Merge branch 'main' into add_rds

ministryofjustice · Dec 8, 2023 · e82f75e · e82f75e
2 parents 30d22de + 066dd9c
commit e82f75e
Show file tree

Hide file tree

Showing 108 changed files with 4,529 additions and 1,015 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -6,6 +6,7 @@
 /terraform/environments/ccms-ebs-upgrade @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform
 /terraform/environments/ccms-ebs @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform-security @ministryofjustice/modernisation-platform
 /terraform/environments/cdpt-chaps @ministryofjustice/central-digital-product-team @ministryofjustice/modernisation-platform
+/terraform/environments/cdpt-ifs @ministryofjustice/central-digital-product-team @ministryofjustice/modernisation-platform
 /terraform/environments/cooker @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
 /terraform/environments/corporate-staff-rostering @ministryofjustice/csr-application-support @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/dacp @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform
@@ -21,7 +22,7 @@
 /terraform/environments/example @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
 /terraform/environments/hmpps-domain-services @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/hmpps-intelligence-management @ministryofjustice/dps-ims-tech @ministryofjustice/modernisation-platform
-/terraform/environments/hmpps-oem @ministryofjustice/hmpps-migration @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
+/terraform/environments/hmpps-oem @ministryofjustice/hmpps-dba @ministryofjustice/hmpps-migration @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/laa-ccms-infra-azure-ad-sso @ministryofjustice/laa-ccms-webops @ministryofjustice/modernisation-platform-security @ministryofjustice/modernisation-platform
 /terraform/environments/laa-oem @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform
 /terraform/environments/long-term-storage @ministryofjustice/modernisation-platform-long-term-storage @ministryofjustice/modernisation-platform

diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -1,12 +1,20 @@
 onboarding:
-  - "environments/**"
+  - changed-files:
+    - any-glob-to-any-file:
+      - "environments/**"
 
 dependencies:
-  - "terraform/**/*.lock.hcl"
+  - changed-files:
+    - any-glob-to-any-file:
+      - "terraform/**/*.lock.hcl"
 
 github-workflow:
-  - "github/workflows/**"
+  - changed-files:
+    - any-glob-to-any-file:
+      - ".github/workflows/**"
 
 environments-repository:
-  - "**/*.*"
-  - "**/*"
+  - changed-files:
+    - any-glob-to-any-file:
+      - "**/*.*"
+      - "**/*"
diff --git a/.github/workflows/cdpt-ifs.yml b/.github/workflows/cdpt-ifs.yml
@@ -0,0 +1,66 @@
+---
+name: cdpt-ifs
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'terraform/environments/cdpt-ifs/**'
+      - '.github/workflows/cdpt-ifs.yml'
+
+  pull_request:
+    branches:
+      - main
+    types: [opened, edited, reopened, synchronize]
+    paths:
+      - 'terraform/environments/cdpt-ifs/**'
+      - '.github/workflows/cdpt-ifs.yml'
+
+  workflow_dispatch:
+    inputs:
+      action:
+        description: 'Set either [deploy|destroy].'
+        default: 'deploy'
+        required: true
+        type: string
+        options:
+          - deploy
+          - destroy
+
+permissions:
+  id-token: write  # This is required for requesting the JWT
+  contents: read  # This is required for actions/checkout
+
+jobs:
+  strategy:
+    uses: ./.github/workflows/reusable_terraform_strategy.yml
+    if: inputs.action != 'destroy'
+    with:
+      application: "${{ github.workflow }}"
+
+  terraform:
+    needs: strategy
+    if: inputs.action != 'destroy'
+    strategy:
+      fail-fast: false
+      matrix: ${{ fromJson(needs.strategy.outputs.matrix) }}
+    uses: ./.github/workflows/reusable_terraform_plan_apply.yml
+    with:
+      application: "${{ github.workflow }}"
+      environment: "${{ matrix.target }}"
+      action: "${{ matrix.action }}"
+    secrets:
+      modernisation_platform_environments: "${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}"
+      pipeline_github_token: "${{ secrets.MODERNISATION_PLATFORM_CI_USER_ENVIRONMENTS_REPO_PAT }}"
+
+  destroy-development:
+    if: inputs.action == 'destroy'
+    uses: ./.github/workflows/reusable_terraform_plan_apply.yml
+    with:
+      application: "${{ github.workflow }}"
+      environment: "development"
+      action: "plan_apply"
+      plan_apply_tfargs: "-destroy"
+    secrets:
+      modernisation_platform_environments: "${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}"
+      pipeline_github_token: "${{ secrets.MODERNISATION_PLATFORM_CI_USER_ENVIRONMENTS_REPO_PAT }}"
diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml
@@ -78,7 +78,7 @@ jobs:
           fetch-depth: 0
       - name: Run Checkov action
         id: checkov
-        uses: bridgecrewio/checkov-action@327006c6ed37c385f7c6fa126bc54dcce2cccd2f # v12.2601.0
+        uses: bridgecrewio/checkov-action@17f081b0ade2ecb02a4d9ed2437e3a2c62801c0d # v12.2607.0
         with:
           directory: ./
           framework: terraform

diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -12,7 +12,6 @@ jobs:
   triage:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0
+    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
       with:
         repo-token: "${{ secrets.GITHUB_TOKEN }}"
-        sync-labels: ""
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json
@@ -32,8 +32,8 @@
       "ebsapps_ami_id-2": "ami-092cdd881efd12af8",
       "accessgate_ami_id-1": "ami-0868b322f8ed469b6",
       "accessgate_ami_id-2": "ami-092240a30296e0dc1",
-      "webgate_ami_id-1": "ami-0e398cd57c81356a7",
-      "webgate_ami_id-2": "ami-0e398cd57c81356a7",
+      "webgate_ami_id-1": "ami-027421785539d3e60",
+      "webgate_ami_id-2": "ami-0923839bc3db6d2d6",
       "restored_db_image": "ami-0df5f31cae1c86635",
       "orace_base_prereqs_ami_name": "Oracle79-prereqs-v2_0",
       "orace_db_ami_name": "Oracle79-prereqs-v1_8",
@@ -69,13 +69,21 @@
       "ebsapps_u03_size": 200,
       "ebsapps_stage_size": 100,
       "tg_apps_port": 8000,
+      "ebs_iops_ebsdb_swap": 3000,
+      "ebs_size_ebsdb_swap": 20,
       "ebs_size_ebsdb_home": 100,
       "ebs_size_ebsdb_temp": 100,
       "ebs_size_ebsdb_exhome": 100,
       "ebs_size_ebsdb_u01": 300,
       "ebs_size_ebsdb_arch": 500,
       "ebs_size_ebsdb_dbf": 11000,
       "ebs_size_ebsdb_dbf_dr": 8000,
+      "ebs_iops_ebsdb_dbf01": 12000,
+      "ebs_size_ebsdb_dbf01": 4000,
+      "ebs_iops_ebsdb_dbf02": 12000,
+      "ebs_size_ebsdb_dbf02": 4000,
+      "ebs_iops_ebsdb_dbf03": 12000,
+      "ebs_size_ebsdb_dbf03": 3000,
       "ebs_size_ebsdb_redoA": 100,
       "ebs_size_ebsdb_redoB": 50,
       "ebs_size_ebsdb_techst": 100,
@@ -91,7 +99,8 @@
       "ebs_size_ebsconc_u03": 200,
       "ebs_size_ebsconc_home": 100,
       "ebs_size_ebsconc_stage": 100,
-      "ebs_size_ebsconc_temp": 100
+      "ebs_size_ebsconc_temp": 100,
+      "ebs_backup_snapshot_id": "snap-0cdfe4b46c1e34ebb"
     }
   },
   "webgate_ebs": {

diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
@@ -46,6 +46,30 @@ resource "aws_instance" "ec2_oracle_ebs" {
   depends_on = [aws_security_group.ec2_sg_ebsdb]
 }
 
+resource "aws_ebs_volume" "ebsdb_swap" {
+  lifecycle {
+    ignore_changes = [kms_key_id]
+  }
+  availability_zone = "eu-west-2a"
+  size              = local.application_data.accounts[local.environment].ebs_size_ebsdb_swap
+  type              = "gp3"
+  iops              = local.application_data.accounts[local.environment].ebs_iops_ebsdb_swap
+  encrypted         = true
+  kms_key_id        = data.aws_kms_key.ebs_shared.key_id
+  tags = merge(local.tags,
+    { Name = "swap" }
+  )
+}
+
+resource "aws_volume_attachment" "ebsdb_swap_att" {
+  depends_on = [
+    aws_ebs_volume.ebsdb_swap
+  ]
+  device_name = "/dev/sdb"
+  volume_id   = aws_ebs_volume.ebsdb_swap.id
+  instance_id = aws_instance.ec2_oracle_ebs.id
+}
+
 resource "aws_ebs_volume" "export_home" {
   lifecycle {
     ignore_changes = [kms_key_id]
@@ -130,6 +154,78 @@ resource "aws_volume_attachment" "dbf_att" {
   instance_id = aws_instance.ec2_oracle_ebs.id
 }
 
