feat: add sfs ecs service (#8899)

* feat: add sfs ecs service * Update alfresco.tf * rename to remove _info * Update alfresco.tf * Update alfresco.tf * Update alfresco.tf * Update alfresco.tf * Update alfresco.tf * Update alfresco.tf * Update alfresco.tf
ministryofjustice · Nov 29, 2024 · b37ab74 · b37ab74
1 parent 9a8d4d7
commit b37ab74
Show file tree

Hide file tree

Showing 9 changed files with 285 additions and 20 deletions.
diff --git a/terraform/environments/delius-core/locals_environments_all.tf b/terraform/environments/delius-core/locals_environments_all.tf
@@ -17,7 +17,7 @@ locals {
     ordered_subnets               = [local.ordered_subnet_ids]
     data_subnet_ids               = data.aws_subnets.shared-data.ids
     data_subnet_a_id              = data.aws_subnet.data_subnets_a.id
-    route53_inner_zone_info       = data.aws_route53_zone.inner
+    route53_inner_zone            = data.aws_route53_zone.inner
     route53_network_services_zone = data.aws_route53_zone.network-services
     route53_external_zone         = data.aws_route53_zone.external
     shared_vpc_id                 = data.aws_vpc.shared.id
@@ -26,7 +26,8 @@ locals {
       general_shared = data.aws_kms_key.general_shared.arn
       rds_shared     = data.aws_kms_key.rds_shared.arn
     }
-    dns_suffix = "${local.application_name}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+    dns_suffix          = "${local.application_name}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+    internal_dns_suffix = "${local.application_name}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.internal"
   }
 
   platform_vars = {

diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf
@@ -13,9 +13,9 @@ resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" {
   engine_name                 = "oracle"
   username                    = local.dms_audit_username
   password                    = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
-  server_name                 = join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])
+  server_name                 = join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone.name])
   port                        = local.db_tcps_port
-  extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
+  extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
   # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
   ssl_mode        = "verify-ca"
   certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
@@ -37,9 +37,9 @@ resource "aws_dms_endpoint" "dms_user_source_endpoint_db" {
   engine_name                 = "oracle"
   username                    = local.dms_audit_username
   password                    = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
-  server_name                 = join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])
+  server_name                 = join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone.name])
   port                        = local.db_tcps_port
-  extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
+  extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
   # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
   ssl_mode        = "verify-ca"
   certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn

diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf
@@ -9,9 +9,9 @@ resource "aws_dms_endpoint" "dms_user_target_endpoint_db" {
   engine_name                 = "oracle"
   username                    = local.dms_audit_username
   password                    = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
-  server_name                 = join(".", [var.oracle_db_server_names["primarydb"], var.account_config.route53_inner_zone_info.name])
+  server_name                 = join(".", [var.oracle_db_server_names["primarydb"], var.account_config.route53_inner_zone.name])
   port                        = local.db_tcps_port
-  extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names["primarydb"], var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
+  extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names["primarydb"], var.account_config.route53_inner_zone.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
   # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
   ssl_mode        = "verify-ca"
   certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
@@ -32,9 +32,9 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" {
   engine_name                 = "oracle"
   username                    = local.dms_audit_username
   password                    = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
-  server_name                 = join(".", [var.oracle_db_server_names["primarydb"], var.account_config.route53_inner_zone_info.name])
+  server_name                 = join(".", [var.oracle_db_server_names["primarydb"], var.account_config.route53_inner_zone.name])
   port                        = local.db_tcps_port
-  extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names["primarydb"], var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
+  extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names["primarydb"], var.account_config.route53_inner_zone.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
   # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
   ssl_mode        = "verify-ca"
   certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
@@ -43,4 +43,4 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" {
     ignore_changes = [certificate_arn]
   }
   depends_on = [aws_dms_certificate.empty_oracle_wallet]
-}
+}
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_instance/dns.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/dns.tf
@@ -1,7 +1,7 @@
 resource "aws_route53_record" "db_ec2_instance_internal" {
   provider = aws.core-vpc
-  zone_id  = var.account_config.route53_inner_zone_info.zone_id
-  name     = var.db_type == "primary" ? "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${var.db_count_index}.${var.account_config.route53_inner_zone_info.name}" : "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${var.db_count_index + 1}.${var.account_config.route53_inner_zone_info.name}"
+  zone_id  = var.account_config.route53_inner_zone.zone_id
+  name     = var.db_type == "primary" ? "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${var.db_count_index}.${var.account_config.route53_inner_zone.name}" : "${var.account_info.application_name}-${var.env_name}-${var.db_suffix}-${var.db_count_index + 1}.${var.account_config.route53_inner_zone.name}"
   type     = "CNAME"
   ttl      = 60
   records  = [module.instance.aws_instance.private_dns]

