Nit 1150 delius core pwm vs hmpps auth usecase (#5256)
* configure pwm

* setup ses

* image + config

* Update pwm.tf

* add dkim records

* Update pwm.tf

* Update pwm.tf

* Update pwm.tf

* Update pwm.tf

* Update pwm.tf

* task def

* Update pwm.tf

* sg

* Update PwmConfiguration.xml.tpl

* create smtp creds user

* justice relay

* Update pwm.tf

* Update pwm.tf

* Update load_balancing.tf

* Update pwm.tf

* Update pwm.tf

* Update pwm.tf

* Update PwmConfiguration.xml.tpl

* security groups

* url schema

* Update pwm.tf

* Update pwm.tf

* Update pwm.tf

* fix

* ingress

* Update locals.tf

* Update pwm.tf

* Update locals_test.tf

* Update pwm.tf

* Update pwm.tf

* Update pwm.tf
georgepstaylor authored Mar 8, 2024
1 parent ec5ab17 commit b0394be
Showing 12 changed files with 306 additions and 91 deletions.
2 changes: 1 addition & 1 deletion terraform/environments/delius-core/locals_development.tf
Expand Up @@ -122,7 +122,7 @@ locals {
}

pwm = {
image_tag = "5.7.6"
image_tag = "8179630699-1"
container_port = 8080
}

2 changes: 1 addition & 1 deletion terraform/environments/delius-core/locals_test.tf
Expand Up @@ -130,7 +130,7 @@ locals {
}

pwm = {
image_tag = "5.7.6"
image_tag = "8179630699-1"
container_port = 8080
}

Original file line number Diff line number Diff line change
Expand Up @@ -8,4 +8,8 @@ output "delius_core_ldap_principal_arn" {

output "delius_core_ldap_bind_password_arn" {
value = aws_ssm_parameter.delius_core_ldap_bind_password.arn
}

output "security_group_id" {
value = aws_security_group.ldap.id
}
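Review bot: The new output is named `security_group_id` while its siblings in this file are prefixed with what they expose (`delius_core_ldap_bind_password_arn`, `delius_core_ldap_principal_arn`), so `output "ldap_security_group_id"` would read consistently at the call site. The file path is not shown in this view, so the module it belongs to is inferred from those sibling names; if the generic name is already referenced elsewhere in this commit, a rename would need to follow it through.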
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ resource "aws_security_group" "ancillary_alb_security_group" {
}

resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_global_protect_allowlist" {
for_each = toset(local.globalprotect_ips)
for_each = toset(local.all_ingress_ips)
security_group_id = aws_security_group.ancillary_alb_security_group.id
description = "Access into alb over https"
from_port = "443"
Expand All @@ -19,7 +19,7 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_https_glob
}

resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_global_protect_allowlist" {
for_each = toset(local.globalprotect_ips)
for_each = toset(local.all_ingress_ips)
security_group_id = aws_security_group.ancillary_alb_security_group.id
description = "Access into alb over http (will redirect)"
from_port = "80"
Expand All @@ -28,6 +28,13 @@ resource "aws_vpc_security_group_ingress_rule" "ancillary_alb_ingress_http_globa
cidr_ipv4 = each.key # Global Protect VPN
}

resource "aws_vpc_security_group_egress_rule" "ancillary_alb_egress_private" {
security_group_id = aws_security_group.ancillary_alb_security_group.id
description = "Access into alb over http (will redirect)"
ip_protocol = "-1"
cidr_ipv4 = var.account_config.shared_vpc_cidr
}

# tfsec:ignore:aws-elb-alb-not-public
resource "aws_lb" "delius_core_ancillary" {
# checkov:skip=CKV_AWS_91
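Review bot: The new `ancillary_alb_egress_private` rule carries the ingress description `"Access into alb over http (will redirect)"` although it is an all-protocol (`ip_protocol = "-1"`) egress to `var.account_config.shared_vpc_cidr`; `description = "ALB egress to shared VPC (all protocols)"` states what the rule actually permits. With both ingress rules now iterating `local.all_ingress_ips`, the trailing `# Global Protect VPN` comment on `cidr_ipv4 = each.key` is stale because the set also carries the Unilink ranges; `cidr_ipv4 = each.key # GlobalProtect VPN and Unilink AOVPN` matches the new local. If the ALB only needs to reach its ECS targets, restricting the egress to those target ports would keep the rule closer to least privilege, but the target ports are defined outside this hunk.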
Original file line number Diff line number Diff line change
Expand Up @@ -22,4 +22,19 @@ locals {
certificate_arn = aws_acm_certificate.external.arn

globalprotect_ips = module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_alpha
unilink_ips = [
"194.75.210.216/29", # Unilink AOVPN
"83.98.63.176/29", # Unilink AOVPN
"78.33.10.50/31", # Unilink AOVPN
"78.33.10.52/30", # Unilink AOVPN
"78.33.10.56/30", # Unilink AOVPN
"78.33.10.60/32", # Unilink AOVPN
"78.33.32.99/32", # Unilink AOVPN
"78.33.32.100/30", # Unilink AOVPN
"78.33.32.104/30", # Unilink AOVPN
"78.33.32.108/32", # Unilink AOVPN
"217.138.45.109/32", # Unilink AOVPN
"217.138.45.110/32", # Unilink AOVPN
]
all_ingress_ips = concat(local.globalprotect_ips, local.unilink_ips)
}
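Review bot: `unilink_ips` hard-codes twelve third-party CIDRs inline, whereas the adjacent `globalprotect_ips` is sourced from `module.ip_addresses`; keeping the Unilink ranges in that shared module (or a single variable) would give one place to review and update the allowlist instead of a list private to this module. The per-entry `# Unilink AOVPN` comment is repeated on every line; one comment above the list, e.g. `# Unilink AOVPN source ranges — owner/review date: <fill in>`, carries more information. Since `all_ingress_ips` feeds the ALB ingress rules elsewhere in this commit, a short comment on that local saying that additions widen internet-facing ALB access would help the next editor.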

This file was deleted.

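--- /dev/null
+++ b/terraform/environments/delius-core/modules/delius_environment/pwm.tf
@@ -0,0 +1,181 @@
+module "pwm" {
+source = "../helpers/delius_microservice"
+
+name = "pwd-manager"
+certificate_arn = local.certificate_arn
+alb_security_group_id = aws_security_group.ancillary_alb_security_group.id
+env_name = var.env_name
+container_port_config = [
+{
+containerPort = var.delius_microservice_configs.pwm.container_port
+protocol = "tcp"
+}
+]
+
+ecs_cluster_arn = module.ecs.ecs_cluster_arn
+container_secrets = [
+{
+name = "CONFIG_PASSWORD"
+valueFrom = aws_ssm_parameter.delius_core_pwm_config_password.arn
+},
+{
+name = "LDAP_PASSWORD"
+valueFrom = aws_ssm_parameter.ldap_admin_password.arn
+}
+]
+
+db_ingress_security_groups = []
+
+cluster_security_group_id = aws_security_group.cluster.id
+
+bastion_sg_id = module.bastion_linux.bastion_security_group
+
+ecs_service_ingress_security_group_ids = []
+ecs_service_egress_security_group_ids = [{
+ip_protocol = "tcp"
+port = 389
+cidr_ipv4 = var.account_config.shared_vpc_cidr
+},
+{
+ip_protocol = "tcp"
+port = 25
+cidr_ipv4 = "10.180.104.0/22" # https://github.com/ministryofjustice/staff-infrastructure-network-services/blob/main/README.md#smtp-relay-service
+
+}]
+
+tags = var.tags
+microservice_lb = aws_lb.delius_core_ancillary
+microservice_lb_https_listener_arn = aws_lb_listener.ancillary_https.arn
+
+
+alb_listener_rule_host_header = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
+
+platform_vars = var.platform_vars
+
+container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-password-management:${var.delius_microservice_configs.pwm.image_tag}"
+account_config = var.account_config
+health_check_path = "/"
+health_check_interval = "15"
+account_info = var.account_info
+
+target_group_protocol_version = "HTTP1"
+health_check_grace_period_seconds = 10
+
+container_cpu = 1024
+container_memory = 2048
+deployment_maximum_percent = 200
+deployment_minimum_healthy_percent = 100
+
+container_environment_vars = [
+{
+name = "CONFIG_XML_BASE64"
+value = base64encode(templatefile("${path.module}/templates/PwmConfiguration.xml.tpl", {
+ldap_host_url = "ldap://${module.ldap.nlb_dns_name}:${var.ldap_config.port}"
+ldap_user = module.ldap.delius_core_ldap_principal_arn
+pwm_url = "https://pwm.${var.env_name}.${var.account_config.dns_suffix}"
+# email_smtp_address = "smtp.${data.terraform_remote_state.vpc.outputs.private_zone_name}"
+email_smtp_address = "production-smtp-relay-70e032e2738d0a27.elb.eu-west-2.amazonaws.com"
+# email_from_address = "no-reply@${data.terraform_remote_state.vpc.outputs.public_zone_name}"
+email_from_address = "noreply-ndelius-pwm-${var.env_name}@digital.justice.gov.uk"
+}))
+},
+{
+name = "SECURITY_KEY"
+value = "${uuid()}"
+}
+]
+
+ignore_changes_task_definition = false
+force_new_deployment = true
+
+providers = {
+aws = aws
+aws.core-vpc = aws.core-vpc
+}
+}
+
+
+
+
+#############
+# SES
+#############"
+
+resource "aws_ses_domain_identity" "pwm" {
+domain = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
+}
+
+resource "aws_ses_domain_identity_verification" "pwm" {
+domain = "pwm.${var.env_name}.${var.account_config.dns_suffix}"
+}
+
+resource "aws_route53_record" "pwm_ses_verification_record" {
+provider = aws.core-vpc
+zone_id = var.account_config.route53_external_zone.zone_id
+name = "_amazonses.${aws_ses_domain_identity.pwm.id}"
+type = "TXT"
+ttl = "600"
+records = [aws_ses_domain_identity.pwm.verification_token]
+}
+
+resource "aws_ses_domain_identity_verification" "pwm_ses_verification" {
+domain = aws_ses_domain_identity.pwm.id
+depends_on = [aws_route53_record.pwm_ses_verification_record]
+}
+
+
+resource "aws_ses_domain_dkim" "pwm" {
+domain = aws_ses_domain_identity.pwm.domain
+}
+
+resource "aws_route53_record" "pwm_amazonses_dkim_record" {
+provider = aws.core-vpc
+count = 3
+zone_id = var.account_config.route53_external_zone.zone_id
+name = "${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}._domainkey"
+type = "CNAME"
+ttl = "600"
+records = ["${aws_ses_domain_dkim.pwm.dkim_tokens[count.index]}.dkim.amazonses.com"]
+}
+
+######################
+# SES SMTP User
+######################
+
+# resource "aws_iam_user" "pwm_ses_smtp_user" {
+# name = "pwm-smtp-user"
+# }
+#
+# resource "aws_iam_access_key" "pwm_ses_smtp_user" {
+# user = aws_iam_user.pwm_ses_smtp_user.name
+# }
+#
+# resource "aws_iam_user_policy" "pwm_ses_smtp_user" {
+# name = "pwm-ses-smtp-user-policy"
+# user = aws_iam_user.pwm_ses_smtp_user.name
+#
+# policy = jsonencode({
+# Version = "2012-10-17",
+# Statement = [
+# {
+# Effect = "Allow",
+# Action = [
+# "ses:SendRawEmail",
+# "ses:SendEmail"
+# ],
+# Resource = "*"
+# }
+# ]
+# })
+# }
+
+# resource "aws_ssm_parameter" "pwm_ses_smtp_user" {
+# name = "/pwm/ses_smtp"
+# type = "SecureString"
+# value = jsonencode({
+# user = aws_iam_user.pwm_ses_smtp_user.name,
+# key = aws_iam_access_key.pwm_ses_smtp_user.id,
+# secret = aws_iam_access_key.pwm_ses_smtp_user.secret
+# ses_smtp_password = aws_iam_access_key.pwm_ses_smtp_user.ses_smtp_password_v4
+# })
+# }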
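Review bot: `SECURITY_KEY` is set to `"${uuid()}"` inside `container_environment_vars`, so it takes a new value on every plan, and with `ignore_changes_task_definition = false` and `force_new_deployment = true` each apply registers a fresh task definition and redeploys the service even when nothing else changed; it also lands in the task definition as a plain environment variable rather than next to `CONFIG_PASSWORD` and `LDAP_PASSWORD` in `container_secrets`. Generate the key once (a `random_uuid` resource, or a pre-created `aws_ssm_parameter` of type `"SecureString"`) and pass its ARN through `container_secrets` the way the other two secrets are. Separately, `aws_ses_domain_identity_verification.pwm` duplicates `aws_ses_domain_identity_verification.pwm_ses_verification` but lacks the `depends_on` on the `_amazonses` TXT record, so on a first apply it is likely to wait on a domain that cannot yet verify; dropping the first resource is enough. The stray `"` closing the `# SES` banner comment is harmless but reads as a typo.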
