* ^/images { return 301 https://informationrights.decisions.tribunals.gov.uk/$request_uri; diff --git a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/osscsc.gov.uk b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/osscsc.gov.uk index 170ee4c9afa..058ceacd320 100644 --- a/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/osscsc.gov.uk +++ b/terraform/environments/tribunals/modules/nginx_ec2_pair/sites-available/osscsc.gov.uk 
@@ -34,7 +34,7 @@ server { return 301 https://www.gov.uk/courts-tribunals/upper-tribunal-administrative-appeals-chamber; } location ~* ^/aspx { - return 301 https://administrativeappeals.decisions.tribunals.gov.uk/$request_uri; + return 301 https://administrativeappeals.decisions.tribunals.gov.uk/Aspx/default.aspx; } location ~* ^/Decisions { return 301 https://administrativeappeals.decisions.tribunals.gov.uk/$request_uri; From 2d7d057c72e389bacdda1ab33660c7503e96ba14 Mon Sep 17 00:00:00 2001 From: Gary <26419401+Gary-H9@users.noreply.github.com> Date: Wed, 23 Oct 2024 13:08:09 +0100 Subject: [PATCH 83/83] :wrench: Correct data source (#8421) --- .../modules/grafana/athena-source/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/observability-platform/modules/grafana/athena-source/main.tf b/terraform/environments/observability-platform/modules/grafana/athena-source/main.tf index 43cee84d100..e725f26c5de 100644 --- a/terraform/environments/observability-platform/modules/grafana/athena-source/main.tf +++ b/terraform/environments/observability-platform/modules/grafana/athena-source/main.tf @@ -8,7 +8,7 @@ data "grafana_data_source" "this" { } resource "grafana_data_source" "this" { - type = "Amazon Athena" + type = "grafana-athena-datasource" name = "${var.athena_workgroup}-${var.athena_database}" json_data_encoded = jsonencode({ defaultRegion = "eu-west-2"