Merge pull request #7757 from ministryofjustice/CDI-214-UAT-CICA-Ranges

🛂 Add uat to security group
ministryofjustice · Sep 13, 2024 · ac6fb62 · ac6fb62
2 parents eb70661 + 06d60de
commit ac6fb62
Show file tree

Hide file tree

Showing 6 changed files with 115 additions and 66 deletions.
diff --git a/terraform/environments/cica-tariff/bastion_linux.json b/terraform/environments/cica-tariff/bastion_linux.json
@@ -0,0 +1,9 @@
+{
+  "keys": {
+    "development": {
+      "ed": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJa3flPvFH6LHw9VLhoAFFZl+ETpm5VO+X7qRkYyw1pU"
+    },
+    "preproduction": {},
+    "production": {}
+  }
+}
diff --git a/terraform/environments/cica-tariff/ec2_bastion_linux.tf b/terraform/environments/cica-tariff/ec2_bastion_linux.tf
@@ -0,0 +1,34 @@
+# tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning
+module "bastion_linux" {
+  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" #v4.2.1
+
+  providers = {
+    aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
+    aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
+  }
+  # s3 - used for logs and user ssh public keys
+  bucket_name = "tariff-bastion"
+  # public keys
+  public_key_data = local.public_key_data.keys[local.environment]
+  # logs
+  log_auto_clean       = "Enabled"
+  log_standard_ia_days = 30  # days before moving to IA storage
+  log_glacier_days     = 60  # days before moving to Glacier
+  log_expiry_days      = 180 # days before log expiration
+  # bastion
+  allow_ssh_commands = true
+  app_name           = var.networking[0].application
+  business_unit      = local.vpc_name
+  subnet_set         = local.subnet_set
+  environment        = local.environment
+  region             = "eu-west-2"
+
+  # Tags
+  tags_common = local.tags
+  tags_prefix = terraform.workspace
+}
+
+
+locals {
+  public_key_data = jsondecode(file("./bastion_linux.json"))
+}
diff --git a/terraform/environments/cica-tariff/locals.tf b/terraform/environments/cica-tariff/locals.tf
@@ -3,8 +3,10 @@ locals {
   pubkey = {
     "development" = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC3Fq4UnSs9jsFRxG7WV/2g4C4gTaG+7J5p5oi3Eup27MMoNBGTQV64ZETq8Gzx0Dx9R5xnj/y1DT350om2cdcGUYUDu47mOY+VXXtJpzK94R5ZzN+74xjz/swTgJQaOY8iaeSNsILkFMm50xTr7gzSaAswL95RH8h1IibzheqmwkHtN97JEaXkJbhE/CYNPmJzUahNG05vEnBG4op7OG5oLi+7cvZlrnho9lpkWRcOgXaS/mQsMKb45plYCU52reWIZhO9IoxaXULoYybk617I0Blhe2IvYcXfWZGw5xrfJrPJFiiK5fmYGgMp0d1J730kKZ5sOh0Y7Bdf3XXefUIaHlKe95/rXQczw5EeMG+lRt6cOS3XAh4CquyvwY3Oj2HgDLE2JMQS3Y9k8dBpopUCGLvk7MnHMb4SLF4FEoaeJQdv07c6amOQm5Hk0l13TAzlQg+xkyW0y3aluLdAyH6fucbwFiUnAINm9tqem7ZGghWxaC6X9xBUpCDOWPO/3KjpLvPNRrmIgEfSh73o3Jks16Ef3f94XOCM+exO8mTuAYK3F6Uhc2I6xMb3Wp35PBOZbKBEZCeoDvyb841UKHd6LLrgQELEOG+xd3UzM24JMh2FEnbCj3orIw2Zj1B4Udyu2EyV7BLpUhMt/jNt9Jonf1MqVzn9M3JfjUQEjYwVqQ=="
   }
-  cidr_cica_ss_a = "10.10.10.0/24"
-  cidr_cica_ss_b = "10.10.110.0/24"
+  cidr_cica_ss_a  = "10.10.10.0/24"
+  cidr_cica_ss_b  = "10.10.110.0/24"
+  cidr_cica_uat_a = "10.12.10.0/24"
+  cidr_cica_uat_b = "10.12.110.0/24"
 
