add RDS

terraform/environments/cdpt-chaps/application_variables.json

@@ -2,15 +2,46 @@
   "accounts": {
     "development": {
       "region": "eu-west-2",
-      "docker_image_tag": "development"
+      "docker_image_tag": "development",
+      "db_enabled": true,
+      "db_instance_class": "db.t3.small",
+      "db_user": "admin",
+      "db_allocated_storage": "75",
+      "db_name": "chaps-dev",
+      "env_name": "development",
+      "db_instance_identifier": "chaps-dev-instance",
+      "friendly_name": "Chaps development",
+      "container_instance_type": "windows",
+      "container_version": "preproduction"
     },
     "preproduction": {
+      "db_enabled": true,
+      "db_instance_class": "db.t3.xlarge",
+      "db_user": "admin",
+      "db_allocated_storage": "75",
+      "db_name": "chaps-preproduction",
+      "env_name": "preproduction",
+      "db_instance_identifier": "chaps-preprod-instance",
+      "friendly_name": "Chaps preproduction",
+      "container_instance_type": "windows",
+      "container_version": "preproduction",
       "region": "eu-west-2",
       "docker_image_tag": "preproduction"
     },
     "production": {
+      "db_enabled": true,
+      "db_instance_class": "db.m5.xlarge",
+      "db_user": "admin",
+      "db_allocated_storage": "100",
+      "db_name": "chaps-prod",
+      "env_name": "production",
+      "db_instance_identifier": "chaps-prod-instance",
+      "friendly_name": "Chaps Production",
+      "container_instance_type": "windows",
+      "container_version": "production",
       "region": "eu-west-2",
       "docker_image_tag": "production"
     }
   }
 }
+

terraform/environments/cdpt-chaps/database.tf

@@ -0,0 +1,81 @@
+#------------------------------------------------------------------------------
+# Database
+#------------------------------------------------------------------------------
+
+resource "aws_db_instance" "database" {
+	allocated_storage 									= local.app_data.accounts[local.environment].db_allocated_storage
+	storage_type 												= "gp2"
+	engine 															= "sqlserver-web"
+	engine_version 											= "14.00.3381.3.v1"
+	instance_class 											= local.app_data.accounts[local.environment].db_instance_class
+	identifier													= local.app_data.accounts[local.environment].db_instance_identifier
+	username														= local.app_data.accounts[local.environment].db_user
+	iam_database_authentication_enabled = true
+}
+
+resource "aws_db_instance_role_association" "rds_s3_role_association" {
+	db_instance_identifier 	= aws_db_instance.database.identifier
+	feature_name 						= "S3_INTEGRATION"
+	role_arn               = "arn:aws:iam::613903586696:role/RDS-S3-CrossAccountAccess"
+}
+
+resource "aws_security_group" "db" {
+	name 				= "db"
+	description = "Allow DB inbound traffic"
+
+	ingress {
+		from_port 	= 1433
+		to_port 		= 1433
+		protocol  	= "tcp"
+		cidr_blocks = ["0.0.0.0/0"]
+	}
+
+	  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_iam_role" "rds_s3_access" {
+	assume_role_policy = jsonencode({
+		Version 	= "2017-10-17",
+		Statement = [
+			{
+				Action = "sts:AssumeRole",
+				Effect = "Allow",
+				Principal = {
+				Service = "rds.amazonaws.com"
+				},
+			},
+		]
+	})
+}
+
+#------------------------------------------------------------------------------
+# KMS setup for RDS
+#------------------------------------------------------------------------------
+
+resource "aws_kms_key" "rds" {
+  description         = "Encryption key for rds"
+  enable_key_rotation = true
+  policy              = data.aws_iam_policy_document.rds-kms.json
+}
+
+resource "aws_kms_alias" "rds-kms-alias" {
+  name          = "alias/rds"
+  target_key_id = aws_kms_key.rds.arn
+}
+
+data "aws_iam_policy_document" "rds-kms" {
+  statement {
+    effect    = "Allow"
+    actions   = ["kms:*"]
+    resources = ["*"]
+    principals {
+      type        = "AWS"
+      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
+    }
+  }
+}

terraform/environments/cdpt-chaps/locals.tf

@@ -1,4 +1,7 @@
+#### This file can be used to store locals specific to the member account ####
 locals {
+	app_data = jsondecode(file("./application_variables.json"))
+
   domain_types = { for dvo in aws_acm_certificate.external.domain_validation_options : dvo.domain_name => {
     name   = dvo.resource_record_name
     record = dvo.resource_record_value
@@ -14,4 +17,4 @@ locals {
   domain_type_sub    = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"]
 
   ecr_url  = "${local.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/cdpt-chaps-ecr-repo"
-}
+}

terraform/environments/delius-core/modules/components/oracle_db_shared/backup_vault.tf