+resource "aws_ebs_volume" "dbf01" {
+  lifecycle {
+    ignore_changes = [kms_key_id]
+  }
+  availability_zone = "eu-west-2a"
+  size              = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf01
+  type              = "io2"
+  iops              = local.application_data.accounts[local.environment].ebs_iops_ebsdb_dbf01
+  encrypted         = true
+  kms_key_id        = data.aws_kms_key.ebs_shared.key_id
+  tags = merge(local.tags,
+    { Name = "dbf01" }
+  )
+}
+
+resource "aws_volume_attachment" "dbf01_att" {
+  depends_on = [
+    aws_ebs_volume.dbf01
+  ]
+  device_name = "/dev/sde"
+  volume_id   = aws_ebs_volume.dbf01.id
+  instance_id = aws_instance.ec2_oracle_ebs.id
+}
+
+resource "aws_ebs_volume" "dbf02" {
+  lifecycle {
+    ignore_changes = [kms_key_id]
+  }
+  availability_zone = "eu-west-2a"
+  size              = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf02
+  type              = "io2"
+  iops              = local.application_data.accounts[local.environment].ebs_iops_ebsdb_dbf02
+  encrypted         = true
+  kms_key_id        = data.aws_kms_key.ebs_shared.key_id
+  tags = merge(local.tags,
+    { Name = "dbf02" }
+  )
+}
+
+resource "aws_volume_attachment" "dbf02_att" {
+  depends_on = [
+    aws_ebs_volume.dbf02
+  ]
+  device_name = "/dev/sdf"
+  volume_id   = aws_ebs_volume.dbf02.id
+  instance_id = aws_instance.ec2_oracle_ebs.id
+}
+
+resource "aws_ebs_volume" "dbf03" {
+  lifecycle {
+    ignore_changes = [kms_key_id]
+  }
+  availability_zone = "eu-west-2a"
+  size              = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf03
+  type              = "io2"
+  iops              = local.application_data.accounts[local.environment].ebs_iops_ebsdb_dbf03
+  encrypted         = true
+  kms_key_id        = data.aws_kms_key.ebs_shared.key_id
+  tags = merge(local.tags,
+    { Name = "dbf03" }
+  )
+}
+
+resource "aws_volume_attachment" "dbf03_att" {
+  depends_on = [
+    aws_ebs_volume.dbf03
+  ]
+  device_name = "/dev/sdg"
+  volume_id   = aws_ebs_volume.dbf03.id
+  instance_id = aws_instance.ec2_oracle_ebs.id
+}
+
 resource "aws_ebs_volume" "redoA" {
   lifecycle {
     ignore_changes = [kms_key_id]
@@ -179,6 +275,7 @@ resource "aws_ebs_volume" "backup" {
   availability_zone = "eu-west-2a"
   size              = local.application_data.accounts[local.environment].ebs_size_ebsdb_backup
   type              = local.application_data.accounts[local.environment].ebs_type_ebsdb_backup
+  snapshot_id       = local.application_data.accounts[local.environment].ebs_backup_snapshot_id
   iops              = 3000
   encrypted         = true
   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
@@ -241,7 +338,6 @@ resource "aws_volume_attachment" "diag_att" {
   instance_id = aws_instance.ec2_oracle_ebs.id
 }
 
-
 resource "aws_ebs_volume" "appshare" {
   lifecycle {
     ignore_changes = [kms_key_id]
@@ -308,6 +404,7 @@ resource "aws_volume_attachment" "db_temp_att" {
   volume_id   = aws_ebs_volume.db_temp.id
   instance_id = aws_instance.ec2_oracle_ebs.id
 }
+
 /*
 ####  This mount was required for golive incident
 ####  Just commenting out, rather than remove - just in case

diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb-sg.tf
@@ -0,0 +1,48 @@
+# Security Group for WEBGATE LB
+resource "aws_security_group" "sg_webgate_lb" {
+  name        = "sg_webgate_lb"
+  description = "Inbound traffic control for WebGate loadbalancer"
+  vpc_id      = data.aws_vpc.shared.id
+
+  tags = merge(local.tags,
+    { Name = lower(format("sg-%s-%s-webgate-loadbalancer", local.application_name, local.environment)) }
+  )
+}
+
+
+# INGRESS Rules
+
+### HTTPS
+
+resource "aws_security_group_rule" "ingress_traffic_webgatelb_443" {
+  security_group_id = aws_security_group.sg_webgate_lb.id
+  type              = "ingress"
+  description       = "HTTPS"
+  protocol          = "TCP"
+  from_port         = 443
+  to_port           = 443
+  cidr_blocks = [data.aws_vpc.shared.cidr_block,
+    local.application_data.accounts[local.environment].lz_aws_subnet_env,
+    local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env,
+  local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env]
+}
+
+
+# EGRESS Rules
+
+### All
+
+resource "aws_security_group_rule" "egress_traffic_webgatelb_80" {
+  security_group_id = aws_security_group.sg_webgate_lb.id
+  type              = "egress"
+  description       = "All"
+  protocol          = "TCP"
+  from_port         = 0
+  to_port           = 0
+  cidr_blocks       = ["0.0.0.0/0"]
+}
+
+
+
+
+