diff --git a/terraform/environments/delius-core/modules/delius_environment/alfresco.tf b/terraform/environments/delius-core/modules/delius_environment/alfresco.tf
@@ -0,0 +1,264 @@
+module "alfresco_efs" {
+  source = "../helpers/efs"
+
+  name           = "alfresco"
+  env_name       = var.env_name
+  creation_token = "${var.env_name}-sfs"
+
+  kms_key_arn                     = var.account_config.kms_keys.general_shared
+  throughput_mode                 = "elastic"
+  provisioned_throughput_in_mibps = null
+  tags                            = var.tags
+  enable_platform_backups         = false
+
+  vpc_id       = var.account_config.shared_vpc_id
+  subnet_ids   = var.account_config.private_subnet_ids
+  vpc_cidr     = var.account_config.shared_vpc_cidr
+  account_info = var.account_info
+}
+
+
+module "alfresco_sfs_ecs" {
+  source = "../helpers/delius_microservice"
+
+  name     = "alfresco-sfs"
+  env_name = var.env_name
+
+  container_cpu    = 2048
+  container_memory = 4096
+
+  container_vars_default = {
+    "scheduler.content.age.millis" = 518400000 # 6 days
+    "scheduler.cleanup.interval"   = 259200000 # 3 days
+  }
+
+  container_vars_env_specific = {}
+
+  container_secrets_default      = {}
+  container_secrets_env_specific = {}
+
+  desired_count                      = 1
+  deployment_minimum_healthy_percent = 0
+  deployment_maximum_percent         = 200
+
+  container_port_config = [
+    {
+      containerPort = 8099
+      protocol      = "tcp"
+    }
+  ]
+
+  microservice_lb                    = aws_lb.alfresco_sfs
+  microservice_lb_https_listener_arn = aws_lb_listener.alfresco_sfs_listener_https.arn
+
+  alb_listener_rule_host_header = "alf-sfs.${var.env_name}.${var.account_config.dns_suffix}"
+
+  target_group_protocol_version = "HTTP1"
+
+
+  alb_health_check = {
+    path                 = "/"
+    healthy_threshold    = 5
+    interval             = 30
+    protocol             = "HTTP"
+    unhealthy_threshold  = 5
+    matcher              = "200-499"
+    timeout              = 10
+    grace_period_seconds = 180
+  }
+
+  ecs_cluster_arn           = module.ecs.ecs_cluster_arn
+  cluster_security_group_id = aws_security_group.cluster.id
+
+  bastion_sg_id = module.bastion_linux.bastion_security_group
+  tags          = var.tags
+
+  platform_vars   = var.platform_vars
+  container_image = "ghcr.io/ministryofjustice/hmpps-delius-alfresco-shared-file-store:2.1.2-4"
+  account_config  = var.account_config
+
+  account_info = var.account_info
+
+  ignore_changes_service_task_definition = true
+
+  extra_task_exec_role_policies = {
+    efs = data.aws_iam_policy_document.alfresco_efs_access_policy
+  }
+
+  providers = {
+    aws.core-vpc              = aws.core-vpc
+    aws.core-network-services = aws.core-network-services
+  }
+
+  log_error_pattern       = "%${join("|", local.ldap_formatted_error_codes)}%"
+  sns_topic_arn           = aws_sns_topic.delius_core_alarms.arn
+  enable_platform_backups = false
+  frontend_lb_arn_suffix  = aws_lb.alfresco_sfs.arn_suffix
+
+  efs_volumes = [
+    {
+      host_path = null
+      name      = "sfs"
+      efs_volume_configuration = [{
+        file_system_id          = module.alfresco_efs.fs_id
+        root_directory          = "/"
+        transit_encryption      = "ENABLED"
+        transit_encryption_port = 2049
+        authorization_config = [{
+          access_point_id = module.alfresco_efs.access_point_id
+          iam             = "DISABLED"
+        }]
+      }]
+    }
+  ]
+
+  mount_points = [{
+    sourceVolume  = "sfs"
+    containerPath = "/tmp/Alfresco"
+    readOnly      = false
+  }]
+
+  ecs_service_egress_security_group_ids = [
+    {
+      ip_protocol = "-1"
+      cidr_ipv4   = "0.0.0.0/0"
+      description = "Allow all outbound traffic to any IPv4 address"
+    }
+  ]
+
+  nlb_ingress_security_group_ids = [
+    {
+      port        = 8099
+      ip_protocol = "tcp"
+      cidr_ipv4   = var.account_config.shared_vpc_cidr
+      description = "Allow inbound traffic from VPC"
+    },
+    {
+      port        = 8099
+      ip_protocol = "udp"
+      cidr_ipv4   = var.account_config.shared_vpc_cidr
+      description = "Allow inbound traffic from VPC"
+    },
+    {
+      port        = 8099
+      ip_protocol = "tcp"
+      cidr_ipv4   = var.account_info.cp_cidr
+      description = "Allow inbound LDAP traffic from CP"
+    },
+    {
+      port        = 8099
+      ip_protocol = "udp"
+      cidr_ipv4   = var.account_info.cp_cidr
+      description = "Allow inbound LDAP traffic from CP"
+    },
+    {
+      port                         = 2049
+      ip_protocol                  = "tcp"