@@ -0,0 +1,10 @@
+resource "aws_backup_vault" "oracle_backup_vault" {
+  name        = "${var.env_name}-oracle-backup-vault"
+  kms_key_arn = var.account_config.kms_keys.general_shared
+  tags = merge(
+    var.tags,
+    {
+      "Name" = "${var.env_name}-oracle-backup-vault"
+    },
+  )
+}

terraform/environments/delius-core/modules/environment_all_components/templates/userdata.sh.tftpl

@@ -61,7 +61,7 @@ run_ansible() {
     then
       group=$(echo "$${environment_name}_$${delius_environment_name}_$${database}" | tr [:upper:] [:lower:] | sed "s/-/_/g")
       group_all=$(echo "$${environment_name}_$${delius_environment_name}_all" | tr [:upper:] [:lower:] | sed "s/-/_/g")
-      database_type=$(echo $database | cut -d'_' -f2 | sed "s/db//g")
+      [[ $database =~ "primarydb" ]] && database_type="primary" || database_type="standby"
       ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml --extra-vars @group_vars/$group_all.yml --extra-vars database_type=$database_type"
     elif [[ $i -gt 2 ]]
     then

terraform/environments/delius-core/templates/userdata.sh.tftpl

@@ -61,7 +61,7 @@ run_ansible() {
     then
       group=$(echo "$${environment_name}_$${delius_environment_name}_$${database}" | tr [:upper:] [:lower:] | sed "s/-/_/g")
       group_all=$(echo "$${environment_name}_$${delius_environment_name}_all" | tr [:upper:] [:lower:] | sed "s/-/_/g")
-      database_type=$(echo $database | cut -d'_' -f2 | sed "s/db//g")
+      [[ $database =~ "primarydb" ]] && database_type="primary" || database_type="standby"
       ansible_group_vars="$ansible_group_vars --extra-vars @group_vars/$group.yml --extra-vars @group_vars/$group_all.yml --extra-vars database_type=$database_type"
     elif [[ $i -gt 2 ]]
     then

terraform/environments/hmpps-domain-services/locals_test.tf

@@ -48,7 +48,7 @@ locals {
           availability_zone             = null
           ebs_volumes_copy_all_from_ami = false
           user_data_raw = base64encode(templatefile("./templates/rds.yaml.tftpl", {
-            rds_hostname = "RDSConnectionBroker"
+            rds_hostname = "RDSBroker"
           }))
         })
         instance = merge(module.baseline_presets.ec2_instance.instance.default, {

terraform/environments/hmpps-domain-services/templates/rds.yaml.tftpl

@@ -93,6 +93,6 @@ tasks:
           Disable-NetAdapterBinding -Name 'Ethernet' -ComponentID 'ms_tcpip6'
           Import-Module RemoteDesktop
           Enable-PSRemoting -force
-          Rename-Computer -NewName ${rds_hostname}
+          Rename-Computer -NewName "${rds_hostname}1"
           Sleep 5
           Restart-Computer -Force

terraform/environments/hmpps-oem/locals_development.tf

@@ -4,6 +4,12 @@ locals {
   # baseline config
   development_config = {
 
+    baseline_secretsmanager_secrets = {
+      "/oracle/oem"                = local.oem_secretsmanager_secrets
+      "/oracle/database/EMREP"     = local.oem_secretsmanager_secrets
+      "/oracle/database/DEVRCVCAT" = local.oem_secretsmanager_secrets
+    }
+
     baseline_ec2_autoscaling_groups = {
       dev-base-ol85 = {
         config = merge(module.baseline_presets.ec2_instance.config.default, {
@@ -32,5 +38,21 @@ locals {
       }
     }
 
+    baseline_ec2_instances = {
+      dev-oem-a = merge(local.oem_ec2_default, {
+        config = merge(local.oem_ec2_default.config, {
+          ami_name          = "hmpps_ol_8_5_oracledb_19c_release_2023-12-07T12-10-49.620Z"
+          availability_zone = "eu-west-2a"
+        })
+        user_data_cloud_init = merge(local.oem_ec2_default.user_data_cloud_init, {
+          args = merge(local.oem_ec2_default.user_data_cloud_init.args, {
+            branch = "45027fb7482eb7fb601c9493513bb73658780dda" # 2023-08-11
+          })
+        })
+        tags = merge(local.oem_ec2_default.tags, {
+          oracle-sids = "EMREP DEVRCVCAT"
+        })
+      })
+    }
   }
 }

terraform/environments/tipstaff/rds.tf

@@ -47,6 +47,14 @@ resource "aws_security_group" "postgresql_db_sc" {
       module.bastion_linux.bastion_security_group
     ]
   }
+
+  ingress {
+    from_port   = 5432
+    to_port     = 5432
+    protocol    = "tcp"
+    description = "MOJ Digital VPN access"
+    cidr_blocks = [local.application_data.accounts[local.environment].moj_ip]
+  }
   egress {
     description = "allow all outbound traffic"
     from_port   = 0