diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index 601d785bd20..d72594d3ab9 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -2,15 +2,46 @@
 "accounts": {
 "development": {
 "region": "eu-west-2",
- "docker_image_tag": "development"
+ "docker_image_tag": "development",
+ "db_enabled": true,
+ "db_instance_class": "db.t3.small",
+ "db_user": "admin",
+ "db_allocated_storage": "75",
+ "db_name": "chaps-dev",
+ "env_name": "development",
+ "db_instance_identifier": "chaps-dev-instance",
+ "friendly_name": "Chaps development",
+ "container_instance_type": "windows",
+ "container_version": "preproduction"
 },
 "preproduction": {
+ "db_enabled": true,
+ "db_instance_class": "db.t3.xlarge",
+ "db_user": "admin",
+ "db_allocated_storage": "75",
+ "db_name": "chaps-preproduction",
+ "env_name": "preproduction",
+ "db_instance_identifier": "chaps-preprod-instance",
+ "friendly_name": "Chaps preproduction",
+ "container_instance_type": "windows",
+ "container_version": "preproduction",
 "region": "eu-west-2",
 "docker_image_tag": "preproduction"
 },
 "production": {
+ "db_enabled": true,
+ "db_instance_class": "db.m5.xlarge",
+ "db_user": "admin",
+ "db_allocated_storage": "100",
+ "db_name": "chaps-prod",
+ "env_name": "production",
+ "db_instance_identifier": "chaps-prod-instance",
+ "friendly_name": "Chaps Production",
+ "container_instance_type": "windows",
+ "container_version": "production",
 "region": "eu-west-2",
 "docker_image_tag": "production"
 }
 }
 }
+
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
new file mode 100644
index 00000000000..a81154c4ac5
--- /dev/null
+++ b/terraform/environments/cdpt-chaps/database.tf
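Review bot: `db_allocated_storage` is written as a quoted string (`"75"`, `"100"`) in all three accounts while `db_enabled` is a real boolean, so the one numeric field in the new block carries the wrong JSON type; Terraform will coerce it when it reaches `allocated_storage`, but the value should be `"db_allocated_storage": 75` so anything else that reads this file sees a number. `db_enabled` is added for every account but nothing else in this commit appears to read it, so as far as I can see it is either dead data or a gate that still needs wiring into the database resources. The three account objects also list the same keys in different orders (development appends after `docker_image_tag`, the other two prepend before `region`), which makes the environments harder to compare; keep one order. `db_user` is `admin` everywhere — if, as the other hunks suggest, these values feed a SQL Server RDS instance, that name is worth checking against the engine's reserved master-username list before the first apply.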
@@ -0,0 +1,81 @@ +#------------------------------------------------------------------------------ +# Database +#------------------------------------------------------------------------------ + +resource "aws_db_instance" "database" { + allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage + storage_type = "gp2" + engine = "sqlserver-web" + engine_version = "14.00.3381.3.v1" + instance_class = local.app_data.accounts[local.environment].db_instance_class + identifier = local.app_data.accounts[local.environment].db_instance_identifier + username = local.app_data.accounts[local.environment].db_user + iam_database_authentication_enabled = true +} + +resource "aws_db_instance_role_association" "rds_s3_role_association" { + db_instance_identifier = aws_db_instance.database.identifier + feature_name = "S3_INTEGRATION" + role_arn = "arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess" +} + +resource "aws_security_group" "db" { + name = "db" + description = "Allow DB inbound traffic" + + ingress { + from_port = 1433 + to_port = 1433 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + +resource "aws_iam_role" "rds_s3_access" { + assume_role_policy = jsonencode({ + Version = "2017-10-17", + Statement = [ + { + Action = "sts:AssumeRole", + Effect = "Allow", + Principal = { + Service = "rds.amazonaws.com" + }, + }, + ] + }) +} + +#------------------------------------------------------------------------------ +# KMS setup for RDS +#------------------------------------------------------------------------------ + +resource "aws_kms_key" "rds" { + description = "Encryption key for rds" + enable_key_rotation = true + policy = data.aws_iam_policy_document.rds-kms.json +} + +resource "aws_kms_alias" "rds-kms-alias" { + name = "alias/rds" + target_key_id = aws_kms_key.rds.arn +} + +data "aws_iam_policy_document" "rds-kms" { + statement { + effect = 
"Allow" + actions = ["kms:*"] + resources = ["*"] + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + } +} diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf index 1cf2cbe7024..f31e9ede4cf 100644 --- a/terraform/environments/cdpt-chaps/locals.tf +++ b/terraform/environments/cdpt-chaps/locals.tf @@ -1,4 +1,7 @@ +#### This file can be used to store locals specific to the member account #### locals { + app_data = jsondecode(file("./application_variables.json")) + domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value @@ -14,4 +17,4 @@ locals { domain_type_sub = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"] ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-chaps-ecr-repo" -} +} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf new file mode 100644 index 00000000000..84db42a1b72 --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf @@ -0,0 +1,10 @@ +resource "aws_backup_vault" "oracle_backup_vault" { + name = "${var.env_name}-oracle-backup-vault" + kms_key_arn = var.account_config.kms_keys.general_shared + tags = merge( + var.tags, + { + "Name" = "${var.env_name}-oracle-backup-vault" + }, + ) +} \ No newline at end of file diff --git a/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl b/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl index 7400286d290..e806b484203 100644 
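Review bot: `aws_security_group.db` opens TCP 1433 to `0.0.0.0/0`, and `aws_db_instance.database` never references the group (no `vpc_security_group_ids`), so the rule is both over-broad and unattached; restrict `cidr_blocks` to the application subnets (or use `security_groups` with the app/ECS group) and wire it with `vpc_security_group_ids = [aws_security_group.db.id]`. The KMS key created lower in the hunk is likewise never used by the instance — without `storage_encrypted = true` and `kms_key_id = aws_kms_key.rds.arn` the key, its alias and its policy document do nothing for this database. `Version = "2017-10-17"` in `aws_iam_role.rds_s3_access` is not a valid IAM policy-language version (only `2012-10-17` and `2008-10-17` exist) and will be rejected at apply; that role also has no `name` and no permissions policy, while `aws_db_instance_role_association.rds_s3_role_association` points at a hard-coded cross-account ARN rather than the role defined here, so one of the two is presumably unintended. `aws_db_instance.database` sets neither `password` nor `manage_master_user_password`, has no `final_snapshot_identifier`/`skip_final_snapshot`, and — as far as I know — `iam_database_authentication_enabled = true` is not supported for `sqlserver-web`, so I would expect plan or apply to fail before any of the above is reachable; the rewrite below shows the instance with those attributes supplied.
```hcl
resource "aws_db_instance" "database" {
  # … unchanged: allocated_storage, storage_type, engine, engine_version, instance_class, identifier, username …
  manage_master_user_password = true # master credential lives in Secrets Manager, not in state/JSON
  storage_encrypted           = true
  kms_key_id                  = aws_kms_key.rds.arn
  vpc_security_group_ids      = [aws_security_group.db.id]
  deletion_protection         = true
  backup_retention_period     = 7 # placeholder — set per environment
  final_snapshot_identifier   = "${local.app_data.accounts[local.environment].db_instance_identifier}-final"
}
```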
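Review bot: `file("./application_variables.json")` resolves relative to the process working directory, not the module, so the new `app_data` local breaks as soon as Terraform is invoked from another directory (`-chdir`, a wrapper, CI); use `app_data = jsondecode(file("${path.module}/application_variables.json"))`. Because the values in that file (instance class, storage size, user) drive resources elsewhere in this commit, a bad read here surfaces as an opaque error on every consumer, so a one-line comment above the local would help, e.g. `# Per-account settings (db_*, container_*) keyed by local.environment; see application_variables.json`. The `locals` block continues past the end of this hunk.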
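Review bot: The vault name expression `"${var.env_name}-oracle-backup-vault"` is written twice in `aws_backup_vault.oracle_backup_vault` — once for `name` and once for the `Name` tag — so the two can drift on a later edit; compute it once, e.g. `"Name" = aws_backup_vault.oracle_backup_vault.name` is not possible inside the same resource, so hoist it to a local (`local.oracle_backup_vault_name`) and reference that from both places. No backup plan or selection targeting this vault is visible in the commit, so if one is expected it should be noted in a comment on the resource.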
--- a/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl
+++ b/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl
@@ -61,7 +61,7 @@ run_ansible() {
 then
 group=$(echo "$${environment_name}_$${delius_environment_name}_$${database}" | tr [:upper:] [:lower:] | sed "s/-/_/g")
 group_all=$(echo "$${environment_name}_$${delius_environment_name}_all" | tr [:upper:] [:lower:] | sed "s/-/_/g")
- database_type=$(echo $database | cut -d'_' -f2 | sed "s/db//g")
+ [[ $database =~ "primarydb" ]] && database_type="primary" || database_type="standby"
 ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml --extra-vars @group_vars/$group_all.yml --extra-vars database_type=$database_type"
 elif [[ $i -gt 2 ]]
 then
diff --git a/terraform/environments/delius-core/templates/userdata.sh.tftpl b/terraform/environments/delius-core/templates/userdata.sh.tftpl
index 7400286d290..e806b484203 100644
--- a/terraform/environments/delius-core/templates/userdata.sh.tftpl
+++ b/terraform/environments/delius-core/templates/userdata.sh.tftpl
@@ -61,7 +61,7 @@ run_ansible() {
 then
 group=$(echo "$${environment_name}_$${delius_environment_name}_$${database}" | tr [:upper:] [:lower:] | sed "s/-/_/g")
 group_all=$(echo "$${environment_name}_$${delius_environment_name}_all" | tr [:upper:] [:lower:] | sed "s/-/_/g")
- database_type=$(echo $database | cut -d'_' -f2 | sed "s/db//g")
+ [[ $database =~ "primarydb" ]] && database_type="primary" || database_type="standby"
 ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml --extra-vars @group_vars/$group_all.yml --extra-vars database_type=$database_type"
 elif [[ $i -gt 2 ]]
 then
diff --git a/terraform/environments/hmpps-domain-services/locals_test.tf b/terraform/environments/hmpps-domain-services/locals_test.tf
index a032478c08b..2c0a0531e62 100644
--- a/terraform/environments/hmpps-domain-services/locals_test.tf
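Review bot: `[[ $database =~ "primarydb" ]]` is an unanchored substring match, and the `&& … || …` form labels every non-matching value — a typo, an unexpected host name, or a future third role — as `standby` with no error, whereas the replaced `cut`/`sed` pipeline at least passed the real token through to Ansible. An explicit `case` that fails loudly on anything it does not recognise keeps the two known roles and makes the fallback visible; the same line is changed identically in `terraform/environments/delius-core/templates/userdata.sh.tftpl`, so both copies need the same treatment (the duplication itself is worth a comment pointing at the canonical copy). `run_ansible` starts and ends outside this hunk, so `return 1` below assumes the caller checks the function's status — adjust to whatever the surrounding loop expects.
```shell
case $database in
  *primarydb*) database_type="primary" ;;
  *standby*)   database_type="standby" ;;
  *) echo "run_ansible: unexpected database name '$database'" >&2; return 1 ;;
esac
# … unchanged: ansible_group_vars assignment …
```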
+++ b/terraform/environments/hmpps-domain-services/locals_test.tf @@ -48,7 +48,7 @@ locals { availability_zone = null ebs_volumes_copy_all_from_ami = false user_data_raw = base64encode(templatefile("./templates/rds.yaml.tftpl", { - rds_hostname = "RDSConnectionBroker" + rds_hostname = "RDSBroker" })) }) instance = merge(module.baseline_presets.ec2_instance.instance.default, { diff --git a/terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl b/terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl index 238a8456a96..5c1b7f890d6 100644 --- a/terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl +++ b/terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl @@ -93,6 +93,6 @@ tasks: Disable-NetAdapterBinding -Name 'Ethernet' -ComponentID 'ms_tcpip6' Import-Module RemoteDesktop Enable-PSRemoting -force - Rename-Computer -NewName ${rds_hostname} + Rename-Computer -NewName "${rds_hostname}1" Sleep 5 Restart-Computer -Force diff --git a/terraform/environments/hmpps-oem/locals_development.tf b/terraform/environments/hmpps-oem/locals_development.tf index 1d6beab7de1..7b20a0e8987 100644 --- a/terraform/environments/hmpps-oem/locals_development.tf +++ b/terraform/environments/hmpps-oem/locals_development.tf @@ -4,6 +4,12 @@ locals { # baseline config development_config = { + baseline_secretsmanager_secrets = { + "/oracle/oem" = local.oem_secretsmanager_secrets + "/oracle/database/EMREP" = local.oem_secretsmanager_secrets + "/oracle/database/DEVRCVCAT" = local.oem_secretsmanager_secrets + } + baseline_ec2_autoscaling_groups = { dev-base-ol85 = { config = merge(module.baseline_presets.ec2_instance.config.default, { 
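Review bot: The `1` suffix in `Rename-Computer -NewName "${rds_hostname}1"` is hard-coded into the shared template, so every instance rendered from `rds.yaml.tftpl` gets the same computer name, and the companion change in `locals_test.tf` (`RDSConnectionBroker` → `RDSBroker`) only moves half of the name out of the template; pass the full name in `rds_hostname` (or add an index variable) so the template stays instance-agnostic. Windows computer names are limited to 15 characters, which `RDSBroker1` satisfies and the previous 19-character value did not — presumably the reason for the shortening — so a comment recording that limit next to the variable in `locals_test.tf` would stop it regressing, e.g. `# NetBIOS limit: rendered name (hostname + suffix) must be <= 15 chars`.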
@@ -32,5 +38,21 @@ locals { } } + baseline_ec2_instances = { + dev-oem-a = merge(local.oem_ec2_default, { + config = merge(local.oem_ec2_default.config, { + ami_name = "hmpps_ol_8_5_oracledb_19c_release_2023-12-07T12-10-49.620Z" + availability_zone = "eu-west-2a" + }) + user_data_cloud_init = merge(local.oem_ec2_default.user_data_cloud_init, { + args = merge(local.oem_ec2_default.user_data_cloud_init.args, { + branch = "45027fb7482eb7fb601c9493513bb73658780dda" # 2023-08-11 + }) + }) + tags = merge(local.oem_ec2_default.tags, { + oracle-sids = "EMREP DEVRCVCAT" + }) + }) + } } } diff --git a/terraform/environments/tipstaff/rds.tf b/terraform/environments/tipstaff/rds.tf index 6a179fd4d30..1e202ea7fcb 100644 --- a/terraform/environments/tipstaff/rds.tf +++ b/terraform/environments/tipstaff/rds.tf @@ -47,6 +47,14 @@ resource "aws_security_group" "postgresql_db_sc" { module.bastion_linux.bastion_security_group ] } + + ingress { + from_port = 5432 + to_port = 5432 + protocol = "tcp" + description = "MOJ Digital VPN access" + cidr_blocks = [local.application_data.accounts[local.environment].moj_ip] + } egress { description = "allow all outbound traffic" from_port = 0
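Review bot: The `oracle-sids = "EMREP DEVRCVCAT"` tag on `dev-oem-a` repeats the SIDs that the first hunk of this file registers as `/oracle/database/EMREP` and `/oracle/database/DEVRCVCAT` secrets, so the two lists can silently drift; derive one from the other, e.g. a `local.oem_sids = ["EMREP", "DEVRCVCAT"]` consumed as `join(" ", local.oem_sids)` here and as a `for` expression when building the secret keys. `branch = "45027fb7482eb7fb601c9493513bb73658780dda" # 2023-08-11` pins a commit, which is the right thing to do, but the comment date does not match the AMI date (`2023-12-07`) on the same instance and does not say which repository the hash belongs to — a comment such as `# <repo name> @ 2023-08-11` would make the pin auditable. The `locals` block and the `development_config` map both start outside this hunk.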
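Review bot: The new 5432 ingress feeds `local.application_data.accounts[local.environment].moj_ip` straight into `cidr_blocks`, which requires CIDR notation: a bare address in the JSON fails the plan, and a wider prefix than intended exposes the database to that whole range, so document the expected shape on the rule (`# moj_ip must be a single-host CIDR, e.g. <vpn-egress-ip>/32`) or validate it where the JSON is loaded (`can(cidrhost(..., 0))`). The existing `ingress` above the hunk restricts access via `security_groups`; adding a CIDR rule to the same group is fine, but the new block is unconditional, so if any account map lacks `moj_ip` that environment's plan will error — inferred from the visible lines only. The `aws_security_group.postgresql_db_sc` resource starts and ends outside this hunk.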