   #get snapshot IDs for each volume. Required to stop instance replacement on apply
   block_device_mapping_xvde = {

diff --git a/terraform/environments/cica-tariff/platform_providers.tf b/terraform/environments/cica-tariff/platform_providers.tf
@@ -56,3 +56,7 @@ provider "aws" {
     role_arn = "arn:aws:iam::${local.environment_management.aws_organizations_root_account_id}:role/ModernisationPlatformSSOReadOnly"
   }
 }
+
+provider "random" {
+
+}
diff --git a/terraform/environments/cica-tariff/tariff_ec2_app_sg.tf b/terraform/environments/cica-tariff/tariff_ec2_app_sg.tf
@@ -24,14 +24,14 @@ resource "aws_security_group" "tariff_app_security_group" {
     protocol    = "tcp"
     from_port   = 22
     to_port     = 22
-    cidr_blocks = [data.aws_vpc.shared.cidr_block, local.cidr_cica_ss_a, local.cidr_cica_ss_b]
+    cidr_blocks = [data.aws_vpc.shared.cidr_block, local.cidr_cica_ss_a, local.cidr_cica_ss_b, local.cidr_cica_uat_a, local.cidr_cica_uat_b]
   }
 
   ingress {
     protocol    = "icmp"
     from_port   = -1
     to_port     = -1
-    cidr_blocks = [data.aws_vpc.shared.cidr_block, local.cidr_cica_ss_a, local.cidr_cica_ss_b]
+    cidr_blocks = [data.aws_vpc.shared.cidr_block, local.cidr_cica_ss_a, local.cidr_cica_ss_b, local.cidr_cica_uat_a, local.cidr_cica_uat_b]
   }
 
   ingress {

diff --git a/terraform/environments/cica-tariff/tariff_vpc_endpoints.tf b/terraform/environments/cica-tariff/tariff_vpc_endpoints.tf
@@ -1,74 +1,74 @@
-#Create endpoints to allow SSM from within private subnets
+# #Create endpoints to allow SSM from within private subnets
 
-#ssm
-resource "aws_vpc_endpoint" "ssm" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.ssm"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("ssm-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# #ssm
+# resource "aws_vpc_endpoint" "ssm" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.ssm"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("ssm-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
+# }
 
-resource "aws_vpc_endpoint" "ec2messages" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.ec2messages"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("ec2-messages-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# resource "aws_vpc_endpoint" "ec2messages" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.ec2messages"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("ec2-messages-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
+# }
 
 
 
-resource "aws_vpc_endpoint" "ec2" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.ec2"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("ec2-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# resource "aws_vpc_endpoint" "ec2" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.ec2"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("ec2-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
-resource "aws_vpc_endpoint" "ssm_messages" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.ssmmessages"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("ssm-messages-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# }
+# resource "aws_vpc_endpoint" "ssm_messages" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.ssmmessages"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("ssm-messages-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
+# }
 
-resource "aws_vpc_endpoint" "kms" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.kms"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("kms-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
+# resource "aws_vpc_endpoint" "kms" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.kms"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("kms-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
 
-}
+# }
 
-resource "aws_vpc_endpoint" "logs" {
-  vpc_id            = data.aws_vpc.shared.id
-  service_name      = "com.amazonaws.eu-west-2.logs"
-  vpc_endpoint_type = "Interface"
-  subnet_ids        = data.aws_subnets.shared-private.ids
-  tags = merge(tomap({
-    "Name"     = lower(format("logs-%s-endpoint", local.application_name)),
-    "hostname" = "${local.application_name}-app",
-  }), local.tags)
-}
+# resource "aws_vpc_endpoint" "logs" {
+#   vpc_id            = data.aws_vpc.shared.id
+#   service_name      = "com.amazonaws.eu-west-2.logs"
+#   vpc_endpoint_type = "Interface"
+#   subnet_ids        = data.aws_subnets.shared-private.ids
+#   tags = merge(tomap({
+#     "Name"     = lower(format("logs-%s-endpoint", local.application_name)),
+#     "hostname" = "${local.application_name}-app",
+#   }), local.tags)
+# }
-Original file line number
+Diff line change
@@ Expand Up / @@ -56,3 +56,7 @@ provider "aws" { @@
         role_arn = "arn:aws:iam::${local.environment_management.aws_organizations_root_account_id}:role/ModernisationPlatformSSOReadOnly"
       }
     }
+    provider "random" {
+    }