Merge pull request #7951 from ministryofjustice/DBA-761
Dba 761
bill-buchan authored Sep 27, 2024
2 parents be75f04 + 43749ba commit bcfbcfd
Showing 7 changed files with 47 additions and 43 deletions.
1 change: 1 addition & 0 deletions terraform/environments/delius-core/locals.tf
Expand Up @@ -4,6 +4,7 @@ locals {
db_fully_qualified_name = "${local.application_name}-${local.db_service_name}"
db_image_tag = "5.7.4"
db_port = 1521
db_tcps_port = 1522
db_name = "MODNDA"

frontend_url = "${local.application_name}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
Expand Up @@ -13,15 +13,15 @@ resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" {
username = local.dms_audit_username
password = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
server_name = join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])
port = local.oracle_port
extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.oracle_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
port = local.db_tcps_port
extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
# We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
ssl_mode = "verify-ca"
certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
# Ignore subsequent replacement with a valid wallet
lifecycle {
ignore_changes = [certificate_arn]
}
# lifecycle {
# ignore_changes = [certificate_arn]
# }
depends_on = [aws_dms_certificate.empty_oracle_wallet]
}

Expand All @@ -36,14 +36,14 @@ resource "aws_dms_endpoint" "dms_user_source_endpoint_db" {
username = local.dms_audit_username
password = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
server_name = join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])
port = local.oracle_port
extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
port = local.db_tcps_port
extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
# We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
ssl_mode = "verify-ca"
certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
# Ignore subsequent replacement with a valid wallet
lifecycle {
ignore_changes = [certificate_arn]
}
# lifecycle {
# ignore_changes = [certificate_arn]
# }
depends_on = [aws_dms_certificate.empty_oracle_wallet]
}
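Review bot: Commenting out `lifecycle { ignore_changes = [certificate_arn] }` while `certificate_arn` still points at `aws_dms_certificate.empty_oracle_wallet` means any populated wallet attached outside Terraform will be reverted to the empty wallet on the next apply, which contradicts the comment just above it ("a populated wallet will be added by DMS configuration") and would presumably break `verify-ca` on these TCPS endpoints. The `# Ignore subsequent replacement with a valid wallet` comment is now stale as well. If the wallet is meant to be managed out of band, restore the lifecycle block; if it is now managed in Terraform, delete the commented-out block and both comments and reference the real wallet resource rather than the empty one. The same pattern is repeated in `dms_user_source_endpoint_db` in the second hunk of this file, and both resource headers sit on the hunk-header lines rather than inside the visible hunk.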
Expand Up @@ -9,15 +9,15 @@ resource "aws_dms_endpoint" "dms_user_target_endpoint_db" {
username = local.dms_audit_username
password = join(",",[jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username],jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
server_name = join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])
port = local.oracle_port
extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
port = local.db_tcps_port
extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
# We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
ssl_mode = "verify-ca"
certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
# Ignore subsequent replacement with a valid wallet
lifecycle {
ignore_changes = [certificate_arn]
}
# lifecycle {
# ignore_changes = [certificate_arn]
# }
depends_on = [aws_dms_certificate.empty_oracle_wallet]
}

Expand All @@ -31,14 +31,14 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" {
username = local.dms_audit_username
password = join(",",[jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username],jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]])
server_name = join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])
port = local.oracle_port
extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
port = local.db_tcps_port
extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;"
# We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration
ssl_mode = "verify-ca"
certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn
# Ignore subsequent replacement with a valid wallet
lifecycle {
ignore_changes = [certificate_arn]
}
# lifecycle {
# ignore_changes = [certificate_arn]
# }
depends_on = [aws_dms_certificate.empty_oracle_wallet]
}
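Review bot: `asm_server` on both target endpoints now uses `${local.db_tcps_port}` where it was a literal `1521`, so DMS will try to reach the +ASM instance on the TCPS listener; that only works if the ASM listener is actually registered on 1522 with the same wallet, which nothing in this change shows. If the ASM listener still only listens on 1521, keep `asm_server=...:${local.db_port}/+ASM` for the ASM connection and use the TCPS port for `port` only, with a comment recording that the ASM hop is then not covered by `ssl_mode`. Either way a one-line comment such as `# ASM listener must be registered on the TCPS port with the same wallet as the DB listener` would save the next reader from guessing. The commented-out `ignore_changes = [certificate_arn]` here has the same consequence as in the source endpoints: the empty wallet is re-applied whenever the ARN drifts.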
@@ -1,7 +1,8 @@
locals {
account_id = data.aws_caller_identity.current.account_id
delius_account_id = var.platform_vars.environment_management.account_ids[join("-", ["delius-core", var.account_info.mp_environment])]
oracle_port = "1522"
db_port = 1521
db_tcps_port = 1522
dms_audit_username = "delius_audit_dms_pool"

# Although it is recommended to use bucket_prefix rather than bucket_name when creating an S3 bucket
Expand Up @@ -10,8 +10,8 @@ resource "aws_security_group" "dms" {
resource "aws_vpc_security_group_egress_rule" "dms_db_conn_out" {
security_group_id = aws_security_group.dms.id
description = "Allow outgoing communication between DMS and delius db instances"
from_port = local.oracle_port
to_port = local.oracle_port
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
referenced_security_group_id = var.db_ec2_sg_id
tags = merge(var.tags,
Expand All @@ -22,8 +22,8 @@ resource "aws_vpc_security_group_egress_rule" "dms_db_conn_out" {
resource "aws_vpc_security_group_ingress_rule" "dms_db_conn_in" {
security_group_id = aws_security_group.dms.id
description = "Allow incoming communication between delius db instances and DMS"
from_port = local.oracle_port
to_port = local.oracle_port
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
referenced_security_group_id = var.db_ec2_sg_id
tags = merge(var.tags,
Expand All @@ -34,8 +34,8 @@ resource "aws_vpc_security_group_ingress_rule" "dms_db_conn_in" {
resource "aws_vpc_security_group_egress_rule" "db_dms_conn_out" {
security_group_id = var.db_ec2_sg_id
description = "Allow outgoing communication between delius db instances and DMS"
from_port = local.oracle_port
to_port = local.oracle_port
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.dms.id
tags = merge(var.tags,
Expand All @@ -46,8 +46,8 @@ resource "aws_vpc_security_group_egress_rule" "db_dms_conn_out" {
resource "aws_vpc_security_group_ingress_rule" "db_dms_conn_in" {
security_group_id = var.db_ec2_sg_id
description = "Allow incoming communication between DMS and delius db instances"
from_port = local.oracle_port
to_port = local.oracle_port
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.dms.id
tags = merge(var.tags,
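Review bot: The four DMS rules are widened from `local.oracle_port` (1522 only) to the range `local.db_port`–`local.db_tcps_port`, i.e. 1521-1522, yet every DMS endpoint in this PR now connects on `local.db_tcps_port` only (both `port` and `asm_server`), so opening the plaintext listener port between DMS and the db instances does not appear to be needed. Keep them single-port: `from_port = local.db_tcps_port` / `to_port = local.db_tcps_port`. If 1521 really is required, a range spelled as two independent locals is fragile — moving `db_tcps_port` to the conventional 2484 would silently open 1521-2484 — so use one rule per port (e.g. `for_each = { tcp = local.db_port, tcps = local.db_tcps_port }` with `from_port = each.value` and `to_port = each.value`) and say in each description which port it covers.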
Expand Up @@ -61,4 +61,6 @@ locals {

oracle_backup_bucket_prefix = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-backups"

db_port = 1521
db_tcps_port = 1522
}
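Review bot: `db_port` and `db_tcps_port` are now defined as literals in three separate `locals` blocks (this module, the dms module and the root `delius-core/locals.tf`) with nothing tying them together, so the security-group rules here and the DMS endpoint ports can drift independently. Pass them into both modules as variables from the root (e.g. `db_port = local.db_port` / `db_tcps_port = local.db_tcps_port` in the module calls) and keep the literals in one place. A short comment on each, such as `# 1521 = plain TNS listener, 1522 = TCPS (TLS) listener`, would also record why two ports exist. The `locals` block begins above the visible hunk.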
Expand Up @@ -25,8 +25,8 @@ resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" {
resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_rman" {
security_group_id = aws_security_group.db_ec2.id
cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr
from_port = 1521
to_port = 1521
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
description = "Allow communication out on port 1521 to legacy rman"
tags = merge(var.tags,
Expand All @@ -37,8 +37,8 @@ resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_rman" {
resource "aws_vpc_security_group_ingress_rule" "db_ec2_instance_rman" {
security_group_id = aws_security_group.db_ec2.id
cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr
from_port = 1521
to_port = 1521
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
description = "Allow communication in on port 1521 from legacy rman"
tags = merge(var.tags,
Expand All @@ -49,26 +49,26 @@ resource "aws_vpc_security_group_ingress_rule" "db_ec2_instance_rman" {
resource "aws_vpc_security_group_egress_rule" "db_inter_conn" {
security_group_id = aws_security_group.db_ec2.id
description = "Allow communication between delius db instances"
from_port = 1521
to_port = 1521
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.db_ec2.id
}

resource "aws_vpc_security_group_ingress_rule" "db_inter_conn" {
security_group_id = aws_security_group.db_ec2.id
description = "Allow communication between delius db instances"
from_port = 1521
to_port = 1521
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
referenced_security_group_id = aws_security_group.db_ec2.id
}

resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_bastion" {
security_group_id = aws_security_group.db_ec2.id
description = "bastion to testing db"
from_port = 1521
to_port = 1521
from_port = local.db_port
to_port = local.db_tcps_port
ip_protocol = "tcp"
referenced_security_group_id = var.bastion_sg_id
}
Expand All @@ -84,16 +84,16 @@ resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ing

resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" {
ip_protocol = "tcp"
from_port = 1521
to_port = 1521
from_port = local.db_port
to_port = local.db_tcps_port
cidr_ipv4 = var.account_config.shared_vpc_cidr
security_group_id = aws_security_group.db_ec2.id
}

resource "aws_vpc_security_group_egress_rule" "delius_db_rman_db" {
ip_protocol = "tcp"
from_port = 1521
to_port = 1521
from_port = local.db_port
to_port = local.db_tcps_port
cidr_ipv4 = var.account_config.shared_vpc_cidr
security_group_id = aws_security_group.db_ec2.id
description = "Allow communication out on port 1521 to rman"
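Review bot: The descriptions on `db_ec2_instance_rman` (both directions) and `delius_db_rman_db` still say "port 1521" while the rules now cover 1521-1522, so the stated intent no longer matches the rule; change them to e.g. `"Allow communication out on ports 1521-1522 (TNS/TCPS) to legacy rman"`. More importantly, the CIDR-scoped rules (`legacy_engineering_vpc_cidr`, `shared_vpc_cidr`) and the bastion rule are widened from a single port to a range, and nothing in the PR shows rman, OEM or the bastion using TCPS — if only the DMS path needs 1522, those rules should stay at `from_port = local.db_port` / `to_port = local.db_port`. Where both ports really are needed, two single-port rules (or `for_each` over the two locals) avoid the range silently growing if `db_tcps_port` is later changed. The first hunk header names `db_ec2_instance_https_out` but its body is not in view, and `delius_db_rman_db` runs past the last hunk line.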