From c66dce515522383530c91939758c6977a312a9bc Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Fri, 1 Dec 2023 12:12:18 +0000
Subject: [PATCH 001/142] Add Enterprise license Add configuration block Remove editor permissions
Signed-off-by: Jacob Woffenden
---
 .../observability-platform/managed-grafana.tf | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf
index 0d1b5b01b2b..b6f6a3efa22 100644
--- a/terraform/environments/observability-platform/managed-grafana.tf
+++ b/terraform/environments/observability-platform/managed-grafana.tf
@@ -1,12 +1,12 @@
 module "managed_grafana" {
 #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
 source = "terraform-aws-modules/managed-service-grafana/aws"
 version = "~> 2.0"
 name = local.application_name
- # license_type = "ENTERPRISE_FREE_TRIAL"
- associate_license = false
+ license_type = "ENTREPRISE"
 account_access_type = "CURRENT_ACCOUNT"
 authentication_providers = ["AWS_SSO"]
@@ -16,15 +16,16 @@ module "managed_grafana" {
 iam_role_policy_arns = [module.amazon_managed_grafana_remote_cloudwatch_iam_policy.arn]
+ configuration = jsonencode({
+ unifiedAlerting = {
+ enabled = true
+ }
+ })
+
 role_associations = {
 "ADMIN" = {
 "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform
 }
- "EDITOR" = {
- "group_ids" = [
- "7652b2d4-d0d1-707f-66ae-0b176587547e" # data-platform-labs
- ]
- }
 }
 tags = local.tags
From 338da8ca27e649a0a9153334c217250315fddf56 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Fri, 1 Dec 2023 12:15:30 +0000
Subject: [PATCH 002/142] correct a typo
Signed-off-by: Jacob Woffenden
---
 .../environments/observability-platform/managed-grafana.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
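Review bot: Removing the `EDITOR` mapping leaves `ADMIN` as the only role association, so anyone who needs to change a dashboard must now be placed in the admin group, and the hunk records neither that decision nor who owns the remaining group ID. A short comment above `role_associations` would stop the next person from re-adding a broad editor mapping, e.g. `# Only ADMIN is mapped on purpose; add further roles only with a named group and an owner`, and the trailing `# observability-platform` label needs to be kept in step with the ID when it changes. Dropping `associate_license = false` at the same time as setting `license_type` presumably hands that choice back to the module's default, which is worth stating in the commit body since it changes a billable setting. The `module` block continues past the end of the hunk.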
diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf
index b6f6a3efa22..9e33e16d9ff 100644
--- a/terraform/environments/observability-platform/managed-grafana.tf
+++ b/terraform/environments/observability-platform/managed-grafana.tf
@@ -6,7 +6,7 @@ module "managed_grafana" {
 name = local.application_name
- license_type = "ENTREPRISE"
+ license_type = "ENTERPRISE"
 account_access_type = "CURRENT_ACCOUNT"
 authentication_providers = ["AWS_SSO"]
From 546f7874c28b2afd35a2feed95194bf9477a82b5 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Fri, 1 Dec 2023 12:19:17 +0000
Subject: [PATCH 003/142] Update plugin config
Signed-off-by: Jacob Woffenden
---
 .../environments/observability-platform/managed-grafana.tf | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf
index 9e33e16d9ff..ef794526860 100644
--- a/terraform/environments/observability-platform/managed-grafana.tf
+++ b/terraform/environments/observability-platform/managed-grafana.tf
@@ -20,6 +20,9 @@ module "managed_grafana" {
 unifiedAlerting = {
 enabled = true
 }
+ plugins = {
+ pluginAdminEnabled = true
+ }
 })
 role_associations = {
From 831aa4cdf153ed490678413f55b51b7a48960a5e Mon Sep 17 00:00:00 2001
From: W
Date: Fri, 24 Nov 2023 15:36:13 +0000
Subject: [PATCH 004/142] create t1 oasys bip b create t1 oasys bip b
---
 terraform/environments/oasys/locals_test.tf | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 7f72be2f5c3..d0cbf9d1127 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
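Review bot: `pluginAdminEnabled = true` allows plugins to be installed and removed from the workspace UI, which turns the single `ADMIN` group mapping in this file into a software-installation path into the workspace, and the commit gives no reason for switching it on. If it is required, record the reason beside the setting, e.g. `pluginAdminEnabled = true # needed for <plugin>; only ADMIN group members can install`, so it can be turned back off once the plugin is in place. Whether the workspace configuration also accepts an allow-list of plugins is not shown in this hunk and is worth checking before relying on the role mapping alone. The `configuration` block and the enclosing `module` both start and end outside the hunk.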
@@ -266,7 +266,25 @@ locals {
 })
 })
-
+ "t1-${local.application_name}-bip-b" = merge(local.bip_b, {
+ autoscaling_group = merge(local.bip_b.autoscaling_group, {
+ desired_capacity = 1
+ })
+ autoscaling_schedules = {}
+ config = merge(local.bip_b.config, {
+ instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [
+ "Ec2T1BipPolicy",
+ ])
+ })
+ tags = merge(local.bip_b.tags, {
+ # instance-scheduling = "skip-scheduling"
+ oasys-environment = "t1"
+ bip-db-name = "T1BIPINF"
+ bip-db-hostname = "t1-oasys-db-a"
+ oasys-db-name = "T1OASYS"
+ oasys-db-hostname = "t1-oasys-db-a"
+ })
+ })
 }
 baseline_ec2_autoscaling_groups = {
From 72615f7c6952676d41140145165707a57f0019a8 Mon Sep 17 00:00:00 2001
From: W
Date: Mon, 27 Nov 2023 13:45:41 +0000
Subject: [PATCH 005/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 38 ++++++++++-----------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index d0cbf9d1127..137d5e7b97d 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
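Review bot: `Ec2T1BipPolicy` is appended to `instance_profile_policies` by name only, so the hunk does not show what the t1 bip instances gain and a reviewer cannot check the profile against least privilege without opening the policy definition; a trailing comment such as `"Ec2T1BipPolicy", # <what it grants>, defined in <file>` (placeholders) would make that visible here. The commented-out `# instance-scheduling = "skip-scheduling"` tag should either carry a reason or be dropped rather than left as a dangling toggle, and `"t1-oasys-db-a"` is repeated for both `bip-db-hostname` and `oasys-db-hostname` where a single local would keep them in step. The enclosing `locals` block starts and ends outside the hunk.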
@@ -266,25 +266,25 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From aa80ba98075c68c739899f096766c493cd59a855 Mon Sep 17 00:00:00 2001 From: W Date: Mon, 27 Nov 2023 13:53:02 +0000 Subject: [PATCH 006/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 38 ++++++++++----------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 137d5e7b97d..d0cbf9d1127 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
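Review bot: Commenting out the whole `t1-${local.application_name}-bip-b` entry is being used as the on/off switch for the t1 BIP test instance, and the same block is flipped back and forth again in patches 006, 010, 011, 012, 014, 018 and 019 (the `t2-…-db-b` and `t2-…-db-a-2` entries get the same treatment in 007, 008, 009, 020 and 021), so the history becomes a run of 20–25 line inversions that hide the one value that actually changed each time. A boolean local would make the intent explicit and keep the block diffable, e.g. `t1_bip_b_enabled = false` beside the other locals and the entry supplied as `local.t1_bip_b_enabled ? { "t1-${local.application_name}-bip-b" = merge(local.bip_b, { … }) } : {}`; that requires the enclosing map to be built with `merge(...)`, which is not visible in this hunk. The enclosing `locals` block starts and ends outside the hunk.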
@@ -266,25 +266,25 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 11001364e50fdde1ea15d73b68dce2042b0d4fe3 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 10:22:33 +0000 Subject: [PATCH 007/142] .. --- terraform/environments/oasys/locals_test.tf | 25 ++++++++++++--------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index d0cbf9d1127..d1332b997ee 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -186,17 +186,20 @@ locals {
 oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS"
 })
 })
- # "t2-${local.application_name}-db-b" = merge(local.database_b, {
- # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, {
- # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, {
- # branch = "main"
- # })
- # })
- # tags = merge(local.database_b.tags, {
- # description = "t2 ${local.application_name} database"
- # "${local.application_name}-environment" = "t2"
- # })
- # })
+ "t2-${local.application_name}-db-b" = merge(local.database_b, {
+ user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, {
+ args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, {
+ branch = "main"
+ })
+ })
+ tags = merge(local.database_b.tags, {
+ description = "t2 ${local.application_name} database"
+ "${local.application_name}-environment" = "t2"
+ bip-db-name = "T2BIPINF"
+ instance-scheduling = "skip-scheduling"
+ oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS"
+ })
+ })
 "t2-${local.application_name}-bip-b" = merge(local.bip_b, {
 autoscaling_group = merge(local.bip_b.autoscaling_group, {
From c4f99511bf3c4c4ad9412447f82b22942f4248e1 Mon Sep 17 00:00:00 2001
From: W
Date: Tue, 28 Nov 2023 11:03:51 +0000
Subject: [PATCH 008/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 28 ++++++++++-----------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index d1332b997ee..4b4a80d7ac8 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
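Review bot: The new `t2-…-db-b` entry repeats the `oracle-sids` list and `bip-db-name = "T2BIPINF"` that already appear verbatim in the preceding entry's tags (the context at the top of the hunk), so the two copies will drift the next time a SID is added. A local such as `t2_oracle_sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS"` referenced from both tag maps would keep them in step. `instance-scheduling = "skip-scheduling"` presumably exempts the instance from the stop/start schedule, which is a cost and exposure choice worth a one-word reason in a trailing comment. The enclosing `locals` block starts and ends outside the hunk.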
@@ -186,20 +186,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - "t2-${local.application_name}-db-b" = merge(local.database_b, { - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "main" - }) - }) - tags = merge(local.database_b.tags, { - description = "t2 ${local.application_name} database" - "${local.application_name}-environment" = "t2" - bip-db-name = "T2BIPINF" - instance-scheduling = "skip-scheduling" - oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - }) - }) + # "t2-${local.application_name}-db-b" = merge(local.database_b, { + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "main" + # }) + # }) + # tags = merge(local.database_b.tags, { + # description = "t2 ${local.application_name} database" + # "${local.application_name}-environment" = "t2" + # bip-db-name = "T2BIPINF" + # instance-scheduling = "skip-scheduling" + # oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + # }) + # }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { From d52c3f648771b9771d8b274fa7232b2c49fde353 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 11:10:26 +0000 Subject: [PATCH 009/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 4b4a80d7ac8..22f91aff78f 100644 --- a/terraform/environments/oasys/locals_test.tf 
+++ b/terraform/environments/oasys/locals_test.tf @@ -186,20 +186,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - # "t2-${local.application_name}-db-b" = merge(local.database_b, { - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "main" - # }) - # }) - # tags = merge(local.database_b.tags, { - # description = "t2 ${local.application_name} database" - # "${local.application_name}-environment" = "t2" - # bip-db-name = "T2BIPINF" - # instance-scheduling = "skip-scheduling" - # oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - # }) - # }) + "t2-${local.application_name}-db-a-2" = merge(local.database_a, { + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "main" + }) + }) + tags = merge(local.database_a.tags, { + description = "t2 ${local.application_name} database" + "${local.application_name}-environment" = "t2" + bip-db-name = "T2BIPINF" + instance-scheduling = "skip-scheduling" + oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + }) + }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { From c1ed0b413f4cda35f6091db08eb020493c8fb592 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 12:00:07 +0000 Subject: [PATCH 010/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 43 ++++++++++++--------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 22f91aff78f..3dafaecb323 100644 
--- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -269,25 +269,30 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 88ccc5bdf5249eaf5aaded4c29aa914c6ccbff93 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 12:06:09 +0000 Subject: [PATCH 011/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 48 ++++++++++----------- 1 file changed, 24 insertions(+), 24 deletions(-) 
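Review bot: The new `user_data_cloud_init` override pins the Ansible checkout for t1 bip-b to `branch = "oasys/bip-build-improvement2"`, a feature branch, and the same argument is later switched to `run-no-roles` (patch 017) and, for `t2-…-db-a-2`, to `oracle_psu_patching` (patch 021). Provisioning from a mutable branch means whatever is pushed there next is what the `--become` playbook run in the provisioning script executes on the instance at boot, with no review gate in between; if this is a temporary test override it should say so and name the condition for returning to `main`, e.g. `branch = "oasys/bip-build-improvement2" # TEMP(<owner>): testing <change>; revert to "main" before merge`. Whether `args` accepts a commit SHA instead of a branch name is not visible in this hunk; if it does, a SHA is the safer pin. Here the block is commented out and only takes effect once patch 011 uncomments it; the enclosing `locals` block starts and ends outside the hunk.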
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 3dafaecb323..7644c52e826 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -269,30 +269,30 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 8b889392da7827bb40500b0759cd2b8c1f9e8f2f Mon Sep 17 00:00:00 2001 
From: W Date: Tue, 28 Nov 2023 14:02:59 +0000 Subject: [PATCH 012/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 7644c52e826..5a381af4717 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -269,31 +269,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) - } + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) + # } baseline_ec2_autoscaling_groups = { ## From 985b6d384b4a328a940982f0d2b3980967fcdb76 Mon Sep 17 00:00:00 2001 
From: W
Date: Tue, 28 Nov 2023 14:03:53 +0000
Subject: [PATCH 013/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 5a381af4717..4b4ebcc950e 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -293,7 +293,7 @@ locals {
 # oasys-db-hostname = "t1-oasys-db-a"
 # })
 # })
- # }
+ }
 baseline_ec2_autoscaling_groups = {
 ##
From f28c1832c91bda39223a472eec96d0f36850a7f0 Mon Sep 17 00:00:00 2001
From: W
Date: Tue, 28 Nov 2023 14:11:06 +0000
Subject: [PATCH 014/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 48 ++++++++++-----------
 1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 4b4ebcc950e..7644c52e826 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -269,30 +269,30 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 74a8641de1fcda46701a3a9098bdf632dc6df72b Mon Sep 17 00:00:00 2001 
From: W
Date: Tue, 28 Nov 2023 16:12:58 +0000
Subject: [PATCH 015/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 7644c52e826..2695316963c 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -278,6 +278,7 @@ locals {
 instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [
 "Ec2T1BipPolicy",
 ])
+ ami_name = "base_rhel_7_9*"
 })
 user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, {
 args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, {
From 61bdf3edf90061f35c251ab7576df6a23f32f057 Mon Sep 17 00:00:00 2001
From: W
Date: Tue, 28 Nov 2023 18:26:08 +0000
Subject: [PATCH 016/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 2695316963c..21768ba261f 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -278,7 +278,7 @@ locals {
 instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [
 "Ec2T1BipPolicy",
 ])
- ami_name = "base_rhel_7_9*"
+ # ami_name = "base_rhel_7_9*"
 })
 user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, {
 args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, {
From cdd76bb07661111c26f805e3be68501ab917db47 Mon Sep 17 00:00:00 2001
From: wullub
Date: Wed, 29 Nov 2023 10:14:20 +0000
Subject: [PATCH 017/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 21768ba261f..c8e40966a07 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -282,7 +282,7 @@ locals {
 })
 user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, {
 args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, {
- branch = "oasys/bip-build-improvement2"
+ branch = "run-no-roles"
 })
 })
 tags = merge(local.bip_b.tags, {
From 2e7d47b55576eb59d276d5a37e83eab27f1eaa93 Mon Sep 17 00:00:00 2001
From: wullub
Date: Wed, 29 Nov 2023 10:14:59 +0000
Subject: [PATCH 018/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index c8e40966a07..274a0778c52 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -269,31 +269,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "run-no-roles" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "run-no-roles" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 69261e081bb246b8ce948eb99c20963ca81d0825 Mon Sep 17 00:00:00 2001 
From: wullub Date: Wed, 29 Nov 2023 10:31:52 +0000 Subject: [PATCH 019/142] .. --- terraform/environments/oasys/locals_test.tf | 50 +++++++++---------- .../templates/ansible-ec2provision.sh.tftpl | 10 ++-- 2 files changed, 30 insertions(+), 30 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 274a0778c52..c8e40966a07 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -269,31 +269,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "run-no-roles" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "run-no-roles" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { 
diff --git a/terraform/environments/oasys/templates/ansible-ec2provision.sh.tftpl b/terraform/environments/oasys/templates/ansible-ec2provision.sh.tftpl
index 4d5f6e11754..e83949ac8da 100644
--- a/terraform/environments/oasys/templates/ansible-ec2provision.sh.tftpl
+++ b/terraform/environments/oasys/templates/ansible-ec2provision.sh.tftpl
@@ -108,11 +108,11 @@ run_ansible() {
 --extra-vars "target=localhost" \
 --become
- echo "# Cleanup"
- deactivate
- rm -rf $ansible_dir/python-venv
- rm -rf $ansible_dir/${ansible_repo}
- rmdir $ansible_dir
+ # echo "# Cleanup"
+ # deactivate
+ # rm -rf $ansible_dir/python-venv
+ # rm -rf $ansible_dir/${ansible_repo}
+ # rmdir $ansible_dir
 }
 echo "ansible-ec2provision.sh start" | logger -p local3.info -t user-data
From 3a10bf771626960248f91d063b6eeebb2caaf2a7 Mon Sep 17 00:00:00 2001
From: wullub
Date: Wed, 29 Nov 2023 13:56:57 +0000
Subject: [PATCH 020/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 28 ++++++++++-----------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index c8e40966a07..dc0a3d944a0 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
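Review bot: Commenting out the cleanup leaves `$ansible_dir/python-venv` and the cloned `${ansible_repo}` checkout on every instance provisioned from this template, not only the one being debugged, and the ".." commit message gives no hint that this is temporary. The checkout and venv are provisioning material that should not outlive the run, so make skipping the cleanup an explicit opt-in (the variable name below is constructed) instead of a comment toggle, and quote the paths while touching the lines. Because the file is a `.tftpl`, a shell default expansion has to be written `$${…}` so Terraform does not try to interpolate it, while `${ansible_repo}` stays a template variable as it is today. `run_ansible` begins outside the hunk.

```shell
  # … unchanged: ansible-playbook invocation …

  # Cleanup runs by default; set KEEP_ANSIBLE_DIR=true in the environment only when debugging a provisioning run.
  if [[ "$${KEEP_ANSIBLE_DIR:-false}" != "true" ]]; then
    echo "# Cleanup"
    deactivate
    rm -rf "$ansible_dir/python-venv"
    rm -rf "$ansible_dir/${ansible_repo}"
    rmdir "$ansible_dir"
  fi
```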
@@ -186,20 +186,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - "t2-${local.application_name}-db-a-2" = merge(local.database_a, { - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "main" - }) - }) - tags = merge(local.database_a.tags, { - description = "t2 ${local.application_name} database" - "${local.application_name}-environment" = "t2" - bip-db-name = "T2BIPINF" - instance-scheduling = "skip-scheduling" - oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - }) - }) + # "t2-${local.application_name}-db-a-2" = merge(local.database_a, { + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "main" + # }) + # }) + # tags = merge(local.database_a.tags, { + # description = "t2 ${local.application_name} database" + # "${local.application_name}-environment" = "t2" + # bip-db-name = "T2BIPINF" + # instance-scheduling = "skip-scheduling" + # oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + # }) + # }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { From 97b2e22fd8f75452a8f7734d46223ea84a87207d Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 29 Nov 2023 14:04:08 +0000 Subject: [PATCH 021/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index dc0a3d944a0..e5b4481f272 100644 --- a/terraform/environments/oasys/locals_test.tf 
+++ b/terraform/environments/oasys/locals_test.tf @@ -186,20 +186,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - # "t2-${local.application_name}-db-a-2" = merge(local.database_a, { - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "main" - # }) - # }) - # tags = merge(local.database_a.tags, { - # description = "t2 ${local.application_name} database" - # "${local.application_name}-environment" = "t2" - # bip-db-name = "T2BIPINF" - # instance-scheduling = "skip-scheduling" - # oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - # }) - # }) + "t2-${local.application_name}-db-a-2" = merge(local.database_a, { + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oracle_psu_patching" + }) + }) + tags = merge(local.database_a.tags, { + description = "t2 ${local.application_name} database" + "${local.application_name}-environment" = "t2" + bip-db-name = "T2BIPINF" + instance-scheduling = "skip-scheduling" + oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + }) + }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { From f263a6cb92b142e5b75db64f683f3a3440e50960 Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 29 Nov 2023 14:11:42 +0000 Subject: [PATCH 022/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index e5b4481f272..85336bc3967 100644 
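Review bot: The commit message `Update locals_test.tf` does not say why `t2-…-db-a-2` is re-enabled against the `oracle_psu_patching` branch rather than `main`, and the same one-line message (or `..`) is reused for the commits on L24–L43, so the history gives no way to tell a deliberate test state from an accidental leftover. State the purpose and the intended end state in the message or as an inline comment next to `branch`, e.g. `branch = "oracle_psu_patching" # TEMP(<ticket>): validating PSU patching playbook on t2`. The enclosing `locals` map starts before the hunk.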
--- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -186,7 +186,7 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - "t2-${local.application_name}-db-a-2" = merge(local.database_a, { + "t2-${local.application_name}-db-a-3" = merge(local.database_a, { user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { branch = "oracle_psu_patching" From 964447859fcb998ea8334c6249f80176b7f66252 Mon Sep 17 00:00:00 2001 From: wullub Date: Thu, 30 Nov 2023 11:39:39 +0000 Subject: [PATCH 023/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 85336bc3967..a34a41184bc 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -269,31 +269,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "run-no-roles" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From f5eb807d291c4ff2bf6dc914e8a7c02c7f56c57c Mon Sep 17 00:00:00 2001 
From: wullub Date: Thu, 30 Nov 2023 11:45:48 +0000 Subject: [PATCH 024/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index a34a41184bc..0227651ff6a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -269,31 +269,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 42127743fa67344d503685896d7584b20c63bde3 Mon Sep 17 00:00:00 2001 
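Review bot: Enabling the t1 `bip-b` entry by un-commenting 25 lines, right after the previous commit commented the same lines out, is a pattern repeated throughout this series (L25, L29, L30, L34, L36, L38, L40, L43); each toggle is a 50-line diff that hides the one value that actually changed (`branch`). A single switch would be clearer to review and audit, for example a local such as `t1_bip_b_enabled = true` (name illustrative) with the entry merged into the map only when it is set, so that enabling or disabling the instance is a one-line change and the block's content stays in the file as live, formatted code. The enclosing `locals` map starts before the hunk.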
From: W Date: Mon, 27 Nov 2023 13:45:41 +0000 Subject: [PATCH 025/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 44 +++++++++------------ 1 file changed, 19 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 0227651ff6a..f242169532c 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -269,31 +269,25 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 2f2093eab9b993aa9e8befda37ba6a4d8485f2dd Mon Sep 17 00:00:00 2001 From: W Date: Mon, 27 Nov 2023 13:53:02 +0000 Subject: [PATCH 026/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 38 ++++++++++----------- 1 file changed, 19 insertions(+), 19 deletions(-) 
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index f242169532c..058ec25a184 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -269,25 +269,25 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From b5d28a82313b0661ab008f6040aa8ee800dce82b Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 10:22:33 +0000 Subject: [PATCH 027/142] .. --- terraform/environments/oasys/locals_test.tf | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 058ec25a184..40868f7332c 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -200,6 +200,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) + "t2-${local.application_name}-db-b" = merge(local.database_b, { + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "main" + }) + }) + tags = merge(local.database_b.tags, { + description = "t2 ${local.application_name} database" + "${local.application_name}-environment" = "t2" + bip-db-name = "T2BIPINF" + instance-scheduling = "skip-scheduling" + oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + }) + }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { From f309b3fd1c271d19d4a33a1625abd029b78612ac Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 11:03:51 +0000 Subject: [PATCH 028/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 40868f7332c..347be0d8672 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
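Review bot: The new `t2-…-db-b` entry copies the tags of the `db-a` entry visible in the context above, including `oracle-sids = "T2BIPINF …"` and `bip-db-name = "T2BIPINF"`, so two t2 hosts would now advertise the same SIDs; if anything downstream (the BIP hosts' `bip-db-hostname` tag, inventory built from tags, scheduling) keys off those values, confirm which host is meant to serve them, or tag `db-b` as the rebuild or standby target, e.g. `description = "t2 ${local.application_name} database (rebuild candidate)"`. The commit message `..` records none of this intent. The enclosing `locals` map starts before the hunk.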
@@ -200,20 +200,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - "t2-${local.application_name}-db-b" = merge(local.database_b, { - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "main" - }) - }) - tags = merge(local.database_b.tags, { - description = "t2 ${local.application_name} database" - "${local.application_name}-environment" = "t2" - bip-db-name = "T2BIPINF" - instance-scheduling = "skip-scheduling" - oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - }) - }) + # "t2-${local.application_name}-db-b" = merge(local.database_b, { + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "main" + # }) + # }) + # tags = merge(local.database_b.tags, { + # description = "t2 ${local.application_name} database" + # "${local.application_name}-environment" = "t2" + # bip-db-name = "T2BIPINF" + # instance-scheduling = "skip-scheduling" + # oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + # }) + # }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { From ea3b86ec987ce492bed6f508eceeb3964408dda3 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 11:10:26 +0000 Subject: [PATCH 029/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 347be0d8672..125082425d7 100644 --- a/terraform/environments/oasys/locals_test.tf 
+++ b/terraform/environments/oasys/locals_test.tf @@ -200,20 +200,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - # "t2-${local.application_name}-db-b" = merge(local.database_b, { - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "main" - # }) - # }) - # tags = merge(local.database_b.tags, { - # description = "t2 ${local.application_name} database" - # "${local.application_name}-environment" = "t2" - # bip-db-name = "T2BIPINF" - # instance-scheduling = "skip-scheduling" - # oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - # }) - # }) + "t2-${local.application_name}-db-a-2" = merge(local.database_a, { + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "main" + }) + }) + tags = merge(local.database_a.tags, { + description = "t2 ${local.application_name} database" + "${local.application_name}-environment" = "t2" + bip-db-name = "T2BIPINF" + instance-scheduling = "skip-scheduling" + oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + }) + }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { From b5b271b7624dad0650416d948fbf7223ece8f5fb Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 12:00:07 +0000 Subject: [PATCH 030/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 43 ++++++++++++--------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 125082425d7..ca6bd756371 100644 
--- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -283,25 +283,30 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 1fbdf2c92a1deb3dee0965e5d7e2a56769eee1d0 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 12:06:09 +0000 Subject: [PATCH 031/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 48 ++++++++++----------- 1 file changed, 24 insertions(+), 24 deletions(-) 
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index ca6bd756371..66711360e07 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,30 +283,30 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 6b10262f41a945ae2c5344c919980369451b398d Mon Sep 17 00:00:00 2001 
From: W Date: Tue, 28 Nov 2023 14:02:59 +0000 Subject: [PATCH 032/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 66711360e07..77b50f879f8 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) - } + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) + # } baseline_ec2_autoscaling_groups = { ## From b3b9b2fbc5b2eb2a2282edac3be0a0312f500ade Mon Sep 17 00:00:00 2001 
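Review bot: The last changed line, `- }` → `+ # }`, comments out the brace that closes the enclosing map rather than anything in the `bip-b` block (the block's own `})` is the preceding line), which leaves the `locals` map unterminated and would fail `terraform validate`; patch 033 on L39 restores it about a minute later. Running `terraform fmt -check` and `terraform validate` before pushing would catch this class of slip, and keeping the block out of comments (the toggle pattern used across this series) removes the chance of mis-bracketing altogether. The enclosing `locals` map starts before the hunk.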
From: W Date: Tue, 28 Nov 2023 14:03:53 +0000 Subject: [PATCH 033/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 77b50f879f8..12dc1dbbec3 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -307,7 +307,7 @@ locals { # oasys-db-hostname = "t1-oasys-db-a" # }) # }) - # } + } baseline_ec2_autoscaling_groups = { ## From 26144bd149166c4819c5e6cd526941932fa38e93 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 14:11:06 +0000 Subject: [PATCH 034/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 48 ++++++++++----------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 12dc1dbbec3..66711360e07 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,30 +283,30 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From b4bdd63a79488b6329bea20441881afeadcb70ce Mon Sep 17 00:00:00 2001 
From: W Date: Tue, 28 Nov 2023 16:12:58 +0000 Subject: [PATCH 035/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 66711360e07..17d52000cdf 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -292,6 +292,7 @@ locals { instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ "Ec2T1BipPolicy", ]) + ami_name = "base_rhel_7_9*" }) user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { From d0c082480961f79d52a390f7fb726edf3c27b206 Mon Sep 17 00:00:00 2001 From: W Date: Tue, 28 Nov 2023 18:26:08 +0000 Subject: [PATCH 036/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 17d52000cdf..9478faf86fd 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -292,7 +292,7 @@ locals { instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ "Ec2T1BipPolicy", ]) - ami_name = "base_rhel_7_9*" + # ami_name = "base_rhel_7_9*" }) user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { From 826a465be1fa5c77a01e3866d2eae0ff3d86fe1f Mon Sep 17 00:00:00 2001 
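Review bot: `ami_name = "base_rhel_7_9*"` is a glob; assuming the module resolves it via an AMI name lookup (the module is not in view), whichever image matches at plan time is selected, so the base image can change between applies with no diff in this file. If a specific image is wanted, pin the full AMI name (or an exact version suffix) rather than a wildcard; if "latest matching build" is intended, say so, e.g. `ami_name = "base_rhel_7_9*" # intentionally tracks the newest base_rhel_7_9 build`. The next commit (036, same line) comments the override out again, leaving a dead `# ami_name` line; if it is not coming back, delete it rather than keep it as a comment. The enclosing `config = merge(...)` starts before the hunk.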
From: wullub Date: Wed, 29 Nov 2023 10:14:20 +0000 Subject: [PATCH 037/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 9478faf86fd..3def4ed2034 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -296,7 +296,7 @@ locals { }) user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" + branch = "run-no-roles" }) }) tags = merge(local.bip_b.tags, { From 0ba8295165cb4cf2ebef7005f6b5452a89e3d1c8 Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 29 Nov 2023 10:14:59 +0000 Subject: [PATCH 038/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 3def4ed2034..e76eb7ad9f6 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "run-no-roles" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "run-no-roles" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 3aa75af036f06d144a4cf6b7b383fc9916a24c2b Mon Sep 17 00:00:00 2001 
From: wullub
Date: Wed, 29 Nov 2023 10:31:52 +0000
Subject: [PATCH 039/142] ..
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index e76eb7ad9f6..3def4ed2034 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "run-no-roles" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "run-no-roles" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 2004f4257a20eadf37ac7f2de25b7030543d5683 Mon Sep 17 00:00:00 2001 
From: wullub Date: Wed, 29 Nov 2023 13:56:57 +0000 Subject: [PATCH 040/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 28 ++++++++++----------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 3def4ed2034..c70b5eee413 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -200,20 +200,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - "t2-${local.application_name}-db-a-2" = merge(local.database_a, { - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "main" - }) - }) - tags = merge(local.database_a.tags, { - description = "t2 ${local.application_name} database" - "${local.application_name}-environment" = "t2" - bip-db-name = "T2BIPINF" - instance-scheduling = "skip-scheduling" - oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - }) - }) + # "t2-${local.application_name}-db-a-2" = merge(local.database_a, { + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "main" + # }) + # }) + # tags = merge(local.database_a.tags, { + # description = "t2 ${local.application_name} database" + # "${local.application_name}-environment" = "t2" + # bip-db-name = "T2BIPINF" + # instance-scheduling = "skip-scheduling" + # oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + # }) + # }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { 
From 9fcc1fa615a3dc7991b83d58b392b2bd64d42c03 Mon Sep 17 00:00:00 2001
From: wullub
Date: Wed, 29 Nov 2023 14:04:08 +0000
Subject: [PATCH 041/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 28 ++++++++++-----------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index c70b5eee413..3fb07dfa568 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -200,20 +200,20 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - # "t2-${local.application_name}-db-a-2" = merge(local.database_a, { - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "main" - # }) - # }) - # tags = merge(local.database_a.tags, { - # description = "t2 ${local.application_name} database" - # "${local.application_name}-environment" = "t2" - # bip-db-name = "T2BIPINF" - # instance-scheduling = "skip-scheduling" - # oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - # }) - # }) + "t2-${local.application_name}-db-a-2" = merge(local.database_a, { + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oracle_psu_patching" + }) + }) + tags = merge(local.database_a.tags, { + description = "t2 ${local.application_name} database" + "${local.application_name}-environment" = "t2" + bip-db-name = "T2BIPINF" + instance-scheduling = "skip-scheduling" + oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" + }) + }) "t2-${local.application_name}-bip-b" = merge(local.bip_b, { autoscaling_group = merge(local.bip_b.autoscaling_group, { From 5d7f76b660683b3f6ec103661056a8f779b493ee Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 29 Nov 2023 14:11:42 +0000 Subject: [PATCH 042/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 3fb07dfa568..a976d1b4b9c 100644 --- a/terraform/environments/oasys/locals_test.tf 
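Review bot: The re-enabled `t2-…-db-a-2` block carries `bip-db-name = "T2BIPINF"` and exactly the same `oracle-sids` list as the block that closes immediately above it (its `oracle-sids` line is the hunk's leading context), so two t2 database instances now advertise the same SIDs by tag; if anything selects a database by those tags, which instance answers is undefined. Either give the second instance distinct identifiers or document that the duplication is intended, e.g. `# temporary PSU-patching clone; same SIDs as t2 db-a on purpose, remove after patching`. `branch = "oracle_psu_patching"` is likewise a mutable branch with no note of when it should go back to `main`. The enclosing map starts and ends outside the hunk.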
+++ b/terraform/environments/oasys/locals_test.tf
@@ -200,7 +200,7 @@ locals {
 oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS"
 })
 })
- "t2-${local.application_name}-db-a-2" = merge(local.database_a, {
+ "t2-${local.application_name}-db-a-3" = merge(local.database_a, {
 user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, {
 args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, {
 branch = "oracle_psu_patching"
From f34684f0e45882ec3354168b97e3a189d3d78539 Mon Sep 17 00:00:00 2001
From: wullub
Date: Thu, 30 Nov 2023 11:39:39 +0000
Subject: [PATCH 043/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index a976d1b4b9c..29ec812d682 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "run-no-roles" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 1e1acb63c252ab67c368294cffe6855a57e6569f Mon Sep 17 00:00:00 2001 
From: wullub
Date: Thu, 30 Nov 2023 11:45:48 +0000
Subject: [PATCH 044/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 29ec812d682..e091a30a88a 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 8b060a7d4a361ba32a5d8dd9599b2107936fac03 Mon Sep 17 00:00:00 2001 
From: W
Date: Fri, 1 Dec 2023 09:28:25 +0000
Subject: [PATCH 045/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index e091a30a88a..29ec812d682 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From b09ef9b9339dddb0221fbe3516af682df90cd5f8 Mon Sep 17 00:00:00 2001 
From: W
Date: Fri, 1 Dec 2023 09:51:45 +0000
Subject: [PATCH 046/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 29ec812d682..e091a30a88a 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From cdd5f67d20387a935a8f4c0fa9d642218081a4f1 Mon Sep 17 00:00:00 2001 
From: wullub
Date: Mon, 4 Dec 2023 10:19:48 +0000
Subject: [PATCH 047/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index e091a30a88a..29ec812d682 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From c213c04524a7d720f1129de4fd9ff4cb3afb3882 Mon Sep 17 00:00:00 2001 
From: Robert Sweetman
Date: Mon, 4 Dec 2023 11:06:03 +0000
Subject: [PATCH 048/142] change variable to look up cert name (#4222)
* change variable to look up cert name
* add ssl security policy, required for HTTPS listener
---
 terraform/environments/planetfm/locals_preproduction.tf | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf
index 1e8523b057e..8c00b103f07 100644
--- a/terraform/environments/planetfm/locals_preproduction.tf
+++ b/terraform/environments/planetfm/locals_preproduction.tf
@@ -211,9 +211,10 @@ locals {
 }
 listeners = {
 https = {
- port = 443
- protocol = "HTTPS"
- certificate_arn_lookup = "planetfm_wildcard_cert"
+ port = 443
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-2016-08"
+ certificate_names_or_arns = ["planetfm_wildcard_cert"]
 default_action = {
 type = "fixed-response"
 fixed_response = {
From d59f7f2565122ef71915b4aaeef7141beffa143b Mon Sep 17 00:00:00 2001
From: Hope Aitchison
Date: Mon, 4 Dec 2023 11:19:15 +0000
Subject: [PATCH 049/142] secret placeholder for ad service account
---
 .../corporate-staff-rostering/locals_development.tf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/terraform/environments/corporate-staff-rostering/locals_development.tf b/terraform/environments/corporate-staff-rostering/locals_development.tf
index 20182438635..9b0aa7a4303 100644
--- a/terraform/environments/corporate-staff-rostering/locals_development.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_development.tf
@@ -4,6 +4,14 @@ locals {
 # baseline config
 development_config = {
+ baseline_secretsmanager_secrets = {
+ "/activedirectory/devtest/aws-lambda" = {
+ secrets = {
+ passwords = { description = "active directory lambda service account" }
+ }
+ }
+ }
+
 baseline_ec2_autoscaling_groups = {
 dev-base-ol85 = {
 config = merge(module.baseline_presets.ec2_instance.config.default, {
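Review bot: `ssl_policy = "ELBSecurityPolicy-2016-08"` still negotiates TLS 1.0 and TLS 1.1 on the new 443 listener, so a listener being created fresh here would ship with protocols that are deprecated for anything carrying user sessions. Prefer a TLS 1.2-minimum policy, `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"`, and fall back to `ELBSecurityPolicy-TLS-1-2-2017-01` only if a PlanetFM client is known to lack TLS 1.3 support. The listener's `default_action` is a fixed response, so the host-header rules elsewhere in the file decide what is actually served; those are outside this hunk. The enclosing `listeners` map continues past the hunk.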
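Review bot: The new `/activedirectory/devtest/aws-lambda` entry declares only a description, which is fine for a placeholder, but nothing records where the real password comes from, so a reader of the development config cannot tell whether it is set by hand or whether a later `secret_string` is expected. Add a comment on the entry, e.g. `# value is populated manually in Secrets Manager; never set it in Terraform, it would land in state`. The `devtest` path segment under the `development` config is presumably deliberate (one secret shared by dev and test), but that is worth a word too. How `baseline_secretsmanager_secrets` creates the placeholder (initial value, recovery window) is outside this hunk.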
From 53f2bfb8ffd1d5d4a5dcb0fcadd3eafc77fc42cb Mon Sep 17 00:00:00 2001
From: wullub
Date: Mon, 4 Dec 2023 11:26:06 +0000
Subject: [PATCH 050/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index 29ec812d682..e091a30a88a 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From ae2348adba51a6b9b5b33318c12e117fdafbbdc8 Mon Sep 17 00:00:00 2001 
From: Robert Sweetman
Date: Mon, 4 Dec 2023 11:38:58 +0000
Subject: [PATCH 051/142] specify values correctly (#4223)
* specify values correctly
* underscores
---
 .../planetfm/locals_preproduction.tf | 22 ++++++++++---------
 1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf
index 8c00b103f07..f104516cbee 100644
--- a/terraform/environments/planetfm/locals_preproduction.tf
+++ b/terraform/environments/planetfm/locals_preproduction.tf
@@ -231,11 +231,12 @@ locals {
 target_group_name = "web-23-80"
 }]
 conditions = [{
- field = "host-header"
- values = [
- "cafmtx.pp.planetfm.service.justice.gov.uk",
- "pp-cafmtx.az.justice.gov.uk",
- ]
+ host_header = {
+ values = [
+ "cafmtx.pp.planetfm.service.justice.gov.uk",
+ "pp-cafmtx.az.justice.gov.uk",
+ ]
+ }
 }]
 }
 web-45-80 = {
@@ -245,11 +246,12 @@ locals {
 target_group_name = "web-45-80"
 }]
 conditions = [{
- field = "host-header"
- values = [
- "cafmtwebx.pp.planetfm.service.justice.gov.uk",
- "pp-cafmtwebx.az.justice.gov.uk",
- ]
+ host_header = {
+ values = [
+ "cafmtwebx.pp.planetfm.service.justice.gov.uk",
+ "pp-cafmtwebx.az.justice.gov.uk",
+ ]
+ }
 }]
 }
 }
From 787ad053210a8d3eb86f3d771fdbe871668001fa Mon Sep 17 00:00:00 2001
From: Robert Sweetman
Date: Mon, 4 Dec 2023 12:10:10 +0000
Subject: [PATCH 052/142] set lb_alias_records for planetfm pre-prod LB (#4226)
---
 terraform/environments/planetfm/locals_preproduction.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf
index f104516cbee..64b15b0c0a6 100644
--- a/terraform/environments/planetfm/locals_preproduction.tf
+++ b/terraform/environments/planetfm/locals_preproduction.tf
@@ -268,8 +268,8 @@ locals {
 # { name = "ppplanet-b", type = "CNAME", ttl = "300", records = ["pp-cafm-db-a.planetfm.hmpps-preproduction.modernisation-platform.service.justice.gov.uk"] },
 ]
 lb_alias_records = [
- # { name = "cafmtx", type = "A", lbs_map_key = "private" } Create in subsequent PR to LB private deployment
- # { name = "cafmtwebx", type = "A", lbs_map_key = "private" } Create in subsequent PR to LB private deployment
+ { name = "cafmtx", type = "A", lbs_map_key = "private" },
+ { name = "cafmtwebx", type = "A", lbs_map_key = "private" },
 ]
 }
 }
From ddd7bf248d82fd114a1f27ab24446e1238113b91 Mon Sep 17 00:00:00 2001
From: Jeremy Collins
Date: Mon, 4 Dec 2023 12:35:26 +0000
Subject: [PATCH 053/142] Remove PECS env vars
---
 .../performance-hub/templates/task_definition.json | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/terraform/environments/performance-hub/templates/task_definition.json b/terraform/environments/performance-hub/templates/task_definition.json
index 24b4d454655..5eb404e3406 100644
--- a/terraform/environments/performance-hub/templates/task_definition.json
+++ b/terraform/environments/performance-hub/templates/task_definition.json
@@ -81,14 +81,6 @@
 "name": "OS_VTS_API_KEY",
 "valueFrom": "${os_vts_api_key}"
 },
- {
- "name": "PECS_BASM_PROD_ACCESS_KEY_ID",
- "valueFrom": "${pecs_basm_prod_access_key_id}"
- },
- {
- "name": "PECS_BASM_PROD_SECRET_ACCESS_KEY",
- "valueFrom": "${pecs_basm_prod_secret_access_key}"
- },
 {
 "name": "AP_IMPORT_ACCESS_KEY_ID",
 "valueFrom": "${ap_import_access_key_id}"
From b37451272ffb1b77d6c6f08088ac13345cc59cf1 Mon Sep 17 00:00:00 2001
From: Jeremy Collins
Date: Mon, 4 Dec 2023 12:39:42 +0000
Subject: [PATCH 054/142] Remove AP import secrets
---
 .../performance-hub/templates/task_definition.json | 8 --------
 1 file changed, 8 deletions(-)
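Review bot: Dropping the two `PECS_BASM_PROD_*` entries removes the container's reference to those credentials but not the credentials themselves: the `${pecs_basm_prod_access_key_id}` / `${pecs_basm_prod_secret_access_key}` template variables, the SSM or Secrets Manager entries they resolve to, and the task execution role's permission to read them presumably still exist in the surrounding Terraform. Because these look like long-lived static AWS access keys for a production system that have been present in a task definition, the key pair should be deactivated or rotated on the PECS side and the parameters deleted, not merely dereferenced, otherwise an unused but live credential stays around. The `templatefile()` call that supplies these variables is outside this hunk, so check whether it still passes them.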
diff --git a/terraform/environments/performance-hub/templates/task_definition.json b/terraform/environments/performance-hub/templates/task_definition.json
index 5eb404e3406..46062cdc39e 100644
--- a/terraform/environments/performance-hub/templates/task_definition.json
+++ b/terraform/environments/performance-hub/templates/task_definition.json
@@ -81,14 +81,6 @@
 "name": "OS_VTS_API_KEY",
 "valueFrom": "${os_vts_api_key}"
 },
- {
- "name": "AP_IMPORT_ACCESS_KEY_ID",
- "valueFrom": "${ap_import_access_key_id}"
- },
- {
- "name": "AP_IMPORT_SECRET_ACCESS_KEY",
- "valueFrom": "${ap_import_secret_access_key}"
- },
 {
 "name": "AP_EXPORT_ACCESS_KEY_ID",
 "valueFrom": "${ap_export_access_key_id}"
From e14c31dba7be10d5ead1009ee7580d7ebb9e95e4 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Mon, 4 Dec 2023 13:20:34 +0000
Subject: [PATCH 055/142] Add Grafana API Key
Signed-off-by: Jacob Woffenden
---
 .../observability-platform/managed-grafana.tf | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf
index ef794526860..654dae3e562 100644
--- a/terraform/environments/observability-platform/managed-grafana.tf
+++ b/terraform/environments/observability-platform/managed-grafana.tf
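Review bot: The `AP_IMPORT_*` removal leaves its sibling `AP_EXPORT_ACCESS_KEY_ID` (the hunk's trailing context) in place, so only the import half of that key material leaves the task; if the import key is being retired, deactivate it in the account that issued it and drop its parameter and the `${ap_import_*}` template variables rather than only the `valueFrom` reference. A one-line commit note saying whether the key was rotated or merely unreferenced would help the next reviewer judge whether follow-up is needed. The `templatefile()` call and the parameters themselves are outside this hunk.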
@@ -33,3 +33,28 @@ module "managed_grafana" {
 tags = local.tags
 }
+
+locals {
+ grafana_api_key_expiration_days = 30
+ grafana_api_key_expiration_seconds = 60 * 60 * 24 * local.grafana_api_key_expiration_days
+}
+
+resource "time_rotating" "grafana_api_key_rotation" {
+ rotation_days = local.grafana_api_key_expiration_days
+}
+
+resource "time_static" "grafana_api_key_rotation" {
+ rfc3339 = time_rotating.grafana_api_key_rotation.rfc3339
+}
+
+resource "aws_grafana_workspace_api_key" "automation_key" {
+ workspace_id = module.managed_grafana.workspace_id
+
+ key_name = "automation"
+ key_role = "ADMIN"
+ seconds_to_live = local.grafana_api_key_expiration_seconds
+
+ lifecycle {
+ replace_triggered_by = [time_static.grafana_api_key_rotation]
+ }
+}
From 7c29fdd4b3a42edcaddf34e53afc16602640c9d7 Mon Sep 17 00:00:00 2001
From: wullub
Date: Mon, 4 Dec 2023 13:29:36 +0000
Subject: [PATCH 056/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index e091a30a88a..29ec812d682 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
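Review bot: `seconds_to_live` and `rotation_days` are both derived from the same 30-day local, so the key expires at the very moment `time_rotating` becomes due and whatever holds the key is broken until someone runs `terraform apply` to replace it; since the service caps `seconds_to_live` at 30 days (as I recall, confirm), the margin has to come from rotating earlier, e.g. `rotation_days = local.grafana_api_key_expiration_days - 7`. The key value comes back in the resource's `key` attribute and is persisted in Terraform state, so a 30-day `ADMIN` token is readable by anyone with state access; say so in a comment and keep it out of `output` blocks. `key_role = "ADMIN"` also deserves a why-comment, because `EDITOR` suffices if the automation only manages dashboards, while data-source management does need `ADMIN`. No `provider "grafana"` or other consumer of the key is visible in this hunk, so its purpose cannot be judged from here.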
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 795e60067a2be46619199c9e4928c4733544d12b Mon Sep 17 00:00:00 2001 
From: Jacob Woffenden Date: Mon, 4 Dec 2023 13:38:05 +0000 Subject: [PATCH 057/142] Add Grafana role association Signed-off-by: Jacob Woffenden --- .../environment-configurations.tf | 15 +++++++++++++++ .../observability-platform/managed-grafana.tf | 12 ++++++++++++ 2 files changed, 27 insertions(+) diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf index b7991d5ecea..4c22d10c284 100644 --- a/terraform/environments/observability-platform/environment-configurations.tf +++ b/terraform/environments/observability-platform/environment-configurations.tf @@ -2,6 +2,21 @@ locals { environment_configuration = local.environment_configurations[local.environment] environment_configurations = { development = { + observability_platform_configuration = { + "data-platform" = { + sso_uuid = "16a2d234-1031-70b5-2657-7f744c55e48f" + cloudwatch_accounts = [ + "data-platform-development", + "data-platform-test", + "data-platform-staging", + "data-platform-preproduction", + "data-platform-apps-and-tools-development" + ] + prometheus_accounts = [ + "data-platform-apps-and-tools-development" + ] + } + } source_accounts = [ local.environment_management.account_ids["data-platform-apps-and-tools-development"], local.environment_management.account_ids["data-platform-development"], diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index 654dae3e562..6b349887d35 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf 
@@ -1,3 +1,11 @@ +locals { + all_sso_uuids = distinct(flatten([ + for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ + lookup(tenant_config, "sso_uuid", []) + ] + ])) +} + module "managed_grafana" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions @@ -29,11 +37,15 @@ module "managed_grafana" { "ADMIN" = { "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform } + "VIEWER" = { + "group_ids" = local.all_sso_uuids + } } tags = local.tags } +/* Grafana API */ locals { grafana_api_key_expiration_days = 30 grafana_api_key_expiration_seconds = 60 * 60 * 24 * local.grafana_api_key_expiration_days From 806469b22e3a37efae98f45ab8a89dafc6acfe4f Mon Sep 17 00:00:00 2001 From: wullub Date: Mon, 4 Dec 2023 13:43:26 +0000 Subject: [PATCH 058/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
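Review bot: `lookup(tenant_config, "sso_uuid", [])` defaults a string attribute to an empty list; `flatten` happens to absorb both shapes, but the type mismatch hides the intent, and `[for t in local.environment_configuration.observability_platform_configuration : t.sso_uuid if can(t.sso_uuid)]` says it directly without the nested list. The `VIEWER` association in the second hunk gives every tenant's SSO group a workspace-wide Viewer role, which as far as I can tell means read access to every dashboard and data source the workspace exposes unless folder and data source permissions narrow it; no such permissions exist in these hunks, so tenant separation currently rests on work not yet in the tree and deserves a comment saying so next to `"VIEWER"`.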
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 1d7b25af5e5a381df6b952e6ecaa67ad07b36cbc Mon Sep 17 00:00:00 2001 
From: Jacob Woffenden Date: Mon, 4 Dec 2023 13:56:53 +0000 Subject: [PATCH 059/142] Add CloudWatch sources Signed-off-by: Jacob Woffenden --- .../environment-configurations.tf | 1 - .../observability-platform/managed-grafana.tf | 26 +++++++++++++++++++ .../modules/grafana/cloudwatch-source/main.tf | 15 +++++++++++ .../grafana/cloudwatch-source/providers.tf | 8 ++++++ .../grafana/cloudwatch-source/variables.tf | 9 +++++++ .../platform_versions.tf | 4 +++ .../observability-platform/providers.tf | 4 +++ 7 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf create mode 100644 terraform/environments/observability-platform/modules/grafana/cloudwatch-source/providers.tf create mode 100644 terraform/environments/observability-platform/modules/grafana/cloudwatch-source/variables.tf create mode 100644 terraform/environments/observability-platform/providers.tf diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf index 4c22d10c284..ef8c32765be 100644 --- a/terraform/environments/observability-platform/environment-configurations.tf +++ b/terraform/environments/observability-platform/environment-configurations.tf @@ -8,7 +8,6 @@ locals { cloudwatch_accounts = [ "data-platform-development", "data-platform-test", - "data-platform-staging", "data-platform-preproduction", "data-platform-apps-and-tools-development" ] diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index 6b349887d35..46b86f8bfad 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf 
@@ -4,6 +4,18 @@ locals { lookup(tenant_config, "sso_uuid", []) ] ])) + + all_cloudwatch_accounts = distinct(flatten([ + for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ + lookup(tenant_config, "cloudwatch_accounts", []) + ] + ])) + + all_prometheus_accounts = distinct(flatten([ + for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ + lookup(tenant_config, "prometheus_accounts", []) + ] + ])) } module "managed_grafana" { @@ -70,3 +82,17 @@ resource "aws_grafana_workspace_api_key" "automation_key" { replace_triggered_by = [time_static.grafana_api_key_rotation] } } + +/* CloudWatch Sources */ +module "cloudwatch_sources" { + for_each = { + for account in local.all_cloudwatch_accounts : account => { + account_id = account + } + } + + source = "./modules/grafana/cloudwatch-source" + + name = each.key + environment_management = local.environment_management +} diff --git a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf new file mode 100644 index 00000000000..b9a35508752 --- /dev/null +++ b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf @@ -0,0 +1,15 @@ +locals { + name = "${var.name}-cloudwatch" + account_id = var.environment_management.account_ids[var.name] +} + +resource "grafana_data_source" "this" { + type = "cloudwatch" + name = local.name + + json_data_encoded = jsonencode({ + defaultRegion = "eu-west-2" + authType = "ec2_iam_role" + assume_role_arn = "arn:aws:iam::${local.account_id}:role/observability-platform" + }) +} diff --git a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/providers.tf b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/providers.tf new file mode 100644 index 00000000000..488291d9cc0 --- /dev/null 
+++ b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + grafana = { + source = "grafana/grafana" + version = "~> 2.0" + } + } +} diff --git a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/variables.tf b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/variables.tf new file mode 100644 index 00000000000..64243b46a0c --- /dev/null +++ b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/variables.tf @@ -0,0 +1,9 @@ +variable "name" { + type = string +} + +variable "environment_management" { + type = object({ + account_ids = map(string) + }) +} diff --git a/terraform/environments/observability-platform/platform_versions.tf b/terraform/environments/observability-platform/platform_versions.tf index 6161ef3bc02..735d9d8cb77 100644 --- a/terraform/environments/observability-platform/platform_versions.tf +++ b/terraform/environments/observability-platform/platform_versions.tf @@ -4,6 +4,10 @@ terraform { version = "~> 5.0" source = "hashicorp/aws" } + grafana = { + source = "grafana/grafana" + version = "~> 2.0" + } http = { version = "~> 3.0" source = "hashicorp/http" diff --git a/terraform/environments/observability-platform/providers.tf b/terraform/environments/observability-platform/providers.tf new file mode 100644 index 00000000000..2b35b159ac2 --- /dev/null +++ b/terraform/environments/observability-platform/providers.tf @@ -0,0 +1,4 @@ +provider "grafana" { + url = "https://${module.managed_grafana.workspace_endpoint}" + auth = aws_grafana_workspace_api_key.automation_key.key +} From 6a622cfc5ede66746b009b835485e6cac6ab3b61 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 14:04:48 +0000 Subject: [PATCH 060/142] Update JSON data 
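Review bot: `provider "grafana"` is configured from `aws_grafana_workspace_api_key.automation_key.key`, a resource attribute in the same root module, so Terraform cannot configure the provider until the workspace and the key exist; a fresh environment will need a targeted first apply, and the 30-day `time_rotating` replacement is likely to plan `grafana_*` resources against a key that is about to be destroyed. It also means every `grafana_*` resource transitively depends on `module.managed_grafana`, so the workspace can never reference a `grafana_*` resource without a cycle. A comment above the block would save the next person the diagnosis: `# Bootstrapped from the workspace's own ADMIN API key: first apply must target module.managed_grafana and aws_grafana_workspace_api_key.automation_key`.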
Signed-off-by: Jacob Woffenden --- .../modules/grafana/cloudwatch-source/main.tf | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf index b9a35508752..9cb794ce75d 100644 --- a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf +++ b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf @@ -8,8 +8,9 @@ resource "grafana_data_source" "this" { name = local.name json_data_encoded = jsonencode({ - defaultRegion = "eu-west-2" - authType = "ec2_iam_role" - assume_role_arn = "arn:aws:iam::${local.account_id}:role/observability-platform" + defaultRegion = "eu-west-2" + authType = "ec2_iam_role" + assumeRoleArn = "arn:aws:iam::${local.account_id}:role/observability-platform" + externalId = var.name }) } From 9b9a68a0d9585bbdec08b9e770839bb7cf499a05 Mon Sep 17 00:00:00 2001 From: koladeadewuyi-moj <136330532+koladeadewuyi-moj@users.noreply.github.com> Date: Mon, 4 Dec 2023 14:13:54 +0000 Subject: [PATCH 061/142] DPR2-209: Increase timeout for DMS load step (#4230) --- .../digital-prison-reporting/application_variables.json | 4 ++++ .../digital-prison-reporting/data_ingestion_pipeline.tf | 3 ++- terraform/environments/digital-prison-reporting/locals.tf | 1 + .../modules/step_function/variables.tf | 6 ++++++ 4 files changed, 13 insertions(+), 1 deletion(-) diff --git a/terraform/environments/digital-prison-reporting/application_variables.json b/terraform/environments/digital-prison-reporting/application_variables.json index cd77c90ec27..9e1947f8534 100644 --- a/terraform/environments/digital-prison-reporting/application_variables.json +++ b/terraform/environments/digital-prison-reporting/application_variables.json 
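Review bot: `externalId = var.name` sets the STS external ID to the tenant account name, a value that is predictable and already appears in this repository. If the `observability-platform` role in the tenant account conditions its trust policy on `sts:ExternalId` (that role is not visible here), the external ID exists to prevent a confused-deputy assumption by another party able to drive this workspace, and a guessable value gives it little effect; a per-tenant random value, e.g. a `random_id` per account surfaced into the tenant configuration, would do that job. Either way the line deserves a comment stating what the tenant side is expected to check: `# must match the sts:ExternalId condition on role/observability-platform in the tenant account`.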
@@ -88,6 +88,7 @@ "scheduled_s3_file_transfer_lambda_schedule": "cron(0 0/3 ? * * *)", "enable_step_function_notification_lambda": true, "enable_data_ingestion_step_function": true, + "dms_task_time_out": 28800, "enable_domain_builder_rds": true, "enable_domain_builder_agent": true, "enable_cloud_trail": false, @@ -260,6 +261,7 @@ "scheduled_s3_file_transfer_lambda_schedule": "cron(0 0/3 ? * * *)", "enable_step_function_notification_lambda": true, "enable_data_ingestion_step_function": true, + "dms_task_time_out": 28800, "enable_domain_builder_rds": true, "enable_domain_builder_agent": true, "enable_cloud_trail": false, @@ -432,6 +434,7 @@ "scheduled_s3_file_transfer_lambda_schedule": "cron(0 0/3 ? * * *)", "enable_step_function_notification_lambda": true, "enable_data_ingestion_step_function": true, + "dms_task_time_out": 28800, "enable_domain_builder_rds": true, "enable_domain_builder_agent": true, "enable_cloud_trail": false, @@ -606,6 +609,7 @@ "scheduled_s3_file_transfer_lambda_schedule": "cron(0 0/3 ? * * *)", "enable_step_function_notification_lambda": true, "enable_data_ingestion_step_function": true, + "dms_task_time_out": 28800, "enable_domain_builder_rds": true, "enable_domain_builder_agent": true, "enable_cloud_trail": false, diff --git a/terraform/environments/digital-prison-reporting/data_ingestion_pipeline.tf b/terraform/environments/digital-prison-reporting/data_ingestion_pipeline.tf index 6ce7bb70937..4bb3370a847 100644 --- a/terraform/environments/digital-prison-reporting/data_ingestion_pipeline.tf +++ b/terraform/environments/digital-prison-reporting/data_ingestion_pipeline.tf @@ -71,6 +71,7 @@ module "data_ingestion_pipeline" { enable_step_function = local.enable_data_ingestion_step_function step_function_name = local.data_ingestion_step_function_name + dms_task_time_out = local.dms_task_time_out additional_policies = [ "arn:aws:iam::${local.account_id}:policy/${aws_iam_policy.invoke_lambda_policy.name}", 
@@ -106,7 +107,7 @@ module "data_ingestion_pipeline" { }, "Invoke DMS State Control Lambda" : { "Type" : "Task", - "TimeoutSeconds" : 1200, + "TimeoutSeconds" : local.dms_task_time_out, "Resource" : "arn:aws:states:::lambda:invoke.waitForTaskToken", "Parameters" : { "Payload" : { diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf index b45b0f5f726..2628f4e74c7 100644 --- a/terraform/environments/digital-prison-reporting/locals.tf +++ b/terraform/environments/digital-prison-reporting/locals.tf @@ -251,6 +251,7 @@ locals { # Data Ingestion Pipeline Step Function enable_data_ingestion_step_function = local.application_data.accounts[local.environment].enable_data_ingestion_step_function data_ingestion_step_function_name = "${local.project}-data-ingestion-step-function-${local.environment}" + dms_task_time_out = local.application_data.accounts[local.environment].dms_task_time_out # Datamart create_scheduled_action_iam_role = local.application_data.accounts[local.environment].setup_scheduled_action_iam_role diff --git a/terraform/environments/digital-prison-reporting/modules/step_function/variables.tf b/terraform/environments/digital-prison-reporting/modules/step_function/variables.tf index dc123d33d2f..27e010c5fbc 100644 --- a/terraform/environments/digital-prison-reporting/modules/step_function/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/step_function/variables.tf @@ -19,6 +19,12 @@ variable "step_function_name" { type = string } +variable "dms_task_time_out" { + description = "(Optional) The duration after which the DMS load step is deemed to have failed." + default = 18000 # 5 hours + type = number +} + variable "definition" { description = "(Required) The definition of the step function" } From 280c795842a0346c9a15f3c719b89554f8ba62af Mon Sep 17 00:00:00 2001 
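Review bot: `variable "dms_task_time_out"` is declared in the step_function module and passed in from `data_ingestion_pipeline.tf`, but the only consumer in these hunks is the root-level `definition`, which reads `local.dms_task_time_out` directly; nothing shown reads `var.dms_task_time_out` inside the module (its body is outside the hunks), so the input and its `18000` default look unused, and the "5 hours" the description documents never applies while every account sets `28800` in `application_variables.json`. Either drop the module input or make the module's definition consume it. A `validation { condition = var.dms_task_time_out > 0 ... }` block would also surface a missing or malformed JSON value at plan time rather than in a failed Step Function run.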
From: Jacob Woffenden Date: Mon, 4 Dec 2023 14:18:08 +0000 Subject: [PATCH 062/142] Comment out VIEWER role Add Prometheus Signed-off-by: Jacob Woffenden --- .../observability-platform/managed-grafana.tf | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index 46b86f8bfad..3d53313393d 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf @@ -49,9 +49,10 @@ module "managed_grafana" { "ADMIN" = { "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform } - "VIEWER" = { - "group_ids" = local.all_sso_uuids - } + # Seeing a cycle issue with the below, so commenting out for now + # "VIEWER" = { + # "group_ids" = local.all_sso_uuids + # } } tags = local.tags @@ -83,6 +84,18 @@ resource "aws_grafana_workspace_api_key" "automation_key" { } } +/* Prometheus Source */ +resource "grafana_data_source" "observability_platform_prometheus" { + type = "prometheus" + name = "observability-platform-prometheus" + + is_default = true + + json_data_encoded = jsonencode({ + url = module.managed_prometheus.workspace_prometheus_endpoint + }) +} + /* CloudWatch Sources */ module "cloudwatch_sources" { for_each = { From d1e500915fae056530bc9b26751a9352589d00ae Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 14:23:10 +0000 Subject: [PATCH 063/142] Update Prometheus Signed-off-by: Jacob Woffenden --- .../observability-platform/managed-grafana.tf | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index 3d53313393d..473a9c4de59 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf 
+++ b/terraform/environments/observability-platform/managed-grafana.tf @@ -86,14 +86,10 @@ resource "aws_grafana_workspace_api_key" "automation_key" { /* Prometheus Source */ resource "grafana_data_source" "observability_platform_prometheus" { - type = "prometheus" - name = "observability-platform-prometheus" - + type = "prometheus" + name = "observability-platform-prometheus" + url = module.managed_prometheus.workspace_prometheus_endpoint is_default = true - - json_data_encoded = jsonencode({ - url = module.managed_prometheus.workspace_prometheus_endpoint - }) } /* CloudWatch Sources */ From 75a5fb0359388c427a06263258a7bb733b32dca3 Mon Sep 17 00:00:00 2001 From: Robert Sweetman Date: Mon, 4 Dec 2023 14:27:13 +0000 Subject: [PATCH 064/142] fix cafmwebx url spelling (#4231) --- terraform/environments/planetfm/locals_preproduction.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf index 64b15b0c0a6..2819577b875 100644 --- a/terraform/environments/planetfm/locals_preproduction.tf +++ b/terraform/environments/planetfm/locals_preproduction.tf @@ -248,8 +248,8 @@ locals { conditions = [{ host_header = { values = [ - "cafmtwebx.pp.planetfm.service.justice.gov.uk", - "pp-cafmtwebx.az.justice.gov.uk", + "cafmwebx.pp.planetfm.service.justice.gov.uk", + "pp-cafmwebx.az.justice.gov.uk", ] } }] @@ -269,7 +269,7 @@ locals { ] lb_alias_records = [ { name = "cafmtx", type = "A", lbs_map_key = "private" }, - { name = "cafmtwebx", type = "A", lbs_map_key = "private" }, + # { name = "cafmwebx", type = "A", lbs_map_key = "private" }, ] } } From 0c01e26d8730b1efebd3d6c4dfe002a8b2dbeb76 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 14:29:33 +0000 Subject: [PATCH 065/142] Reconcile Prometheus config 
Signed-off-by: Jacob Woffenden --- .../environments/observability-platform/managed-grafana.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index 473a9c4de59..8640b792212 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf @@ -90,6 +90,12 @@ resource "grafana_data_source" "observability_platform_prometheus" { name = "observability-platform-prometheus" url = module.managed_prometheus.workspace_prometheus_endpoint is_default = true + json_data_encoded = jsonencode({ + httpMethod = "POST" + sigV4Auth = true + sigV4AuthType = "ec2_iam_role" + sigV4Region = "eu-west-2" + }) } /* CloudWatch Sources */ From 206af9802327aa57ee4eb21fb1bd100a38659df5 Mon Sep 17 00:00:00 2001 From: Robert Sweetman Date: Mon, 4 Dec 2023 14:37:19 +0000 Subject: [PATCH 066/142] fix naming of lb_alias_records (#4232) --- terraform/environments/planetfm/locals_preproduction.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf index 2819577b875..559b2cd9f6e 100644 --- a/terraform/environments/planetfm/locals_preproduction.tf +++ b/terraform/environments/planetfm/locals_preproduction.tf @@ -269,7 +269,7 @@ locals { ] lb_alias_records = [ { name = "cafmtx", type = "A", lbs_map_key = "private" }, - # { name = "cafmwebx", type = "A", lbs_map_key = "private" }, + { name = "cafmwebx", type = "A", lbs_map_key = "private" }, ] } } From 05b385b0f45f7e3c4955cdd98e680bb68df58268 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 14:40:59 +0000 Subject: [PATCH 067/142] Add Prometheus IAM role 
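Review bot: `sigV4Auth = true` with `sigV4AuthType = "ec2_iam_role"` makes the data source sign queries with the Grafana workspace's IAM role, and the policies attached to that role are not part of this hunk; unless the workspace role already carries `aps:QueryMetrics`, `aps:GetSeries`, `aps:GetLabels` and `aps:GetMetricMetadata` on `module.managed_prometheus.workspace_arn`, queries through this default source will be rejected. A dedicated policy scoped to the workspace ARN is the right shape rather than widening an existing CloudWatch policy. A comment on `sigV4AuthType` such as `# queries are signed with the Grafana workspace IAM role; it needs aps:Query* on the AMP workspace` would make that coupling visible.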
Signed-off-by: Jacob Woffenden --- .../observability-platform/managed-grafana.tf | 10 +---- .../managed-prometheus.tf | 23 ++++++++++++ .../modules/grafana/cloudwatch-source/main.tf | 5 +-- .../grafana/cloudwatch-source/variables.tf | 6 +-- .../modules/prometheus/iam-role/main.tf | 37 +++++++++++++++++++ .../modules/prometheus/iam-role/variables.tf | 11 ++++++ 6 files changed, 77 insertions(+), 15 deletions(-) create mode 100644 terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf create mode 100644 terraform/environments/observability-platform/modules/prometheus/iam-role/variables.tf diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index 8640b792212..2bc521d2261 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf @@ -10,12 +10,6 @@ locals { lookup(tenant_config, "cloudwatch_accounts", []) ] ])) - - all_prometheus_accounts = distinct(flatten([ - for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ - lookup(tenant_config, "prometheus_accounts", []) - ] - ])) } module "managed_grafana" { @@ -108,6 +102,6 @@ module "cloudwatch_sources" { source = "./modules/grafana/cloudwatch-source" - name = each.key - environment_management = local.environment_management + name = each.key + account_id = local.environment_management.account_ids[each.key] } diff --git a/terraform/environments/observability-platform/managed-prometheus.tf b/terraform/environments/observability-platform/managed-prometheus.tf index 0846f1dcd23..2f741e7a4bb 100644 --- a/terraform/environments/observability-platform/managed-prometheus.tf +++ b/terraform/environments/observability-platform/managed-prometheus.tf 
@@ -1,3 +1,11 @@ +locals { + all_prometheus_accounts = distinct(flatten([ + for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ + lookup(tenant_config, "prometheus_accounts", []) + ] + ])) +} + module "managed_prometheus" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions source = "terraform-aws-modules/managed-service-prometheus/aws" @@ -7,3 +15,18 @@ module "managed_prometheus" { tags = local.tags } + +/* Prometheus Roles */ +module "prometheus_roles" { + for_each = { + for account in local.all_prometheus_accounts : account => { + account_id = account + } + } + + source = "./modules/prometheus/iam-role" + + name = each.key + account_id = local.environment_management.account_ids[each.key] + prometheus_workspace_arn = module.managed_prometheus.workspace_arn +} diff --git a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf index 9cb794ce75d..c5c87508554 100644 --- a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf +++ b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/main.tf @@ -1,6 +1,5 @@ locals { - name = "${var.name}-cloudwatch" - account_id = var.environment_management.account_ids[var.name] + name = "${var.name}-cloudwatch" } resource "grafana_data_source" "this" { @@ -10,7 +9,7 @@ resource "grafana_data_source" "this" { json_data_encoded = jsonencode({ defaultRegion = "eu-west-2" authType = "ec2_iam_role" - assumeRoleArn = "arn:aws:iam::${local.account_id}:role/observability-platform" + assumeRoleArn = "arn:aws:iam::${var.account_id}:role/observability-platform" externalId = var.name }) } 
diff --git a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/variables.tf b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/variables.tf index 64243b46a0c..c56ba4901b8 100644 --- a/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/variables.tf +++ b/terraform/environments/observability-platform/modules/grafana/cloudwatch-source/variables.tf @@ -2,8 +2,6 @@ variable "name" { type = string } -variable "environment_management" { - type = object({ - account_ids = map(string) - }) +variable "account_id" { + type = string } diff --git a/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf b/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf new file mode 100644 index 00000000000..dbb6fedc3e3 --- /dev/null +++ b/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf @@ -0,0 +1,37 @@ +data "aws_iam_policy_document" "aps" { + statement { + sid = "AllowRemoteWrite" + effect = "Allow" + actions = [ + "aps:RemoteWrite", + "aps:GetSeries", + "aps:GetLabels", + "aps:GetMetricMetadata" + ] + resources = [var.prometheus_workspace_arn] + } +} + +module "iam_policy" { + #checkov:skip=CKV_TF_1:Module is from Terraform registry + + source = "terraform-aws-modules/iam/aws//modules/iam-policy" + version = "~> 5.0" + + name_prefix = "${var.name}-prometheus" + + policy = data.aws_iam_policy_document.aps.json +} + +module "iam_role" { + #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions + + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "~> 5.0" + + create_role = true + role_name = "${var.name}-prometheus" + trusted_role_arns = ["arn:aws:iam::${var.account_id}:root"] + custom_role_policy_arns = [module.iam_policy.arn] + role_requires_mfa = false +} 
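Review bot: `trusted_role_arns = ["arn:aws:iam::${var.account_id}:root"]` lets any principal in the tenant account that is permitted `sts:AssumeRole` take a role with `aps:RemoteWrite` on the shared Prometheus workspace, and `role_requires_mfa = false` adds no further condition; with all tenants writing into one workspace, a compromised workload in one account can write or overwrite series that other tenants' dashboards and alerts read. Narrowing the trust to the specific writer principals (or at least a condition on the assuming principal) limits that blast radius. The statement's `sid` is `AllowRemoteWrite` but it also grants `aps:GetSeries`, `aps:GetLabels` and `aps:GetMetricMetadata`; a remote-write role does not need read actions, so split them into a separate statement or drop them.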
diff --git a/terraform/environments/observability-platform/modules/prometheus/iam-role/variables.tf b/terraform/environments/observability-platform/modules/prometheus/iam-role/variables.tf
new file mode 100644
index 00000000000..1b5d96f63d3
--- /dev/null
+++ b/terraform/environments/observability-platform/modules/prometheus/iam-role/variables.tf
@@ -0,0 +1,11 @@
+variable "name" {
+ type = string
+}
+
+variable "account_id" {
+ type = string
+}
+
+variable "prometheus_workspace_arn" {
+ type = string
+}
From d2c7c3d6607939540a40663a4a3436d8089927d5 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Mon, 4 Dec 2023 14:50:10 +0000
Subject: [PATCH 068/142] Add team and folder
Signed-off-by: Jacob Woffenden
---
 .../observability-platform/managed-grafana.tf | 13 +++++++++++++
 .../modules/grafana/tenant-rbac/main.tf | 18 ++++++++++++++++++
 .../modules/grafana/tenant-rbac/providers.tf | 8 ++++++++
 .../modules/grafana/tenant-rbac/variables.tf | 11 +++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf
 create mode 100644 terraform/environments/observability-platform/modules/grafana/tenant-rbac/providers.tf
 create mode 100644 terraform/environments/observability-platform/modules/grafana/tenant-rbac/variables.tf
diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf
index 2bc521d2261..85450255fa3 100644
--- a/terraform/environments/observability-platform/managed-grafana.tf
+++ b/terraform/environments/observability-platform/managed-grafana.tf
@@ -105,3 +105,16 @@ module "cloudwatch_sources" { name = each.key account_id = local.environment_management.account_ids[each.key] } + +/* Tenant RBAC */ +module "tenant_rbac" { + for_each = local.environment_configuration.observability_platform_configuration + + source = "./modules/grafana/tenant-rbac" + + name = each.key + sso_uuid = each.value.sso_uuid + cloudwatch_accounts = each.value.cloudwatch_accounts + + depends_on = [module.cloudwatch_sources] +} diff --git a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf new file mode 100644 index 00000000000..20e6fc7f0e7 --- /dev/null +++ b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf @@ -0,0 +1,18 @@ +resource "grafana_team" "this" { + name = var.name + team_sync { + groups = [var.sso_uuid] + } +} + +resource "grafana_folder" "this" { + title = var.name +} + +resource "grafana_folder_permission" "this" { + folder_uid = grafana_folder.this.uid + permissions { + team_id = grafana_team.this.id + permission = "Admin" + } +} diff --git a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/providers.tf b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/providers.tf new file mode 100644 index 00000000000..488291d9cc0 --- /dev/null +++ b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/providers.tf @@ -0,0 +1,8 @@ +terraform { + required_providers { + grafana = { + source = "grafana/grafana" + version = "~> 2.0" + } + } +} diff --git a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/variables.tf b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/variables.tf new file mode 100644 index 00000000000..d3e861b2278 --- /dev/null +++ b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/variables.tf 
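Review bot: `permission = "Admin"` on the tenant folder lets every member of the synced team change the folder's own permission list, not just its dashboards; if tenants are meant to own their dashboards but not re-share them with other teams, `Edit` is the narrower fit. `var.cloudwatch_accounts` is declared and passed in but nothing in this `main.tf` hunk reads it yet, and `depends_on = [module.cloudwatch_sources]` on the caller has no stated reason; if it is there so that data sources exist before the module looks them up, a comment such as `# data sources must exist before this module can reference them by name` would keep the ordering from being removed later.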
@@ -0,0 +1,11 @@
+variable "name" {
+ type = string
+}
+
+variable "sso_uuid" {
+ type = string
+}
+
+variable "cloudwatch_accounts" {
+ type = list(string)
+}
From 2c3acdb4308bc635130b332ebb3543a2ffd3cce3 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 14:57:15 +0000 Subject: [PATCH 069/142] Add data source permissions Signed-off-by: Jacob Woffenden
--- .../modules/grafana/tenant-rbac/main.tf | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf
index 20e6fc7f0e7..94a2c0c234b 100644
--- a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf
+++ b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf
@@ -16,3 +16,20 @@ resource "grafana_folder_permission" "this" {
 permission = "Admin"
 }
 }
+
+data "grafana_data_source" "this" {
+ for_each = toset(var.cloudwatch_accounts)
+
+ name = "${each.key}-cloudwatch"
+}
+
+resource "grafana_data_source_permission" "this" {
+ for_each = toset(var.cloudwatch_accounts)
+
+ datasource_id = data.grafana_data_source.this[each.key].id
+
+ permissions {
+ team_id = grafana_team.this.id
+ permission = "Query"
+ }
+}
From 8295bb51d041ab0b159d3ab49a43d66e2e5e34d4 Mon Sep 17 00:00:00 2001 From: koladeadewuyi-moj <136330532+koladeadewuyi-moj@users.noreply.github.com> Date: Mon, 4 Dec 2023 15:11:06 +0000 Subject: [PATCH 070/142] DPR2-245: Create schema registry bucket (#4224)
--- .../digital-prison-reporting/main.tf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/terraform/environments/digital-prison-reporting/main.tf b/terraform/environments/digital-prison-reporting/main.tf
index ee254359582..a53250f2e51 100644
--- a/terraform/environments/digital-prison-reporting/main.tf
+++ b/terraform/environments/digital-prison-reporting/main.tf
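Review bot: `data.grafana_data_source.this` in the `main.tf` hunk finds each tenant's data source purely by the naming convention `"${each.key}-cloudwatch"`, so the link between an entry in `var.cloudwatch_accounts` and the data source provisioned for it lives in two places and breaks at plan time (or, worse, binds to the wrong source) if either side renames; a comment naming the producer, e.g. `# name must match the per-account data source created by module.cloudwatch_sources in the root module`, makes the coupling explicit — the producer itself is not visible here, so confirm the name. `grafana_data_source_permission.this` manages the full permission set for the data source, so granting the tenant team `Query` simultaneously removes the default org-role access, which is what keeps one tenant from querying another tenant's accounts; worth a one-line comment so that restriction is not later read as incidental.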
@@ -491,6 +491,24 @@ module "s3_domain_bucket" {
 )
 }
+# Schema Registry Bucket
+module "s3_schema_registry_bucket" {
+ source = "./modules/s3_bucket"
+ create_s3 = local.setup_buckets
+ name = "${local.project}-schema-registry-${local.env}"
+ custom_kms_key = local.s3_kms_arn
+ create_notification_queue = false # For SQS Queue
+ enable_lifecycle = true
+
+ tags = merge(
+ local.all_tags,
+ {
+ Name = "${local.project}-schema-registry-${local.env}"
+ Resource_Type = "S3 Bucket"
+ }
+ )
+}
+
 # Data Domain Configuration Bucket
 module "s3_domain_config_bucket" {
 source = "./modules/s3_bucket"
From 7f50fd85a3582ee381bab049e77fa0db12ba1a87 Mon Sep 17 00:00:00 2001 From: wullub Date: Mon, 4 Dec 2023 15:17:06 +0000 Subject: [PATCH 071/142] Update locals_test.tf
--- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index e091a30a88a..29ec812d682 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
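Review bot: The bucket name expression `"${local.project}-schema-registry-${local.env}"` is written twice in `module "s3_schema_registry_bucket"`, once for `name` and once for the `Name` tag, so the two can drift; a single local (or deriving the tag from the module's output) keeps them aligned. Nothing in this hunk says whether versioning, a public-access block or a bucket policy is applied — that is presumably inside `./modules/s3_bucket` — so a comment on the call noting which of those the module enforces by default would let a reviewer check the schema-registry bucket without opening the module.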
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From a58ecf690f7e681c84e50ca393bb9c4cec61154b Mon Sep 17 00:00:00 2001 
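Review bot: The `t1-${local.application_name}-bip-b` definition is toggled by commenting the whole block out here, and the same 25 lines flip back and forth again in the hunks of patches 072, 076 and 077; each flip presumably destroys or recreates the instance on apply, and the file accumulates a commented block that `terraform fmt` and linters never look at. Keying the entry on a boolean local (e.g. building this map with a `for` expression that includes the entry only when an `enable_t1_bip_b` flag is true) would make the intent reviewable and leave a single live definition. The cloud-init override also pins `branch = "oasys/bip-build-improvement2"`, so the instance takes its configuration from a feature branch; if the block is meant to stay, that line should carry a comment with the ticket or expected merge date. The enclosing `locals` block starts before and continues after the hunk.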
From: wullub Date: Mon, 4 Dec 2023 15:24:06 +0000 Subject: [PATCH 072/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 61b47d7ba99b91b65df92987139fe9d38a5d0545 Mon Sep 17 00:00:00 2001 
From: Robert Sweetman Date: Mon, 4 Dec 2023 15:44:44 +0000 Subject: [PATCH 073/142] Csr/dsos 2427/csr network load balancer (#4233) * prod NLB * fix naming * formatting * correct record value --- .../locals_production.tf | 513 ++++++++++++++++++ 1 file changed, 513 insertions(+) diff --git a/terraform/environments/corporate-staff-rostering/locals_production.tf b/terraform/environments/corporate-staff-rostering/locals_production.tf index a143bd8a552..7802a1f3a98 100644 --- a/terraform/environments/corporate-staff-rostering/locals_production.tf +++ b/terraform/environments/corporate-staff-rostering/locals_production.tf 
@@ -511,9 +511,514 @@ locals { create_external_record = true } }) + } + baseline_lbs = { + r12 = { + internal_lb = true + enable_delete_protection = false + load_balancer_type = "network" + force_destroy_bucket = true + subnets = [ + module.environment.subnet["private"]["eu-west-2a"].id, + module.environment.subnet["private"]["eu-west-2b"].id, + ] + security_groups = ["load-balancer"] + access_logs = false + enable_cross_zone_load_balancing = true + + instance_target_groups = { + pd-csr-w-12-80 = { + port = 80 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + port = 80 + protocol = "TCP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-1-a" }, + { ec2_instance_name = "pd-csr-w-2-b" }, + ] + } + pd-csr-w-12-7770 = { + port = 7770 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/isps/index.html" + port = 7770 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-1-a" }, + { ec2_instance_name = "pd-csr-w-2-b" }, + ] + } + pd-csr-w-12-7771 = { + port = 7771 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/isps/index.html" + port = 7771 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-1-a" }, + { ec2_instance_name = "pd-csr-w-2-b" }, + ] + } + pd-csr-w-12-7780 = { + port = 7780 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/" + port = 7770 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = 
"pd-csr-w-1-a" }, + { ec2_instance_name = "pd-csr-w-2-b" }, + ] + } + pd-csr-w-12-7781 = { + port = 7781 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/" + port = 7771 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-1-a" }, + { ec2_instance_name = "pd-csr-w-2-b" }, + ] + } + } + listeners = { + http = { + port = 80 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-12-80" + } + } + http-7770 = { + port = 7770 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-12-7770" + } + } + http-7771 = { + port = 7771 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-12-7771" + } + } + http-7780 = { + port = 7780 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-12-7780" + } + } + http-7781 = { + port = 7781 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-12-7781" + } + } + } + } + r34 = { + internal_lb = true + enable_delete_protection = false + load_balancer_type = "network" + force_destroy_bucket = true + subnets = [ + module.environment.subnet["private"]["eu-west-2a"].id, + module.environment.subnet["private"]["eu-west-2b"].id, + ] + security_groups = ["load-balancer"] + access_logs = false + enable_cross_zone_load_balancing = true + instance_target_groups = { + pd-csr-w-34-80 = { + port = 80 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + port = 80 + protocol = "TCP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-3-a" }, + { ec2_instance_name = "pd-csr-w-4-b" }, + ] + } + pd-csr-w-34-7770 = { + port = 7770 + protocol = "TCP" + 
health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/isps/index.html" + port = 7770 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-3-a" }, + { ec2_instance_name = "pd-csr-w-4-b" }, + ] + } + pd-csr-w-34-7771 = { + port = 7771 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/isps/index.html" + port = 7771 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-3-a" }, + { ec2_instance_name = "pd-csr-w-4-b" }, + ] + } + pd-csr-w-34-7780 = { + port = 7780 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/" + port = 7770 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-3-a" }, + { ec2_instance_name = "pd-csr-w-4-b" }, + ] + } + pd-csr-w-34-7781 = { + port = 7781 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/" + port = 7771 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-3-a" }, + { ec2_instance_name = "pd-csr-w-4-b" }, + ] + } + } + + listeners = { + http = { + port = 80 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-34-80" + } + } + http-7770 = { + port = 7770 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-34-7770" + } + } + http-7771 = { + port = 7771 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-34-7771" + } + } + http-7780 = { + port = 7780 + 
protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-34-7780" + } + } + http-7781 = { + port = 7781 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-34-7781" + } + } + } + } + r56 = { + internal_lb = true + enable_delete_protection = false + load_balancer_type = "network" + force_destroy_bucket = true + subnets = [ + module.environment.subnet["private"]["eu-west-2a"].id, + module.environment.subnet["private"]["eu-west-2b"].id, + ] + security_groups = ["load-balancer"] + access_logs = false + enable_cross_zone_load_balancing = true + + instance_target_groups = { + pd-csr-w-56-80 = { + port = 80 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + port = 80 + protocol = "TCP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-5-a" }, + { ec2_instance_name = "pd-csr-w-6-b" }, + ] + } + pd-csr-w-56-7770 = { + port = 7770 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/isps/index.html" + port = 7770 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-5-a" }, + { ec2_instance_name = "pd-csr-w-6-b" }, + ] + } + pd-csr-w-56-7771 = { + port = 7771 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/isps/index.html" + port = 7771 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-5-a" }, + { ec2_instance_name = "pd-csr-w-6-b" }, + ] + } + pd-csr-w-56-7780 = { + port = 7780 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/" + port = 7770 + protocol = 
"HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-5-a" }, + { ec2_instance_name = "pd-csr-w-6-b" }, + ] + } + pd-csr-w-56-7781 = { + port = 7781 + protocol = "TCP" + health_check = { + enabled = true + interval = 5 + healthy_threshold = 3 + path = "/" + port = 7771 + protocol = "HTTP" + timeout = 4 + unhealthy_threshold = 2 + } + stickiness = { + enabled = true + type = "source_ip" + } + attachments = [ + { ec2_instance_name = "pd-csr-w-5-a" }, + { ec2_instance_name = "pd-csr-w-6-b" }, + ] + } + } + + listeners = { + http = { + port = 80 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-56-80" + } + } + http-7770 = { + port = 7770 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-56-7770" + } + } + http-7771 = { + port = 7771 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-56-7771" + } + } + http-7780 = { + port = 7780 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-56-7780" + } + } + http-7781 = { + port = 7781 + protocol = "TCP" + default_action = { + type = "forward" + target_group_name = "pd-csr-w-56-7781" + } + } + } + } } + baseline_route53_zones = { "csr.service.justice.gov.uk" = { @@ -524,6 +1029,14 @@ locals { { name = "traina", type = "CNAME", ttl = "300", records = ["traina.pp.csr.service.justice.gov.uk"] }, { name = "trainb", type = "CNAME", ttl = "300", records = ["trainb.pp.csr.service.justice.gov.uk"] }, ] + # lb_alias_records = [ + # { name = "r1", type = "A", lbs_map_key = "r12" }, + # { name = "r2", type = "A", lbs_map_key = "r12" }, + # { name = "r3", type = "A", lbs_map_key = "r34" }, + # { name = "r4", type = "A", lbs_map_key = "r34" }, + # { name = "r5", type = "A", lbs_map_key = "r56" }, + # { name = "r6", type = "A", lbs_map_key = "r56" }, + #] } } } 
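Review bot: All three production network load balancers (`r12`, `r34`, `r56`) set `enable_delete_protection = false`, `access_logs = false` and `force_destroy_bucket = true`, so a mistaken apply can remove a production entry point without a guard and there is no connection log to reconstruct what reached the workers; for production I would flip the first two and drop the third if the log bucket is unused. The `pd-csr-w-*-7780` and `-7781` target groups forward to 7780/7781 but health-check `port = 7770` / `7771`, so an outage confined to the forwarded port is not detected by the health check — if that is intentional, a comment such as `# 7780 is served by the same process as 7770; health is checked on 7770` stops the next reader from "fixing" it. The three definitions differ only in the instance pair and the `pd-csr-w-NN-` prefix, so a `for` expression over a small map like `{ r12 = ["pd-csr-w-1-a", "pd-csr-w-2-b"], … }` would cut roughly 500 lines to a fraction and remove the copy-paste risk above. The enclosing `locals` block starts before and continues after the hunk.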
From 45ddca60901e82f12e7b54dd78cb1d31f08cef00 Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Mon, 4 Dec 2023 16:21:42 +0000 Subject: [PATCH 074/142] CC-2235: Added snapshot_id to aws_ebs_volume.backup
--- .../environments/ccms-ebs-upgrade/application_variables.json | 3 ++- terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 1 + 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json
index 73e55f5b39d..2ace114a1a3 100644
--- a/terraform/environments/ccms-ebs-upgrade/application_variables.json
+++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json
@@ -91,7 +91,8 @@
 "ebs_size_ebsconc_u03": 200,
 "ebs_size_ebsconc_home": 100,
 "ebs_size_ebsconc_stage": 100,
- "ebs_size_ebsconc_temp": 100
+ "ebs_size_ebsconc_temp": 100,
+ "ebs_backup_snapshot_id": "snap-0cdfe4b46c1e34ebb"
 }
 },
 "webgate_ebs": {
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
index 877295fcab4..53f58b24ef5 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
@@ -179,6 +179,7 @@ resource "aws_ebs_volume" "backup" {
 availability_zone = "eu-west-2a"
 size = local.application_data.accounts[local.environment].ebs_size_ebsdb_backup
 type = local.application_data.accounts[local.environment].ebs_type_ebsdb_backup
+ snapshot_id = local.application_data.accounts[local.environment].ebs_backup_snapshot_id
 iops = 3000
 encrypted = true
 kms_key_id = data.aws_kms_key.ebs_shared.key_id
From 6725e6e12cb06d7fd9560da8ca1bafacb2910ec4 Mon Sep 17 00:00:00 2001
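Review bot: `snapshot_id` on `aws_ebs_volume.backup` is a create-time argument that forces replacement, so this one-line addition plans a destroy-and-recreate of the existing volume and its current contents are gone unless they were snapshotted first — on a resource named `backup` that deserves an explicit call-out in the commit and a `lifecycle { prevent_destroy = true }` decision before apply. The JSON hunk adds `ebs_backup_snapshot_id` to a single account block; if other account blocks exist in that file, their `local.application_data.accounts[local.environment].ebs_backup_snapshot_id` lookup fails at plan time, which `snapshot_id = try(local.application_data.accounts[local.environment].ebs_backup_snapshot_id, null)` avoids. Worth confirming too that the snapshot is encrypted under, or can be re-encrypted to, `data.aws_kms_key.ebs_shared`, since `encrypted = true` and an explicit `kms_key_id` sit right next to the new line. The enclosing resource block starts before the hunk.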
From: Robert Sweetman Date: Mon, 4 Dec 2023 16:24:58 +0000 Subject: [PATCH 075/142] add lb_alias_records (#4235)
--- .../locals_production.tf | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/terraform/environments/corporate-staff-rostering/locals_production.tf b/terraform/environments/corporate-staff-rostering/locals_production.tf
index 7802a1f3a98..afa823f02f9 100644
--- a/terraform/environments/corporate-staff-rostering/locals_production.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_production.tf
@@ -1029,14 +1029,14 @@ locals {
 { name = "traina", type = "CNAME", ttl = "300", records = ["traina.pp.csr.service.justice.gov.uk"] },
 { name = "trainb", type = "CNAME", ttl = "300", records = ["trainb.pp.csr.service.justice.gov.uk"] },
 ]
- # lb_alias_records = [
- # { name = "r1", type = "A", lbs_map_key = "r12" },
- # { name = "r2", type = "A", lbs_map_key = "r12" },
- # { name = "r3", type = "A", lbs_map_key = "r34" },
- # { name = "r4", type = "A", lbs_map_key = "r34" },
- # { name = "r5", type = "A", lbs_map_key = "r56" },
- # { name = "r6", type = "A", lbs_map_key = "r56" },
- #]
+ lb_alias_records = [
+ { name = "r1", type = "A", lbs_map_key = "r12" },
+ { name = "r2", type = "A", lbs_map_key = "r12" },
+ { name = "r3", type = "A", lbs_map_key = "r34" },
+ { name = "r4", type = "A", lbs_map_key = "r34" },
+ { name = "r5", type = "A", lbs_map_key = "r56" },
+ { name = "r6", type = "A", lbs_map_key = "r56" },
+ ]
 }
 }
 }
From 305fa072163c55c978a4d6c5bdfaadff7a3f2575 Mon Sep 17 00:00:00 2001 From: wullub Date: Mon, 4 Dec 2023 16:34:40 +0000 Subject: [PATCH 076/142] Update locals_test.tf
--- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index e091a30a88a..29ec812d682 100644
--- a/terraform/environments/oasys/locals_test.tf
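Review bot: The six alias records `r1`–`r6` are added to the `csr.service.justice.gov.uk` zone, and the load balancers they resolve to (`r12`, `r34`, `r56`) are declared `internal_lb = true` in the previous commit's hunk; if that hosted zone is public, the records will answer from the internet with the NLBs' private addresses, publishing internal topology for no benefit. If the zone is private, or a public zone is deliberate, a one-line comment beside `lb_alias_records` stating which would settle it for the next reviewer. The enclosing zone map and `locals` block start before the hunk.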
+++ b/terraform/environments/oasys/locals_test.tf @@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { 
From c576d274c0eaac3980069778fda1f44e95a9bac1 Mon Sep 17 00:00:00 2001 From: wullub Date: Mon, 4 Dec 2023 16:41:49 +0000 Subject: [PATCH 077/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From a94d8613b4f4636e7a79c5bc7d3204de4ed197ae Mon Sep 17 00:00:00 2001 
From: Jacob Woffenden Date: Mon, 4 Dec 2023 16:45:47 +0000 Subject: [PATCH 078/142] Add VIEWER association Remove data source RBAC Signed-off-by: Jacob Woffenden
--- .../environments/observability-platform/managed-grafana.tf | 7 +++---- .../modules/grafana/tenant-rbac/main.tf | 4 ++++ 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf
index 85450255fa3..d1546bb9529 100644
--- a/terraform/environments/observability-platform/managed-grafana.tf
+++ b/terraform/environments/observability-platform/managed-grafana.tf
@@ -43,10 +43,9 @@ module "managed_grafana" {
 "ADMIN" = {
 "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform
 }
- # Seeing a cycle issue with the below, so commenting out for now
- # "VIEWER" = {
- # "group_ids" = local.all_sso_uuids
- # }
+ "VIEWER" = {
+ "group_ids" = local.all_sso_uuids
+ }
 }
 tags = local.tags
diff --git a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf
index 94a2c0c234b..6444566882d 100644
--- a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf
+++ b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf
@@ -17,6 +17,9 @@ resource "grafana_folder_permission" "this" {
 }
 }
+/* Commenting out as the following code isn't working as expected.
+ I've created a ticket with Grafana Labs
+
 data "grafana_data_source" "this" {
 for_each = toset(var.cloudwatch_accounts)
@@ -33,3 +36,4 @@ resource "grafana_data_source_permission" "this" {
 permission = "Query"
 }
 }
+*/
From 7c82e50e52a29d9df3a0d11674bc4031d6389278 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 16:50:07 +0000 Subject: [PATCH 079/142] Update data-platform SSO UUID
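Review bot: Taken together these hunks weaken tenant isolation: the `managed-grafana.tf` hunk gives every group in `local.all_sso_uuids` the org-wide `VIEWER` role, while the tenant-rbac `main.tf` hunks comment out `grafana_data_source_permission`, so nothing visible now restricts which team may query which `*-cloudwatch` data source. Unless data-source permissions are applied elsewhere, any Viewer can therefore query another tenant's CloudWatch accounts through the query API even though folder permissions still hide the dashboards; that trade-off should be stated where the code is disabled, e.g. `/* Data source RBAC disabled: every Viewer can query every tenant data source until <ticket-id> is resolved`, with the Grafana Labs ticket reference filled in rather than "I've created a ticket". A `/* … */` block that swallows two resources is also easy to miss in review; keeping the resources and adding `count = 0` (or a module variable) would make the disablement show up in `terraform plan` output and in the diff.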
Signed-off-by: Jacob Woffenden
--- .../observability-platform/environment-configurations.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf
index ef8c32765be..271eee840e9 100644
--- a/terraform/environments/observability-platform/environment-configurations.tf
+++ b/terraform/environments/observability-platform/environment-configurations.tf
@@ -4,7 +4,7 @@ locals {
 development = {
 observability_platform_configuration = {
 "data-platform" = {
- sso_uuid = "16a2d234-1031-70b5-2657-7f744c55e48f"
+ sso_uuid = "a68242b4-b0a1-7085-25f4-dc60e4c122c0"
 cloudwatch_accounts = [
 "data-platform-development",
 "data-platform-test",
From 54c5160e99141af449c928776378ce07d322dc12 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 17:21:00 +0000 Subject: [PATCH 080/142] Add production configuration Signed-off-by: Jacob Woffenden
--- .../environment-configurations.tf | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf
index 271eee840e9..9bde1a09d95 100644
--- a/terraform/environments/observability-platform/environment-configurations.tf
+++ b/terraform/environments/observability-platform/environment-configurations.tf
@@ -24,13 +24,19 @@ locals {
 ]
 data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
 }
- test = {
- data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
- }
- preproduction = {
- data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"]
- }
 production = {
+ observability_platform_configuration = {
+ "data-platform" = {
+ sso_uuid = "a68242b4-b0a1-7085-25f4-dc60e4c122c0"
+ cloudwatch_accounts = [
+ "data-platform-production",
+ "data-platform-apps-and-tools-production"
+ ]
+ prometheus_accounts = [
+ "data-platform-apps-and-tools-production"
+ ]
+ }
+ }
 source_accounts = [
 local.environment_management.account_ids["data-platform-production"],
 local.environment_management.account_ids["data-platform-apps-and-tools-production"]
From 0c1dd14def6b478d442cdda578ace58041ec1037 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 18:02:05 +0000 Subject: [PATCH 081/142] Removed unused JSON file Removed old logic for source_accounts Squashed locals Moved legacy resources to new home before we yeet them Signed-off-by: Jacob Woffenden
--- .../observability-platform/X-DELETEME.tf | 43 +++++++++++++++++++ .../application_variables.json | 16 ------- .../environment-configurations.tf | 11 ----- .../observability-platform/iam-policies.tf | 35 +++------------ .../observability-platform/iam-roles.tf | 13 ------ .../observability-platform/locals.tf | 19 ++++++++ .../observability-platform/managed-grafana.tf | 14 ------ .../managed-prometheus.tf | 8 ---- 8 files changed, 68 insertions(+), 91 deletions(-) create mode 100644 terraform/environments/observability-platform/X-DELETEME.tf delete mode 100644 terraform/environments/observability-platform/application_variables.json delete mode 100644 terraform/environments/observability-platform/iam-roles.tf
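Review bot: The `test` and `preproduction` keys are removed from the environment map, so if a workspace for either environment still exists, whatever indexes this map by `local.environment` (presumably `local.environment_configuration`) now fails at plan time with a missing-key error instead of degrading gracefully. If those environments are intentionally unsupported, say so in a comment above `production = {`, e.g. `# only development and production are deployed; other workspaces must not run this root module`, or give the indexing site a `try()`/`lookup()` default. The same `sso_uuid` value is now repeated for development and production; if it is meant to be identical, hoisting it into a single local avoids the two drifting. The enclosing `locals` block starts before and continues after the hunk.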
diff --git a/terraform/environments/observability-platform/X-DELETEME.tf b/terraform/environments/observability-platform/X-DELETEME.tf new file mode 100644
index 00000000000..359dc0d4893
--- /dev/null
+++ b/terraform/environments/observability-platform/X-DELETEME.tf
@@ -0,0 +1,43 @@
+/*
+ This code has been replaced by module.prometheus_roles
+ However first we need to update DPAT EKS to use the new format for the prometheus roles
+*/
+data "aws_iam_policy_document" "amazon_managed_prometheus" {
+ statement {
+ sid = "AllowRemoteWrite"
+ effect = "Allow"
+ actions = [
+ "aps:RemoteWrite",
+ "aps:GetSeries",
+ "aps:GetLabels",
+ "aps:GetMetricMetadata"
+ ]
+ resources = [module.managed_prometheus.workspace_arn]
+ }
+}
+
+module "amazon_managed_prometheus_iam_policy" {
+ #checkov:skip=CKV_TF_1:Module is from Terraform registry
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-policy"
+ version = "~> 5.0"
+
+ name_prefix = "amazon-managed-prometheus"
+
+ policy = data.aws_iam_policy_document.amazon_managed_prometheus.json
+}
+
+module "data_platform_apps_tools_iam_role" {
+ #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
+
+ source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
+ version = "~> 5.0"
+
+ create_role = true
+ role_name = "data-platform-apps-and-tools"
+ trusted_role_arns = ["arn:aws:iam::${local.environment_configuration.data_platform_apps_tools_account_id}:root"]
+ custom_role_policy_arns = [module.amazon_managed_prometheus_iam_policy.arn]
+ role_requires_mfa = false
+
+ tags = local.tags
+}
diff --git a/terraform/environments/observability-platform/application_variables.json b/terraform/environments/observability-platform/application_variables.json deleted file mode 100644
index 6b52bfe9b30..00000000000
--- a/terraform/environments/observability-platform/application_variables.json
+++ /dev/null
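Review bot: `module "data_platform_apps_tools_iam_role"` trusts `arn:aws:iam::…:root` of the apps-and-tools account with `role_requires_mfa = false`, so any principal in that account whose own policy allows `sts:AssumeRole` gets `aps:RemoteWrite` and the `aps:Get*` reads on the workspace; that is carried over from the deleted `iam-roles.tf` rather than introduced here, but since this is the copy being kept, the header should say what is expected to narrow it (a specific role ARN or a `Condition`) and when it goes. The file name `X-DELETEME.tf` carries no owner, ticket or date, so I would extend the header comment to `TODO(<ticket-id>): remove once DPAT EKS consumes module.prometheus_roles; trust is account-root scoped until then`. The statement `sid = "AllowRemoteWrite"` also grants three read actions, so either the sid or the action list is misleading; renaming it to something like `AllowRemoteWriteAndRead` costs nothing.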
@@ -1,16 +0,0 @@ -{ - "accounts": { - "development": { - "example_var": "dev-data" - }, - "test": { - "example_var": "test-data" - }, - "preproduction": { - "example_var": "preproduction-data" - }, - "production": { - "example_var": "production-data" - } - } -} diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf index 9bde1a09d95..578f205ade7 100644 --- a/terraform/environments/observability-platform/environment-configurations.tf +++ b/terraform/environments/observability-platform/environment-configurations.tf @@ -16,12 +16,6 @@ locals { ] } } - source_accounts = [ - local.environment_management.account_ids["data-platform-apps-and-tools-development"], - local.environment_management.account_ids["data-platform-development"], - local.environment_management.account_ids["data-platform-test"], - local.environment_management.account_ids["data-platform-preproduction"] - ] data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"] } production = { @@ -37,12 +31,7 @@ locals { ] } } - source_accounts = [ - local.environment_management.account_ids["data-platform-production"], - local.environment_management.account_ids["data-platform-apps-and-tools-production"] - ] data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-production"] } } } - diff --git a/terraform/environments/observability-platform/iam-policies.tf b/terraform/environments/observability-platform/iam-policies.tf index fe9eddd0b9f..6e00e44f847 100644 --- a/terraform/environments/observability-platform/iam-policies.tf +++ b/terraform/environments/observability-platform/iam-policies.tf 
@@ -1,34 +1,11 @@ -data "aws_iam_policy_document" "amazon_managed_prometheus" { - statement { - sid = "AllowRemoteWrite" - effect = "Allow" - actions = [ - "aps:RemoteWrite", - "aps:GetSeries", - "aps:GetLabels", - "aps:GetMetricMetadata" - ] - resources = [module.managed_prometheus.workspace_arn] - } -} - -module "amazon_managed_prometheus_iam_policy" { - #checkov:skip=CKV_TF_1:Module is from Terraform registry - - source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "~> 5.0" - - name_prefix = "amazon-managed-prometheus" - - policy = data.aws_iam_policy_document.amazon_managed_prometheus.json -} - data "aws_iam_policy_document" "amazon_managed_grafana_remote_cloudwatch" { statement { - sid = "AllowAssumeRole" - effect = "Allow" - actions = ["sts:AssumeRole"] - resources = formatlist("arn:aws:iam::%s:role/observability-platform", local.environment_configuration.source_accounts) + sid = "AllowAssumeRole" + effect = "Allow" + actions = ["sts:AssumeRole"] + resources = [ + for account in local.all_cloudwatch_accounts : format("arn:aws:iam::%s:role/observability-platform", lookup(local.environment_management.account_ids, account)) + ] } } diff --git a/terraform/environments/observability-platform/iam-roles.tf b/terraform/environments/observability-platform/iam-roles.tf deleted file mode 100644 index d8590a4878e..00000000000 --- a/terraform/environments/observability-platform/iam-roles.tf +++ /dev/null @@ -1,13 +0,0 @@ -module "data_platform_apps_tools_iam_role" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "~> 5.0" - - create_role = true - role_name = "data-platform-apps-and-tools" - trusted_role_arns = ["arn:aws:iam::${local.environment_configuration.data_platform_apps_tools_account_id}:root"] - custom_role_policy_arns = [module.amazon_managed_prometheus_iam_policy.arn] - role_requires_mfa = false - - tags = local.tags -} 
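Review bot: The new `resources` expression calls `lookup()` with two arguments, a form Terraform has deprecated in favour of index syntax and warns about on every plan; `local.environment_management.account_ids[account]` yields the same value and the same hard error for an unknown account name. Separately, the removed `source_accounts` list for development included `data-platform-test` and `data-platform-preproduction`, and whether those are still assume-role targets now depends on the development tenant's `cloudwatch_accounts`, which is outside this hunk, so it is worth confirming the target set has not shrunk unintentionally.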
diff --git a/terraform/environments/observability-platform/locals.tf b/terraform/environments/observability-platform/locals.tf index a7454414911..318120e2e5b 100644 --- a/terraform/environments/observability-platform/locals.tf +++ b/terraform/environments/observability-platform/locals.tf @@ -1 +1,20 @@ #### This file can be used to store locals specific to the member account #### +locals { + all_sso_uuids = distinct(flatten([ + for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ + lookup(tenant_config, "sso_uuid", []) + ] + ])) + + all_cloudwatch_accounts = distinct(flatten([ + for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ + lookup(tenant_config, "cloudwatch_accounts", []) + ] + ])) + + all_prometheus_accounts = distinct(flatten([ + for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ + lookup(tenant_config, "prometheus_accounts", []) + ] + ])) +} diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index d1546bb9529..e8287a283de 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf @@ -1,17 +1,3 @@ -locals { - all_sso_uuids = distinct(flatten([ - for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ - lookup(tenant_config, "sso_uuid", []) - ] - ])) - - all_cloudwatch_accounts = distinct(flatten([ - for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ - lookup(tenant_config, "cloudwatch_accounts", []) - ] - ])) -} - module "managed_grafana" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions 
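Review bot: In `all_sso_uuids` the `lookup()` default `[]` is a list, while a tenant that sets `sso_uuid` supplies a single string (the production tenant elsewhere in this series does), so the per-tenant result type varies and the expression only works because `flatten` tolerates both. A tenant that mistakenly sets `sso_uuid` to `null` or an empty list would silently vanish from the admin group list rather than fail the plan. A comment above the local, `# sso_uuid is a single string; the [] default simply drops tenants that do not define one`, would at least document that this is intended, and the same shape is shared by the two account lists below it.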
diff --git a/terraform/environments/observability-platform/managed-prometheus.tf b/terraform/environments/observability-platform/managed-prometheus.tf index 2f741e7a4bb..425340488d5 100644 --- a/terraform/environments/observability-platform/managed-prometheus.tf +++ b/terraform/environments/observability-platform/managed-prometheus.tf @@ -1,11 +1,3 @@ -locals { - all_prometheus_accounts = distinct(flatten([ - for tenant_name, tenant_config in local.environment_configuration.observability_platform_configuration : [ - lookup(tenant_config, "prometheus_accounts", []) - ] - ])) -} - module "managed_prometheus" { #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions source = "terraform-aws-modules/managed-service-prometheus/aws" From 30b7876734cdb5b2381870e9e4f27f67718d1cc8 Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Mon, 4 Dec 2023 22:41:00 +0000 Subject: [PATCH 082/142] Uncomment data source permissions Signed-off-by: Jacob Woffenden --- .../modules/grafana/tenant-rbac/main.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf index 6444566882d..94a2c0c234b 100644 --- a/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf +++ b/terraform/environments/observability-platform/modules/grafana/tenant-rbac/main.tf @@ -17,9 +17,6 @@ resource "grafana_folder_permission" "this" { } } -/* Commenting out as the following code isn't working as expected. - I've created a ticket with Grafana Labs - data "grafana_data_source" "this" { for_each = toset(var.cloudwatch_accounts) @@ -36,4 +33,3 @@ resource "grafana_data_source_permission" "this" { permission = "Query" } } -*/ From 20038e1153f6023f8091906ef1aacef728d16539 Mon Sep 17 00:00:00 2001 
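Review bot: Re-enabling `grafana_data_source` and `grafana_data_source_permission` also removes the only record that this code "isn't working as expected" and that a ticket was raised with Grafana Labs, and the commit message does not say what changed to make it work. If the provider issue was resolved, a one-line comment above `data "grafana_data_source" "this"` naming the fix, e.g. `# Re-enabled after Grafana Labs ticket <placeholder> was resolved`, would keep that context for whoever next sees unexpected permission behaviour. The resource bodies themselves sit between the two hunks and are not visible here.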
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 00:52:50 +0000 Subject: [PATCH 083/142] Bump bridgecrewio/checkov-action from 12.2601.0 to 12.2602.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2601.0 to 12.2602.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/327006c6ed37c385f7c6fa126bc54dcce2cccd2f...adf99bf4b0bea40ab7340f81e36ddcc2a4354968) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 1ef3760462a..95e55691bed 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -78,7 +78,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@327006c6ed37c385f7c6fa126bc54dcce2cccd2f # v12.2601.0 + uses: bridgecrewio/checkov-action@adf99bf4b0bea40ab7340f81e36ddcc2a4354968 # v12.2602.0 with: directory: ./ framework: terraform From 1d496798810e178de2688ad1e67e146925feb69b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 5 Dec 2023 00:52:54 +0000 Subject: [PATCH 084/142] Bump actions/labeler from 4.3.0 to 5.0.0 Bumps [actions/labeler](https://github.com/actions/labeler) from 4.3.0 to 5.0.0. - [Release notes](https://github.com/actions/labeler/releases) - [Commits](https://github.com/actions/labeler/compare/ac9175f8a1f3625fd0d4fb234536d26811351594...8558fd74291d67161a8a78ce36a881fa63b766a9) --- updated-dependencies: - dependency-name: actions/labeler dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] --- .github/workflows/labeler.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index d1657cad88c..987a10347d4 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -12,7 +12,7 @@ jobs: triage: runs-on: ubuntu-latest steps: - - uses: actions/labeler@ac9175f8a1f3625fd0d4fb234536d26811351594 # v4.3.0 + - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" sync-labels: "" From a749c09ce444bce7f5a8c2cea262af02abca952d Mon Sep 17 00:00:00 2001 From: wullub Date: Tue, 5 Dec 2023 09:28:38 +0000 Subject: [PATCH 085/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index e091a30a88a..29ec812d682 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From c0c7974f9a022e9569c018d15be478e984eec645 Mon Sep 17 00:00:00 2001 
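Review bot: Commenting out the entire `t1-${local.application_name}-bip-b` entry will destroy that instance on apply and leaves 25 lines of dead configuration with no note saying why or for how long; the next commit in this series (PATCH 087, same file) restores it verbatim, which suggests a temporary toggle. If this is a recurring need, a single local boolean driving `desired_capacity` (0 or 1) would be clearer and safer than commenting the block in and out; otherwise a one-line `# temporarily disabled: <reason>` above the block would do. The enclosing `locals` map starts and ends outside the hunk.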
From: Robert Sweetman Date: Tue, 5 Dec 2023 09:32:08 +0000 Subject: [PATCH 086/142] allow port 80 from loadbalancer for web instances (#4234) * allow port 80 from loadbalancer for web instances * allow port 80 and 443 web * add ssh bastion fixngo --- terraform/environments/planetfm/locals_security_groups.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/terraform/environments/planetfm/locals_security_groups.tf b/terraform/environments/planetfm/locals_security_groups.tf index c290e11799d..c64367a8164 100644 --- a/terraform/environments/planetfm/locals_security_groups.tf +++ b/terraform/environments/planetfm/locals_security_groups.tf @@ -116,6 +116,14 @@ locals { protocol = -1 self = true } + http_web = { + description = "80: Allow HTTP ingress from LB" + from_port = 80 + to_port = 80 + protocol = "TCP" + cidr_blocks = ["10.40.129.64/26"] # noms mgmt live jumpservers + security_groups = ["loadbalancer"] + } https_web = { description = "443: Allow HTTPS ingress from Azure" from_port = 443 From d7dd2023ef869273117f8afadb1ff54eac0e8059 Mon Sep 17 00:00:00 2001 From: wullub Date: Tue, 5 Dec 2023 09:36:16 +0000 Subject: [PATCH 087/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
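Review bot: The description on the new `http_web` rule says ingress is "from LB", but the rule also admits `cidr_blocks = ["10.40.129.64/26"]` (the management jump servers), so the description and the console audit trail understate the exposure; either drop the CIDR from this rule or change it to `description = "80: Allow HTTP ingress from LB and noms mgmt jumpservers"`. Port 80 is plaintext, so if the load balancer terminates TLS and only needs a health check or redirect on 80, restricting the rule to `security_groups = ["loadbalancer"]` alone would be the tighter option and would match the commit title.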
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From efb58585c5799eb7f0ba4ce3a0187d33f733fb62 Mon Sep 17 00:00:00 2001 
From: modernisation-platform-ci Date: Tue, 5 Dec 2023 10:47:04 +0000 Subject: [PATCH 088/142] Workflow: created files in . --- .github/CODEOWNERS | 1 + .github/workflows/cdpt-ifs.yml | 66 +++++++ terraform/environments/cdpt-ifs/README.md | 76 ++++++++ .../cdpt-ifs/application_variables.json | 16 ++ terraform/environments/cdpt-ifs/data.tf | 1 + terraform/environments/cdpt-ifs/locals.tf | 1 + .../cdpt-ifs/networking.auto.tfvars.json | 9 + .../environments/cdpt-ifs/platform_backend.tf | 13 ++ .../cdpt-ifs/platform_base_variables.tf | 11 ++ .../environments/cdpt-ifs/platform_data.tf | 173 ++++++++++++++++++ .../environments/cdpt-ifs/platform_locals.tf | 38 ++++ .../cdpt-ifs/platform_providers.tf | 49 +++++ .../environments/cdpt-ifs/platform_secrets.tf | 17 ++ .../cdpt-ifs/platform_versions.tf | 13 ++ terraform/environments/cdpt-ifs/secrets.tf | 1 + 15 files changed, 485 insertions(+) create mode 100644 .github/workflows/cdpt-ifs.yml create mode 100644 terraform/environments/cdpt-ifs/README.md create mode 100644 terraform/environments/cdpt-ifs/application_variables.json create mode 100644 terraform/environments/cdpt-ifs/data.tf create mode 100644 terraform/environments/cdpt-ifs/locals.tf create mode 100644 terraform/environments/cdpt-ifs/networking.auto.tfvars.json create mode 100644 terraform/environments/cdpt-ifs/platform_backend.tf create mode 100644 terraform/environments/cdpt-ifs/platform_base_variables.tf create mode 100644 terraform/environments/cdpt-ifs/platform_data.tf create mode 100644 terraform/environments/cdpt-ifs/platform_locals.tf create mode 100644 terraform/environments/cdpt-ifs/platform_providers.tf create mode 100644 terraform/environments/cdpt-ifs/platform_secrets.tf create mode 100644 terraform/environments/cdpt-ifs/platform_versions.tf create mode 100644 terraform/environments/cdpt-ifs/secrets.tf diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index e12ec30913e..9925b8c06ae 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS 
@@ -6,6 +6,7 @@ /terraform/environments/ccms-ebs-upgrade @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform /terraform/environments/ccms-ebs @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform-security @ministryofjustice/modernisation-platform /terraform/environments/cdpt-chaps @ministryofjustice/central-digital-product-team @ministryofjustice/modernisation-platform +/terraform/environments/cdpt-ifs @ministryofjustice/central-digital-product-team @ministryofjustice/modernisation-platform /terraform/environments/cooker @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform /terraform/environments/corporate-staff-rostering @ministryofjustice/csr-application-support @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform /terraform/environments/dacp @ministryofjustice/dts-legacy @ministryofjustice/modernisation-platform diff --git a/.github/workflows/cdpt-ifs.yml b/.github/workflows/cdpt-ifs.yml new file mode 100644 index 00000000000..b41ed493e47 --- /dev/null +++ b/.github/workflows/cdpt-ifs.yml 
@@ -0,0 +1,66 @@ +--- +name: cdpt-ifs +on: + push: + branches: + - main + paths: + - 'terraform/environments/cdpt-ifs/**' + - '.github/workflows/cdpt-ifs.yml' + + pull_request: + branches: + - main + types: [opened, edited, reopened, synchronize] + paths: + - 'terraform/environments/cdpt-ifs/**' + - '.github/workflows/cdpt-ifs.yml' + + workflow_dispatch: + inputs: + action: + description: 'Set either [deploy|destroy].' + default: 'deploy' + required: true + type: string + options: + - deploy + - destroy + +permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + +jobs: + strategy: + uses: ./.github/workflows/reusable_terraform_strategy.yml + if: inputs.action != 'destroy' + with: + application: "${{ github.workflow }}" + + terraform: + needs: strategy + if: inputs.action != 'destroy' + strategy: + fail-fast: false + matrix: ${{ fromJson(needs.strategy.outputs.matrix) }} + uses: ./.github/workflows/reusable_terraform_plan_apply.yml + with: + application: "${{ github.workflow }}" + environment: "${{ matrix.target }}" + action: "${{ matrix.action }}" + secrets: + modernisation_platform_environments: "${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}" + pipeline_github_token: "${{ secrets.MODERNISATION_PLATFORM_CI_USER_ENVIRONMENTS_REPO_PAT }}" + + destroy-development: + if: inputs.action == 'destroy' + uses: ./.github/workflows/reusable_terraform_plan_apply.yml + with: + application: "${{ github.workflow }}" + environment: "development" + action: "plan_apply" + plan_apply_tfargs: "-destroy" + secrets: + modernisation_platform_environments: "${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}" + pipeline_github_token: "${{ secrets.MODERNISATION_PLATFORM_CI_USER_ENVIRONMENTS_REPO_PAT }}" diff --git a/terraform/environments/cdpt-ifs/README.md b/terraform/environments/cdpt-ifs/README.md new file mode 100644 index 00000000000..9aa2658704c --- /dev/null +++ b/terraform/environments/cdpt-ifs/README.md 
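Review bot: The `workflow_dispatch` input `action` is declared `type: string` but carries an `options:` list; GitHub only honours `options` for `type: choice`, so as written any free-text value is accepted and the dispatch form shows a text box rather than a drop-down. Changing it to `type: choice` makes the declared `deploy`/`destroy` set enforceable, which also means a mistyped value fails at dispatch instead of falling through the `inputs.action != 'destroy'` guards into the plan/apply path. This is platform scaffold, so the same correction likely belongs in the template it was generated from.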
@@ -0,0 +1,76 @@ +# Service Runbook + + + +_If you have any questions surrounding this page please post in the `#team-name` channel._ + +## Mandatory Information + +### **Last review date:** + + + +### **Description:** + + + +### **Service URLs:** + + + +### **Incident response hours:** + + + +### **Incident contact details:** + + + +### **Service team contact:** + + + +### **Hosting environment:** + +Modernisation Platform + + + +## Optional + +### **Other URLs:** + + + +### **Expected speed and frequency of releases:** + + + +### **Automatic alerts:** + + + +### **Impact of an outage:** + + + +### **Out of hours response types:** + + + +### **Consumers of this service:** + + + +### **Services consumed by this:** + + + +### **Restrictions on access:** + + + +### **How to resolve specific issues:** + + diff --git a/terraform/environments/cdpt-ifs/application_variables.json b/terraform/environments/cdpt-ifs/application_variables.json new file mode 100644 index 00000000000..6b52bfe9b30 --- /dev/null +++ b/terraform/environments/cdpt-ifs/application_variables.json @@ -0,0 +1,16 @@ +{ + "accounts": { + "development": { + "example_var": "dev-data" + }, + "test": { + "example_var": "test-data" + }, + "preproduction": { + "example_var": "preproduction-data" + }, + "production": { + "example_var": "production-data" + } + } +} diff --git a/terraform/environments/cdpt-ifs/data.tf b/terraform/environments/cdpt-ifs/data.tf new file mode 100644 index 00000000000..96a2521d17e --- /dev/null +++ b/terraform/environments/cdpt-ifs/data.tf @@ -0,0 +1 @@ +#### This file can be used to store data specific to the member account #### diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf new file mode 100644 index 00000000000..a7454414911 --- /dev/null +++ b/terraform/environments/cdpt-ifs/locals.tf @@ -0,0 +1 @@ +#### This file can be used to store locals specific to the member account #### 
diff --git a/terraform/environments/cdpt-ifs/networking.auto.tfvars.json b/terraform/environments/cdpt-ifs/networking.auto.tfvars.json new file mode 100644 index 00000000000..9a757423c9f --- /dev/null +++ b/terraform/environments/cdpt-ifs/networking.auto.tfvars.json @@ -0,0 +1,9 @@ +{ + "networking": [ + { + "business-unit": "", + "set": "", + "application": "cdpt-ifs" + } + ] +} diff --git a/terraform/environments/cdpt-ifs/platform_backend.tf b/terraform/environments/cdpt-ifs/platform_backend.tf new file mode 100644 index 00000000000..c05ee15afe1 --- /dev/null +++ b/terraform/environments/cdpt-ifs/platform_backend.tf @@ -0,0 +1,13 @@ +# Backend +terraform { + # `backend` blocks do not support variables, so the following are hard-coded here: + # - S3 bucket name, which is created in modernisation-platform-account/s3.tf + backend "s3" { + acl = "bucket-owner-full-control" + bucket = "modernisation-platform-terraform-state" + encrypt = true + key = "terraform.tfstate" + region = "eu-west-2" + workspace_key_prefix = "environments/members/cdpt-ifs" # This will store the object as environments/members/cdpt-ifs/${workspace}/terraform.tfstate + } +} diff --git a/terraform/environments/cdpt-ifs/platform_base_variables.tf b/terraform/environments/cdpt-ifs/platform_base_variables.tf new file mode 100644 index 00000000000..e5713ed9493 --- /dev/null +++ b/terraform/environments/cdpt-ifs/platform_base_variables.tf @@ -0,0 +1,11 @@ +variable "networking" { + + type = list(any) + +} + +variable "collaborator_access" { + type = string + default = "developer" + description = "Collaborators must specify which access level they are using, eg set an environment variable of export TF_VAR_collaborator_access=migration" +} diff --git a/terraform/environments/cdpt-ifs/platform_data.tf b/terraform/environments/cdpt-ifs/platform_data.tf new file mode 100644 index 00000000000..9844360a8cd --- /dev/null +++ b/terraform/environments/cdpt-ifs/platform_data.tf 
@@ -0,0 +1,173 @@ +# Current account data +data "aws_region" "current" {} + +data "aws_caller_identity" "current" {} + +# VPC and subnet data +data "aws_vpc" "shared" { + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}" + } +} + +data "aws_subnets" "shared-data" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data*" + } +} + +data "aws_subnets" "shared-private" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*" + } +} + +data "aws_subnets" "shared-public" { + filter { + name = "vpc-id" + values = [data.aws_vpc.shared.id] + } + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public*" + } +} + +data "aws_subnet" "data_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "data_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "data_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-data-${data.aws_region.current.name}c" + } +} + +data "aws_subnet" "private_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "private_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = 
"${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "private_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + "Name" = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private-${data.aws_region.current.name}c" + } +} + +data "aws_subnet" "public_subnets_a" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}a" + } +} + +data "aws_subnet" "public_subnets_b" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}b" + } +} + +data "aws_subnet" "public_subnets_c" { + vpc_id = data.aws_vpc.shared.id + tags = { + Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-public-${data.aws_region.current.name}c" + } +} + +# Route53 DNS data +data "aws_route53_zone" "external" { + provider = aws.core-vpc + + name = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk." + private_zone = false +} + +data "aws_route53_zone" "inner" { + provider = aws.core-vpc + + name = "${var.networking[0].business-unit}-${local.environment}.modernisation-platform.internal." + private_zone = true +} + +data "aws_route53_zone" "network-services" { + provider = aws.core-network-services + + name = "modernisation-platform.service.justice.gov.uk." 
+ private_zone = false +} + +# Shared KMS keys (per business unit) +data "aws_kms_key" "general_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/general-${var.networking[0].business-unit}" +} + +data "aws_kms_key" "ebs_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/ebs-${var.networking[0].business-unit}" +} + +data "aws_kms_key" "rds_shared" { + key_id = "arn:aws:kms:eu-west-2:${local.environment_management.account_ids["core-shared-services-production"]}:alias/rds-${var.networking[0].business-unit}" +} + +# State for core-network-services resource information +data "terraform_remote_state" "core_network_services" { + backend = "s3" + config = { + acl = "bucket-owner-full-control" + bucket = "modernisation-platform-terraform-state" + key = "environments/accounts/core-network-services/core-network-services-production/terraform.tfstate" + region = "eu-west-2" + encrypt = "true" + } +} + +data "aws_organizations_organization" "root_account" {} + +# Retrieve information about the modernisation platform account +data "aws_caller_identity" "modernisation_platform" { + provider = aws.modernisation-platform +} + +# caller account information to instantiate aws.oidc provider +data "aws_caller_identity" "original_session" { + provider = aws.original-session +} + +data "aws_iam_session_context" "whoami" { + provider = aws.original-session + arn = data.aws_caller_identity.original_session.arn +} + +# Get the environments file from the main repository +data "http" "environments_file" { + url = "https://raw.githubusercontent.com/ministryofjustice/modernisation-platform/main/environments/${local.application_name}.json" +} diff --git a/terraform/environments/cdpt-ifs/platform_locals.tf b/terraform/environments/cdpt-ifs/platform_locals.tf new file mode 100644 index 00000000000..935efb22b4c --- /dev/null 
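Review bot: `data "http" "environments_file"` fetches `environments/${local.application_name}.json` from the `main` branch of another repository at every plan, with no pinning or integrity check, and `platform_locals.tf` folds its `tags` into every resource; a change on that branch therefore alters this environment's applied configuration without any change being reviewed in this repo. This is the platform's standard scaffold, so the fix belongs upstream, but a comment above the block, `# Fetched from main at plan time; changes in modernisation-platform propagate here without review in this repo`, would make the dependency visible to the service team.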
+++ b/terraform/environments/cdpt-ifs/platform_locals.tf 
@@ -0,0 +1,38 @@
+locals {
+
+ application_name = "cdpt-ifs"
+
+ environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string)
+
+ # Stores modernisation platform account id for setting up the modernisation-platform provider
+ modernisation_platform_account_id = data.aws_ssm_parameter.modernisation_platform_account_id.value
+
+ # This takes the name of the Terraform workspace (e.g. core-vpc-production), strips out the application name (e.g. core-vpc), and checks if
+ # the string leftover is `-production`, if it isn't (e.g. core-vpc-non-production => -non-production) then it sets the var to false.
+ is-production = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production"
+ is-preproduction = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction"
+ is-test = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-test"
+ is-development = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-development"
+
+ # Merge tags from the environment json file with additional ones
+ tags = merge(
+ jsondecode(data.http.environments_file.response_body).tags,
+ { "is-production" = local.is-production },
+ { "environment-name" = terraform.workspace },
+ { "source-code" = "https://github.com/ministryofjustice/modernisation-platform-environments" }
+ )
+
+ environment = trimprefix(terraform.workspace, "${var.networking[0].application}-")
+ vpc_name = var.networking[0].business-unit
+ subnet_set = var.networking[0].set
+ vpc_all = "${local.vpc_name}-${local.environment}"
+ subnet_set_name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}"
+
+ is_live = [substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"]
+ provider_name = "core-vpc-${local.environment}"
+
+ # environment specfic variables
+ # example usage:
+ # example_data = local.application_data.accounts[local.environment].example_var
+ application_data = fileexists("./application_variables.json") ? jsondecode(file("./application_variables.json")) : null
+}
diff --git a/terraform/environments/cdpt-ifs/platform_providers.tf b/terraform/environments/cdpt-ifs/platform_providers.tf
new file mode 100644
index 00000000000..ac450a6ba4d
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/platform_providers.tf
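Review bot: `is_live` is wrapped in `[ … ]`, so it evaluates to a one-element list (`["live"]`) while the neighbouring `is-production`/`is-preproduction` locals are plain booleans; unless some consumer indexes `local.is_live[0]`, drop the brackets: `is_live = substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-production" || substr(terraform.workspace, length(local.application_name), length(terraform.workspace)) == "-preproduction" ? "live" : "non-live"`. The `substr(terraform.workspace, length(local.application_name), length(terraform.workspace))` expression is repeated six times in this block; a single `workspace_suffix` local would turn the `is-*` flags and `is_live` into one-line comparisons. Note also that `tags` is built from `data.http.environments_file`, i.e. fetched at plan time from the `main` branch of a remote repository, so a change there alters the tags applied here without any commit to this file — presumably accepted platform practice, but worth a one-line comment on the `tags` merge. `specfic` in the `# environment specfic variables` comment is a typo.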
@@ -0,0 +1,49 @@
+# AWS provider for the original session which you connect with
+provider "aws" {
+ alias = "original-session"
+ region = "eu-west-2"
+}
+
+# AWS provider for the workspace you're working in (every resource will default to using this, unless otherwise specified)
+provider "aws" {
+ region = "eu-west-2"
+ assume_role {
+ role_arn = !can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? null : can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess"
+ }
+}
+
+# AWS provider for the Modernisation Platform, to get things from there if required
+provider "aws" {
+ alias = "modernisation-platform"
+ region = "eu-west-2"
+ assume_role {
+ role_arn = "arn:aws:iam::${local.modernisation_platform_account_id}:role/modernisation-account-limited-read-member-access"
+ }
+}
+
+# AWS provider for core-vpc-, to access resources in the core-vpc accounts
+provider "aws" {
+ alias = "core-vpc"
+ region = "eu-west-2"
+ assume_role {
+ role_arn = !can(regex("githubactionsrolesession|AdministratorAccess", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/member-delegation-read-only" : "arn:aws:iam::${local.environment_management.account_ids[local.provider_name]}:role/member-delegation-${local.vpc_name}-${local.environment}"
+ }
+}
+
+# AWS provider for network services to enable dns entries for certificate validation to be created
+provider "aws" {
+ alias = "core-network-services"
+ region = "eu-west-2"
+ assume_role {
+ role_arn = !can(regex("githubactionsrolesession|AdministratorAccess", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/read-log-records" : "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/modify-dns-records"
+ }
+}
+
+# Provider for creating resources in us-east-1, eg ACM resources for CloudFront
+provider "aws" {
+ alias = "us-east-1"
+ region = "us-east-1"
+ assume_role {
+ role_arn = !can(regex("githubactionsrolesession|AdministratorAccess|user", data.aws_caller_identity.original_session.arn)) ? null : can(regex("user", data.aws_caller_identity.original_session.arn)) ? "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/${var.collaborator_access}" : "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccessUSEast"
+ }
+}
diff --git a/terraform/environments/cdpt-ifs/platform_secrets.tf b/terraform/environments/cdpt-ifs/platform_secrets.tf
new file mode 100644
index 00000000000..bb006856534
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/platform_secrets.tf
@@ -0,0 +1,17 @@
+# Get modernisation account id from ssm parameter
+data "aws_ssm_parameter" "modernisation_platform_account_id" {
+ provider = aws.original-session
+ name = "modernisation_platform_account_id"
+}
+
+# Get secret by arn for environment management
+data "aws_secretsmanager_secret" "environment_management" {
+ provider = aws.modernisation-platform
+ name = "environment_management"
+}
+
+# Get latest secret value with ID from above. This secret stores account IDs for the Modernisation Platform sub-accounts
+data "aws_secretsmanager_secret_version" "environment_management" {
+ provider = aws.modernisation-platform
+ secret_id = data.aws_secretsmanager_secret.environment_management.id
+}
diff --git a/terraform/environments/cdpt-ifs/platform_versions.tf b/terraform/environments/cdpt-ifs/platform_versions.tf
new file mode 100644
index 00000000000..6161ef3bc02
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/platform_versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_providers {
+ aws = {
+ version = "~> 5.0"
+ source = "hashicorp/aws"
+ }
+ http = {
+ version = "~> 3.0"
+ source = "hashicorp/http"
+ }
+ }
+ required_version = "~> 1.0"
+}
diff --git a/terraform/environments/cdpt-ifs/secrets.tf b/terraform/environments/cdpt-ifs/secrets.tf
new file mode 100644
index 00000000000..a6a94d9c098
--- /dev/null
+++ b/terraform/environments/cdpt-ifs/secrets.tf
@@ -0,0 +1 @@
+#### This file can be used to store secrets specific to the member account ####
From 99f9048d0d8fad0c68e4a2384c269d0b85db4111 Mon Sep 17 00:00:00 2001
From: wullub
Date: Tue, 5 Dec 2023 10:55:29 +0000
Subject: [PATCH 089/142] Update locals_test.tf
---
 terraform/environments/oasys/locals_test.tf | 50 ++++++++++-----------
 1 file changed, 25 insertions(+), 25 deletions(-)
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index e091a30a88a..29ec812d682 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 659ba281808243d779896093c76089bf57e9b807 Mon Sep 17 00:00:00 2001 
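Review bot: Disabling `t1-${local.application_name}-bip-b` by commenting out the whole 25-line map entry makes every line show as changed, and the same block is uncommented and re-commented again in patches 090, 093, 094, 095, 096, 099 and 100 of this series, so no single diff tells a reviewer whether the instance is meant to exist. A boolean local (e.g. `t1_bip_b_enabled = false`) with the entry added through a conditional `merge(…, local.t1_bip_b_enabled ? { "t1-${local.application_name}-bip-b" = … } : {})` would make each toggle a one-line, self-describing change. The `branch = "oasys/bip-build-improvement2"` passed into `user_data_cloud_init.args` appears to pin the instance build to a feature branch, a mutable ref that can change what runs on the host without a change here; a comment stating that it is temporary and naming the intended merge target would help. The enclosing `locals {` block starts and ends outside this hunk.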
From: wullub Date: Tue, 5 Dec 2023 11:02:24 +0000 Subject: [PATCH 090/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From f0a6c124e22cab7ab1ede41fc3b3816ef2da0258 Mon Sep 17 00:00:00 2001 
From: Jacob Woffenden Date: Tue, 5 Dec 2023 11:39:19 +0000 Subject: [PATCH 091/142] default to EDITOR Signed-off-by: Jacob Woffenden --- .../environments/observability-platform/managed-grafana.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/observability-platform/managed-grafana.tf b/terraform/environments/observability-platform/managed-grafana.tf index e8287a283de..a65a6931b2a 100644 --- a/terraform/environments/observability-platform/managed-grafana.tf +++ b/terraform/environments/observability-platform/managed-grafana.tf @@ -29,7 +29,7 @@ module "managed_grafana" { "ADMIN" = { "group_ids" = ["16a2d234-1031-70b5-2657-7f744c55e48f"] # observability-platform } - "VIEWER" = { + "EDITOR" = { "group_ids" = local.all_sso_uuids } } From 093d12d48fee9f7a13055a3ff46496a678d277ca Mon Sep 17 00:00:00 2001 From: modernisation-platform-ci Date: Tue, 5 Dec 2023 12:04:59 +0000 Subject: [PATCH 092/142] Workflow: created files in . --- terraform/environments/cdpt-ifs/networking.auto.tfvars.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/cdpt-ifs/networking.auto.tfvars.json b/terraform/environments/cdpt-ifs/networking.auto.tfvars.json index 9a757423c9f..8fe207d92fb 100644 --- a/terraform/environments/cdpt-ifs/networking.auto.tfvars.json +++ b/terraform/environments/cdpt-ifs/networking.auto.tfvars.json @@ -1,8 +1,8 @@ { "networking": [ { - "business-unit": "", - "set": "", + "business-unit": "hq", + "set": "general", "application": "cdpt-ifs" } ] From 63a10d27cee702177036175abee78b61acd9370a Mon Sep 17 00:00:00 2001 From: wullub Date: Tue, 5 Dec 2023 12:10:22 +0000 Subject: [PATCH 093/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index e091a30a88a..29ec812d682 100644 
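Review bot: `"EDITOR" = { "group_ids" = local.all_sso_uuids }` replaces a VIEWER mapping with EDITOR for every identity in `local.all_sso_uuids`, i.e. every SSO user gains write access to dashboards and alert rules under Grafana's default role model, while only the `observability-platform` group keeps ADMIN. The commit message says only "default to EDITOR", so a comment on that line recording why write-for-all is the intended default, e.g. `# all SSO users may edit dashboards/alerts; ADMIN stays limited to observability-platform`, would save the next reviewer from re-deriving the decision. If only some teams need to edit, a narrower group list here keeps an accidental dashboard or alert-rule change from affecting everyone. The `role_associations` map starts outside this hunk.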
--- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From a4a32b5cd8e2a5bbbcafccb539128325407fe7a2 Mon Sep 17 00:00:00 2001 
From: wullub Date: Tue, 5 Dec 2023 12:15:47 +0000 Subject: [PATCH 094/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 91bd2e7574f482d822a83876c56961052badf148 Mon Sep 17 00:00:00 2001 
From: wullub Date: Tue, 5 Dec 2023 13:43:44 +0000 Subject: [PATCH 095/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index e091a30a88a..29ec812d682 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 4e27bcc22db76a97240c86ca4a502cd2ce37d1a1 Mon Sep 17 00:00:00 2001 
From: wullub Date: Tue, 5 Dec 2023 13:49:48 +0000 Subject: [PATCH 096/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 06631a8b58b82aec1cf3df43c62f2112b389188e Mon Sep 17 00:00:00 2001 
From: Silviana Horga Date: Tue, 5 Dec 2023 14:22:17 +0000 Subject: [PATCH 097/142] Create wildcard cert for lb --- terraform/environments/hmpps-domain-services/locals.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/hmpps-domain-services/locals.tf b/terraform/environments/hmpps-domain-services/locals.tf index ac44e8d4ab9..fc14e0adf3f 100644 --- a/terraform/environments/hmpps-domain-services/locals.tf +++ b/terraform/environments/hmpps-domain-services/locals.tf @@ -11,7 +11,7 @@ locals { baseline_environment_config = local.environment_configs[local.environment] baseline_presets_options = { - enable_application_environment_wildcard_cert = false + enable_application_environment_wildcard_cert = true enable_backup_plan_daily_and_weekly = true enable_business_unit_kms_cmks = true enable_image_builder = true From 3755bd5a447c80b8ab5790c7e80e4b8c9e6bf178 Mon Sep 17 00:00:00 2001 From: Andrew Moore Date: Tue, 5 Dec 2023 14:41:38 +0000 Subject: [PATCH 098/142] NIT-965 add SSM parameter for LDAP seed URI --- .../modules/environment_all_components/ldap_params.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_params.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_params.tf index 86e2b446986..07d9e02bf32 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/ldap_params.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_params.tf @@ -41,3 +41,14 @@ resource "aws_ssm_parameter" "delius_core_ldap_principal" { tags = local.tags } +resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" { + name = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name) + type = "String" + value = "INITIAL_VALUE_OVERRIDDEN" + lifecycle { + ignore_changes = [ + value + ] + } + tags = local.tags +} 
From 4b8e6d415dc3b955fd4f2785c69846ca5902004f Mon Sep 17 00:00:00 2001 From: wullub Date: Tue, 5 Dec 2023 14:53:53 +0000 Subject: [PATCH 099/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index e091a30a88a..29ec812d682 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 2e8b684eecfb5a98df98ad87715d350fb32a5590 Mon Sep 17 00:00:00 2001 
From: wullub Date: Tue, 5 Dec 2023 14:58:55 +0000 Subject: [PATCH 100/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From e0fe4a7e617b287459ac0bc32bccf8935fcd37d3 Mon Sep 17 00:00:00 2001 
From: Andrew Moore Date: Tue, 5 Dec 2023 15:03:42 +0000 Subject: [PATCH 101/142] NIT-965 hard code AMI ID temporarily --- .../delius-core/modules/environment_all_components/db_ec2.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/environment_all_components/db_ec2.tf b/terraform/environments/delius-core/modules/environment_all_components/db_ec2.tf index acf593c61d9..64e7487a12c 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/db_ec2.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/db_ec2.tf @@ -61,7 +61,8 @@ resource "aws_instance" "db_ec2_instance" { #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either." instance_type = each.value.instance.instance_type - ami = data.aws_ami.oracle_db_ami[each.key].id + # Temporarily hard coding AMI until we have a better solution to locking EC2 isntances to specific AZs + ami = "ami-084f5c88fe5bb9d44" vpc_security_group_ids = [aws_security_group.db_ec2_instance_sg.id, aws_security_group.delius_db_security_group.id] subnet_id = var.account_config.data_subnet_a_id iam_instance_profile = aws_iam_instance_profile.db_ec2_instanceprofile.name From 6503ab0c222467a01802a1d26b9aa59c79a90783 Mon Sep 17 00:00:00 2001 From: Aaron Robinson <41325732+ASTRobinson@users.noreply.github.com> Date: Tue, 5 Dec 2023 15:15:46 +0000 Subject: [PATCH 102/142] Update labeler.yml --- .github/workflows/labeler.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml index 987a10347d4..2621e1d548d 100644 --- a/.github/workflows/labeler.yml +++ b/.github/workflows/labeler.yml @@ -15,4 +15,3 @@ jobs: - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0 with: repo-token: "${{ secrets.GITHUB_TOKEN }}" - sync-labels: "" From c46ea7546804df86ef3d6e9cbc83152f3cf93bea Mon Sep 17 00:00:00 2001 
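Review bot: The hard-coded `ami = "ami-084f5c88fe5bb9d44"` replaces a per-`each.key` lookup with one image for every instance in this `for_each`, so any instance whose `data.aws_ami.oracle_db_ami[each.key]` resolved to a different image will be planned for replacement on the next apply; worth checking the plan before merging. The comment calls the pin temporary but gives no removal condition — `# TODO(NIT-965): temporary AMI pin until instances can be locked to an AZ; revert to data.aws_ami.oracle_db_ami[each.key].id` (and `isntances` → `instances`) would make it discoverable later. If the intent is only to stop image drift from recreating instances, `lifecycle { ignore_changes = [ami] }` may be the mechanism wanted rather than a literal ID; presumably `data.aws_ami.oracle_db_ami` is still declared and evaluated even though it is now unused. The `aws_instance "db_ec2_instance"` block continues outside this hunk.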
From: Silviana Horga Date: Tue, 5 Dec 2023 15:20:56 +0000 Subject: [PATCH 103/142] Change protocol of target group from HTTP to TCP to allow source_ip based stickiness --- terraform/environments/hmpps-domain-services/locals_test.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/hmpps-domain-services/locals_test.tf b/terraform/environments/hmpps-domain-services/locals_test.tf index ee665ce598d..9b5dc781609 100644 --- a/terraform/environments/hmpps-domain-services/locals_test.tf +++ b/terraform/environments/hmpps-domain-services/locals_test.tf @@ -199,7 +199,7 @@ locals { instance_target_groups = { rds-gateway-80 = { port = 80 - protocol = "HTTP" + protocol = "TCP" health_check = { enabled = true interval = 5 @@ -222,7 +222,7 @@ locals { listeners = { http = { port = 80 - protocol = "HTTP" + protocol = "TCP" default_action = { type = "forward" target_group_name = "rds-gateway-80" From c3effe3136cea2cffe9666b0beb132014aa35056 Mon Sep 17 00:00:00 2001 From: Andrew Moore Date: Tue, 5 Dec 2023 15:37:06 +0000 Subject: [PATCH 104/142] NIT-965 change from SSM param to secret --- .../environment_all_components/ldap_params.tf | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_params.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_params.tf index 07d9e02bf32..8a1b6548a94 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/ldap_params.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_params.tf 
@@ -17,20 +17,22 @@ data "aws_secretsmanager_secret" "delius_core_ldap_credential" { name = aws_secretsmanager_secret.delius_core_ldap_credential.name } -resource "aws_ssm_parameter" "delius_core_ldap_host" { - name = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name) - type = "SecureString" - value = "INITIAL_VALUE_OVERRIDDEN" +resource "aws_secretsmanager_secret" "delius_core_ldap_seed_uri" { + name = "${var.account_info.application_name}-${var.env_name}-openldap-seed-uri" +} + +resource "aws_secretsmanager_secret_version" "delius_core_ldap_seed_uri" { + secret_id = aws_secretsmanager_secret.delius_core_ldap_seed_uri.id + secret_string = "INITIAL_VALUE_OVERRIDDEN" lifecycle { ignore_changes = [ - value + secret_string ] } - tags = local.tags } -resource "aws_ssm_parameter" "delius_core_ldap_principal" { - name = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name) +resource "aws_ssm_parameter" "delius_core_ldap_host" { + name = format("/%s-%s/LDAP_HOST", var.account_info.application_name, var.env_name) type = "SecureString" value = "INITIAL_VALUE_OVERRIDDEN" lifecycle { @@ -41,9 +43,9 @@ resource "aws_ssm_parameter" "delius_core_ldap_principal" { tags = local.tags } -resource "aws_ssm_parameter" "delius_core_ldap_seed_uri" { - name = format("/%s-%s/LDAP_SEED_URI", var.account_info.application_name, var.env_name) - type = "String" +resource "aws_ssm_parameter" "delius_core_ldap_principal" { + name = format("/%s-%s/LDAP_PRINCIPAL", var.account_info.application_name, var.env_name) + type = "SecureString" value = "INITIAL_VALUE_OVERRIDDEN" lifecycle { ignore_changes = [ From e8907ac0dbc5923366380aab7f52331825787e9c Mon Sep 17 00:00:00 2001 From: Silviana Horga Date: Tue, 5 Dec 2023 16:06:27 +0000 Subject: [PATCH 105/142] Remove ingress rules not needed --- .../locals_security_groups.tf | 14 -------------- 1 file changed, 14 deletions(-) 
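Review bot: The new `aws_secretsmanager_secret.delius_core_ldap_seed_uri` resource carries no `tags`, whereas the `aws_ssm_parameter` it replaces had `tags = local.tags` and the SSM parameters that remain in the file (`delius_core_ldap_host`, `delius_core_ldap_principal`) still do; add `tags = local.tags` to the secret so it is inventoried like its siblings. The secret also relies on the default AWS-managed key and default recovery window, which may be the account convention, but it should match whatever `aws_secretsmanager_secret.delius_core_ldap_credential` (referenced at the top of the hunk, defined elsewhere) sets for `kms_key_id` and `recovery_window_in_days`. Since `secret_string = "INITIAL_VALUE_OVERRIDDEN"` is placed under `ignore_changes`, the real value is set out of band, and a one-line comment naming the process that populates it would save the next reader a search.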
diff --git a/terraform/environments/hmpps-domain-services/locals_security_groups.tf b/terraform/environments/hmpps-domain-services/locals_security_groups.tf index 55cca8a93c6..8569f1b117a 100644 --- a/terraform/environments/hmpps-domain-services/locals_security_groups.tf +++ b/terraform/environments/hmpps-domain-services/locals_security_groups.tf @@ -136,20 +136,6 @@ locals { protocol = "TCP" cidr_blocks = local.security_group_cidrs.enduserclient } - http7770_7771_lb = { - description = "Allow http 7770-7771 ingress" - from_port = 7770 - to_port = 7771 - protocol = "TCP" - cidr_blocks = local.security_group_cidrs.enduserclient - } - http7780_7781_lb = { - description = "Allow http 7780-7781 ingress" - from_port = 7780 - to_port = 7781 - protocol = "TCP" - cidr_blocks = local.security_group_cidrs.enduserclient - } } egress = { all = { From c7b49950d8cdbc24bf3c57cab79dd8734e426fa8 Mon Sep 17 00:00:00 2001 From: Silviana Horga Date: Tue, 5 Dec 2023 16:13:03 +0000 Subject: [PATCH 106/142] Change stickiness type to lb_cookie and keep HTTP protocol to work with application lb --- terraform/environments/hmpps-domain-services/locals_test.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/hmpps-domain-services/locals_test.tf b/terraform/environments/hmpps-domain-services/locals_test.tf index 9b5dc781609..a032478c08b 100644 --- a/terraform/environments/hmpps-domain-services/locals_test.tf +++ b/terraform/environments/hmpps-domain-services/locals_test.tf @@ -199,7 +199,7 @@ locals { instance_target_groups = { rds-gateway-80 = { port = 80 - protocol = "TCP" + protocol = "HTTP" health_check = { enabled = true interval = 5 @@ -211,7 +211,7 @@ locals { } stickiness = { enabled = true - type = "source_ip" + type = "lb_cookie" } #attachments = [ # { ec2_instance_name = "rds-gateway" }, 
@@ -222,7 +222,7 @@ locals { listeners = { http = { port = 80 - protocol = "TCP" + protocol = "HTTP" default_action = { type = "forward" target_group_name = "rds-gateway-80" From 0f737bfa8d1bc9b63dc3705d8464401a1940969f Mon Sep 17 00:00:00 2001 From: wullub Date: Tue, 5 Dec 2023 16:19:33 +0000 Subject: [PATCH 107/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index e091a30a88a..29ec812d682 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
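Review bot: The `http` listener on port 80 with `protocol = "HTTP"` forwards to `rds-gateway-80` in clear text, so if this is the only entry in `listeners` (the rest of the map is outside the hunk) remote-desktop-gateway traffic between clients and the load balancer is unencrypted; the usual shape is an HTTPS listener carrying the forward and a port-80 listener whose `default_action` is a redirect. The `lb_cookie` stickiness set in the preceding hunk of this commit only works when the client returns the cookie, which is worth confirming for the RD gateway client before relying on it for session affinity. The `locals` block continues outside the hunk.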
@@ -283,31 +283,31 @@ locals { }) }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # # instance-scheduling = "skip-scheduling" + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From dd410f29ad754238bbbaf8bee57eb508c6246538 Mon Sep 17 00:00:00 2001 
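Review bot: Commenting out the whole `t1-…-bip-b` entry with `#` (and the same toggling of the bip blocks in commits 108, 118 and 119 later in this series) leaves dead configuration in `locals_test.tf` and makes every later diff of this region noisy; Terraform already destroys the instance when the map entry is removed, so the cleaner options are deleting the entry and relying on git history, or keeping it live and driving its presence through a setting such as `desired_capacity = 0`. If the block must stay commented for now, a one-line comment above it saying why and until when would help. The `locals` block continues outside the hunk.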
From: wullub Date: Tue, 5 Dec 2023 16:25:37 +0000 Subject: [PATCH 108/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 50 ++++++++++----------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 29ec812d682..e091a30a88a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -283,31 +283,31 @@ locals { }) }) - # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # # ami_name = "base_rhel_7_9*" - # }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "oasys/bip-build-improvement2" - # }) - # }) - # tags = merge(local.bip_b.tags, { - # # instance-scheduling = "skip-scheduling" - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_b.config, { + instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + # ami_name = "base_rhel_7_9*" + }) + user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + branch = "oasys/bip-build-improvement2" + }) + }) + tags = merge(local.bip_b.tags, { + # instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) } baseline_ec2_autoscaling_groups = { From 0c575778047d3671933dd47aac6d9eca278de501 Mon Sep 17 00:00:00 2001 
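Review bot: The restored `user_data_cloud_init` for `t1-…-bip-b` points Ansible at `branch = "oasys/bip-build-improvement2"`, a mutable feature branch, so what the instance provisions at boot can change with no change to this repository and cannot be reproduced from this commit; pin a tag or commit SHA, or add a comment stating that the branch pin is temporary and which ticket removes it. The commented-out `# ami_name = "base_rhel_7_9*"` line should likewise be dropped or explained. The `locals` block continues outside the hunk.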
From: Aaron Robinson Date: Tue, 5 Dec 2023 16:34:28 +0000 Subject: [PATCH 109/142] update labeler config structure --- .github/labeler.yml | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/labeler.yml b/.github/labeler.yml index 569dd01777f..0cab0054f50 100644 --- a/.github/labeler.yml +++ b/.github/labeler.yml @@ -1,12 +1,20 @@ onboarding: - - "environments/**" + - changed-files: + - any-glob-to-any-file: + - "environments/**" dependencies: - - "terraform/**/*.lock.hcl" + - changed-files: + - any-glob-to-any-file: + - "terraform/**/*.lock.hcl" github-workflow: - - "github/workflows/**" + - changed-files: + - any-glob-to-any-file: + - ".github/workflows/**" environments-repository: - - "**/*.*" - - "**/*" + - changed-files: + - any-glob-to-any-file: + - "**/*.*" + - "**/*" From 508bf32a384f5060ea93612322e7e72aa06c3e5c Mon Sep 17 00:00:00 2001 From: Silviana Horga Date: Tue, 5 Dec 2023 16:36:47 +0000 Subject: [PATCH 110/142] Setup sec group for lb --- terraform/environments/hmpps-domain-services/locals.tf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/terraform/environments/hmpps-domain-services/locals.tf b/terraform/environments/hmpps-domain-services/locals.tf index fc14e0adf3f..a074c7de8b4 100644 --- a/terraform/environments/hmpps-domain-services/locals.tf +++ b/terraform/environments/hmpps-domain-services/locals.tf @@ -69,7 +69,8 @@ locals { baseline_secretsmanager_secrets = {} baseline_security_groups = { - private-dc = local.security_groups.private_dc + private-dc = local.security_groups.private_dc + load-balancer = local.security_groups.load-balancer } baseline_sns_topics = {} From 40d89a5d9867ba57da55a370e59fdea261ca6abe Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 6 Dec 2023 00:05:26 +0000 Subject: [PATCH 111/142] Drop grafana to 2.4.0 --- .../environments/observability-platform/platform_versions.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
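Review bot: The `onboarding` glob `environments/**` is root-relative, but every Terraform path elsewhere in this series lives under `terraform/environments/…`, so the label will most likely never match; `terraform/environments/**` is presumably what is meant, and the `dependencies` entry already uses that prefix. The `environments-repository` entry lists both `**/*.*` and `**/*`, and the second already covers the first, so one of them can go. The correction of `github/workflows/**` to `.github/workflows/**` is right, and the same root-relative check applies to the remaining patterns.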
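Review bot: `local.security_groups.load-balancer` uses a hyphenated attribute name where the line above reads `local.security_groups.private_dc` with an underscore; hyphens are legal in HCL identifiers, but mixing the two conventions in one map invites the wrong spelling in later references, so the local should be `load_balancer` (the map keys `private-dc` and `load-balancer` are consistently hyphenated and can stay). The `security_groups` local itself is outside the hunk, so whichever name is chosen must match its declaration in `locals_security_groups.tf`.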
diff --git a/terraform/environments/observability-platform/platform_versions.tf b/terraform/environments/observability-platform/platform_versions.tf index 735d9d8cb77..55b77d9eac2 100644 --- a/terraform/environments/observability-platform/platform_versions.tf +++ b/terraform/environments/observability-platform/platform_versions.tf @@ -6,7 +6,7 @@ terraform { } grafana = { source = "grafana/grafana" - version = "~> 2.0" + version = "2.4.0" } http = { version = "~> 3.0" From 33adebdac8bf76b31785b5dc85c4c5aadfe18511 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 6 Dec 2023 00:15:24 +0000 Subject: [PATCH 112/142] Bump bridgecrewio/checkov-action from 12.2602.0 to 12.2605.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2602.0 to 12.2605.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/adf99bf4b0bea40ab7340f81e36ddcc2a4354968...e3b7d570872fcc4bc07f4bc54a6913f947d664d0) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 95e55691bed..099356992d0 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -78,7 +78,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@adf99bf4b0bea40ab7340f81e36ddcc2a4354968 # v12.2602.0 + uses: bridgecrewio/checkov-action@e3b7d570872fcc4bc07f4bc54a6913f947d664d0 # v12.2605.0 with: directory: ./ framework: terraform From c186a52e1164be027f26b7c40dd0004a75b677a5 Mon Sep 17 00:00:00 2001 
From: Jeremy Collins Date: Wed, 6 Dec 2023 10:04:13 +0000 Subject: [PATCH 113/142] Remove PECS secret --- .../environments/performance-hub/data.tf | 2 -- .../environments/performance-hub/secrets.tf | 34 ------------------- 2 files changed, 36 deletions(-) diff --git a/terraform/environments/performance-hub/data.tf b/terraform/environments/performance-hub/data.tf index 6d448d41874..528f57fc3fe 100644 --- a/terraform/environments/performance-hub/data.tf +++ b/terraform/environments/performance-hub/data.tf @@ -26,8 +26,6 @@ data "template_file" "task_definition" { storage_bucket = "${aws_s3_bucket.upload_files.id}" friendly_name = local.app_data.accounts[local.environment].friendly_name hub_wwwroot = local.app_data.accounts[local.environment].hub_wwwroot - pecs_basm_prod_access_key_id = aws_secretsmanager_secret_version.pecs_basm_prod_access_key_id.arn - pecs_basm_prod_secret_access_key = aws_secretsmanager_secret_version.pecs_basm_prod_secret_access_key.arn ap_import_access_key_id = aws_secretsmanager_secret_version.ap_import_access_key_id.arn ap_import_secret_access_key = aws_secretsmanager_secret_version.ap_import_secret_access_key.arn ap_export_access_key_id = aws_secretsmanager_secret_version.ap_export_access_key_id.arn diff --git a/terraform/environments/performance-hub/secrets.tf b/terraform/environments/performance-hub/secrets.tf index b501e1914bd..e507672f145 100644 --- a/terraform/environments/performance-hub/secrets.tf +++ b/terraform/environments/performance-hub/secrets.tf 
@@ -140,40 +140,6 @@ resource "aws_secretsmanager_secret_version" "ap_export_secret_access_key" { secret_string = random_password.random_password.result } -#tfsec:ignore:AWS095 -resource "aws_secretsmanager_secret" "pecs_basm_prod_access_key_id" { - #checkov:skip=CKV_AWS_149 - name = "pecs_basm_prod_access_key_id" - recovery_window_in_days = 0 - tags = merge( - local.tags, - { - Name = "pecs_basm_prod_access_key_id" - }, - ) -} -resource "aws_secretsmanager_secret_version" "pecs_basm_prod_access_key_id" { - secret_id = aws_secretsmanager_secret.pecs_basm_prod_access_key_id.id - secret_string = random_password.random_password.result -} - -#tfsec:ignore:AWS095 -resource "aws_secretsmanager_secret" "pecs_basm_prod_secret_access_key" { - #checkov:skip=CKV_AWS_149 - name = "pecs_basm_prod_secret_access_key" - recovery_window_in_days = 0 - tags = merge( - local.tags, - { - Name = "pecs_basm_prod_secret_access_key" - }, - ) -} -resource "aws_secretsmanager_secret_version" "pecs_basm_prod_secret_access_key" { - secret_id = aws_secretsmanager_secret.pecs_basm_prod_secret_access_key.id - secret_string = random_password.random_password.result -} - #tfsec:ignore:AWS095 resource "aws_secretsmanager_secret" "db_password" { #checkov:skip=CKV_AWS_149 From 54511b1e9da3fb14e33752c4b52fa3396fb8d4ed Mon Sep 17 00:00:00 2001 From: Buckingham Date: Wed, 6 Dec 2023 10:05:26 +0000 Subject: [PATCH 114/142] Update_061223 --- terraform/environments/ppud/instances.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/ppud/instances.tf b/terraform/environments/ppud/instances.tf index 865c610508e..0c026563879 100644 --- a/terraform/environments/ppud/instances.tf +++ b/terraform/environments/ppud/instances.tf 
@@ -130,7 +130,7 @@ resource "aws_instance" "s609693lo6vw103" { resource "aws_instance" "s609693lo6vw110" { count = local.is-development == true ? 1 : 0 - ami = "ami-0d8e82a3d7fda95e0" + ami = "ami-0c261875f6ed81278" instance_type = "m5.large" source_dest_check = false iam_instance_profile = aws_iam_instance_profile.ec2_profile.id From afb1102c8996f03ec2dcfbe50cd444c3b4d4665f Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 6 Dec 2023 10:48:09 +0000 Subject: [PATCH 115/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index e091a30a88a..bd27659109c 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -274,12 +274,12 @@ locals { # }) # }) tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" + instance-scheduling = "skip-scheduling" + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" }) }) From ef88aa510b81a0a6f24633f166ed525946341cb1 Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 6 Dec 2023 10:49:47 +0000 Subject: [PATCH 116/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index bd27659109c..a234903c27d 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
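Review bot: Replacing `ami` on `aws_instance.s609693lo6vw110` forces Terraform to destroy and recreate the instance, so anything on its root volume in development is lost unless it was snapshotted first; neither the commit message `Update_061223` nor the bare `ami-0c261875f6ed81278` literal says what the new image is or why it changed. Record that on the line, e.g. `ami = "ami-0c261875f6ed81278" # <image name/build date placeholder>, replaces ami-0d8e82a3d7fda95e0`, or resolve the image through a `data "aws_ami"` filter so the intent lives in code rather than an opaque id. The resource body continues outside the hunk.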
@@ -300,7 +300,7 @@ locals { }) }) tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" + instance-scheduling = "skip-scheduling" oasys-environment = "t1" bip-db-name = "T1BIPINF" bip-db-hostname = "t1-oasys-db-a" From a8a585c1c3ff8af66b46e30d39ce2501ce48a30d Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 6 Dec 2023 10:54:09 +0000 Subject: [PATCH 117/142] .. --- terraform/environments/oasys/locals.tf | 23 +++++++++++---------- terraform/environments/oasys/locals_test.tf | 13 +++++------- 2 files changed, 17 insertions(+), 19 deletions(-) diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf index 39848926f4c..9ba8ca18568 100644 --- a/terraform/environments/oasys/locals.tf +++ b/terraform/environments/oasys/locals.tf @@ -266,17 +266,18 @@ locals { lb_target_groups = {} secretsmanager_secrets = {} tags = { - backup = "false" # opt out of mod platform default backup plan - component = "bip" - description = "${local.environment} ${local.application_name} bip" - os-type = "Linux" - os-major-version = 7 - os-version = "RHEL 7.9" - "Patch Group" = "RHEL" - server-type = "${local.application_name}-bip" - monitored = true - oasys-environment = local.environment - environment-name = terraform.workspace + backup = "false" # opt out of mod platform default backup plan + component = "bip" + description = "${local.environment} ${local.application_name} bip" + os-type = "Linux" + os-major-version = 7 + os-version = "RHEL 7.9" + "Patch Group" = "RHEL" + server-type = "${local.application_name}-bip" + monitored = true + oasys-environment = local.environment + environment-name = terraform.workspace + instance-scheduling = "skip-scheduling" } } bip_b = merge(local.bip_a, { diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index a234903c27d..a2f963de5cc 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
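Review bot: Adding `instance-scheduling = "skip-scheduling"` to the shared `bip_a` tag map in locals.tf opts every instance derived from `bip_a` — and from `bip_b`, which merges it on the hunk's last line — out of the scheduler, not only the t1/t2 test hosts, and the locals_test.tf hunks of this commit remove the per-instance tag, so no bip instance is scheduled any more. If that is intended, a short comment on the tag line stating why bip hosts are exempt would stop the next reader reverting it; if it is not, the tag belongs on the specific instances rather than on the base definition. The `locals` block continues outside the hunk.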
@@ -231,12 +231,11 @@ locals { # }) # }) tags = merge(local.bip_b.tags, { - # instance-scheduling = "skip-scheduling" - oasys-environment = "t2" - bip-db-name = "T2BIPINF" - bip-db-hostname = "t2-oasys-db-a" - oasys-db-name = "T2OASYS" - oasys-db-hostname = "t2-oasys-db-a" + oasys-environment = "t2" + bip-db-name = "T2BIPINF" + bip-db-hostname = "t2-oasys-db-a" + oasys-db-name = "T2OASYS" + oasys-db-hostname = "t2-oasys-db-a" }) }) @@ -274,7 +273,6 @@ locals { # }) # }) tags = merge(local.bip_b.tags, { - instance-scheduling = "skip-scheduling" oasys-environment = "t1" bip-db-name = "T1BIPINF" bip-db-hostname = "t1-oasys-db-a" @@ -300,7 +298,6 @@ locals { }) }) tags = merge(local.bip_b.tags, { - instance-scheduling = "skip-scheduling" oasys-environment = "t1" bip-db-name = "T1BIPINF" bip-db-hostname = "t1-oasys-db-a" From defb5527e9955b69a7c3d64abb806614b15be1e7 Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 6 Dec 2023 10:57:33 +0000 Subject: [PATCH 118/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 140 ++++++++++---------- 1 file changed, 70 insertions(+), 70 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index a2f963de5cc..1fc4a5cb46a 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
@@ -215,29 +215,29 @@ locals { }) }) - "t2-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T2BipPolicy", - ]) - }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "add-oasys-bip-role" - # }) - # }) - tags = merge(local.bip_b.tags, { - oasys-environment = "t2" - bip-db-name = "T2BIPINF" - bip-db-hostname = "t2-oasys-db-a" - oasys-db-name = "T2OASYS" - oasys-db-hostname = "t2-oasys-db-a" - }) - }) + # "t2-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T2BipPolicy", + # ]) + # }) + # # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # # branch = "add-oasys-bip-role" + # # }) + # # }) + # tags = merge(local.bip_b.tags, { + # oasys-environment = "t2" + # bip-db-name = "T2BIPINF" + # bip-db-hostname = "t2-oasys-db-a" + # oasys-db-name = "T2OASYS" + # oasys-db-hostname = "t2-oasys-db-a" + # }) + # }) ## ## T1 
@@ -257,54 +257,54 @@ locals { }) }) - "t1-${local.application_name}-bip-a" = merge(local.bip_a, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_a.config, { - instance_profile_policies = concat(local.bip_a.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - }) - # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # branch = "add-oasys-bip-role" - # }) - # }) - tags = merge(local.bip_b.tags, { - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-a" = merge(local.bip_a, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_a.config, { + # instance_profile_policies = concat(local.bip_a.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # }) + # # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # # branch = "add-oasys-bip-role" + # # }) + # # }) + # tags = merge(local.bip_b.tags, { + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) - "t1-${local.application_name}-bip-b" = merge(local.bip_b, { - autoscaling_group = merge(local.bip_b.autoscaling_group, { - desired_capacity = 1 - }) - autoscaling_schedules = {} - config = merge(local.bip_b.config, { - instance_profile_policies = 
concat(local.bip_b.config.instance_profile_policies, [ - "Ec2T1BipPolicy", - ]) - # ami_name = "base_rhel_7_9*" - }) - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oasys/bip-build-improvement2" - }) - }) - tags = merge(local.bip_b.tags, { - oasys-environment = "t1" - bip-db-name = "T1BIPINF" - bip-db-hostname = "t1-oasys-db-a" - oasys-db-name = "T1OASYS" - oasys-db-hostname = "t1-oasys-db-a" - }) - }) + # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { + # autoscaling_group = merge(local.bip_b.autoscaling_group, { + # desired_capacity = 1 + # }) + # autoscaling_schedules = {} + # config = merge(local.bip_b.config, { + # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ + # "Ec2T1BipPolicy", + # ]) + # # ami_name = "base_rhel_7_9*" + # }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "oasys/bip-build-improvement2" + # }) + # }) + # tags = merge(local.bip_b.tags, { + # oasys-environment = "t1" + # bip-db-name = "T1BIPINF" + # bip-db-hostname = "t1-oasys-db-a" + # oasys-db-name = "T1OASYS" + # oasys-db-hostname = "t1-oasys-db-a" + # }) + # }) } baseline_ec2_autoscaling_groups = { From 0d87b939822ab088f6213369bae5cc7c20e10b87 Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 6 Dec 2023 11:09:56 +0000 Subject: [PATCH 119/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 92 ++++++++++----------- 1 file changed, 46 insertions(+), 46 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 1fc4a5cb46a..e79cacfc991 100644 
--- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -215,29 +215,29 @@ locals { }) }) - # "t2-${local.application_name}-bip-b" = merge(local.bip_b, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_b.config, { - # instance_profile_policies = concat(local.bip_b.config.instance_profile_policies, [ - # "Ec2T2BipPolicy", - # ]) - # }) - # # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # # branch = "add-oasys-bip-role" - # # }) - # # }) - # tags = merge(local.bip_b.tags, { - # oasys-environment = "t2" - # bip-db-name = "T2BIPINF" - # bip-db-hostname = "t2-oasys-db-a" - # oasys-db-name = "T2OASYS" - # oasys-db-hostname = "t2-oasys-db-a" - # }) - # }) + "t2-${local.application_name}-bip-a" = merge(local.bip_a, { + autoscaling_group = merge(local.bip_a.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_a.config, { + instance_profile_policies = concat(local.bip_a.config.instance_profile_policies, [ + "Ec2T2BipPolicy", + ]) + }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "add-oasys-bip-role" + # }) + # }) + tags = merge(local.bip_a.tags, { + oasys-environment = "t2" + bip-db-name = "T2BIPINF" + bip-db-hostname = "t2-oasys-db-a" + oasys-db-name = "T2OASYS" + oasys-db-hostname = "t2-oasys-db-a" + }) + }) ## ## T1 
@@ -257,29 +257,29 @@ locals { }) }) - # "t1-${local.application_name}-bip-a" = merge(local.bip_a, { - # autoscaling_group = merge(local.bip_b.autoscaling_group, { - # desired_capacity = 1 - # }) - # autoscaling_schedules = {} - # config = merge(local.bip_a.config, { - # instance_profile_policies = concat(local.bip_a.config.instance_profile_policies, [ - # "Ec2T1BipPolicy", - # ]) - # }) - # # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - # # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - # # branch = "add-oasys-bip-role" - # # }) - # # }) - # tags = merge(local.bip_b.tags, { - # oasys-environment = "t1" - # bip-db-name = "T1BIPINF" - # bip-db-hostname = "t1-oasys-db-a" - # oasys-db-name = "T1OASYS" - # oasys-db-hostname = "t1-oasys-db-a" - # }) - # }) + "t1-${local.application_name}-bip-a" = merge(local.bip_a, { + autoscaling_group = merge(local.bip_b.autoscaling_group, { + desired_capacity = 1 + }) + autoscaling_schedules = {} + config = merge(local.bip_a.config, { + instance_profile_policies = concat(local.bip_a.config.instance_profile_policies, [ + "Ec2T1BipPolicy", + ]) + }) + # user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { + # args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { + # branch = "add-oasys-bip-role" + # }) + # }) + tags = merge(local.bip_b.tags, { + oasys-environment = "t1" + bip-db-name = "T1BIPINF" + bip-db-hostname = "t1-oasys-db-a" + oasys-db-name = "T1OASYS" + oasys-db-hostname = "t1-oasys-db-a" + }) + }) # "t1-${local.application_name}-bip-b" = merge(local.bip_b, { # autoscaling_group = merge(local.bip_b.autoscaling_group, { From 0dbac48488ddc47b6b5e97a19f4825d2b51d36ce Mon Sep 17 00:00:00 2001 
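Review bot: On the new side, `t1-…-bip-a` is built from `local.bip_a` but takes `autoscaling_group` from `local.bip_b.autoscaling_group` and `tags` from `local.bip_b.tags`, while the `t2-…-bip-a` block restored in the previous hunk of this commit uses `local.bip_a` for both; since `bip_b = merge(local.bip_a, {…})` (visible in the locals.tf hunk of commit 117 earlier in this series), the t1 instance silently inherits whatever bip_b overrides. Unless that is deliberate, change the two lines to `autoscaling_group = merge(local.bip_a.autoscaling_group, {` and `tags = merge(local.bip_a.tags, {`. The `locals` block continues outside the hunk.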
From: wullub Date: Wed, 6 Dec 2023 11:19:37 +0000 Subject: [PATCH 120/142] Update locals_test.tf --- terraform/environments/oasys/locals_test.tf | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index e79cacfc991..18381c3951c 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf @@ -200,20 +200,6 @@ locals { oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" }) }) - "t2-${local.application_name}-db-a-3" = merge(local.database_a, { - user_data_cloud_init = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags, { - args = merge(module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_ansible_no_tags.args, { - branch = "oracle_psu_patching" - }) - }) - tags = merge(local.database_a.tags, { - description = "t2 ${local.application_name} database" - "${local.application_name}-environment" = "t2" - bip-db-name = "T2BIPINF" - instance-scheduling = "skip-scheduling" - oracle-sids = "T2BIPINF T2MISTRN T2OASREP T2OASYS T2ONRAUD T2ONRBDS T2ONRSYS" - }) - }) "t2-${local.application_name}-bip-a" = merge(local.bip_a, { autoscaling_group = merge(local.bip_a.autoscaling_group, { From d2143bdb36368fb74af12fa3ae9df7da5c59d566 Mon Sep 17 00:00:00 2001 From: wullub Date: Wed, 6 Dec 2023 11:21:02 +0000 Subject: [PATCH 121/142] Update ansible-ec2provision.sh.tftpl --- .../oasys/templates/ansible-ec2provision.sh.tftpl | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/terraform/environments/oasys/templates/ansible-ec2provision.sh.tftpl b/terraform/environments/oasys/templates/ansible-ec2provision.sh.tftpl index e83949ac8da..4d5f6e11754 100644 --- a/terraform/environments/oasys/templates/ansible-ec2provision.sh.tftpl +++ b/terraform/environments/oasys/templates/ansible-ec2provision.sh.tftpl 
@@ -108,11 +108,11 @@ run_ansible() {
 --extra-vars "target=localhost" \
 --become
- # echo "# Cleanup"
- # deactivate
- # rm -rf $ansible_dir/python-venv
- # rm -rf $ansible_dir/${ansible_repo}
- # rmdir $ansible_dir
+ echo "# Cleanup"
+ deactivate
+ rm -rf $ansible_dir/python-venv
+ rm -rf $ansible_dir/${ansible_repo}
+ rmdir $ansible_dir
 }
 echo "ansible-ec2provision.sh start" | logger -p local3.info -t user-data
From c367b6bdb08e71297df49691adf41cfabb4779c6 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 6 Dec 2023 11:30:23 +0000
Subject: [PATCH 122/142] Upgrade Grafana provider to one before current
---
 .../environments/observability-platform/platform_versions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/observability-platform/platform_versions.tf b/terraform/environments/observability-platform/platform_versions.tf
index 55b77d9eac2..72f63f73856 100644
--- a/terraform/environments/observability-platform/platform_versions.tf
+++ b/terraform/environments/observability-platform/platform_versions.tf
@@ -6,7 +6,7 @@ terraform {
 }
 grafana = {
 source = "grafana/grafana"
- version = "2.4.0"
+ version = "2.6.0"
 }
 http = {
 version = "~> 3.0"
From d0b0e60a3b392e8466218bf8931708dc2a513092 Mon Sep 17 00:00:00 2001
From: Jacob Woffenden
Date: Wed, 6 Dec 2023 11:33:53 +0000
Subject: [PATCH 123/142] Grafana 2.5.0
---
 .../environments/observability-platform/platform_versions.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/observability-platform/platform_versions.tf b/terraform/environments/observability-platform/platform_versions.tf
index 72f63f73856..7024e807f58 100644
--- a/terraform/environments/observability-platform/platform_versions.tf
+++ b/terraform/environments/observability-platform/platform_versions.tf
@@ -6,7 +6,7 @@ terraform {
 }
 grafana = {
 source = "grafana/grafana"
- version = "2.6.0"
+ version = "2.5.0"
 }
 http = {
 version = "~> 3.0"
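Review bot: The uncommented cleanup runs `rm -rf` on unquoted, unguarded paths: `rm -rf $ansible_dir/python-venv`, `rm -rf $ansible_dir/${ansible_repo}` and `rmdir $ansible_dir` all fall back to paths directly under `/` (or to a word-split path) if `ansible_dir` is ever empty or unset when this function runs. Because the file is a `.sh.tftpl` rendered by `templatefile`, `${ansible_repo}` is a Terraform substitution while `$ansible_dir` is a shell variable, so the shell-side guard has to use an escaped expansion: `rm -rf "$${ansible_dir:?}/python-venv"`, `rm -rf "$${ansible_dir:?}/${ansible_repo}"`, `rmdir "$${ansible_dir:?}"`. `run_ansible()` starts outside the hunk, so where `ansible_dir` is assigned is not visible here.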
From 5b0c9a8535d0b5cc243062784d797e76f0b9c7be Mon Sep 17 00:00:00 2001 From: Jacob Woffenden Date: Wed, 6 Dec 2023 12:36:22 +0000 Subject: [PATCH 124/142] Remove old DPAT role Signed-off-by: Jacob Woffenden --- .../observability-platform/X-DELETEME.tf | 43 ------------------- .../environment-configurations.tf | 2 - 2 files changed, 45 deletions(-) delete mode 100644 terraform/environments/observability-platform/X-DELETEME.tf diff --git a/terraform/environments/observability-platform/X-DELETEME.tf b/terraform/environments/observability-platform/X-DELETEME.tf deleted file mode 100644 index 359dc0d4893..00000000000 --- a/terraform/environments/observability-platform/X-DELETEME.tf +++ /dev/null 
@@ -1,43 +0,0 @@ -/* - This code has been replaced by module.prometheus_roles - However first we need to update DPAT EKS to use the new format for the prometheus roles -*/ -data "aws_iam_policy_document" "amazon_managed_prometheus" { - statement { - sid = "AllowRemoteWrite" - effect = "Allow" - actions = [ - "aps:RemoteWrite", - "aps:GetSeries", - "aps:GetLabels", - "aps:GetMetricMetadata" - ] - resources = [module.managed_prometheus.workspace_arn] - } -} - -module "amazon_managed_prometheus_iam_policy" { - #checkov:skip=CKV_TF_1:Module is from Terraform registry - - source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "~> 5.0" - - name_prefix = "amazon-managed-prometheus" - - policy = data.aws_iam_policy_document.amazon_managed_prometheus.json -} - -module "data_platform_apps_tools_iam_role" { - #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions - - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "~> 5.0" - - create_role = true - role_name = "data-platform-apps-and-tools" - trusted_role_arns = ["arn:aws:iam::${local.environment_configuration.data_platform_apps_tools_account_id}:root"] - custom_role_policy_arns = [module.amazon_managed_prometheus_iam_policy.arn] - role_requires_mfa = false - - tags = local.tags -} diff --git a/terraform/environments/observability-platform/environment-configurations.tf b/terraform/environments/observability-platform/environment-configurations.tf index 578f205ade7..46bc659bc7a 100644 --- a/terraform/environments/observability-platform/environment-configurations.tf +++ b/terraform/environments/observability-platform/environment-configurations.tf @@ -16,7 +16,6 @@ locals { ] } } - data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-development"] } production = { observability_platform_configuration = { 
@@ -31,7 +30,6 @@ locals { ] } } - data_platform_apps_tools_account_id = local.environment_management.account_ids["data-platform-apps-and-tools-production"] } } } From 975facba0696029a610d652f897d6de8de6efdb7 Mon Sep 17 00:00:00 2001 From: SahidKhan89 Date: Wed, 6 Dec 2023 13:26:41 +0000 Subject: [PATCH 125/142] CC-2225: Creation of WebGate resources --- .../application_variables.json | 4 +- .../ec2-oracle_webgate-alb-sg.tf | 48 +++ .../ec2-oracle_webgate-alb.tf | 56 +++ .../ccms-ebs-upgrade/ec2-oracle_webgate-sg.tf | 364 ++++++++++++++++++ .../ccms-ebs-upgrade/ec2-oracle_webgate.tf | 123 ++++++ .../environments/ccms-ebs-upgrade/r53.tf | 13 + 6 files changed, 606 insertions(+), 2 deletions(-) create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb-sg.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-sg.tf create mode 100644 terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate.tf diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json index 73e55f5b39d..d22ae363a58 100644 --- a/terraform/environments/ccms-ebs-upgrade/application_variables.json +++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json @@ -32,8 +32,8 @@ "ebsapps_ami_id-2": "ami-092cdd881efd12af8", "accessgate_ami_id-1": "ami-0868b322f8ed469b6", "accessgate_ami_id-2": "ami-092240a30296e0dc1", - "webgate_ami_id-1": "ami-0e398cd57c81356a7", - "webgate_ami_id-2": "ami-0e398cd57c81356a7", + "webgate_ami_id-1": "ami-027421785539d3e60", + "webgate_ami_id-2": "ami-0923839bc3db6d2d6", "restored_db_image": "ami-0df5f31cae1c86635", "orace_base_prereqs_ami_name": "Oracle79-prereqs-v2_0", "orace_db_ami_name": "Oracle79-prereqs-v1_8", 
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb-sg.tf
new file mode 100644
index 00000000000..51f4786f4d5
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb-sg.tf
@@ -0,0 +1,48 @@
+# Security Group for WEBGATE LB
+resource "aws_security_group" "sg_webgate_lb" {
+ name = "sg_webgate_lb"
+ description = "Inbound traffic control for WebGate loadbalancer"
+ vpc_id = data.aws_vpc.shared.id
+
+ tags = merge(local.tags,
+ { Name = lower(format("sg-%s-%s-webgate-loadbalancer", local.application_name, local.environment)) }
+ )
+}
+
+
+# INGRESS Rules
+
+### HTTPS
+
+resource "aws_security_group_rule" "ingress_traffic_webgatelb_443" {
+ security_group_id = aws_security_group.sg_webgate_lb.id
+ type = "ingress"
+ description = "HTTPS"
+ protocol = "TCP"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = [data.aws_vpc.shared.cidr_block,
+ local.application_data.accounts[local.environment].lz_aws_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env,
+ local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env]
+}
+
+
+# EGRESS Rules
+
+### All
+
+resource "aws_security_group_rule" "egress_traffic_webgatelb_80" {
+ security_group_id = aws_security_group.sg_webgate_lb.id
+ type = "egress"
+ description = "All"
+ protocol = "TCP"
+ from_port = 0
+ to_port = 0
+ cidr_blocks = ["0.0.0.0/0"]
+}
+
+
+
+
+
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb.tf
new file mode 100644
index 00000000000..0b6c06cb866
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-alb.tf
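Review bot: The egress rule `egress_traffic_webgatelb_80` does not match its own description: it is labelled `"All"` and named `_80`, yet uses `protocol = "TCP"` with `from_port = 0` / `to_port = 0`, which as far as I can tell is not the all-ports form (that is `protocol = "-1"`, or tcp `0`–`65535`). Since this is an internal ALB whose only backend is the WebGate target group on 5401, the least-privilege version is to replace `cidr_blocks = ["0.0.0.0/0"]` with `source_security_group_id = aws_security_group.ec2_sg_webgate.id` plus `from_port = 5401` / `to_port = 5401`, and rename the rule to match. Whichever is intended, name, description and ports should agree so the console view of the group is not misleading.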
@@ -0,0 +1,56 @@
+resource "aws_lb" "webgate_lb" {
+ name = lower(format("lb-%s-webgate", local.application_name))
+ internal = true
+ load_balancer_type = "application"
+ security_groups = [aws_security_group.sg_webgate_lb.id]
+ subnets = data.aws_subnets.shared-private.ids
+
+ enable_deletion_protection = true
+
+ access_logs {
+ bucket = module.s3-bucket-logging.bucket.id
+ prefix = local.lb_log_prefix_wgate_public
+ enabled = true
+ }
+
+ tags = merge(local.tags,
+ { Name = lower(format("lb-%s-webgate", local.application_name)) }
+ )
+}
+
+resource "aws_lb_listener" "webgate_listener" {
+ depends_on = [
+ aws_acm_certificate_validation.external
+ ]
+
+ load_balancer_arn = aws_lb.webgate_lb.arn
+ port = "443"
+ protocol = "HTTPS"
+ ssl_policy = "ELBSecurityPolicy-2016-08"
+ certificate_arn = aws_acm_certificate.external.arn
+
+ default_action {
+ type = "forward"
+ target_group_arn = aws_lb_target_group.webgate_tg.id
+ }
+}
+
+resource "aws_lb_target_group" "webgate_tg" {
+ name = lower(format("tg-%s-webgate", local.application_name))
+ port = 5401
+ protocol = "HTTP"
+ vpc_id = data.aws_vpc.shared.id
+ health_check {
+ port = 5401
+ protocol = "HTTP"
+ matcher = 302
+ timeout = 10
+ }
+}
+
+resource "aws_lb_target_group_attachment" "webgate" {
+ count = local.application_data.accounts[local.environment].webgate_no_instances
+ target_group_arn = aws_lb_target_group.webgate_tg.arn
+ target_id = element(aws_instance.ec2_webgate.*.id, count.index)
+ port = 5401
+}
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-sg.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-sg.tf
new file mode 100644
index 00000000000..0603af9cabc
--- /dev/null
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate-sg.tf
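Review bot: `ssl_policy = "ELBSecurityPolicy-2016-08"` on `webgate_listener` still negotiates TLS 1.0 and 1.1; for a new listener the current baseline is `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` (TLS 1.2 and 1.3 only), unless a known legacy client forces the older policy, in which case that exception belongs in a comment next to the line. Two smaller points: the access-log prefix `local.lb_log_prefix_wgate_public` is reused on a load balancer declared `internal = true`, which reads like a copy from the public LB definition (the local itself is not visible here), and `element(aws_instance.ec2_webgate.*.id, count.index)` could be the plainer `aws_instance.ec2_webgate[count.index].id` already used in `r53.tf` in this same commit.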
@@ -0,0 +1,364 @@ +# Security Group for WebGate +resource "aws_security_group" "ec2_sg_webgate" { + name = "ec2_sg_webgate" + description = "SG traffic control for WebGate" + vpc_id = data.aws_vpc.shared.id + tags = merge(local.tags, + { Name = lower(format("sg-%s-%s-webgate", local.application_name, local.environment)) } + ) +} + + +# INGRESS Rules + +### HTTP + +resource "aws_security_group_rule" "ingress_traffic_webgate_80" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "HTTP" + protocol = "TCP" + from_port = 80 + to_port = 80 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### HTTPS + +resource "aws_security_group_rule" "ingress_traffic_webgate_443" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "HTTPS" + protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### SSH + +resource "aws_security_group_rule" "ingress_traffic_webgate_22" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "SSH" + protocol = "TCP" + from_port = 22 + to_port = 22 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle LDAP + +resource 
"aws_security_group_rule" "ingress_traffic_webgate_1389" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle LDAP" + protocol = "TCP" + from_port = 1389 + to_port = 1389 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle Listerner Port + +resource "aws_security_group_rule" "ingress_traffic_webgate_152x" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle Net Listener" + protocol = "TCP" + from_port = 1521 + to_port = 1522 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_webgate_5101" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5101 + to_port = 5101 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_webgate_5401" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5401 + to_port = 5401 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + 
local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_webgate_5575" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 5575 + to_port = 5575 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle LDAP SSL + +resource "aws_security_group_rule" "ingress_traffic_webgate_1636" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle LDAP SSL" + protocol = "TCP" + from_port = 1636 + to_port = 1636 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle + +resource "aws_security_group_rule" "ingress_traffic_webgate_10401" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle" + protocol = "TCP" + from_port = 10401 + to_port = 10401 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle HTTP + +resource "aws_security_group_rule" "ingress_traffic_webgate_800x" { + 
security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle HTTP" + protocol = "TCP" + from_port = 8000 + to_port = 8005 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + +### Oracle HTTPS + +resource "aws_security_group_rule" "ingress_traffic_webgate_4443" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "ingress" + description = "Oracle HTTPS" + protocol = "TCP" + from_port = 4443 + to_port = 4444 + cidr_blocks = [data.aws_vpc.shared.cidr_block, + local.application_data.accounts[local.environment].lz_aws_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_nonprod_subnet_env, + local.application_data.accounts[local.environment].lz_aws_workspace_prod_subnet_env] +} + + +# EGRESS Rules + +### HTTP + +resource "aws_security_group_rule" "egress_traffic_webgate_80" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle HTTPs" + protocol = "TCP" + from_port = 80 + to_port = 80 + cidr_blocks = ["0.0.0.0/0"] +} + +### HTTPS + +resource "aws_security_group_rule" "egress_traffic_webgate_443" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "HTTPS" + protocol = "TCP" + from_port = 443 + to_port = 443 + cidr_blocks = ["0.0.0.0/0"] +} + +### FTP + +resource "aws_security_group_rule" "egress_traffic_webgate_2x" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "FTP" + protocol = "TCP" + from_port = 20 + to_port = 21 + cidr_blocks = ["0.0.0.0/0"] +} + +### SSH + +resource "aws_security_group_rule" "egress_traffic_webgate_22" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + 
description = "SSH" + protocol = "TCP" + from_port = 22 + to_port = 22 + cidr_blocks = ["0.0.0.0/0"] +} + +### ORACLE LDAP + +resource "aws_security_group_rule" "egress_traffic_webgate_1389" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "ORACLE LDAP" + protocol = "TCP" + from_port = 1389 + to_port = 1389 + cidr_blocks = ["0.0.0.0/0"] +} + +### ORACLE Net Listener + +resource "aws_security_group_rule" "egress_traffic_webgate_152x" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "ORACLE Net Listener" + protocol = "TCP" + from_port = 1521 + to_port = 1522 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_webgate_5101" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5101 + to_port = 5101 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_webgate_5401" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5401 + to_port = 5401 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_webgate_5575" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 5575 + to_port = 5575 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle LDAP SSL + +resource "aws_security_group_rule" "egress_traffic_webgate_1636" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle LDAP SSL" + protocol = "TCP" + from_port = 1636 + to_port = 1636 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle + +resource "aws_security_group_rule" "egress_traffic_webgate_10401" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle" + protocol 
= "TCP" + from_port = 10401 + to_port = 10401 + cidr_blocks = ["0.0.0.0/0"] +} + +### Lloyds FTP + +resource "aws_security_group_rule" "egress_traffic_webgate_50000" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle" + protocol = "TCP" + from_port = 50000 + to_port = 51000 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle HTTP + +resource "aws_security_group_rule" "egress_traffic_webgate_800x" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle HTTP" + protocol = "TCP" + from_port = 8000 + to_port = 8005 + cidr_blocks = ["0.0.0.0/0"] +} + +### Oracle HTTPS + +resource "aws_security_group_rule" "egress_traffic_webgate_4443" { + security_group_id = aws_security_group.ec2_sg_webgate.id + type = "egress" + description = "Oracle HTTPS" + protocol = "TCP" + from_port = 4443 + to_port = 4444 + cidr_blocks = ["0.0.0.0/0"] +} + diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate.tf new file mode 100644 index 00000000000..ba188a543c2 --- /dev/null +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_webgate.tf 
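Review bot: Several rule descriptions in this new file contradict the rule they sit on: `egress_traffic_webgate_80` (port 80) says `description = "Oracle HTTPs"`, and `egress_traffic_webgate_50000` is filed under `### Lloyds FTP` yet says `description = "Oracle"`; these strings are what an operator sees on the security group, so they should name the actual flow. On the egress side every rule, including cleartext FTP 20–21, LDAP 1389 and the Oracle listener 1521–1522, is open to `cidr_blocks = ["0.0.0.0/0"]`; for flows whose peers live inside the VPC or landing zone, the same four-CIDR list the ingress rules use is the least-privilege choice, with `0.0.0.0/0` kept only for 80/443 if outbound internet access is genuinely required. Style-wise, the twelve ingress rules repeat an identical `cidr_blocks` list; one `aws_security_group_rule` with `for_each` over a map of `{ from_port, to_port, description }` per rule name would express the same policy in a fraction of these 364 lines and make omissions easier to spot. The hunk is the whole new file.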
@@ -0,0 +1,123 @@ +resource "aws_instance" "ec2_webgate" { + count = local.application_data.accounts[local.environment].webgate_no_instances + instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate + ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"] + key_name = local.application_data.accounts[local.environment].key_name + vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id] + subnet_id = local.private_subnets[count.index] + #subnet_id = data.aws_subnet.data_subnets_a.id + monitoring = true + ebs_optimized = false + associate_public_ip_address = false + iam_instance_profile = aws_iam_instance_profile.iam_instace_profile_ccms_base.name + + cpu_core_count = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_webgate + cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_webgate + + # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below. 
+ # Also includes ebs_optimized and cpu_core_count due to changing instance family from c5d.2xlarge to m5d.large + lifecycle { + ignore_changes = [ + ebs_block_device, + ebs_optimized, + cpu_core_count, + user_data, + user_data_replace_on_change + ] + } + user_data_replace_on_change = false + user_data = base64encode(templatefile("./templates/ec2_user_data_webgate.sh", { + hostname = "webgate" + })) + + # AMI ebs mappings from /dev/sd[a-d] + # root + # Increase the volume size of the root volume + root_block_device { + volume_type = "gp3" + volume_size = 50 + encrypted = true + tags = merge(local.tags, + { Name = "root-block" } + ) + } + # swap + ebs_block_device { + device_name = "/dev/sdb" + volume_type = "gp3" + volume_size = 20 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + } + # temp + ebs_block_device { + device_name = "/dev/sdc" + volume_type = "gp3" + volume_size = 100 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + } + # home + ebs_block_device { + device_name = "/dev/sdd" + volume_type = "gp3" + volume_size = 100 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + } + + # non-AMI mappings start at /dev/sdh + # u01 + ebs_block_device { + device_name = "/dev/sdh" + volume_type = "io2" + volume_size = local.application_data.accounts[local.environment].webgate_u01_size + iops = local.application_data.accounts[local.environment].webgate_default_iops + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + } + + tags = merge(local.tags, + { Name = lower(format("ec2-%s-%s-webgate-%s", local.application_name, local.environment, count.index + 1)) }, + { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling }, + { backup = "true" } + ) + depends_on = [aws_security_group.ec2_sg_webgate] +} + +module "cw-webgate-ec2" { + source = "./modules/cw-ec2" + count = local.application_data.accounts[local.environment].webgate_no_instances + + short_env = 
local.application_data.accounts[local.environment].short_env + name = "ec2-webgate-${count.index + 1}" + topic = aws_sns_topic.cw_alerts.arn + instanceId = aws_instance.ec2_webgate[count.index].id + imageId = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"] + instanceType = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate + fileSystem = "xfs" # Linux root filesystem + rootDevice = "nvme0n1p1" # This is used by default for root on all the ec2 images + + cpu_eval_periods = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_datapoints = local.application_data.cloudwatch_ec2.cpu.eval_periods + cpu_period = local.application_data.cloudwatch_ec2.cpu.period + cpu_threshold = local.application_data.cloudwatch_ec2.cpu.threshold + + mem_eval_periods = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_datapoints = local.application_data.cloudwatch_ec2.mem.eval_periods + mem_period = local.application_data.cloudwatch_ec2.mem.period + mem_threshold = local.application_data.cloudwatch_ec2.mem.threshold + + disk_eval_periods = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_datapoints = local.application_data.cloudwatch_ec2.disk.eval_periods + disk_period = local.application_data.cloudwatch_ec2.disk.period + disk_threshold = local.application_data.cloudwatch_ec2.disk.threshold + + insthc_eval_periods = local.application_data.cloudwatch_ec2.insthc.eval_periods + insthc_period = local.application_data.cloudwatch_ec2.insthc.period + insthc_threshold = local.application_data.cloudwatch_ec2.insthc.threshold + + syshc_eval_periods = local.application_data.cloudwatch_ec2.syshc.eval_periods + syshc_period = local.application_data.cloudwatch_ec2.syshc.period + syshc_threshold = local.application_data.cloudwatch_ec2.syshc.threshold +} diff --git a/terraform/environments/ccms-ebs-upgrade/r53.tf b/terraform/environments/ccms-ebs-upgrade/r53.tf index 03ca5de53f8..cf2f8cd744e 100644 
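Review bot: `root_block_device` sets `encrypted = true` but, unlike every `ebs_block_device` below it, omits `kms_key_id = data.aws_kms_key.ebs_shared.key_id`, so the root volume is encrypted with the account's default EBS key rather than the shared key the data volumes use; add that `kms_key_id` line to `root_block_device` unless the split is deliberate, in which case a comment should say why. In `module "cw-webgate-ec2"`, `cpu_datapoints`, `mem_datapoints` and `disk_datapoints` are all fed from `.eval_periods` rather than a datapoints value; that may be intentional (alarm on every period) but it looks like a copy-and-paste and deserves a comment. Also worth noting in a comment: `lifecycle.ignore_changes` includes `user_data`, so later edits to `ec2_user_data_webgate.sh` will not reach existing instances without a manual replacement.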
--- a/terraform/environments/ccms-ebs-upgrade/r53.tf
+++ b/terraform/environments/ccms-ebs-upgrade/r53.tf
@@ -57,4 +57,17 @@ resource "aws_route53_record" "accessgate_ec2" {
 type = "A"
 ttl = 300
 records = [aws_instance.ec2_accessgate[count.index].private_ip]
+}
+
+# WebGate Instances
+
+resource "aws_route53_record" "webgate_ec2" {
+ provider = aws.core-vpc
+ count = local.application_data.accounts[local.environment].webgate_no_instances
+
+ zone_id = data.aws_route53_zone.external.zone_id
+ name = "${local.application_data.accounts[local.environment].webgate_dns_prefix}${count.index + 1}-upgrade.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"
+ type = "A"
+ ttl = 300
+ records = [aws_instance.ec2_webgate[count.index].private_ip]
 }
\ No newline at end of file
From 4e71ec9df59b7fd5684f7018ae5955a8a4b27a82 Mon Sep 17 00:00:00 2001
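Review bot: The file now ends without a trailing newline (`\ No newline at end of file`), so every later append will show up as a spurious change to the closing `}`; add the newline. Separately, `webgate_ec2` publishes `aws_instance.ec2_webgate[count.index].private_ip` as an `A` record in `data.aws_route53_zone.external`; if that zone is publicly resolvable this discloses internal addressing, although it follows the existing `accessgate_ec2` record immediately above, so it is a pre-existing pattern rather than something this commit introduces and is best tracked as a follow-up.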
From: George Taylor Date: Wed, 6 Dec 2023 13:54:58 +0000 Subject: [PATCH 126/142] Nit 963 delius core db modularise the database instance terraform (#4246) * initial module declaration * ami to object * set up security groups * adding dns and condensing sg * correct provider configs + ebs/key troubleshooting --- .../delius-core/locals_development_dev1.tf | 6 +- .../delius-core/locals_development_test.tf | 5 + .../delius-core/main_development.tf | 2 + .../modules/components/oracle_db/ami.tf | 5 + .../modules/components/oracle_db/dns.tf | 8 + .../components/oracle_db/ebs_volumes.tf | 17 ++ .../modules/components/oracle_db/iam.tf | 151 ++++++++++++++++++ .../modules/components/oracle_db/instance.tf | 43 +++++ .../modules/components/oracle_db/outputs.tf | 0 .../modules/components/oracle_db/sg.tf | 62 +++++++ .../modules/components/oracle_db/ssm.tf | 14 ++ .../modules/components/oracle_db/variables.tf | 107 +++++++++++++ .../modules/components/oracle_db/versions.tf | 10 ++ .../environment_all_components/database.tf | 95 +++++++++++ .../environment_all_components/db_iam.tf | 2 +- .../ldap_datasync.tf | 4 +- .../templates/userdata.sh.tftpl | 125 +++++++++++++++ .../environment_all_components/variables.tf | 10 ++ 18 files changed, 662 insertions(+), 4 deletions(-) create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/ami.tf create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/dns.tf create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/ebs_volumes.tf create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/iam.tf create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/instance.tf create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/outputs.tf create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/sg.tf create mode 100644 
terraform/environments/delius-core/modules/components/oracle_db/ssm.tf
create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/variables.tf
create mode 100644 terraform/environments/delius-core/modules/components/oracle_db/versions.tf
create mode 100644 terraform/environments/delius-core/modules/environment_all_components/database.tf
create mode 100644 terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl
diff --git a/terraform/environments/delius-core/locals_development_dev1.tf b/terraform/environments/delius-core/locals_development_dev1.tf
index 59bc42b9b08..4f44b6797b3 100644
--- a/terraform/environments/delius-core/locals_development_dev1.tf
+++ b/terraform/environments/delius-core/locals_development_dev1.tf
@@ -12,9 +12,13 @@ locals {
 route53_inner_zone_info = data.aws_route53_zone.inner
 route53_network_services_zone = data.aws_route53_zone.network-services
 route53_external_zone = data.aws_route53_zone.external
- general_shared_kms_key_arn = data.aws_kms_key.general_shared.arn
 shared_vpc_id = data.aws_vpc.shared.id
 bastion = module.bastion_linux
+ kms_keys = {
+ ebs_shared = data.aws_kms_key.ebs_shared.arn
+ general_shared = data.aws_kms_key.general_shared.arn
+ rds_shared = data.aws_kms_key.rds_shared.arn
+ }
 }
 environment_config_dev = {
diff --git a/terraform/environments/delius-core/locals_development_test.tf b/terraform/environments/delius-core/locals_development_test.tf
index d815a0845d5..01338b9f660 100644
--- a/terraform/environments/delius-core/locals_development_test.tf
+++ b/terraform/environments/delius-core/locals_development_test.tf
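Review bot: This hunk removes `general_shared_kms_key_arn` from dev1's `account_config` while the matching hunk in `locals_development_test.tf` keeps it and only adds the new `kms_keys` map, so the two environment objects no longer have the same shape. Anything still reading `account_config.general_shared_kms_key_arn` (the diffstat shows `db_iam.tf` and `ldap_datasync.tf` touched, but they are not visible here) would now fail for dev1 only; either drop the key in both files or keep it in both until every consumer has moved to `kms_keys.general_shared`. The enclosing `locals` block starts and ends outside the hunk.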
@@ -15,6 +15,11 @@ locals {
 general_shared_kms_key_arn = data.aws_kms_key.general_shared.arn
 shared_vpc_id = data.aws_vpc.shared.id
 bastion = module.bastion_linux
+ kms_keys = {
+ ebs_shared = data.aws_kms_key.ebs_shared.arn
+ general_shared = data.aws_kms_key.general_shared.arn
+ rds_shared = data.aws_kms_key.rds_shared.arn
+ }
 }
 environment_config_test = {
diff --git a/terraform/environments/delius-core/main_development.tf b/terraform/environments/delius-core/main_development.tf
index 8936880d6af..b9a6d542239 100644
--- a/terraform/environments/delius-core/main_development.tf
+++ b/terraform/environments/delius-core/main_development.tf
@@ -8,6 +8,7 @@ module "environment_dev" {
 count = local.is-development ? 1 : 0
 providers = {
+ aws = aws
 aws.bucket-replication = aws
 aws.core-vpc = aws.core-vpc
 aws.core-network-services = aws.core-network-services
@@ -38,6 +39,7 @@ module "environment_test" {
 count = local.is-development ? 1 : 0
 providers = {
+ aws = aws
 aws.bucket-replication = aws
 aws.core-vpc = aws.core-vpc
 aws.core-network-services = aws.core-network-services
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/ami.tf b/terraform/environments/delius-core/modules/components/oracle_db/ami.tf
new file mode 100644
index 00000000000..757f26adbac
--- /dev/null
+++ b/terraform/environments/delius-core/modules/components/oracle_db/ami.tf
@@ -0,0 +1,5 @@
+data "aws_ami" "oracle_db" {
+ owners = var.db_ami.owners
+ name_regex = var.db_ami.name_regex
+ most_recent = true
+}
\ No newline at end of file
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/dns.tf b/terraform/environments/delius-core/modules/components/oracle_db/dns.tf
new file mode 100644
index 00000000000..d88a4f6d01f
--- /dev/null
+++ b/terraform/environments/delius-core/modules/components/oracle_db/dns.tf
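Review bot: In `ami.tf`, `most_recent = true` combined with a `name_regex` makes `data.aws_ami.oracle_db.id` change whenever a newer matching image is published, and since `aws_instance.db_ec2` (in `instance.tf`, not visible in this chunk) presumably takes its `ami` from this data source, a routine plan can propose replacing the database instance. Either pin the image (an exact name or id supplied through `var.db_ami`) or add `lifecycle { ignore_changes = [ami] }` on the instance, and record which in a comment on this data block, e.g. `# most_recent is only safe because instance.tf ignores ami changes`. The file also lacks a trailing newline.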
@@ -0,0 +1,8 @@ +resource "aws_route53_record" "db_ec2_instance" { + provider = aws.core-vpc + zone_id = var.account_config.route53_inner_zone_info.zone_id + name = var.db_type == "primary" ? "delius-${var.env_name}-db-${var.db_count_index}.${var.account_config.route53_inner_zone_info.name}" : "delius-${var.env_name}-db-${var.db_count_index0}.${var.account_config.route53_inner_zone_info.name}" + type = "CNAME" + ttl = 300 + records = [aws_instance.db_ec2.private_dns] +} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/components/oracle_db/ebs_volumes.tf b/terraform/environments/delius-core/modules/components/oracle_db/ebs_volumes.tf new file mode 100644 index 00000000000..1a8ec0fc675 --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db/ebs_volumes.tf @@ -0,0 +1,17 @@ +module "ebs_volumes" { + source = "../../ebs_volume" + for_each = { + for k, v in var.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == false + } + availability_zone = aws_instance.db_ec2.availability_zone + instance_id = aws_instance.db_ec2.id + device_name = each.key + size = each.value.volume_size + iops = var.ebs_volumes.iops + throughput = var.ebs_volumes.throughput + tags = var.tags + kms_key_id = var.ebs_volumes.kms_key_id + depends_on = [ + aws_instance.db_ec2 + ] +} diff --git a/terraform/environments/delius-core/modules/components/oracle_db/iam.tf b/terraform/environments/delius-core/modules/components/oracle_db/iam.tf new file mode 100644 index 00000000000..5032a4c1741 --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db/iam.tf 
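Review bot: The `for_each` filter `if v.no_device == false` never matches an entry that omits `no_device`, because variables.tf declares it `optional(bool)` and `null == false` evaluates to false in Terraform, so such a device is silently neither attached here nor declared ephemeral by instance.tf, whose filter is `if v.no_device == true`. Use `if v.no_device != true` here so the two filters are exact complements regardless of whether the attribute was supplied. The explicit `depends_on = [aws_instance.db_ec2]` is already implied by the `instance_id` and `availability_zone` references and can be dropped.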
@@ -0,0 +1,151 @@ +############################################## +# IAM Instance Profile +############################################## +resource "aws_iam_instance_profile" "db_ec2_instanceprofile" { + name = format("%s-delius-db-ec2_instance_iam_role", var.env_name) + role = aws_iam_role.db_ec2_instance_iam_role.name +} + + +# Pre-reqs - IAM role, attachment for SSM usage and instance profile +data "aws_iam_policy_document" "db_ec2_instance_iam_assume_policy" { + statement { + effect = "Allow" + actions = [ + "sts:AssumeRole" + ] + principals { + type = "Service" + identifiers = ["ec2.amazonaws.com"] + } + } +} + + +resource "aws_iam_role" "db_ec2_instance_iam_role" { + name = lower(format("%s-delius-db-ec2_instance", var.env_name)) + assume_role_policy = data.aws_iam_policy_document.db_ec2_instance_iam_assume_policy.json + tags = merge(var.tags, + { Name = lower(format("%s-delius-db-ec2_instance", var.env_name)) } + ) +} + +data "aws_iam_policy_document" "business_unit_kms_key_access" { + statement { + effect = "Allow" + actions = [ + "kms:Encrypt", + "kms:Decrypt", + "kms:ReEncrypt*", + "kms:GenerateDataKey*", + "kms:DescribeKey", + "kms:CreateGrant", + "kms:ListGrants", + "kms:RevokeGrant" + ] + resources = [ + var.account_config.kms_keys.general_shared, + ] + } +} + +resource "aws_iam_policy" "business_unit_kms_key_access" { + name = format("%s-delius-db-business_unit_kms_key_access_policy", var.env_name) + path = "/" + policy = data.aws_iam_policy_document.business_unit_kms_key_access.json + tags = merge(var.tags, + { Name = format("%s-delius-db-business_unit_kms_key_access_policy", var.env_name) } + ) +} + +data "aws_iam_policy_document" "core_shared_services_bucket_access" { + statement { + effect = "Allow" + actions = [ + "s3:ListBucket", + "s3:GetObject" + ] + resources = [ + "arn:aws:s3:::mod-platform-image-artefact-bucket20230203091453221500000001/*", + "arn:aws:s3:::mod-platform-image-artefact-bucket20230203091453221500000001" + ] + } +} + +resource 
"aws_iam_policy" "core_shared_services_bucket_access" { + name = format("%s-delius-db-core_shared_services_bucket_access_policy", var.env_name) + path = "/" + policy = data.aws_iam_policy_document.core_shared_services_bucket_access.json + tags = merge(var.tags, + { Name = format("%s-delius-db-core_shared_services_bucket_access_policy", var.env_name) } + ) +} + +data "aws_iam_policy_document" "ec2_access_for_ansible" { + statement { + effect = "Allow" + actions = [ + "ec2:DescribeTags", + "ec2:DescribeInstances", + "ec2:DescribeVolumes" + ] + resources = ["*"] + } +} + +data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" { + statement { + sid = "AllowAccessToSsmParameterStore" + effect = "Allow" + actions = [ + "ssm:PutParameter" + ] + resources = ["*"] + } +} + +resource "aws_iam_policy" "allow_access_to_ssm_parameter_store" { + name = format("%s-delius-db-allow_access_to_ssm_parameter_store", var.env_name) + path = "/" + policy = data.aws_iam_policy_document.allow_access_to_ssm_parameter_store.json + tags = merge(var.tags, + { Name = format("%s-delius-db-ec2_access_for_ansible", var.env_name) } + ) +} + +resource "aws_iam_role_policy_attachment" "allow_access_to_ssm_parameter_store" { + role = aws_iam_role.db_ec2_instance_iam_role.name + policy_arn = aws_iam_policy.allow_access_to_ssm_parameter_store.arn +} + +resource "aws_iam_policy" "ec2_access_for_ansible" { + name = format("%s-delius-db-ec2_access_for_ansible", var.env_name) + path = "/" + policy = data.aws_iam_policy_document.ec2_access_for_ansible.json + tags = merge(var.tags, + { Name = format("%s-delius-db-ec2_access_for_ansible", var.env_name) } + ) +} + +resource "aws_iam_role_policy" "business_unit_kms_key_access" { + name = "business_unit_kms_key_access" + role = aws_iam_role.db_ec2_instance_iam_role.name + policy = data.aws_iam_policy_document.business_unit_kms_key_access.json +} + +resource "aws_iam_role_policy" "core_shared_services_bucket_access" { + name = 
"core_shared_services_bucket_access" + role = aws_iam_role.db_ec2_instance_iam_role.name + policy = data.aws_iam_policy_document.core_shared_services_bucket_access.json +} + +resource "aws_iam_role_policy" "ec2_access" { + name = "ec2_access" + role = aws_iam_role.db_ec2_instance_iam_role.name + policy = data.aws_iam_policy_document.ec2_access_for_ansible.json +} + +resource "aws_iam_role_policy_attachment" "db_ec2_instance_amazonssmmanagedinstancecore" { + role = aws_iam_role.db_ec2_instance_iam_role.name + policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/components/oracle_db/instance.tf b/terraform/environments/delius-core/modules/components/oracle_db/instance.tf new file mode 100644 index 00000000000..08ae64bf639 --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db/instance.tf 
@@ -0,0 +1,43 @@ + + +resource "aws_instance" "db_ec2" { + #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either." + instance_type = var.db_type + ami = data.aws_ami.oracle_db.id + vpc_security_group_ids = [aws_security_group.db_ec2.id, aws_security_group.db_ec2.id] + subnet_id = var.subnet_id + iam_instance_profile = aws_iam_instance_profile.db_ec2_instanceprofile.name + associate_public_ip_address = false + monitoring = var.monitoring + ebs_optimized = true + key_name = var.ec2_key_pair_name + user_data_base64 = base64encode(var.user_data) + + metadata_options { + http_endpoint = var.metadata_options.http_endpoint + http_tokens = var.metadata_options.http_tokens + } + + root_block_device { + volume_type = var.ebs_volumes.root_volume.volume_type + volume_size = var.ebs_volumes.root_volume.volume_size + iops = var.ebs_volumes.iops + throughput = var.ebs_volumes.throughput + encrypted = true + kms_key_id = var.ebs_volumes.kms_key_id + tags = var.tags + } + + dynamic "ephemeral_block_device" { + for_each = { for k, v in var.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true } + content { + device_name = ephemeral_block_device.key + no_device = true + } + } + tags = merge(var.tags, + { Name = lower(format("%s-delius-db-%s", var.env_name, var.db_count_index)) }, + { server-type = "delius_core_db" }, + { database = "delius_${var.db_name}" } + ) +} diff --git a/terraform/environments/delius-core/modules/components/oracle_db/outputs.tf b/terraform/environments/delius-core/modules/components/oracle_db/outputs.tf new file mode 100644 index 00000000000..e69de29bb2d diff --git a/terraform/environments/delius-core/modules/components/oracle_db/sg.tf b/terraform/environments/delius-core/modules/components/oracle_db/sg.tf new file mode 100644 index 00000000000..6b68557ea03 --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db/sg.tf 
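Review bot: `instance_type = var.db_type` passes the `"primary"`/`"secondary"` role selector (see `variable "db_type"` in variables.tf, default `"primary"`) where an EC2 instance type is expected, so the apply cannot succeed as written; the module needs a dedicated `instance_type` variable and `db_type` should only drive naming. `user_data_base64 = base64encode(var.user_data)` encodes again what database.tf (later in this patch) already passes as `base64encode(templatefile(...))`, so the host receives double-encoded user data and the bootstrap never runs — keep exactly one of the two encodings. `vpc_security_group_ids` lists `aws_security_group.db_ec2.id` twice, and the checkov skip reason says no IAM role is attached while `iam_instance_profile` is set, so that comment no longer describes the resource.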
@@ -0,0 +1,62 @@ +resource "aws_security_group" "db_ec2" { + name = format("%s-sg-delius-db-ec2-instance", var.env_name) + description = "Controls access to db ec2 instance" + vpc_id = var.account_config.shared_vpc_id + tags = merge(var.tags, + { Name = lower(format("%s-sg-delius-db-ec2-instance", var.env_name)) } + ) +} + +resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" { + security_group_id = aws_security_group.db_ec2.id + cidr_ipv4 = "0.0.0.0/0" + from_port = 443 + to_port = 443 + ip_protocol = "tcp" + description = "Allow communication out on port 443, e.g. for SSM" + tags = merge(var.tags, + { Name = "https-out" } + ) +} + +resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_rman" { + security_group_id = aws_security_group.db_ec2.id + cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr + from_port = 1521 + to_port = 1521 + ip_protocol = "tcp" + description = "Allow communication out on port 1521 to legacy rman" + tags = merge(var.tags, + { Name = "legacy-rman-out" } + ) +} + +resource "aws_vpc_security_group_ingress_rule" "db_ec2_instance_rman" { + security_group_id = aws_security_group.db_ec2.id + cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr + from_port = 1521 + to_port = 1521 + ip_protocol = "tcp" + description = "Allow communication in on port 1521 from legacy rman" + tags = merge(var.tags, + { Name = "legacy-rman-in" } + ) +} + +resource "aws_vpc_security_group_egress_rule" "db_inter_conn" { + security_group_id = aws_security_group.db_ec2.id + description = "Allow communication between delius db instances" + from_port = 1521 + to_port = 1521 + ip_protocol = "tcp" + referenced_security_group_id = aws_security_group.db_ec2.id +} + +resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_bastion" { + security_group_id = aws_security_group.db_ec2.id + description = "bastion to testing db" + from_port = 1521 + to_port = 1521 + ip_protocol = "tcp" + 
referenced_security_group_id = var.account_config.bastion.bastion_security_group +} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/components/oracle_db/ssm.tf b/terraform/environments/delius-core/modules/components/oracle_db/ssm.tf new file mode 100644 index 00000000000..db3b628ee71 --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db/ssm.tf @@ -0,0 +1,14 @@ +resource "aws_ssm_parameter" "rman_password" { + name = "/delius-core-${var.env_name}/delius/oracle-db-operation/rman/rman_password" + type = "SecureString" + value = "REPLACE" + lifecycle { + ignore_changes = [ + value, + ] + } +} + +data "aws_ssm_parameter" "rman_password" { + name = aws_ssm_parameter.rman_password.name +} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/components/oracle_db/variables.tf b/terraform/environments/delius-core/modules/components/oracle_db/variables.tf new file mode 100644 index 00000000000..0e1706a58cd --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db/variables.tf 
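Review bot: `db_inter_conn` only adds a self-referencing egress rule on 1521 and no ingress rule references `aws_security_group.db_ec2.id`, so inbound traffic between database instances in this group is still denied; if primary/secondary traffic over 1521 is intended, add a matching `aws_vpc_security_group_ingress_rule` with `referenced_security_group_id = aws_security_group.db_ec2.id`. The bastion rule's description `"bastion to testing db"` reads as copied from a test-only resource; `"Allow bastion access in on port 1521"` would match the style of the other descriptions. Egress to `0.0.0.0/0` on 443 is the usual SSM allowance, though if the VPC has SSM/EC2 interface endpoints it could be narrowed to those.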
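Review bot: `data "aws_ssm_parameter" "rman_password"` reads the SecureString back with decryption enabled by default, so once the `"REPLACE"` placeholder is rotated out of band (the `ignore_changes` on `value` implies that is the plan) the real password lands in plaintext in the Terraform state; nothing in this hunk uses the data source, so drop it, or set `with_decryption = false` if only the name or ARN is needed. The resource sets no `key_id`, so the parameter is encrypted with the account default SSM key rather than `var.account_config.kms_keys.general_shared`, which is the key the instance role is granted in iam.tf; if that key is meant to protect it, add `key_id = var.account_config.kms_keys.general_shared`. `tags = var.tags` is applied on every other resource in the module but omitted here.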
@@ -0,0 +1,107 @@ +variable "db_type" { + description = "Database type: [primary, secondary]" + default = "primary" + type = string +} + +variable "db_name" { + description = "Database name" + type = string +} + +variable "db_count_index0" { + description = "Database count index" + type = number + default = 0 +} + +variable "db_count_index" { + description = "Database count index + 1" + type = number + default = 1 +} + +variable "env_name" { + description = "Environment name short ie dev" + type = string +} + +variable "subnet_id" { + description = "Subnet ID to launch the instance in" + type = string +} + +variable "monitoring" { + description = "Enable/disable detailed monitoring" + type = bool + default = false +} + +variable "user_data" { + description = "User data to pass to the instance" + type = string +} + +variable "account_config" { + description = "Account config to pass to the instance" + type = any +} + +variable "metadata_options" { + description = "Metadata options to pass to the instance" + type = object({ + http_endpoint = string + http_tokens = string + }) + default = { + http_endpoint = "enabled" + http_tokens = "optional" + } +} + +variable "db_ami" { + description = "AMI to use for the database instance" + type = object({ + name_regex = string + owners = list(string) + }) + +} + +variable "tags" { + description = "Tags to apply to the instance" + type = map(string) +} + +variable "ebs_volumes" { + description = "EBS volumes to attach to the instance" + type = object({ + kms_key_id = string + tags = map(string) + iops = number + throughput = number + root_volume = object({ + volume_type = string + volume_size = number + }) + ebs_non_root_volumes = map(object({ + volume_type = optional(string) + volume_size = optional(string) + no_device = optional(bool) + })) + }) +} + +variable "environment_config" { + type = object({ + migration_environment_private_cidr = optional(list(string)) + migration_environment_db_cidr = optional(list(string)) + 
legacy_engineering_vpc_cidr = string + ec2_user_ssh_key = string + }) +} + +variable "ec2_key_pair_name" { + description = "EC2 key pair name to associate with the instance" + type = string +} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/components/oracle_db/versions.tf b/terraform/environments/delius-core/modules/components/oracle_db/versions.tf new file mode 100644 index 00000000000..bdb3762af70 --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + configuration_aliases = [aws.bucket-replication, aws.core-vpc, aws.core-network-services] + } + } + required_version = ">= 1.0.1" +} diff --git a/terraform/environments/delius-core/modules/environment_all_components/database.tf b/terraform/environments/delius-core/modules/environment_all_components/database.tf new file mode 100644 index 00000000000..b031acedf57 --- /dev/null +++ b/terraform/environments/delius-core/modules/environment_all_components/database.tf 
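Review bot: `metadata_options` defaults `http_tokens` to `"optional"`, which leaves IMDSv1 enabled on the database host, while the userdata template in this same patch already obtains an IMDSv2 token before calling the metadata service, so `http_tokens = "required"` is a safe default here. In `ebs_volumes`, `ebs_non_root_volumes` declares `volume_size = optional(string)` while `root_volume.volume_size` is a `number` and ebs_volumes.tf forwards the value as `size`; making both `number` rejects a mistyped value at plan time. `db_type` is documented as `[primary, secondary]` but instance.tf passes it to `instance_type`; a `validation { condition = contains(["primary", "secondary"], var.db_type) }` block would surface that mismatch immediately.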
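Review bot: `configuration_aliases` obliges every caller to supply `aws.bucket-replication` and `aws.core-network-services`, yet no resource in this module uses either alias — the only aliased provider referenced is `aws.core-vpc`, in dns.tf. Trim it to `configuration_aliases = [aws.core-vpc]` so the module's provider contract matches what it actually needs, and drop the two unused entries from the `providers` map in database.tf.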
@@ -0,0 +1,95 @@ +module "oracle_db" { + source = "../components/oracle_db" + account_config = var.account_config + db_ami = { + name_regex = "^delius_core_ol_8_5_oracle_db_19c_" + owners = [var.platform_vars.environment_management.account_ids["core-shared-services-production"]] + } + db_name = "primary" + ebs_volumes = { + kms_key_id = var.account_config.kms_keys.ebs_shared + tags = local.tags + iops = 3000 + throughput = 125 + root_volume = { + volume_type = "gp3" + volume_size = 30 + no_device = false + } + ebs_non_root_volumes = { + "/dev/sdb" = { + # /u01 oracle app disk + volume_type = "gp3" + volume_size = 200 + no_device = false + } + "/dev/sdc" = { + # /u02 oracle app disk + volume_type = "gp3" + volume_size = 100 + no_device = false + } + "/dev/sds" = { + # swap disk + volume_type = "gp3" + volume_size = 4 + no_device = false + } + "/dev/sde" = { + # oracle asm disk DATA01 + volume_type = "gp3" + volume_size = 500 + no_device = false + } + "/dev/sdf" = { + # oracle asm disk DATA02 + no_device = true + } + "/dev/sdg" = { + # oracle asm disk DATA03 + no_device = true + } + "/dev/sdh" = { + # oracle asm disk DATA04 + no_device = true + } + "/dev/sdi" = { + # oracle asm disk DATA05 + no_device = true + } + "/dev/sdj" = { + # oracle asm disk FLASH01 + volume_type = "gp3" + volume_size = 500 + no_device = false + } + "/dev/sdk" = { + # oracle asm disk FLASH02 + no_device = true + } + } + } + env_name = var.env_name + environment_config = var.environment_config + subnet_id = var.account_config.private_subnet_ids[0] + tags = var.tags + user_data = base64encode( + templatefile( + "${path.module}/templates/userdata.sh.tftpl", + { + branch = "main" + ansible_repo = "modernisation-platform-configuration-management" + ansible_repo_basedir = "ansible" + ansible_args = "oracle_19c_install" + } + ) + ) + + ec2_key_pair_name = aws_key_pair.environment_ec2_user_key_pair.key_name + + providers = { + aws.bucket-replication = aws + aws.core-vpc = aws.core-vpc + 
aws.core-network-services = aws.core-network-services + } +} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/environment_all_components/db_iam.tf b/terraform/environments/delius-core/modules/environment_all_components/db_iam.tf index ec9ec348895..b25024e2a66 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/db_iam.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/db_iam.tf @@ -35,7 +35,7 @@ data "aws_iam_policy_document" "business_unit_kms_key_access" { "kms:RevokeGrant" ] resources = [ - var.account_config.general_shared_kms_key_arn + var.account_config.kms_keys.general_shared ] } } diff --git a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf index 1eaf4a90767..533e9aecbce 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/ldap_datasync.tf @@ -73,7 +73,7 @@ data "aws_iam_policy_document" "ldap_datasync_role_access" { "kms:ReEncryptFrom", "kms:GenerateDataKeyWithoutPlaintext" ] - resources = [var.account_config.general_shared_kms_key_arn] + resources = [var.account_config.kms_keys.general_shared] } statement { sid = "allowAccessForDataSync" @@ -119,7 +119,7 @@ module "s3_bucket_ldap_data_refresh" { versioning_enabled = false ownership_controls = "BucketOwnerEnforced" replication_enabled = false - custom_kms_key = var.account_config.general_shared_kms_key_arn + custom_kms_key = var.account_config.kms_keys.general_shared bucket_policy_v2 = local.ldap_refresh_bucket_policies providers = { 
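Review bot: The bootstrap clones `modernisation-platform-configuration-management` at `branch = "main"` and the userdata template runs the resulting playbook with `--become`, so whatever is on `main` at launch time executes as root on the database host; pin `branch` to a release tag or commit and bump it deliberately. `root_volume` sets `no_device = false`, an attribute the module's `root_volume` object type does not declare, so it is presumably discarded during type conversion and is best removed rather than left implying an effect. `ebs_volumes.tags = local.tags` sits next to `tags = var.tags`; if both are meant to be the same map, use `var.tags` in both places. The module block is complete within this hunk.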
diff --git a/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl b/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl new file mode 100644 index 00000000000..7400286d290 --- /dev/null +++ b/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl 
@@ -0,0 +1,125 @@ +#!/bin/bash +# Don't set set -u as ansible activate script fails with it on RHEL6 +set -eo pipefail + +run_ansible() { + export PATH=/usr/local/bin:$PATH + + echo "ansible_repo: ${ansible_repo}" + echo "ansible_repo_basedir: ${ansible_repo_basedir}" + echo "branch: ${branch}" + echo "ansible_args: ${ansible_args}" + + if [[ -z ${ansible_repo} ]]; then + echo "ansible_repo not defined, not installing any ansible" >&2 + exit 0 + fi + + if ! command -v aws > /dev/null; then + echo "aws cli must be installed, not installing any ansible" >&2 + exit 0 + fi + + if ! command -v git > /dev/null; then + echo "git must be installed, not installing any ansible" >&2 + exit 0 + fi + + echo "# Retrieving API Token" + token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") + + echo "# Retrieving Instance ID" + instance_id=$(curl -sS -H "X-aws-ec2-metadata-token: $token" -v http://169.254.169.254/latest/meta-data/instance-id) + + echo "# Retrieving tags using aws cli" + IFS=$'\n' + tags=($(aws ec2 describe-tags --filters "Name=resource-id,Values=$${instance_id}" "Name=key,Values=os-type,ami,server-type,environment-name,delius-environment-name,database" --output=text)) + unset IFS + + # clone ansible roles and playbook + ansible_dir=$(mktemp -d) + echo "# Cloning ${ansible_repo} into $ansible_dir using branch=${branch}" + cd $ansible_dir + git clone "https://github.com/ministryofjustice/${ansible_repo}.git" + cd $ansible_dir/${ansible_repo} + git checkout "${branch}" + cd $ansible_dir + + # find the group_var yaml files + ansible_group_vars= + for ((i=0; i<$${#tags[@]}; i++)); do + tag=($${tags[i]}) + echo "$${tag[*]}" + # aws ec2 describe-tags comes out in alphabetical order + if [[ $"$${tag[1]}" == "database" || "$${tag[1]}" == "delius-environment-name" || "$${tag[1]}" == "environment-name" ]] + then + [ "$${tag[1]}" == "database" ] && database=$${tag[4]} + [ "$${tag[1]}" == "delius-environment-name" ] 
&& delius_environment_name=$${tag[4]} + [ "$${tag[1]}" == "environment-name" ] && environment_name="$${tag[1]}_$${tag[4]}" + fi + if [[ $i -eq 2 ]] + then + group=$(echo "$${environment_name}_$${delius_environment_name}_$${database}" | tr [:upper:] [:lower:] | sed "s/-/_/g") + group_all=$(echo "$${environment_name}_$${delius_environment_name}_all" | tr [:upper:] [:lower:] | sed "s/-/_/g") + database_type=$(echo $database | cut -d'_' -f2 | sed "s/db//g") + ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml --extra-vars @group_vars/$group_all.yml --extra-vars database_type=$database_type" + elif [[ $i -gt 2 ]] + then + group=$(echo "$${tag[1]}_$${tag[4]}" | tr [:upper:] [:lower:] | sed "s/-/_/g") + ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml" + fi + done + + # set python version + if [[ $(which python3.9 2> /dev/null) ]]; then + python=$(which python3.9) + elif [[ $(which python3.6 2> /dev/null) ]]; then + python=$(which python3.6) + else + echo "Python3.9/3.6 not found" + exit 1 + fi + echo "# Using python: $python" + + # activate virtual environment + mkdir $ansible_dir/python-venv && cd "$_" + $python -m venv ansible + source ansible/bin/activate + $python -m pip install --upgrade pip + if [[ "$python" =~ 3.6 ]]; then + $python -m pip install wheel + $python -m pip install cryptography==2.3 + export LC_ALL=en_US.UTF-8 + $python -m pip install ansible-core==2.11.12 + else + $python -m pip install ansible==6.0.0 + fi + + # install requirements in virtual env + echo "# Installing ansible requirements" + cd $ansible_dir/${ansible_repo}/${ansible_repo_basedir} + $python -m pip install -r requirements.txt + ansible-galaxy role install -r requirements.yml + ansible-galaxy collection install -r requirements.yml + + # run ansible (comma after localhost deliberate) + echo "# Execute ansible site.yml $ansible_group_vars ..." 
+ ansible-playbook site.yml $ansible_group_vars \ + --connection=local \ + --inventory localhost, \ + --extra-vars "ansible_python_interpreter=$python" \ + --extra-vars "target=localhost" \ + --tags "${ansible_args}, ec2provision" \ + --become + + echo "# Cleanup" + deactivate + rm -rf $ansible_dir/python-venv + rm -rf $ansible_dir/${ansible_repo} + rmdir $ansible_dir +} + +echo "ansible-ec2provision.sh start" | logger -p local3.info -t user-data +run_ansible 2>&1 | logger -p local3.info -t user-data +echo "ansible-ec2provision.sh end" | logger -p local3.info -t user-data + diff --git a/terraform/environments/delius-core/modules/environment_all_components/variables.tf b/terraform/environments/delius-core/modules/environment_all_components/variables.tf index 548a25bc417..5e75dc6f594 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/variables.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/variables.tf @@ -30,6 +30,11 @@ variable "account_config" { route53_network_services_zone = any route53_external_zone = any bastion = any + kms_keys = object({ + ebs_shared = any + general_shared = any + rds_shared = any + }) general_shared_kms_key_arn = optional(string) }) @@ -46,6 +51,11 @@ variable "account_config" { migration_environment_vpc_cidr = "default_migration_environment_vpc_cidr" general_shared_kms_key_arn = "default_general_shared_kms_key_arn" bastion = {} + kms_keys = { + ebs_shared = {} + general_shared = {} + rds_shared = {} + } } } From daa0f57155ae524240fe70bf78ffe2e6e964fec4 Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:03:33 +0000 Subject: [PATCH 127/142] CC-2249: New volumes for EBS DB in the Upgrade environment. --- .../application_variables.json | 6 ++ .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 74 ++++++++++++++++++- 2 files changed, 79 insertions(+), 1 deletion(-) 
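Review bot: The instance-id lookup passes `-v` to curl, which prints the sent request headers including `X-aws-ec2-metadata-token` to stderr, and `run_ansible 2>&1 | logger` forwards that stderr to syslog, so the IMDS session token (TTL 21600 s) is written to the system log on every boot; remove `-v` from that `curl` call. `$"$${tag[1]}"` in the tag comparison uses bash's locale-translation quoting rather than a plain `"$${tag[1]}"`, which works by accident and should be corrected. The `exit 0` paths taken when `ansible_repo`, `aws` or `git` are missing return success from an unprovisioned host; exiting non-zero, or at least logging at `local3.err`, would make a failed bootstrap visible. `tr [:upper:] [:lower:]` leaves the bracket expressions unquoted and subject to pathname expansion in the working directory; write `tr '[:upper:]' '[:lower:]'`.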
diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json index 7a636c1cb5d..5af8d80a4da 100644 --- a/terraform/environments/ccms-ebs-upgrade/application_variables.json +++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json @@ -76,6 +76,12 @@ "ebs_size_ebsdb_arch": 500, "ebs_size_ebsdb_dbf": 11000, "ebs_size_ebsdb_dbf_dr": 8000, + "ebs_iops_ebsdb_dbf01": 12000, + "ebs_size_ebsdb_dbf01": 4000, + "ebs_iops_ebsdb_dbf02": 12000, + "ebs_size_ebsdb_dbf02": 4000, + "ebs_iops_ebsdb_dbf03": 12000, + "ebs_size_ebsdb_dbf03": 3000, "ebs_size_ebsdb_redoA": 100, "ebs_size_ebsdb_redoB": 50, "ebs_size_ebsdb_techst": 100, diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf index 53f58b24ef5..9cecca5b005 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf 
@@ -130,6 +130,78 @@ resource "aws_volume_attachment" "dbf_att" { instance_id = aws_instance.ec2_oracle_ebs.id } +resource "aws_ebs_volume" "dbf01" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf01 + type = "io2" + iops = local.application_data.accounts[local.environment].ebs_iops_ebsdb_dbf01 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf01" } + ) +} + +resource "aws_volume_attachment" "dbf01_att" { + depends_on = [ + aws_ebs_volume.dbf01 + ] + device_name = "/dev/sdq" + volume_id = aws_ebs_volume.dbf01.id + instance_id = aws_instance.ec2_oracle_ebs.id +} + +resource "aws_ebs_volume" "dbf02" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf02 + type = "io2" + iops = local.application_data.accounts[local.environment].ebs_iops_ebsdb_dbf02 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf02" } + ) +} + +resource "aws_volume_attachment" "dbf02_att" { + depends_on = [ + aws_ebs_volume.dbf02 + ] + device_name = "/dev/sdr" + volume_id = aws_ebs_volume.dbf02.id + instance_id = aws_instance.ec2_oracle_ebs.id +} + +resource "aws_ebs_volume" "dbf03" { + lifecycle { + ignore_changes = [kms_key_id] + } + availability_zone = "eu-west-2a" + size = local.application_data.accounts[local.environment].ebs_size_ebsdb_dbf03 + type = "io2" + iops = local.application_data.accounts[local.environment].ebs_iops_ebsdb_dbf03 + encrypted = true + kms_key_id = data.aws_kms_key.ebs_shared.key_id + tags = merge(local.tags, + { Name = "dbf03" } + ) +} + +resource "aws_volume_attachment" "dbf03_att" { + depends_on = [ + aws_ebs_volume.dbf03 + ] + device_name = "/dev/sds" + volume_id = aws_ebs_volume.dbf03.id + instance_id = 
aws_instance.ec2_oracle_ebs.id +} + resource "aws_ebs_volume" "redoA" { lifecycle { ignore_changes = [kms_key_id] @@ -242,7 +314,6 @@ resource "aws_volume_attachment" "diag_att" { instance_id = aws_instance.ec2_oracle_ebs.id } - resource "aws_ebs_volume" "appshare" { lifecycle { ignore_changes = [kms_key_id] @@ -309,6 +380,7 @@ resource "aws_volume_attachment" "db_temp_att" { volume_id = aws_ebs_volume.db_temp.id instance_id = aws_instance.ec2_oracle_ebs.id } + /* #### This mount was required for golive incident #### Just commenting out, rather than remove - just in case From 887467abcd082d1a4129eb466e32f29081221e4a Mon Sep 17 00:00:00 2001 From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Wed, 6 Dec 2023 14:24:20 +0000 Subject: [PATCH 128/142] CC-2249: Changed device_name for new volumes. --- .../environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf index 9cecca5b005..ccae9815612 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf @@ -149,7 +149,7 @@ resource "aws_volume_attachment" "dbf01_att" { depends_on = [ aws_ebs_volume.dbf01 ] - device_name = "/dev/sdq" + device_name = "/dev/sde" volume_id = aws_ebs_volume.dbf01.id instance_id = aws_instance.ec2_oracle_ebs.id } @@ -173,7 +173,7 @@ resource "aws_volume_attachment" "dbf02_att" { depends_on = [ aws_ebs_volume.dbf02 ] - device_name = "/dev/sdr" + device_name = "/dev/sdf" volume_id = aws_ebs_volume.dbf02.id instance_id = aws_instance.ec2_oracle_ebs.id } @@ -197,7 +197,7 @@ resource "aws_volume_attachment" "dbf03_att" { depends_on = [ aws_ebs_volume.dbf03 ] - device_name = "/dev/sds" + device_name = "/dev/sdg" volume_id = aws_ebs_volume.dbf03.id instance_id = aws_instance.ec2_oracle_ebs.id } 
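Review bot: `dbf01`, `dbf02` and `dbf03` and their attachments are three copies of the same two resources differing only in the size/iops keys and the device name, which is why the follow-up commit 128 has to edit three places to change device names; a `for_each` over a small local map declares them once. The `depends_on = [aws_ebs_volume.dbfNN]` in each attachment is implied by the `volume_id` reference and can go. `ignore_changes = [kms_key_id]` is carried over from the existing volumes, so a key change on `data.aws_kms_key.ebs_shared` will not be applied to these volumes either; worth confirming that is still intended for new io2 volumes.
```hcl
locals {
  ebsdb_cfg = local.application_data.accounts[local.environment]
  ebsdb_dbf_volumes = {
    dbf01 = { device_name = "/dev/sdq", size = local.ebsdb_cfg.ebs_size_ebsdb_dbf01, iops = local.ebsdb_cfg.ebs_iops_ebsdb_dbf01 }
    dbf02 = { device_name = "/dev/sdr", size = local.ebsdb_cfg.ebs_size_ebsdb_dbf02, iops = local.ebsdb_cfg.ebs_iops_ebsdb_dbf02 }
    dbf03 = { device_name = "/dev/sds", size = local.ebsdb_cfg.ebs_size_ebsdb_dbf03, iops = local.ebsdb_cfg.ebs_iops_ebsdb_dbf03 }
  }
}

resource "aws_ebs_volume" "dbf_extra" {
  for_each = local.ebsdb_dbf_volumes
  lifecycle {
    ignore_changes = [kms_key_id]
  }
  availability_zone = "eu-west-2a"
  size              = each.value.size
  type              = "io2"
  iops              = each.value.iops
  encrypted         = true
  kms_key_id        = data.aws_kms_key.ebs_shared.key_id
  tags              = merge(local.tags, { Name = each.key })
}

resource "aws_volume_attachment" "dbf_extra_att" {
  for_each    = local.ebsdb_dbf_volumes
  device_name = each.value.device_name
  volume_id   = aws_ebs_volume.dbf_extra[each.key].id
  instance_id = aws_instance.ec2_oracle_ebs.id
}
# … unchanged: redoA and the following volumes …
```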
From 40c3ce0b19056dfd4cf849894f92d4fc87a0d3cf Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 7 Dec 2023 00:13:42 +0000 Subject: [PATCH 129/142] Bump bridgecrewio/checkov-action from 12.2605.0 to 12.2607.0 Bumps [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) from 12.2605.0 to 12.2607.0. - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](https://github.com/bridgecrewio/checkov-action/compare/e3b7d570872fcc4bc07f4bc54a6913f947d664d0...17f081b0ade2ecb02a4d9ed2437e3a2c62801c0d) --- updated-dependencies: - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/code-scanning.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 099356992d0..f643853418f 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -78,7 +78,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@e3b7d570872fcc4bc07f4bc54a6913f947d664d0 # v12.2605.0 + uses: bridgecrewio/checkov-action@17f081b0ade2ecb02a4d9ed2437e3a2c62801c0d # v12.2607.0 with: directory: ./ framework: terraform From 171e14272be3699aa954bef01eb3c1c1d2b80c25 Mon Sep 17 00:00:00 2001 
From: Andrew Pepler Date: Thu, 7 Dec 2023 11:05:19 +0000 Subject: [PATCH 130/142] cdpt-chaps ecs config (#4171) --- .../cdpt-chaps/application_variables.json | 12 +- terraform/environments/cdpt-chaps/ecs.tf | 244 ++++++++++++++++++ .../environments/cdpt-chaps/loadbalancer.tf | 98 +++++++ terraform/environments/cdpt-chaps/locals.tf | 18 +- terraform/environments/cdpt-chaps/outputs.tf | 3 + .../cdpt-chaps/platform_locals.tf | 1 - terraform/environments/cdpt-chaps/route53.tf | 59 +++++ 7 files changed, 427 insertions(+), 8 deletions(-) create mode 100644 terraform/environments/cdpt-chaps/ecs.tf create mode 100644 terraform/environments/cdpt-chaps/loadbalancer.tf create mode 100644 terraform/environments/cdpt-chaps/outputs.tf create mode 100644 terraform/environments/cdpt-chaps/route53.tf diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index 6b52bfe9b30..601d785bd20 100644 --- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json @@ -1,16 +1,16 @@ { "accounts": { "development": { - "example_var": "dev-data" - }, - "test": { - "example_var": "test-data" + "region": "eu-west-2", + "docker_image_tag": "development" }, "preproduction": { - "example_var": "preproduction-data" + "region": "eu-west-2", + "docker_image_tag": "preproduction" }, "production": { - "example_var": "production-data" + "region": "eu-west-2", + "docker_image_tag": "production" } } } diff --git a/terraform/environments/cdpt-chaps/ecs.tf b/terraform/environments/cdpt-chaps/ecs.tf new file mode 100644 index 00000000000..e5cc2584446 --- /dev/null +++ b/terraform/environments/cdpt-chaps/ecs.tf 
@@ -0,0 +1,244 @@ +data "aws_ecs_task_definition" "task_definition" { + task_definition = "${local.application_name}-task-definition" + depends_on = [aws_ecs_task_definition.chaps_task_definition] +} + +resource "aws_ecs_cluster" "ecs_cluster" { + name = "${local.application_name}-ecs-cluster" + setting { + name = "containerInsights" + value = "enabled" + } +} + +resource "aws_cloudwatch_log_group" "deployment_logs" { + name = "/aws/events/deploymentLogs" + retention_in_days = "7" +} + +resource "aws_ecs_task_definition" "chaps_task_definition" { + family = "chapsFamily" + requires_compatibilities = ["FARGATE"] + network_mode = "awsvpc" + execution_role_arn = aws_iam_role.app_execution.arn + task_role_arn = aws_iam_role.app_task.arn + cpu = 1024 + memory = 2048 + container_definitions = jsonencode([ + { + name = local.application_name + image = "${local.ecr_url}:${local.application_data.accounts[local.environment].docker_image_tag}" + cpu = 1024 + memory = 2048 + essential = true + portMappings = [ + { + containerPort = 80 + protocol = "tcp" + hostPort = 80 + } + ] + environment = [ + ] + } + ]) + runtime_platform { + operating_system_family = "WINDOWS_SERVER_2019_CORE" + cpu_architecture = "X86_64" + } +} + +resource "aws_ecs_service" "ecs_service" { + depends_on = [ + aws_lb_listener.listener + ] + + name = var.networking[0].application + cluster = aws_ecs_cluster.ecs_cluster.id + task_definition = aws_ecs_task_definition.chaps_task_definition.arn + launch_type = "FARGATE" + enable_execute_command = true + desired_count = 2 + health_check_grace_period_seconds = 180 + + network_configuration { + subnets = data.aws_subnets.shared-public.ids + security_groups = [aws_security_group.ecs_service.id] + assign_public_ip = true + } + + load_balancer { + target_group_arn = aws_lb_target_group.chaps_target_group.arn + container_name = local.application_name + container_port = 80 + } + + deployment_controller { + type = "ECS" + } +} + +resource "aws_iam_role" "app_execution" 
{ + name = "execution-${var.networking[0].application}" + + assume_role_policy = < { + name = dvo.resource_record_name + record = dvo.resource_record_value + type = dvo.resource_record_type + } + } + + domain_name_main = [for k, v in local.domain_types : v.name if k == "modernisation-platform.service.justice.gov.uk"] + domain_name_sub = [for k, v in local.domain_types : v.name if k != "modernisation-platform.service.justice.gov.uk"] + domain_record_main = [for k, v in local.domain_types : v.record if k == "modernisation-platform.service.justice.gov.uk"] + domain_record_sub = [for k, v in local.domain_types : v.record if k != "modernisation-platform.service.justice.gov.uk"] + domain_type_main = [for k, v in local.domain_types : v.type if k == "modernisation-platform.service.justice.gov.uk"] + domain_type_sub = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"] + + ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-chaps-ecr-repo" +} diff --git a/terraform/environments/cdpt-chaps/outputs.tf b/terraform/environments/cdpt-chaps/outputs.tf new file mode 100644 index 00000000000..49ce7495121 --- /dev/null +++ b/terraform/environments/cdpt-chaps/outputs.tf @@ -0,0 +1,3 @@ +output "task_definition" { + value = data.aws_ecs_task_definition.task_definition +} diff --git a/terraform/environments/cdpt-chaps/platform_locals.tf b/terraform/environments/cdpt-chaps/platform_locals.tf index d68844f5e25..eb0e1aa0c01 100644 --- a/terraform/environments/cdpt-chaps/platform_locals.tf +++ b/terraform/environments/cdpt-chaps/platform_locals.tf @@ -1,5 +1,4 @@ locals { - application_name = "cdpt-chaps" environment_management = jsondecode(data.aws_secretsmanager_secret_version.environment_management.secret_string) diff --git a/terraform/environments/cdpt-chaps/route53.tf b/terraform/environments/cdpt-chaps/route53.tf new file mode 100644 index 00000000000..d34737a0f59 
--- /dev/null +++ b/terraform/environments/cdpt-chaps/route53.tf @@ -0,0 +1,59 @@ +// DEV + PRE-PRODUCTION DNS CONFIGURATION + +// ACM Public Certificate +resource "aws_acm_certificate" "external" { + domain_name = "modernisation-platform.service.justice.gov.uk" + validation_method = "DNS" + + subject_alternative_names = ["${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk"] + tags = { + Environment = local.environment + } + + lifecycle { + create_before_destroy = true + } +} + +resource "aws_acm_certificate_validation" "external" { + certificate_arn = aws_acm_certificate.external.arn + validation_record_fqdns = [local.domain_name_main[0], local.domain_name_sub[0]] +} + +// Route53 DNS records for certificate validation +resource "aws_route53_record" "external_validation" { + provider = aws.core-network-services + + allow_overwrite = true + name = local.domain_name_main[0] + records = local.domain_record_main + ttl = 60 + type = local.domain_type_main[0] + zone_id = data.aws_route53_zone.network-services.zone_id +} + +resource "aws_route53_record" "external_validation_subdomain" { + provider = aws.core-vpc + + allow_overwrite = true + name = local.domain_name_sub[0] + records = local.domain_record_sub + ttl = 60 + type = local.domain_type_sub[0] + zone_id = data.aws_route53_zone.external.zone_id +} + +// Route53 DNS record for directing traffic to the service +resource "aws_route53_record" "external" { + provider = aws.core-vpc + + zone_id = data.aws_route53_zone.external.zone_id + name = "${var.networking[0].application}.${var.networking[0].business-unit}-${local.environment}.modernisation-platform.service.justice.gov.uk" + type = "A" + + alias { + name = aws_lb.chaps_lb.dns_name + zone_id = aws_lb.chaps_lb.zone_id + evaluate_target_health = true + } +} From b869b576e8b042ce081ec74ef7a3425efa451488 Mon Sep 17 00:00:00 2001 
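Review bot: `aws_acm_certificate_validation.external` takes `validation_record_fqdns` from `local.domain_name_main`/`local.domain_name_sub` rather than from the `aws_route53_record.external_validation*` resources, so nothing in the graph orders the validation after the records are written or tears them down in the right order on destroy. Referencing the records directly, `validation_record_fqdns = [aws_route53_record.external_validation.fqdn, aws_route53_record.external_validation_subdomain.fqdn]`, gives the same values plus the implicit dependency. Separately, `allow_overwrite = true` on the record in the shared `network-services` zone lets this account's apply replace any existing record of the same name; if that is intended for re-runs it deserves a one-line comment, otherwise consider omitting it for the apex validation record. The `// DEV + PRE-PRODUCTION` header is not backed by any condition in the file, so either note where production is handled or drop the qualifier.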
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com> Date: Thu, 7 Dec 2023 11:10:39 +0000 Subject: [PATCH 131/142] CC-2254: Added a swap volume to EBS DB in the Upgrade environment. --- .../application_variables.json | 2 ++ .../ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 24 +++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/terraform/environments/ccms-ebs-upgrade/application_variables.json b/terraform/environments/ccms-ebs-upgrade/application_variables.json index 5af8d80a4da..3fafe74446c 100644 --- a/terraform/environments/ccms-ebs-upgrade/application_variables.json +++ b/terraform/environments/ccms-ebs-upgrade/application_variables.json @@ -69,6 +69,8 @@ "ebsapps_u03_size": 200, "ebsapps_stage_size": 100, "tg_apps_port": 8000, + "ebs_iops_ebsdb_swap": 3000, + "ebs_size_ebsdb_swap": 20, "ebs_size_ebsdb_home": 100, "ebs_size_ebsdb_temp": 100, "ebs_size_ebsdb_exhome": 100, diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf index ccae9815612..10bab522b12 100644 --- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf +++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf 
@@ -46,6 +46,30 @@ resource "aws_instance" "ec2_oracle_ebs" {
 depends_on = [aws_security_group.ec2_sg_ebsdb]
 }
 
+resource "aws_ebs_volume" "ebsdb_swap" {
+ lifecycle {
+ ignore_changes = [kms_key_id]
+ }
+ availability_zone = "eu-west-2a"
+ size = local.application_data.accounts[local.environment].ebs_size_ebsdb_swap
+ type = "gp3"
+ iops = local.application_data.accounts[local.environment].ebs_iops_ebsdb_swap
+ encrypted = true
+ kms_key_id = data.aws_kms_key.ebs_shared.key_id
+ tags = merge(local.tags,
+ { Name = "swap" }
+ )
+}
+
+resource "aws_volume_attachment" "ebsdb_swap_att" {
+ depends_on = [
+ aws_ebs_volume.swap
+ ]
+ device_name = "/dev/sdb"
+ volume_id = aws_ebs_volume.swap.id
+ instance_id = aws_instance.ec2_oracle_ebs.id
+}
+
 resource "aws_ebs_volume" "export_home" {
 lifecycle {
 ignore_changes = [kms_key_id]
From a0ca0797930d23555627e670f6b5fb89f632bdb4 Mon Sep 17 00:00:00 2001
From: modernisation-platform-ci
Date: Thu, 7 Dec 2023 11:12:32 +0000
Subject: [PATCH 132/142] Workflow: created files in .
---
 .github/CODEOWNERS | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 9925b8c06ae..d7544353855 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
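Review bot: `aws_ebs_volume.ebsdb_swap` hard-codes `availability_zone = "eu-west-2a"` while `aws_volume_attachment.ebsdb_swap_att` attaches it to `aws_instance.ec2_oracle_ebs`, whose zone is not visible here; an EBS volume can only attach to an instance in its own AZ, so if the instance is ever placed elsewhere the attachment fails at apply time. Deriving the zone from the instance, `availability_zone = aws_instance.ec2_oracle_ebs.availability_zone`, keeps the two in step. The explicit `depends_on` in the attachment is already implied by the `volume_id` reference and can go. The `aws_ebs_volume.swap` references do not match the resource name `ebsdb_swap`; PATCH 133 below corrects them, so I am not re-raising that here.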
@@ -22,7 +22,7 @@
 /terraform/environments/example @ministryofjustice/modernisation-platform @ministryofjustice/modernisation-platform
 /terraform/environments/hmpps-domain-services @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/hmpps-intelligence-management @ministryofjustice/dps-ims-tech @ministryofjustice/modernisation-platform
-/terraform/environments/hmpps-oem @ministryofjustice/hmpps-migration @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
+/terraform/environments/hmpps-oem @ministryofjustice/hmpps-dba @ministryofjustice/hmpps-migration @ministryofjustice/studio-webops @ministryofjustice/modernisation-platform
 /terraform/environments/laa-ccms-infra-azure-ad-sso @ministryofjustice/laa-ccms-webops @ministryofjustice/modernisation-platform-security @ministryofjustice/modernisation-platform
 /terraform/environments/laa-oem @ministryofjustice/laa-ccms-migration-team @ministryofjustice/modernisation-platform
 /terraform/environments/long-term-storage @ministryofjustice/modernisation-platform-long-term-storage @ministryofjustice/modernisation-platform
From d6ac28f7854af32654954ec54fdeca992761be58 Mon Sep 17 00:00:00 2001
From: Maciej Matysiak <103054339+mmgovuk@users.noreply.github.com>
Date: Thu, 7 Dec 2023 11:15:22 +0000
Subject: [PATCH 133/142] CC-2254: Fixed typos.
---
 terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
index 10bab522b12..e0bfa431aad 100644
--- a/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
+++ b/terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf
@@ -63,10 +63,10 @@ resource "aws_ebs_volume" "ebsdb_swap" {
 
 resource "aws_volume_attachment" "ebsdb_swap_att" {
 depends_on = [
- aws_ebs_volume.swap
+ aws_ebs_volume.ebsdb_swap
 ]
 device_name = "/dev/sdb"
- volume_id = aws_ebs_volume.swap.id
+ volume_id = aws_ebs_volume.ebsdb_swap.id
 instance_id = aws_instance.ec2_oracle_ebs.id
 }
 
From f9cfd896c03ae61ff79e266ab24958efadec1888 Mon Sep 17 00:00:00 2001
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date: Thu, 7 Dec 2023 11:39:26 +0000
Subject: [PATCH 134/142] DSOS-2430: create dev db backup bucket (#4258)
* baseline: add an additional dev db backup bucket and correct some permissions
* correct db backup permissions in nomis
---
 terraform/environments/nomis/locals_test.tf | 4 +-
 terraform/modules/baseline_presets/outputs.tf | 4 +-
 terraform/modules/baseline_presets/s3.tf | 53 +++++++++++++++----
 3 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/terraform/environments/nomis/locals_test.tf b/terraform/environments/nomis/locals_test.tf
index e2092f8467a..4d8e0c2bdb1 100644
--- a/terraform/environments/nomis/locals_test.tf
+++ b/terraform/environments/nomis/locals_test.tf
@@ -8,7 +8,7 @@ locals {
 nomis-audit-archives = {
 custom_kms_key = module.environment.kms_keys["general"].arn
 bucket_policy_v2 = [
- module.baseline_presets.s3_bucket_policies.DevTestEnvironmentsReadOnlyAccessBucketPolicy,
+ module.baseline_presets.s3_bucket_policies.DevelopmentReadOnlyAccessBucketPolicy
 ]
 iam_policies = module.baseline_presets.s3_iam_policies
 }
@@ -17,7 +17,7 @@ locals {
 custom_kms_key = module.environment.kms_keys["general"].arn
 iam_policies = module.baseline_presets.s3_iam_policies
 bucket_policy_v2 = [
- module.baseline_presets.s3_bucket_policies.DevTestEnvironmentsReadOnlyAccessBucketPolicy,
+ module.baseline_presets.s3_bucket_policies.DevelopmentReadOnlyAccessBucketPolicy
 ]
 }
 
diff --git a/terraform/modules/baseline_presets/outputs.tf b/terraform/modules/baseline_presets/outputs.tf index 709caf5587b..30fa55929f8 100644 --- a/terraform/modules/baseline_presets/outputs.tf +++ b/terraform/modules/baseline_presets/outputs.tf @@ -102,9 +102,7 @@ output "s3_bucket_policies" { output "s3_iam_policies" { description = "Map of common iam_policies that can be used to give access to s3_buckets" - value = var.options.s3_iam_policies != null ? { - for key, value in local.s3_iam_policies : key => value if contains(var.options.s3_iam_policies, key) - } : local.s3_iam_policies + value = local.requested_s3_iam_policies } output "s3_buckets" { diff --git a/terraform/modules/baseline_presets/s3.tf b/terraform/modules/baseline_presets/s3.tf index e41056ad76d..4b18e9b6b1a 100644 --- a/terraform/modules/baseline_presets/s3.tf +++ b/terraform/modules/baseline_presets/s3.tf 
@@ -1,38 +1,53 @@ locals { + requested_s3_iam_policies = var.options.s3_iam_policies != null ? { + for key, value in local.s3_iam_policies : key => value if contains(var.options.s3_iam_policies, key) + } : local.s3_iam_policies + s3_buckets = merge( + + # if enable_shared_s3 set, create a bucket in test and production which can be used by dev and test / preprod and prod respectively var.options.enable_shared_s3 && var.environment.environment == "production" ? { "prodpreprod-${var.environment.application_name}-" = { bucket_policy_v2 = [ local.s3_bucket_policies.ImageBuilderWriteAccessBucketPolicy, local.s3_bucket_policies.ProdPreprodEnvironmentsWriteAccessBucketPolicy ] - iam_policies = local.s3_iam_policies + custom_kms_key = var.environment.kms_keys["general"].arn + iam_policies = local.requested_s3_iam_policies } } : {}, var.options.enable_shared_s3 && var.environment.environment == "test" ? { "devtest-${var.environment.application_name}-" = { bucket_policy_v2 = [ local.s3_bucket_policies.ImageBuilderWriteAccessBucketPolicy, local.s3_bucket_policies.DevTestEnvironmentsWriteAndDeleteAccessBucketPolicy ] - iam_policies = local.s3_iam_policies + custom_kms_key = var.environment.kms_keys["general"].arn + iam_policies = local.requested_s3_iam_policies } } : {}, + + # If db_backup_s3 enabled, create db_backups in all environments. + # The test and production buckets allow read access from development and preproduction resepctively var.options.db_backup_s3 && var.environment.environment == "production" ? { "prod-${var.environment.application_name}-db-backup-bucket-" = { bucket_policy_v2 = [ local.s3_bucket_policies.PreprodReadOnlyAccessBucketPolicy ] - iam_policies = local.s3_iam_policies + custom_kms_key = var.environment.kms_keys["general"].arn + iam_policies = local.requested_s3_iam_policies } } : {}, var.options.db_backup_s3 && var.environment.environment == "preproduction" ? 
{ "preprod-${var.environment.application_name}-db-backup-bucket-" = { - bucket_policy_v2 = [ - local.s3_bucket_policies.ProdPreprodEnvironmentsWriteAccessBucketPolicy - ] - iam_policies = local.s3_iam_policies + custom_kms_key = var.environment.kms_keys["general"].arn + iam_policies = local.s3_iam_policies } } : {}, - var.options.db_backup_s3 && var.options.enable_shared_s3 && var.environment.environment == "test" ? { "devtest-${var.environment.application_name}-db-backup-bucket-" = { + var.options.db_backup_s3 && var.environment.environment == "test" ? { "devtest-${var.environment.application_name}-db-backup-bucket-" = { bucket_policy_v2 = [ - local.s3_bucket_policies.DevTestEnvironmentsWriteAndDeleteAccessBucketPolicy + local.s3_bucket_policies.DevelopmentReadOnlyAccessBucketPolicy ] - iam_policies = local.s3_iam_policies - } } : {} + custom_kms_key = var.environment.kms_keys["general"].arn + iam_policies = local.requested_s3_iam_policies + } } : {}, + var.options.db_backup_s3 && var.environment.environment == "development" ? { "dev-${var.environment.application_name}-db-backup-bucket-" = { + custom_kms_key = var.environment.kms_keys["general"].arn + iam_policies = local.requested_s3_iam_policies + } } : {}, ) s3_bucket_policies = { @@ -215,6 +230,22 @@ locals { ] } } + + DevelopmentReadOnlyAccessBucketPolicy = { + effect = "Allow" + actions = [ + "s3:GetBucketLocation", + "s3:GetObject", + "s3:GetObjectTagging", + "s3:ListBucket" + ] + principals = { + type = "AWS" + identifiers = [ + var.environment.account_root_arns["${var.environment.application_name}-development"] + ] + } + } } s3_iam_policies = { From a656ab107026096212cc00c0d4dd61bc8ea39f98 Mon Sep 17 00:00:00 2001 From: Andrew Pepler Date: Thu, 7 Dec 2023 12:32:56 +0000 Subject: [PATCH 135/142] cdpt-chaps: fix task definition reference (#4261) --- terraform/environments/cdpt-chaps/ecs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/terraform/environments/cdpt-chaps/ecs.tf b/terraform/environments/cdpt-chaps/ecs.tf index e5cc2584446..dee1cf837a7 100644 --- a/terraform/environments/cdpt-chaps/ecs.tf +++ b/terraform/environments/cdpt-chaps/ecs.tf @@ -1,5 +1,5 @@ data "aws_ecs_task_definition" "task_definition" { - task_definition = "${local.application_name}-task-definition" + task_definition = aws_ecs_task_definition.chaps_task_definition.family depends_on = [aws_ecs_task_definition.chaps_task_definition] } From 363ff5a62ee576812e0c2c719c8a703333c034a9 Mon Sep 17 00:00:00 2001 From: W Date: Thu, 7 Dec 2023 14:06:20 +0000 Subject: [PATCH 136/142] oasys goodbye ssm params oasys goodbye ssm params --- .../environments/oasys/locals_secrets.tf | 7 --- terraform/environments/oasys/locals_test.tf | 51 +------------------ 2 files changed, 1 insertion(+), 57 deletions(-) diff --git a/terraform/environments/oasys/locals_secrets.tf b/terraform/environments/oasys/locals_secrets.tf index 436881b376a..0b8101d5530 100644 --- a/terraform/environments/oasys/locals_secrets.tf +++ b/terraform/environments/oasys/locals_secrets.tf @@ -1,16 +1,9 @@ locals { - database_ssm_parameters = { - parameters = { - passwords = { description = "database passwords" } - } - } - share_secret_principal_ids_db = [ "arn:aws:iam::${module.environment.account_id}:role/ec2-database-*" ] - secret_policy_write_db = { effect = "Allow" actions = [ diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf index 18381c3951c..a5e363c8995 100644 --- a/terraform/environments/oasys/locals_test.tf +++ b/terraform/environments/oasys/locals_test.tf 
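Review bot: With `task_definition` now referencing `aws_ecs_task_definition.chaps_task_definition.family`, the explicit `depends_on` on the following line is redundant, since the attribute reference already orders the read after the resource. In current Terraform versions a data source that carries `depends_on` is also deferred to apply time on every run, so the `task_definition` output will show as known only after apply; dropping the `depends_on` line avoids that noise.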
@@ -10,25 +10,8 @@ locals { baseline_s3_buckets = { } - baseline_ssm_parameters = { - "/oracle/database/T1OASYS" = local.database_ssm_parameters - "/oracle/database/T1OASREP" = local.database_ssm_parameters - "/oracle/database/T1AZBIPI" = local.database_ssm_parameters - "/oracle/database/T1MISTRN" = local.database_ssm_parameters - "/oracle/database/T1ONRSYS" = local.database_ssm_parameters - "/oracle/database/T1ONRAUD" = local.database_ssm_parameters - "/oracle/database/T1ONRBDS" = local.database_ssm_parameters - - "/oracle/database/T2OASYS" = local.database_ssm_parameters - "/oracle/database/T2OASREP" = local.database_ssm_parameters - "/oracle/database/T2AZBIPI" = local.database_ssm_parameters - "/oracle/database/T2MISTRN" = local.database_ssm_parameters - "/oracle/database/T2ONRSYS" = local.database_ssm_parameters - "/oracle/database/T2ONRAUD" = local.database_ssm_parameters - "/oracle/database/T2ONRBDS" = local.database_ssm_parameters - } + baseline_ssm_parameters = {} baseline_secretsmanager_secrets = { - # NEW "/oracle/database/T1OASYS" = local.secretsmanager_secrets_oasys_db "/oracle/database/T1OASREP" = local.secretsmanager_secrets_db "/oracle/database/T1AZBIPI" = local.secretsmanager_secrets_bip_db 
@@ -49,38 +32,6 @@ locals { "/oracle/bip/t1" = local.secretsmanager_secrets_bip "/oracle/bip/t2" = local.secretsmanager_secrets_bip - - # OLD AND WILL BE REPLACED - - "/database/t1/T1OASYS" = { - secrets = { - apex_listenerpassword = {} # move to /oracle/database/T1OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___} - apex_public_userpassword = {} # move to /oracle/database/T1OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___} - apex_rest_publicpassword = {} # move to /oracle/database/T1OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___} - } - } - "/database/t2/T2OASYS" = { - secrets = { - apex_listenerpassword = {} # move to /oracle/database/T2OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___} - apex_public_userpassword = {} # move to /oracle/database/T2OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___} - apex_rest_publicpassword = {} # move to /oracle/database/T2OASYS/apex-passwords {listener: ___ , (find the name of public user): ___ , rest_public: ___} - } - } - "/database/t2-oasys-db-a/T2BIPINF" = { - secrets = { - systempassword = {} # -> /oracle/database/T2BIPINF/bip-passwords { sys: ___ } - } - } - "/weblogic/test-oasys-bip-b" = { - secrets = { - admin_password = {} # -> /oracle/bip/t2/passwords { weblogic: admin_pass } - admin_username = {} # just have in ansible defaults , username is always weblogic - biplatformpassword = {} # -> /oracle/database/T2AZBIPI/bip-passwords { biplatform: ___ , mdspassword : ___ , sys: ___ } - db_username = {} # put in ansible defaults - mdspassword = {} # -> /oracle/database/T2AZBIPI/bip-passwords { biplatform: ___ , mdspassword : ___ , sys: ___ } - syspassword = {} # -> /oracle/database/T2AZBIPI/bip-passwords { biplatform: ___ , mdspassword : ___ , sys: ___ } - } - } } baseline_iam_policies = { 
From 0e3145ad23db227fee67b0a67a9410ed8ed72928 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Thu, 7 Dec 2023 15:49:49 +0000 Subject: [PATCH 137/142] ndh: DSOS-2421: add secrets (#4263) * Add secrets and ndh-environment tag * terraform fmt * fix --- .../environments/nomis-data-hub/locals.tf | 9 ++++++- .../nomis-data-hub/locals_test.tf | 24 ++++++++++++++++--- terraform/environments/nomis-data-hub/main.tf | 5 ++++ 3 files changed, 34 insertions(+), 4 deletions(-) diff --git a/terraform/environments/nomis-data-hub/locals.tf b/terraform/environments/nomis-data-hub/locals.tf index 22ce3e32d2b..77cf4435d3e 100644 --- a/terraform/environments/nomis-data-hub/locals.tf +++ b/terraform/environments/nomis-data-hub/locals.tf @@ -26,7 +26,8 @@ locals { "ndh_harkemsadmin_ssl_pass", ] - baseline_ssm_parameters = {} + baseline_secretsmanager_secrets = {} + baseline_ssm_parameters = {} baseline_s3_buckets = { s3-bucket = { @@ -35,6 +36,12 @@ locals { } baseline_route53_zones = {} + ndh_secretsmanager_secrets = { + secrets = { + shared = { description = "NDH secrets for both ems and app components" } + } + } + ndh_app_a = { config = merge(module.baseline_presets.ec2_instance.config.default, { ami_name = "nomis_data_hub_rhel_7_9_app_release_2023-05-02T00-00-47.783Z" diff --git a/terraform/environments/nomis-data-hub/locals_test.tf b/terraform/environments/nomis-data-hub/locals_test.tf index dbc3697f319..3c590a8d503 100644 --- a/terraform/environments/nomis-data-hub/locals_test.tf +++ b/terraform/environments/nomis-data-hub/locals_test.tf 
@@ -1,13 +1,31 @@ locals { test_config = { + baseline_secretsmanager_secrets = { + "/ndh/t1" = local.ndh_secretsmanager_secrets + "/ndh/t2" = local.ndh_secretsmanager_secrets + "/ndh/test" = local.ndh_secretsmanager_secrets + } + baseline_ec2_instances = { - test-management-server-2022 = local.management_server_2022 + test-management-server-2022 = merge(local.management_server_2022, { + tags = merge(local.management_server_2022.tags, { + ndh-environment = "test" + }) + }) - test-ndh-app-a = local.ndh_app_a + test-ndh-app-a = merge(local.ndh_app_a, { + tags = merge(local.ndh_app_a.tags, { + ndh-environment = "test" + }) + }) - test-ndh-ems-a = local.ndh_ems_a + test-ndh-ems-a = merge(local.ndh_ems_a, { + tags = merge(local.ndh_ems_a.tags, { + ndh-environment = "test" + }) + }) } baseline_ec2_autoscaling_groups = { diff --git a/terraform/environments/nomis-data-hub/main.tf b/terraform/environments/nomis-data-hub/main.tf index ebfcef1b6a9..b84e8fef0e7 100644 --- a/terraform/environments/nomis-data-hub/main.tf +++ b/terraform/environments/nomis-data-hub/main.tf @@ -71,6 +71,11 @@ module "baseline" { ec2_autoscaling_groups = lookup(local.environment_config, "baseline_ec2_autoscaling_groups", {}) lbs = lookup(local.environment_config, "baseline_lbs", {}) + secretsmanager_secrets = merge( + local.baseline_secretsmanager_secrets, + lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {}) + ) + ssm_parameters = merge( module.baseline_presets.ssm_parameters, local.baseline_ssm_parameters, From b3eb30682b3c42572a0603f9296e2cac6ca2071b Mon Sep 17 00:00:00 2001 
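Review bot: The new `secretsmanager_secrets` argument in main.tf looks up `local.baseline_environment_config`, whereas the neighbouring `ec2_autoscaling_groups` and `lbs` arguments read from `local.environment_config`. If `baseline_environment_config` is not a defined local the plan fails; if it is a different map, the `baseline_secretsmanager_secrets` added to `test_config` in locals_test.tf will never be merged in. Unless the different name is deliberate it should be `lookup(local.environment_config, "baseline_secretsmanager_secrets", {})`. The `module "baseline"` block starts before and ends after the hunk.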
From: George Taylor Date: Thu, 7 Dec 2023 16:19:45 +0000 Subject: [PATCH 138/142] Nit 963 delius core db modularise the database instance terraform (#4255) * initial module declaration * ami to object * set up security groups * adding dns and condensing sg * correct provider configs + ebs/key troubleshooting * refactoring * refactor * Update instance.tf * add correct tags * Update instance.tf * Update instance.tf * move locals * Remove double b64 encode * Update database.tf * enforce subnet spread --- terraform/environments/delius-core/data.tf | 29 + terraform/environments/delius-core/locals.tf | 2 + .../delius-core/locals_development_dev1.tf | 1 + .../delius-core/locals_development_test.tf | 1 + .../{ => components}/ebs_volume/main.tf | 0 .../{ => components}/ebs_volume/variables.tf | 0 .../{ => components}/ebs_volume/versions.tf | 0 .../{oracle_db => oracle_db_instance}/ami.tf | 0 .../{oracle_db => oracle_db_instance}/dns.tf | 2 +- .../ebs_volumes.tf | 2 +- .../instance.tf | 12 +- .../components/oracle_db_instance/locals.tf | 4 + .../outputs.tf | 0 .../variables.tf | 31 +- .../{oracle_db => oracle_db_shared}/iam.tf | 0 .../components/oracle_db_shared/key_pairs.tf | 19 + .../components/oracle_db_shared/outputs.tf | 19 + .../modules/components/oracle_db_shared/s3.tf | 83 +++ .../{oracle_db => oracle_db_shared}/sg.tf | 0 .../{oracle_db => oracle_db_shared}/ssm.tf | 0 .../components/oracle_db_shared/variables.tf | 24 + .../versions.tf | 0 .../environment_all_components/database.tf | 137 +++- .../environment_all_components/db_ec2.tf | 631 ++++++++++++------ .../environment_all_components/db_iam.tf | 294 ++++---- .../environment_all_components/db_s3.tf | 166 ++--- .../environment_all_components/variables.tf | 2 + .../weblogic_service.tf | 2 +- 28 files changed, 995 insertions(+), 466 deletions(-) rename terraform/environments/delius-core/modules/{ => components}/ebs_volume/main.tf (100%) rename terraform/environments/delius-core/modules/{ => 
components}/ebs_volume/variables.tf (100%) rename terraform/environments/delius-core/modules/{ => components}/ebs_volume/versions.tf (100%) rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_instance}/ami.tf (100%) rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_instance}/dns.tf (74%) rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_instance}/ebs_volumes.tf (94%) rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_instance}/instance.tf (74%) create mode 100644 terraform/environments/delius-core/modules/components/oracle_db_instance/locals.tf rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_instance}/outputs.tf (100%) rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_instance}/variables.tf (84%) rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_shared}/iam.tf (100%) create mode 100644 terraform/environments/delius-core/modules/components/oracle_db_shared/key_pairs.tf create mode 100644 terraform/environments/delius-core/modules/components/oracle_db_shared/outputs.tf create mode 100644 terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_shared}/sg.tf (100%) rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_shared}/ssm.tf (100%) create mode 100644 terraform/environments/delius-core/modules/components/oracle_db_shared/variables.tf rename terraform/environments/delius-core/modules/components/{oracle_db => oracle_db_shared}/versions.tf (100%) diff --git a/terraform/environments/delius-core/data.tf b/terraform/environments/delius-core/data.tf index 96a2521d17e..6ade2770185 100644 --- a/terraform/environments/delius-core/data.tf +++ b/terraform/environments/delius-core/data.tf 
@@ -1 +1,30 @@
 #### This file can be used to store data specific to the member account ####
+ data "aws_subnets" "shared-private-a" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.shared.id]
+ }
+ tags = {
+ Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*a"
+ }
+}
+
+data "aws_subnets" "shared-private-b" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.shared.id]
+ }
+ tags = {
+ Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*c"
+ }
+}
+
+data "aws_subnets" "shared-private-c" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.shared.id]
+ }
+ tags = {
+ Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*c"
+ }
+}
diff --git a/terraform/environments/delius-core/locals.tf b/terraform/environments/delius-core/locals.tf
index 4ef7ac29e1a..cbd9018b957 100644
--- a/terraform/environments/delius-core/locals.tf
+++ b/terraform/environments/delius-core/locals.tf
@@ -21,4 +21,6 @@ locals {
 test = []
 dev = ["dev", "test"]
 }
+
+ ordered_subnet_ids = [data.aws_subnets.shared-private-a.ids[0], data.aws_subnets.shared-private-b.ids[0], data.aws_subnets.shared-private-c.ids[0]]
 }
diff --git a/terraform/environments/delius-core/locals_development_dev1.tf b/terraform/environments/delius-core/locals_development_dev1.tf
index 4f44b6797b3..1013d01750c 100644
--- a/terraform/environments/delius-core/locals_development_dev1.tf
+++ b/terraform/environments/delius-core/locals_development_dev1.tf
@@ -7,6 +7,7 @@ locals {
 shared_vpc_cidr = data.aws_vpc.shared.cidr_block
 private_subnet_ids = data.aws_subnets.shared-private.ids
 public_subnet_ids = data.aws_subnets.shared-public.ids
+ ordered_private_subnet_ids = local.ordered_subnet_ids
 data_subnet_ids = data.aws_subnets.shared-data.ids
 data_subnet_a_id = data.aws_subnet.data_subnets_a.id
 route53_inner_zone_info = data.aws_route53_zone.inner
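Review bot: `data "aws_subnets" "shared-private-b"` filters on the Name pattern `-private*c`, the same pattern as `shared-private-c`, so `local.ordered_subnet_ids` in the locals.tf hunk resolves positions 1 and 2 to the same subnet and the `count.index % 3` spread this commit introduces in database.tf ends up placing two instances in one AZ. The tag should read `Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*b"`. Each `ids[0]` also silently takes the first match if the wildcard ever matches more than one subnet per AZ, which is worth confirming against the shared VPC.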
diff --git a/terraform/environments/delius-core/locals_development_test.tf b/terraform/environments/delius-core/locals_development_test.tf
index 01338b9f660..77b80d9f148 100644
--- a/terraform/environments/delius-core/locals_development_test.tf
+++ b/terraform/environments/delius-core/locals_development_test.tf
@@ -6,6 +6,7 @@ locals {
 account_config_test = {
 shared_vpc_cidr = data.aws_vpc.shared.cidr_block
 private_subnet_ids = data.aws_subnets.shared-private.ids
+ ordered_private_subnet_ids = local.ordered_subnet_ids
 public_subnet_ids = data.aws_subnets.shared-public.ids
 data_subnet_ids = data.aws_subnets.shared-data.ids
 data_subnet_a_id = data.aws_subnet.data_subnets_a.id
diff --git a/terraform/environments/delius-core/modules/ebs_volume/main.tf b/terraform/environments/delius-core/modules/components/ebs_volume/main.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/ebs_volume/main.tf
rename to terraform/environments/delius-core/modules/components/ebs_volume/main.tf
diff --git a/terraform/environments/delius-core/modules/ebs_volume/variables.tf b/terraform/environments/delius-core/modules/components/ebs_volume/variables.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/ebs_volume/variables.tf
rename to terraform/environments/delius-core/modules/components/ebs_volume/variables.tf
diff --git a/terraform/environments/delius-core/modules/ebs_volume/versions.tf b/terraform/environments/delius-core/modules/components/ebs_volume/versions.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/ebs_volume/versions.tf
rename to terraform/environments/delius-core/modules/components/ebs_volume/versions.tf
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/ami.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/ami.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/components/oracle_db/ami.tf
rename to terraform/environments/delius-core/modules/components/oracle_db_instance/ami.tf
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/dns.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/dns.tf
similarity index 74%
rename from terraform/environments/delius-core/modules/components/oracle_db/dns.tf
rename to terraform/environments/delius-core/modules/components/oracle_db_instance/dns.tf
index d88a4f6d01f..ea70a7e5780 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db/dns.tf
+++ b/terraform/environments/delius-core/modules/components/oracle_db_instance/dns.tf
@@ -1,7 +1,7 @@
 resource "aws_route53_record" "db_ec2_instance" {
 provider = aws.core-vpc
 zone_id = var.account_config.route53_inner_zone_info.zone_id
- name = var.db_type == "primary" ? "delius-${var.env_name}-db-${var.db_count_index}.${var.account_config.route53_inner_zone_info.name}" : "delius-${var.env_name}-db-${var.db_count_index0}.${var.account_config.route53_inner_zone_info.name}"
+ name = var.db_type == "primary" ? "delius-${var.env_name}-db-${var.db_count_index}.${var.account_config.route53_inner_zone_info.name}" : "delius-${var.env_name}-db-${var.db_count_index + 1}.${var.account_config.route53_inner_zone_info.name}"
 type = "CNAME"
 ttl = 300
 records = [aws_instance.db_ec2.private_dns]
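Review bot: The standby index arithmetic `var.db_count_index + 1` in the new `name` line duplicates what this commit adds as `local.instance_name_index` in oracle_db_instance/locals.tf and already uses for the instance `Name` tag, so the DNS name and the tag can drift if either expression is edited alone. Since both branches of the conditional differ only in that index, the whole expression collapses to `name = "delius-${var.env_name}-db-${local.instance_name_index}.${var.account_config.route53_inner_zone_info.name}"`.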
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/ebs_volumes.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/ebs_volumes.tf similarity index 94% rename from terraform/environments/delius-core/modules/components/oracle_db/ebs_volumes.tf rename to terraform/environments/delius-core/modules/components/oracle_db_instance/ebs_volumes.tf index 1a8ec0fc675..825236c7c76 100644 --- a/terraform/environments/delius-core/modules/components/oracle_db/ebs_volumes.tf +++ b/terraform/environments/delius-core/modules/components/oracle_db_instance/ebs_volumes.tf @@ -1,5 +1,5 @@ module "ebs_volumes" { - source = "../../ebs_volume" + source = "../ebs_volume" for_each = { for k, v in var.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == false } diff --git a/terraform/environments/delius-core/modules/components/oracle_db/instance.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf similarity index 74% rename from terraform/environments/delius-core/modules/components/oracle_db/instance.tf rename to terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf index 08ae64bf639..a128a393d03 100644 --- a/terraform/environments/delius-core/modules/components/oracle_db/instance.tf +++ b/terraform/environments/delius-core/modules/components/oracle_db_instance/instance.tf 
@@ -2,16 +2,16 @@ resource "aws_instance" "db_ec2" {
 #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either."
- instance_type = var.db_type
+ instance_type = var.ec2_instance_type
 ami = data.aws_ami.oracle_db.id
- vpc_security_group_ids = [aws_security_group.db_ec2.id, aws_security_group.db_ec2.id]
+ vpc_security_group_ids = var.security_group_ids
 subnet_id = var.subnet_id
- iam_instance_profile = aws_iam_instance_profile.db_ec2_instanceprofile.name
+ iam_instance_profile = var.instance_profile.name
 associate_public_ip_address = false
 monitoring = var.monitoring
 ebs_optimized = true
 key_name = var.ec2_key_pair_name
- user_data_base64 = base64encode(var.user_data)
+ user_data_base64 = var.user_data
 metadata_options {
 http_endpoint = var.metadata_options.http_endpoint
@@ -36,8 +36,8 @@ resource "aws_instance" "db_ec2" {
 }
 }
 tags = merge(var.tags,
- { Name = lower(format("%s-delius-db-%s", var.env_name, var.db_count_index)) },
+ { Name = lower(format("%s-delius-db-%s", var.env_name, local.instance_name_index)) },
 { server-type = "delius_core_db" },
- { database = "delius_${var.db_name}" }
+ { database = local.database_tag }
 )
 }
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_instance/locals.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/locals.tf
new file mode 100644
index 00000000000..6a76b7a4825
--- /dev/null
+++ b/terraform/environments/delius-core/modules/components/oracle_db_instance/locals.tf
@@ -0,0 +1,4 @@
+locals {
+ instance_name_index = var.db_type == "primary" ? var.db_count_index : var.db_count_index + 1
+ database_tag = var.db_type == "primary" ? "delius_${var.db_type}db" : "delius_${var.db_type}db${var.db_count_index}"
+}
\ No newline at end of file
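Review bot: The `#checkov:skip=CKV2_AWS_41` justification on the first context line ("IAM role is not implemented for this example EC2. SSH/AWS keys are not used either.") is contradicted by the new side of the same hunk, which attaches `iam_instance_profile = var.instance_profile.name` and `key_name = var.ec2_key_pair_name`. A suppression whose reason no longer holds hides the check for exactly the resource it was meant to cover; drop the skip line so the check evaluates the real configuration, or rewrite the reason to say why the attached profile is acceptable. The `resource "aws_instance" "db_ec2"` block starts before the hunk and its `metadata_options` block continues after it, so whether `http_tokens` is set to `required` is not visible here — worth confirming, since the replaced db_ec2.tf in this same patch carried `http_tokens = "optional"`.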
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/outputs.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/outputs.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/components/oracle_db/outputs.tf
rename to terraform/environments/delius-core/modules/components/oracle_db_instance/outputs.tf
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/variables.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf
similarity index 84%
rename from terraform/environments/delius-core/modules/components/oracle_db/variables.tf
rename to terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf
index 0e1706a58cd..cbd1ee8267c 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db/variables.tf
+++ b/terraform/environments/delius-core/modules/components/oracle_db_instance/variables.tf
@@ -4,19 +4,14 @@ variable "db_type" {
 type = string
 }
-variable "db_name" {
- description = "Database name"
+variable "ec2_instance_type" {
+ description = "EC2 instance type"
 type = string
-}
-
-variable "db_count_index0" {
- description = "Database count index"
- type = number
- default = 0
+ default = "r6i.xlarge"
 }
 variable "db_count_index" {
- description = "Database count index + 1"
+ description = "Database count index"
 type = number
 default = 1
 }
@@ -104,4 +99,20 @@ variable "environment_config" {
 variable "ec2_key_pair_name" {
 description = "EC2 key pair name to associate with the instance"
 type = string
-}
\ No newline at end of file
+}
+
+variable "standby_dbs_required" {
+ description = "Number of standby databases required"
+ type = number
+ default = 0
+}
+
+variable "instance_profile" {
+ description = "The instance profile to attach"
+ type = any
+}
+
+variable "security_group_ids" {
+ description = "A list of security group IDs to attach"
+ type = list(string)
+}
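Review bot: `variable "instance_profile"` is declared `type = any` even though the only use this patch makes of it, in instance.tf, is `var.instance_profile.name`, so a caller passing the wrong object gets an attribute-lookup error at plan time rather than a clear type mismatch; `type = object({ name = string })`, or simply accepting the profile name as a string, keeps the module contract explicit. `standby_dbs_required` is added with a default but does not appear to be referenced by any hunk in this patch — if it is unused, drop it, otherwise name the intended consumer in its description.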
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/iam.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/components/oracle_db/iam.tf
rename to terraform/environments/delius-core/modules/components/oracle_db_shared/iam.tf
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/key_pairs.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/key_pairs.tf
new file mode 100644
index 00000000000..e1e555720ef
--- /dev/null
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/key_pairs.tf
@@ -0,0 +1,19 @@
+# Create SSM parameter to hold parameter with value to be manually added
+resource "aws_ssm_parameter" "ec2_user_ssh_key" {
+ name = format("/%s/oracle_db/ec2-user-ssh-key", var.env_name)
+ type = "SecureString"
+ value = "initial_value_to_be_changed"
+ key_id = var.account_config.general_shared_kms_key_arn
+ description = format("ssh private key for ec2-user used for the %s environment", var.env_name)
+ tags = var.tags
+
+ lifecycle {
+ ignore_changes = [value]
+ }
+}
+
+resource "aws_key_pair" "db_ec2_key_pair" {
+ key_name = format("%s-oracle-db-ec2-user-key-pair", var.env_name)
+ public_key = var.environment_config.ec2_user_ssh_key
+ tags = var.tags
+}
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/outputs.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/outputs.tf
new file mode 100644
index 00000000000..751fd0005ef
--- /dev/null
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/outputs.tf
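Review bot: `key_id = var.account_config.general_shared_kms_key_arn` reads the KMS key through a different attribute path from `custom_kms_key = var.account_config.kms_keys.general_shared` in this module's s3.tf, and `account_config` is declared `type = any` in the module's variables.tf, so whichever path is wrong is only caught at apply. The two should be aligned with the shape `account_config` actually has. The SecureString is created with the placeholder `initial_value_to_be_changed` and `ignore_changes = [value]`, so Terraform never verifies that a real private key was loaded, and nothing links it to the public key taken from `environment_config.ec2_user_ssh_key`; the header comment should say that the value is set out of band and must correspond to that public key, e.g. `# Placeholder only: the private key matching environment_config.ec2_user_ssh_key is written to this parameter out of band; Terraform ignores the value thereafter.`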
@@ -0,0 +1,19 @@
+output "security_group" {
+ value = aws_security_group.db_ec2
+}
+
+output "instance_profile" {
+ value = aws_iam_instance_profile.db_ec2_instanceprofile
+}
+
+output "iam_role" {
+ value = aws_iam_role.db_ec2_instance_iam_role
+}
+
+output "db_key_pair" {
+ value = aws_key_pair.db_ec2_key_pair
+}
+
+output "db_ssh_key_ssm_parameter" {
+ value = aws_ssm_parameter.ec2_user_ssh_key
+}
\ No newline at end of file
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf
new file mode 100644
index 00000000000..9be1bfec140
--- /dev/null
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf
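Review bot: `output "db_ssh_key_ssm_parameter"` exports the whole `aws_ssm_parameter.ec2_user_ssh_key` object, whose `value` attribute is the SecureString holding the private key; the AWS provider marks that attribute sensitive, so Terraform will refuse this output unless it is declared `sensitive = true`, and even then the secret is copied into the calling module's state as an output. Export only what callers need, e.g. `value = aws_ssm_parameter.ec2_user_ssh_key.name`. The other four outputs likewise return full resource objects where the consumers in database.tf only read `.id`, `.key_name` and the profile; narrowing them to those attributes keeps the module interface stable when the underlying resources gain fields.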
@@ -0,0 +1,83 @@
+module "s3_bucket_oracledb_backups" {
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0"
+ bucket_name = "${var.env_name}-oracle-database-backups"
+ versioning_enabled = false
+ ownership_controls = "BucketOwnerEnforced"
+ replication_enabled = false
+ custom_kms_key = var.account_config.kms_keys.general_shared
+
+ providers = {
+ aws.bucket-replication = aws.bucket-replication
+ }
+
+ lifecycle_rule = [
+ {
+ id = "main"
+ enabled = "Enabled"
+ prefix = ""
+
+ tags = {
+ rule = "log"
+ autoclean = "true"
+ }
+
+ transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }
+ ]
+
+ expiration = {
+ days = 365
+ }
+ }
+ ]
+
+ tags = var.tags
+}
+
+data "aws_iam_policy_document" "oracledb_backup_bucket_access" {
+ statement {
+ sid = "allowAccessToOracleDbBackupBucket"
+ effect = "Allow"
+ actions = [
+ "s3:*"
+ ]
+ resources = [
+ "${module.s3_bucket_oracledb_backups.bucket.arn}",
+ "${module.s3_bucket_oracledb_backups.bucket.arn}/*"
+ ]
+ }
+
+ statement {
+ sid = "AllowAccessToS3OracleBackups"
+ effect = "Allow"
+ actions = [
+ "s3:Get*",
+ "s3:List*"
+ ]
+ resources = [
+ "arn:aws:s3:::eu-west-2-dmd-mis-dev-oracledb-backups",
+ "arn:aws:s3:::eu-west-2-dmd-mis-dev-oracledb-backups/*"
+ ]
+ }
+
+ statement {
+ sid = "listAllBuckets"
+ effect = "Allow"
+ actions = [
+ "s3:ListAllMyBuckets",
+ "s3:GetBucketLocation"
+ ]
+ resources = [
+ "arn:aws:s3:::*"
+ ]
+ }
+}
+
+resource "aws_iam_role_policy" "oracledb_backup_bucket_access_policy" {
+ name = "${var.env_name}-oracledb-backup-bucket-access-policy"
+ role = aws_iam_role.db_ec2_instance_iam_role.name
+ policy = data.aws_iam_policy_document.oracledb_backup_bucket_access.json
+}
\ No newline at end of file
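Review bot: The `allowAccessToOracleDbBackupBucket` statement grants `s3:*` on the backup bucket to the database instance role, which includes bucket-management actions (bucket policy, ACL, lifecycle, delete-bucket) a backup job has no reason to hold; restrict it to the object and list operations the job uses, e.g. `actions = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]`. The second statement hard-codes `eu-west-2-dmd-mis-dev-oracledb-backups` inside a module parameterised by `var.env_name`, so every environment this module is instantiated for, not only dev, is granted read on that bucket — the ARN belongs in a module variable. With `versioning_enabled = false` an accidental overwrite or delete of a backup object cannot be undone, which is worth an explanatory comment if it is deliberate.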
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/sg.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/sg.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/components/oracle_db/sg.tf
rename to terraform/environments/delius-core/modules/components/oracle_db_shared/sg.tf
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/ssm.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/ssm.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/components/oracle_db/ssm.tf
rename to terraform/environments/delius-core/modules/components/oracle_db_shared/ssm.tf
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/variables.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/variables.tf
new file mode 100644
index 00000000000..5b467d1cb65
--- /dev/null
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/variables.tf
@@ -0,0 +1,24 @@
+variable "env_name" {
+ description = "Environment name short ie dev"
+ type = string
+}
+
+
+variable "tags" {
+ description = "Tags to apply to the instance"
+ type = map(string)
+}
+
+variable "environment_config" {
+ type = object({
+ migration_environment_private_cidr = optional(list(string))
+ migration_environment_db_cidr = optional(list(string))
+ legacy_engineering_vpc_cidr = string
+ ec2_user_ssh_key = string
+ })
+}
+
+variable "account_config" {
+ description = "Account config to pass to the instance"
+ type = any
+}
diff --git a/terraform/environments/delius-core/modules/components/oracle_db/versions.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/versions.tf
similarity index 100%
rename from terraform/environments/delius-core/modules/components/oracle_db/versions.tf
rename to terraform/environments/delius-core/modules/components/oracle_db_shared/versions.tf
diff --git a/terraform/environments/delius-core/modules/environment_all_components/database.tf b/terraform/environments/delius-core/modules/environment_all_components/database.tf
index b031acedf57..ea7aea7d31b 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/database.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/database.tf
@@ -1,11 +1,35 @@
-module "oracle_db" {
- source = "../components/oracle_db"
+module "oracle_db_shared" {
+ source = "../components/oracle_db_shared"
+ account_config = var.account_config
+ environment_config = var.environment_config
+ env_name = var.env_name
+ tags = local.tags
+
+ providers = {
+ aws.bucket-replication = aws
+ aws.core-vpc = aws.core-vpc
+ aws.core-network-services = aws.core-network-services
+ }
+
+}
+
+module "oracle_db_primary" {
+ source = "../components/oracle_db_instance"
 account_config = var.account_config
 db_ami = {
 name_regex = "^delius_core_ol_8_5_oracle_db_19c_"
 owners = [var.platform_vars.environment_management.account_ids["core-shared-services-production"]]
 }
- db_name = "primary"
+ db_type = "primary"
+ count = 1
+ db_count_index = count.index + 1
+ ec2_instance_type = "r6i.xlarge"
+
+ instance_profile = module.oracle_db_shared.instance_profile
+ security_group_ids = [module.oracle_db_shared.security_group.id]
+
+ ec2_key_pair_name = module.oracle_db_shared.db_key_pair.key_name
+
 ebs_volumes = {
 kms_key_id = var.account_config.kms_keys.ebs_shared
 tags = local.tags
@@ -71,8 +95,8 @@ module "oracle_db" {
 }
 env_name = var.env_name
 environment_config = var.environment_config
- subnet_id = var.account_config.private_subnet_ids[0]
- tags = var.tags
+ subnet_id = var.account_config.ordered_private_subnet_ids[count.index % 3]
+ tags = local.tags
 user_data = base64encode(
 templatefile(
 "${path.module}/templates/userdata.sh.tftpl",
@@ -85,8 +109,109 @@ module "oracle_db" {
 )
 )
- ec2_key_pair_name = aws_key_pair.environment_ec2_user_key_pair.key_name
+ providers = {
+ aws.bucket-replication = aws
+ aws.core-vpc = aws.core-vpc
+ aws.core-network-services = aws.core-network-services
+ }
+}
+
+module "oracle_db_standby" {
+ source = "../components/oracle_db_instance"
+ account_config = var.account_config
+ db_ami = {
+ name_regex = "^delius_core_ol_8_5_oracle_db_19c_"
+ owners = [var.platform_vars.environment_management.account_ids["core-shared-services-production"]]
+ }
+ db_type = "standby"
+ count = 2
+ db_count_index = count.index + 1
+
+ ec2_instance_type = "r6i.xlarge"
+
+ instance_profile = module.oracle_db_shared.instance_profile
+ security_group_ids = [module.oracle_db_shared.security_group.id]
+ ec2_key_pair_name = module.oracle_db_shared.db_key_pair.key_name
+
+ ebs_volumes = {
+ kms_key_id = var.account_config.kms_keys.ebs_shared
+ tags = local.tags
+ iops = 3000
+ throughput = 125
+ root_volume = {
+ volume_type = "gp3"
+ volume_size = 30
+ no_device = false
+ }
+ ebs_non_root_volumes = {
+ "/dev/sdb" = {
+ # /u01 oracle app disk
+ volume_type = "gp3"
+ volume_size = 200
+ no_device = false
+ }
+ "/dev/sdc" = {
+ # /u02 oracle app disk
+ volume_type = "gp3"
+ volume_size = 100
+ no_device = false
+ }
+ "/dev/sds" = {
+ # swap disk
+ volume_type = "gp3"
+ volume_size = 4
+ no_device = false
+ }
+ "/dev/sde" = {
+ # oracle asm disk DATA01
+ volume_type = "gp3"
+ volume_size = 500
+ no_device = false
+ }
+ "/dev/sdf" = {
+ # oracle asm disk DATA02
+ no_device = true
+ }
+ "/dev/sdg" = {
+ # oracle asm disk DATA03
+ no_device = true
+ }
+ "/dev/sdh" = {
+ # oracle asm disk DATA04
+ no_device = true
+ }
+ "/dev/sdi" = {
+ # oracle asm disk DATA05
+ no_device = true
+ }
+ "/dev/sdj" = {
+ # oracle asm disk FLASH01
+ volume_type = "gp3"
+ volume_size = 500
+ no_device = false
+ }
+ "/dev/sdk" = {
+ # oracle asm disk FLASH02
+ no_device = true
+ }
+ }
+ }
+ env_name = var.env_name
+ environment_config = var.environment_config
+ subnet_id = var.account_config.ordered_private_subnet_ids[(count.index + length(module.oracle_db_primary) % 3)]
+ tags = local.tags
+ user_data = base64encode(
+ templatefile(
+ "${path.module}/templates/userdata.sh.tftpl",
+ {
+ branch = "main"
+ ansible_repo = "modernisation-platform-configuration-management"
+ ansible_repo_basedir = "ansible"
+ ansible_args = "oracle_19c_install"
+ }
+ )
+ )
 providers = {
 aws.bucket-replication = aws
 aws.core-vpc = aws.core-vpc
diff --git a/terraform/environments/delius-core/modules/environment_all_components/db_ec2.tf b/terraform/environments/delius-core/modules/environment_all_components/db_ec2.tf
index 64e7487a12c..f579be32fa6 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/db_ec2.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/db_ec2.tf
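Review bot: The standby `subnet_id` index `(count.index + length(module.oracle_db_primary) % 3)` applies the modulo to `length(...)` alone, because `%` binds tighter than `+`, so the expression is simply `count.index + 1` with no wrap-around; it happens to work for `count = 2` and raises an index-out-of-range error as soon as a third standby is added. The intended spread is `subnet_id = var.account_config.ordered_private_subnet_ids[(count.index + length(module.oracle_db_primary)) % 3]`, matching the `count.index % 3` form used for the primary. The `module "oracle_db_standby"` block's closing `providers` section and the earlier `module "oracle_db_primary"` block extend beyond this hunk.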
@@ -1,211 +1,420 @@ -# Pre-reqs - security groups -resource "aws_security_group" "db_ec2_instance_sg" { - name = format("%s-sg-delius-db-ec2-instance", var.env_name) - description = "Controls access to db ec2 instance" - vpc_id = var.account_info.vpc_id - tags = merge(local.tags, - { Name = lower(format("%s-sg-delius-db-ec2-instance", var.env_name)) } - ) -} - -resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" { - security_group_id = aws_security_group.db_ec2_instance_sg.id - cidr_ipv4 = "0.0.0.0/0" - from_port = 443 - to_port = 443 - ip_protocol = "tcp" - description = "Allow communication out on port 443, e.g. for SSM" - tags = merge(local.tags, - { Name = "https-out" } - ) -} - -resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_rman" { - security_group_id = aws_security_group.db_ec2_instance_sg.id - cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr - from_port = 1521 - to_port = 1521 - ip_protocol = "tcp" - description = "Allow communication out on port 1521 to legacy rman" - tags = merge(local.tags, - { Name = "legacy-rman-out" } - ) -} - -resource "aws_vpc_security_group_ingress_rule" "db_ec2_instance_rman" { - security_group_id = aws_security_group.db_ec2_instance_sg.id - cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr - from_port = 1521 - to_port = 1521 - ip_protocol = "tcp" - description = "Allow communication in on port 1521 from legacy rman" - tags = merge(local.tags, - { Name = "legacy-rman-in" } - ) -} - -# Resources associated to the instance -data "aws_ami" "oracle_db_ami" { - for_each = { - for item in var.db_config : item.name => item - } - owners = [var.platform_vars.environment_management.account_ids["core-shared-services-production"]] - name_regex = each.value.ami_name_regex - most_recent = true -} - -resource "aws_instance" "db_ec2_instance" { - for_each = { - for item in var.db_config : item.name => item - } - - #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this 
example EC2. SSH/AWS keys are not used either." - instance_type = each.value.instance.instance_type - # Temporarily hard coding AMI until we have a better solution to locking EC2 isntances to specific AZs - ami = "ami-084f5c88fe5bb9d44" - vpc_security_group_ids = [aws_security_group.db_ec2_instance_sg.id, aws_security_group.delius_db_security_group.id] - subnet_id = var.account_config.data_subnet_a_id - iam_instance_profile = aws_iam_instance_profile.db_ec2_instanceprofile.name - associate_public_ip_address = false - monitoring = each.value.instance.monitoring - ebs_optimized = true - key_name = aws_key_pair.environment_ec2_user_key_pair.key_name - user_data_base64 = each.value.user_data_raw - - metadata_options { - http_endpoint = "enabled" - http_tokens = "optional" - } - - root_block_device { - volume_type = each.value.ebs_volumes.root_volume.volume_type - volume_size = each.value.ebs_volumes.root_volume.volume_size - iops = each.value.ebs_volumes.iops - throughput = each.value.ebs_volumes.throughput - encrypted = true - kms_key_id = each.value.ebs_volumes.kms_key_id - tags = local.tags - } - - dynamic "ephemeral_block_device" { - for_each = { for k, v in each.value.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true } - content { - device_name = ephemeral_block_device.key - no_device = true - } - } - tags = merge(local.tags, - { Name = lower(format("%s-delius-db-%s", var.env_name, index(var.db_config, each.value) + 1)) }, - { server-type = "delius_core_db" }, - { database = "delius_${each.value.name}" } - ) -} - -locals { - flattened_ebs_volumes = flatten([ - for db_config_instance in var.db_config : - [ - for key, ebs_non_root_volumes in db_config_instance.ebs_volumes.ebs_non_root_volumes : - { - key = "${db_config_instance.name}-${key}" - block_name = key - index_name = db_config_instance.name - ebs_config = db_config_instance.ebs_volumes - ebs_non_root_volumes = ebs_non_root_volumes - } if ebs_non_root_volumes.no_device == false - ] - ]) -} - 
-module "ebs_volumes" { - source = "../ebs_volume" - for_each = { - for entry in local.flattened_ebs_volumes : - entry.key => entry - } - availability_zone = aws_instance.db_ec2_instance[each.value.index_name].availability_zone - instance_id = aws_instance.db_ec2_instance[each.value.index_name].id - device_name = each.value.block_name - size = each.value.ebs_non_root_volumes.volume_size - iops = each.value.ebs_config.iops - throughput = each.value.ebs_config.throughput - tags = local.tags - kms_key_id = each.value.ebs_config.kms_key_id - depends_on = [ - aws_instance.db_ec2_instance - ] -} - -resource "aws_route53_record" "db_ec2_instance" { - for_each = { - for item in var.db_config : item.name => item - } - provider = aws.core-vpc - zone_id = var.account_config.route53_inner_zone_info.zone_id - name = each.key == "primary-db" ? "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}" : "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}" - type = "CNAME" - ttl = 300 - records = [aws_instance.db_ec2_instance[each.key].private_dns] -} - -resource "aws_security_group" "delius_db_security_group" { - name = format("%s - Delius Core DB", var.env_name) - description = "Rules for the delius testing db ecs service" - vpc_id = var.account_config.shared_vpc_id - tags = local.tags - lifecycle { - create_before_destroy = true - } -} - -resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_private_subnets" { - security_group_id = aws_security_group.delius_db_security_group.id - description = "weblogic to testing db" - from_port = var.delius_db_container_config.port - to_port = var.delius_db_container_config.port - ip_protocol = "tcp" - referenced_security_group_id = aws_security_group.weblogic_service.id -} - -resource "aws_vpc_security_group_ingress_rule" "db_inter_conn" { - security_group_id = 
aws_security_group.delius_db_security_group.id - description = "Allow communication between delius db instances" - from_port = 1521 - to_port = 1521 - ip_protocol = "tcp" - referenced_security_group_id = aws_security_group.delius_db_security_group.id -} - -resource "aws_vpc_security_group_egress_rule" "db_inter_conn" { - security_group_id = aws_security_group.delius_db_security_group.id - description = "Allow communication between delius db instances" - from_port = 1521 - to_port = 1521 - ip_protocol = "tcp" - referenced_security_group_id = aws_security_group.delius_db_security_group.id -} - - -resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_bastion" { - security_group_id = aws_security_group.delius_db_security_group.id - description = "bastion to testing db" - from_port = var.delius_db_container_config.port - to_port = var.delius_db_container_config.port - ip_protocol = "tcp" - referenced_security_group_id = var.bastion.security_group_id -} - -resource "aws_vpc_security_group_egress_rule" "delius_db_security_group_egress_internet" { - security_group_id = aws_security_group.delius_db_security_group.id - description = "outbound from the testing db ecs service" - ip_protocol = "tcp" - to_port = 443 - from_port = 443 - cidr_ipv4 = "0.0.0.0/0" -} - -resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" { - name = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name) - retention_in_days = 7 - tags = local.tags -} +## Pre-reqs - security groups +#resource "aws_security_group" "db_ec2_instance_sg" { +# name = format("%s-sg-delius-db-ec2-instance", var.env_name) +# description = "Controls access to db ec2 instance" +# vpc_id = var.account_info.vpc_id +# tags = merge(local.tags, +# { Name = lower(format("%s-sg-delius-db-ec2-instance", var.env_name)) } +# ) +#} +# +#resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" { +# security_group_id = 
aws_security_group.db_ec2_instance_sg.id +# cidr_ipv4 = "0.0.0.0/0" +# from_port = 443 +# to_port = 443 +# ip_protocol = "tcp" +# description = "Allow communication out on port 443, e.g. for SSM" +# tags = merge(local.tags, +# { Name = "https-out" } +# ) +#} +# +#resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_rman" { +# security_group_id = aws_security_group.db_ec2_instance_sg.id +# cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr +# from_port = 1521 +# to_port = 1521 +# ip_protocol = "tcp" +# description = "Allow communication out on port 1521 to legacy rman" +# tags = merge(local.tags, +# { Name = "legacy-rman-out" } +# ) +#} +# +#resource "aws_vpc_security_group_ingress_rule" "db_ec2_instance_rman" { +# security_group_id = aws_security_group.db_ec2_instance_sg.id +# cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr +# from_port = 1521 +# to_port = 1521 +# ip_protocol = "tcp" +# description = "Allow communication in on port 1521 from legacy rman" +# tags = merge(local.tags, +# { Name = "legacy-rman-in" } +# ) +#} +# +## Resources associated to the instance +#data "aws_ami" "oracle_db_ami" { +# for_each = { +# for item in var.db_config : item.name => item +# } +# owners = [var.platform_vars.environment_management.account_ids["core-shared-services-production"]] +# name_regex = each.value.ami_name_regex +# most_recent = true +#} +# +#resource "aws_instance" "db_ec2_instance" { +# for_each = { +# for item in var.db_config : item.name => item +# } +# +# #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either." 
+# instance_type = each.value.instance.instance_type +# ami = data.aws_ami.oracle_db_ami[each.key].id +# vpc_security_group_ids = [aws_security_group.db_ec2_instance_sg.id, aws_security_group.delius_db_security_group.id] +# subnet_id = var.account_config.data_subnet_a_id +# iam_instance_profile = aws_iam_instance_profile.db_ec2_instanceprofile.name +# associate_public_ip_address = false +# monitoring = each.value.instance.monitoring +# ebs_optimized = true +# key_name = aws_key_pair.environment_ec2_user_key_pair.key_name +# user_data_base64 = each.value.user_data_raw +# +# metadata_options { +# http_endpoint = "enabled" +# http_tokens = "optional" +# } +# +# root_block_device { +# volume_type = each.value.ebs_volumes.root_volume.volume_type +# volume_size = each.value.ebs_volumes.root_volume.volume_size +# iops = each.value.ebs_volumes.iops +# throughput = each.value.ebs_volumes.throughput +# encrypted = true +# kms_key_id = each.value.ebs_volumes.kms_key_id +# tags = local.tags +# } +# +# dynamic "ephemeral_block_device" { +# for_each = { for k, v in each.value.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true } +# content { +# device_name = ephemeral_block_device.key +# no_device = true +# } +# } +# tags = merge(local.tags, +# { Name = lower(format("%s-delius-db-%s", var.env_name, index(var.db_config, each.value) + 1)) }, +# { server-type = "delius_core_db" }, +# { database = "delius_${each.value.name}" } +# ) +#} +# +#locals { +# flattened_ebs_volumes = flatten([ +# for db_config_instance in var.db_config : +# [ +# for key, ebs_non_root_volumes in db_config_instance.ebs_volumes.ebs_non_root_volumes : +# { +# key = "${db_config_instance.name}-${key}" +# block_name = key +# index_name = db_config_instance.name +# ebs_config = db_config_instance.ebs_volumes +# ebs_non_root_volumes = ebs_non_root_volumes +# } if ebs_non_root_volumes.no_device == false +# ] +# ]) +#} +# +#module "ebs_volumes" { +# source = "../components/ebs_volume" +# for_each = { +# 
for entry in local.flattened_ebs_volumes : +# entry.key => entry +# } +# availability_zone = aws_instance.db_ec2_instance[each.value.index_name].availability_zone +# instance_id = aws_instance.db_ec2_instance[each.value.index_name].id +# device_name = each.value.block_name +# size = each.value.ebs_non_root_volumes.volume_size +# iops = each.value.ebs_config.iops +# throughput = each.value.ebs_config.throughput +# tags = local.tags +# kms_key_id = each.value.ebs_config.kms_key_id +# depends_on = [ +# aws_instance.db_ec2_instance +# ] +#} +# +#resource "aws_route53_record" "db_ec2_instance" { +# for_each = { +# for item in var.db_config : item.name => item +# } +# provider = aws.core-vpc +# zone_id = var.account_config.route53_inner_zone_info.zone_id +# name = each.key == "primary-db" ? "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}" : "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}" +# type = "CNAME" +# ttl = 300 +# records = [aws_instance.db_ec2_instance[each.key].private_dns] +#} +# +#resource "aws_security_group" "delius_db_security_group" { +# name = format("%s - Delius Core DB", var.env_name) +# description = "Rules for the delius testing db ecs service" +# vpc_id = var.account_config.shared_vpc_id +# tags = local.tags +# lifecycle { +# create_before_destroy = true +# } +#} +# +#resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_private_subnets" { +# security_group_id = aws_security_group.delius_db_security_group.id +# description = "weblogic to testing db" +# from_port = var.delius_db_container_config.port +# to_port = var.delius_db_container_config.port +# ip_protocol = "tcp" +# referenced_security_group_id = aws_security_group.weblogic_service.id +#} +# +#resource "aws_vpc_security_group_ingress_rule" "db_inter_conn" { +# security_group_id = aws_security_group.delius_db_security_group.id +# 
description = "Allow communication between delius db instances" +# from_port = 1521 +# to_port = 1521 +# ip_protocol = "tcp" +# referenced_security_group_id = aws_security_group.delius_db_security_group.id +#} +# +#resource "aws_vpc_security_group_egress_rule" "db_inter_conn" { +# security_group_id = aws_security_group.delius_db_security_group.id +# description = "Allow communication between delius db instances" +# from_port = 1521 +# to_port = 1521 +# ip_protocol = "tcp" +# referenced_security_group_id = aws_security_group.delius_db_security_group.id +#} +# +# +#resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_bastion" { +# security_group_id = aws_security_group.delius_db_security_group.id +# description = "bastion to testing db" +# from_port = var.delius_db_container_config.port +# to_port = var.delius_db_container_config.port +# ip_protocol = "tcp" +# referenced_security_group_id = var.bastion.security_group_id +#} +# +#resource "aws_vpc_security_group_egress_rule" "delius_db_security_group_egress_internet" { +# security_group_id = aws_security_group.delius_db_security_group.id +# description = "outbound from the testing db ecs service" +# ip_protocol = "tcp" +# to_port = 443 +# from_port = 443 +# cidr_ipv4 = "0.0.0.0/0" +#} +# +#resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" { +# name = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name) +# retention_in_days = 7 +# tags = local.tags +#}<<<<<<< HEAD +## Pre-reqs - security groups +#resource "aws_security_group" "db_ec2_instance_sg" { +# name = format("%s-sg-delius-db-ec2-instance", var.env_name) +# description = "Controls access to db ec2 instance" +# vpc_id = var.account_info.vpc_id +# tags = merge(local.tags, +# { Name = lower(format("%s-sg-delius-db-ec2-instance", var.env_name)) } +# ) +#} +# +#resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_https_out" { +# security_group_id = 
aws_security_group.db_ec2_instance_sg.id +# cidr_ipv4 = "0.0.0.0/0" +# from_port = 443 +# to_port = 443 +# ip_protocol = "tcp" +# description = "Allow communication out on port 443, e.g. for SSM" +# tags = merge(local.tags, +# { Name = "https-out" } +# ) +#} +# +#resource "aws_vpc_security_group_egress_rule" "db_ec2_instance_rman" { +# security_group_id = aws_security_group.db_ec2_instance_sg.id +# cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr +# from_port = 1521 +# to_port = 1521 +# ip_protocol = "tcp" +# description = "Allow communication out on port 1521 to legacy rman" +# tags = merge(local.tags, +# { Name = "legacy-rman-out" } +# ) +#} +# +#resource "aws_vpc_security_group_ingress_rule" "db_ec2_instance_rman" { +# security_group_id = aws_security_group.db_ec2_instance_sg.id +# cidr_ipv4 = var.environment_config.legacy_engineering_vpc_cidr +# from_port = 1521 +# to_port = 1521 +# ip_protocol = "tcp" +# description = "Allow communication in on port 1521 from legacy rman" +# tags = merge(local.tags, +# { Name = "legacy-rman-in" } +# ) +#} +# +## Resources associated to the instance +#data "aws_ami" "oracle_db_ami" { +# for_each = { +# for item in var.db_config : item.name => item +# } +# owners = [var.platform_vars.environment_management.account_ids["core-shared-services-production"]] +# name_regex = each.value.ami_name_regex +# most_recent = true +#} +# +#resource "aws_instance" "db_ec2_instance" { +# for_each = { +# for item in var.db_config : item.name => item +# } +# +# #checkov:skip=CKV2_AWS_41:"IAM role is not implemented for this example EC2. SSH/AWS keys are not used either." 
+# instance_type = each.value.instance.instance_type +# ami = data.aws_ami.oracle_db_ami[each.key].id +# vpc_security_group_ids = [aws_security_group.db_ec2_instance_sg.id, aws_security_group.delius_db_security_group.id] +# subnet_id = var.account_config.data_subnet_a_id +# iam_instance_profile = aws_iam_instance_profile.db_ec2_instanceprofile.name +# associate_public_ip_address = false +# monitoring = each.value.instance.monitoring +# ebs_optimized = true +# key_name = aws_key_pair.environment_ec2_user_key_pair.key_name +# user_data_base64 = each.value.user_data_raw +# +# metadata_options { +# http_endpoint = "enabled" +# http_tokens = "optional" +# } +# +# root_block_device { +# volume_type = each.value.ebs_volumes.root_volume.volume_type +# volume_size = each.value.ebs_volumes.root_volume.volume_size +# iops = each.value.ebs_volumes.iops +# throughput = each.value.ebs_volumes.throughput +# encrypted = true +# kms_key_id = each.value.ebs_volumes.kms_key_id +# tags = local.tags +# } +# +# dynamic "ephemeral_block_device" { +# for_each = { for k, v in each.value.ebs_volumes.ebs_non_root_volumes : k => v if v.no_device == true } +# content { +# device_name = ephemeral_block_device.key +# no_device = true +# } +# } +# tags = merge(local.tags, +# { Name = lower(format("%s-delius-db-%s", var.env_name, index(var.db_config, each.value) + 1)) }, +# { server-type = "delius_core_db" }, +# { database = "delius_${each.value.name}" } +# ) +#} +# +#locals { +# flattened_ebs_volumes = flatten([ +# for db_config_instance in var.db_config : +# [ +# for key, ebs_non_root_volumes in db_config_instance.ebs_volumes.ebs_non_root_volumes : +# { +# key = "${db_config_instance.name}-${key}" +# block_name = key +# index_name = db_config_instance.name +# ebs_config = db_config_instance.ebs_volumes +# ebs_non_root_volumes = ebs_non_root_volumes +# } if ebs_non_root_volumes.no_device == false +# ] +# ]) +#} +# +#module "ebs_volumes" { +# source = "../components/ebs_volume" +# for_each = { +# 
for entry in local.flattened_ebs_volumes : +# entry.key => entry +# } +# availability_zone = aws_instance.db_ec2_instance[each.value.index_name].availability_zone +# instance_id = aws_instance.db_ec2_instance[each.value.index_name].id +# device_name = each.value.block_name +# size = each.value.ebs_non_root_volumes.volume_size +# iops = each.value.ebs_config.iops +# throughput = each.value.ebs_config.throughput +# tags = local.tags +# kms_key_id = each.value.ebs_config.kms_key_id +# depends_on = [ +# aws_instance.db_ec2_instance +# ] +#} +# +#resource "aws_route53_record" "db_ec2_instance" { +# for_each = { +# for item in var.db_config : item.name => item +# } +# provider = aws.core-vpc +# zone_id = var.account_config.route53_inner_zone_info.zone_id +# name = each.key == "primary-db" ? "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}" : "delius-${var.env_name}-db-${index(var.db_config, each.value) + 1}.${var.account_config.route53_inner_zone_info.name}" +# type = "CNAME" +# ttl = 300 +# records = [aws_instance.db_ec2_instance[each.key].private_dns] +#} +# +#resource "aws_security_group" "delius_db_security_group" { +# name = format("%s - Delius Core DB", var.env_name) +# description = "Rules for the delius testing db ecs service" +# vpc_id = var.account_config.shared_vpc_id +# tags = local.tags +# lifecycle { +# create_before_destroy = true +# } +#} +# +#resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_private_subnets" { +# security_group_id = aws_security_group.delius_db_security_group.id +# description = "weblogic to testing db" +# from_port = var.delius_db_container_config.port +# to_port = var.delius_db_container_config.port +# ip_protocol = "tcp" +# referenced_security_group_id = aws_security_group.weblogic_service.id +#} +# +#resource "aws_vpc_security_group_ingress_rule" "db_inter_conn" { +# security_group_id = aws_security_group.delius_db_security_group.id +# 
description = "Allow communication between delius db instances" +# from_port = 1521 +# to_port = 1521 +# ip_protocol = "tcp" +# referenced_security_group_id = aws_security_group.delius_db_security_group.id +#} +# +#resource "aws_vpc_security_group_egress_rule" "db_inter_conn" { +# security_group_id = aws_security_group.delius_db_security_group.id +# description = "Allow communication between delius db instances" +# from_port = 1521 +# to_port = 1521 +# ip_protocol = "tcp" +# referenced_security_group_id = aws_security_group.delius_db_security_group.id +#} +# +# +#resource "aws_vpc_security_group_ingress_rule" "delius_db_security_group_ingress_bastion" { +# security_group_id = aws_security_group.delius_db_security_group.id +# description = "bastion to testing db" +# from_port = var.delius_db_container_config.port +# to_port = var.delius_db_container_config.port +# ip_protocol = "tcp" +# referenced_security_group_id = var.bastion.security_group_id +#} +# +#resource "aws_vpc_security_group_egress_rule" "delius_db_security_group_egress_internet" { +# security_group_id = aws_security_group.delius_db_security_group.id +# description = "outbound from the testing db ecs service" +# ip_protocol = "tcp" +# to_port = 443 +# from_port = 443 +# cidr_ipv4 = "0.0.0.0/0" +#} +# +#resource "aws_cloudwatch_log_group" "delius_core_testing_db_log_group" { +# name = format("%s-%s", var.env_name, var.delius_db_container_config.fully_qualified_name) +# retention_in_days = 7 +# tags = local.tags +#} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/environment_all_components/db_iam.tf b/terraform/environments/delius-core/modules/environment_all_components/db_iam.tf index b25024e2a66..4568bb823fb 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/db_iam.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/db_iam.tf 
@@ -1,147 +1,147 @@ -# Pre-reqs - IAM role, attachment for SSM usage and instance profile -data "aws_iam_policy_document" "db_ec2_instance_iam_assume_policy" { - statement { - effect = "Allow" - actions = [ - "sts:AssumeRole" - ] - principals { - type = "Service" - identifiers = ["ec2.amazonaws.com"] - } - } -} - - -resource "aws_iam_role" "db_ec2_instance_iam_role" { - name = lower(format("%s-delius-db-ec2_instance", var.env_name)) - assume_role_policy = data.aws_iam_policy_document.db_ec2_instance_iam_assume_policy.json - tags = merge(local.tags, - { Name = lower(format("%s-delius-db-ec2_instance", var.env_name)) } - ) -} - -data "aws_iam_policy_document" "business_unit_kms_key_access" { - statement { - effect = "Allow" - actions = [ - "kms:Encrypt", - "kms:Decrypt", - "kms:ReEncrypt*", - "kms:GenerateDataKey*", - "kms:DescribeKey", - "kms:CreateGrant", - "kms:ListGrants", - "kms:RevokeGrant" - ] - resources = [ - var.account_config.kms_keys.general_shared - ] - } -} - -resource "aws_iam_policy" "business_unit_kms_key_access" { - name = format("%s-delius-db-business_unit_kms_key_access_policy", var.env_name) - path = "/" - policy = data.aws_iam_policy_document.business_unit_kms_key_access.json - tags = merge(local.tags, - { Name = format("%s-delius-db-business_unit_kms_key_access_policy", var.env_name) } - ) -} - -data "aws_iam_policy_document" "core_shared_services_bucket_access" { - statement { - effect = "Allow" - actions = [ - "s3:ListBucket", - "s3:GetObject" - ] - resources = [ - "arn:aws:s3:::mod-platform-image-artefact-bucket20230203091453221500000001/*", - "arn:aws:s3:::mod-platform-image-artefact-bucket20230203091453221500000001" - ] - } -} - -resource "aws_iam_policy" "core_shared_services_bucket_access" { - name = format("%s-delius-db-core_shared_services_bucket_access_policy", var.env_name) - path = "/" - policy = data.aws_iam_policy_document.core_shared_services_bucket_access.json - tags = merge(local.tags, - { Name = 
format("%s-delius-db-core_shared_services_bucket_access_policy", var.env_name) } - ) -} - -data "aws_iam_policy_document" "ec2_access_for_ansible" { - statement { - effect = "Allow" - actions = [ - "ec2:DescribeTags", - "ec2:DescribeInstances", - "ec2:DescribeVolumes" - ] - resources = ["*"] - } -} - -data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" { - statement { - sid = "AllowAccessToSsmParameterStore" - effect = "Allow" - actions = [ - "ssm:PutParameter" - ] - resources = ["*"] - } -} - -resource "aws_iam_policy" "allow_access_to_ssm_parameter_store" { - name = format("%s-delius-db-allow_access_to_ssm_parameter_store", var.env_name) - path = "/" - policy = data.aws_iam_policy_document.allow_access_to_ssm_parameter_store.json - tags = merge(local.tags, - { Name = format("%s-delius-db-ec2_access_for_ansible", var.env_name) } - ) -} - -resource "aws_iam_role_policy_attachment" "allow_access_to_ssm_parameter_store" { - role = aws_iam_role.db_ec2_instance_iam_role.name - policy_arn = aws_iam_policy.allow_access_to_ssm_parameter_store.arn -} - -resource "aws_iam_policy" "ec2_access_for_ansible" { - name = format("%s-delius-db-ec2_access_for_ansible", var.env_name) - path = "/" - policy = data.aws_iam_policy_document.ec2_access_for_ansible.json - tags = merge(local.tags, - { Name = format("%s-delius-db-ec2_access_for_ansible", var.env_name) } - ) -} - -resource "aws_iam_role_policy" "business_unit_kms_key_access" { - name = "business_unit_kms_key_access" - role = aws_iam_role.db_ec2_instance_iam_role.name - policy = data.aws_iam_policy_document.business_unit_kms_key_access.json -} - -resource "aws_iam_role_policy" "core_shared_services_bucket_access" { - name = "core_shared_services_bucket_access" - role = aws_iam_role.db_ec2_instance_iam_role.name - policy = data.aws_iam_policy_document.core_shared_services_bucket_access.json -} - -resource "aws_iam_role_policy" "ec2_access" { - name = "ec2_access" - role = 
aws_iam_role.db_ec2_instance_iam_role.name - policy = data.aws_iam_policy_document.ec2_access_for_ansible.json -} - -resource "aws_iam_role_policy_attachment" "db_ec2_instance_amazonssmmanagedinstancecore" { - role = aws_iam_role.db_ec2_instance_iam_role.name - policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" -} - -resource "aws_iam_instance_profile" "db_ec2_instanceprofile" { - name = format("%s-delius-db-ec2_instance_iam_role", var.env_name) - role = aws_iam_role.db_ec2_instance_iam_role.name -} \ No newline at end of file +## Pre-reqs - IAM role, attachment for SSM usage and instance profile +#data "aws_iam_policy_document" "db_ec2_instance_iam_assume_policy" { +# statement { +# effect = "Allow" +# actions = [ +# "sts:AssumeRole" +# ] +# principals { +# type = "Service" +# identifiers = ["ec2.amazonaws.com"] +# } +# } +#} +# +# +#resource "aws_iam_role" "db_ec2_instance_iam_role" { +# name = lower(format("%s-delius-db-ec2_instance", var.env_name)) +# assume_role_policy = data.aws_iam_policy_document.db_ec2_instance_iam_assume_policy.json +# tags = merge(local.tags, +# { Name = lower(format("%s-delius-db-ec2_instance", var.env_name)) } +# ) +#} +# +#data "aws_iam_policy_document" "business_unit_kms_key_access" { +# statement { +# effect = "Allow" +# actions = [ +# "kms:Encrypt", +# "kms:Decrypt", +# "kms:ReEncrypt*", +# "kms:GenerateDataKey*", +# "kms:DescribeKey", +# "kms:CreateGrant", +# "kms:ListGrants", +# "kms:RevokeGrant" +# ] +# resources = [ +# var.account_config.kms_keys.general_shared +# ] +# } +#} +# +#resource "aws_iam_policy" "business_unit_kms_key_access" { +# name = format("%s-delius-db-business_unit_kms_key_access_policy", var.env_name) +# path = "/" +# policy = data.aws_iam_policy_document.business_unit_kms_key_access.json +# tags = merge(local.tags, +# { Name = format("%s-delius-db-business_unit_kms_key_access_policy", var.env_name) } +# ) +#} +# +#data "aws_iam_policy_document" "core_shared_services_bucket_access" { +# 
statement { +# effect = "Allow" +# actions = [ +# "s3:ListBucket", +# "s3:GetObject" +# ] +# resources = [ +# "arn:aws:s3:::mod-platform-image-artefact-bucket20230203091453221500000001/*", +# "arn:aws:s3:::mod-platform-image-artefact-bucket20230203091453221500000001" +# ] +# } +#} +# +#resource "aws_iam_policy" "core_shared_services_bucket_access" { +# name = format("%s-delius-db-core_shared_services_bucket_access_policy", var.env_name) +# path = "/" +# policy = data.aws_iam_policy_document.core_shared_services_bucket_access.json +# tags = merge(local.tags, +# { Name = format("%s-delius-db-core_shared_services_bucket_access_policy", var.env_name) } +# ) +#} +# +#data "aws_iam_policy_document" "ec2_access_for_ansible" { +# statement { +# effect = "Allow" +# actions = [ +# "ec2:DescribeTags", +# "ec2:DescribeInstances", +# "ec2:DescribeVolumes" +# ] +# resources = ["*"] +# } +#} +# +#data "aws_iam_policy_document" "allow_access_to_ssm_parameter_store" { +# statement { +# sid = "AllowAccessToSsmParameterStore" +# effect = "Allow" +# actions = [ +# "ssm:PutParameter" +# ] +# resources = ["*"] +# } +#} +# +#resource "aws_iam_policy" "allow_access_to_ssm_parameter_store" { +# name = format("%s-delius-db-allow_access_to_ssm_parameter_store", var.env_name) +# path = "/" +# policy = data.aws_iam_policy_document.allow_access_to_ssm_parameter_store.json +# tags = merge(local.tags, +# { Name = format("%s-delius-db-ec2_access_for_ansible", var.env_name) } +# ) +#} +# +#resource "aws_iam_role_policy_attachment" "allow_access_to_ssm_parameter_store" { +# role = aws_iam_role.db_ec2_instance_iam_role.name +# policy_arn = aws_iam_policy.allow_access_to_ssm_parameter_store.arn +#} +# +#resource "aws_iam_policy" "ec2_access_for_ansible" { +# name = format("%s-delius-db-ec2_access_for_ansible", var.env_name) +# path = "/" +# policy = data.aws_iam_policy_document.ec2_access_for_ansible.json +# tags = merge(local.tags, +# { Name = format("%s-delius-db-ec2_access_for_ansible", 
var.env_name) } +# ) +#} +# +#resource "aws_iam_role_policy" "business_unit_kms_key_access" { +# name = "business_unit_kms_key_access" +# role = aws_iam_role.db_ec2_instance_iam_role.name +# policy = data.aws_iam_policy_document.business_unit_kms_key_access.json +#} +# +#resource "aws_iam_role_policy" "core_shared_services_bucket_access" { +# name = "core_shared_services_bucket_access" +# role = aws_iam_role.db_ec2_instance_iam_role.name +# policy = data.aws_iam_policy_document.core_shared_services_bucket_access.json +#} +# +#resource "aws_iam_role_policy" "ec2_access" { +# name = "ec2_access" +# role = aws_iam_role.db_ec2_instance_iam_role.name +# policy = data.aws_iam_policy_document.ec2_access_for_ansible.json +#} +# +#resource "aws_iam_role_policy_attachment" "db_ec2_instance_amazonssmmanagedinstancecore" { +# role = aws_iam_role.db_ec2_instance_iam_role.name +# policy_arn = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" +#} +# +#resource "aws_iam_instance_profile" "db_ec2_instanceprofile" { +# name = format("%s-delius-db-ec2_instance_iam_role", var.env_name) +# role = aws_iam_role.db_ec2_instance_iam_role.name +#} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/environment_all_components/db_s3.tf b/terraform/environments/delius-core/modules/environment_all_components/db_s3.tf index 1db366df384..b26239190a2 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/db_s3.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/db_s3.tf 
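Review bot: Commenting out all 147 lines of db_iam.tf rather than deleting the file leaves dead IAM code in the module; git history already preserves it, and this commit's weblogic_service.tf hunk already points the egress rule at the replacement `module.oracle_db_shared`. If it has to stay for now, say why at the top so it does not rot, e.g. `## Superseded by module.oracle_db_shared (database.tf); delete once the module is verified in every environment`. Two things are worth fixing before any of it is ever restored: `allow_access_to_ssm_parameter_store` grants `ssm:PutParameter` on `resources = ["*"]`, which lets the DB instance overwrite any parameter in the account, so scope it to the environment's parameter path (the prefix it writes is not visible here); and that same policy's `Name` tag is the copy-pasted `...-ec2_access_for_ansible`.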
@@ -1,83 +1,83 @@ -module "s3_bucket_oracledb_backups" { - source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0" - bucket_name = "${var.env_name}-oracle-database-backups" - versioning_enabled = false - ownership_controls = "BucketOwnerEnforced" - replication_enabled = false - custom_kms_key = var.account_config.general_shared_kms_key_arn - - providers = { - aws.bucket-replication = aws.bucket-replication - } - - lifecycle_rule = [ - { - id = "main" - enabled = "Enabled" - prefix = "" - - tags = { - rule = "log" - autoclean = "true" - } - - transition = [ - { - days = 90 - storage_class = "STANDARD_IA" - } - ] - - expiration = { - days = 365 - } - } - ] - - tags = local.tags -} - -data "aws_iam_policy_document" "oracledb_backup_bucket_access" { - statement { - sid = "allowAccessToOracleDbBackupBucket" - effect = "Allow" - actions = [ - "s3:*" - ] - resources = [ - "${module.s3_bucket_oracledb_backups.bucket.arn}", - "${module.s3_bucket_oracledb_backups.bucket.arn}/*" - ] - } - - statement { - sid = "AllowAccessToS3OracleBackups" - effect = "Allow" - actions = [ - "s3:Get*", - "s3:List*" - ] - resources = [ - "arn:aws:s3:::eu-west-2-dmd-mis-dev-oracledb-backups", - "arn:aws:s3:::eu-west-2-dmd-mis-dev-oracledb-backups/*" - ] - } - - statement { - sid = "listAllBuckets" - effect = "Allow" - actions = [ - "s3:ListAllMyBuckets", - "s3:GetBucketLocation" - ] - resources = [ - "arn:aws:s3:::*" - ] - } -} - -resource "aws_iam_role_policy" "oracledb_backup_bucket_access_policy" { - name = "${var.env_name}-oracledb-backup-bucket-access-policy" - role = aws_iam_role.db_ec2_instance_iam_role.name - policy = data.aws_iam_policy_document.oracledb_backup_bucket_access.json -} \ No newline at end of file +#module "s3_bucket_oracledb_backups" { +# source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0" +# bucket_name = "${var.env_name}-oracle-database-backups" +# versioning_enabled = false +# 
ownership_controls = "BucketOwnerEnforced" +# replication_enabled = false +# custom_kms_key = var.account_config.general_shared_kms_key_arn +# +# providers = { +# aws.bucket-replication = aws.bucket-replication +# } +# +# lifecycle_rule = [ +# { +# id = "main" +# enabled = "Enabled" +# prefix = "" +# +# tags = { +# rule = "log" +# autoclean = "true" +# } +# +# transition = [ +# { +# days = 90 +# storage_class = "STANDARD_IA" +# } +# ] +# +# expiration = { +# days = 365 +# } +# } +# ] +# +# tags = local.tags +#} +# +#data "aws_iam_policy_document" "oracledb_backup_bucket_access" { +# statement { +# sid = "allowAccessToOracleDbBackupBucket" +# effect = "Allow" +# actions = [ +# "s3:*" +# ] +# resources = [ +# "${module.s3_bucket_oracledb_backups.bucket.arn}", +# "${module.s3_bucket_oracledb_backups.bucket.arn}/*" +# ] +# } +# +# statement { +# sid = "AllowAccessToS3OracleBackups" +# effect = "Allow" +# actions = [ +# "s3:Get*", +# "s3:List*" +# ] +# resources = [ +# "arn:aws:s3:::eu-west-2-dmd-mis-dev-oracledb-backups", +# "arn:aws:s3:::eu-west-2-dmd-mis-dev-oracledb-backups/*" +# ] +# } +# +# statement { +# sid = "listAllBuckets" +# effect = "Allow" +# actions = [ +# "s3:ListAllMyBuckets", +# "s3:GetBucketLocation" +# ] +# resources = [ +# "arn:aws:s3:::*" +# ] +# } +#} +# +#resource "aws_iam_role_policy" "oracledb_backup_bucket_access_policy" { +# name = "${var.env_name}-oracledb-backup-bucket-access-policy" +# role = aws_iam_role.db_ec2_instance_iam_role.name +# policy = data.aws_iam_policy_document.oracledb_backup_bucket_access.json +#} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/environment_all_components/variables.tf b/terraform/environments/delius-core/modules/environment_all_components/variables.tf index 5e75dc6f594..18a2a0785de 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/variables.tf +++ b/terraform/environments/delius-core/modules/environment_all_components/variables.tf 
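Review bot: The commented-out `oracledb_backup_bucket_access` policy is dead code now, but if it is ever restored it hands the instance role `s3:*` on the backup bucket — including `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl` — where a backup job needs only the object read/write/list actions it actually performs. It also bakes a specific dev bucket, `eu-west-2-dmd-mis-dev-oracledb-backups`, into a module that is instantiated per `var.env_name`, so every environment's DB role would get read access to that dev bucket; if that cross-environment read is deliberate it should come from a variable and carry a comment saying so. Since the whole file is disabled and the `aws_iam_role.db_ec2_instance_iam_role` it attaches to is commented out in the same commit, deleting the file is cleaner than keeping it. Separately, `versioning_enabled = false` on a backup bucket means a bad backup run can overwrite or delete the only copy — confirm that matches the recovery requirement.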
@@ -23,6 +23,7 @@ variable "account_config" {
 shared_vpc_cidr = string
 shared_vpc_id = string
 private_subnet_ids = list(string)
+ ordered_private_subnet_ids = list(string)
 public_subnet_ids = list(string)
 data_subnet_ids = list(string)
 data_subnet_a_id = string
@@ -42,6 +43,7 @@ variable "account_config" {
 shared_vpc_cidr = "default_shared_vpc_cidr"
 shared_vpc_id = "default_shared_vpc_id"
 private_subnet_ids = ["default_private_subnet_ids"]
+ ordered_private_subnet_ids = []
 public_subnet_ids = ["default_public_subnet_ids"]
 data_subnet_ids = ["default_data_subnet_ids"]
 data_subnet_a_id = "default_data_subnet_id"
diff --git a/terraform/environments/delius-core/modules/environment_all_components/weblogic_service.tf b/terraform/environments/delius-core/modules/environment_all_components/weblogic_service.tf
index 62057efb063..44ec7b0e092 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/weblogic_service.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/weblogic_service.tf
@@ -127,7 +127,7 @@ resource "aws_vpc_security_group_egress_rule" "delius_core_weblogic_to_db" {
 from_port = var.delius_db_container_config.port
 to_port = var.delius_db_container_config.port
 ip_protocol = "tcp"
- referenced_security_group_id = aws_security_group.delius_db_security_group.id
+ referenced_security_group_id = module.oracle_db_shared.security_group.id
 }
 resource "aws_vpc_security_group_ingress_rule" "delius_core_frontend_ldap_tcp" {
From 01bf9bf396709dd2020616ff15b752f8c0fe9e7b Mon Sep 17 00:00:00 2001 From: Robert Sweetman Date: Thu, 7 Dec 2023 16:26:39 +0000 Subject: [PATCH 139/142] add port 80 redirect to HTTPS on planetfm ALB (#4264) * add port 80 redirect to HTTPS on planetfm ALB * formatting --- .../environments/planetfm/locals_preproduction.tf | 12 ++++++++++++ .../environments/planetfm/locals_security_groups.tf | 10 +++++----- 2 files changed, 17 insertions(+), 5 deletions(-)
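Review bot: The new `ordered_private_subnet_ids` attribute defaults to `[]`, unlike the placeholder-string defaults around it, and nothing says what the ordering is; `module "oracle_db_standby"` in database.tf indexes it with `[... % 3]`, so a caller that falls back to this default fails with an invalid index instead of getting a placeholder like the other fields. Document the contract on the type line, e.g. `ordered_private_subnet_ids = list(string) # presumably one subnet per AZ in a/b/c order — database.tf spreads DB instances across it by index; confirm`, and give it a matching three-element placeholder default such as `["default_ordered_private_subnet_a", "default_ordered_private_subnet_b", "default_ordered_private_subnet_c"]`. The enclosing `variable "account_config"` block starts and ends outside both hunks.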
diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf
index 559b2cd9f6e..60cf9e8cd5f 100644
--- a/terraform/environments/planetfm/locals_preproduction.tf
+++ b/terraform/environments/planetfm/locals_preproduction.tf
@@ -210,6 +210,18 @@ locals {
 }
 }
 listeners = {
+ http = {
+ port = 80
+ protocol = "HTTP"
+ default_action = {
+ type = "redirect"
+ redirect = {
+ port = 443
+ protocol = "HTTPS"
+ status_code = "HTTP_301"
+ }
+ }
+ }
 https = {
 port = 443
 protocol = "HTTPS"
diff --git a/terraform/environments/planetfm/locals_security_groups.tf b/terraform/environments/planetfm/locals_security_groups.tf
index c64367a8164..7aa1d1a1bda 100644
--- a/terraform/environments/planetfm/locals_security_groups.tf
+++ b/terraform/environments/planetfm/locals_security_groups.tf
@@ -117,11 +117,11 @@ locals {
 self = true
 }
 http_web = {
- description = "80: Allow HTTP ingress from LB"
- from_port = 80
- to_port = 80
- protocol = "TCP"
- cidr_blocks = ["10.40.129.64/26"] # noms mgmt live jumpservers
+ description = "80: Allow HTTP ingress from LB"
+ from_port = 80
+ to_port = 80
+ protocol = "TCP"
+ cidr_blocks = ["10.40.129.64/26"] # noms mgmt live jumpservers
 security_groups = ["loadbalancer"]
 }
 https_web = {
From 0794ad1b250f8c2d3e6027b6fbf0e489d9690d0f Mon Sep 17 00:00:00 2001
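Review bot: With the ALB now answering port 80 itself through the `redirect` default action, nothing on the load balancer forwards plain HTTP to the instances, so the `http_web` ingress rule on the web security group (`80: Allow HTTP ingress from LB`, only re-aligned in the second hunk) looks redundant unless a port-80 target group still exists elsewhere in the file; if it does not, drop `security_groups = ["loadbalancer"]` from that rule and keep only the jumpserver CIDR, or remove the rule entirely. The listener itself is right — `HTTP_301` is the permanent redirect browsers cache, and assuming the module passes the block through to `aws_lb_listener`, the unset host/path/query keep the original URL — but a comment would save the next reader a lookup: `http = { # plain HTTP is never served; permanent redirect to the HTTPS listener below`. The enclosing `locals` block continues outside the hunk.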
From: George Taylor Date: Thu, 7 Dec 2023 18:28:01 +0000 Subject: [PATCH 140/142] Nit 963 delius core db modularise the database instance terraform (#4265) * initial module declaration * ami to object * set up security groups * adding dns and condensing sg * correct provider configs + ebs/key troubleshooting * refactoring * refactor * Update instance.tf * add correct tags * Update instance.tf * Update instance.tf * move locals * Remove double b64 encode * Update database.tf * enforce subnet spread * Update database.tf * Update database.tf * Update database.tf * error * Update database.tf --- terraform/environments/delius-core/data.tf | 4 ++-- .../modules/environment_all_components/database.tf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/terraform/environments/delius-core/data.tf b/terraform/environments/delius-core/data.tf
index 6ade2770185..1f0c5501d22 100644
--- a/terraform/environments/delius-core/data.tf
+++ b/terraform/environments/delius-core/data.tf
@@ -1,5 +1,5 @@
 #### This file can be used to store data specific to the member account ####
- data "aws_subnets" "shared-private-a" {
+data "aws_subnets" "shared-private-a" {
 filter {
 name = "vpc-id"
 values = [data.aws_vpc.shared.id]
@@ -15,7 +15,7 @@ data "aws_subnets" "shared-private-b" {
 values = [data.aws_vpc.shared.id]
 }
 tags = {
- Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*c"
+ Name = "${var.networking[0].business-unit}-${local.environment}-${var.networking[0].set}-private*b"
 }
 }
diff --git a/terraform/environments/delius-core/modules/environment_all_components/database.tf b/terraform/environments/delius-core/modules/environment_all_components/database.tf
index ea7aea7d31b..2205990e4d0 100644
--- a/terraform/environments/delius-core/modules/environment_all_components/database.tf
+++ b/terraform/environments/delius-core/modules/environment_all_components/database.tf
@@ -199,7 +199,7 @@ module "oracle_db_standby" {
 }
 env_name = var.env_name
 environment_config = var.environment_config
- subnet_id = var.account_config.ordered_private_subnet_ids[(count.index + length(module.oracle_db_primary) % 3)]
+ subnet_id = var.account_config.ordered_private_subnet_ids[(count.index + 1 + length(module.oracle_db_primary)) % 3]
 tags = local.tags
 user_data = base64encode(
 templatefile(
From 9bd3219f067095a4608ca8f402a5bce4593e88c4 Mon Sep 17 00:00:00 2001 From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 8 Dec 2023 09:09:57 +0000 Subject: [PATCH 141/142] add secret policy for test environment (#4266) --- .../environments/nomis-data-hub/locals.tf | 1 + .../nomis-data-hub/locals_test.tf | 27 +++++++++++++++++++ terraform/environments/nomis-data-hub/main.tf | 14 +++++++--- 3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/terraform/environments/nomis-data-hub/locals.tf b/terraform/environments/nomis-data-hub/locals.tf
index 77cf4435d3e..32c63701622 100644
--- a/terraform/environments/nomis-data-hub/locals.tf
+++ b/terraform/environments/nomis-data-hub/locals.tf
@@ -26,6 +26,7 @@ locals {
 "ndh_harkemsadmin_ssl_pass",
 ]
+ baseline_iam_policies = {}
 baseline_secretsmanager_secrets = {}
 baseline_ssm_parameters = {}
diff --git a/terraform/environments/nomis-data-hub/locals_test.tf b/terraform/environments/nomis-data-hub/locals_test.tf
index 3c590a8d503..b99e655b516 100644
--- a/terraform/environments/nomis-data-hub/locals_test.tf
+++ b/terraform/environments/nomis-data-hub/locals_test.tf
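Review bot: The corrected expression still hard-codes the modulus as `3`, so the spread silently assumes exactly three entries in `ordered_private_subnet_ids`; with the `[]` default this series adds in variables.tf it indexes an empty list, and with two subnets it can yield an invalid index. Derive it from the list instead: `subnet_id = var.account_config.ordered_private_subnet_ids[(count.index + 1 + length(module.oracle_db_primary)) % length(var.account_config.ordered_private_subnet_ids)]`, and state the intent next to it, e.g. `# presumably: place each standby in the subnet after the last primary so it never shares an AZ with it — confirm`. The `module "oracle_db_standby"` block starts and ends outside the hunk.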
@@ -7,6 +7,23 @@ locals {
 "/ndh/test" = local.ndh_secretsmanager_secrets
 }
+ baseline_iam_policies = {
+ Ec2TestPolicy = {
+ description = "Permissions required for Test EC2s"
+ statements = [
+ {
+ effect = "Allow"
+ actions = [
+ "secretsmanager:GetSecretValue",
+ ]
+ resources = [
+ "arn:aws:secretsmanager:*:*:secret:/ndh/test/*",
+ ]
+ }
+ ]
+ }
+ }
+ baseline_ec2_instances = {
 test-management-server-2022 = merge(local.management_server_2022, {
@@ -16,12 +33,22 @@ locals {
 })
 test-ndh-app-a = merge(local.ndh_app_a, {
+ config = merge(local.ndh_app_a.config, {
+ instance_profile_policies = concat(local.ndh_app_a.config.instance_profile_policies, [
+ "Ec2TestPolicy",
+ ])
+ })
 tags = merge(local.ndh_app_a.tags, {
 ndh-environment = "test"
 })
 })
 test-ndh-ems-a = merge(local.ndh_ems_a, {
+ config = merge(local.ndh_ems_a.config, {
+ instance_profile_policies = concat(local.ndh_ems_a.config.instance_profile_policies, [
+ "Ec2TestPolicy",
+ ])
+ })
 tags = merge(local.ndh_ems_a.tags, {
 ndh-environment = "test"
 })
diff --git a/terraform/environments/nomis-data-hub/main.tf b/terraform/environments/nomis-data-hub/main.tf
index b84e8fef0e7..d335982ac76 100644
--- a/terraform/environments/nomis-data-hub/main.tf
+++ b/terraform/environments/nomis-data-hub/main.tf
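Review bot: The `Ec2TestPolicy` statement limits access by secret path but leaves region and account as wildcards in `arn:aws:secretsmanager:*:*:secret:/ndh/test/*`, so the identity policy would also permit reading a same-path secret in any region, or in any other account whose resource policy grants this role access; pin both, e.g. `"arn:aws:secretsmanager:eu-west-2:${data.aws_caller_identity.current.account_id}:secret:/ndh/test/*"` (or whatever account-id source the baseline module exposes — not visible here). The path does match the `"/ndh/test" = local.ndh_secretsmanager_secrets` key in the context line, and the trailing `*` is required because Secrets Manager appends a random suffix to secret ARNs, so that part is right. If those secrets are encrypted with a customer-managed KMS key rather than the AWS-managed one, the instance role will also need `kms:Decrypt` on that key — cannot tell from this hunk. The enclosing `locals` block continues outside both hunks.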
@@ -53,10 +53,16 @@ module "baseline" {
 environment = module.environment
- security_groups = local.baseline_security_groups
- acm_certificates = module.baseline_presets.acm_certificates
- cloudwatch_log_groups = module.baseline_presets.cloudwatch_log_groups
- iam_policies = module.baseline_presets.iam_policies
+ security_groups = local.baseline_security_groups
+ acm_certificates = module.baseline_presets.acm_certificates
+ cloudwatch_log_groups = module.baseline_presets.cloudwatch_log_groups
+
+ iam_policies = merge(
+ module.baseline_presets.iam_policies,
+ local.baseline_iam_policies,
+ lookup(local.baseline_environment_config, "baseline_iam_policies", {})
+ )
+
 iam_roles = module.baseline_presets.iam_roles
 iam_service_linked_roles = module.baseline_presets.iam_service_linked_roles
 key_pairs = module.baseline_presets.key_pairs
From 066dd9c0a28ffdf561d8af6262d5f87d6c223fcc Mon Sep 17 00:00:00 2001
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com>
Date: Fri, 8 Dec 2023 10:13:45 +0000
Subject: [PATCH 142/142] align NDH code with nomis (#4270)
---
 .../environments/nomis-data-hub/locals.tf | 123 ++++----------
 .../nomis-data-hub/locals_development.tf | 96 -----------
 .../environments/nomis-data-hub/locals_ndh.tf | 73 +++++++++
 .../nomis-data-hub/locals_security_groups.tf | 2 +-
 .../nomis-data-hub/locals_test.tf | 55 +------
 terraform/environments/nomis-data-hub/main.tf | 155 ++++++++++++------
 6 files changed, 211 insertions(+), 293 deletions(-)
 create mode 100644 terraform/environments/nomis-data-hub/locals_ndh.tf
diff --git a/terraform/environments/nomis-data-hub/locals.tf b/terraform/environments/nomis-data-hub/locals.tf
index 32c63701622..2b7b25f2e5c 100644
--- a/terraform/environments/nomis-data-hub/locals.tf
+++ b/terraform/environments/nomis-data-hub/locals.tf
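Review bot: The merge on the new iam_policies lines is last-wins, so an entry in an environment's `baseline_iam_policies` that reuses a preset policy name silently replaces the preset instead of being reported; a short comment on the merge, `# precedence: environment config > local.baseline_iam_policies > presets`, documents the override order for whoever adds the next policy. The same pattern is repeated for every baseline input in the later main.tf hunks of the align-with-nomis commit, where one comment at the top of the module block would cover all of them. The module "baseline" block starts and ends outside the hunk.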
@@ -1,7 +1,6 @@
-#### This file can be used to store locals specific to the member account ####
-
 locals {
 business_unit = var.networking[0].business-unit
+ region = "eu-west-2"
 environment_configs = {
 development = local.development_config
@@ -10,100 +9,44 @@ locals { production = local.production_config } baseline_environment_config = local.environment_configs[local.environment] - environment_config = local.environment_configs[local.environment] - ndh_secrets = [ - "ndh_admin_user", - "ndh_admin_pass", - "ndh_domain_name", - "ndh_ems_host_a", - "ndh_ems_host_b", - "ndh_app_host_a", - "ndh_app_host_b", - "ndh_ems_port_1", - "ndh_ems_port_2", - "ndh_host_os", - "ndh_host_os_version", - "ndh_harkemsadmin_ssl_pass", - ] - baseline_iam_policies = {} - baseline_secretsmanager_secrets = {} - baseline_ssm_parameters = {} + baseline_presets_options = { + enable_application_environment_wildcard_cert = true + enable_backup_plan_daily_and_weekly = true + enable_business_unit_kms_cmks = true + enable_image_builder = true + enable_ec2_cloud_watch_agent = true + enable_ec2_self_provision = true + enable_ec2_user_keypair = true + iam_policies_filter = ["ImageBuilderS3BucketWriteAndDeleteAccessPolicy"] + iam_policies_ec2_default = ["EC2S3BucketWriteAndDeleteAccessPolicy", "ImageBuilderS3BucketWriteAndDeleteAccessPolicy"] + s3_iam_policies = ["EC2S3BucketWriteAndDeleteAccessPolicy"] + } + + baseline_acm_certificates = {} + baseline_backup_plans = {} + baseline_cloudwatch_log_groups = {} + baseline_cloudwatch_metric_alarms = {} + baseline_cloudwatch_log_metric_filters = {} + baseline_ec2_autoscaling_groups = {} + baseline_ec2_instances = {} + baseline_iam_policies = {} + baseline_iam_roles = {} + baseline_iam_service_linked_roles = {} + baseline_key_pairs = {} + baseline_kms_grants = {} + baseline_lbs = {} + baseline_route53_resolvers = {} + baseline_route53_zones = {} baseline_s3_buckets = { s3-bucket = { iam_policies = module.baseline_presets.s3_iam_policies } } - baseline_route53_zones = {} - ndh_secretsmanager_secrets = { - secrets = { - shared = { description = "NDH secrets for both ems and app components" } - } - } - - ndh_app_a = { - config = merge(module.baseline_presets.ec2_instance.config.default, { - 
ami_name = "nomis_data_hub_rhel_7_9_app_release_2023-05-02T00-00-47.783Z" - }) - instance = merge(module.baseline_presets.ec2_instance.instance.default, { - vpc_security_group_ids = ["ndh_app"] - tags = { - backup-plan = "daily-and-weekly" - } - }) - user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible - tags = { - description = "RHEL7.9 NDH App" - component = "ndh" - server-type = "ndh-app" - monitored = false - instance-scheduling = "skip-scheduling" - } - } - - ndh_ems_a = { - config = merge(module.baseline_presets.ec2_instance.config.default, { - ami_name = "nomis_data_hub_rhel_7_9_ems_test_2023-04-02T00-00-21.281Z" - }) - instance = merge(module.baseline_presets.ec2_instance.instance.default, { - vpc_security_group_ids = ["ndh_ems"] - tags = { - backup-plan = "daily-and-weekly" - } - }) - user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible - tags = { - description = "RHEL7.9 NDH ems" - component = "ndh" - server-type = "ndh-ems" - monitored = false - instance-scheduling = "skip-scheduling" - } - } - - management_server_2022 = { - # ami has unwanted ephemeral device, don't copy all the ebs_volumess - config = merge(module.baseline_presets.ec2_instance.config.default, { - ami_name = "hmpps_windows_server_2022_release_2023-*" - ebs_volumes_copy_all_from_ami = false - user_data_raw = base64encode(file("./templates/ndh-user-data.yaml")) - }) - instance = merge(module.baseline_presets.ec2_instance.instance.default, { - vpc_security_group_ids = ["management_server"] - tags = { - backup-plan = "daily-and-weekly" - } - }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 100 } - } - tags = { - description = "Windows Server 2022 Management server for NDH" - os-type = "Windows" - component = "managementserver" - server-type = "ndh-management-server" - } - } + baseline_secretsmanager_secrets = {} + baseline_security_groups = local.security_groups + 
baseline_sns_topics = {} + baseline_ssm_parameters = {} } diff --git a/terraform/environments/nomis-data-hub/locals_development.tf b/terraform/environments/nomis-data-hub/locals_development.tf index 7f3f626129b..2286ee2f3ef 100644 --- a/terraform/environments/nomis-data-hub/locals_development.tf +++ b/terraform/environments/nomis-data-hub/locals_development.tf 
@@ -1,100 +1,4 @@ locals { development_config = { - - baseline_s3_buckets = { - } - - baseline_ec2_instances = { - - # Example instance using RedHat image with ansible provisioning - # dev-redhat-rhel79-1 = { - # config = merge(module.baseline_presets.ec2_instance.config.default, { - # ami_name = "RHEL-7.9_HVM-*" - # ami_owner = "309956199498" - # }) - # instance = merge(module.baseline_presets.ec2_instance.instance.default, { - # vpc_security_group_ids = ["private"] - # }) - # user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible - # tags = { - # description = "For testing with official RedHat RHEL7.9 image" - # os-type = "Linux" - # component = "test" - # server-type = "set me to the ansible server type group vars" - # } - # } - - # Example instance using base image with ansible provisioning - # dev-base-rhel79-1 = { - # config = merge(module.baseline_presets.ec2_instance.config.default, { - # ami_name = "base_rhel_7_9_*" - # }) - # instance = merge(module.baseline_presets.ec2_instance.instance.default, { - # vpc_security_group_ids = ["private"] - # }) - # user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible - # tags = { - # description = "For testing with official RedHat RHEL7.9 image" - # os-type = "Linux" - # component = "test" - # server-type = "set me to the ansible server type group vars" - # } - # } - } - - baseline_ec2_autoscaling_groups = { - - # Example ASG using base image with ansible provisioning - # Include the autoscale-trigger-hook ansible role when using hooks - # dev-base-rhel79 = { - # config = merge(module.baseline_presets.ec2_instance.config.default, { - # ami_name = "base_rhel_7_9_*" - # }) - # instance = merge(module.baseline_presets.ec2_instance.instance.default, { - # vpc_security_group_ids = ["private"] - # }) - # user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible - # autoscaling_group = { 
- # desired_capacity = 1 - # max_size # # = 2 - # vpc_zone_identifier = module.environment.subnets["private"].ids - # } - # autoscaling_schedules = module.baseline_presets.ec2_autoscaling_schedules.working_hours - # tags = { - # description = "For testing with official RedHat RHEL7.9 image" - # os-type = "Linux" - # component = "test" - # server-type = "set me to the ansible server type group vars" - # } - # - # Example target group setup below - # - # lb_target_groups = { - # http-7777 = { - # port = 7777 - # protocol = "HTTP" - # target_type = "instance" - # deregistration_delay = 30 - # health_check = { - # enabled = true - # interval = 30 - # healthy_threshold = 3 - # matcher = "200-399" - # path = "/" - # port = 7777 - # timeout = 5 - # unhealthy_threshold = 5 - # } - # stickiness = { - # enabled = true - # type = "lb_cookie" - # } - # } - # } - # } - } - - baseline_lbs = { - } } } diff --git a/terraform/environments/nomis-data-hub/locals_ndh.tf b/terraform/environments/nomis-data-hub/locals_ndh.tf new file mode 100644 index 00000000000..8bebaf5f7d0 --- /dev/null +++ b/terraform/environments/nomis-data-hub/locals_ndh.tf 
@@ -0,0 +1,73 @@ +# configuration defaults for ndh + +locals { + ndh_secretsmanager_secrets = { + secrets = { + shared = { description = "NDH secrets for both ems and app components" } + } + } + + ndh_app_a = { + config = merge(module.baseline_presets.ec2_instance.config.default, { + ami_name = "nomis_data_hub_rhel_7_9_app_release_2023-05-02T00-00-47.783Z" + }) + instance = merge(module.baseline_presets.ec2_instance.instance.default, { + vpc_security_group_ids = ["ndh_app"] + tags = { + backup-plan = "daily-and-weekly" + } + }) + user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible + tags = { + description = "RHEL7.9 NDH App" + component = "ndh" + server-type = "ndh-app" + monitored = false + instance-scheduling = "skip-scheduling" + } + } + + ndh_ems_a = { + config = merge(module.baseline_presets.ec2_instance.config.default, { + ami_name = "nomis_data_hub_rhel_7_9_ems_test_2023-04-02T00-00-21.281Z" + }) + instance = merge(module.baseline_presets.ec2_instance.instance.default, { + vpc_security_group_ids = ["ndh_ems"] + tags = { + backup-plan = "daily-and-weekly" + } + }) + user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible + tags = { + description = "RHEL7.9 NDH ems" + component = "ndh" + server-type = "ndh-ems" + monitored = false + instance-scheduling = "skip-scheduling" + } + } + + management_server_2022 = { + # ami has unwanted ephemeral device, don't copy all the ebs_volumess + config = merge(module.baseline_presets.ec2_instance.config.default, { + ami_name = "hmpps_windows_server_2022_release_2023-*" + ebs_volumes_copy_all_from_ami = false + user_data_raw = base64encode(file("./templates/ndh-user-data.yaml")) + }) + instance = merge(module.baseline_presets.ec2_instance.instance.default, { + vpc_security_group_ids = ["management_server"] + tags = { + backup-plan = "daily-and-weekly" + } + }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 100 } + } + 
tags = {
+ description = "Windows Server 2022 Management server for NDH"
+ os-type = "Windows"
+ component = "managementserver"
+ server-type = "ndh-management-server"
+ }
+ }
+}
diff --git a/terraform/environments/nomis-data-hub/locals_security_groups.tf b/terraform/environments/nomis-data-hub/locals_security_groups.tf
index 33d5521e0c1..6d189e22a14 100644
--- a/terraform/environments/nomis-data-hub/locals_security_groups.tf
+++ b/terraform/environments/nomis-data-hub/locals_security_groups.tf
@@ -63,7 +63,7 @@ locals {
 }
 security_group_cidrs = local.security_group_cidrs_by_environment[local.environment]
- baseline_security_groups = {
+ security_groups = {
 public = {
 description = "Security group for public subnet"
 ingress = {
diff --git a/terraform/environments/nomis-data-hub/locals_test.tf b/terraform/environments/nomis-data-hub/locals_test.tf
index b99e655b516..74f54a488dc 100644
--- a/terraform/environments/nomis-data-hub/locals_test.tf
+++ b/terraform/environments/nomis-data-hub/locals_test.tf
@@ -53,60 +53,6 @@ locals { ndh-environment = "test" }) }) - - } - baseline_ec2_autoscaling_groups = { - # Example ASG using base image with ansible provisioning - # Include the autoscale-trigger-hook ansible role when using hooks - # dev-base-rhel79 = { - # config = merge(module.baseline_presets.ec2_instance.config.default, { - # ami_name = "base_rhel_7_9_*" - # }) - # instance = merge(module.baseline_presets.ec2_instance.instance.default, { - # vpc_security_group_ids = ["private"] - # }) - # user_data_cloud_init = module.baseline_presets.ec2_instance.user_data_cloud_init.ssm_agent_and_ansible - # autoscaling_group = { - # desired_capacity = 1 - # max_size # # = 2 - # vpc_zone_identifier = module.environment.subnets["private"].ids - # } - # autoscaling_schedules = module.baseline_presets.ec2_autoscaling_schedules.working_hours - # tags = { - # description = "For testing with official RedHat RHEL7.9 image" - # os-type = "Linux" - # component = "test" - # server-type = "set me to the ansible server type group vars" - # } - # - # Example target group setup below - # - # lb_target_groups = { - # http-7777 = { - # port = 7777 - # protocol = "HTTP" - # target_type = "instance" - # deregistration_delay = 30 - # health_check = { - # enabled = true - # interval = 30 - # healthy_threshold = 3 - # matcher = "200-399" - # path = "/" - # port = 7777 - # timeout = 5 - # unhealthy_threshold = 5 - # } - # stickiness = { - # enabled = true - # type = "lb_cookie" - # } - # } - # } - # } - - - } baseline_s3_buckets = { @@ -121,6 +67,7 @@ locals { iam_policies = module.baseline_presets.s3_iam_policies } } + #when changing the ems entries in prod or t2, also stop and start xtag to reconnect it. baseline_route53_zones = { "test.ndh.nomis.service.justice.gov.uk" = { diff --git a/terraform/environments/nomis-data-hub/main.tf b/terraform/environments/nomis-data-hub/main.tf index d335982ac76..f53739914f9 100644 --- a/terraform/environments/nomis-data-hub/main.tf 
+++ b/terraform/environments/nomis-data-hub/main.tf
@@ -1,3 +1,7 @@
+# Majority of resources created by baseline module.
+# See common settings in locals.tf and environment specific settings in
+# locals_development.tf, locals_test.tf etc.
+
 module "ip_addresses" {
 source = "../../modules/ip_addresses"
 }
@@ -23,24 +27,9 @@ module "baseline_presets" {
 environment = module.environment
 ip_addresses = module.ip_addresses
-
- options = {
- enable_application_environment_wildcard_cert = true
- enable_business_unit_kms_cmks = true
- enable_image_builder = true
- enable_ec2_cloud_watch_agent = true
- enable_ec2_self_provision = true
- enable_ec2_user_keypair = true
- iam_policies_filter = ["ImageBuilderS3BucketWriteAndDeleteAccessPolicy"]
- iam_policies_ec2_default = ["EC2S3BucketWriteAndDeleteAccessPolicy", "ImageBuilderS3BucketWriteAndDeleteAccessPolicy"]
- s3_iam_policies = ["EC2S3BucketWriteAndDeleteAccessPolicy"]
-
- # comment this in if you need to resolve FixNGo hostnames
- # route53_resolver_rules = {
- #  outbound-data-and-private-subnets = ["azure-fixngo-domain"]
- # }
- }
+ options = local.baseline_presets_options
 }
+
 module "baseline" {
 source = "../../modules/baseline"
@@ -53,9 +42,52 @@ module "baseline" {
 environment = module.environment
- security_groups = local.baseline_security_groups
- acm_certificates = module.baseline_presets.acm_certificates
- cloudwatch_log_groups = module.baseline_presets.cloudwatch_log_groups
+ acm_certificates = merge(
+ module.baseline_presets.acm_certificates,
+ local.baseline_acm_certificates,
+ lookup(local.baseline_environment_config, "baseline_acm_certificates", {})
+ )
+
+ backups = {
+ "everything" = {
+ plans = merge(
+ module.baseline_presets.backup_plans,
+ local.baseline_backup_plans,
+ lookup(local.baseline_environment_config, "baseline_backup_plans", {})
+ )
+ }
+ }
+
+ # bastion_linux = merge(
+ #  local.baseline_bastion_linux,
+ # lookup(local.baseline_environment_config, "baseline_bastion_linux", {})
+ # )
+
+ cloudwatch_metric_alarms = merge(
+ local.baseline_cloudwatch_metric_alarms,
+ lookup(local.baseline_environment_config, "baseline_cloudwatch_metric_alarms", {})
+ )
+
+ cloudwatch_log_metric_filters = merge(
+ local.baseline_cloudwatch_log_metric_filters,
+ lookup(local.baseline_environment_config, "baseline_cloudwatch_log_metric_filters", {})
+ )
+
+ cloudwatch_log_groups = merge(
+ module.baseline_presets.cloudwatch_log_groups,
+ local.baseline_cloudwatch_log_groups,
+ lookup(local.baseline_environment_config, "baseline_cloudwatch_log_groups", {})
+ )
+
+ ec2_autoscaling_groups = merge(
+ local.baseline_ec2_autoscaling_groups,
+ lookup(local.baseline_environment_config, "baseline_ec2_autoscaling_groups", {})
+ )
+
+ ec2_instances = merge(
+ local.baseline_ec2_instances,
+ lookup(local.baseline_environment_config, "baseline_ec2_instances", {})
+ )
 iam_policies = merge(
 module.baseline_presets.iam_policies,
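Review bot: The commented-out bastion_linux block in the middle of the hunk references `local.baseline_bastion_linux`, which the locals.tf hunk in this commit does not declare alongside the other empty `baseline_*` defaults, so uncommenting it as written would fail at plan time. Either add `baseline_bastion_linux = {}` next to those defaults in locals.tf or drop the block until it is needed, so that the file only carries configuration that can actually be enabled. The module "baseline" block starts before and continues after the hunk.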
@@ -63,52 +95,71 @@ module "baseline" {
 lookup(local.baseline_environment_config, "baseline_iam_policies", {})
 )
- iam_roles = module.baseline_presets.iam_roles
- iam_service_linked_roles = module.baseline_presets.iam_service_linked_roles
- key_pairs = module.baseline_presets.key_pairs
- kms_grants = module.baseline_presets.kms_grants
- route53_resolvers = module.baseline_presets.route53_resolvers
+ iam_roles = merge(
+ module.baseline_presets.iam_roles,
+ local.baseline_iam_roles,
+ lookup(local.baseline_environment_config, "baseline_iam_roles", {})
+ )
+
+ iam_service_linked_roles = merge(
+ module.baseline_presets.iam_service_linked_roles,
+ local.baseline_iam_service_linked_roles,
+ lookup(local.baseline_environment_config, "baseline_iam_service_linked_roles", {})
+ )
+
+ key_pairs = merge(
+ module.baseline_presets.key_pairs,
+ local.baseline_key_pairs,
+ lookup(local.baseline_environment_config, "baseline_key_pairs", {})
+ )
+
+ kms_grants = merge(
+ module.baseline_presets.kms_grants,
+ local.baseline_kms_grants,
+ lookup(local.baseline_environment_config, "baseline_kms_grants", {})
+ )
+
+ lbs = merge(
+ local.baseline_lbs,
+ lookup(local.baseline_environment_config, "baseline_lbs", {})
+ )
+
+ route53_resolvers = merge(
+ module.baseline_presets.route53_resolvers,
+ local.baseline_route53_resolvers,
+ lookup(local.baseline_environment_config, "baseline_route53_resolvers", {})
+ )
+
 route53_zones = merge(
 local.baseline_route53_zones,
 lookup(local.baseline_environment_config, "baseline_route53_zones", {})
 )
- ec2_instances = lookup(local.environment_config, "baseline_ec2_instances", {})
- ec2_autoscaling_groups = lookup(local.environment_config, "baseline_ec2_autoscaling_groups", {})
- lbs = lookup(local.environment_config, "baseline_lbs", {})
+ s3_buckets = merge(
+ module.baseline_presets.s3_buckets,
+ local.baseline_s3_buckets,
+ lookup(local.baseline_environment_config, "baseline_s3_buckets", {})
+ )
 secretsmanager_secrets = merge(
 local.baseline_secretsmanager_secrets,
 lookup(local.baseline_environment_config, "baseline_secretsmanager_secrets", {})
 )
+ security_groups = merge(
+ local.baseline_security_groups,
+ lookup(local.baseline_environment_config, "baseline_security_groups", {})
+ )
+
+ sns_topics = merge(
+ module.baseline_presets.sns_topics,
+ local.baseline_sns_topics,
+ lookup(local.baseline_environment_config, "baseline_sns_topics", {})
+ )
+
 ssm_parameters = merge(
 module.baseline_presets.ssm_parameters,
 local.baseline_ssm_parameters,
 lookup(local.baseline_environment_config, "baseline_ssm_parameters", {}),
 )
-
- s3_buckets = merge(
- module.baseline_presets.s3_buckets,
- local.baseline_s3_buckets,
- lookup(local.baseline_environment_config, "baseline_s3_buckets", {})
- )
-}
-
-#create random value for defualt values
-resource "random_password" "random_value" {
- length = 12
- }
-
-#create secret store for ndh values
-resource "aws_ssm_parameter" "ndh_secrets" {
- for_each = toset(local.ndh_secrets)
- name = each.value
- type = "SecureString"
- value = random_password.random_value.result
- lifecycle {
- ignore_changes = [
- value,
- ]
- }
 }
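Review bot: Deleting `resource "aws_ssm_parameter" "ndh_secrets"` at the end of the hunk removes the SecureString parameters named in the old `ndh_secrets` list (dropped by this commit's locals.tf hunk) from state and destroys them on the next apply; because their `value` was under `ignore_changes`, any real values written to them out of band exist only in those parameters. Before this is applied to an environment that has them, confirm the consumers now read the `/ndh/*` Secrets Manager secrets or the values have been copied across, or detach the parameters with `terraform state rm` rather than letting the plan destroy them. Nothing in the diff shows where those values were migrated, so this is a question to settle rather than a defect in the new code. The hunk appears to end at the file's closing brace.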