+      referenced_security_group_id = module.ldap.efs_sg_id
+      description                  = "EFS ingress"
+    }
+  ]
+
+  ecs_service_ingress_security_group_ids = [
+    {
+      port        = 8099
+      ip_protocol = "tcp"
+      cidr_ipv4   = var.account_config.shared_vpc_cidr
+      description = "Allow inbound traffic from VPC"
+    },
+    {
+      port        = 8099
+      ip_protocol = "udp"
+      cidr_ipv4   = var.account_config.shared_vpc_cidr
+      description = "Allow inbound traffic from VPC"
+    },
+    {
+      port        = 8099
+      ip_protocol = "tcp"
+      cidr_ipv4   = var.account_info.cp_cidr
+      description = "Allow inbound web traffic from CP"
+    },
+    {
+      port        = 8099
+      ip_protocol = "udp"
+      cidr_ipv4   = var.account_info.cp_cidr
+      description = "Allow inbound web traffic from CP"
+    },
+    {
+      port                         = 2049
+      ip_protocol                  = "tcp"
+      referenced_security_group_id = module.ldap.efs_sg_id
+      description                  = "EFS ingress"
+    }
+  ]
+}
+
+data "aws_iam_policy_document" "alfresco_efs_access_policy" {
+  statement {
+    actions = [
+      "elasticfilesystem:ClientRootAccess",
+      "elasticfilesystem:ClientWrite",
+      "elasticfilesystem:ClientMount"
+    ]
+    resources = [
+      module.ldap.efs_fs_arn
+    ]
+    effect = "Allow"
+  }
+}
+
+resource "aws_security_group" "alfresco_sfs_alb" {
+  name        = "${var.env_name}-alfresco-sfs-alb"
+  description = "controls access to and from alfresco sfs load balancer"
+  vpc_id      = var.account_config.shared_vpc_id
+  tags        = local.tags
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "alfresco_sfs_alb" {
+  for_each          = toset([var.account_info.cp_cidr, var.account_config.shared_vpc_cidr])
+  security_group_id = aws_security_group.alfresco_sfs_alb.id
+  description       = "Access into alb over https"
+  from_port         = "443"
+  to_port           = "443"
+  ip_protocol       = "tcp"
+  cidr_ipv4         = each.key
+}
+
+resource "aws_vpc_security_group_egress_rule" "alfresco_sfs_alb" {
+  security_group_id = aws_security_group.alfresco_sfs_alb.id
+  description       = "egress from alb to ecs cluster"
+  ip_protocol       = "-1"
+  cidr_ipv4         = var.account_config.shared_vpc_cidr
+}
+
+# internal application load balancer
+resource "aws_lb" "alfresco_sfs" {
+  name               = "${var.app_name}-${var.env_name}-alfresco-sfs-alb"
+  internal           = true
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.alfresco_sfs_alb.id]
+  subnets            = var.account_config.private_subnet_ids
+
+  enable_deletion_protection = false
+  drop_invalid_header_fields = true
+}
+
+
+resource "aws_lb_listener" "alfresco_sfs_listener_https" {
+  load_balancer_arn = aws_lb.alfresco_sfs.id
+  port              = 443
+  protocol          = "HTTPS"
+  certificate_arn   = local.certificate_arn
+  ssl_policy        = "ELBSecurityPolicy-TLS-1-2-2017-01"
+
+  default_action {
+    type = "fixed-response"
+    fixed_response {
+      content_type = "text/plain"
+      status_code  = "404"
+    }
+  }
+}
diff --git a/terraform/environments/delius-core/modules/delius_environment/db_ec2.tf b/terraform/environments/delius-core/modules/delius_environment/db_ec2.tf
@@ -140,8 +140,8 @@
 #    for item in var.db_config : item.name => item
 #  }
 #  provider = aws.core-vpc
-#  zone_id  = var.account_config.route53_inner_zone_info.zone_id
-#  name     = each.key == "primary-db" ? "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}" : "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}"
+#  zone_id  = var.account_config.route53_inner_zone.zone_id
+#  name     = each.key == "primary-db" ? "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone.name}" : "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone.name}"
 #  type     = "CNAME"
 #  ttl      = 300
 #  records  = [aws_instance.db_ec2_instance[each.key].private_dns]
@@ -350,8 +350,8 @@
 #    for item in var.db_config : item.name => item
 #  }
 #  provider = aws.core-vpc
-#  zone_id  = var.account_config.route53_inner_zone_info.zone_id
-#  name     = each.key == "primary-db" ? "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}" : "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}"
+#  zone_id  = var.account_config.route53_inner_zone.zone_id
+#  name     = each.key == "primary-db" ? "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone.name}" : "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone.name}"
 #  type     = "CNAME"
 #  ttl      = 300
 #  records  = [aws_instance.db_ec2_instance[each.key].private_dns]

diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/load_balancing.tf
@@ -149,7 +149,7 @@ resource "aws_lb_listener" "services" {
 
 resource "aws_route53_record" "services_nlb_r53_record" {
   provider = aws.core-vpc
-  zone_id  = var.account_config.route53_inner_zone_info.zone_id
+  zone_id  = var.account_config.route53_inner_zone.zone_id
   name     = "${var.name}.service.${var.env_name}"
   type     = "A"
   alias {

diff --git a/terraform/environments/delius-mis/locals_environments_all.tf b/terraform/environments/delius-mis/locals_environments_all.tf
@@ -18,7 +18,7 @@ locals {
     subnet_set                    = local.subnet_set
     data_subnet_ids               = data.aws_subnets.shared-data.ids
     data_subnet_a_id              = data.aws_subnet.data_subnets_a.id
-    route53_inner_zone_info       = data.aws_route53_zone.inner
+    route53_inner_zone            = data.aws_route53_zone.inner
     route53_network_services_zone = data.aws_route53_zone.network-services
     route53_external_zone         = data.aws_route53_zone.external
     shared_vpc_id                 = data.aws_vpc.shared.id

diff --git a/terraform/environments/delius-nextcloud/locals_environments_all.tf b/terraform/environments/delius-nextcloud/locals_environments_all.tf
@@ -18,7 +18,7 @@ locals {
     subnet_set                    = local.subnet_set
     data_subnet_ids               = data.aws_subnets.shared-data.ids
     data_subnet_a_id              = data.aws_subnet.data_subnets_a.id
-    route53_inner_zone_info       = data.aws_route53_zone.inner
+    route53_inner_zone            = data.aws_route53_zone.inner
     route53_network_services_zone = data.aws_route53_zone.network-services
     route53_external_zone         = data.aws_route53_zone.external
     shared_vpc_id                 = data.aws_vpc.shared.id