From 3f911aa4ec2823b288d55108fca5026d74bee9f6 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 11:36:30 +0000 Subject: [PATCH 01/32] add RDS --- .../cdpt-chaps/application_variables.json | 10 +++++- terraform/environments/cdpt-chaps/database.tf | 35 +++++++++++++++++++ terraform/environments/cdpt-chaps/locals.tf | 9 +++++ 3 files changed, 53 insertions(+), 1 deletion(-) create mode 100644 terraform/environments/cdpt-chaps/database.tf diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index 6b52bfe9b30..b7ba4f8cf3b 100644 --- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json @@ -1,7 +1,15 @@ { "accounts": { "development": { - "example_var": "dev-data" + "db_enabled": true, + "db_instance_class": "db.t3.small", + "db_user": "admin", + "db_allocated_storage": "75", + "db_name": "chaps-dev", + "env_name": "development", + "friendly_name": "Chaps development", + "container_instance_type": "windows", + "container_version": "preproduction", }, "test": { "example_var": "test-data" diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf new file mode 100644 index 00000000000..967b3a94f54 --- /dev/null +++ b/terraform/environments/cdpt-chaps/database.tf 
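Review bot: The trailing comma after `"container_version": "preproduction",` makes the file invalid JSON, so the `jsondecode(file("./application_variables.json"))` call this series adds in locals.tf will fail at plan time for every environment, not just development. Separately, `"db_name": "chaps-dev"` cannot be used for a SQL Server RDS instance — the CreateDBInstance API requires DBName to be null for SQL Server engines, so the value should be dropped rather than wired into `aws_db_instance`. `"db_allocated_storage": "75"` is a number stored as a string; Terraform will coerce it, but `"db_allocated_storage": 75` is the honest type, and `"db_enabled": true` is never read by anything in this series.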
@@ -0,0 +1,35 @@ +#------------------------------------------------------------------------------ +# Database +#------------------------------------------------------------------------------ + +resource "aws_db_instance" "database" { + identifier = local.application_name + allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage + storage_type = "gp2" + engine = "sqlserver-web" + engine_version = "14.00.3381.3.v1" + instance_class = local.app_data.accounts[local.environment].db_instance_class + name = local.app_data.accounts[local.environment].db_name + username = local.app_data.accounts[local.environment].db_user + #password = aws_secretsmanager_secret_version.db_password.arn +} + +resource "aws_security_group" "db" { + name = "db" + description = "Allow DB inbound traffic" + + ingress { + from_port = 1433 + to_port = 1433 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf index a7454414911..dd6fa15b334 100644 --- a/terraform/environments/cdpt-chaps/locals.tf +++ b/terraform/environments/cdpt-chaps/locals.tf @@ -1 +1,10 @@ #### This file can be used to store locals specific to the member account #### + + +locals { + +app_data = jsondecode(file("./application_variables.json")) + +application_name = "Chaps" + +} \ No newline at end of file From 26b07c146ddd6854dde5755d044a9beca842ec78 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 11:46:39 +0000 Subject: [PATCH 02/32] remove app name locals --- terraform/environments/cdpt-chaps/locals.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf index dd6fa15b334..2dc3ec57c65 100644 --- a/terraform/environments/cdpt-chaps/locals.tf +++ b/terraform/environments/cdpt-chaps/locals.tf 
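Review bot: The `aws_security_group.db` ingress rule opens TCP/1433 to `0.0.0.0/0`, and because the group has no `vpc_id` it is created in the account's default VPC; meanwhile `aws_db_instance.database` sets neither `vpc_security_group_ids` nor `db_subnet_group_name`, so the group is not even attached and the instance lands in the default VPC with the default security group. Replace the CIDR rule with a `security_groups` reference to the application's security group (or at minimum the VPC CIDR) and attach it with `vpc_security_group_ids = [aws_security_group.db.id]`. The instance also has no credential handling — `#password = ...` is commented out — and no encryption at rest; `manage_master_user_password = true` lets RDS generate and store the master password in Secrets Manager, and `storage_encrypted = true` should be set before the first apply since it cannot be enabled on an existing instance. Note that `name` was removed from `aws_db_instance` in AWS provider v5 in favour of `db_name`, and SQL Server does not accept an initial database name at all.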
@@ -1,10 +1,7 @@ #### This file can be used to store locals specific to the member account #### - locals { app_data = jsondecode(file("./application_variables.json")) -application_name = "Chaps" - } \ No newline at end of file From 6d21f1a7b2c642cf3924f37eaa4940a0308ad286 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 13:38:19 +0000 Subject: [PATCH 03/32] remove comma app_vars --- terraform/environments/cdpt-chaps/application_variables.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index b7ba4f8cf3b..24957d66d72 100644 --- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json @@ -9,7 +9,7 @@ "env_name": "development", "friendly_name": "Chaps development", "container_instance_type": "windows", - "container_version": "preproduction", + "container_version": "preproduction" }, "test": { "example_var": "test-data" From f41583d1ef01e7f73f69d3a92719b1288017ff56 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 19:17:26 +0000 Subject: [PATCH 04/32] revise db_name --- terraform/environments/cdpt-chaps/database.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index 967b3a94f54..88e3bd52307 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf 
@@ -8,10 +8,10 @@ resource "aws_db_instance" "database" { storage_type = "gp2" engine = "sqlserver-web" engine_version = "14.00.3381.3.v1" - instance_class = local.app_data.accounts[local.environment].db_instance_class + instance_class = local.app_data.accounts[local.environment].db_instance_identifier + identifier = local.app_data.accounts[local.environment].db_instance_class name = local.app_data.accounts[local.environment].db_name username = local.app_data.accounts[local.environment].db_user - #password = aws_secretsmanager_secret_version.db_password.arn } resource "aws_security_group" "db" { From d9c205dd24bb06c2dc075ef2a69d2140f6f01949 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 19:19:07 +0000 Subject: [PATCH 05/32] remove extra identifier --- terraform/environments/cdpt-chaps/database.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index 88e3bd52307..04080937c2b 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf @@ -3,7 +3,6 @@ #------------------------------------------------------------------------------ resource "aws_db_instance" "database" { - identifier = local.application_name allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage storage_type = "gp2" engine = "sqlserver-web" From b3963a56d821b0fc3dfc191f12359e264c69b6e6 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 19:29:37 +0000 Subject: [PATCH 06/32] remove name argument --- terraform/environments/cdpt-chaps/database.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index 04080937c2b..bd996de8884 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf 
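Review bot: The two added lines look transposed: `instance_class` is now fed from `db_instance_identifier` and `identifier` from `db_instance_class`, so the plan would try to create an instance of class `chaps-dev-instance`. Deleting the commented `#password = aws_secretsmanager_secret_version.db_password.arn` line also removes the only hint of how the master credential is meant to be supplied; with neither `password` nor `manage_master_user_password` set, RDS is expected to reject the CreateDBInstance call. The intended line is probably `manage_master_user_password = true` — a Secrets Manager secret version ARN is in any case not a valid value for `password`.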
@@ -9,7 +9,6 @@ resource "aws_db_instance" "database" { engine_version = "14.00.3381.3.v1" instance_class = local.app_data.accounts[local.environment].db_instance_identifier identifier = local.app_data.accounts[local.environment].db_instance_class - name = local.app_data.accounts[local.environment].db_name username = local.app_data.accounts[local.environment].db_user } From 48b8d24cff8f4528386e80e80054b2504502713f Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Thu, 7 Dec 2023 09:01:22 +0000 Subject: [PATCH 07/32] fix database.tf --- terraform/environments/cdpt-chaps/application_variables.json | 1 + terraform/environments/cdpt-chaps/database.tf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index 24957d66d72..04dbda96653 100644 --- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json @@ -7,6 +7,7 @@ "db_allocated_storage": "75", "db_name": "chaps-dev", "env_name": "development", + "db_instance_identifier": "chaps-dev-instance", "friendly_name": "Chaps development", "container_instance_type": "windows", "container_version": "preproduction" diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index bd996de8884..b96a7617805 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf 
@@ -7,8 +7,8 @@ resource "aws_db_instance" "database" { storage_type = "gp2" engine = "sqlserver-web" engine_version = "14.00.3381.3.v1" - instance_class = local.app_data.accounts[local.environment].db_instance_identifier - identifier = local.app_data.accounts[local.environment].db_instance_class + instance_class = local.app_data.accounts[local.environment].db_instance_class + identifier = local.app_data.accounts[local.environment].db_instance_identifier username = local.app_data.accounts[local.environment].db_user } From 30d22de3ba832de15f3e07faeb7f371cc15acee4 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 10:50:53 +0000 Subject: [PATCH 08/32] add s3 access for RDS --- terraform/environments/cdpt-chaps/database.tf | 76 +++++++++++++++++-- 1 file changed, 69 insertions(+), 7 deletions(-) diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index b96a7617805..c73153db908 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf 
@@ -3,13 +3,21 @@ #------------------------------------------------------------------------------ resource "aws_db_instance" "database" { - allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage - storage_type = "gp2" - engine = "sqlserver-web" - engine_version = "14.00.3381.3.v1" - instance_class = local.app_data.accounts[local.environment].db_instance_class - identifier = local.app_data.accounts[local.environment].db_instance_identifier - username = local.app_data.accounts[local.environment].db_user + allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage + storage_type = "gp2" + engine = "sqlserver-web" + engine_version = "14.00.3381.3.v1" + instance_class = local.app_data.accounts[local.environment].db_instance_class + identifier = local.app_data.accounts[local.environment].db_instance_identifier + username = local.app_data.accounts[local.environment].db_user + iam_database_authentication_enabled = true + iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"] + s3_import { + bucket_name = tp-dbbackups + bucket-prefix = chap-dev + ingestion_role = aws_iam_role.rds_s3_access.arn + source_engine = "sqlserver-web" +} } resource "aws_security_group" "db" { 
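Review bot: `iam_database_authentication_enabled = true` is not supported for the `sqlserver-web` engine — RDS IAM database authentication exists only for MariaDB, MySQL and PostgreSQL — so expect this to be rejected at apply; SQL Server instances use Windows/Kerberos authentication via Directory Service instead. `iam_roles` is not an argument of `aws_db_instance` (it belongs to `aws_rds_cluster`), and the value it carries is a hard-coded role ARN in account `613903586696`: account IDs for this platform are already available via `local.environment_management.account_ids` (visible in locals.tf later in this series), so the ARN should be built from that rather than pinned in code. The `s3_import` block is the MySQL-only snapshot-restore feature (`source_engine` must be `mysql`), `bucket-prefix` is not a valid attribute name, and `tp-dbbackups` / `chap-dev` are unquoted so HCL parses them as subtraction of undeclared references.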
@@ -31,3 +39,57 @@ resource "aws_security_group" "db" { } } +resource "aws_iam_role" "rds_s3_access" { + assume_role_policy = jsonencode({ + Version = "2017-10-17", + Statement = [ + { + Action = "sts:AssumeRole", + Effect = "Allow", + Principal = { + Service = "rds.amazonaws.com" + }, + }, + ] + }) +} + + + + +#------------------------------------------------------------------------------ +# S3 Bucket for Database backup files +#------------------------------------------------------------------------------ + + + + + + + +#------------------------------------------------------------------------------ +# KMS setup for RDS +#------------------------------------------------------------------------------ + +resource "aws_kms_key" "rds" { + description = "Encryption key for rds" + enable_key_rotation = true + policy = data.aws_iam_policy_document.rds-kms.json +} + +resource "aws_kms_alias" "rds-kms-alias" { + name = "alias/rds" + target_key_id = aws_kms_key.rds.arn +} + +data "aws_iam_policy_document" "rds-kms" { + statement { + effect = "Allow" + actions = ["kms:*"] + resources = ["*"] + principals { + type = "AWS" + identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] + } + } +} From b69287e496f6427d02d7355b9c2ae0ebd5ca9d26 Mon Sep 17 00:00:00 2001 From: pavmoj <142988272+pavmoj@users.noreply.github.com> Date: Fri, 8 Dec 2023 10:57:28 +0000 Subject: [PATCH 09/32] Rename hosts (#4271) --- terraform/environments/hmpps-domain-services/locals_test.tf | 2 +- .../environments/hmpps-domain-services/templates/rds.yaml.tftpl | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/hmpps-domain-services/locals_test.tf b/terraform/environments/hmpps-domain-services/locals_test.tf index a032478c08b..2c0a0531e62 100644 --- a/terraform/environments/hmpps-domain-services/locals_test.tf +++ b/terraform/environments/hmpps-domain-services/locals_test.tf 
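Review bot: `Version = "2017-10-17"` in the `aws_iam_role.rds_s3_access` trust policy is not a valid IAM policy language version — only `2012-10-17` and `2008-10-17` exist — so IAM will reject the role; change it to `Version = "2012-10-17"`. The trust statement allows any `rds.amazonaws.com` principal with no scoping condition, which is the classic confused-deputy shape for service roles; add `Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }` (the data source is already referenced by `rds-kms` below). The role also has no permissions policy attached, so even once created it grants RDS nothing in S3, and `aws_kms_key.rds` is created here but never referenced by the instance via `kms_key_id`/`storage_encrypted`. The `kms:*` on `*` for the account root in the key policy is the standard baseline that keeps the key administrable, but the RDS service principal still needs a grant or statement of its own before the key can actually be used for storage encryption.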
@@ -48,7 +48,7 @@ locals { availability_zone = null ebs_volumes_copy_all_from_ami = false user_data_raw = base64encode(templatefile("./templates/rds.yaml.tftpl", { - rds_hostname = "RDSConnectionBroker" + rds_hostname = "RDSBroker" })) }) instance = merge(module.baseline_presets.ec2_instance.instance.default, { diff --git a/terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl b/terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl index 238a8456a96..5c1b7f890d6 100644 --- a/terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl +++ b/terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl @@ -93,6 +93,6 @@ tasks: Disable-NetAdapterBinding -Name 'Ethernet' -ComponentID 'ms_tcpip6' Import-Module RemoteDesktop Enable-PSRemoting -force - Rename-Computer -NewName ${rds_hostname} + Rename-Computer -NewName "${rds_hostname}1" Sleep 5 Restart-Computer -Force From 8279a023648bc6bec00ee1ee19dd46a53821c2f3 Mon Sep 17 00:00:00 2001 From: Andrew Moore Date: Fri, 8 Dec 2023 11:01:14 +0000 Subject: [PATCH 10/32] NIT-981 deploy Oracle backup vault to all envs --- .../components/oracle_db_shared/backup_vault.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf new file mode 100644 index 00000000000..84db42a1b72 --- /dev/null +++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf @@ -0,0 +1,10 @@ +resource "aws_backup_vault" "oracle_backup_vault" { + name = "${var.env_name}-oracle-backup-vault" + kms_key_arn = var.account_config.kms_keys.general_shared + tags = merge( + var.tags, + { + "Name" = "${var.env_name}-oracle-backup-vault" + }, + ) +} \ No newline at end of file 
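Review bot: The new `aws_backup_vault.oracle_backup_vault` is created without a vault lock or access policy, which leaves the Oracle recovery points deletable by anyone with `backup:DeleteRecoveryPoint` in the account — the scenario backup vaults are meant to defend against. Consider pairing it with an `aws_backup_vault_lock_configuration` (with a `min_retention_days` matching the backup plan) and, if the plan is per-environment, a `changeable_for_days` window for non-production so the lock can be corrected before it becomes immutable. The vault is encrypted with `var.account_config.kms_keys.general_shared`; worth confirming that key's policy grants `backup.amazonaws.com` the required actions, as a shared general-purpose key often does not.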
From bda9ff20aa87e99d20a2fcc132ca3aa8fb0ca0f2 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 11:01:31 +0000 Subject: [PATCH 11/32] add s3 access for RDS --- terraform/environments/cdpt-chaps/locals.tf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf index 968e78d3f1a..33482177713 100644 --- a/terraform/environments/cdpt-chaps/locals.tf +++ b/terraform/environments/cdpt-chaps/locals.tf @@ -1,5 +1,8 @@ #### This file can be used to store locals specific to the member account #### locals { + + app_data = jsondecode(file("./application_variables.json")) + domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value From 322534168799b51556838b95da3793a75c56847c Mon Sep 17 00:00:00 2001 From: ranbeersingh1 Date: Fri, 8 Dec 2023 11:05:08 +0000 Subject: [PATCH 12/32] Pick up correct database type --- terraform/environments/delius-core/templates/userdata.sh.tftpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/templates/userdata.sh.tftpl b/terraform/environments/delius-core/templates/userdata.sh.tftpl index 7400286d290..e806b484203 100644 --- a/terraform/environments/delius-core/templates/userdata.sh.tftpl +++ b/terraform/environments/delius-core/templates/userdata.sh.tftpl 
@@ -61,7 +61,7 @@ run_ansible() { then group=$(echo "$${environment_name}_$${delius_environment_name}_$${database}" | tr [:upper:] [:lower:] | sed "s/-/_/g") group_all=$(echo "$${environment_name}_$${delius_environment_name}_all" | tr [:upper:] [:lower:] | sed "s/-/_/g") - database_type=$(echo $database | cut -d'_' -f2 | sed "s/db//g") + [[ $database =~ "primarydb" ]] && database_type="primary" || database_type="standby" ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml --extra-vars @group_vars/$group_all.yml --extra-vars database_type=$database_type" elif [[ $i -gt 2 ]] then From a21d36960d46c5fccc0f605d0288732f0da78470 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 11:09:24 +0000 Subject: [PATCH 13/32] removed s3 info from rds instance --- .../environments/cdpt-chaps/application_variables.json | 1 - terraform/environments/cdpt-chaps/database.tf | 6 ------ 2 files changed, 7 deletions(-) diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index 3265756f9ce..03af1a3aeae 100644 --- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json @@ -1,7 +1,6 @@ { "accounts": { "development": { - "db_enabled": true, "db_instance_class": "db.t3.small", "db_user": "admin", diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index c73153db908..6fdcda30372 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf 
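Review bot: The `[[ … ]] && database_type="primary" || database_type="standby"` one-liner reads as if/else but is an `&&`/`||` chain; it only behaves correctly here because an assignment cannot fail, and the next maintainer who turns the middle command into something that can fail will get both branches. An explicit conditional costs nothing: `if [[ $database == *primarydb* ]]; then database_type="primary"; else database_type="standby"; fi`. Also note that any value not containing `primarydb` now silently becomes `standby`, whereas the replaced `cut`/`sed` derivation surfaced unexpected names; a brief comment stating that the group name contract is `<env>_<delius_env>_primarydb|standbydb<n>` would make that intent visible. `run_ansible()` begins and ends outside this hunk.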
@@ -12,12 +12,6 @@ resource "aws_db_instance" "database" { username = local.app_data.accounts[local.environment].db_user iam_database_authentication_enabled = true iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"] - s3_import { - bucket_name = tp-dbbackups - bucket-prefix = chap-dev - ingestion_role = aws_iam_role.rds_s3_access.arn - source_engine = "sqlserver-web" -} } resource "aws_security_group" "db" { From e5064a421bb7dc6eae73921af8264d07b47c8e1c Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 11:27:49 +0000 Subject: [PATCH 14/32] fixed typo --- terraform/environments/cdpt-chaps/application_variables.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index 03af1a3aeae..2679c1eba41 100644 --- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json @@ -13,7 +13,7 @@ "container_version": "preproduction" }, "test": { - "example_var": "test-data" + "example_var": "test-data", "region": "eu-west-2", "docker_image_tag": "development" }, From 29da388bab07bc8710fe1e924ee6776ac436fa7a Mon Sep 17 00:00:00 2001 From: Matthew Searle <65017209+matthewsearle01@users.noreply.github.com> Date: Fri, 8 Dec 2023 11:28:25 +0000 Subject: [PATCH 15/32] allow moj vpn access to rds (#4267) --- terraform/environments/tipstaff/rds.tf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/terraform/environments/tipstaff/rds.tf b/terraform/environments/tipstaff/rds.tf index 6a179fd4d30..1e202ea7fcb 100644 --- a/terraform/environments/tipstaff/rds.tf +++ b/terraform/environments/tipstaff/rds.tf 
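Review bot: With the `s3_import` block gone, `aws_db_instance.database` is still created unencrypted and with no master credential: nothing in the resource sets `storage_encrypted`, `kms_key_id`, `password` or `manage_master_user_password`, even though `aws_kms_key.rds` exists in this file for exactly this purpose. Add `storage_encrypted = true`, `kms_key_id = aws_kms_key.rds.arn` and `manage_master_user_password = true` before the first apply, since encryption cannot be switched on for an existing instance without a snapshot/restore. The retained `iam_roles = [...]` line is not an `aws_db_instance` argument and will fail validation, and `iam_database_authentication_enabled = true` is not available on the `sqlserver-web` engine.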
@@ -47,6 +47,14 @@ resource "aws_security_group" "postgresql_db_sc" { module.bastion_linux.bastion_security_group ] } + + ingress { + from_port = 5432 + to_port = 5432 + protocol = "tcp" + description = "MOJ Digital VPN access" + cidr_blocks = [local.application_data.accounts[local.environment].moj_ip] + } egress { description = "allow all outbound traffic" from_port = 0 From e354de652f7eae41b70165b50c050bb5469e71ec Mon Sep 17 00:00:00 2001 From: ranbeersingh1 Date: Fri, 8 Dec 2023 11:30:24 +0000 Subject: [PATCH 16/32] Pick up correct database type --- .../environment_all_components/templates/userdata.sh.tftpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl b/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl index 7400286d290..e806b484203 100644 --- a/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl +++ b/terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl @@ -61,7 +61,7 @@ run_ansible() { then group=$(echo "$${environment_name}_$${delius_environment_name}_$${database}" | tr [:upper:] [:lower:] | sed "s/-/_/g") group_all=$(echo "$${environment_name}_$${delius_environment_name}_all" | tr [:upper:] [:lower:] | sed "s/-/_/g") - database_type=$(echo $database | cut -d'_' -f2 | sed "s/db//g") + [[ $database =~ "primarydb" ]] && database_type="primary" || database_type="standby" ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml --extra-vars @group_vars/$group_all.yml --extra-vars database_type=$database_type" elif [[ $i -gt 2 ]] then From 7af1d61a84f276cb26bda4d1568d6e8141c63ca5 Mon Sep 17 00:00:00 2001 
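Review bot: The new ingress rule admits TCP/5432 from a single CIDR read from `local.application_data.accounts[local.environment].moj_ip`; if that value is a corporate egress range rather than the VPN's own /32, every host behind it gains direct network reach to Postgres, bypassing the bastion path that the preceding rule (`module.bastion_linux.bastion_security_group`) already provides. Worth recording the intended scope next to the rule, e.g. `description = "MOJ Digital VPN access (egress /32 only)"`, and validating the variable shape with a `precondition` or `can(cidrhost(...))` check so a widened CIDR cannot slip in via the JSON file. Direct VPN-to-database access also means client authentication is now the only control, so the instance should be confirmed to enforce TLS (`rds.force_ssl` in the parameter group) before this merges; the enclosing `aws_security_group.postgresql_db_sc` resource starts and ends outside this hunk.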
From: Dominic Robinson <65237317+drobinson-moj@users.noreply.github.com> Date: Fri, 8 Dec 2023 11:43:28 +0000 Subject: [PATCH 17/32] DSOS-2430: create dev oem (#4273) * add dev oem server * use updated AMI --- .../hmpps-oem/locals_development.tf | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/terraform/environments/hmpps-oem/locals_development.tf b/terraform/environments/hmpps-oem/locals_development.tf index 1d6beab7de1..7b20a0e8987 100644 --- a/terraform/environments/hmpps-oem/locals_development.tf +++ b/terraform/environments/hmpps-oem/locals_development.tf @@ -4,6 +4,12 @@ locals { # baseline config development_config = { + baseline_secretsmanager_secrets = { + "/oracle/oem" = local.oem_secretsmanager_secrets + "/oracle/database/EMREP" = local.oem_secretsmanager_secrets + "/oracle/database/DEVRCVCAT" = local.oem_secretsmanager_secrets + } + baseline_ec2_autoscaling_groups = { dev-base-ol85 = { config = merge(module.baseline_presets.ec2_instance.config.default, { @@ -32,5 +38,21 @@ locals { } } + baseline_ec2_instances = { + dev-oem-a = merge(local.oem_ec2_default, { + config = merge(local.oem_ec2_default.config, { + ami_name = "hmpps_ol_8_5_oracledb_19c_release_2023-12-07T12-10-49.620Z" + availability_zone = "eu-west-2a" + }) + user_data_cloud_init = merge(local.oem_ec2_default.user_data_cloud_init, { + args = merge(local.oem_ec2_default.user_data_cloud_init.args, { + branch = "45027fb7482eb7fb601c9493513bb73658780dda" # 2023-08-11 + }) + }) + tags = merge(local.oem_ec2_default.tags, { + oracle-sids = "EMREP DEVRCVCAT" + }) + }) + } } } From 848698328fd541f4bda69ad48f7f9a351e1be1e3 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 11:45:17 +0000 Subject: [PATCH 18/32] fixed typo --- terraform/environments/cdpt-chaps/database.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index 6fdcda30372..11604afb426 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf @@ -11,7 +11,12 @@ resource "aws_db_instance" "database" { identifier = local.app_data.accounts[local.environment].db_instance_identifier username = local.app_data.accounts[local.environment].db_user iam_database_authentication_enabled = true - iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"] +} + +resource "aws_db_instance_role_association" "rds_s3_role_association" { + db_instance_identifier = aws_db_instance.database.identifier + feature_name = "S3_INTEGRATION" + role_arn = "arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess" } resource "aws_security_group" "db" { From 6ede734d5ae3eb4a1384c70bf8cc38e7dc7d5695 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 11:36:30 +0000 Subject: [PATCH 19/32] fix conflicts rebase --- .../cdpt-chaps/application_variables.json | 9 +++++ terraform/environments/cdpt-chaps/database.tf | 35 +++++++++++++++++++ terraform/environments/cdpt-chaps/locals.tf | 5 ++- 3 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 terraform/environments/cdpt-chaps/database.tf diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index 601d785bd20..14b949c4e6e 100644 --- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json 
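Review bot: `aws_db_instance_role_association.rds_s3_role_association` pins a role ARN in account `613903586696` while the instance is being created in the cdpt-chaps account; the role name `RDS-S3-CrossAccountAccess` suggests it lives elsewhere, and RDS requires the role associated with an instance to be in the same account as the instance, so this association is likely to be rejected — a same-account role with a cross-account S3 bucket policy is the usual pattern. The `aws_iam_role.rds_s3_access` already defined in this file (rds.amazonaws.com trust, no permissions) looks like the intended role; pointing `role_arn = aws_iam_role.rds_s3_access.arn` at it and attaching a least-privilege S3 policy for the backup prefix would also remove the hard-coded account ID. Account IDs for the platform are otherwise resolved via `local.environment_management.account_ids`, visible in locals.tf in this series.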
@@ -3,6 +3,15 @@ "development": { "region": "eu-west-2", "docker_image_tag": "development" + "db_enabled": true, + "db_instance_class": "db.t3.small", + "db_user": "admin", + "db_allocated_storage": "75", + "db_name": "chaps-dev", + "env_name": "development", + "friendly_name": "Chaps development", + "container_instance_type": "windows", + "container_version": "preproduction", }, "preproduction": { "region": "eu-west-2", diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf new file mode 100644 index 00000000000..967b3a94f54 --- /dev/null +++ b/terraform/environments/cdpt-chaps/database.tf @@ -0,0 +1,35 @@ +#------------------------------------------------------------------------------ +# Database +#------------------------------------------------------------------------------ + +resource "aws_db_instance" "database" { + identifier = local.application_name + allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage + storage_type = "gp2" + engine = "sqlserver-web" + engine_version = "14.00.3381.3.v1" + instance_class = local.app_data.accounts[local.environment].db_instance_class + name = local.app_data.accounts[local.environment].db_name + username = local.app_data.accounts[local.environment].db_user + #password = aws_secretsmanager_secret_version.db_password.arn +} + +resource "aws_security_group" "db" { + name = "db" + description = "Allow DB inbound traffic" + + ingress { + from_port = 1433 + to_port = 1433 + protocol = "tcp" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } +} + diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf index 1cf2cbe7024..80cd31b72af 100644 --- a/terraform/environments/cdpt-chaps/locals.tf +++ b/terraform/environments/cdpt-chaps/locals.tf 
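Review bot: The rebased development block is no longer valid JSON: the context line `"docker_image_tag": "development"` has no trailing comma before the added `"db_enabled": true,`, and the block still ends with a trailing comma after `"container_version": "preproduction",`. `jsondecode` will therefore fail for every environment, and the later "remove comma" commit in this series only addresses the trailing one, so the missing comma after `"docker_image_tag": "development"` needs fixing here. As in the pre-rebase version, `db_name` has no use on SQL Server RDS and `db_enabled` is never read.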
@@ -1,4 +1,7 @@ +<<<<<<< HEAD locals { + app_data = jsondecode(file("./application_variables.json")) + application_name = "Chaps" domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value @@ -14,4 +17,4 @@ locals { domain_type_sub = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"] ecr_url = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-chaps-ecr-repo" -} +} \ No newline at end of file From 2d9c6aab631393a5ed0dcb60eec8b12c85505f02 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 11:46:39 +0000 Subject: [PATCH 20/32] fix conflict locals --- terraform/environments/cdpt-chaps/locals.tf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf index 80cd31b72af..88a92ff607e 100644 --- a/terraform/environments/cdpt-chaps/locals.tf +++ b/terraform/environments/cdpt-chaps/locals.tf @@ -1,7 +1,9 @@ -<<<<<<< HEAD +#### This file can be used to store locals specific to the member account #### + locals { app_data = jsondecode(file("./application_variables.json")) application_name = "Chaps" + domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => { name = dvo.resource_record_name record = dvo.resource_record_value From 1b47b160d7e3448915b1c7acd5a9f076ab4bf436 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 13:38:19 +0000 Subject: [PATCH 21/32] remove comma app_vars --- terraform/environments/cdpt-chaps/application_variables.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index 14b949c4e6e..3b16c1b8039 100644 
--- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json @@ -11,7 +11,7 @@ "env_name": "development", "friendly_name": "Chaps development", "container_instance_type": "windows", - "container_version": "preproduction", + "container_version": "preproduction" }, "preproduction": { "region": "eu-west-2", From 789e5042a9d76532a03178c5be6c7e4b04e30a1d Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 19:17:26 +0000 Subject: [PATCH 22/32] revise db_name --- terraform/environments/cdpt-chaps/database.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index 967b3a94f54..88e3bd52307 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf @@ -8,10 +8,10 @@ resource "aws_db_instance" "database" { storage_type = "gp2" engine = "sqlserver-web" engine_version = "14.00.3381.3.v1" - instance_class = local.app_data.accounts[local.environment].db_instance_class + instance_class = local.app_data.accounts[local.environment].db_instance_identifier + identifier = local.app_data.accounts[local.environment].db_instance_class name = local.app_data.accounts[local.environment].db_name username = local.app_data.accounts[local.environment].db_user - #password = aws_secretsmanager_secret_version.db_password.arn } resource "aws_security_group" "db" { From 9a977eb741025b33eaf62d335f16df0d38d2138f Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 19:19:07 +0000 Subject: [PATCH 23/32] remove extra identifier --- terraform/environments/cdpt-chaps/database.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index 88e3bd52307..04080937c2b 100644 --- a/terraform/environments/cdpt-chaps/database.tf 
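Review bot: The rebased version of this change carries the same transposition as before: `instance_class` now reads `db_instance_identifier` and `identifier` reads `db_instance_class`, so the planned instance class would be the string `chaps-dev-instance`. The deletion of the commented `#password = ...` line leaves `aws_db_instance.database` with no `password` and no `manage_master_user_password`, which RDS is expected to reject on create; `manage_master_user_password = true` is the supported way to have the master credential generated and stored in Secrets Manager without it touching state or this file.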
+++ b/terraform/environments/cdpt-chaps/database.tf @@ -3,7 +3,6 @@ #------------------------------------------------------------------------------ resource "aws_db_instance" "database" { - identifier = local.application_name allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage storage_type = "gp2" engine = "sqlserver-web" From 17a3bb7ed134fd87159e4f250110cc2d82b7e6c7 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Tue, 5 Dec 2023 19:29:37 +0000 Subject: [PATCH 24/32] remove name argument --- terraform/environments/cdpt-chaps/database.tf | 1 - 1 file changed, 1 deletion(-) diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf index 04080937c2b..bd996de8884 100644 --- a/terraform/environments/cdpt-chaps/database.tf +++ b/terraform/environments/cdpt-chaps/database.tf @@ -9,7 +9,6 @@ resource "aws_db_instance" "database" { engine_version = "14.00.3381.3.v1" instance_class = local.app_data.accounts[local.environment].db_instance_identifier identifier = local.app_data.accounts[local.environment].db_instance_class - name = local.app_data.accounts[local.environment].db_name username = local.app_data.accounts[local.environment].db_user } From b3d48a3663d83b753c7a5c562c3b70af7953fe59 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Thu, 7 Dec 2023 09:01:22 +0000 Subject: [PATCH 25/32] fix database.tf --- terraform/environments/cdpt-chaps/application_variables.json | 1 + terraform/environments/cdpt-chaps/database.tf | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json index 3b16c1b8039..e8c8408fb25 100644 --- a/terraform/environments/cdpt-chaps/application_variables.json +++ b/terraform/environments/cdpt-chaps/application_variables.json 
@@ -9,6 +9,7 @@
 "db_allocated_storage": "75",
 "db_name": "chaps-dev",
 "env_name": "development",
+ "db_instance_identifier": "chaps-dev-instance",
 "friendly_name": "Chaps development",
 "container_instance_type": "windows",
 "container_version": "preproduction"
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index bd996de8884..b96a7617805 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -7,8 +7,8 @@ resource "aws_db_instance" "database" {
 storage_type = "gp2"
 engine = "sqlserver-web"
 engine_version = "14.00.3381.3.v1"
- instance_class = local.app_data.accounts[local.environment].db_instance_identifier
- identifier = local.app_data.accounts[local.environment].db_instance_class
+ instance_class = local.app_data.accounts[local.environment].db_instance_class
+ identifier = local.app_data.accounts[local.environment].db_instance_identifier
 username = local.app_data.accounts[local.environment].db_user
 }

From 45fc12eff81c13d7590f22b16197319fbcc5e3ff Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 10:50:53 +0000 Subject: [PATCH 26/32] add s3 access for RDS --- terraform/environments/cdpt-chaps/database.tf | 76 +++++++++++++++++-- 1 file changed, 69 insertions(+), 7 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index b96a7617805..c73153db908 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
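Review bot: The new `"db_instance_identifier": "chaps-dev-instance",` line is inserted between `env_name` and `friendly_name` rather than next to the other `db_*` keys it belongs with (`db_name`, `db_user`, `db_instance_class`), which makes the per-environment block harder to scan now that the same keys will be repeated for each account. Key order carries no meaning in JSON, so moving it up to sit directly after `"db_name": "chaps-dev",` is a pure readability change with no effect on `jsondecode`.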
@@ -3,13 +3,21 @@
 #------------------------------------------------------------------------------

 resource "aws_db_instance" "database" {
- allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage
- storage_type = "gp2"
- engine = "sqlserver-web"
- engine_version = "14.00.3381.3.v1"
- instance_class = local.app_data.accounts[local.environment].db_instance_class
- identifier = local.app_data.accounts[local.environment].db_instance_identifier
- username = local.app_data.accounts[local.environment].db_user
+ allocated_storage = local.app_data.accounts[local.environment].db_allocated_storage
+ storage_type = "gp2"
+ engine = "sqlserver-web"
+ engine_version = "14.00.3381.3.v1"
+ instance_class = local.app_data.accounts[local.environment].db_instance_class
+ identifier = local.app_data.accounts[local.environment].db_instance_identifier
+ username = local.app_data.accounts[local.environment].db_user
+ iam_database_authentication_enabled = true
+ iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"]
+ s3_import {
+ bucket_name = tp-dbbackups
+ bucket-prefix = chap-dev
+ ingestion_role = aws_iam_role.rds_s3_access.arn
+ source_engine = "sqlserver-web"
+}
 }

 resource "aws_security_group" "db" {
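Review bot: The new `s3_import` block cannot apply as written: `bucket_name = tp-dbbackups` and `bucket-prefix = chap-dev` are unquoted, so HCL reads them as references rather than strings, the argument name is `bucket_prefix`, and as far as I know `s3_import` is only accepted for MySQL restores, so `source_engine = "sqlserver-web"` would be rejected as well (a later commit in this series removes the block). `iam_roles` is not an argument of `aws_db_instance` — the role has to be attached through `aws_db_instance_role_association`, which a later commit does — and `iam_database_authentication_enabled = true` is, to my knowledge, not offered for RDS for SQL Server, so please confirm both against the provider and engine docs before keeping them. The more important gap is that the instance is still created without `storage_encrypted = true` and `kms_key_id = aws_kms_key.rds.arn` even though this same commit adds that key, and without `vpc_security_group_ids = [aws_security_group.db.id]`, so SQL Server storage would be unencrypted and the instance would fall back to the VPC's default security group; scope the `db` group's ingress to the application's own subnets before attaching it.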
@@ -31,3 +39,57 @@ resource "aws_security_group" "db" {
 }
 }

+resource "aws_iam_role" "rds_s3_access" {
+ assume_role_policy = jsonencode({
+ Version = "2017-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "rds.amazonaws.com"
+ },
+ },
+ ]
+ })
+}
+
+
+
+
+#------------------------------------------------------------------------------
+# S3 Bucket for Database backup files
+#------------------------------------------------------------------------------
+
+
+
+
+
+
+
+#------------------------------------------------------------------------------
+# KMS setup for RDS
+#------------------------------------------------------------------------------
+
+resource "aws_kms_key" "rds" {
+ description = "Encryption key for rds"
+ enable_key_rotation = true
+ policy = data.aws_iam_policy_document.rds-kms.json
+}
+
+resource "aws_kms_alias" "rds-kms-alias" {
+ name = "alias/rds"
+ target_key_id = aws_kms_key.rds.arn
+}
+
+data "aws_iam_policy_document" "rds-kms" {
+ statement {
+ effect = "Allow"
+ actions = ["kms:*"]
+ resources = ["*"]
+ principals {
+ type = "AWS"
+ identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+ }
+ }
+}
From 00facd1e6c47728a3ca51913a33c5f410ced3f62 Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 11:01:31 +0000 Subject: [PATCH 27/32] fix conflicts --- terraform/environments/cdpt-chaps/locals.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/locals.tf b/terraform/environments/cdpt-chaps/locals.tf
index 88a92ff607e..7ed558c4dbc 100644
--- a/terraform/environments/cdpt-chaps/locals.tf
+++ b/terraform/environments/cdpt-chaps/locals.tf
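Review bot: `Version = "2017-10-17",` in the trust policy of `aws_iam_role.rds_s3_access` is not a valid IAM policy-language version (only `2012-10-17` and the legacy `2008-10-17` exist), so IAM will reject the document as malformed at apply time; it should read `Version = "2012-10-17",`. The trust statement also lets `rds.amazonaws.com` assume the role from any account, so adding `Condition = { StringEquals = { "aws:SourceAccount" = data.aws_caller_identity.current.account_id } }` to the statement keeps it to this account's RDS instances (confused-deputy protection), and the role has no permissions policy attached, which the `ingestion_role` reference in the first hunk would need before an S3 restore could work. The KMS key policy is the standard root-only statement, which is acceptable provided RDS is expected to reach the key through IAM permissions; a one-line comment above `data "aws_iam_policy_document" "rds-kms"` saying so would stop a reader from tightening it and breaking the instance.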
@@ -1,9 +1,9 @@
 #### This file can be used to store locals specific to the member account ####

 locals {
- app_data = jsondecode(file("./application_variables.json"))
 application_name = "Chaps"
-
+ app_data = jsondecode(file("./application_variables.json"))
+
 domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => {
 name = dvo.resource_record_name
 record = dvo.resource_record_value
From 5f99bd5101ad7d369f5bf0ed548a84e85402f6cb Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 11:09:24 +0000 Subject: [PATCH 28/32] fix conflicts --- terraform/environments/cdpt-chaps/database.tf | 6 ------ 1 file changed, 6 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index c73153db908..6fdcda30372 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -12,12 +12,6 @@ resource "aws_db_instance" "database" {
 username = local.app_data.accounts[local.environment].db_user
 iam_database_authentication_enabled = true
 iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"]
- s3_import {
- bucket_name = tp-dbbackups
- bucket-prefix = chap-dev
- ingestion_role = aws_iam_role.rds_s3_access.arn
- source_engine = "sqlserver-web"
-}
 }

 resource "aws_security_group" "db" {
From 0653d5ba5bd39740d6ed0dcb1317fab7d60676ee Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 11:27:49 +0000 Subject: [PATCH 29/32] fixed conflicts --- terraform/environments/cdpt-chaps/application_variables.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index e8c8408fb25..f31905defa0 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -2,7 +2,7 @@
 "accounts": {
 "development": {
 "region": "eu-west-2",
- "docker_image_tag": "development"
+ "docker_image_tag": "development",
 "db_enabled": true,
 "db_instance_class": "db.t3.small",
 "db_user": "admin",
From be57f08a591feab96159ca030b7155cb88e37b9e Mon Sep 17 00:00:00 2001 From: "alistair.curtis" Date: Fri, 8 Dec 2023 11:45:17 +0000 Subject: [PATCH 30/32] fixed typo --- terraform/environments/cdpt-chaps/database.tf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 6fdcda30372..11604afb426 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -11,7 +11,12 @@ resource "aws_db_instance" "database" {
 identifier = local.app_data.accounts[local.environment].db_instance_identifier
 username = local.app_data.accounts[local.environment].db_user
 iam_database_authentication_enabled = true
- iam_roles = ["arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"]
+}
+
+resource "aws_db_instance_role_association" "rds_s3_role_association" {
+ db_instance_identifier = aws_db_instance.database.identifier
+ feature_name = "S3_INTEGRATION"
+ role_arn = "arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"
 }

 resource "aws_security_group" "db" {
From 852e9db3d7a24e1e355e7afad1eaca3d4c2d0afe Mon Sep 17 00:00:00 2001 From: roncitrus Date: Fri, 8 Dec 2023 13:39:42 +0000 Subject: [PATCH 31/32] rebased branch --- terraform/environments/cdpt-chaps/application_variables.json | 1 + 1 file changed, 1 insertion(+)
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index f31905defa0..f2e6dd0ff60 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -24,3 +24,4 @@
 }
 }
 }
+
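Review bot: `role_arn = "arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"` is hard-coded in the new `aws_db_instance_role_association.rds_s3_role_association` while every other instance setting is read from `local.app_data.accounts[local.environment]`, so development, preproduction and production would all be associated with one role in one external account. If the backup role is meant to differ per environment, read it from application_variables.json instead (for example `role_arn = local.app_data.accounts[local.environment].rds_s3_role_arn`, a constructed key name) and add a comment above the resource stating which account `613903586696` is and who owns that role's trust policy, since the association only works if the role trusts `rds.amazonaws.com` acting for this account, which cannot be checked from this repository. The resource is otherwise the right replacement for the removed `iam_roles` line, which was not a valid `aws_db_instance` argument.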
From d826ffb7b562bc4f0a1c42f502b762d826ae7aba Mon Sep 17 00:00:00 2001 From: roncitrus Date: Fri, 8 Dec 2023 14:01:30 +0000 Subject: [PATCH 32/32] add rds prepro and prod --- .../cdpt-chaps/application_variables.json | 20 +++++++++++++++++++ terraform/environments/cdpt-chaps/database.tf | 13 ------------ 2 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/terraform/environments/cdpt-chaps/application_variables.json b/terraform/environments/cdpt-chaps/application_variables.json
index f2e6dd0ff60..d72594d3ab9 100644
--- a/terraform/environments/cdpt-chaps/application_variables.json
+++ b/terraform/environments/cdpt-chaps/application_variables.json
@@ -15,10 +15,30 @@
 "container_version": "preproduction"
 },
 "preproduction": {
+ "db_enabled": true,
+ "db_instance_class": "db.t3.xlarge",
+ "db_user": "admin",
+ "db_allocated_storage": "75",
+ "db_name": "chaps-preproduction",
+ "env_name": "preproduction",
+ "db_instance_identifier": "chaps-preprod-instance",
+ "friendly_name": "Chaps preproduction",
+ "container_instance_type": "windows",
+ "container_version": "preproduction",
 "region": "eu-west-2",
 "docker_image_tag": "preproduction"
 },
 "production": {
+ "db_enabled": true,
+ "db_instance_class": "db.m5.xlarge",
+ "db_user": "admin",
+ "db_allocated_storage": "100",
+ "db_name": "chaps-prod",
+ "env_name": "production",
+ "db_instance_identifier": "chaps-prod-instance",
+ "friendly_name": "Chaps Production",
+ "container_instance_type": "windows",
+ "container_version": "production",
 "region": "eu-west-2",
 "docker_image_tag": "production"
 }
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index 11604afb426..a81154c4ac5 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
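Review bot: `db_allocated_storage` is added as the strings `"75"` and `"100"` while `db_enabled` is a real boolean in the same blocks; the value feeds `allocated_storage`, a numeric argument, so Terraform will coerce it, but writing it as a number (`"db_allocated_storage": 100`) keeps the type honest and matches how `db_enabled` is written. `db_enabled: true` is now set for all three accounts, yet none of the database.tf hunks in this series read it (the `aws_db_instance` has no `count` or `for_each` tied to it), so either wire it up or drop it rather than ship a flag that looks like a control and is not one. The master username `admin` is shared across environments and committed here, which is tolerable only because the password is not in this file; a short note in the environment README saying where the master password is managed would help the next maintainer.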
@@ -53,19 +53,6 @@ resource "aws_iam_role" "rds_s3_access" {
 })
 }

-
-
-
-#------------------------------------------------------------------------------
-# S3 Bucket for Database backup files
-#------------------------------------------------------------------------------
-
-
-
-
-
-
-
 #------------------------------------------------------------------------------
 # KMS setup for RDS
 #------------------------------------------------------------------------------