From 63f20a05cf3fe794a1fd36aa957f3be922811ca8 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Mon, 20 Nov 2023 11:54:06 +0000
Subject: [PATCH 01/16] CC-2163: Creation of EBSApps Instances
---
 .../application_variables.json | 4 +-
 .../ec2-oracle_ebs_apps-sg.tf | 363 ++++++++++++++++++
 .../ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf | 253 ++++++++++++
 3 files changed, 618 insertions(+), 2 deletions(-)
 create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-sg.tf
 create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json
index 1415462e83a..5bb6d3a6724 100644
--- a/terraform/environments/ccms-ebs-upgrade/application_variables.json
+++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json
@@ -28,8 +28,8 @@
 "clamav_ami_id": "ami-0965b5afb3ac7174e",
 "ebsdb_ami_id": "ami-0d4b266f7ae87bbfc",
 "ebsconc_ami_id": "ami-0d4b266f7ae87bbfc",
- "ebsapps_ami_id-1": "ami-0d4b266f7ae87bbfc",
- "ebsapps_ami_id-2": "ami-0d4b266f7ae87bbfc",
+ "ebsapps_ami_id-1": "ami-01dad07213d8573fa",
+ "ebsapps_ami_id-2": "ami-092cdd881efd12af8",
 "accessgate_ami_id-1": "ami-0695726199c3e30e5",
 "accessgate_ami_id-2": "ami-0695726199c3e30e5",
 "webgate_ami_id-1": "ami-0e398cd57c81356a7",
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-sg.tf
new file mode 100644
index 00000000000..dc3ab2892f4
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-sg.tf
@@ -0,0 +1,363 @@ +# Security Group for EBSAPPS +resource "aws_security_group" "ec2_sg_ebsapps" { + name = "ec2_sg_ebsapps" + description = "SG traffic control for EBSAPPS" + vpc_id = data.aws_vpc.shared.id + tags = merge(local.tags, + { Name = lower(format("sg-%s-%s-ebsapps", local.application_name, local.environment)) } + ) +} + +# INGRESS Rules + +### HTTP + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_80" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "HTTP" + protocol = "TCP" + from_port = 80 + to_port = 80 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### HTTPS + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_443" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "HTTPS" + protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### SSH + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_22" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "SSH" + protocol = "TCP" + from_port = 22 + to_port = 22 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle LDAP + +resource 
"aws_security_group_rule" "ingress_traffic_ebsapps_1389" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle LDAP" + protocol = "TCP" + from_port = 1389 + to_port = 1389 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle Listerner Port + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_152x" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle Net Listener" + protocol = "TCP" + from_port = 1521 + to_port = 1522 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_5101" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5101 + to_port = 5101 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_5401" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5401 + to_port = 5401 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + 
local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_5575" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5575 + to_port = 5575 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle LDAP SSL + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_1636" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle LDAP SSL" + protocol = "TCP" + from_port = 1636 + to_port = 1636 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_10401" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 10401 + to_port = 10401 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle HTTP + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_800x" { + 
security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle HTTP" + protocol = "TCP" + from_port = 8000 + to_port = 8005 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle HTTPS + +resource "aws_security_group_rule" "ingress_traffic_ebsapps_4443" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "ingress" + description = "Oracle HTTPS" + protocol = "TCP" + from_port = 4443 + to_port = 4444 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + + +# EGRESS Rules + +### HTTP + +resource "aws_security_group_rule" "egress_traffic_ebsapps_80" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle HTTPs" + protocol = "TCP" + from_port = 80 + to_port = 80 + cidr_blocks = ["0.0.0.0/0"] +} + +### HTTPS + +resource "aws_security_group_rule" "egress_traffic_ebsapps_443" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "HTTPS" + protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_blocks = ["0.0.0.0/0"] +} + +### FTP + +resource "aws_security_group_rule" "egress_traffic_ebsapps_2x" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "FTP" + protocol = "TCP" + from_port = 20 + to_port = 21 + cidr_blocks = ["0.0.0.0/0"] +} + +### SSH + +resource "aws_security_group_rule" "egress_traffic_ebsapps_22" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + 
description = "SSH" + protocol = "TCP" + from_port = 22 + to_port = 22 + cidr_blocks = ["0.0.0.0/0"] +} + +### ORACLE LDAP + +resource "aws_security_group_rule" "egress_traffic_ebsapps_1389" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "ORACLE LDAP" + protocol = "TCP" + from_port = 1389 + to_port = 1389 + cidr_blocks = ["0.0.0.0/0"] +} + +### ORACLE Net Listener + +resource "aws_security_group_rule" "egress_traffic_ebsapps_152x" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "ORACLE Net Listener" + protocol = "TCP" + from_port = 1521 + to_port = 1522 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_ebsapps_5101" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5101 + to_port = 5101 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_ebsapps_5401" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5401 + to_port = 5401 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_ebsapps_5575" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5575 + to_port = 5575 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle LDAP SSL + +resource "aws_security_group_rule" "egress_traffic_ebsapps_1636" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle LDAP SSL" + protocol = "TCP" + from_port = 1636 + to_port = 1636 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_ebsapps_10401" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle" + protocol 
= "TCP" + from_port = 10401 + to_port = 10401 + cidr_blocks = ["0.0.0.0/0"] +} + +### Lloyds FTP + +resource "aws_security_group_rule" "egress_traffic_ebsapps_50000" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 50000 + to_port = 51000 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle HTTP + +resource "aws_security_group_rule" "egress_traffic_ebsapps_800x" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle HTTP" + protocol = "TCP" + from_port = 8000 + to_port = 8005 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle HTTPS + +resource "aws_security_group_rule" "egress_traffic_ebsapps_4443" { + security_group_id = aws_security_group.ec2_sg_ebsapps.id + type = "egress" + description = "Oracle HTTPS" + protocol = "TCP" + from_port = 4443 + to_port = 4444 + cidr_blocks = ["0.0.0.0/0"] +} + diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf new file mode 100644 index 00000000000..9d3954bfef9 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf 
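Review bot: Every egress rule in this file opens its port to `0.0.0.0/0`, including SSH (`egress_traffic_ebsapps_22`), cleartext FTP 20-21, LDAP 1389 and all the Oracle ports, while the matching ingress rules are scoped to the VPC and landing-zone CIDRs. Unless the app tier genuinely needs to reach arbitrary internet hosts on those ports, the egress `cidr_blocks` should reuse the same CIDR list as ingress (or the specific peer ranges), leaving `0.0.0.0/0` only on 80/443 if outbound package access is required. Two descriptions are also wrong and will mislead anyone auditing the group: `egress_traffic_ebsapps_80` reads `description = "Oracle HTTPs"` and `egress_traffic_ebsapps_50000` under the `### Lloyds FTP` heading reads `description = "Oracle"`; suggest `description = "HTTP"` and `description = "Lloyds FTP"` respectively. The `### Oracle Listerner Port` heading is a typo for `Listener`.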
@@ -0,0 +1,253 @@ +resource "aws_instance" "ec2_ebsapps" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps + ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"] + key_name = local.application_data.accounts[local.environment].key_name + vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id] + subnet_id = local.private_subnets[count.index] + #subnet_id = data.aws_subnet.data_subnets_a.id + monitoring = true + ebs_optimized = false + associate_public_ip_address = false + iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name + + cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsapps + cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsapps + + # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. 
+ lifecycle { + ignore_changes = [ + ebs_block_device, + user_data, + user_data_replace_on_change + ] + } + user_data_replace_on_change = false + user_data = base64encode(templatefile("./templates/ec2_user_data_ebs_apps.sh", { + hostname = "ebs-apps" + })) + + # AMI ebs mappings from /dev/sd[a-d] + # root + # Increase the volume size of the root volume + root_block_device { + volume_type = "gp3" + volume_size = 50 + encrypted = true + tags = merge(local.tags, + { Name = "root-block" } + ) + } + + tags = merge(local.tags, + { Name = lower(format("ec2-%s-%s-ebsapps-%s", local.application_name, local.environment, count.index + 1)) }, + { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, + { backup = "true" } + ) + depends_on = [aws_security_group.ec2_sg_ebsapps] +} + +resource "aws_ebs_volume" "swap" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = aws_instance.ec2_ebsapps[count.index].availability_zone + size = 20 + type = "gp3" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "swap" } + ) +} + +resource "aws_volume_attachment" "swap_att" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + depends_on = [aws_ebs_volume.swap] + device_name = "/dev/sdb" + volume_id = aws_ebs_volume.swap[count.index].id + instance_id = aws_instance.ec2_ebsapps[count.index].id +} + +resource "aws_ebs_volume" "temp" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = aws_instance.ec2_ebsapps[count.index].availability_zone + size = 100 + type = "gp3" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "temp" } + ) +} + +resource "aws_volume_attachment" "temp_att" { + 
count = local.application_data.accounts[local.environment].ebsapps_no_instances + depends_on = [aws_ebs_volume.temp] + device_name = "/dev/sdc" + volume_id = aws_ebs_volume.temp[count.index].id + instance_id = aws_instance.ec2_ebsapps[count.index].id +} + +resource "aws_ebs_volume" "home" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = aws_instance.ec2_ebsapps[count.index].availability_zone + size = 100 + type = "gp3" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "home" } + ) +} + +resource "aws_volume_attachment" "home_att" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + depends_on = [aws_ebs_volume.home] + device_name = "/dev/sdd" + volume_id = aws_ebs_volume.home[count.index].id + instance_id = aws_instance.ec2_ebsapps[count.index].id +} + +resource "aws_ebs_volume" "export_home" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = aws_instance.ec2_ebsapps[count.index].availability_zone + size = local.application_data.accounts[local.environment].ebsapps_exhome_size + type = "io2" + iops = local.application_data.accounts[local.environment].ebsapps_default_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "export home" } + ) +} + +resource "aws_volume_attachment" "export_home_att" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + depends_on = [aws_ebs_volume.export_home] + device_name = "/dev/sdh" + volume_id = aws_ebs_volume.export_home[count.index].id + instance_id = aws_instance.ec2_ebsapps[count.index].id +} + +resource "aws_ebs_volume" "u01" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + lifecycle { + 
ignore_changes = [kms_key_id] + } + availability_zone = aws_instance.ec2_ebsapps[count.index].availability_zone + size = local.application_data.accounts[local.environment].ebsapps_u01_size + type = "io2" + iops = local.application_data.accounts[local.environment].ebsapps_default_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "u01" } + ) +} + +resource "aws_volume_attachment" "u01_att" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + depends_on = [aws_ebs_volume.u01] + device_name = "/dev/sdi" + volume_id = aws_ebs_volume.u01[count.index].id + instance_id = aws_instance.ec2_ebsapps[count.index].id +} + +resource "aws_ebs_volume" "u03" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = aws_instance.ec2_ebsapps[count.index].availability_zone + size = local.application_data.accounts[local.environment].ebsapps_u03_size + type = "io2" + iops = local.application_data.accounts[local.environment].ebsapps_default_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "u03" } + ) +} + +resource "aws_volume_attachment" "u03_att" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + depends_on = [aws_ebs_volume.u03] + device_name = "/dev/sdj" + volume_id = aws_ebs_volume.u03[count.index].id + instance_id = aws_instance.ec2_ebsapps[count.index].id +} + +resource "aws_ebs_volume" "stage" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = aws_instance.ec2_ebsapps[count.index].availability_zone + size = local.application_data.accounts[local.environment].ebsapps_stage_size + type = "io2" + iops = 3000 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = 
merge(local.tags, + { Name = "stage" } + ) +} + +resource "aws_volume_attachment" "stage_att" { + count = local.application_data.accounts[local.environment].ebsapps_no_instances + depends_on = [aws_ebs_volume.stage] + device_name = "/dev/sdk" + volume_id = aws_ebs_volume.stage[count.index].id + instance_id = aws_instance.ec2_ebsapps[count.index].id +} + +module "cw-ebsapps-ec2" { + source = "./modules/cw-ec2" + count = local.application_data.accounts[local.environment].ebsapps_no_instances + + short_env = local.application_data.accounts[local.environment].short_env + name = "ec2-ebsapps-${count.index + 1}" + topic = aws_sns_topic.cw_alerts.arn + instanceId = aws_instance.ec2_ebsapps[count.index].id + imageId = data.aws_ami.oracle_base_prereqs.id + instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps + fileSystem = "xfs" # Linux root filesystem + rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images + + cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_period = local.application_data.cloudwatch_ec2.cpu.period + cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold + + mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_period = local.application_data.cloudwatch_ec2.mem.period + mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold + + disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_period = local.application_data.cloudwatch_ec2.disk.period + disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold + + insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods + insthc_period = 
 local.application_data.cloudwatch_ec2.insthc.period
+ insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold
+
+ syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods
+ syshc_period = local.application_data.cloudwatch_ec2.syshc.period
+ syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold
+}
From 41ce3d6db2a7be989b3a336c4d21a8b2332566d3 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Mon, 20 Nov 2023 11:59:22 +0000
Subject: [PATCH 02/16] CC-2163: Creation of EBSApps Instances
---
 .../ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf
index 9d3954bfef9..0b1c2a87f11 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf
@@ -119,7 +119,7 @@ resource "aws_volume_attachment" "home_att" {
 instance_id = aws_instance.ec2_ebsapps[count.index].id
 }
-resource "aws_ebs_volume" "export_home" {
+resource "aws_ebs_volume" "apps_export_home" {
 count = local.application_data.accounts[local.environment].ebsapps_no_instances
 lifecycle {
 ignore_changes = [kms_key_id]
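Review bot: `aws_instance.ec2_ebsapps` sets no `metadata_options`, so the instances keep the default metadata endpoint that still answers IMDSv1 requests; adding `metadata_options { http_tokens = "required" }` would make the instance-profile credentials reachable only through IMDSv2 session tokens. The `root_block_device` is `encrypted = true` but, unlike every `aws_ebs_volume` in this file which sets `kms_key_id = data.aws_kms_key.ebs_shared.key_id`, it names no key, so the root volume falls under the account default EBS key rather than the shared one — add `kms_key_id = data.aws_kms_key.ebs_shared.key_id` there too if the shared key is the intended standard. Separately, `swap`, `temp` and `home` are generic resource names; if another file in this environment already declares an `aws_ebs_volume` with the same names the plan will fail on the duplicate, and an `apps_` prefix would avoid that.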
@@ -135,15 +135,15 @@ resource "aws_ebs_volume" "export_home" {
 )
 }
-resource "aws_volume_attachment" "export_home_att" {
+resource "aws_volume_attachment" "apps_export_home_att" {
 count = local.application_data.accounts[local.environment].ebsapps_no_instances
- depends_on = [aws_ebs_volume.export_home]
+ depends_on = [aws_ebs_volume.apps_export_home]
 device_name = "/dev/sdh"
- volume_id = aws_ebs_volume.export_home[count.index].id
+ volume_id = aws_ebs_volume.apps_export_home[count.index].id
 instance_id = aws_instance.ec2_ebsapps[count.index].id
 }
-resource "aws_ebs_volume" "u01" {
+resource "aws_ebs_volume" "apps_u01" {
 count = local.application_data.accounts[local.environment].ebsapps_no_instances
 lifecycle {
 ignore_changes = [kms_key_id]
@@ -159,15 +159,15 @@ resource "aws_ebs_volume" "u01" {
 )
 }
-resource "aws_volume_attachment" "u01_att" {
+resource "aws_volume_attachment" "apps_u01_att" {
 count = local.application_data.accounts[local.environment].ebsapps_no_instances
- depends_on = [aws_ebs_volume.u01]
+ depends_on = [aws_ebs_volume.apps_u01]
 device_name = "/dev/sdi"
- volume_id = aws_ebs_volume.u01[count.index].id
+ volume_id = aws_ebs_volume.apps_u01[count.index].id
 instance_id = aws_instance.ec2_ebsapps[count.index].id
 }
-resource "aws_ebs_volume" "u03" {
+resource "aws_ebs_volume" "apps_u03" {
 count = local.application_data.accounts[local.environment].ebsapps_no_instances
 lifecycle {
 ignore_changes = [kms_key_id]
@@ -183,11 +183,11 @@ resource "aws_ebs_volume" "u03" {
 )
 }
-resource "aws_volume_attachment" "u03_att" {
+resource "aws_volume_attachment" "apps_u03_att" {
 count = local.application_data.accounts[local.environment].ebsapps_no_instances
- depends_on = [aws_ebs_volume.u03]
+ depends_on = [aws_ebs_volume.apps_u03]
 device_name = "/dev/sdj"
- volume_id = aws_ebs_volume.u03[count.index].id
+ volume_id = aws_ebs_volume.apps_u03[count.index].id
 instance_id = aws_instance.ec2_ebsapps[count.index].id
 }
From dcb0172d2ac611058cf13b10ab7ae1e006718c6c Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Mon, 20 Nov 2023 12:02:45 +0000
Subject: [PATCH 03/16] CC-2163: Creation of EBSApps Instances
---
 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf
index 0b1c2a87f11..7136e078ab9 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps.tf
@@ -223,7 +223,7 @@ module "cw-ebsapps-ec2" {
 name = "ec2-ebsapps-${count.index + 1}"
 topic = aws_sns_topic.cw_alerts.arn
 instanceId = aws_instance.ec2_ebsapps[count.index].id
- imageId = data.aws_ami.oracle_base_prereqs.id
+ imageId = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
 instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
 fileSystem = "xfs" # Linux root filesystem
 rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images
From cfe07602d2764eadb6486975ca462ac13d5c556c Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Mon, 20 Nov 2023 16:49:55 +0000
Subject: [PATCH 04/16] CC-2163: Creation of EBSApps Instances
---
 .../ccms-ebs-upgrade/certificates.tf | 116 ++++++++++--------
 .../ccms-ebs-upgrade/member-locals.tf | 2 +
 2 files changed, 67 insertions(+), 51 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf
index 34d00637c02..63168a33ef5 100644
--- a/terraform/environments/ccms-ebs-upgrade/certificates.tf
+++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf
@@ -3,54 +3,68 @@
 # *.laa-test.modernisation-platform.service.justice.gov.uk
 # *.laa-preproduction.modernisation-platform.service.justice.gov.uk
-# resource "aws_acm_certificate" "laa_cert" {
-# domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment)
-# validation_method = "DNS"
-
-# subject_alternative_names = [
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment),
-# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment)
-# ]
-
-# tags = merge(local.tags,
-# { Name = lower(format("%s-%s-certificate", local.application_name, local.environment)) }
-# )
-
-# lifecycle {
-# create_before_destroy = true
-# }
-# }
-
-# resource "aws_acm_certificate_validation" "laa_cert" {
-# certificate_arn = aws_acm_certificate.laa_cert.arn
-# validation_record_fqdns = [for record in aws_route53_record.laa_cert_validation : record.fqdn]
-# timeouts {
-# create = "10m"
-# }
-# }
-
-# resource "aws_route53_record" "laa_cert_validation" {
-# provider = aws.core-vpc
-# for_each = {
-# for dvo in aws_acm_certificate.laa_cert.domain_validation_options : dvo.domain_name => {
-# name = dvo.resource_record_name
-# record = dvo.resource_record_value
-# type = dvo.resource_record_type
-# }
-# }
-
-# allow_overwrite = true
-# name = each.value.name
-# records = [each.value.record]
-# ttl = 60
-# type = each.value.type
-# zone_id = data.aws_route53_zone.external.zone_id
-# }
+resource "aws_acm_certificate" "external" {
+ count = local.is-production ? 0 : 1
+
+ validation_method = "DNS"
+ domain_name = "modernisation-platform.service.justice.gov.uk"
+ subject_alternative_names = [
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "portal-ag-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment),
+ format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment)
+ ]
+
+ tags = merge(local.tags,
+ { Environment = local.environment }
+ )
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+## Validation
+resource "aws_route53_record" "external_validation" {
+ depends_on = [
+ aws_instance.ec2_oracle_ebs,
+ aws_instance.ec2_ebsapps
+ ]
+
+ provider = aws.core-network-services
+
+ for_each = {
+ for dvo in local.cert_opts : dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+ allow_overwrite = true
+ name = each.value.name
+ records = [each.value.record]
+ ttl = 60
+ type = each.value.type
+ zone_id = local.cert_zone_id
+}
+
+resource "aws_acm_certificate_validation" "external" {
+ count = local.is-production ? 1 : 1
+
+ depends_on = [
+ aws_route53_record.external_validation
+ ]
+
+ certificate_arn = local.cert_arn
+ validation_record_fqdns = [for record in aws_route53_record.external_validation : record.fqdn]
+
+ timeouts {
+ create = "10m"
+ }
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/member-locals.tf b/terraform/environments/ccms-ebs-upgrade/member-locals.tf
index 41b9cbb8846..3efe8f9b902 100644
--- a/terraform/environments/ccms-ebs-upgrade/member-locals.tf
+++ b/terraform/environments/ccms-ebs-upgrade/member-locals.tf
@@ -25,5 +25,7 @@ locals {
 data.aws_subnet.public_subnets_c.id
 ]
+ cert_opts = aws_acm_certificate.external[0].domain_validation_options
+ cert_arn = aws_acm_certificate.external[0].arn
 cert_zone_id = data.aws_route53_zone.network-services.zone_id
 }
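Review bot: `aws_acm_certificate_validation.external` uses `count = local.is-production ? 1 : 1`, which evaluates to 1 in both branches and so is a no-op that reads as a mistake; either drop the `count` or make it match the certificate's own `count = local.is-production ? 0 : 1`, because as written in this commit production would instantiate the validation while `local.cert_arn` indexes `aws_acm_certificate.external[0]` on a zero-length resource and the plan would fail there. The `depends_on` in `aws_route53_record.external_validation` on `aws_instance.ec2_oracle_ebs` and `aws_instance.ec2_ebsapps` ties DNS validation of the certificate to the EC2 instances; nothing in the record references those instances, so the dependency appears unnecessary and will hold up certificate issuance until both instance sets are created and couple a certificate rebuild to instance replacement. If the coupling is intentional, a comment above the `depends_on` explaining why would save the next reader from removing it.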
From 2462fcd8810d3c686f8d91d6d9ed74aefd6d8fe1 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Tue, 21 Nov 2023 08:38:53 +0000
Subject: [PATCH 05/16] CC-2163: Creation of EBSApps Instances
---
 terraform/environments/ccms-ebs-upgrade/certificates.tf | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf
index 63168a33ef5..57f01655fcd 100644
--- a/terraform/environments/ccms-ebs-upgrade/certificates.tf
+++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf
@@ -4,10 +4,9 @@
 # *.laa-preproduction.modernisation-platform.service.justice.gov.uk
 resource "aws_acm_certificate" "external" {
- count = local.is-production ? 0 : 1
 validation_method = "DNS"
- domain_name = "modernisation-platform.service.justice.gov.uk"
+ domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment)
 subject_alternative_names = [
 format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment),
 format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment),
@@ -37,7 +36,7 @@ resource "aws_route53_record" "external_validation" {
 aws_instance.ec2_ebsapps
 ]
- provider = aws.core-network-services
+ provider = aws.core-vpc
 for_each = {
 for dvo in local.cert_opts : dvo.domain_name => {
From 0a754baed7bed05aef636c9379c384810d8ab6f9 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Tue, 21 Nov 2023 08:52:33 +0000
Subject: [PATCH 06/16] CC-2163: Creation of EBSApps Instances
---
 terraform/environments/ccms-ebs-upgrade/member-locals.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/member-locals.tf b/terraform/environments/ccms-ebs-upgrade/member-locals.tf
index 3efe8f9b902..c8120ac7c33 100644
--- a/terraform/environments/ccms-ebs-upgrade/member-locals.tf
+++ b/terraform/environments/ccms-ebs-upgrade/member-locals.tf
@@ -25,7 +25,7 @@ locals {
 data.aws_subnet.public_subnets_c.id
 ]
- cert_opts = aws_acm_certificate.external[0].domain_validation_options
- cert_arn = aws_acm_certificate.external[0].arn
+ cert_opts = aws_acm_certificate.external.domain_validation_options
+ cert_arn = aws_acm_certificate.external.arn
 cert_zone_id = data.aws_route53_zone.network-services.zone_id
 }
From 10cfee42196b3e193251b7096e4573b2fccabc91 Mon Sep 17 00:00:00 2001
From: SahidKhan89
Date: Tue, 21 Nov 2023 10:12:31 +0000
Subject: [PATCH 07/16] CC-2163: Creation of EBSApps Instances
---
 .../environments/ccms-ebs-upgrade/certificates.tf | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf
index 57f01655fcd..77cce460cbd 100644
--- a/terraform/environments/ccms-ebs-upgrade/certificates.tf
+++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf
@@ -8,16 +8,16 @@ resource "aws_acm_certificate" "external" { validation_method = "DNS" domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment) subject_alternative_names = [ - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", 
"portal-ag-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment), - format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment) +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev1-upgrade", var.networking[0].business-unit, local.environment), +# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "wgatedev2-upgrade", var.networking[0].business-unit, local.environment) ] tags = merge(local.tags, From 362bf4c9d2a3a36b797e3201e104bce5deb40834 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 21 Nov 2023 12:02:22 +0000 Subject: [PATCH 08/16] CC-2163: Creation of EBSApps Instances --- .../ec2-oracle_ebs_apps-alb-sg.tf | 42 +++++++++++++ .../ec2-oracle_ebs_apps-alb.tf | 60 +++++++++++++++++++ 2 files changed, 102 insertions(+) create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb-sg.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb-sg.tf new file mode 100644 index 00000000000..69ba667b002 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb-sg.tf 
@@ -0,0 +1,42 @@
+# Security Group for EBSAPP LB
+resource "aws_security_group" "sg_ebsapps_lb" {
+ name = "sg_ebsapps_lb"
+ description = "Inbound traffic control for EBSAPPS loadbalancer"
+ vpc_id = data.aws_vpc.shared.id
+
+ tags = merge(local.tags,
+ { Name = lower(format("sg-%s-%s-loadbalancer", local.application_name, local.environment)) }
+ )
+}
+
+# INGRESS Rules
+
+### HTTPS
+
+resource "aws_security_group_rule" "ingress_traffic_ebslb_443" {
+ security_group_id = aws_security_group.sg_ebsapps_lb.id
+ type = "ingress"
+ description = "HTTPS"
+ protocol = "TCP"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env]
+}
+
+
+# EGRESS Rules
+
+### All
+
+resource "aws_security_group_rule" "egress_traffic_ebslb_80" {
+ security_group_id = aws_security_group.ec2_sg_ebsapps.id
+ type = "egress"
+ description = "All"
+ protocol = "TCP"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf
new file mode 100644
index 00000000000..df5e3276aa6
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf
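Review bot: `egress_traffic_ebslb_80` is attached to `aws_security_group.ec2_sg_ebsapps.id`, not to the load-balancer group `sg_ebsapps_lb` this file defines, so the ALB group is left with no egress rule (the `aws_security_group` resource revokes the AWS default allow-all egress) and the instance group gains an extra rule instead. The rule name says 80 and the description says All while the ports are 0-0 over TCP; the ALB only needs to reach its targets on the target-group port, which patch 08 already exposes as `tg_apps_port`. The rule below fixes the attachment and scopes the egress to what the listener actually forwards.
```hcl
resource "aws_security_group_rule" "egress_traffic_ebslb_80" {
  security_group_id = aws_security_group.sg_ebsapps_lb.id
  type              = "egress"
  description       = "To EBSAPPS targets"
  protocol          = "TCP"
  from_port         = local.application_data.accounts[local.environment].tg_apps_port
  to_port           = local.application_data.accounts[local.environment].tg_apps_port
  cidr_blocks       = [data.aws_vpc.shared.cidr_block]
}
```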
@@ -0,0 +1,60 @@
+resource "aws_lb" "ebsapps_lb" {
+ name = lower(format("lb-%s-ebsapp", local.application_name))
+ internal = true
+ load_balancer_type = "application"
+ security_groups = [aws_security_group.sg_ebsapps_lb.id]
+ subnets = data.aws_subnets.shared-private.ids
+
+ enable_deletion_protection = true
+
+ access_logs {
+ bucket = module.s3-bucket-logging.bucket.id
+ prefix = local.lb_log_prefix_ebsapp
+ enabled = true
+ }
+
+ tags = merge(local.tags,
+ { Name = lower(format("lb-%s-ebsapp", local.application_name)) }
+ )
+}
+
+resource "aws_lb_listener" "ebsapps_listener" {
+ depends_on = [
+ aws_acm_certificate_validation.external
+ ]
+
+ load_balancer_arn = aws_lb.ebsapps_lb.arn
+ port = "443"
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-2016-08"
+ certificate_arn = "arn:aws:acm:eu-west-2:295992623913:certificate/2a9438fc-7d0a-4dae-a8d0-05f846793a15"
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.ebsapp_tg.id
+ }
+}
+
+resource "aws_lb_target_group" "ebsapp_tg" {
+ name = lower(format("tg-%s-ebsapp", local.application_name))
+ port = local.application_data.accounts[local.environment].tg_apps_port
+ protocol = "HTTP"
+ vpc_id = data.aws_vpc.shared.id
+ health_check {
+ port = local.application_data.accounts[local.environment].tg_apps_port
+ protocol = "HTTP"
+ }
+
+ stickiness {
+ enabled = true
+ type = "lb_cookie"
+ cookie_duration = 3600
+ }
+}
+
+resource "aws_lb_target_group_attachment" "ebsapps" {
+ count = local.application_data.accounts[local.environment].ebsapps_no_instances
+ target_group_arn = aws_lb_target_group.ebsapp_tg.arn
+ target_id = element(aws_instance.ec2_ebsapps.*.id, count.index)
+ port = local.application_data.accounts[local.environment].tg_apps_port
+}
From 2dbb6e1b58d4f01a59b5bfeb55a793d5b41dbce1 Mon Sep 17 00:00:00 2001
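Review bot: `ssl_policy = "ELBSecurityPolicy-2016-08"` on `ebsapps_listener` still negotiates TLS 1.0 and 1.1; for a new listener a TLS 1.2-minimum policy such as `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` is the usual choice, and the choice deserves a one-line comment either way. `certificate_arn` is a literal that embeds an account id and a certificate id, so it will not track the `aws_acm_certificate.external` resource this module manages (patch 13 later replaces it with the resource attribute). The target group's `health_check` sets only port and protocol, leaving path and matcher at provider defaults; setting `path` explicitly avoids a silent dependency on what `/` returns on the E-Business Suite front end.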
From: SahidKhan89 Date: Tue, 21 Nov 2023 14:01:17 +0000 Subject: [PATCH 09/16] CC-2176: Creation of AccessGate Instances --- .../ec2-oracle_accessgate-sg.tf | 363 ++++++++++++++++++ .../ccms-ebs-upgrade/ec2-oracle_accessgate.tf | 123 ++++++ .../environments/ccms-ebs-upgrade/r53.tf | 40 ++ 3 files changed, 526 insertions(+) create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate-sg.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate-sg.tf new file mode 100644 index 00000000000..ef3d5094b2f --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate-sg.tf 
@@ -0,0 +1,363 @@ +# Security Group for AccessGate +resource "aws_security_group" "ec2_sg_accessgate" { + name = "ec2_sg_accessgate" + description = "SG traffic control for AccessGate" + vpc_id = data.aws_vpc.shared.id + tags = merge(local.tags, + { Name = lower(format("sg-%s-%s-accessgate", local.application_name, local.environment)) } + ) +} + +# INGRESS Rules + +### HTTP + +resource "aws_security_group_rule" "ingress_traffic_accessgate_80" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "HTTP" + protocol = "TCP" + from_port = 80 + to_port = 80 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### HTTPS + +resource "aws_security_group_rule" "ingress_traffic_accessgate_443" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "HTTPS" + protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### SSH + +resource "aws_security_group_rule" "ingress_traffic_accessgate_22" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "SSH" + protocol = "TCP" + from_port = 22 + to_port = 22 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### 
Oracle LDAP + +resource "aws_security_group_rule" "ingress_traffic_accessgate_1389" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle LDAP" + protocol = "TCP" + from_port = 1389 + to_port = 1389 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle Listerner Port + +resource "aws_security_group_rule" "ingress_traffic_accessgate_152x" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle Net Listener" + protocol = "TCP" + from_port = 1521 + to_port = 1522 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_accessgate_5101" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5101 + to_port = 5101 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_accessgate_5401" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5401 + to_port = 5401 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + 
local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_accessgate_5575" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5575 + to_port = 5575 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle LDAP SSL + +resource "aws_security_group_rule" "ingress_traffic_accessgate_1636" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle LDAP SSL" + protocol = "TCP" + from_port = 1636 + to_port = 1636 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_accessgate_10401" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 10401 + to_port = 10401 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle HTTP + +resource "aws_security_group_rule" 
"ingress_traffic_accessgate_800x" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle HTTP" + protocol = "TCP" + from_port = 8000 + to_port = 8005 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle HTTPS + +resource "aws_security_group_rule" "ingress_traffic_accessgate_4443" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "ingress" + description = "Oracle HTTPS" + protocol = "TCP" + from_port = 4443 + to_port = 4444 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + + +# EGRESS Rules + +### HTTP + +resource "aws_security_group_rule" "egress_traffic_accessgate_80" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle HTTPs" + protocol = "TCP" + from_port = 80 + to_port = 80 + cidr_blocks = ["0.0.0.0/0"] +} + +### HTTPS + +resource "aws_security_group_rule" "egress_traffic_accessgate_443" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "HTTPS" + protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_blocks = ["0.0.0.0/0"] +} + +### FTP + +resource "aws_security_group_rule" "egress_traffic_accessgate_2x" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "FTP" + protocol = "TCP" + from_port = 20 + to_port = 21 + cidr_blocks = ["0.0.0.0/0"] +} + +### SSH + +resource "aws_security_group_rule" "egress_traffic_accessgate_22" { + 
security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "SSH" + protocol = "TCP" + from_port = 22 + to_port = 22 + cidr_blocks = ["0.0.0.0/0"] +} + +### ORACLE LDAP + +resource "aws_security_group_rule" "egress_traffic_accessgate_1389" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "ORACLE LDAP" + protocol = "TCP" + from_port = 1389 + to_port = 1389 + cidr_blocks = ["0.0.0.0/0"] +} + +### ORACLE Net Listener + +resource "aws_security_group_rule" "egress_traffic_accessgate_152x" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "ORACLE Net Listener" + protocol = "TCP" + from_port = 1521 + to_port = 1522 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_accessgate_5101" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5101 + to_port = 5101 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_accessgate_5401" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5401 + to_port = 5401 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_accessgate_5575" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5575 + to_port = 5575 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle LDAP SSL + +resource "aws_security_group_rule" "egress_traffic_accessgate_1636" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle LDAP SSL" + protocol = "TCP" + from_port = 1636 + to_port = 1636 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" 
"egress_traffic_accessgate_10401" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 10401 + to_port = 10401 + cidr_blocks = ["0.0.0.0/0"] +} + +### Lloyds FTP + +resource "aws_security_group_rule" "egress_traffic_accessgate_50000" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 50000 + to_port = 51000 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle HTTP + +resource "aws_security_group_rule" "egress_traffic_accessgate_800x" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle HTTP" + protocol = "TCP" + from_port = 8000 + to_port = 8005 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle HTTPS + +resource "aws_security_group_rule" "egress_traffic_accessgate_4443" { + security_group_id = aws_security_group.ec2_sg_accessgate.id + type = "egress" + description = "Oracle HTTPS" + protocol = "TCP" + from_port = 4443 + to_port = 4444 + cidr_blocks = ["0.0.0.0/0"] +} + diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf new file mode 100644 index 00000000000..986994c0f3c --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf 
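Review bot: Several descriptions in the egress section are copy-paste leftovers: `egress_traffic_accessgate_80` is described as "Oracle HTTPs" and `egress_traffic_accessgate_50000`, under the "Lloyds FTP" heading, as "Oracle"; the ingress heading "Oracle Listerner Port" is also misspelled. Every egress rule — including SSH 22, FTP 20-21 and the 50000-51000 passive range — is open to `0.0.0.0/0`, even where the heading names a single known peer; for those rules `description = "Lloyds FTP"` together with `cidr_blocks = [<lloyds-ftp-cidr placeholder>]` would both document and constrain the intent, and a short comment on the remaining `0.0.0.0/0` rules should say why the destination cannot be narrowed. The same descriptions are reused verbatim from the EBSAPPS group, so whichever fix is applied here should be mirrored there.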
@@ -0,0 +1,123 @@ +resource "aws_instance" "ec2_accessgate" { + count = local.application_data.accounts[local.environment].accessgate_no_instances + instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate + ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"] + key_name = local.application_data.accounts[local.environment].key_name + vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id] + subnet_id = local.private_subnets[count.index] + #subnet_id = data.aws_subnet.data_subnets_a.id + monitoring = true + ebs_optimized = false + associate_public_ip_address = false + iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name + + cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_accessgate + cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_accessgate + + # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. 
+ # Also includes ebs_optimized and cpu_core_count due to changing instance family from c5d.2xlarge to m5d.large + lifecycle { + ignore_changes = [ + cpu_core_count, + ebs_block_device, + ebs_optimized, + user_data, + user_data_replace_on_change + ] + } + user_data_replace_on_change = false + user_data = base64encode(templatefile("./templates/ec2_user_data_accessgate.sh", { + hostname = "accessgate" + })) + + # AMI ebs mappings from /dev/sd[a-d] + # root + # Increase the volume size of the root volume + root_block_device { + volume_type = "gp3" + volume_size = 50 + encrypted = true + tags = merge(local.tags, + { Name = "root-block" } + ) + } + # swap + ebs_block_device { + device_name = "/dev/sdb" + volume_type = "gp3" + volume_size = 20 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + } + # temp + ebs_block_device { + device_name = "/dev/sdc" + volume_type = "gp3" + volume_size = 100 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + } + # home + ebs_block_device { + device_name = "/dev/sdd" + volume_type = "gp3" + volume_size = 100 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + } + + # non-AMI mappings start at /dev/sdh + # u01 + ebs_block_device { + device_name = "/dev/sdh" + volume_type = "io2" + volume_size = local.application_data.accounts[local.environment].accessgate_u01_size + iops = local.application_data.accounts[local.environment].accessgate_default_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + } + + tags = merge(local.tags, + { Name = lower(format("ec2-%s-%s-accessgate-%s", local.application_name, local.environment, count.index + 1)) }, + { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, + { backup = "true" } + ) + depends_on = [aws_security_group.ec2_sg_accessgate] +} + +module "cw-accgate-ec2" { + source = "./modules/cw-ec2" + count = local.application_data.accounts[local.environment].accessgate_no_instances 
+ + short_env = local.application_data.accounts[local.environment].short_env + name = "ec2-accgate-${count.index + 1}" + topic = aws_sns_topic.cw_alerts.arn + instanceId = aws_instance.ec2_accessgate[count.index].id + imageId = data.aws_ami.accessgate.id + instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate + fileSystem = "xfs" # Linux root filesystem + rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images + + cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_period = local.application_data.cloudwatch_ec2.cpu.period + cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold + + mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_period = local.application_data.cloudwatch_ec2.mem.period + mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold + + disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_period = local.application_data.cloudwatch_ec2.disk.period + disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold + + insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods + insthc_period = local.application_data.cloudwatch_ec2.insthc.period + insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold + + syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods + syshc_period = local.application_data.cloudwatch_ec2.syshc.period + syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold +} diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf index bdf55239409..8b2316957b1 100644 
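Review bot: `root_block_device` on `ec2_accessgate` sets `encrypted = true` without a `kms_key_id`, while every `ebs_block_device` in the same resource uses `data.aws_kms_key.ebs_shared.key_id`, so the root volume is encrypted under the account default key rather than the shared key; adding `kms_key_id = data.aws_kms_key.ebs_shared.key_id` to the root block makes the volumes consistent. The instance has no `metadata_options` block, so IMDSv1 remains available; `metadata_options { http_tokens = "required" }` limits the instance-profile credentials to IMDSv2 callers. `ignore_changes` also lists `user_data`, which means later edits to templates/ec2_user_data_accessgate.sh never reach an existing instance — the comment above the lifecycle block explains the volume case but should state that this is intended for user_data as well.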
--- a/terraform/environments/ccms-ebs-upgrade/r53.tf +++ b/terraform/environments/ccms-ebs-upgrade/r53.tf @@ -18,3 +18,43 @@ resource "aws_route53_record" "ebsconc" { ttl = 300 records = [aws_instance.ec2_oracle_conc.private_ip] } + +## EBSAPPS +resource "aws_route53_record" "ebsapps" { + provider = aws.core-vpc + count = local.application_data.accounts[local.environment].ebsapps_no_instances + zone_id = data.aws_route53_zone.external.zone_id + name = "ccms-ebs-app-upgrade${count.index + 1}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + type = "A" + ttl = 300 + records = [aws_instance.ec2_ebsapps[count.index].private_ip] +} + +## EBS ALB +resource "aws_route53_record" "external" { + provider = aws.core-vpc + + zone_id = data.aws_route53_zone.external.zone_id + name = "ccms-ebs-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + type = "A" + + alias { + name = aws_lb.ebsapps_lb.dns_name + zone_id = aws_lb.ebsapps_lb.zone_id + evaluate_target_health = true + } +} + + +# AccessGate Instances + +resource "aws_route53_record" "accessgate_ec2" { + provider = aws.core-vpc + count = local.application_data.accounts[local.environment].accessgate_no_instances + + zone_id = data.aws_route53_zone.external.zone_id + name = "${local.application_data.accounts[local.environment].accessgate_dns_prefix}${count.index + 1}-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + type = "A" + ttl = 300 + records = [aws_instance.ec2_accessgate[count.index].private_ip] +} \ No newline at end of file From f084b85e46e8a17e02b4075fefa8692c9da46d38 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 21 Nov 2023 14:42:56 +0000 Subject: [PATCH 10/16] CC-2176: Creation of AccessGate Instances --- .../environments/ccms-ebs-upgrade/application_variables.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
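Review bot: `aws_route53_record.ebsapps` builds its hostname as `ccms-ebs-app-upgrade${count.index + 1}`, giving `ccms-ebs-app-upgrade1`, whereas the SANs in certificates.tf are written `ccms-ebs-app1-upgrade`, so the per-instance names are not covered by the certificate if anything terminates TLS on them (patch 12 renames the record to `ccms-ebs-app-1-upgrade`, which still differs). Either the record name or the SAN should change so both produce the same label, for example `name = "ccms-ebs-app${count.index + 1}-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"`. The file also ends without a trailing newline.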
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json index 5bb6d3a6724..73e55f5b39d 100644 --- a/terraform/environments/ccms-ebs-upgrade/application_variables.json +++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json @@ -30,8 +30,8 @@ "ebsconc_ami_id": "ami-0d4b266f7ae87bbfc", "ebsapps_ami_id-1": "ami-01dad07213d8573fa", "ebsapps_ami_id-2": "ami-092cdd881efd12af8", - "accessgate_ami_id-1": "ami-0695726199c3e30e5", - "accessgate_ami_id-2": "ami-0695726199c3e30e5", + "accessgate_ami_id-1": "ami-0868b322f8ed469b6", + "accessgate_ami_id-2": "ami-092240a30296e0dc1", "webgate_ami_id-1": "ami-0e398cd57c81356a7", "webgate_ami_id-2": "ami-0e398cd57c81356a7", "restored_db_image": "ami-0df5f31cae1c86635", From b5474322cfd41799ea3be020c9e0a82061c9a04d Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 21 Nov 2023 14:54:18 +0000 Subject: [PATCH 11/16] CC-2176: Creation of AccessGate Instances --- .../environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf index 986994c0f3c..aac892f341b 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_accessgate.tf @@ -93,7 +93,7 @@ module "cw-accgate-ec2" { name = "ec2-accgate-${count.index + 1}" topic = aws_sns_topic.cw_alerts.arn instanceId = aws_instance.ec2_accessgate[count.index].id - imageId = data.aws_ami.accessgate.id + imageId = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"] instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate fileSystem = "xfs" # Linux root filesystem rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images 
From e2d8880f8e9b6397454430aac30243493b2cc83c Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 21 Nov 2023 15:17:21 +0000 Subject: [PATCH 12/16] CC-2176: Creation of AccessGate Instances --- terraform/environments/ccms-ebs-upgrade/certificates.tf | 8 ++++---- terraform/environments/ccms-ebs-upgrade/r53.tf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index 77cce460cbd..ac1afe56583 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf 
@@ -8,10 +8,10 @@ resource "aws_acm_certificate" "external" { validation_method = "DNS" domain_name = format("%s-%s.modernisation-platform.service.justice.gov.uk", "laa", local.environment) subject_alternative_names = [ -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), -# format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev1-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "agatedev2-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app1-upgrade", var.networking[0].business-unit, local.environment), + format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-app2-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-db-upgrade", var.networking[0].business-unit, local.environment), format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "ccms-ebs-upgrade", var.networking[0].business-unit, local.environment), # format("%s.%s-%s.modernisation-platform.service.justice.gov.uk", "clamav-upgrade", var.networking[0].business-unit, local.environment), diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf index 8b2316957b1..e35bfa67324 100644 --- a/terraform/environments/ccms-ebs-upgrade/r53.tf 
+++ b/terraform/environments/ccms-ebs-upgrade/r53.tf @@ -24,7 +24,7 @@ resource "aws_route53_record" "ebsapps" { provider = aws.core-vpc count = local.application_data.accounts[local.environment].ebsapps_no_instances zone_id = data.aws_route53_zone.external.zone_id - name = "ccms-ebs-app-upgrade${count.index + 1}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + name = "ccms-ebs-app-${count.index + 1}-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" type = "A" ttl = 300 records = [aws_instance.ec2_ebsapps[count.index].private_ip] From 719d8028bab2d94714f4a7736aa995d7e4f6b680 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 21 Nov 2023 15:30:16 +0000 Subject: [PATCH 13/16] CC-2176: Creation of AccessGate Instances --- .../environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf index df5e3276aa6..129e87d5ff6 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_apps-alb.tf @@ -27,7 +27,7 @@ resource "aws_lb_listener" "ebsapps_listener" { port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-2016-08" - certificate_arn = "arn:aws:acm:eu-west-2:295992623913:certificate/2a9438fc-7d0a-4dae-a8d0-05f846793a15" + certificate_arn = aws_acm_certificate.external.arn default_action { type = "forward" From c8d468903468f8cdfffa7a75ec5833140fd38448 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Mon, 27 Nov 2023 15:39:10 +0000 Subject: [PATCH 14/16] CC-2176: Creation of AccessGate Instances --- terraform/environments/ccms-ebs-upgrade/certificates.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
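Review bot: Replacing the literal ARN with `aws_acm_certificate.external.arn` takes the cross-account certificate id out of source, which is the right fix; the listener keeps `depends_on = [aws_acm_certificate_validation.external]` above the hunk, so ordering against validation is preserved. Writing `certificate_arn = aws_acm_certificate_validation.external.certificate_arn` would express that dependency through the attribute itself and let the explicit `depends_on` go. The rest of the listener block is outside the hunk.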
diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index ac1afe56583..5415b82ed2f 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf @@ -36,7 +36,7 @@ resource "aws_route53_record" "external_validation" { aws_instance.ec2_ebsapps ] - provider = aws.core-vpc + provider = aws.core-network-services for_each = { for dvo in local.cert_opts : dvo.domain_name => { From af076d60b7b3105f31376eda4d1bb2b038b8fc2d Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 28 Nov 2023 09:43:11 +0000 Subject: [PATCH 15/16] CC-2176: Creation of AccessGate Instances --- terraform/environments/ccms-ebs-upgrade/member-locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ccms-ebs-upgrade/member-locals.tf b/terraform/environments/ccms-ebs-upgrade/member-locals.tf index c8120ac7c33..2c234e63e2c 100644 --- a/terraform/environments/ccms-ebs-upgrade/member-locals.tf +++ b/terraform/environments/ccms-ebs-upgrade/member-locals.tf @@ -27,5 +27,5 @@ locals { cert_opts = aws_acm_certificate.external.domain_validation_options cert_arn = aws_acm_certificate.external.arn - cert_zone_id = data.aws_route53_zone.network-services.zone_id + cert_zone_id = data.aws_route53_zone.external.zone_id } From ac5bcf4ae809cfc309ab76edaad65744e1327371 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Tue, 28 Nov 2023 09:52:09 +0000 Subject: [PATCH 16/16] CC-2176: Creation of AccessGate Instances --- terraform/environments/ccms-ebs-upgrade/certificates.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ccms-ebs-upgrade/certificates.tf b/terraform/environments/ccms-ebs-upgrade/certificates.tf index 5415b82ed2f..ac1afe56583 100644 --- a/terraform/environments/ccms-ebs-upgrade/certificates.tf +++ b/terraform/environments/ccms-ebs-upgrade/certificates.tf 
@@ -36,7 +36,7 @@ resource "aws_route53_record" "external_validation" { aws_instance.ec2_ebsapps ] - provider = aws.core-network-services + provider = aws.core-vpc for_each = { for dvo in local.cert_opts : dvo.domain_name => {
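Review bot: Patches 14 and 16 toggle the `external_validation` provider between `aws.core-network-services` and `aws.core-vpc` while patch 15 moved `cert_zone_id` to `data.aws_route53_zone.external.zone_id`; the provider on this resource has to be the one that can write into the zone named by `local.cert_zone_id`, and nothing in the file ties the two together. A comment on the line, `# must be the provider that owns local.cert_zone_id (see member-locals.tf)`, would stop the pair drifting apart again; if the external zone is in fact managed through core-vpc, the final state is consistent, but that is inferred rather than visible here. The `for_each` body of the resource runs past the hunk.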