Merge pull request #8155 from ministryofjustice/Update_101024_3
Update_101024_3
nbuckingham72 authored Oct 10, 2024
2 parents 098797d + f91acd0 commit f41855f
Showing 3 changed files with 60 additions and 17 deletions.
4 changes: 2 additions & 2 deletions terraform/environments/ppud/endpointservice.tf
Expand Up @@ -20,8 +20,8 @@ resource "aws_lb" "ppud_internal_nlb" {
load_balancer_type = "network"
subnets = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
security_groups = [aws_security_group.PPUD-ALB.id]
enable_deletion_protection = false # change it to true

enable_deletion_protection = true
tags = {
Name = "${var.networking[0].business-unit}-${local.environment}"
}
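Review bot: `enable_deletion_protection = true` on `aws_lb.ppud_internal_nlb` now blocks `terraform destroy` and any replace-on-change of the load balancer until the flag is flipped back, and nothing in the hunk conditions it on environment, so it presumably applies to dev and UAT as well as production. If the non-production stacks are torn down and rebuilt by pipeline, consider `enable_deletion_protection = local.is-production` (the same local is already used to gate the Lambda resources in this commit) rather than a hard `true`. Whichever is chosen, a one-line comment recording the intent would help the next person who hits the destroy failure, e.g. `# Guard the internal NLB against accidental deletion; must be set to false before the LB can be destroyed or replaced`. The resource header and any `count` on it sit above the hunk, so I cannot confirm how the resource is gated.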
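--- a/terraform/environments/ppud/iam.tf
+++ b/terraform/environments/ppud/iam.tf
@@ -159,15 +159,19 @@ resource "aws_iam_policy" "iam_policy_for_lambda" {
 "logs:CreateLogStream",
 "logs:PutLogEvents"
 ],
-"Resource": "arn:aws:logs:*:*:*"
+"Resource": [
+"arn:aws:logs:eu-west-2:817985104434:*"
+]
 },
 {
 "Effect": "Allow",
 "Action": [
 "ec2:Start*",
 "ec2:Stop*"
 ],
-"Resource": "*"
+"Resource": [
+"arn:aws:ec2:eu-west-2:817985104434:*"
+]
 },
 {
 "Effect": "Allow",
@@ -236,7 +240,9 @@ resource "aws_iam_policy" "iam_policy_for_lambda_alarm_suppression" {
 "logs:CreateLogStream",
 "logs:PutLogEvents"
 ],
-"Resource": "arn:aws:logs:*:*:*"
+"Resource": [
+"arn:aws:logs:eu-west-2:817985104434:*"
+]
 },
 {
 "Effect": "Allow",
@@ -574,19 +580,25 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_dev" {
 "acm:ListCertificates",
 "acm:ListTagsForCertificate"
 ],
-"Resource": "*"
+"Resource": [
+"arn:aws:acm:eu-west-2:075585660276:certificate:*"
+]
 },
 {
 "Sid":"LambdaCertificateExpiryPolicy4",
 "Effect": "Allow",
 "Action": "SNS:Publish",
-"Resource": "*"
+"Resource": [
+"arn:aws:sns:eu-west-2:075585660276:*"
+]
 },
 {
 "Sid": "LambdaCertificateExpiryPolicy5",
 "Effect": "Allow",
 "Action": "cloudwatch:ListMetrics",
-"Resource": "*"
+"Resource": [
+"arn:aws:cloudwatch:eu-west-2:075585660276:*"
+]
 },
 {
 "Sid": "LambdaCertificateExpiryPolicy6",
@@ -675,19 +687,25 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_uat" {
 "acm:ListCertificates",
 "acm:ListTagsForCertificate"
 ],
-"Resource": "*"
+"Resource": [
+"arn:aws:acm:eu-west-2:172753231260:certificate:*"
+]
 },
 {
 "Sid":"LambdaCertificateExpiryPolicy4",
 "Effect": "Allow",
 "Action": "SNS:Publish",
-"Resource": "*"
+"Resource": [
+"arn:aws:sns:eu-west-2:172753231260:*"
+]
 },
 {
 "Sid": "LambdaCertificateExpiryPolicy5",
 "Effect": "Allow",
 "Action": "cloudwatch:ListMetrics",
-"Resource": "*"
+"Resource": [
+"arn:aws:cloudwatch:eu-west-2:172753231260:*"
+]
 },
 {
 "Sid": "LambdaCertificateExpiryPolicy6",
@@ -776,19 +794,25 @@ resource "aws_iam_policy" "iam_policy_for_lambda_certificate_expiry_prod" {
 "acm:ListCertificates",
 "acm:ListTagsForCertificate"
 ],
-"Resource": "*"
+"Resource": [
+"arn:aws:acm:eu-west-2:817985104434:certificate:*"
+]
 },
 {
 "Sid":"LambdaCertificateExpiryPolicy4",
 "Effect": "Allow",
 "Action": "SNS:Publish",
-"Resource": "*"
+"Resource": [
+"arn:aws:sns:eu-west-2:817985104434:*"
+]
 },
 {
 "Sid": "LambdaCertificateExpiryPolicy5",
 "Effect": "Allow",
 "Action": "cloudwatch:ListMetrics",
-"Resource": "*"
+"Resource": [
+"arn:aws:cloudwatch:eu-west-2:817985104434:*"
+]
 },
 {
 "Sid": "LambdaCertificateExpiryPolicy6",
@@ -997,7 +1021,10 @@ resource "aws_iam_policy" "aws_signer_policy_prod" {
 "signer:GetSigningProfile",
 "signer:ListSigningJobs"
 ],
-Resource = "*"
+Resource = [
+"arn:aws:signer:eu-west-2:817985104434:/signing-profiles/0r1ihd4swpgdxsjmfe1ibqhvdpm3zg05le4uni20241008100713396700000002",
+"arn:aws:signer:eu-west-2:817985104434:/signing-profiles/0r1ihd4swpgdxsjmfe1ibqhvdpm3zg05le4uni20241008100713396700000002/HzoPedNoUr"
+]
 }
 ]
 })
@@ -1055,7 +1082,10 @@ resource "aws_iam_policy" "aws_signer_policy_uat" {
 "signer:GetSigningProfile",
 "signer:ListSigningJobs"
 ],
-Resource = "*"
+Resource = [
+"arn:aws:signer:eu-west-2:172753231260:/signing-profiles/ucjvuurx21fa91xmhktdde5ognhxig1vahls8z20241008084937718900000002",
+"arn:aws:signer:eu-west-2:172753231260:/signing-profiles/ucjvuurx21fa91xmhktdde5ognhxig1vahls8z20241008084937718900000002/ZYACVFPo1R"
+]
 }
 ]
 })
@@ -1113,7 +1143,10 @@ resource "aws_iam_policy" "aws_signer_policy_dev" {
 "signer:GetSigningProfile",
 "signer:ListSigningJobs"
 ],
-Resource = "*"
+Resource = [
+"arn:aws:signer:eu-west-2:075585660276:/signing-profiles/grw77tzk96phtwcrceot5xlbt9veqixuyck04420241008100655411100000002",
+"arn:aws:signer:eu-west-2:075585660276:/signing-profiles/grw77tzk96phtwcrceot5xlbt9veqixuyck04420241008100655411100000002/AHvOa02ifI"
+]
 }
 ]
 })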
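Review bot: The new ACM resource ARN `arn:aws:acm:eu-west-2:075585660276:certificate:*` in the certificate-expiry dev policy (repeated with the UAT and prod account IDs) puts a colon before the wildcard, but ACM certificate ARNs have the form `arn:aws:acm:<region>:<account>:certificate/<id>`, so this pattern matches no certificate and `acm:ListTagsForCertificate` will be denied once the policy is applied; it should read `"arn:aws:acm:eu-west-2:075585660276:certificate/*"` in each of the three policies. Separately, `acm:ListCertificates` and `cloudwatch:ListMetrics` are list operations that, per the service authorization reference, do not support resource-level permissions and are only authorised when `"Resource"` is `"*"`, so scoping them to an ARN denies them too; they need a statement of their own with `"Resource": "*"` and a comment such as `// list actions carry no resource ARN, so "*" is the only valid scope`, while `ListTagsForCertificate` keeps the scoped ARN. The same caveat may apply to `signer:ListSigningJobs` in the three signer policies, which I would check against the Signer action table before merging. The statement headers (`Sid`, `Effect`, start of `Action`) and the enclosing `aws_iam_policy` resources all begin above their hunks, so the surrounding statements were not reviewed.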
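--- a/terraform/environments/ppud/lambda.tf
+++ b/terraform/environments/ppud/lambda.tf
@@ -20,6 +20,7 @@ data "archive_file" "zip_the_stop_instance_code" {
 # Lambda Function for Stop and Start of Instance
 #################################################
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_func_stop" {
 count = local.is-production == true ? 1 : 0
 filename = "${path.module}/stop-instance/StopEC2Instances.zip"
@@ -38,6 +39,7 @@ resource "aws_lambda_function" "terraform_lambda_func_stop" {
 }
 }
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_func_start" {
 count = local.is-production == true ? 1 : 0
 filename = "${path.module}/start-instance/StartEC2Instances.zip"
@@ -187,6 +189,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_enable_cpu_alarm" {
 
 # Disable CPU Alarm
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
 count = local.is-production == true ? 1 : 0
 filename = "${path.module}/lambda_scripts/disable_cpu_alarm.zip"
@@ -207,6 +210,7 @@ resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
 
 # Enable CPU Alarm
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
 count = local.is-production == true ? 1 : 0
 filename = "${path.module}/lambda_scripts/enable_cpu_alarm.zip"
@@ -238,6 +242,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_terminate_cpu_
 source_arn = "arn:aws:cloudwatch:eu-west-2:075585660276:alarm:*"
 }
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" {
 count = local.is-development == true ? 1 : 0
 filename = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip"
@@ -279,6 +284,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_terminate_cpu_
 source_arn = "arn:aws:cloudwatch:eu-west-2:172753231260:alarm:*"
 }
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" {
 count = local.is-preproduction == true ? 1 : 0
 filename = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip"
@@ -320,6 +326,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_terminate_cpu_
 source_arn = "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:*"
 }
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" {
 count = local.is-production == true ? 1 : 0
 filename = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip"
@@ -361,6 +368,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_send_cpu_notif
 source_arn = "arn:aws:cloudwatch:eu-west-2:075585660276:alarm:*"
 }
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" {
 count = local.is-development == true ? 1 : 0
 filename = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip"
@@ -406,6 +414,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_send_cpu_notif
 source_arn = "arn:aws:cloudwatch:eu-west-2:172753231260:alarm:*"
 }
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" {
 count = local.is-preproduction == true ? 1 : 0
 filename = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip"
@@ -451,6 +460,7 @@ resource "aws_lambda_permission" "allow_cloudwatch_to_call_lambda_send_cpu_notif
 source_arn = "arn:aws:cloudwatch:eu-west-2:817985104434:alarm:*"
 }
 
+#trivy:ignore:CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
 resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" {
 count = local.is-production == true ? 1 : 0
 filename = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip"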
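Review bot: The suppression added above each `aws_lambda_function` (`#trivy:ignore:CKV_AWS_117: "..."`) combines Trivy's ignore syntax with a Checkov check ID — `CKV_AWS_117` is Checkov's "Lambda function is configured inside a VPC" rule, while Trivy's own misconfiguration rules use `AVD-AWS-nnnn` identifiers — so as written it is unlikely to silence either scanner and the finding will keep appearing. I cannot see from the hunk which tool the pipeline runs; if it is Checkov the form is `#checkov:skip=CKV_AWS_117:PPUD Lambda functions do not require VPC access and can run in no-VPC mode` directly above the resource, and if it is Trivy the ID has to be the matching AVD rule, with the justification kept so the exception stays auditable. Since the same line is repeated ten times, it is worth confirming the syntax on one resource before relying on it everywhere. Each function body continues below its hunk, so the VPC configuration being suppressed is not itself visible here.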

0 comments on commit f41855f

Please sign in to comment.