
Commit

roncitrus committed Feb 9, 2024
2 parents 778ea0c + 5da7c8f commit da9e7d1
Showing 139 changed files with 3,248 additions and 2,752 deletions.
1 change: 1 addition & 0 deletions .github/CODEOWNERS
Expand Up @@ -10,6 +10,7 @@
/terraform/environments/cica-copilot @ministryofjustice/cica-copilot-llm-maintainers @ministryofjustice/modernisation-platform
/terraform/environments/cooker @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
/terraform/environments/corporate-staff-rostering @ministryofjustice/csr-application-support @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
/terraform/environments/cortex-xsiam @ministryofjustice/mip-devops @ministryofjustice/modernisation-platform
/terraform/environments/dacp @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform
/terraform/environments/data-and-insights-wepi @ministryofjustice/data-and-insights-hub @ministryofjustice/modernisation-platform
/terraform/environments/data-platform-apps-and-tools @ministryofjustice/data-platform-apps-and-tools @ministryofjustice/modernisation-platform
2 changes: 1 addition & 1 deletion .github/workflows/code-scanning.yml
Expand Up @@ -78,7 +78,7 @@ jobs:
fetch-depth: 0
- name: Run Checkov action
id: checkov
uses: bridgecrewio/checkov-action@0dc29cc1e9248c45929de6394c1c2026602de647 # v12.2655.0
uses: bridgecrewio/checkov-action@4fc35972a43e0622149fadb328d3a5123bfca03e # v12.2671.0
with:
directory: ./
framework: terraform
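--- a/.github/workflows/cortex-xsiam.yml
+++ b/.github/workflows/cortex-xsiam.yml
@@ -0,0 +1,66 @@
+---
+name: cortex-xsiam
+on:
+push:
+branches:
+- main
+paths:
+- 'terraform/environments/cortex-xsiam/**'
+- '.github/workflows/cortex-xsiam.yml'
+
+pull_request:
+branches:
+- main
+types: [opened, edited, reopened, synchronize]
+paths:
+- 'terraform/environments/cortex-xsiam/**'
+- '.github/workflows/cortex-xsiam.yml'
+
+workflow_dispatch:
+inputs:
+action:
+description: 'Set either [deploy|destroy].'
+default: 'deploy'
+required: true
+type: string
+options:
+- deploy
+- destroy
+
+permissions:
+id-token: write # This is required for requesting the JWT
+contents: read # This is required for actions/checkout
+
+jobs:
+strategy:
+uses: ./.github/workflows/reusable_terraform_strategy.yml
+if: inputs.action != 'destroy'
+with:
+application: "${{ github.workflow }}"
+
+terraform:
+needs: strategy
+if: inputs.action != 'destroy'
+strategy:
+fail-fast: false
+matrix: ${{ fromJson(needs.strategy.outputs.matrix) }}
+uses: ./.github/workflows/reusable_terraform_plan_apply.yml
+with:
+application: "${{ github.workflow }}"
+environment: "${{ matrix.target }}"
+action: "${{ matrix.action }}"
+secrets:
+modernisation_platform_environments: "${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}"
+pipeline_github_token: "${{ secrets.MODERNISATION_PLATFORM_CI_USER_ENVIRONMENTS_REPO_PAT }}"
+
+destroy-development:
+if: inputs.action == 'destroy'
+uses: ./.github/workflows/reusable_terraform_plan_apply.yml
+with:
+application: "${{ github.workflow }}"
+environment: "development"
+action: "plan_apply"
+plan_apply_tfargs: "-destroy"
+secrets:
+modernisation_platform_environments: "${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}"
+pipeline_github_token: "${{ secrets.MODERNISATION_PLATFORM_CI_USER_ENVIRONMENTS_REPO_PAT }}"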
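Review bot: The `workflow_dispatch` input `action` is declared `type: string`, so the `options:` list beneath it is ignored and whoever dispatches the run can type any free-text value; because every job only tests `inputs.action != 'destroy'`, a typo such as `destory` silently takes the deploy path. Declaring it as `type: choice` makes GitHub enforce the two listed values in the UI and the API: `type: choice`. With the choice enforced, the description `'Set either [deploy|destroy].'` could be shortened, since the UI already shows the options.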
2 changes: 1 addition & 1 deletion .github/workflows/generate-dependabot-file.yml
Expand Up @@ -34,7 +34,7 @@ jobs:
env:
SECRET: ${{ secrets.GITHUB_TOKEN }}
- name: Slack failure notification
uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0
uses: slackapi/slack-github-action@6c661ce58804a1a20f6dc5fbee7f0381b469e001 # v1.25.0
with:
payload: |
{"blocks":[{"type": "section","text": {"type": "mrkdwn","text": ":no_entry: Failed GitHub Action:"}},{"type": "section","fields":[{"type": "mrkdwn","text": "*Workflow:*\n<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|${{ github.workflow }}>"},{"type": "mrkdwn","text": "*Job:*\n${{ github.job }}"},{"type": "mrkdwn","text": "*Repo:*\n${{ github.repository }}"}]}]}
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
Expand Up @@ -59,7 +59,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: SARIF file
path: results.sarif
143 changes: 42 additions & 101 deletions terraform/environments/corporate-staff-rostering/ec2_common.tf
@@ -1,111 +1,52 @@
resource "aws_ssm_document" "windows_domain_join" {
name = "windows-domain-join"
document_type = "Command"
document_format = "YAML"
content = file("./ssm-documents/windows-domain-join.yaml")

tags = merge(
local.tags,
{
Name = "windows-domain-join"
},
)
}

resource "aws_ssm_document" "cloud_watch_agent" {
name = "windows-cloudwatch-agent-config"
document_type = "Command"
document_format = "YAML"
content = file("./ssm-documents/windows-cloudwatch-agent-config.yaml")

tags = merge(
local.tags,
{
Name = "windows-cloudwatch-agent-config"
},
)
locals {
# this local is used in locals.tf
ssm_doc_cloudwatch_log_groups = {
for key, value in local.ssm_docs :
"/aws/ssm/${try(value.name, key)}" => {
retention_in_days = 30
}
}
ssm_docs = {
windows-domain-join = {
content = file("./ssm-documents/windows-domain-join.yaml")
}
windows-cloudwatch-agent-config = {
content = file("./ssm-documents/windows-cloudwatch-agent-config.yaml")
}
ami-build-command = {
content = file("./ssm-documents/ami-build-command.yaml")
}
ami-build-automation = {
document_type = "Automation"
content = file("./ssm-documents/ami-build-automation.yaml")
}
leave-windows-domain = {
content = file("./ssm-documents/leave-windows-domain.yaml")
}
remove-local-users-windows = {
content = file("./ssm-documents/remove-local-users-windows.yaml")
}
network-testing-tools = {
content = file("./ssm-documents/network-testing-tools.yaml")
}
# windows-psreadline-fix = {
# content = file("./ssm-documents/windows-psreadline-fix.yaml")
# }
}
}

resource "aws_ssm_document" "ami_build_command" {
name = "ami-build-command"
document_type = "Command"
document_format = "YAML"
content = file("./ssm-documents/ami-build-command.yaml")

tags = merge(
local.tags,
{
Name = "ami-build-command"
},
)
}
resource "aws_ssm_document" "ssm_documents" {
for_each = local.ssm_docs

resource "aws_ssm_document" "ami_build_automation" {
name = "ami-build-automation"
document_type = "Automation"
document_format = "YAML"
content = file("./ssm-documents/ami-build-automation.yaml")
name = try(each.value.name, each.key)
document_type = try(each.value.document_type, "Command")
document_format = try(each.value.format, "YAML")
content = try(each.value.content)

tags = merge(
local.tags,
{
Name = "ami-build-automation"
Name = try(each.value.name, each.key)
},
)
}

resource "aws_ssm_document" "leave_windows_domain" {
name = "leave-windows-domain"
document_type = "Command"
document_format = "YAML"
content = file("./ssm-documents/leave-windows-domain.yaml")

tags = merge(
local.tags,
{
Name = "leave-windows-domain"
},
)
}

resource "aws_ssm_document" "remove_local_users_windows" {
name = "remove-local-users-windows"
document_type = "Command"
document_format = "YAML"
content = file("./ssm-documents/remove-local-users-windows.yaml")

tags = merge(
local.tags,
{
Name = "remove-local-users-windows"
},
)
}

resource "aws_ssm_document" "network-testing-tools" {
name = "network-testing-tools"
document_type = "Command"
document_format = "YAML"
content = file("./ssm-documents/network-testing-tools.yaml")

tags = merge(
local.tags,
{
Name = "network-testing-tools"
},
)
}

# resource "aws_ssm_document" "windows-psreadline-fix" {
# name = "windows-psreadline-fix"
# document_type = "Command"
# document_format = "YAML"
# content = file("./ssm-documents/windows-psreadline-fix.yaml")

# tags = merge(
# local.tags,
# {
# Name = "windows-psreadline-fix"
# },
# )
# }
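Review bot: `content = try(each.value.content)` in the `ssm_documents` resource passes a single argument to `try`, which adds nothing: an entry of `local.ssm_docs` that lacks `content` still fails, only with a less direct error, so `content = each.value.content` states the requirement plainly. The optional attribute names are also asymmetric — the type is read as `each.value.document_type` but the format as `each.value.format` — so a future entry that sets `document_format` to mirror the resource argument would be silently ignored in favour of the `"YAML"` default; reading `document_format = try(each.value.document_format, "YAML")` keeps the map keys aligned with the resource arguments. The commented-out `windows-psreadline-fix` entry is carried over from the old file; if it is not coming back, dropping it keeps the map clean, and if it is, a comment saying why it is parked would help.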
34 changes: 34 additions & 0 deletions terraform/environments/corporate-staff-rostering/iam.tf
Expand Up @@ -43,3 +43,37 @@ resource "aws_iam_user_policy_attachment" "mgn_attach_policy_app_migrationfull_a
user = aws_iam_user.mgn_user.name
policy_arn = "arn:aws:iam::aws:policy/AWSApplicationMigrationFullAccess"
}

# AD clean up lambda IAM resources

data "aws_iam_policy_document" "lambda_assume_role_policy" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]

principals {
type = "Service"
identifiers = ["lambda.amazonaws.com"]
}
}
}

resource "aws_iam_role" "lambda-ad-role" {
count = local.environment == "test" ? 1 : 0 # temporary
name = "LambdaFunctionADObjectCleanUp"
tags = local.tags

assume_role_policy = data.aws_iam_policy_document.lambda_assume_role_policy.json
}

resource "aws_iam_role_policy_attachment" "lambda-vpc-attachment" {
count = local.environment == "test" ? 1 : 0 # temporary
role = aws_iam_role.lambda-ad-role[count.index].name
policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
}

resource "aws_iam_role_policy_attachment" "lambda_secrets_manager" {
count = local.environment == "test" ? 1 : 0 # temporary
role = aws_iam_role.lambda-ad-role[count.index].name
policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
}
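Review bot: `aws_iam_role_policy_attachment.lambda_secrets_manager` attaches the AWS managed `SecretsManagerReadWrite` policy, which grants `secretsmanager:*` on every secret in the account to the AD clean-up Lambda's execution role. The function presumably needs only to read the one AD service-account secret it authenticates with, so a customer-managed policy allowing `secretsmanager:GetSecretValue` on that secret's ARN (plus `kms:Decrypt` on its key, if a customer-managed key is used) would limit what a compromised or buggy function could reach to that single secret. The three `# temporary` markers on the `count` guards do not say what has to happen before they go; a note such as `# temporary: test-only until the Lambda is promoted to all environments` would make them actionable. The hunk's first three lines close `aws_iam_user_policy_attachment.mgn_attach_policy_app_migrationfull_access`, whose body starts above the hunk.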
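--- a/terraform/environments/corporate-staff-rostering/lambda.tf
+++ b/terraform/environments/corporate-staff-rostering/lambda.tf
@@ -0,0 +1,40 @@
+locals {
+lambda_ad_object_cleanup = {
+function_name = "AD-Object-Clean-Up"
+}
+}
+
+module "ad-clean-up-lambda" {
+source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function" # ref for V3.1
+count = local.environment == "test" ? 1 : 0 # temporary # temporary whilst on-going work
+
+
+application_name = local.lambda_ad_object_cleanup.function_name
+function_name = local.lambda_ad_object_cleanup.function_name
+description = "Lambda to remove corresponding computer object from Active Directory upon server termination"
+package_type = "Zip"
+filename = data.archive_file.ad-cleanup-lambda.output_path
+source_code_hash = data.archive_file.ad-cleanup-lambda.output_base64sha256
+handler = "lambda_function.lambda_handler"
+runtime = "python3.8"
+
+create_role = false
+lambda_role = aws_iam_role.lambda-ad-role[count.index].arn
+
+vpc_subnet_ids = tolist(data.aws_subnets.shared-private.ids)
+vpc_security_group_ids = [module.baseline.security_groups["domain"].id]
+
+tags = merge(
+local.tags,
+{
+Name = "ad-object-clean-up-lambda"
+},
+)
+}
+
+data "archive_file" "ad-cleanup-lambda" {
+type = "zip"
+source_dir = "lambda/ad-clean-up"
+output_path = "lambda/ad-clean-up/ad-clean-up-lambda-payload-test.zip"
+}
+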
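Review bot: The module `source` in `module "ad-clean-up-lambda"` carries no `?ref=` query, so despite the `# ref for V3.1` comment every `terraform init` clones whatever the default branch of `modernisation-platform-terraform-lambda-function` holds at that moment, and the code that packages and deploys this function can change without any commit in this repository. Pinning it, e.g. `source = "github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=<v3.1 tag or commit>"`, makes the dependency reviewable and reproducible. `runtime = "python3.8"` is a release approaching end of life; a newer runtime such as `python3.12` would avoid an imminent Lambda deprecation. `data.archive_file.ad-cleanup-lambda` writes its `output_path` inside its own `source_dir`, so the previous zip is presumably swept into the next archive (and into `source_code_hash`); an `output_path` outside `lambda/ad-clean-up` avoids that. The doubled `# temporary # temporary whilst on-going work` comment on `count` reads like a merge artefact and should be one comment.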

0 comments on commit da9e7d1
