From 2c87ee4c0f873646f9050aff2b5c89346bf35ef0 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Thu, 26 Sep 2024 17:20:01 +0100 Subject: [PATCH 1/4] Increase port range to 1522 to include secure listener --- terraform/environments/delius-core/locals.tf | 1 + .../components/dms/dms_db_source_endpoints.tf | 8 +++--- .../components/dms/dms_db_target_endpoints.tf | 8 +++--- .../modules/components/dms/locals.tf | 3 +- .../delius-core/modules/components/dms/sg.tf | 16 +++++------ .../components/oracle_db_shared/locals.tf | 2 ++ .../modules/components/oracle_db_shared/sg.tf | 28 +++++++++---------- 7 files changed, 35 insertions(+), 31 deletions(-) diff --git a/terraform/environments/delius-core/locals.tf b/terraform/environments/delius-core/locals.tf index 2fdec2d9aee..c24a4d722ce 100644 --- a/terraform/environments/delius-core/locals.tf +++ b/terraform/environments/delius-core/locals.tf @@ -4,6 +4,7 @@ locals { db_fully_qualified_name = "${local.application_name}-${local.db_service_name}" db_image_tag = "5.7.4" db_port = 1521 + db_tcps_port = 1522 db_name = "MODNDA" frontend_url = "${local.application_name}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf index 531b6ba27ee..ba47581ebdc 100644 --- a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf +++ b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf 
@@ -13,8 +13,8 @@ resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" { username = local.dms_audit_username password = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]]) server_name = join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name]) - port = local.oracle_port - extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.oracle_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;" + port = local.db_tcps_port + extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.audit_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;" # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn 
@@ -36,8 +36,8 @@ resource "aws_dms_endpoint" "dms_user_source_endpoint_db" { username = local.dms_audit_username password = join(",", [jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username], jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]]) server_name = join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name]) - port = local.oracle_port - extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;" + port = local.db_tcps_port + extra_connection_attributes = "ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".", [var.oracle_db_server_names[var.dms_config.user_source_endpoint.read_host], var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;" # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf index 9c3d89e5ceb..45e5742e40a 100644 --- a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf +++ b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf 
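Review bot: The `asm_server` attribute in `dms_user_source_endpoint_db` moves from the hard-coded `:1521/+ASM` to `:${local.db_tcps_port}/+ASM`, so the ASM connection now targets the TCPS listener on 1522, which the commit subject (a port-range increase) does not mention. The same switch is made in `dms_user_target_endpoint_db` and `dms_audit_target_endpoint_db` in dms_db_target_endpoints.tf. Nothing visible here shows that the +ASM service is registered with the 1522 listener or that the wallet referenced by `certificate_arn` covers that connection, so this is worth confirming before apply. I would add a comment above the attribute, e.g. `# asm_server must use the TCPS listener (db_tcps_port); +ASM has to be registered on it`. The resource body starts and ends outside the hunk.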
@@ -9,8 +9,8 @@ resource "aws_dms_endpoint" "dms_user_target_endpoint_db" { username = local.dms_audit_username password = join(",",[jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username],jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]]) server_name = join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name]) - port = local.oracle_port - extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;" + port = local.db_tcps_port + extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;" # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn 
@@ -31,8 +31,8 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" { username = local.dms_audit_username password = join(",",[jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username],jsondecode(data.aws_secretsmanager_secret_version.delius_core_application_passwords.secret_string)[local.dms_audit_username]]) server_name = join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name]) - port = local.oracle_port - extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:1521/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;" + port = local.db_tcps_port + extra_connection_attributes = "UseDirectPathFullLoad=false;ArchivedLogDestId=1;AdditionalArchivedLogDestId=32;asm_server=${join(".",[var.oracle_db_server_names["primarydb"],var.account_config.route53_inner_zone_info.name])}:${local.db_tcps_port}/+ASM;asm_user=${local.dms_audit_username};UseBFile=true;UseLogminerReader=false;" # We initially use an empty wallet for encryption - a populated wallet will be added by DMS configuration ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn diff --git a/terraform/environments/delius-core/modules/components/dms/locals.tf b/terraform/environments/delius-core/modules/components/dms/locals.tf index f551c254b30..7d7b9f0a42a 100644 --- a/terraform/environments/delius-core/modules/components/dms/locals.tf +++ b/terraform/environments/delius-core/modules/components/dms/locals.tf 
@@ -1,7 +1,8 @@ locals { account_id = data.aws_caller_identity.current.account_id delius_account_id = var.platform_vars.environment_management.account_ids[join("-", ["delius-core", var.account_info.mp_environment])] - oracle_port = "1522" + db_port = 1521 + db_tcps_port = 1522 dms_audit_username = "delius_audit_dms_pool" # Although it is recommended to use bucket_prefix rather than bucket_name when creating an S3 bucket diff --git a/terraform/environments/delius-core/modules/components/dms/sg.tf b/terraform/environments/delius-core/modules/components/dms/sg.tf index ba961c5407f..9add88d96fd 100644 --- a/terraform/environments/delius-core/modules/components/dms/sg.tf +++ b/terraform/environments/delius-core/modules/components/dms/sg.tf @@ -10,8 +10,8 @@ resource "aws_security_group" "dms" { resource "aws_vpc_security_group_egress_rule" "dms_db_conn_out" { security_group_id = aws_security_group.dms.id description = "Allow outgoing communication between DMS and delius db instances" - from_port = local.oracle_port - to_port = local.oracle_port + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" referenced_security_group_id = var.db_ec2_sg_id tags = merge(var.tags, @@ -22,8 +22,8 @@ resource "aws_vpc_security_group_egress_rule" "dms_db_conn_out" { resource "aws_vpc_security_group_ingress_rule" "dms_db_conn_in" { security_group_id = aws_security_group.dms.id description = "Allow incoming communication between delius db instances and DMS" - from_port = local.oracle_port - to_port = local.oracle_port + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" referenced_security_group_id = var.db_ec2_sg_id tags = merge(var.tags, 
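Review bot: `db_port` and `db_tcps_port` are now declared three times with the same literals: in this module's locals, in the environment-level locals.tf, and in oracle_db_shared/locals.tf. The security-group ranges and the DMS endpoint ports can therefore drift apart if only one copy is edited. If these modules are called from that environment, passing the two ports in as input variables would leave a single source of truth. The removed `oracle_port` was the string `"1522"` and the replacements are numbers, so a one-line comment such as `# 1521 = TCP listener, 1522 = TCPS (TLS) listener` would make the pairing explicit.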
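Review bot: `dms_db_conn_out` and `dms_db_conn_in` previously allowed only 1522 (the old `local.oracle_port`), and the new `from_port = local.db_port` widens both to 1521-1522. That opens the non-TLS listener between DMS and the database, although every DMS endpoint in this patch connects on `local.db_tcps_port` with `ssl_mode = "verify-ca"`. The same widening is applied to `db_dms_conn_out` and `db_dms_conn_in` further down the file. Unless DMS has a need for 1521 that is not visible here, keep these four rules at `from_port = local.db_tcps_port` and `to_port = local.db_tcps_port` so the plaintext port stays closed on this path.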
@@ -34,8 +34,8 @@ resource "aws_vpc_security_group_ingress_rule" "dms_db_conn_in" { resource "aws_vpc_security_group_egress_rule" "db_dms_conn_out" { security_group_id = var.db_ec2_sg_id description = "Allow outgoing communication between delius db instances and DMS" - from_port = local.oracle_port - to_port = local.oracle_port + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" referenced_security_group_id = aws_security_group.dms.id tags = merge(var.tags, @@ -46,8 +46,8 @@ resource "aws_vpc_security_group_egress_rule" "db_dms_conn_out" { resource "aws_vpc_security_group_ingress_rule" "db_dms_conn_in" { security_group_id = var.db_ec2_sg_id description = "Allow incoming communication between DMS and delius db instances" - from_port = local.oracle_port - to_port = local.oracle_port + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" referenced_security_group_id = aws_security_group.dms.id tags = merge(var.tags, diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf index d0c51065c35..292d4992d47 100644 --- a/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf +++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf @@ -61,4 +61,6 @@ locals { oracle_backup_bucket_prefix = "${var.account_info.application_name}-${var.env_name}-oracle-${var.db_suffix}-backups" + db_port = 1521 + db_tcps_port = 1522 } diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/sg.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/sg.tf index 0a18a55b4ba..1eb5fde321a 100644 --- a/terraform/environments/delius-core/modules/components/oracle_db_shared/sg.tf +++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/sg.tf 
@@ -25,8 +25,8 @@ resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" { resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_rman" { security_group_id = aws_security_group.db_ec2.id cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr - from_port = 1521 - to_port = 1521 + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" description = "Allow communication out on port 1521 to legacy rman" tags = merge(var.tags, @@ -37,8 +37,8 @@ resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_rman" { resource "aws_vpc_security_group_ingress_rule" "db_ec2_instance_rman" { security_group_id = aws_security_group.db_ec2.id cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr - from_port = 1521 - to_port = 1521 + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" description = "Allow communication in on port 1521 from legacy rman" tags = merge(var.tags, @@ -49,8 +49,8 @@ resource "aws_vpc_security_group_ingress_rule" "db_ec2_instance_rman" { resource "aws_vpc_security_group_egress_rule" "db_inter_conn" { security_group_id = aws_security_group.db_ec2.id description = "Allow communication between delius db instances" - from_port = 1521 - to_port = 1521 + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" referenced_security_group_id = aws_security_group.db_ec2.id } @@ -58,8 +58,8 @@ resource "aws_vpc_security_group_egress_rule" "db_inter_conn" { resource "aws_vpc_security_group_ingress_rule" "db_inter_conn" { security_group_id = aws_security_group.db_ec2.id description = "Allow communication between delius db instances" - from_port = 1521 - to_port = 1521 + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" referenced_security_group_id = aws_security_group.db_ec2.id } 
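Review bot: The `description` on the egress rule `db_ec2_instance_rman` still reads "Allow communication out on port 1521 to legacy rman" while the rule now covers 1521-1522; the ingress rule of the same name and `delius_db_rman_db` at the end of the file carry the same stale text. Descriptions are what a reviewer sees when auditing the security group, so they should be updated, e.g. `description = "Allow communication out on ports 1521-1522 (TCP and TCPS listeners) to legacy rman"`. Expressing two listeners as a `from_port`/`to_port` range also works only while the ports are adjacent: if either local changes, the range opens every port in between, so one rule per port would be safer. The same range is used by both `db_inter_conn` rules in this file.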
@@ -67,8 +67,8 @@ resource "aws_vpc_security_group_ingress_rule" "db_inter_conn" { resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_bastion" { security_group_id = aws_security_group.db_ec2.id description = "bastion to testing db" - from_port = 1521 - to_port = 1521 + from_port = local.db_port + to_port = local.db_tcps_port ip_protocol = "tcp" referenced_security_group_id = var.bastion_sg_id } @@ -84,16 +84,16 @@ resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ssh_ing resource "aws_vpc_security_group_ingress_rule" "delius_db_oem_db" { ip_protocol = "tcp" - from_port = 1521 - to_port = 1521 + from_port = local.db_port + to_port = local.db_tcps_port cidr_ipv4 = var.account_config.shared_vpc_cidr security_group_id = aws_security_group.db_ec2.id } resource "aws_vpc_security_group_egress_rule" "delius_db_rman_db" { ip_protocol = "tcp" - from_port = 1521 - to_port = 1521 + from_port = local.db_port + to_port = local.db_tcps_port cidr_ipv4 = var.account_config.shared_vpc_cidr security_group_id = aws_security_group.db_ec2.id description = "Allow communication out on port 1521 to rman" From 66c0bf7b94ea2dc5883d2efd50eb5282eea41c5a Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Thu, 26 Sep 2024 17:33:13 +0100 Subject: [PATCH 2/4] Temporarily include certificate change --- .../components/dms/dms_db_source_endpoints.tf | 12 ++++++------ .../components/dms/dms_db_target_endpoints.tf | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf index ba47581ebdc..e6f4d342b92 100644 --- a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf +++ b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf 
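Review bot: `delius_db_oem_db` has no `description` and admits the whole of `var.account_config.shared_vpc_cidr`, and with this change that CIDR-wide ingress reaches the TCPS listener as well as 1521. If OEM is the only intended client, a line such as `description = "Allow OEM in shared VPC to reach db listeners (1521 TCP, 1522 TCPS)"` would make that intent reviewable, and a narrower source than the full VPC CIDR would be preferable if one is available. `delius_db_security_group_ingress_bastion` in the preceding hunk is widened the same way; whether bastion users need both listeners is not visible here.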
@@ -19,9 +19,9 @@ resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - lifecycle { - ignore_changes = [certificate_arn] - } + # lifecycle { + # ignore_changes = [certificate_arn] + # } depends_on = [aws_dms_certificate.empty_oracle_wallet] } @@ -42,8 +42,8 @@ resource "aws_dms_endpoint" "dms_user_source_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - lifecycle { - ignore_changes = [certificate_arn] - } + # lifecycle { + # ignore_changes = [certificate_arn] + # } depends_on = [aws_dms_certificate.empty_oracle_wallet] } diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf index 45e5742e40a..d70a5636f2e 100644 --- a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf +++ b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf @@ -15,9 +15,9 @@ resource "aws_dms_endpoint" "dms_user_target_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - lifecycle { - ignore_changes = [certificate_arn] - } + # lifecycle { + # ignore_changes = [certificate_arn] + # } depends_on = [aws_dms_certificate.empty_oracle_wallet] } 
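Review bot: With the `lifecycle { ignore_changes = [certificate_arn] }` block commented out, each apply will set `certificate_arn` back to `aws_dms_certificate.empty_oracle_wallet`, undoing the populated wallet that the comment above says DMS configuration installs later. With `ssl_mode = "verify-ca"` that presumably leaves the endpoint unable to validate the database certificate until the wallet is reloaded. The same edit is made to the other three endpoints, and PATCH 3/4 and 4/4 toggle it again, so the series ends with the block disabled. If the one-off reset is intended, say so in place, e.g. `# TODO: restore lifecycle/ignore_changes once the endpoint port change has been applied`, rather than leaving commented-out code under a comment that still says "Ignore subsequent replacement with a valid wallet".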
@@ -37,8 +37,8 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - lifecycle { - ignore_changes = [certificate_arn] - } + # lifecycle { + # ignore_changes = [certificate_arn] + # } depends_on = [aws_dms_certificate.empty_oracle_wallet] } \ No newline at end of file From 28245dd1a3e23de8611e80c5e45904eeffc79fb0 Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Thu, 26 Sep 2024 17:43:06 +0100 Subject: [PATCH 3/4] Now we ignore certificate changes again --- .../components/dms/dms_db_source_endpoints.tf | 12 ++++++------ .../components/dms/dms_db_target_endpoints.tf | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf index e6f4d342b92..ba47581ebdc 100644 --- a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf +++ b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf @@ -19,9 +19,9 @@ resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - # lifecycle { - # ignore_changes = [certificate_arn] - # } + lifecycle { + ignore_changes = [certificate_arn] + } depends_on = [aws_dms_certificate.empty_oracle_wallet] } 
@@ -42,8 +42,8 @@ resource "aws_dms_endpoint" "dms_user_source_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - # lifecycle { - # ignore_changes = [certificate_arn] - # } + lifecycle { + ignore_changes = [certificate_arn] + } depends_on = [aws_dms_certificate.empty_oracle_wallet] } diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf index d70a5636f2e..45e5742e40a 100644 --- a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf +++ b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf @@ -15,9 +15,9 @@ resource "aws_dms_endpoint" "dms_user_target_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - # lifecycle { - # ignore_changes = [certificate_arn] - # } + lifecycle { + ignore_changes = [certificate_arn] + } depends_on = [aws_dms_certificate.empty_oracle_wallet] } @@ -37,8 +37,8 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - # lifecycle { - # ignore_changes = [certificate_arn] - # } + lifecycle { + ignore_changes = [certificate_arn] + } depends_on = [aws_dms_certificate.empty_oracle_wallet] } \ No newline at end of file From 2aefb28449d93766bd46f2ed68d5de126dfd1e1b Mon Sep 17 00:00:00 2001 From: Bill Buchan Date: Fri, 27 Sep 2024 09:05:34 +0100 Subject: [PATCH 4/4] Include cert again --- .../components/dms/dms_db_source_endpoints.tf | 12 ++++++------ .../components/dms/dms_db_target_endpoints.tf | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) 
diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf index ba47581ebdc..e6f4d342b92 100644 --- a/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf +++ b/terraform/environments/delius-core/modules/components/dms/dms_db_source_endpoints.tf @@ -19,9 +19,9 @@ resource "aws_dms_endpoint" "dms_audit_source_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - lifecycle { - ignore_changes = [certificate_arn] - } + # lifecycle { + # ignore_changes = [certificate_arn] + # } depends_on = [aws_dms_certificate.empty_oracle_wallet] } @@ -42,8 +42,8 @@ resource "aws_dms_endpoint" "dms_user_source_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - lifecycle { - ignore_changes = [certificate_arn] - } + # lifecycle { + # ignore_changes = [certificate_arn] + # } depends_on = [aws_dms_certificate.empty_oracle_wallet] } diff --git a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf index 45e5742e40a..99c5987e6c9 100644 --- a/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf +++ b/terraform/environments/delius-core/modules/components/dms/dms_db_target_endpoints.tf 
@@ -15,9 +15,9 @@ resource "aws_dms_endpoint" "dms_user_target_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - lifecycle { - ignore_changes = [certificate_arn] - } + # lifecycle { + # ignore_changes = [certificate_arn] + # } depends_on = [aws_dms_certificate.empty_oracle_wallet] } @@ -37,8 +37,8 @@ resource "aws_dms_endpoint" "dms_audit_target_endpoint_db" { ssl_mode = "verify-ca" certificate_arn = aws_dms_certificate.empty_oracle_wallet.certificate_arn # Ignore subsequent replacement with a valid wallet - lifecycle { - ignore_changes = [certificate_arn] - } + # lifecycle { + # ignore_changes = [certificate_arn] + # } depends_on = [aws_dms_certificate.empty_oracle_wallet] } \ No newline at end of file